User loses £55,000 (~$72,000) to Trezor phishing email

April 3, 2022

User loses £55,000 (~$72,000) to Trezor phishing email

Trezor hardware wallet (attribution)

A Bitcoin holder using a Trezor hardware wallet fell victim to a phishing scam after attackers stole email lists from a third-party vendor use by Trezor. The user wrote on Reddit that they were "not paying attention and was on autopilot, just doing what it said. Was arguing with my gf via Telegram at the time... had not slept enough, was a bit hungover and was distracted" when they received the email.

The email in question appeared to be from Trezor, and claimed that users' funds were in jeopardy. It prompted them to download a new (fake) version of the Trezor wallet software, and when users entered their seed phrase to restore their wallet from a backup, it drained their crypto. "What a mug I am," wrote the affected user. "Had been building up my BTC for seven years and lost it in a few minutes' utter stupidity."

The Reddit post also included two follow-up edits, displaying the victim blaming that is common when users are hit with phishing scams and other attacks. The user wrote "Edit: yes I entered my keys, because I'm a twat Edit 2: a lot of people saying they'd never fall for it. I hope they're right."

"I fell victim to the Trezor phishing scam" Reddit post on r/bitcoin

April 2, 2022

Attack on Inverse Finance results in a $15.6 million loss

(attribution)

An attacker targeting the defi project Inverse Finance was able to manipulate the price oracle of INV/ETH, artificially inflating the apparent price of INV and allowing the attacker to borrow against it. The attacker was ultimately able to turn the borrowed DOLA, ETH, WBTC, and YFI tokens, priced at a total of around $15.6 million, into around 4300 ETH (priced at around $14.5 million). As of early April 2, the attacker had transferred 1,300 ETH (around $4.5 million) to a tumbler to make it more difficult to trace.

April 1, 2022

Taiwanese singer Jay Chou has Bored Ape stolen

An illustration of a grimacing ape with pink fur and diamond teeth wearing a colorful stunt jacket on an orange background

BAYC #3738 (attribution)

Taiwanese singer Jay Chou fell victim to an apparent phishing scam, in which a malicious actor transferred his pricey Bored Ape NFT to their own wallet. The scammer then flipped the NFT for sale on LooksRare for 130 ETH (~$425,000).

The theft prompted security researchers at Check Point Research to investigate what ended up being a serious bug in Rarible, where malicious NFTs could execute JavaScript and trick users into signing a contract that would then empty their wallets.

"Taiwanese star Jay Chou says Bored Ape NFT has been stolen by 'phishing website'", South China Morning Post

April 1, 2022

Class action lawsuit filed against "Let's Go Brandon" coin creators for alleged pump-and-dump

NASCAR driver poses standing against a racecar with American flag detailing, the domain "LGBcoin.io", and the number 68 painted on it

Brandon Brown poses with LGB coin branded car before sponsorship deal is cancelled (attribution)

A class-action lawsuit filed by Missouri investor Eric De Ford claims that the people behind the pro-Trump "Let's Go Brandon" (LGB) memecoin misled investors about a NASCAR sponsorship deal and celebrity backing. LGB coin had nearly reached an agreement to be the primary sponsor for NASCAR driver Brandon Brown, but the sponsorship was axed by NASCAR shortly after LGB coin announced it. Regardless, those behind the coin allegedly continued to promote the coin as though the NASCAR sponsorship was in motion, even as the token value cratered. The lawsuit alleges that "Defendants pushed the LGB Tokens as a means of promoting the American dream, while simultaneously touting the prospects for LGB Tokens and the ability for investors to make significant returns from the LGB Tokens like other so-called 'meme coin' digital assets... In truth, Defendants cynically marketed the LGB Tokens to investors so that they could sell off their portion of the Float for a profit."

De Ford has named the LGB coin creators in the suit, as well as NASCAR, and promoters like Brandon Brown and Candace Owens.

April 1, 2022

Apparent scammers drop NFTs appearing to be from the Bored Ape Yacht Club project

3D-rendered piece of "land" crudely made from simple polygons, with block text reading "1x1" underneath

Fake BAYC land NFT (attribution)

An apparent scammer was able to create transactions that appeared as though they were coming from the smart contract belonging to the Bored Ape Yacht Club. OpenSea's UI doesn't differentiate these spoofed transfers from those that are actually coming from the project's contract, and so only users who carefully look at the transaction details can spot that the NFT is suspicious. "This is unfortunately just how the blockchain works", wrote gofannon.eth, the Director of Engineering for the company behind BAYC.

Whoever was behind these transactions airdropped fake NFTs purporting to be a part of an upcoming BAYC metaverse land project, sending them to owners of pricey NFTs and various NFT influencers. It's not clear whether the NFT can perform malicious actions, or if any individuals have been impacted by it if so. However, part of the scam appeared to be to try to entice other users hoping to get in on the next new BAYC project to fall for a phishing scam. Tracing the transactions back showed an OpenSea profile with a fake "verified" badge and a mint link to what appears to be a phishing website, which invites people to connect their wallets to supposedly mint their own BAYC land NFTs.

"Beware: This Fake BAYC Metaverse Land NFT Exploits OpenSea Bug", NFT Evening
"Beware Bored Ape Yacht Club Scam", DappRadar

April 1, 2022

Discord servers of several big-name NFT projects including Bored Apes and Doodles are compromised

Another day, another Discord compromise — or in this case, many Discord compromises. Bored Apes wrote on their Twitter account in the early hours of the morning, "STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised. We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now."

Other Discords reported to be compromised include several other big-name projects including Doodles, which had previously endured a Discord compromise in late February. This particular compromise appeared to stem from a series of compromised Discord bots, including a very popular CAPTCHA bot used to fight spammers. It's unclear if anyone lost money to the fake links posted by seemingly-official Discord accounts, or how much, but these types of attacks often lure in at least some victims, and the higher-priced NFT projects like Bored Apes and Doodles enable scammers to ask for quite a lot of money without raising an eyebrow.

March 31, 2022

Nate Chastain, executive who was canned from OpenSea for alleged insider trading, creates a new NFT platform

Nate Chastain resigned from OpenSea at their request in September 2021 after it was discovered that he had allegedly been buying NFTs based on insider knowledge that they would be featured on the OpenSea front page, then reselling them at a profit. Fortunately for him, the crypto sphere is a great place for scammers and fraudsters to get second and third and fourth chances, and so Chastain is right back at NFTs with a new venture, "Oval". Oval is trying to raise a $3 million seed round and $30 million pre-money valuation, or a $7.5 million seed round and $50 million valuation, depending which pitch deck you look at.

"OpenSea Exec Who Quit After ‘Insider Trading’ Scandal Is Back With NFT Platform", CoinDesk

March 31, 2022

Former Cosmic Cowgirls head community moderator accuses the project of rug-pulling

Illustration of a woman wearing a blue and pink cowboy hat, with blue hair, crying green tears, on a green background

Cosmic Cowgirls #1128 (attribution)

The former head moderator of the Cosmic Cowgirls NFT project Discord, Esh, wrote on Twitter that that the project team had fired all moderators and scrapped all of their roadmaps. The previous roadmap had promised gamification, meetups, merchandise, comics, an animated series, and all sorts of other things, though no headway appeared to have been made on any of them. The team also removed around 300 ETH (a bit over $1 million) in funds from the project wallet.

The Cosmic Cowgirls team hit back with accusations against the head moderator, accusing him of falsifying allegations against the project out of anger at being fired along with the other moderators. The group also claimed that the funds had been moved for security and tax reasons, and sent a vaguely threatening message to the moderator in which they stated that he should "discontinue the spread of false information in attempts to harm us and the project" and "resolve [concerns] ... privately as the terms of our contract are still ongoing and applicable".

March 30, 2022

Lending protocol Ola Finance is hacked for $3.6 million

(attribution)

Ola Finance is a lending protocol that allows others to create their own lending networks. It promises to allow users to create their own loan platforms where "assets can be listed without needing to pass cumbersome and expensive governance schemes or comply with numerous requirements (deep liquidity, high trading volumes, low volatility, etc.)"

One of their networks, built on top of the Fuse chain, was exploited for crypto assets priced at around $3.6 million. By taking advantage of a re-entrancy vulnerability, the attacker was able to take loans on the platform, then withdraw the collateral without paying back the loans. They then took the stolen assets and transferred them to the BNB and Ethereum chains, making them more difficult to recover.

"Ola Finance on Fuse Network suffers $3.6 million hack", The Block

March 29, 2022

Creator of apparent $21 million Bored Bunny rug pull miraculously resurfaces following DOJ action against a different rug pull

A 3D-rendered humanlike bunny, with cow-print skin, a tie-dye shirt, and red irises.

Bored Bunny #3258 (attribution)

Many had written off the Bored Bunny NFT project (and its subsequent spin-off NFT collections) as a rug pull. After releasing several new NFT collections that appeared to be little more than cash grabs, each less popular than the last, the team behind the project grew increasingly distant until going silent for over a month. Meanwhile, the team had pocketed over $21 million, largely thanks to the popularity the project had drummed up through influencer promotions from the likes of Jake Paul and Floyd Mayweather (both of whom, incidentally, are facing separate class-action lawsuits alleging impropriety in their promotions of crypto projects).

Suddenly, the project creator resurfaced on March 29, with a tweet claiming that he had been absent for a month because he had been... reading emails. The team then announced they would be handing the project reins over to a community member, though there was no mention of the $21.1 million that had already been pocketed by the original team.

The unexpected return came only days after the U.S. Department of Justice announced charges against two perpetrators of a different NFT rug pull, in which they stated unequivocally that "the same rules apply to an investment in an NFT or a real estate development. You can't solicit funds for a business opportunity, abandon that business and abscond with money investors provided you."

Tweet thread by zachxbt

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.