Skip to timeline

Web3 is Going Just Great

...and is definitely not an enormous grift that's pouring lighter fluid on our already smoldering planet.

Created by Molly White. Subscribe to her newsletter for weekly recaps.

Start from the top

Uranium Finance hacker cashes out in Magic: The Gathering cards

Stacks of <i>Magic: The Gathering - Fallen Empires</i> booster boxesMagic: The Gathering booster boxes (attribution)
In April 2021, an attacker stole $50 million from the defi exchange Uranium Finance. Blockchain investigator zachxbt now says that he believes this attacker has been able to cash out his ill-gotten funds... in an unusual way.

After tracing the attacker's attempts to launder the money through Tornado Cash and then obfuscate that it had come from the mixing service (something that raises flags at some exchanges), zachxbt observed the funds go to a broker of Magic: The Gathering based in the United States. Altogether, the hacker appeared to be spending millions on starter decks, alpha sets, and sealed boxes — often overpaying by 5-10%. These items routinely sell for hundreds or thousands of dollars.

The thief is probably a creative money launderer rather than an massive MTG fan, and is probably reselling the cards to further obscure the source of the money. Then again, MTG is more than a little addictive.

Theme tags: Hack or scam
Blockchain tags: Blockchain: BNB Chain
Tech tags: DeFi

Rob Robb robs victims of $1.2 million

If you're named Rob Robb, do you have any choice but go into a life of thievery?

Robb, also known as "pokerbrat2019", convinced at least 11 people to give him a total of $1.2 million, which he said he would use to develop various MEV bots. Instead of doing so, he pocketed the money, offering a litany of excuses for why the project was continually delayed.

Robb had previously been convicted of a $4 million scam in 2002 after soliciting funds for an online gambling platform, instead using the money to buy a car and fund his own gambling.

Theme tags: Hack or scam

Users of the Safe Wallet lose cumulative $2 million to address poisoning

Users of the (not so) Safe Wallet have lost $2.05 million altogether in the past week as they've been targeted by an attacker using an address poisoning attack. The same attacker was also behind such an attack on the Florence Finance real-world lending protocol, in which they stole $1.45 million.

According to research group ScamSniffer, the attacker has stolen at least $5 million from at least 21 victims in the past four months.

Theme tags: Hack or scam

Florence Finance loses $1.45 million to address poisoning

An apparent address poisoning attack on the Florence Finance real-world asset lending protocol led to the loss of $1.45 million in the USDC stablecoin.

As of December 4, Florence Finance had not publicly acknowledged the theft.

Theme tags: Hack or scam
Blockchain tags: Blockchain: Ethereum
Tech tags: DeFi, lending

Hounax crypto scam steals $19 million

A scam Hong Kong cryptocurrency platform called Hounax swindled its customers out of HK$148 million (US$19 million). The group drew in customers by offering financial expertise on social media and awarding prize money to those who signed up to the platform. While some customers successfully tested whether they could withdraw their funds earlier on, the platform later stopped allowing customers to withdraw, or told them they would need to pay additional fees to do so.

The Hong Kong Securities and Futures Commission added Hounax to its warning list on November 1, a move that victims have criticized as much too late to stop the damage.

Theme tags: Hack or scam

KyberSwap hacked for $50 million

The KyberSwap decentralized exchange was hacked by an attacker who stole large sums of ETH, wETH, and the USDC stablecoin. Altogether, the assets are valued at around $54.7 million. The attacker was able to exploit a complex bug in a feature for liquidity pool providers. Prior to the hack, KyberSwap had approximately $80 million in TVL.

Shortly after the attack, the thief sent a message: "Negotiations will start in a few hours when I am fully rested." The KyberSwap team later responded to offer a 10% bounty, also seeming to praise the attacker: "You have done one of the most sophisticated hacks ser. That was high EV and everyone missed it."

The thief had other plans, though, ultimately issuing a list of "demands" which included "complete executive control" over the company and "surrender of all ... assets" to the hacker. They wrote that they had big plans for the network, and although they planned to dismiss all executives, they wrote that employees would be offered double salaries to continue their work. The hacker signed the message "Kyber Director".

Meanwhile, KyberSwap regained around $4.7 million after negotiations with the operators of front-running bots, who agreed to return 90% of the funds they obtained through frontrunning the hacker's transactions.

Theme tags: Bug, Hack or scam
Blockchain tags: Blockchain: Ethereum
Tech tags: DeFi

HTX (fka Huobi) and Heco Chain hacked for $115 million

Justin Sun confirmed that HTX (formerly Huobi) and its related Heco Chain protocol were hacked for a combined $115 million. It's been a rough few weeks for Sun, whose Poloniex exchange was hacked for around $120 million on November 10, and a rough few months for HTX, which was hacked for $8 million in late September.

HTX suspended withdrawals as they investigated the hack, and wrote that the company would "fully compensate for HTX's hot wallet losses". Security firm Cyvers said they believed the theft was enabled by a private key leak.

Theme tags: Hack or scam
Blockchain tags: Blockchain: Ethereum

dYdX insurance fund loses $9 million in apparent attack

Around 40% of the "insurance fund", intended to protect dYdX users from having to backstop other traders' losing trades, was drained in what dYdX CEO described as "pretty clearly a targeted attack against dYdX". An attacker manipulated the market for the Yearn Finance token, which is not normally heavily traded on dYdX, but which experienced a surge in trades around the attack. By taking advantage of flaws in dYdX's risk management, the attacker was able to rack up big losses and then force the dYdX insurance fund to pay out.
Theme tags: Hack or scam
Blockchain tags: Blockchain: Ethereum
Tech tags: DeFi

Kronos trading firm suffers key breach

The cryptocurrency trading firm Kronos Research announced on Twitter that they had stopped trading while they investigated "unauthorized access of some of our API keys". They claimed that "potential losses are not a significant portion of our equity". They later confirmed the loss at around $26 million.
Theme tags: Hack or scam

Network of fake Twitter accounts impersonating crypto security firms phish panicked victims

A screenshot of Twitter's trending topics sidebar, showing that #OpenSeaSecurityBreach, #OpenSeaHackAlert, and #CryptoSafetyConcerns were trendingTwitter trending topics on November 14 (attribution)
On the evening of November 14 I logged on to Twitter to notice that #OpenSeaHackAlert and related hashtags were trending. But they were trending not because OpenSea had truly been hacked, but because a huge network of fake accounts with usernames similar to those of PeckShield, CertiK, and zachxbt — well-known accounts that alert crypto traders to possible scams — were spamming the hashtag. Hoping to spark panic into crypto holders who had used the popular service, as well as other services like Uniswap which they were claiming were breached, the phishers shared links to sites that would supposedly help users revoke access to their wallets by those services, securing their assets. Instead, however, those malicious sites would drain the wallets.

According to researcher zachxbt, who himself was one of the impersonated, the scammers have stolen more than $300,000 in various assets using this technique.

This is not the first time such a technique has been used — a scammer attempted a similar, though less successful, scheme in April 2022. Scams like this take advantage of the poor UX in the crypto world for tracking and revoking wallet permissions that have been granted, requiring people to use third-party websites created for this purpose. Some of them are legitimate, but there are many malicious copies of these revocation sites that prey upon users who may be acting quickly in fear that their assets are at risk.

Theme tags: Hack or scam

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.