Web3 is Going Just Great

February 24, 2025

Almost $50 million stolen from Infini "stablecoin neobank"

Around $49.5 million in the USDC stablecoin was stolen from the Infini crypto-focused "stablecoin neobank", a fintech company that promises "financial freedom" by "democratizing banking" and "redefining the future of digital finance".

Infini experienced a different form of "financial freedom" when attackers liberated almost $50 million from the company after a thief with access to a wallet with admin rights drained tokens, then swapped them for the DAI stablecoin, which unlike USDC cannot be frozen by its issuer.

The attack came only a day after a celebratory tweet from the company in which it had announced that they had achieved $50 million in total value locked, suggesting that the theft affected substantially all of the assets on the platform. Despite this, they have claimed that transactions on the platform are unaffected, and when someone asked how that was possible, they simply replied: "We've got solid runway to operate. No worries."

Infini attempted to contact the thief via on-chain message, threatening that they had "gathered critical IP and device information" about them, and asking them to return 80% of the funds in exchange for a promise that Infini "will cease further tracking or analysis, and you will not face accountability". However, Infini's 48-hour deadline has come and gone without any reply.

"0xInfini Incident Analysis", CertiK
Tweet by Infini [archive]
Messages from Infini to the exploiter

May 17, 2024

Crypto scam money launderers charged for laundering more than $73 million through Deltec

(attribution)

Two people were charged in California for laundering money obtained from cryptocurrency and fiat "pig butchering" scams. After receiving the money from the investment scammers, the launderers then allegedly helped to obfuscate at least $73 million in transactions by moving the money through Deltec Bank in The Bahamas and converting it into the Tether stablecoin.

Deltec is a well-known bank in the cryptocurrency world, mostly for its ties to Tether and to FTX. In July 2023, US authorities seized tens of millions from Deltec accounts in connection to a cryptocurrency money laundering investigation. It's not clear if that was the same investigation.

"Two Foreign Nationals Arrested for Laundering At Least $73M Through Shell Companies Tied to Cryptocurrency Investment Scams", U.S. Department of Justice [archive]

March 15, 2024

Someone accidentally burns $1.36 million Tether

Someone accidentally threw away $1.36 million when they accidentally sent Tethers to the Tether contract address — making them permanently inaccessible in a process known as "burning". This is a rather common phenomenon in crypto, where it's easy to accidentally copy/paste the wrong address.

Most experienced crypto users have adopted the habit of sending small test transactions before transferring large amounts of tokens, to first check that they're using the correct address. Oddly, this person did so in this case, but then went right ahead and transferred the remaining tokens to the erroneous address.

The person may have lucked out that they were using a centralized stablecoin like Tether, whose operators hold a substantial amount of control over freezing, destroying, and creating new Tethers — and could feasibly replace the burned tokens.

Tweet thread by Charles Wang [archive]
Telegram post by zachxbt

January 30, 2024

Abracadabra exploited for almost $6.5 million, Magic Internet Money stablecoin depegs

(attribution)

Well that sure is a headline I just had to write.

The Magic Internet Money ($MIM) stablecoin has lost its dollar peg again, dipping all the way below $0.77 in a flash crash before returning to around $0.95.

The depeg appears to be related to an exploit of the Abracadabra lending protocol, which allows people to borrow $MIM. An attacker exploited an apparent flaw in the platform's smart contracts to drain around $6.5 million.

This is the second time the token has depegged, after a June 2022 incident shortly after the Terra collapse.

"Abracadabra's $6.49M loss leads to MIM stablecoin destabilization", Cointelegraph [archive]

January 16, 2024

TrueUSD loses peg (again) as traders sell due to fears over its stability

(attribution)

TrueUSD, a stablecoin connected to Justin Sun, deviated from its intended $1 peg to around $0.983 as traders sold off more than $100 million of the token seeking safer options. The fears seemed to be sparked by the rapidfire and massive hacks of the Justin Sun-connected HTX (hacked for $115 million) and Poloniex (hacked for $120 million) in November.

Adding to those is the fact that TrueUSD recently paused its real-time reserves attestations, due to systems reporting liabilities that exceeded assets, though TrueUSD (obviously) claimed this was just an error.

"TrueUSD drops below $1 peg to $0.985 amid selloff", The Block [archive]
"TrueUSD attestations paused again, this time for improper 'balances'", Protos [archive]
"TrueUSD stablecoin depegs as holders dump $330M in TUSD", Cointelegraph [archive]

December 25, 2023

Tether mints itself a $1 billion Christmas present

(attribution)

I wish I could give myself a billion dollars for Christmas, too.

On December 25, Tether minted 1 billion of its USDT dollar-pegged stablecoin. CEO Paolo Ardoino announced on Twitter that the mint was an "authorized but not issued transaction, meaning that this amount will be used as inventory for next period issuance requests and chain swaps". This seems to be a recent trend for Tether, as similar language was used for a $1 billion mint in September.

The activity has raised more questions around where the real money backing Tether is coming from, and if it even exists at all. Some have argued that these recent Tether mints are being used to artificially inflate the price of Bitcoin, which has been on an upward trend since mid-October.

Tether, which boasts a market cap of more than $90 billion, has never been audited, and has lied about its backing in the past.

"Tether mints $1B USDT for ‘inventory replenish’ — CEO Paolo Ardoino", Cointelegraph [archive]

December 5, 2023

The AEUR stablecoin isn't

Chart of the AEUR price in USDT, showing it maintaining its €1 (~$1.08) peg before spiking to over €3, dropping somewhat, and trending back upwards

I don't think "stable"coins are supposed to do that (attribution)

Binance says traders must have missed the memo on the AEUR stablecoin, which was intended to be pegged to the Euro. Shortly after it was listed on Binance, high demand caused the token — which had a limited supply of 5 million — to begin trading for as high as €3 per token. "[U]sers ... might not have realized its standing as a stablecoin" wrote Binance in an announcement, published the day after the exchange suspended trading in the token due to "abnormal volatility".

Binance announced a compensation plan for users who purchased the token during an eligibility period and who were unable to resell, in an apparent attempt to placate the angry traders who accused Binance of "scamming" them by halting trading.

AEUR was issued by Anchored Coins, a Swiss stablecoin issuer.

November 20, 2023

DOJ cracks down on $225 million crypto romance scam

(attribution)

At least according to the rather shady Tether stablecoin provider, the U.S. Department of Justice has been working on an investigation into a massive "pig butchering" romance scam and human trafficking operation based out of Southeast Asia.

According to Tether, they "voluntarily fr[oze] approximately 225 million in USDT tokens" in connection to the investigation.

Some romance scammers hoping to lure victims into sending them cryptocurrencies are themselves victims of human trafficking operations, where they are held victim and forced to send such messages.

"Following Investigations by Tether, OKX, and the U.S. Department of Justice, Tether Voluntarily Freezes 225M in Stolen USDT Linked to International Crime Syndicate", Tether [archive]

November 11, 2023

Raft exploited for $3.3 million, then hacker screws up

(attribution)

An attacker exploited the Raft defi project after finding a vulnerability that allowed them to mint 6.7 million of Raft's R stablecoin without any backing.

The attacker then went to convert the R into ETH, which they would then be able to launder and cash out. However, an error in the attacker's code caused 1,570 ETH ($3.25 million) to be sent to the burn address, rendering it permanently inaccessible to everyone including the hacker. Only 7 ETH remained. However, because they had to spend ETH to fund the attack, the hack ultimately resulted in a loss of 4 ETH (~$8,000) for the perpetrator. Oops.

As a result of the hack, the R stablecoin lost its dollar peg, plummeting down to around $0.70. Raft acknowledged the attack and announced that they had paused minting.

October 16, 2023

TrueUSD tries to claim no affiliation with tokens created by its deployer address, raising further questions

(attribution)

A new, Euro-pegged stablecoin called $TEURO emerged on October 13, with an initial supply of around €70 million. However, TrueUSD subsequently tweeted that "we have zero affiliation with it". The post warned people to "step back and refrain from risky investments".

However, the post raised only more questions, as the $TEURO token had been deployed by the address that deployed the primary TrueUSD token. This means that either TrueUSD is lying when they claim they're unaffiliated with $TEURO, or some of their private keys were compromised, allowing an unrelated party to deploy a contract appearing to belong to them.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.