Skip to timeline

Web3 is Going Just Great

...and is definitely not an enormous grift that's pouring lighter fluid on our already smoldering planet.

Follow on Twitter, Mastodon, or RSS.

Created by Molly White. Subscribe to her newsletter for weekly recaps.

Scammers capitalize on Binance lawsuit fears to pull off Discord phishing scam

Adding insult to injury in Binance's tough couple of days, someone has managed to hijack the Discord vanity URL used by BNB Chain, the blockchain project associated with Binance. The scammers created a fake Discord channel where they have posted a message: "In order to curb the reactionary market's response to patently false SEC accusations, we are hosting a $BNB airdrop on BSC to show our faith in our technology and community!" The scammers urged members to connect their crypto wallets, ostensibly to receive their share of the roughly 100,000 BNB (nearly $30 million) the scammers claimed they'd allocated to the giveaway.

After this was brought to BNB Chain's attention by crypto sleuth zachxbt, they tweeted that they "acted quickly (within 10 minutes) to ban the offending accounts and remove the posts. We've taken steps to secure the server and protect against any further abuse." However, less than an hour later they put out a new tweet announcing that the URL had been hijacked to redirect to a new server.

"This is a scam, and if you connect your wallet, you will lose your funds. Please exercise caution until we are able to confirm a resolution", they wrote.

Theme tags: Hack or scam
Blockchain tags: Blockchain: BNB Chain

Atomic Wallet hacks total over $35 million

Multiple users of the Atomic Wallet software suffered wallet compromises totaling more than $35 million in a spate of hacks suggesting an issue with the wallet itself. Atomic Wallet is a self-custody wallet, a suggested safer alternative than storing crypto assets in accounts controlled by third party companies. In February 2022, a security firm was forced to publicly disclose issues with the Atomic Wallet software after attempting to address them with the company via traditional routes, but went ignored.

Following the thefts, Atomic Wallet tweeted that they were aware of the reports of wallet compromises, and that they were attempting to learn more about the attacks, but had not yet confirmed any method of attack. They've since taken down the wallet software download page, likely out of concern that the software itself has been compromised.

Crypto sleuth zachxbt compiled a list of reported compromised Atomic Wallets, finding that multiple individuals lost multiple millions in the attack. The largest known individual theft so far involved almost $8 million in USDT (Tether); other individuals lost $2.8 million in USDT and 1,897 ETH (~$3.5 million).

Users of Atomic Wallet have been advised to transfer their assets to other wallets.

On June 6, both zachxbt and blockchain research group Elliptic speculated that the laundering strategy by the thieves resembled that of the North Korea-linked Lazarus Group, which has been responsible for other major crypto thefts.

Theme tags: Hack or scam

unshETH compromised after private key leaked to GitHub

After a developer leaked private keys to GitHub, someone used them to drain $375,000 from the unshETH defi project. The project emergency paused withdrawals of unshETH ether to prevent further damage.

The leaked key allowed the attacker to transfer ownership of project smart contracts to themselves, though they later returned ownership.

unshETH posted a message to the hacker, demanding they return 90% of the stolen funds. They threatened: "We want to be clear, and this is not a bluff: we know who you and some people connected to you (friends) are, and we will absolutely move forward with law enforcement if you have not returned the money by the deadline above. We don't want to do this to you or have to rope your friends in, and would prefer everything be settled and everyone just move forward, but if we don't get the funds back by the above-mentioned time, we will be left with no choice in order to protect our protocol."

"Sounds exactly like someone bluffing would say", wrote one commenter.

Theme tags: Hack or scam
Blockchain tags: Blockchain: Ethereum
Tech tags: DeFi

"Charity NFT project" by supposed cancer patient raises $117,000 with stolen art before being exposed as a fraud

Tweets by Andrew Wang: "I woke up today to see one of my friends trending on twitter, @Hopeexist1. she made a collection to help herself battle cancer and some awesome web3 people spotlighted her today, so i'd like to add to it I'll put my rep on the line to say this is for real amidst all the scams in our space. I speak with her art teacher often when she's gone for treatment and he says she's the best student he's ever had, that her talent is too precious, that she must survive. He cares like a father"Tweets by Andrew Wang promoting the scam (attribution)
A person claiming to be battling cancer created a "charity NFT project" ostensibly to help with her treatment. She convinced some crypto influencers to promote the project, including Andrew Wang, a popular Twitter account with nearly 200,000 followers. Wang tweeted, "I'll put my rep on the line to say this is for real amidst all the scams in our space". He claimed to have spoken with the NFT project creator's art teacher, writing: "he says she's the best student he's ever had, that her talent is too precious, that she must survive."

Several hours later, the project creator deleted her Twitter account, and crypto sleuth zachxbt unearthed evidence that the pixel art she had been selling as NFTs had been stolen from various others. Altogether, the "Pixel Penguins" NFT project she promoted raised around 63.5 ETH (~$117,000).

Wang later apologized for promoting the scam, claiming that he had tried to do due diligence but had been in contact with her for over a year, and had spoken on the phone with someone claiming to be her art teacher. However, zachxbt wrote, "Seems some people called it out last year. Not sure how much he actually 'verified'".

Theme tags: Hack or scam, Yikes
Blockchain tags: Blockchain: Ethereum
Tech tags: NFT

Apparent whitehat exploits El Dorado Exchange, claiming developers built in a backdoor to steal user funds

The new Arbitrum-based El Dorado Exchange (EDE) was exploited for around $580,000. In an interesting twist, the attacker claimed to be a whitehat who was exposing that the developers had "implemented a backdoor that allowed them to force liquidate any position they desired. This activity involved intentionally signing incorrect prices to manipulate users' positions and steal their funds".

The attacker promised to return all funds, minus a 10% "white hat fee", if the developers "admit to manipulating the prices", and also offered to disclose other vulnerabilities they claimed to have found in the project.

The project founders wrote in response: "Yes we acknowledge making an ill-advised decision to manipulate the price. However our intention was to blacklist those who had previously exploited the system, fully aware that all transactions are recorded on the blockchain. We did not aim to misappropriate users funds as this would leave a traceable record. We will promptly remove the problematic bomb contract."

The exploiter began returning funds shortly afterwards.

Theme tags: Hack or scam, Shady business
Blockchain tags: Blockchain: BNB Chain, Ethereum
Tech tags: DeFi

Jimbos Protocol exploited for $7.5 million

Three days after the launch of its v2 protocol, the Arbitrum-based Jimbos Protocol was exploited for 4,090 ETH (~$7.5 million). The project had not properly controlled for slippage, which enabled an attacker to use a flash loan to manipulate the trading pairs on the project. The attacker then bridged the stolen funds to the Ethereum chain.

After the attack, Jimbos Protocol tweeted "We are aware of the exploit regarding our protocol and are actively in contact with law enforcement and security professionals. We will release further information when possible." They also sent an on-chain message to the exploiter, offering to stop all investigations if the hacker returns 90% of the stolen funds.

Theme tags: Hack or scam
Blockchain tags: Blockchain: Ethereum
Tech tags: DeFi

Hackers steal around $170,000 after compromising Steve Aoki's Twitter account

Headshot of Steve AokiSteve Aoki (attribution)
Twitter account compromises remain a lucrative way to scam crypto enthusiasts. Someone was able to compromise the Twitter account belonging to electronic musician and crypto enthusiast Steve Aoki, posting a fake link to his NFT project that drained unsuspecting traders' wallets.

The scam was helped along by ben.eth, a Twitter personality who retweeted one of the tweets by the compromised account in which Aoki appeared to endorse a token created by ben.eth. According to crypto sleuth zachxbt, multiple followers of ben.eth were impacted by his retweet, which zachxbt characterized as "quote tweet[ing] a phishing scam posted by the compromised @steveaoki account for clout". Ben.eth ultimately promised to reimburse his fans who lost money thanks to his tweets.

Theme tags: Hack or scam
Blockchain tags: Blockchain: Ethereum

Morgan DF Fintoch likely exit scams for around $31 million

A Ponzi scheme called Morgan DF Fintoch lured consumers by claiming to be owned by the American banking giant Morgan Stanley. Morgan Stanley themselves warned of the scheme, writing that it was an impersonator, and that any claims of affiliation were false. The government of Singapore also issued a warning about the firm in early May. The company advertised a wallet which they claimed would "pay 1% per day,36% 30 Days and 100% in 63 days".

On May 23, crypto sleuth zachxbt tweeted that the project appeared to have executed their exit scam, bridging around 31.6 million Tether to various addresses. Platform users began to report that they could not withdraw funds.

Theme tags: Hack or scam, Rug pull, Shady business

Brand new $CS token exploited for almost $700,000

An attacker exploited the brand new $CS token for almost $700,000 using a flash loan exploit. They then swapped the funds into around 383 ETH ($689,400) and laundered them through Tornado Cash.
Theme tags: Hack or scam
Blockchain tags: Blockchain: Ethereum

Tornado Cash DAO suffers hostile takeover

A proposal ostensibly to penalize cheating network participants in the Tornado Cash crypto tumbler project successfully passed by DAO vote. However, the proposer had added an extra function, which they subsequently used to obtain 1.2 million votes. Now that they have more than the ~700,000 legitimate Tornado Cash votes, they have full control of the project.

The attacker has already drained locked votes and sold some of the $TORN tokens, which are governance tokens that both entitle the holder to a vote but also were being traded for $5–$7 around the time of the attack. The attacker has since tumbled 360 ETH (~$655,300) through Tornado Cash to obscure its final destination. Meanwhile, $TORN plummeted in value more than 30% as the attacker dumped the tokens.

The attacker now has full control over the DAO, which according to crypto security researcher Sam Sun grants them the ability to withdraw all of the locked votes (as they did), drain all of the tokens in the governance contract, and "brick" (make permanently non-functional) the router.

Theme tags: Hack or scam, Hmm
Blockchain tags: Blockchain: Ethereum
Tech tags: DAO

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.