133 NFTs valued at $2.4 million stolen when hacked Bored Apes Instagram advertises fake land airdrop

An illustrated ape with green fur covered in sores, wearing an orange beanie and 3D glassesBAYC #7203 (attribution)
The Bored Ape Yacht Club's Instagram account was compromised and used to advertised a fake airdrop for metaverse land. This was particularly believable, as the much-anticipated project announced it would be launching this week.

The post invited people to visit a website that prompted users to connect their wallets in order to receive the airdrop. Users who did so found their NFTs transferred out of their wallet to the scammer. So far, 44 people have fallen for the scam site, transferring a total of 133 NFTs with an estimated value of around $2.4 million. The stolen NFTs included items from pricey collections including Bored Apes, Mutant Apes, Bored Ape Kennel Club, and CloneX. Several of the NFTs had previously been sold for over $100,000 each.

Hacker pulls $1 million from defi project, then destroys contract without withdrawing the funds

An attacker targeted the ZEED defi projects, successfully using a flash loan attack to pull just over $1 million from the project. With the funds transferred to the attack contract, the hacker then called the contract's self-destruct function, making it impossible for the funds to ever be withdrawn. It's unclear if this was intentional and done as a sort of statement, or if the attacker intended to take the profit for themselves but forgot to do so before destroying the contract.

Scammers phish $4.3 million from Terra users in ten days using Google Ads

A screenshot of Google results for the search "astorport" showing an advertisement resembling the proper Google result, with an arrow reading "SCAM"Phishing results in Google ads (attribution)
Scammers ran Google ads for popular search queries relating to the Terra ecosystem. When users searched for things like "Anchor protocol" or "Astroport", the first result was actually a Google ad purchased by scammers impersonating the real protocols. The scammers were even able to make the domains resemble the correct domains, though these changed once the users clicked the advertisement. Users were then prompted to enter their seed phrases to connect their wallets, after which point the scammers were able to empty the wallets.

52 different people fell for the scam, losing a total of around $4.3 million in assets. The scammers appeared to be targeting high-value wallets, with only two accounts transferring less than $1,000. 24 individual wallets were scammed for more than $10,000 each, 7 wallets lost more than $100,000, and one user lost almost $1.4 million.

NFT influencer 0x_fxnction suffers $240,000 wallet compromise

NFT influencer 0x_fxnction reported that his wallet had been compromised, and 2349 SOL (~$240,000) had been stolen. The money had primarily been profit from the DeGods project, he said, and was unwisely stored in one hot wallet because it was "meant to help buy a house and was being withdrawn in the next weeks".

He said he hadn't used the wallet to mint any NFTs since October, and said he had revoked all access to minting websites since then. He wrote that he was unsure how the compromise had happened: "My best guess: an old minting site from October still had access to my wallet, even after 'revoking' happened in Phantom.... But honestly, it's just a guess."

Developers drain over $1.1 million from $CHEDDA

The price of the $CHEDDA token suddenly plummeted 50% when a developer removed $1.17 million from the project. The withdrawal was accomplished with a function only available to privileged wallets—that is, those belonging to the project team or its developers.

Members of the Chedda team claimed on Discord that they were not behind it, and that it had been done by an outsourced development team who was working on the projects farming and staking. "They technically should've been within contract, but they robbed us," wrote Discord moderator Ali Michelle (referring to legal contracts rather than smart contracts). "They were in contract so it would be illegal and full on theft, i believe". Despite the devastating loss, Michelle urged remaining members of the community to "hodl and help us bring this back to life!"

The project had been audited by CertiK, who were quick to note that the contract containing the function used to drain funds was "not in CertiK’s audit scope".

$650,000 phishing attack against MetaMask user reveals that credentials are automatically backed up to iCloud

An ape with fur resembling magma and volcanic rock, with a green muzzle, with leeches coming out of its nose and mouthMutant Ape #28478 (attribution)
Some MetaMask users using iOS were shocked to discover that their MetaMask credentials were automatically being stored to iCloud today, after MetaMask acknowledged this was the case in the wake of a costly phishing attack. Domenic Iacovone lost cryptocurrency and several pricey NFTs after a successful social engineering attack by scammers pretending to be Apple support earned them access to his iCloud account. From there, they were able to access his iCloud data, and use the stored MetaMask credentials to drain his wallet. The trader lost $650,000 worth of cryptocurrency and NFTs, including Mutant Apes and Gutter Cats, to the attack.

It's not yet clear if others have been affected by the same type of attack, but MetaMask tweeted instructions for iCloud users on how to turn off the automatic backups. Most people seemed to have previously been unaware that this data was being backed up in iCloud. MetaMask turned off replies on their tweet announcement, apparently anticipating the outrage from their users. Iacovone was among the outraged, writing, "Keep exposing MetaMask until they do what is right and take care of this issue and the people affected by it".

2omb and Redemption defi projects endure repeated flash loan attacks

Redemption provides the liquidity pools for 2omb, a Fantom-based algorithmic stablecoin project with big promises: "What if you could invest in a golden goose? Something you can acquire that will actually print you more money to either invest or use?"

Starting on April 18, the projects were targeted with a series of flash loan attacks. The project faced a total of 267 flash loan attacks within one day, leading to major volatility in the ostensibly stable coin. In an impressive display of optimism, a project team member wrote, "This has caused a large price pump. (Also benefited with 3% more burned tokens in fees.) The outcome and intent of the person who has done this, is unknown and it may work in our favour, Do not panic, and do not buy or sell until stable." The attacker made a profit of around $190,000 from the attacks.

Beanstalk Farms stablecoin project loses $182 million to exploit

All my magic beans gone. An attacker successfully used a flash loan attack to exploit a flaw in Beanstalk Farms' stablecoin protocol, which allowed them to make off with 24,830 ETH (almost $76 million). The attacker then donated $250,000 to Ukraine before moving the remaining funds to Tornado Cash to tumble.

Estimated damages to the project were higher than the amount the hacker was able to take for themselves—around $182 million. The $BEAN token, once pegged to $1, dropped to nearly 0. The project creator wrote in the Discord, "We are fucked. This project has not had any venture backing, so it is highly unlikely there is any sort of bail out coming." However, they were later slightly more optimistic, writing, "it may also be the start of something good... there may be a path forward. We don't want to comment on next steps until that path is at least visible to us" while reiterating that a bail-out was "highly unlikely". They also told members of their community that they had contacted the FBI about the theft.

Rikkei Finance exploited for $1 million

Rikkei Finance, which describes itself as a metaverse defi project, was apparently exploited. 2,571 BNB, priced at around $1.07 million, was transferred out of the protocol and quickly moved to a tumbler.

RCMP says more than $2 million has been lost to crypto scams in Richmond, B.C. since January

The police in Richmond, British Columbia say they've received 22 reports of crypto fraud, which have included fake investment schemes, romance scams, or scammers impersonating government officials. One individual targeted by a fake investment scheme lost CA$550,000, which he thought he was investing in foreign exchange companies that turned out to all be fake.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.