General Bytes crypto ATMs exploited for over $1.6 million

[Image: General Bytes Bitcoin ATM, a unit with a bright orange face labelled "Bitcoin ATM" and a screen listing the cryptocurrencies that can be purchased]
The largest manufacturer of Bitcoin ATMs, General Bytes, disclosed that attackers had stolen more than $1.6 million by exploiting a vulnerability in their software. The company released a statement on March 18 disclosing the breach, and urging operators of their ATMs to immediately upgrade their software to patch the devices.

In addition to standalone servers, General Bytes' cloud service was impacted, and the company announced that it would be permanently shuttering it. "It is theoretically (and practically) impossible to secure a system granting access to multiple operators at the same time where some of them are bad actors," wrote the company in their statement explaining the decision, apparently unaware that this is something software companies find themselves doing all the time.

This exploit was the second breach suffered by General Bytes this year, after hackers exploited a vulnerability in August 2022 that allowed them to steal customer funds. It's unknown how much was stolen in that attack. The company also patched multiple hardware and software issues in their ATMs in September 2021, after Kraken Security Labs discovered issues including poor security practices that would allow attackers to "walk up to an ATM and compromise it".

Thousands lose money to iEarn Bot crypto scam

According to a report by the BBC, a scam called iEarn Bot has impacted thousands of victims across multiple countries. In the scam, victims are convinced to sign up for an "AI intelligent quantitative trading robot" called iEarn Bot, which appears to successfully trade cryptocurrencies on their behalf. However, after a time, victims realize they are not able to withdraw their supposed earnings, nor the funds they've put in.

According to the BBC, dozens of high-profile individuals in Romania, including members of the government and academics, lost money to the scam after it was promoted by technology expert Gabriel Garais — who also says he lost money in the scheme.

iEarn Bot claims to be a US-based company, although its website is full of false information. The person named as the company's founder told the BBC he has nothing to do with the scheme, and companies and institutions listed as "strategic partners" say there is no such partnership.

The BBC identified one cryptocurrency wallet that received payments from around 13,000 others totaling nearly $1.3 million.

Thwarted hacker asks security firm to reimburse gas fees

File this one under "the audacity".

On March 17, blockchain security company BlockSec observed an attacker trying to exploit a vulnerability in the NFT lending project Paraspace. Although they had successfully identified a vulnerability that could have allowed them to steal 2,900 ETH (a bit over $5 million), their attempt to execute the hack failed because they didn't correctly estimate what it would cost them in gas fees.

After observing the attempt, BlockSec carried out a whitehat rescue, executing the same attack themselves to remove the funds from Paraspace and hold them securely until they could be returned to the project team.

Incredibly, the exploiter sent an on-chain message to BlockSec: "hey man, I am the one who made the contract you just copied, I couldn't make it work for a stupid gas estimation error. since I lost a lot of money trying to make it work, it would be cool to get at least some of them back... best of luck". Altogether, the would-be attacker spent around 0.7 ETH (~$1,200) on gas fees while trying to pull off the hack.

Phishers take advantage of fears surrounding the USDC de-peg

When USDC deviated from its dollar peg on March 10, phishers were quick to devise a scheme to take advantage of holders' fears. A group launched a website appearing to be the blog belonging to Circle, the company that backs USDC. On the fake blog, they announced a supposed defi exchange where users would be able to exchange their USDC for stablecoins like Tether.

Holders trying to use the exchange approved transactions which they didn't realize allowed the phishers to drain their ETH. So far, the scammers have stolen around 74 ETH ($130,500).
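The page does not say which contract call the victims signed; what follows is an added example, not part of the original post, that assumes the common pattern of a phishing site requesting an ERC-20 `approve()` for an attacker-controlled spender. It decodes raw calldata for that function and flags the two things a wallet prompt or pre-signing check should surface: a spender that is not a known contract, and an unlimited allowance. The addresses are constructed placeholders.

```python
# Added example (not from the original post): decode ERC-20 approve() calldata
# and flag the approval patterns that make "drain the wallet" phishing work.

APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1       # the "unlimited" allowance many dapps request


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata (ABI layout: selector + two 32-byte words)."""
    word_addr = spender.lower()[2:].rjust(64, "0")   # address is right-aligned in its word
    word_amt = format(amount, "x").rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + word_addr + word_amt


def decode_approve(calldata: str):
    """Return (spender, amount) for an approve() call, or None if it is something else."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[32:72]          # last 20 bytes of the first argument word
    amount = int(data[72:136], 16)        # second argument word as an integer
    return spender, amount


def review_approval(calldata: str, known_spenders) -> list:
    """Return human-readable warnings a signer should see before approving."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return ["not an approve() call"]
    spender, amount = decoded
    warnings = []
    if spender not in {s.lower() for s in known_spenders}:
        warnings.append(f"spender {spender} is not a known contract")
    if amount == MAX_UINT256:
        warnings.append("unlimited allowance requested")
    return warnings


# Constructed placeholders: one "legitimate" router address and one phishing spender.
KNOWN_SPENDERS = {"0x" + "11" * 20}
PHISH_SPENDER = "0x" + "ab" * 20
SAMPLE_CALLDATA = encode_approve(PHISH_SPENDER, MAX_UINT256)

if __name__ == "__main__":
    for warning in review_approval(SAMPLE_CALLDATA, KNOWN_SPENDERS):
        print("WARNING:", warning)
```

A transaction that passes both checks can still be malicious, so the known-spender list is only a first filter; the point is that an unlimited allowance to an address the user has never interacted with is exactly the signature of the fake-Circle scheme described above.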

Over $35 million lost as contagion from Euler hack spreads throughout defi

Contagion from the massive exploit of the Euler project has spread to around a dozen defi projects, including Balancer, Angle Protocol, Yearn Finance, InverseFinance, and others. Some are still evaluating if and how they may be affected, and how much they've lost.

Around $11.9 million of tokens were sent from the Balancer defi liquidity project to Euler during the attack, prompting Balancer to pause the project.

The Angle Protocol decentralized stablecoin project also disclosed that almost half of the total value locked in the project — around $17.6 million in the USDC stablecoin — was sent to Euler during the hack.

Euler Finance exploited for almost $200 million

The decentralized lending platform Euler Finance suffered a flash loan attack in which an exploiter stole $197 million from the project. The attacker stole $8.7 million in the Dai stablecoin, $18.5 million in wrapped Bitcoin, $135.8 million in Lido staked Ethereum (stETH), and $33.8 million in the USDC stablecoin. Although Euler was well known for its many code audits, the project had later added a vulnerable function that had not been as heavily audited.

Euler announced that they were aware of the exploit, and were "working with security professionals and law enforcement".

PeopleDAO loses $120,000 after payment spreadsheet is shared publicly

PeopleDAO is the successor to ConstitutionDAO, a group that made an ill-fated attempt to buy a copy of the US Constitution in November 2021. When the accounting lead for PeopleDAO accidentally shared an editable accounting spreadsheet link in a public Discord channel, an enterprising member of the Discord decided to take advantage. They inserted a row with their own wallet address for a 76 ETH (~$120,000) payment, then hid the row so it wouldn't display to the other viewers.

When team leads reviewed the spreadsheet to sign off on the payments, they didn't see the row, and there was no rollup showing total payments or anything else that would've helped them catch the malicious activity. The transactions were uploaded to a tool allowing asset transfers via CSV, and the required six out of nine multisig members approved the transaction.
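The failure above is a control gap as much as a Discord slip: a hidden row survives CSV export, and nobody reconciled the batch total before the multisig signed. As an added example (not PeopleDAO's tooling, and the payout tool itself is not named on the page), here is the kind of pre-signing validator that would have caught the injected row: it parses the CSV batch, rolls up the total against the figure the treasury expected, and flags payees not on an approved list or payments over a per-row limit. The addresses, amounts and limits are constructed.

```python
# Added example (not from the original post): validate a CSV payout batch before
# it reaches the multisig. CSV export includes rows hidden in the spreadsheet UI,
# so a total rollup and a payee allowlist catch the hidden-row trick described above.
import csv
import io
import re
from decimal import Decimal

# Constructed sample batch. The last row stands in for the hidden row: a large
# payment to an address the treasury has never paid before.
SAMPLE_BATCH_CSV = """address,amount_eth,memo
0x1111111111111111111111111111111111111111,12.5,contributor payout
0x2222222222222222222222222222222222222222,8.0,contributor payout
0x3333333333333333333333333333333333333333,4.25,bounty
0xabababababababababababababababababababab,76,contributor payout
"""

# Constructed allowlist and the total the treasury lead expected to approve.
APPROVED_PAYEES = {
    "0x1111111111111111111111111111111111111111",
    "0x2222222222222222222222222222222222222222",
    "0x3333333333333333333333333333333333333333",
}
EXPECTED_TOTAL_ETH = Decimal("24.75")

ADDRESS_RE = re.compile(r"0x[0-9a-f]{40}")


def validate_payout_batch(csv_text: str, approved_payees, expected_total: Decimal,
                          max_single: Decimal = Decimal("20")):
    """Return (batch_total, findings). An empty findings list means the batch is clean."""
    approved = {a.lower() for a in approved_payees}
    total = Decimal("0")
    findings = []
    # Line numbers start at 2 because line 1 is the CSV header.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        addr = row["address"].strip().lower()
        amount = Decimal(row["amount_eth"].strip())
        total += amount
        if not ADDRESS_RE.fullmatch(addr):
            findings.append(f"line {line_no}: malformed address {addr!r}")
        elif addr not in approved:
            findings.append(f"line {line_no}: {addr} is not on the approved payee list")
        if amount > max_single:
            findings.append(f"line {line_no}: {amount} ETH exceeds the per-payment limit of {max_single} ETH")
    # The rollup the reviewers lacked: the batch must sum to what was signed off.
    if total != expected_total:
        findings.append(f"batch total {total} ETH does not match expected {expected_total} ETH")
    return total, findings


if __name__ == "__main__":
    batch_total, problems = validate_payout_batch(SAMPLE_BATCH_CSV, APPROVED_PAYEES, EXPECTED_TOTAL_ETH)
    print(f"batch total: {batch_total} ETH")
    for problem in problems:
        print("BLOCK:", problem)
```

The expected total has to come from outside the spreadsheet (the budget the leads actually approved), otherwise an attacker who can edit the sheet can edit the rollup too; the allowlist and per-payment limit are the independent checks that do not depend on anything in the file being validated.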

PeopleDAO have reported that they're working with various security researchers to track the funds, and have reported the theft to the FBI and FTC.

Hedera Network halts access after exploit

The Hedera network turned off access to the Hedera mainnet on March 9 after observing "smart contract irregularities". They subsequently confirmed that the Hedera smart contract service had been attacked by exploiters who were able to transfer individual users' tokens to their own accounts. Some individuals using cold wallets even claimed their tokens had been stolen.

Hedera has not disclosed how much was stolen. Total value locked (TVL) on the network dropped 33% from $36.1 million to $24.6 million.

Some balked at Hedera's ability to simply turn off user access to the network, despite claiming to be a decentralized project.

BitBNS discloses that they were hacked in February 2022, hid it as "system maintenance"

An investigation by crypto sleuth zachxbt uncovered that the Indian crypto exchange BitBNS had been hacked on February 1, 2022, but hid it from users. After experiencing a $7.5 million theft, the exchange tweeted "system maintenance in progress", suggesting they were having problems with Amazon Web Services.

After zachxbt's investigation, BitBNS admitted that they had hidden the hack from customers. "Law enforcement advised us that the users should be educated about the incident only after the investigation is completed or reaches a dead end," said BitBNS CEO Gaurav Dahake, who also said that some funds were ultimately recovered thanks to law enforcement and cooperation from other exchanges.

Two BNB-based projects attacked for around $700,000 each

Two BNB-based defi projects have been exploited for around $700,000 each in attacks that one of the projects has claimed were perpetrated by the same group. First, an attacker siphoned more than 2,400 BNB (~$728,000) from the Dungeonswap defi project.

Later, 80% of funds in the liquidity pool for the defi project LaunchZone were suddenly drained, tanking the LZ token price over 80% to $0.026 from its previous price of around $0.15. The stolen funds were priced at around $700,000.

Some questioned if LaunchZone had rug-pulled. However, the project claimed that "$LZ is being hacked from [Dungeonswap] exploiter" and urged its users to "please keep calm". They also announced that they had paused trading and transfers of the LZ token.
