Scammers posing as Bored Ape Yacht Club founders scam NFT collector Sohrob Farudi out of $800,000

An illustration of a person in side profile, wearing a bright red baseball cap. They have dark grey skin and blue dreadlocks in a ponytail, and are wearing futuristic green glasses.ON1 #7253, one of the stolen NFTs (attribution)
The day after Nicholas lost almost $500,000 to NFT scammers, another collector was targeted for an even larger sum. "I've never felt more dumb, helpless, embarrassed or just plain sad in my entire life", Farudi wrote on Twitter. The scammers, who pretended to be the founders of the popular Bored Ape NFT collection, had tricked him into exposing his private key QR code to them in another Discord/OpenSea scam.

Scammers posing as OpenSea support staff steal $480,000 from NFT collector Jeff Nicholas

An illustration of a bright pink ape, wearing a captain's hat, with heart-shaped sunglasses, with eyes on its neck, and a gold jacket and chainBored Ape #648, one of the stolen NFTs (attribution)
After asking for help in the OpenSea Discord channel, Nicholas was successfully scammed by individuals posing as customer support. After convincing the investor to share his screen, allowing scammers to view his private key, they transferred all of his NFTs, worth almost $500,000, from his wallet in transactions that can't be reversed. Earlier that year, Nicholas had appeared as a guest on a podcast episode titled "How NFTs Will Change Everything".

Liquid Global cryptocurrency exchange hacked for $90 million

Japanese cryptocurrency exchange Liquid Global suffered a hack that saw $90 million in various assets stolen. The exchange stated that the attack had targeted the company's MPC wallet.

A week after the hack, FTX extended a $120 million loan to the platform. In April 2022, FTX formally acquired Liquid for an undisclosed amount.

DAO Maker project exploited for more than $7.3 million

The DAO Maker project (not to be confused with the well-known MakerDAO) is a launchpad that claims to be "building the future of venture capital". Its website boasts that users who stake their $DAO can "earn up to 70% APY". The project suffered an exploit on June 3 in which attackers stole 7,376,245 USDC, a US dollar-pegged stablecoin. Although the project had been audited by three different auditing companies, hackers were able to exploit an issue in the claim portal for some tokens. According to the DAO Maker team, 5,521 users were affected, and lost an average of $1,250 each. Attackers immediately moved some of the funds to the Tornado Cash cryptocurrency tumbler, while some remained dormant for months before being moved.

$611 million is stolen from Poly Network in one of the largest cryptocurrency heists to date

Hackers stole approximately $611 million from the decentralized finance platform Poly Network in the largest cryptocurrency theft against a single platform to date. In a bizarre twist, the hacker returned the funds, and Poly Network offered them a position as a chief security advisor (though it is not clear if they accepted).

"Women-led" NFT project, "Fame Lady Squad", turns out to be a bunch of dudes

An illustration of a woman with bright green hair and red eyes with laser beams shooting out of them. She's sticking her tongue out and has a bright blue tattoo on her faceFame Lady #2269 (attribution)
The "Fame Lady Squad" NFT project touted itself as a woman-designed and -developed project that would give back to women in the space, drawing support from high-profile individuals like Gary Vaynerchuk, and ultimately around $1.5 million in investments. Problem is, the three women who were supposedly running the project were a group of Russian men, accused by one of the individuals who uncovered the lie of trying to profit off American social causes. The group had a history of creating NFT projects based on false stories. One of their other projects, "Cyber City Girls Club", was intended to campaign to stop hate against Asians, and also originally purported to be run only by women (it wasn't).

Poloniex settles with the SEC for more than $10.3 million

Poloniex, a cryptocurrency exchange, agreed to pay more than $10.3 million in a settlement with the SEC. The SEC had alleged that Poloniex had flouted securities laws from 2017 thorugh 2019 by operating an unregistered trading platform. In the settlement, Poloniex neither admitted nor denied the charges.

The US-based Poloniex was acquired in 2018 by Circle, then in late 2019 by an investment group that included Justin Sun. Sun moved Poloniex to the Seychelles and closed U.S. operations upon acquiring the platform.

Blockchain Credit Partners forfeits over $12.8 million in SEC agreement

The SEC charged two individuals with selling more than $30 million in unregistered securities in what they described as a defi project that bought "real world" assets like car loans to generate income for investments they promised investors would generate more than 6% interest. Although the company was not able to operate as they'd promised, due to crypto's price volatility, the company lied to investors that all was hunky-dory.

The respondents agreed to a $12.8 million forfeiture of ill-gotten profits, plus a combined $250,000 penalty. The case marked a first from the SEC in the decentralized finance space.

DeviantArt releases software to detect infringement of artwork on NFT marketplaces... because the NFT marketplaces won't

DeviantArt releases software to automatically scan the NFT platform OpenSea for NFTs that use stolen artwork from DeviantArt. While it's awesome that DeviantArt created this tool to help the artists on their platform, it underscores the hands-off, look-the-other-way approach OpenSea has taken to the rampant art theft on their platform. Even reports of blatant copies of artwork have been rejected with no action, and artists are forced to report each infringement of their work individually even if there are many.

Uulala and related individuals settle with SEC for a total of $543,000 in fines

The company Uulala, which aimed to provide underbanked individuals with opportunities to build credit, settled with the SEC over charges that they ran an unregistered ICO that raised $9 million. Although they claimed to be using a "proprietary micro-credit algorithm" and proprietary database technology, the SEC said their algorithm was still under development and that they were using database technology belonging to another company. As a part of the settlement, Uulala disabled all $UULA tokens and asked crypto exchanges to disallow trading.

Flash loan exploit empties $25 million from Popsicle Finance

Popsicle Finance, a DeFi platform, lost $25 million to a bug exploited with flash loans. The organization later reimbursed users who lost money to the exploit.

Russian Ponzi scheme collapses after defrauding investors of around $95 million

Finiko, a Russian operation that turned out to be a Ponzi scheme, collapsed in July 2021 after defrauding approximately $95 million from people. Investors, facing difficult economic conditions in Russia, were promised they could see returns of up to 30% a month.

An attacker steals coins by giving out coins of their own

An attacker giving out free UniH tokens was able to exploit a bug in a non-standard token contract and steal RUNE tokens from unsuspecting victims. By baiting people into selling their new UniH tokens, the attacker was able to execute malicious code that transferred any RUNE tokens also in their wallet. This was the fourth exploit pertaining to the Thorchain platform in the month of July.

Norton Antivirus now sneakily installs a crypto miner on your computer so you can mine crypto (and give some to them)

Norton, the makers of the popular Norton Antivirus software, started installing "Norton Crypto" on customers' machines when they install the popular Norton 360 antivirus and malware protection software. It mines Ethereum, skimming 15% for Norton of course. They don't seem to mention that the energy costs incurred by crypto mining on a personal machine are likely to exceed any actual mining proceeds.

Coinbase said its USD Coin would be fully backed 1-1 with USD. It isn't.

Coinbase's USD Coin claimed that there was $1 "in a bank account" to back it, meaning that if everyone hypothetically tried to redeem their USDC at once at any given time, it would be possible. A July disclosure showed that this wasn't true, and that the coin was actually backed by commercial paper, corporate bonds, and other assets. Bloomberg speculated that the FTC might investigate the claim as a possible "unfair or deceptive act or practice".

StableMagnet makes off with $27 million in rug pull

StableMagnet creators rugpulled about $27 million from users by swapping out linked library code. Users who had StableMagnet linked to their cryptocurrency wallets saw their wallets drained.

A not-so-stable stablecoin, titan, comes crashing down

An illustration of a gold coin with a large T, and the word titan spelled on the rimTitan coin illustration (attribution)
The cryptocurrency "titan" dropped from $65 to $0.000000024 within a few hours, despite being a stablecoin that is supposed to be much less volatile than most cryptocurrencies. As the price began to drop, the smart contract encountered a bug that prevented investors from selling their holdings. Among those burned by the coin's crash was billionaire investor Mark Cuban, who had blogged about the token only days prior.

Hacker nets $6.3 million in Belt Finance exploit

Belt Finance fell victim to a flash loan attack which netted an attacker $6.3 million. This was yet another exploit targeting a protocol built on the Binance Smart Chain protocol, following other attacks over the previous five months on C.R.E.A.M. Finance, bEarn, Bogged Finance, Uranium Finance, Meerkat Finance, SafeMoon, Spartan Protocol, BurgerSwap, and PancakeBunny.

SEC begins case against those involved in alleged $2 billion BitConnect fraud

The SEC filed an action against five individuals that they alleged promoted unregistered securities in a $2 billion investment scheme, which they described as a "lending program". In September, the SEC also charged BitConnect's founder, Satish Kumbhani, for his role in the scheme, as well as an additional promoter.

"Trivial" bug costs BurgerSwap $7.2 million

A missing line of code made it "trivally" easy for an attacker to use a flash loan attack to pull $7.2 million from the DeFi platform BurgerSwap. BurgerSwap said it would "strive to cover all [users'] loss".

Attackers drain $3 million from BOG liquidity pool

Attackers exploited a flaw in the smart contract of Bogged Finance's BOG token to drain half the liquidity pool, equivalent about $3 million. This resulted in the BOG token tanking in value from about $1.80 to $0.0003.

Rumors swirl around what actually happened with DeFi100: a rug pull, or a simple website defacement?

DeFi100, a Binance-based DeFi protocol, suddenly replaced its website with a statement: "We scammed you guys and you can't do shit about it". One crypto analyst estimated a scam would've netted the team $32 million. However, the developers subsequently denied the scam and claimed the website had been hacked, restoring it soon after. Although the developers maintain they never stole any money, rumors around what actually happened sank the project.

$45 million stolen from PancakeBunny Finance

A hacker used flash loans to manipulate the price of other token pools, to then exploit a bug in PancakeBunny logic that calculates how many tokens should be minted. They were able to mint and then sell 7 million tokens, making off with $45 million and tanking the price of BUNNY tokens from $146 to $0.90. PancakeBunny tweeted shortly after the attack that they would be "working on a reimbursement plan" for those affected.

FinNexus "hacked" for $7.6 million in likely inside job

A decentralized finance project called FinNexus was reportedly hacked for $7.6 million, in what was widely speculated to actually be a rug pull by the project's developers.

The theft appeared to have been enabled by someone who had access to the project's admin key, and was able to change the token owner to an address where they then minted and withdrew tokens, amounting to a $7.6 million theft.

Hacker drains $10.85 million from bEarn Fi

An attacker pulled $10.85 million in funds out of one of bEarn Fi's vaults by exploiting a bug that allowed them to withdraw more funds than they deposited. bEarn promised to compensate affected users with 105% of the amount they lost.

$24.5 million emptied from xToken platform

A flash loan attack allowed hackers to exploit two vulnerabilities in the xToken DeFi platform and steal $24.5 million. This was the first of two large-scale hacks of the platform this year.

Rari Capital exploited for $15 million

An attacker exploited a Rari Capital ETH pool, stealing ETH worth around $15 million. The theft caused the price of Rari's governance token to plummet by around 50%.

Value DeFi hacked twice in one week, three times in six months

After a $10 million hack just two days prior, Value DeFi had another $11 million stolen after attackers found and exploited a different bug in their smart contract.

Value DeFi hacked for the second time in six months

Attackers exploited a bug in Value DeFi's smart contract to drain $10 million out of the platform, in a second attack in six months. In November 2020, the platform had lost $7 million to a flash loan attack, after bragging about their "flash loan attack protection". The group was also discovered to be using a paid actress to pretend to be one of their co-founders.

A bug in the Spartan Protocol platform allows an attacker to steal around $30 million

A flawed calculation pertaining to the liquidity pool of Spartan Protocol allowed an attacker to drain $30 million from the project.

An attempt to incorporate NFTs throws a wrench into a $40 million domain name auction

Frank Schilling, founder of the Uni Naming & Registry (UNR) held an auction for 23 TLDs (the bit at the end of the domain, like .com or .org). These included .link, .help, .game, and even .christmas. The April auction grossed more than $40 million, but as of mid-December the transactions had not been completed. This is because UNR attempted to add some marketing flair to the auction by including NFTs for each of the TLDs, to go to the auction winners. ICANN, the group responsible for much of the domain world, objected to and withheld consent for the transactions, writing "we sought to understand the impact of the transactions on the Domain Name System ('DNS'), including how Non-Fungible Tokens (NFTs) created on the Ethereum Name Service (ENS) were being used, and were involved in the transactions. ICANN repeatedly asked UNR for documentation or other information related to NFTs in the hopes that UNR would provide fulsome and complete responses."

Uranium Finance is drained of $50 million in hack

A bug in Uranium Finance, a DeFi exchange based on Binance Smart Chain, allowed an attacker to drain the liquidity pools for multiple token pairs. Uranium had just commissioned an audit which uncovered the bug, but the attack occured two hours before the patch went live. An apparent member of Uranium's development team wrote that they believed the attack had been the result of leaked information.

German museum accidentally burns two valuable Cryptopunks NFTs in copy-paste error

A pixel art human wearing a purple baseball cap and smoking a cigaretteCryptopunk #2838 (attribution)
An employee of the ZKM Centre for Art and Media in Karlsruhe accidentally sent two of their four Cryptopunk NFTs back to its smart contract address. This is referred to as "burning" the NFTs, because the address is inaccessible and the NFTs are permanently impossible to trade as a result. The employee had copied the Cryptopunks contract address while browsing Etherscan, and didn't realize that was what he was pasting while making the transfer — wallet addresses are long hex strings like 0xb47e3cd​837ddf8e4c​57f05d70a​b865de6e​193bbb and are prone to errors like this since they are not easily distinguished at a glance. The two NFTs were originally acquired for the museum for approximately $100 each in 2017, and are individually valued at around $187,000 as of January 2022.

CEO of Turkish crypto exchange Thodex apparently makes off with $2 billion in investments

Turkish Bitcoin exchange Thodex halted trading and limited customers' access to their investments, claiming it was to investigate suspicious activity and swearing it was not an exit scam. With an international manhunt now underway for the Thodex CEO, and no sign of the approximately $2 billion that was invested in the platform, it seems awfully likely it was a rug pull.

$80 million taken from EasyFi lending platform

Hackers compromised a computer belonging to EasyFi founder Ankitt Gaur, accessing his private keys which allowed them to transfer $6 million in stablecoins and $120 million worth of EASY. The price of EASY crashed as a result of the low liquidity, limiting the hacker's total payout to around $80 million. EasyFi followed the breach with a hard fork to "EZ 2.0", and compensated users with a mix of stablecoins and "IOU tokens" that could later be redeemed for discounted EZ.

Africrypt investors disappear with $3.6 billion of investor funds

The two founders of a South Africa-based crypto investment firm called Africrypt claimed they had been hacked, and all assets had been stolen. The duo disappeared as legal action began, and as skepticism grew as to the veracity of that story.

FTX loses $800 million to MobileCoin market manipulation

At some point in April 2021, a trader on the FTX cryptocurrency exchange successfully exploited the firm for around $800 million. They were able to take positions in relatively illiquid crypto tokens, including MobileCoin and BTMX, then manipulate the token prices to appear much higher than their true market value (for example, MobileCoin spiked to $70 a token, rather than around $6). Using these falsely high-valued tokens as collateral, the trader was able to borrow around $800 million in more liquid tokens, abandoning the relatively valueless collateral on the exchange.

During the October 2023 criminal trial of FTX founder and CEO Sam Bankman-Fried, he gave more detail on how the exploit took place, and admitted that he personally had disabled FTX's automatic liquidation systems for this account. Though he intended to closely monitor the account to prevent any losses to FTX, he said that it was actually his actions that allowed the trader to drain such a massive quantity of assets from the exchange.

Prosecutors alleged that Bankman-Fried later had his cryptocurrency trading firm, Alameda Research, shoulder the loss, saying that he'd hoped it would be less visible on Alameda's balance sheets than on FTX's.

Creators of "Turtledex", a project offering decentralized storage, make off with $2.5 million

24 hours after pre-sale, the team behind Turtledex drained $2.5 million from the liquidity pool and disappeared. Turtledex's smart contract had been audited shortly before the sale, with no major issues found, leading some to question the point of such audits.

Social token platform Roll hacked for $5.7 million

Private keys for hot wallets on the Roll network were compromised, allowing the theft of around $5.7 million from various "social tokens". "Friends With Benefits", an a16z-backed DAO with an associated token that allows those who are approved by the DAO and can afford the ~$8,000 entrance fee access to exclusive parties, was one of the tokens affected, and it tanked in value by about 96%. Roll apologized and announced a fund to help those affected, though the $500,000 fund was only a small fraction of the money lost.

A headline-making $69 million NFT sale looks an awful lot like a publicity stunt

A collage of 5,000 tiny images"Everydays — The First 5000 Days" by Beeple (attribution)
Vignesh Sundaresan's $69 million purchase of an NFT by artist Beeple made headlines. However, Amy Castor outlined a few days later that Sundaresan is a business partner of Beeple's, and that Beeple himself owns 2% of the B20 tokens created by Sundaresan's cryptocurrency investment firm. She speculates that money may not have exchanged hands at all, but that Sundaresan and Beeple orchestrated the purchase to artificially inflate the value of the work, increase Beeple's popularity, and draw attention to Sundaresan and his company.

Indie Developer sells commissioned pixel art as NFTs without permission from original artists

A pixel art abstract blue and white painting, with a pixel frameTCD #71 --- Rise --- by Kyle Pulver (attribution)
Jason Rohrer, developer of the 2014 indie game The Castle Doctrine announced his plan to auction 155 of the digital paintings that he had commissioned for the game as NFTs on the OpenSea platform, without ever requesting permission from the original artists or informing them of his plan at all. In an email, Rohrer told Kotaku that he hadn't asked for permission from the artists to sell the works as NFTs "mostly because having email conversations with 50+ people would exceed my bandwidth as a solo creator." At least three artists asked for their work to be removed from the collection.

An NFT artist changes all images in their collection to photos of rugs to make a point about the value of NFTs

An OpenSea screenshot showing that all NFTs show photos of rugsNFTs after the "rug pull" (attribution)
NFT artist "neitherconfirm" created a collection of 26 NFTs of stained glass-style computer-generated art. After release, they changed the art for each NFT to a picture of a rug, an apparent reference to "rug pulls". The artist wrote on Twitter, "Nobody got hurt. It is pretty easy to change the jpg, even if it does not belong to me or it is on auction. I am the artist, my decision, right? A thread from somebody making his living with art irl about the value of NFTs... All discussions about the value of NFTs are meaningless as long as the token is not inseparable from the artwork itself... What is the meaning of creating an unforgeable token on a highly secured network if somebody can alter, relink or destroy your possession? As long as the value of your artwork is reliable on a central service you do not own anything."

Hackers take $3.8 million from DODO

DeFi project DODO was relieved of $3.8 million after hackers exploited a bug in their v2 Crowdpools smart contracts. The exchange later recovered $1.89 million of these funds.

An attacker steals $3 million from the PAID Network

A contract exploit allowed a hacker to mint almost 60 million PAID tokens (priced at around $160 million based on the value before the attack) on the PAID Network. The hacker then made off with about $3 million in Ethereum from their efforts. The attack caused the PAID token to crash about 88% in value over the course of a day, from around $2.86 to $0.32.

Meerkat DeFi team briefly rug-pulls $31 million before returning the funds with an odd explanation

The team behind the Meerkat DeFi protocol claimed they had been victims of a hack, but subsequently disappeared from the web after the equivalent of $31 million in Binance Coin (BNB) and BUSD was pulled from the project. Two days later, a developer for the project wrote that the project had been a "test [of] user greed and subjectivity", and aimed to "[help] users realize the potential danger in smart contracts [and] the subjectivity in the audit processes of audit companies." The developer wrote that all victims would be refunded. Some believed that the bizarre "experiment" explanation was to cover that Binance had stepped in to address the scam.

$37.5 million stolen from C.R.E.A.M. lending platform

A hacker was able to code a smart contract that tricked C.R.E.A.M. into believing it was from a trusted source. They were then able to make off with $37.5 million worth of Ethereum and stablecoins in what was only the first of several major exploits of the platform in 2021.

Yearn Finance loses $11 million to a hack

An exploit in Yearn Finance's yDAI vault resulted in an $11 million loss to the platform, though "only" $2.8 million of this went to the hacker.

Tether pays $18.5 million in penalties; NY Attorney General alleges they don't have the cash reserves they claim

The stablecoin Tether swears up and down that it's fully backed by actual currency, but the New York Attorney General doesn't agree. Tether paid $18.5 million in penalties, was banned from trading in New York, and agreed to submit transparency reports for two years in exchange for ending the long-running legal dispute.

PopcornSwap rug pulls

PopcornSwap launched on BNB Chain and then immediately drained its liquidity pool, making off with tokens priced at around $2 million.

Binance stated that they had been able to freeze users' assets on the BNB Chain partway through the incident. However, as of June 2023, Binance had not taken any steps to return the frozen funds to their original owners.

Saddle Finance exploited within hours of launch

The Saddle Finance defi project, a fork of the Curve Finance project, launched on January 20. It promised it would "eliminate slippage".

The project was exploited only hours later, by attackers who stole more than 7.9 BTC (~$275,000) by taking advantage of high slippage on the platform.