Hacker steals around $55 million from bZx

An attacker fooled a developer of the bZx decentralized finance platform into opening a Word document with a malicious macro, which ran a script that gave the attackers access to the developer's crypto wallet private keys. They were able to gain access not only the developer's personal wallet keys, but to two keys to bZx wallets. The attacker made off with approximately $55 million. bZx subsequently tried to offer the attacker a bounty to return the funds, though they were not successful.

Media outlets are duped into believing that Kroger will begin accepting Bitcoin Cash

PR Newswire republished a fake press release which claimed that the Kroger supermarket chain would begin accepting "Bitcoin Cash" (not to be confused with Bitcoin) at its outlets. The fake press release was briefly successful in pumping the value of the currency before it was revealed to be a hoax.

Blockchain Global enters liquidation

Blockchain Global, the parent company of a cryptocurrency exchange called ACX.io, entered voluntary administration after its protracted collapse. Customers had been unable to access funds on the exchange since late 2019.

Creditor claims are likely to exceed $50 million. The operators of the company allegedly commingled customer, investor, and company funds, and used this pool of money on personal expenses and investments in other companies. The liquidator has recommended that the Australian Securities & Investments Commission (ASIC) investigate the company's directors, Sam Lee, Zijing "Ryan" Xu, and Liang "Allan" Guo.

Oracle manipulation attack against Vesper Finance nets hacker over $3 million

By manipulating the price of a low-liquidity, beta-stage stablecoin, an attacker was able to borrow all tokens in a Rari Fuse pool using the initial token as (inflated) collateral. They then swapped the tokens for Ethereum, and made off with more than $3 million.

BXH exchange exploited for $139 million

The decentralized exchange BXH was exploited for $139 million. BXH CEO Neo Wang attributed the exploit to a compromised administrator key, which he said suggested either a staff member's computer was breached, or a staff member themselves was behind the theft. BXH offered a reward to the hacker if they returned the funds, and offered a $1 million bounty to any person who could help retrieve the funds, but was ultimately not successful in having the money returned.

Creators of a Squid Game-themed token make off with more than $3 million

Creators of a Squid Game-themed token (not affiliated with, or authorized by, those behind the Netflix series) created a token which quickly skyrocketed in value and earned news coverage in outlets like the BBC. Not long after investors began to report they were unable to sell their tokens, creators drained $3.36 million out of the liquidity pool in an apparent rug pull.

NFT collector scammed out of almost $1 million

An illustration of a sad-looking ape with pink fur, blowing a bubble of gum, wearing a black turtleneck and black baseball cap with the logo "BAYC" on it.Bored Ape #2031, one of the stolen NFTs (attribution)
NFT collector Calvin Becerra fell for some social engineering on Discord: "Guys posing as buyers in Discord were helping me troubleshoot a problem we thought was happening... They walked me through language settings in my MetaMask and had me choose an option and took everything." The scammers obtained three of his "Bored Ape Yacht Club" NFTs (one pictured), which collectively valued around $1 million. Becerra successfully lobbied OpenSea, Rarible, and NFT Trader to block sales of the stolen NFTs, though some viewed the NFT exchanges' intervention as a demonstration that these exchanges can indeed interfere with access to the blockchain.

Developer of "Monkey Jizz" cryptocurrency makes off with $270,000

A cartoon of a monkey sitting behind a wooden sign that reads "Monkey Jizz""Monkey Jizz" ogo (attribution)
In a twist absolutely no one could have predicted, the developer of a coin called "Monkey Jizz" ran off with around $270,000. The project promised to share a portion of transactions with all investors, and eventually publish a video game. However, on October 31, the developer set a 94.9% sale fee to discourage people from selling, then transferred out the cash and disappeared.

$60 million disappears in AnubisDAO project within a day of its launch

An illustration of two black Egyptian dog sculptures facing outwards, from a pillar. On the pillar is a circular insignia with a shiba inu wearing a pharoah-like headdress. Bordering the circle is the Greek omega symbol. In front of the pillar is an open treasure chest with stacks of gold coins and jewels.AnubisDAO art (attribution)
A project called AnubisDAO launched a coin called ANKH, and were quickly flooded with cash from investors hoping to find another dog-themed memecoin success like Dogecoin or Shiba Inu. In less than 24 hours, the money vanished from the liquidity pool in what project creators claim was a phishing attack, but more likely was a rug pull. One investor interviewed by CNBC said he had invested nearly $470,000 in the coin before the money was drained.

OpenSea NFT trading platform patches a vulnerability that had allowed hackers to steal from users

Bug bounty hunters helped OpenSea patch a cross-site scripting (XSS) vulnerability in their platform that previously allowed attackers to create an NFT from an SVG image, which contained an iframe that would execute JavaScript. Attackers could create an authorization popup that looks legitimate, and if the victim fell for it, gain access to their wallet. OpenSea quickly patched the vulnerability after disclosure, though it appears it had been used in the wild — the bounty hunters began their research after seeing tweets of users who had fallen victim to attackers using the exploit.

A much-hyped Miss Universe NFT project turns out to be a rugpull

A trading card styled image depicting Miss Universe 2015, Pia WurtzbachPia Wurtzbach NFT (attribution)
Miss Universe and its models, the @nft Instagram, and Steve Harvey all got in on the advertisements for the Miss Universe NFT project, which Miss Universe presenter Paula Shugart said was "going to be the first brand in the NFT space that is about women, about women's empowerment, and embracing the technology, and moving forward. I love it; this is the first one that is away from other more male-oriented spaces." Buyers were offered signed prints, virtual meetings with the models, exclusive events, and a chance to win $50,000. None of this materialized, the Miss Universe Instagram account was deleted, and NFT owners who asked questions began to be banned from the project's Discord channel.

Rapper Tekashi 6ix9ine releases a series of NFTs, only for the project not to deliver anything it promised

An illustration of a human character on a yellow background, wearing a yellow construction helmet, with blue hair. It has yellow teeth and is holding a bloody machete.One of the Trollz NFTs (attribution)
$100,000 to charity, governance power over the project funds, a boxing game, and weekly competitions and raffles were all promised as a part of the Tekashi 6ix9ine-backed Trollz NFT collection. However, the project crumbled shortly after it began, with creators removing the ability to mint new NFTs before the designated number were released, a takeover of a Discord bot funneling prospective buyers to scam links, and the rapper deleting any trace of his affiliation with the project. One buyer lost $40,000; around $4 million in total was poured into the apparent scam.

DeFi platform C.R.E.A.M. is hacked for a third time, this time for $130 million

Crypto lending service C.R.E.A.M. Finance lost $130 million in a flash loan attack. It was the third hack of the platform this year, following a $37.5 million hack in February and an $18.8 million attack in August.

A tech startup aims to solve the real problem with the U.S. justice system: the lack of gambling involved

Tech startup "Ryval", which is formally launching in 2022, announced its plans to allow "everyday Americans" to bet on the outcomes of civil lawsuits, potentially raising funds for the parties. While the company is spinning this as "mak[ing] access to justice more affordable", I have considerably less faith that allowing crypto investors to decide on who and what is worthy of a lawsuit (or at least which lawsuits are likely to be "profitable" to them) will somehow introduce more equality into the American legal system.

"Realms of Ruin", a YA storytelling NFT project, collapses hours after launch

Six popular young-adult fiction writers attempted to launch an NFT project where they created a base universe, and participants would contribute their own stories (which they would mint as NFTs) that would be added to the official storyline if the authors liked them enough. Questions around who would own copyright, how teenagers (the target audience) would obtain cryptocurrency and mint NFTs, and environmental impact led the creators to shutter the project only five hours after the launch announcement went out.

Successful exploit of the CreatureToadz NFT project briefly nets a poorly-disguised hacker 88 ETH (almost $350,000)

A CreatureToadz NFT: an illustration of a red lumpy toad with hearts on its cheeks, with rain superimposed overCreatureToad #3813 (attribution)
A 17-year-old hacker was able to use a phishing webhook to make himself an admin in the CreatureToadz Discord server. Users who minted NFTs unknowingly sent cash to him, netting him a total of around 88 ETH (almost $350,000). However, after the hacker's real identity was uncovered shortly after the attack, the hacker returned the funds, claiming he'd intended to return it all along.

Hacker steals $16 million from Indexed Finance

A hacker drained $16 million from Indexed Finance, a defi protocol built on the Ethereum blockchain. The stolen funds represented nearly half of the total value locked on the platform. The hacker was later revealed to allegedly be an 18-year-old Canadian named Andy Medjedovic, who continued to refuse to return the funds even when his identity was revealed. The hacker argues that he simply took advantage of an arbitrage opportunity, and swore to "fight to the death" in court over his right to keep the money. However, the hacker never showed up to a December court appearance, and a warrant was issued for his arrest.

Four NFT projects on the Solana blockchain rug-pull in one day

A rendering of a small room, with a desk with a large monitor and computer tower, an L-shaped couch, and a large TV on one wall.One of the Solana Towers NFTs (attribution)
Developers behind Solana Towers, an NFT project allowing investors to buy rooms in a metaverse virtual condo as NFTs, disappeared with around $280,000 a day after the project's launch. It was only one of the projects to do so that day, joining the developers behind three other Solana NFT projects: "Interstellar Bots", "Cheesy Dizzy", and "Technidroids".

The creator of the "Evolved Apes" NFT project makes off with $2.7 million a week after launch

A cartoon man wearing a mesh tank top, with a beard and facial stubble, a hot pink earring, and a brown mohawk, drinks a can of beer.EvolvedApe NFT (attribution)
A week after the launch of the "Evolved Apes" NFT project, which consisted of 10,000 NFTs and a promised fighting game, the anonymous developer behind the project disappeared after pulling the equivalent of $2.7 million out of the project's funds.

Baller Ape Club NFT developers rug pull for $2.6 million

Illustration of a purple neon themed bar scene with crypto price charts on the wallsBaller Ape Club website (attribution)
A blatant clone of the extremely popular Bored Ape Yacht Club project, called "Baller Ape Club" and on the Solana blockchain, went live after much anticipation. Shortly afterwards, its creators made off with $2.6 million and deleted their websites and social media. The same group had pulled off one rug pull already, stealing around $150,000, and later went on to do a third rug pull in January 2022.

Founder of DeFi platform Compound threatens users who received mistaken payments with the IRS

Robert Leshner, the founder of Compound Labs, took an unusual approach when trying to recoup funds that were mistakenly distributed through a $160 million bug in the protocol. He tweeted, "Please return [the funds]. Keep 10% as a white-hat. Otherwise, it's being reported as income to the IRS". The threats were not received particularly well, with some questioning what assumptions Leshner was making about his typical user's tax status, and Leshner subsequently apologized for his "bone-headed" tweet.

An NFT project developer steals $138,000, sending images of random emojis to buyers

A 3D-rendered bust, with a futuristic helmet and cowl, and a red and white neck covering.Sample Iconics artwork (attribution)
NFT collectors eagerly bought thousands of presales of an NFT project called "Iconics" after viewing sample artwork from a supposedly 17-year-old 3D artist. When they viewed their NFTs, instead of the 3D busts they had expected, they were brought to images of random collections of emojis. It was later discovered that the artwork had been stolen from an artist unaffiliated with the NFT project.

German government's blockchain-based ID wallet removed from app stores shortly after launch due to major issues

Shortly before the federal election, the German government launched the app "ID Wallet". It was supposed to store driver's licenses and other identification documents, and allow them to be shared with authorized parties (like the police, or during hotel check-ins). Because the distributed ledger back-end met neither basic EU security standards, nor handled more than a few thousand users (in total, not per second), the launch failed and private data stored in the app would have been exposed to identity theft. FOIA requests revealed that the project developers had known about the shortcomings of their design months in advance. The German Federal Office for Information Security wrote in a report, "[the use of the blockchain-based solution] significantly increases the complexity and, as a result, the fundamental susceptibility to security gaps in the entire system if the benefits are unclear".

Vee Finance platform emptied of $35 million a week after its launch

The Vee Finance decentralized finance platform was hacked for $35 million worth of Ethereum and Bitcoin. The platform suspended trading after the hack was discovered, and also tried to tempt the hackers with promises of a bug bounty if they'd just be so kind as to return the funds. The platform had only launched a week earlier, though boasted of having $300 million worth of assets locked on their exchange.

pNetwork loses $12 million to a bug

A hacker stole $12 million from the DeFi platform pNetwork after exploiting a bug in the codebase. The network offered a $1.5 million bounty to the attacker to return the funds.

Supply chain attack drains $3 million from SushiSwap

A retro-looking website titled "JAY PEGS AUTO MART". There are buttons for "MINT' DONA" and "BIG OCEAN", and gifs of wacky inflatable tubes at the bottom.Jay Pegs Auto Mart website (attribution)
SushiSwap's token platform, Miso, was hit with a supply chain attack that landed the attacker more than $3 million worth of Ethereum. Malicious code was injected into the platform's frontend by a contractor who submitted a pull request. The attacker was able to target a car-themed NFT auction called "Jay Pegs Auto Mart". However, the team discovered the identity of the attacker and the funds were returned after some legal threats.

Head of Product for major NFT platform, OpenSea, is asked to resign following allegations of NFT insider trading

A Twitter sleuth discovers that OpenSea's Head of Product, Nate Chastain, had apparently been engaging in a form of insider trading by buying NFTs that he knew would later be featured on the front page of OpenSea, then selling them once their value increased from the spotlight. The Twitter user identified a chain of transactions show Chastain laundering the transactions through several anonymous accounts. OpenSea posted a statement confirming the shady trades had taken place, and that they had requested and received the employee's resignation, though they didn't specifically name Chastain as the culprit. Chastain's Twitter profile was updated shortly after, identifying him as a former OpenSea employee. OpenSea announced the next day that they had implemented policies preventing employees from trading on confidential information, which I guess they just hadn't bothered to think about previously.

GTV Media Group, a media company operated by Steve Bannon and Guo Wengui, pay $539 million settlement over ICO

The SEC filed charges against GTV Media Group and related entities, alleging they engaged in an unregistered ICO when they offered investors the opportunity to buy "G-Coins" (also called "G-Dollars"). GTV immediately settled with the SEC, agreeing to pay over $539 million.

GTV Media Group is a media company co-founded by Steve Bannon and Guo Wengui, both figures in the American far right who have close ties to Donald Trump.

Fake press release dupes media outlets into reporting that Walmart will begin accepting Litecoin

A graph of the value of Litecoin, showing a brief but large spike in its valueSpike in Litecoin value attributed to the fake press release (attribution)
A press release distributed via GlobeNewswire claimed Walmart was announcing a partnership with Litecoin to begin accepting the cryptocurrency as a payment method. The value of Litecoin spiked before tumbling after Walmart said the announcement was fake.

SEC charges Rivetz Corp. and related entities for $18 million ICO

The SEC charged Rivetz Corp. and related entities with running an illegal ICO when they launched their "RvT tokens". They raised $18 million through the ICO, which they never registered with the SEC, to raise funds for the Rivetz blockchain security company. The funds, which were raised in ETH, were used to give the company's founder a $1 million bonus, plus a $2.5 million loan which he used to "purchase a house in the Cayman Islands that he then leased back to Rivetz Int'l."

El Salvador adopts Bitcoin as legal tender

Nayib BukeleEl Salvador's president Nayib Bukele (attribution)
Nayib Bukele unexpectedly announced that El Salvador would be adopting Bitcoin as legal tender, and the policy went into effect on September 7, 2021. With the benefit of hindsight, we can see that the decision came near the very top of the Bitcoin prices. Those who put money into Bitcoin at Bukele's urging have lost quite a lot of money.

So has El Salvador itself, assuming Bukele is telling the truth about his many claimed Bitcoin purchases. As of December 2022, Nayib Bukele has lost more than $67 million on those investments.

C.R.E.A.M. Finance exploited again, this time for $25 to $30 million

A vulnerability in C.R.E.A.M. Finance allowed a re-entrancy attack to steal somewhere between $25 and $30 million from C.R.E.A.M. finance in its second multimillion dollar hack of the year.

xToken loses another $4.5 million in second hack of the year

A vulnerability in xToken's xSNX product allowed hackers to use flash loans to empty $4.5 million from xToken. This hack followed an even larger hack in May, where the platform was exploited for around $25 million.

Scammers posing as Bored Ape Yacht Club founders scam NFT collector Sohrob Farudi out of $800,000

An illustration of a person in side profile, wearing a bright red baseball cap. They have dark grey skin and blue dreadlocks in a ponytail, and are wearing futuristic green glasses.ON1 #7253, one of the stolen NFTs (attribution)
The day after Nicholas lost almost $500,000 to NFT scammers, another collector was targeted for an even larger sum. "I've never felt more dumb, helpless, embarrassed or just plain sad in my entire life", Farudi wrote on Twitter. The scammers, who pretended to be the founders of the popular Bored Ape NFT collection, had tricked him into exposing his private key QR code to them in another Discord/OpenSea scam.

Scammers posing as OpenSea support staff steal $480,000 from NFT collector Jeff Nicholas

An illustration of a bright pink ape, wearing a captain's hat, with heart-shaped sunglasses, with eyes on its neck, and a gold jacket and chainBored Ape #648, one of the stolen NFTs (attribution)
After asking for help in the OpenSea Discord channel, Nicholas was successfully scammed by individuals posing as customer support. After convincing the investor to share his screen, allowing scammers to view his private key, they transferred all of his NFTs, worth almost $500,000, from his wallet in transactions that can't be reversed. Earlier that year, Nicholas had appeared as a guest on a podcast episode titled "How NFTs Will Change Everything".

Liquid Global cryptocurrency exchange hacked for $90 million

Japanese cryptocurrency exchange Liquid Global suffered a hack that saw $90 million in various assets stolen. The exchange stated that the attack had targeted the company's MPC wallet.

A week after the hack, FTX extended a $120 million loan to the platform. In April 2022, FTX formally acquired Liquid for an undisclosed amount.

DAO Maker project exploited for more than $7.3 million

The DAO Maker project (not to be confused with the well-known MakerDAO) is a launchpad that claims to be "building the future of venture capital". Its website boasts that users who stake their $DAO can "earn up to 70% APY". The project suffered an exploit on June 3 in which attackers stole 7,376,245 USDC, a US dollar-pegged stablecoin. Although the project had been audited by three different auditing companies, hackers were able to exploit an issue in the claim portal for some tokens. According to the DAO Maker team, 5,521 users were affected, and lost an average of $1,250 each. Attackers immediately moved some of the funds to the Tornado Cash cryptocurrency tumbler, while some remained dormant for months before being moved.

$611 million is stolen from Poly Network in one of the largest cryptocurrency heists to date

Hackers stole approximately $611 million from the decentralized finance platform Poly Network in the largest cryptocurrency theft against a single platform to date. In a bizarre twist, the hacker returned the funds, and Poly Network offered them a position as a chief security advisor (though it is not clear if they accepted).

"Women-led" NFT project, "Fame Lady Squad", turns out to be a bunch of dudes

An illustration of a woman with bright green hair and red eyes with laser beams shooting out of them. She's sticking her tongue out and has a bright blue tattoo on her faceFame Lady #2269 (attribution)
The "Fame Lady Squad" NFT project touted itself as a woman-designed and -developed project that would give back to women in the space, drawing support from high-profile individuals like Gary Vaynerchuk, and ultimately around $1.5 million in investments. Problem is, the three women who were supposedly running the project were a group of Russian men, accused by one of the individuals who uncovered the lie of trying to profit off American social causes. The group had a history of creating NFT projects based on false stories. One of their other projects, "Cyber City Girls Club", was intended to campaign to stop hate against Asians, and also originally purported to be run only by women (it wasn't).

Poloniex settles with the SEC for more than $10.3 million

Poloniex, a cryptocurrency exchange, agreed to pay more than $10.3 million in a settlement with the SEC. The SEC had alleged that Poloniex had flouted securities laws from 2017 thorugh 2019 by operating an unregistered trading platform. In the settlement, Poloniex neither admitted nor denied the charges.

The US-based Poloniex was acquired in 2018 by Circle, then in late 2019 by an investment group that included Justin Sun. Sun moved Poloniex to the Seychelles and closed U.S. operations upon acquiring the platform.

Blockchain Credit Partners forfeits over $12.8 million in SEC agreement

The SEC charged two individuals with selling more than $30 million in unregistered securities in what they described as a defi project that bought "real world" assets like car loans to generate income for investments they promised investors would generate more than 6% interest. Although the company was not able to operate as they'd promised, due to crypto's price volatility, the company lied to investors that all was hunky-dory.

The respondents agreed to a $12.8 million forfeiture of ill-gotten profits, plus a combined $250,000 penalty. The case marked a first from the SEC in the decentralized finance space.

DeviantArt releases software to detect infringement of artwork on NFT marketplaces... because the NFT marketplaces won't

DeviantArt releases software to automatically scan the NFT platform OpenSea for NFTs that use stolen artwork from DeviantArt. While it's awesome that DeviantArt created this tool to help the artists on their platform, it underscores the hands-off, look-the-other-way approach OpenSea has taken to the rampant art theft on their platform. Even reports of blatant copies of artwork have been rejected with no action, and artists are forced to report each infringement of their work individually even if there are many.

Uulala and related individuals settle with SEC for a total of $543,000 in fines

The company Uulala, which aimed to provide underbanked individuals with opportunities to build credit, settled with the SEC over charges that they ran an unregistered ICO that raised $9 million. Although they claimed to be using a "proprietary micro-credit algorithm" and proprietary database technology, the SEC said their algorithm was still under development and that they were using database technology belonging to another company. As a part of the settlement, Uulala disabled all $UULA tokens and asked crypto exchanges to disallow trading.

Flash loan exploit empties $25 million from Popsicle Finance

Popsicle Finance, a DeFi platform, lost $25 million to a bug exploited with flash loans. The organization later reimbursed users who lost money to the exploit.

Russian Ponzi scheme collapses after defrauding investors of around $95 million

Finiko, a Russian operation that turned out to be a Ponzi scheme, collapsed in July 2021 after defrauding approximately $95 million from people. Investors, facing difficult economic conditions in Russia, were promised they could see returns of up to 30% a month.

An attacker steals coins by giving out coins of their own

An attacker giving out free UniH tokens was able to exploit a bug in a non-standard token contract and steal RUNE tokens from unsuspecting victims. By baiting people into selling their new UniH tokens, the attacker was able to execute malicious code that transferred any RUNE tokens also in their wallet. This was the fourth exploit pertaining to the Thorchain platform in the month of July.

Norton Antivirus now sneakily installs a crypto miner on your computer so you can mine crypto (and give some to them)

Norton, the makers of the popular Norton Antivirus software, started installing "Norton Crypto" on customers' machines when they install the popular Norton 360 antivirus and malware protection software. It mines Ethereum, skimming 15% for Norton of course. They don't seem to mention that the energy costs incurred by crypto mining on a personal machine are likely to exceed any actual mining proceeds.

Coinbase said its USD Coin would be fully backed 1-1 with USD. It isn't.

Coinbase's USD Coin claimed that there was $1 "in a bank account" to back it, meaning that if everyone hypothetically tried to redeem their USDC at once at any given time, it would be possible. A July disclosure showed that this wasn't true, and that the coin was actually backed by commercial paper, corporate bonds, and other assets. Bloomberg speculated that the FTC might investigate the claim as a possible "unfair or deceptive act or practice".

StableMagnet makes off with $27 million in rug pull

StableMagnet creators rugpulled about $27 million from users by swapping out linked library code. Users who had StableMagnet linked to their cryptocurrency wallets saw their wallets drained.

A not-so-stable stablecoin, titan, comes crashing down

An illustration of a gold coin with a large T, and the word titan spelled on the rimTitan coin illustration (attribution)
The cryptocurrency "titan" dropped from $65 to $0.000000024 within a few hours, despite being a stablecoin that is supposed to be much less volatile than most cryptocurrencies. As the price began to drop, the smart contract encountered a bug that prevented investors from selling their holdings. Among those burned by the coin's crash was billionaire investor Mark Cuban, who had blogged about the token only days prior.