Starstream treasury drained of $4 million

Starstream, a defi project built on the Andromeda layer 2 Ethereum protocol, had its treasury drained. Blockchain security company CertiK reported that the treasury appeared to have contained around $4 million in STARS, all of which was stolen. Shortly after the hack, the attacker transferred 900 ETH ($2.9 million) to a crypto tumbler. Starstream had been audited by two security firms prior to the exploit.

Scammer creates a fake site to revoke wallet permissions, then pretends there is an OpenSea vulnerability to trick people into using it

[Image: A tweet falsely claiming an OpenSea vulnerability, linking to a scam permission revocation website. Alt text: Tweet by grantith.eth, reading "HUGE OPENSEA ISSUE You MUST go check on revote.site if you have the OpenSea API allowance, if yes you should revoke for your NFTs! I just lost a $100k Azuki so ALWAYS check and don't make the same mistake. Share it to save someone NFTs."]
It's not exactly straightforward to revoke wallet permissions once they've been granted, and so many users use a site called revoke.cash to remove permissions in the case of malicious contracts or as a precautionary measure. A clever scammer created a fake website that mimics revoke.cash, called revoke.site, and then used a verified Twitter account to tweet about a "huge OpenSea issue" that they claimed resulted in the loss of a pricey NFT. The scammer hoped that people would panic and try to use the site to revoke permissions; in reality the website runs a script to determine the user's highest-value assets, then prompts the user to "revoke" permissions for those assets, when what it actually does is set approval for those assets to be transferred to the scammer's wallet. As of the evening of April 7, the wallet had received 13 NFTs, and had flipped eight of them for a total profit of 4.9 ETH (~$16,000).
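The scam above works because a "revoke" button and an "approve everything" button produce transactions that look identical to a hurried user. The following is an added example, not code from the original post or from revoke.cash: a wallet-side check that decodes the calldata of a pending ERC-721 approval transaction and says whether it grants or revokes access. The selectors are the standard `setApprovalForAll(address,bool)` and `approve(address,uint256)` ones; the operator addresses and sample calldata are constructed placeholders.

```javascript
// Added example (not from the original article): decode approval calldata
// before signing, so a fake "revoke" page that actually submits
// setApprovalForAll(scammer, true) is caught. A genuine revocation is
// setApprovalForAll(operator, false) or approve(0x0, tokenId).
// Selectors are the standard ERC-721/ERC-20 ones; addresses are constructed.

const SELECTORS = {
  "a22cb465": "setApprovalForAll(address,bool)",
  "095ea7b3": "approve(address,uint256)",
};

const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";

// Strip the 0x prefix, lowercase, and reject anything that is not hex.
function normalizeHex(data) {
  const h = data.startsWith("0x") ? data.slice(2) : data;
  if (!/^[0-9a-f]*$/i.test(h)) throw new Error("calldata is not hex");
  return h.toLowerCase();
}

// Return the i-th 32-byte ABI word that follows the 4-byte selector.
function word(hex, i) {
  const start = 8 + i * 64;
  const w = hex.slice(start, start + 64);
  if (w.length !== 64) throw new Error("calldata truncated");
  return w;
}

// An address occupies the low 20 bytes of a word; the high 12 must be zero.
function wordToAddress(w) {
  if (!/^0{24}/.test(w)) throw new Error("malformed address word");
  return "0x" + w.slice(24);
}

// Classify calldata as { kind, operator, grants } so the UI can warn.
function classifyApproval(calldata) {
  const hex = normalizeHex(calldata);
  const sel = hex.slice(0, 8);
  const sig = SELECTORS[sel];
  if (!sig) return { kind: "other", selector: sel, grants: false };
  if (sel === "a22cb465") {
    const operator = wordToAddress(word(hex, 0));
    const flag = word(hex, 1);
    // A bool must be exactly 0 or 1; anything else is a malformed word.
    if (!/^0{63}[01]$/.test(flag)) throw new Error("bool word is not 0 or 1");
    return { kind: sig, operator, grants: flag.endsWith("1") };
  }
  // approve(address,uint256) only revokes when the spender is the zero address.
  const spender = wordToAddress(word(hex, 0));
  const tokenId = BigInt("0x" + word(hex, 1));
  return { kind: sig, operator: spender, tokenId, grants: spender !== ZERO_ADDRESS };
}

// Human-readable verdict a wallet could show next to a "revoke" prompt.
function verdict(calldata) {
  const c = classifyApproval(calldata);
  if (c.kind === "other") return `not an approval call (selector 0x${c.selector})`;
  return c.grants
    ? `WARNING: ${c.kind} GRANTS ${c.operator} control over your assets`
    : `ok: ${c.kind} revokes approval for ${c.operator}`;
}

// Build setApprovalForAll calldata for the constructed sample inputs below.
function encodeSetApprovalForAll(operator, approved) {
  const addr = operator.slice(2).toLowerCase().padStart(64, "0");
  const flag = (approved ? "1" : "0").padStart(64, "0");
  return "0xa22cb465" + addr + flag;
}

const SCAMMER = "0x1111111111111111111111111111111111111111"; // constructed
const MARKET = "0x2222222222222222222222222222222222222222";  // constructed

// What the fake revoke page actually submits, versus a genuine revocation.
const looksLikeRevokeButGrants = encodeSetApprovalForAll(SCAMMER, true);
const genuineRevoke = encodeSetApprovalForAll(MARKET, false);

console.log(verdict(looksLikeRevokeButGrants));
console.log(verdict(genuineRevoke));
```

The check is deliberately independent of what the page's button says; it trusts only the bytes the wallet is about to sign.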

Star Trek gets into NFTs

[Image: Sample Star Trek NFT. Alt text: A rendering of a spaceship resembling the Starship Enterprise.]
Star Trek announced the creation of "Star Trek Continuum", a part of Paramount's new NFT platform. They state that the project is "accessible to everyone [with $250 to throw around] and allows another expression of fandom [by giving us their money]". The press release attempts to drum up FOMO by writing, "there will never be more of these designs created and the minting window will only be open for 24 hours" — however, it also talks about how this is "Season 0" and the platform will be used for "future seasons of Star Trek™ NFTs."

Ubisoft abandons Tom Clancy's Ghost Recon Breakpoint after shoehorning NFTs into it

[Image: Ubisoft "Wolf Enhanced Helmet A" NFT. Alt text: A monochrome, dark grey helmet model.]
Ubisoft announced in December that they would be incorporating NFTs into their Tom Clancy's Ghost Recon Breakpoint title, much to the chagrin of its players and some employees as well. On April 5, Ubisoft announced that they would no longer be releasing updates to the game, nor would they be minting any additional NFTs.

Although the Formula 1 blockchain game that shut down earlier this month made halfhearted promises to allow NFT holders to swap their NFTs for ones used in a different game, Ubisoft has made no such promises.

Another $1 million lawsuit is filed against OpenSea for stolen apes

[Image: Bored Ape #8858. Alt text: An illustration of a red-furred ape wearing a captain's hat, grimacing with half-lidded eyes, and wearing a dress shirt and maroon vest with an ascot.]
A third "stolen ape" lawsuit was filed against OpenSea, alleging that OpenSea's "security vulnerability allowed an outside party to illegally enter through OpenSea's code and access Plaintiff's NFT wallet, in order to sell Plaintiff's Bored Ape at a fraction of the value." Someone was able to buy the plaintiff's Bored Ape for 24.89 ETH (~$60,000) — much less than the 135 ETH (~$332,000) the plaintiff had recently listed it at. The scammer then quickly flipped the NFT for resale for 92.9 ETH (~$225,000) within an hour.

The language in the lawsuit is very similar to the stolen ape lawsuit filed February 18, which is not surprising because the plaintiffs are using some of the same lawyers. Vice interviewed one of the lawyers, and determined that the somewhat odd wording refers to the issue in which OpenSea users didn't realize their old listings of NFTs at lower prices were still active.

Worldcoin, creators of the eyeball scanning orb that promises universal basic income, encounters more difficulties

[Image: Stare into the Orb. Alt text: A man sits staring into a gleaming silver sphere.]
New reporting from BuzzFeed News and MIT Technology Review described some of the issues that Worldcoin has been encountering on its mission to scan the eyeballs of the world population, in exchange for nebulous promises of crypto. Although "Orb operators" have been out and about scanning eyeballs in countries around the world, those who've agreed to be scanned have only been offered a voucher for Worldcoin tokens and a promise that they may, someday, be redeemable for $20. Meanwhile, the company appears to be flouting data privacy laws and endangering operators of these Orbs, who have encountered threats from angry uncompensated users, and some of whom have been detained by law enforcement. Those who have agreed to have their eyes scanned have accused the company of "stealing their eyes", and fear how their biometric data may be used.

Collectors spend a cumulative $26 million on gas fees alone for "VaynerSports" NFT project—3x the amount made from the NFTs

[Image: VaynerSports Pass NFT. Alt text: A rendering of a card with the letters "VSP" on it.]
AJ Vaynerchuk, brother of prominent NFT personality Gary Vaynerchuk (aka Gary Vee), launched his VaynerSports NFT collection. The popularity of the project resulted in surging gas fees on the Ethereum chain, and a poorly-implemented contract worsened issues. Users encountered failed transactions, meaning they lost the gas fee they had spent, and also did not successfully mint an NFT. Once the mint was over, 2411 ETH ($8.2 million) had been spent on mints, and 7652 ETH ($26.4 million) had been spent on gas fees. Some users lost thousands of dollars in gas fees on failed transactions.

Someone mints NFTs of r/place, because what's the point of collective artwork if someone can't profit off it

[Image: Portion of r/place. Alt text: Pixel artwork showing a Bitcoin with a cancel symbol, and "r/FUCKNFTS".]
Reddit reopened its chaotic collaborative art project, r/place, for several days. Users could place colored pixels onto a shared canvas at limited intervals, collaborating to festoon the page with flags, fan art, memes, subreddit names, activist statements, logos, and everything else people could collectively convince others to help create. The collaborative canvas at various times conveyed pro- and anti-crypto sentiment, with r/Buttcoin putting up a valiant effort to stamp "Fuck NFTs" onto the piece.

Sadly, the collaborative and fun community art piece and social experiment was financialized almost immediately after the last pixels were placed, with several projects cropping up to sell portions of the canvas for crypto. One of the projects ended almost as quickly as it began, replacing all its NFT images with the "r/FUCKNFTS" portion of the canvas and rewriting the description to say, "Ok, I guess that was a bad move and a bad Joke. Please use Cryptos as decentralized money against states, not to sale dumb images on the internet. Love U Reddit, got U". Other projects, however, remain for sale.

COVID-19 conspiracy theorist Robert Malone announces to trucker convoy his plans to dox more than 4,000 people using blockchain-based tech "so they can't take it down"

[Image: Robert Malone speaking to trucker convoy. Alt text: Robert Malone speaks into a microphone at a podium on an outdoor stage.]
Robert W. Malone, a COVID-19 conspiracy theorist, gave a speech to a group of anti-vax truckers in which he announced plans to dox over 4,000 "[World Economic Forum] trainees" by publishing their names, addresses, and current and historical work information. "We're about to put this up on a blockchain-protected site so they can't take it down" he said, to cheers. "We're going to ask all of you and we're going to ask Steve Bannon's posse to crowdsource the rest of those names," he said, "There are a ton of... people residing in the United States... that are embedded throughout our government, and throughout the tech industry, and throughout the banking industry, and throughout the bloody media!" When a crowd member shouted "Lock them up!" he replied, "locking them up isn't even going to do it", leading another person in the crowd to shout, "hang them!"

Federal authorities seize $34 million in Bitcoin from alleged seller of stolen account information

A Floridian suspected of selling hacked account information for services including HBO, Netflix, and Uber had $34 million in Bitcoin seized by federal authorities. Prosecutors accused a suspect of a scheme from 2015–2017 in which he sold stolen account information on the dark web. Unusually, they filed a civil rather than criminal case against the defendant, and were able to seize the crypto in a default judgment. Tough day for those arguing that crypto is somehow inherently immune from government actions.

Scammer takes advantage of a platform's poor UX to steal several pricey Bored Ape NFTs

[Image: Bored Ape #1584. Alt text: An illustration of a light yellow ape with lidded eyes with yellow irises, blowing a bubble of gum, wearing a red t-shirt.]
A trader who owned a Bored Ape and two Mutant Ape NFTs apparently reached a deal to trade them for three different Bored Ape NFTs. Because OpenSea doesn't support swapping NFTs directly, only buying and selling them for ETH, the traders used a less-known platform called KiwiSwap to do the trade. Like many platforms, KiwiSwap aims to help users spot faked NFTs by showing a "verified" badge — however, because the platform shows the badge overlaid on the NFT image, a scammer was able to create imitation Bored Apes that included the same checkmark as a part of the image, making them appear legitimate. KiwiSwap also does not include functionality that would allow a user to click through to verify the NFT is the one it claims to be.

When the user confirmed the transaction, they transferred their three pricey apes to the scammer, receiving three worthless ones in return. NFT trader 0xQuit estimated the loss at around $587,000.

Amidst rumors of market manipulation, Waves' USD-based "stablecoin" loses peg, drops to $0.82

[Image: Price chart showing USDN depeg. Alt text: A chart on CoinMarketCap showing USDN/USD. The price had been relatively stable at $1 for the entire three-month view, until suddenly dropping to around $0.80 on April 4.]
The stablecoin belonging to the Waves protocol, "Neutrino dollar" (aka USDN), crashed nearly 20%, despite intending to maintain its 1:1 ratio to the US dollar. The volatility occurred amidst flying accusations on Twitter, where various people first accused the Waves team of manipulating the price of their own token and running a Ponzi scheme, and then Waves' CEO accused an outside trading firm of manipulating the $WAVES price and "organiz[ing] FUD campaigns to trigger panic selling".

User loses £55,000 (~$72,000) to Trezor phishing email

[Image: Trezor hardware wallet. Alt text: A black plastic rectangle that tapers towards the bottom. It has a "TREZOR" logo and a square screen displaying a lock icon.]
A Bitcoin holder using a Trezor hardware wallet fell victim to a phishing scam after attackers stole email lists from a third-party vendor used by Trezor. The user wrote on Reddit that they were "not paying attention and was on autopilot, just doing what it said. Was arguing with my gf via Telegram at the time... had not slept enough, was a bit hungover and was distracted" when they received the email.

The email in question appeared to be from Trezor, and claimed that users' funds were in jeopardy. It prompted them to download a new (fake) version of the Trezor wallet software, and when users entered their seed phrase to restore their wallet from a backup, it drained their crypto. "What a mug I am," wrote the affected user. "Had been building up my BTC for seven years and lost it in a few minutes' utter stupidity."

The Reddit post also included two follow-up edits, displaying the victim blaming that is common when users are hit with phishing scams and other attacks. The user wrote "Edit: yes I entered my keys, because I'm a twat Edit 2: a lot of people saying they'd never fall for it. I hope they're right."

Attack on Inverse Finance results in a $15.6 million loss

An attacker targeting the defi project Inverse Finance was able to manipulate the price oracle of INV/ETH, artificially inflating the apparent price of INV and allowing the attacker to borrow against it. The attacker was ultimately able to turn the borrowed DOLA, ETH, WBTC, and YFI tokens, priced at a total of around $15.6 million, into around 4300 ETH (priced at around $14.5 million). As of early April 2, the attacker had transferred 1,300 ETH (around $4.5 million) to a tumbler to make it more difficult to trace.

Taiwanese singer Jay Chou has Bored Ape stolen

[Image: BAYC #3738. Alt text: An illustration of a grimacing ape with pink fur and diamond teeth wearing a colorful stunt jacket on an orange background.]
Taiwanese singer Jay Chou fell victim to an apparent phishing scam, in which a malicious actor transferred his pricey Bored Ape NFT to their own wallet. The scammer then flipped the NFT for sale on LooksRare for 130 ETH (~$425,000).

The theft prompted security researchers at Check Point Research to investigate what ended up being a serious bug in Rarible, where malicious NFTs could execute JavaScript and trick users into signing a contract that would then empty their wallets.

Class action lawsuit filed against "Let's Go Brandon" coin creators for alleged pump-and-dump

[Image: Brandon Brown poses with LGB coin branded car before sponsorship deal is cancelled. Alt text: NASCAR driver poses standing against a racecar with American flag detailing, the domain "LGBcoin.io", and the number 68 painted on it.]
A class-action lawsuit filed by Missouri investor Eric De Ford claims that the people behind the pro-Trump "Let's Go Brandon" (LGB) memecoin misled investors about a NASCAR sponsorship deal and celebrity backing. LGB coin had nearly reached an agreement to be the primary sponsor for NASCAR driver Brandon Brown, but the sponsorship was axed by NASCAR shortly after LGB coin announced it. Regardless, those behind the coin allegedly continued to promote the coin as though the NASCAR sponsorship was in motion, even as the token value cratered. The lawsuit alleges that "Defendants pushed the LGB Tokens as a means of promoting the American dream, while simultaneously touting the prospects for LGB Tokens and the ability for investors to make significant returns from the LGB Tokens like other so-called 'meme coin' digital assets... In truth, Defendants cynically marketed the LGB Tokens to investors so that they could sell off their portion of the Float for a profit."

De Ford has named the LGB coin creators in the suit, as well as NASCAR, and promoters like Brandon Brown and Candace Owens.

Apparent scammers drop NFTs appearing to be from the Bored Ape Yacht Club project

[Image: Fake BAYC land NFT. Alt text: 3D-rendered piece of "land" crudely made from simple polygons, with block text reading "1x1" underneath.]
An apparent scammer was able to create transactions that appeared as though they were coming from the smart contract belonging to the Bored Ape Yacht Club. OpenSea's UI doesn't differentiate these spoofed transfers from those that are actually coming from the project's contract, and so only users who carefully look at the transaction details can spot that the NFT is suspicious. "This is unfortunately just how the blockchain works", wrote gofannon.eth, the Director of Engineering for the company behind BAYC.

Whoever was behind these transactions airdropped fake NFTs purporting to be a part of an upcoming BAYC metaverse land project, sending them to owners of pricey NFTs and various NFT influencers. It's not clear whether the NFT itself can perform malicious actions, or, if so, whether any individuals have been impacted by it. However, part of the scam appeared to be an attempt to entice users hoping to get in on the next new BAYC project into a phishing scam. Tracing the transactions back showed an OpenSea profile with a fake "verified" badge and a mint link to what appears to be a phishing website, which invites people to connect their wallets to supposedly mint their own BAYC land NFTs.

Discord servers of several big-name NFT projects including Bored Apes and Doodles are compromised

Another day, another Discord compromise — or in this case, many Discord compromises. Bored Apes wrote on their Twitter account in the early hours of the morning, "STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised. We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now."

Other Discords reported to be compromised include those of several other big-name projects, among them Doodles, which had previously endured a Discord compromise in late February. This particular compromise appeared to stem from a series of compromised Discord bots, including a very popular CAPTCHA bot used to fight spammers. It's unclear if anyone lost money to the fake links posted by seemingly-official Discord accounts, or how much, but these types of attacks often lure in at least some victims, and the higher-priced NFT projects like Bored Apes and Doodles enable scammers to ask for quite a lot of money without raising an eyebrow.

Nate Chastain, executive who was canned from OpenSea for alleged insider trading, creates a new NFT platform

Nate Chastain resigned from OpenSea at their request in September 2021 after it was discovered that he had allegedly been buying NFTs based on insider knowledge that they would be featured on the OpenSea front page, then reselling them at a profit. Fortunately for him, the crypto sphere is a great place for scammers and fraudsters to get second and third and fourth chances, and so Chastain is right back at NFTs with a new venture, "Oval". Oval is trying to raise a $3 million seed round and $30 million pre-money valuation, or a $7.5 million seed round and $50 million valuation, depending which pitch deck you look at.

Former Cosmic Cowgirls head community moderator accuses the project of rug-pulling

[Image: Cosmic Cowgirls #1128. Alt text: Illustration of a woman wearing a blue and pink cowboy hat, with blue hair, crying green tears, on a green background.]
The former head moderator of the Cosmic Cowgirls NFT project Discord, Esh, wrote on Twitter that the project team had fired all moderators and scrapped all of their roadmaps. The previous roadmap had promised gamification, meetups, merchandise, comics, an animated series, and all sorts of other things, though no headway appeared to have been made on any of them. The team also removed around 300 ETH (a bit over $1 million) in funds from the project wallet.

The Cosmic Cowgirls team hit back with accusations against the head moderator, accusing him of falsifying allegations against the project out of anger at being fired along with the other moderators. The group also claimed that the funds had been moved for security and tax reasons, and sent a vaguely threatening message to the moderator in which they stated that he should "discontinue the spread of false information in attempts to harm us and the project" and "resolve [concerns] ... privately as the terms of our contract are still ongoing and applicable".

Lending protocol Ola Finance is hacked for $3.6 million

Ola Finance is a lending protocol that allows others to create their own lending networks. It promises to allow users to create their own loan platforms where "assets can be listed without needing to pass cumbersome and expensive governance schemes or comply with numerous requirements (deep liquidity, high trading volumes, low volatility, etc.)"

One of their networks, built on top of the Fuse chain, was exploited for crypto assets priced at around $3.6 million. By taking advantage of a re-entrancy vulnerability, the attacker was able to take loans on the platform, then withdraw the collateral without paying back the loans. They then took the stolen assets and transferred them to the BNB and Ethereum chains, making them more difficult to recover.

Creator of apparent $21 million Bored Bunny rug pull miraculously resurfaces following DOJ action against a different rug pull

[Image: Bored Bunny #3258. Alt text: A 3D-rendered humanlike bunny, with cow-print skin, a tie-dye shirt, and red irises.]
Many had written off the Bored Bunny NFT project (and its subsequent spin-off NFT collections) as a rug pull. After releasing several new NFT collections that appeared to be little more than cash grabs, each less popular than the last, the team behind the project grew increasingly distant until going silent for over a month. Meanwhile, the team had pocketed over $21 million, largely thanks to the popularity the project had drummed up through influencer promotions from the likes of Jake Paul and Floyd Mayweather (both of whom, incidentally, are facing separate class-action lawsuits alleging impropriety in their promotions of crypto projects).

Suddenly, the project creator resurfaced on March 29, with a tweet claiming that he had been absent for a month because he had been... reading emails. The team then announced they would be handing the project reins over to a community member, though there was no mention of the $21.1 million that had already been pocketed by the original team.

The unexpected return came only days after the U.S. Department of Justice announced charges against two perpetrators of a different NFT rug pull, in which they stated unequivocally that "the same rules apply to an investment in an NFT or a real estate development. You can't solicit funds for a business opportunity, abandon that business and abscond with money investors provided you."

Popular blockchain game Axie Infinity suffers a $625 million exploit, the largest in defi history

One of the most popular play-to-earn games, Axie Infinity, suffered an enormous hack to the Ronin network on which it runs. The project announced that a majority of Ronin validator nodes had been compromised — four belonging to the Sky Mavis company that builds Axie Infinity, and one belonging to the Axie DAO. After gaining control of the validators, the attacker was able to approve malicious withdrawals of 173,600 ETH (about $600 million) and 25.5M USDC (a stablecoin, worth $25.5M). The $625 million loss was possibly the largest to date in the history of defi projects.

Sky Mavis announced that they had halted the Ronin Bridge and Katana DEX, and were making changes to their network to try to guard against future attacks. They also wrote that they were "working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed".

Would-be collectors of new Pak NFTs lose thousands of dollars in gas fees on failed transactions

[Image: One of the Ash NFTs. Alt text: A rendering of a clear glass-like sphere partially filled with black sand, with a white 3D x partially embedded in the sand.]
Collectors were excited for a chance to obtain NFTs from the artist Pak's upcoming collection, "Ash Chapter II: Metamorphosis". Pak is an extremely popular digital artist, and his newest collection boasted collaborators including Pussy Riot, Paris Hilton, and others.

Unfortunately, the drop did not go smoothly. Heavy botting caused gas fees to spike, and the project claimed there were issues with MetaMask's estimation of gas fees. Outside parties have suggested the issue was not with MetaMask, but rather with a poorly-implemented smart contract.

People wound up making transactions that ran out of gas before completing, meaning they lost their gas fees and did not successfully receive any NFTs. Others paid sufficient gas, but ran into other errors with the contract that meant they didn't get an NFT. The spiking gas fees meant some people lost a considerable amount of money — people reported failed transactions that cost them amounts ranging between 0.1 and 0.8 ETH (between $338 and $2,700). Some who did successfully receive NFTs also claimed to have lost value as a result of the rocky mint, which they said contributed to a lower-valued NFT.

manifold.xyz, the group behind the mint, reported that they planned to reimburse people who lost gas trying to mint NFTs. Some people seemed happy with this solution, while others were upset that they missed their chance to obtain an NFT they wanted as a result of the problems.

Artist for Andrew Yang's crypto lobbying DAO is offered $500 after being promised "a percentage" of revenue in a project that raised at least $790,000

[Image: Lobby3D mural. Alt text: An intricate, rainbow-colored digital art mural of a city.]
In February, perennial political candidate Andrew Yang announced he had created "Lobby3", a DAO which he says will push for crypto-friendly regulation and "eradicate poverty". The website sports a cute illustration of a city, which was created by a group of artists, and which was also originally intended to be split into "puzzle pieces" to be minted as NFTs (though this apparently never came to pass).

One of the artists, Phillip Lietz, took to Twitter on March 28 to call out the group for the pittance he was offered for his work, posting screenshots of an email exchange he had had with a member of the project team. The emails show Lietz asking whether artists would receive compensation for their work, and a project team member replying: "Yes... any artist we select will receive a percentage of our revenue".

They went on to say that if they used his work, they would "negotiate a percentage of what we sell". The reply to Lietz's question about if there was a contract was: "No formal contract as we need to move fast, but I imagine this email would hold up in court as a written agreement if it ever came to that (it wouldn't! Andrew and I are men of our words!)" In a subsequent email, the team member wrote that they would "love to send you a Lobby3 Member token", and that "our artist commissions weren't huge, but [we] would love to send you $500 for your time and effort". Lietz replied to say that the DAO's NFT fundraising appeared to have raised at least $790,000, and that $500 was an unfair amount (although I suppose 0.06% is technically "a percentage"). The team member replied by basically negging Lietz, writing "Honestly, I didn't want to say this, but I will now mention: we weren't actually going to use your art in the project... but you seemed like a great guy and I wanted to throw you some cash and get you some exposure".

Anyway, nice job Andrew and team! Nothing says "eradicating poverty" and "empowering creatives" like paying them basically nothing.

Top Super Smash Bros. Ultimate player has his Twitter account hacked to shill NFTs

[Image: The profile picture of the hacked account. Alt text: A pink robot with green drool and rolled-back eyes, with a head floating above the body.]
MkLeo, who is widely considered to be the best Smash Ultimate player in the world, had his 217,000-follower Twitter account hacked and repurposed for NFT shilling. The scammers changed his profile picture to a pink robot creature with green drool, and began posting tweets talking about his supposed collaboration with The Possessed NFT project. The link in the tweets went to a scam website that claimed to allow people to mint NFTs from the actual Possessed NFT project. It's not yet clear how many people fell for the malicious link, but MkLeo's Twitter account appeared to be back under his control later that evening.

Another collector loses a Bored Ape to a phishing scam

[Image: Bored Ape #5778. Alt text: A grey robot ape, making a confused face with an open mouth, wearing an orange beanie and black t-shirt on an orange background.]
NFT collector Cameron Moulène was excited to see a link promising a merch drop in the bio of an account with the same branding as Bored Ape Yacht Club, but with the handle BoardApesYC (rather than BoredApesYC). Clicking the link, which matched the BAYC website link except with a character swapped in ("yarht"), the trader connected his wallet and soon found his favorite NFT transferred to the phisher. He had originally purchased Bored Ape #5778, which he described as his "forever ape" that he never planned to sell, in August 2021 for 53.88 ETH ($166,684 at the time). The scammer flipped the Ape within an hour for 110 ETH ($368,660).

When chastised by other NFT collectors who assumed he had stored the ape on a hot wallet, Moulène clarified that the NFTs had been stored in a Ledger hardware wallet. He later tweeted, "Since I've got a platform, here's what I learned today: COLD WALLET, does not just mean storing assets in a series of ledgers/trezors. It means a wallet that is NEVER Linked to anything besides MM or OS." Moulène went on to threaten legal action, saying, "Oh I will spend 10x that ape tracking these fucks down and suiting [sic] them into oblivion." and "I'm going to pursue legal action in the states and internationally (if need be) to find the people responsible and hold them accountable."

Owner of two pricey Ape NFTs sells them for $140 in a possible hack

[Image: Bored Ape #835. Alt text: A beige-furred ape with half-closed eyes, wearing sunglasses, smoking a cigarette, and wearing a leather jacket with no shirt underneath, on a yellow-green background.]
NFT trader Calvin Chan recently made some unusual NFT trades. He sold his Bored Ape, which he had bought in August 2021 for 16 ETH (then about $50,000), for 115 DAI ($115 — DAI is a stablecoin pegged to USD). Not only was this a near-total loss compared to the purchase price, Bored Apes' floor price is around 107 ETH (~$360,000), and this Ape likely could've sold for more than that. Chan also sold a Mutant Ape for 25 DAI/$25 to the same buyer — despite Mutant Apes' floor price of 22.5 ETH (~$75,000).

Some initially speculated that he may have mistaken the offer represented in DAI for ETH, as 115 ETH (~$387,500) and 25 ETH (~$84,000) would've been pretty reasonable trades for the respective NFTs. However, the trader posted on Twitter that he had been "swiped ... of his BAYC and MAYC... I am fine. In shock, but okay. Do i know what happened? No. Still trying to wrap my head around how and why."

NFT trader loses a Mutant Ape NFT to an NFT swap scam

[Image: Mutant Ape #232. Alt text: An illustration of an ape that appears to be made out of volcanic rock and magma, with a green dripping face, smoking a pipe, wearing a sweater made out of worms.]
A trader known by taylorRichie.eth agreed to swap their Morie NFT for a Doodle, in a trade they'd coordinated with a user on Discord. Because OpenSea doesn't support trading one NFT for another, only buying and selling them for crypto, the traders had to use a different, less-known swap platform to perform the trade. Although taylorRichie.eth took precautions, like typing in the URL themselves instead of clicking a link, they were still fooled into signing a malicious transaction that transferred a different NFT in their wallet, a Mutant Ape, to the scammer. The scammer then quickly flipped the stolen NFT to another buyer for 22 ETH ($73,585).

Revest Finance is hacked for $2 million

The Revest protocol was targeted with an attack that stole $BLOCKS, $ECO, and $RENA tokens from their vault. The protocol wrote that the attacker used a "highly sophisticated attack on a vulnerability that went unnoticed during our Solidity.Finance audit as well as ... multiple peer-reviews". The hacker quickly swapped the stolen tokens for ETH via various decentralized exchanges, then tumbled the funds using Tornado Cash. The protocol wrote that they "do not possess the funds needed for meaningful financial recompense, and are not covered by any DeFi insurance provider", but promised to try to "do everything within our power to make things as right as they can possibly be made".

Coinbase begins to require users in Canada, Singapore, and Japan to input personal information about the recipients of their crypto transactions

Coinbase began sending out notices to its customers who reside in Canada, Singapore, and Japan, to tell them that in early April, they will need to begin inputting information about the recipients of any crypto they send. Coinbase said the change was in order to comply with various regulations imposed by those countries. The specifics differ somewhat between the three countries: for example, in Canada, the verification is only required for amounts above CA$1,000 (about US$800); Japanese users need to provide verification for any amounts, but only if transferring to entities outside of Japan; and Singaporean users need to verify any amounts sent to anyone. Canadian and Singaporean residents will also need to provide the address of the recipient of their funds, whereas Japanese customers only need to supply the name and country of residence.

Some Coinbase customers in these jurisdictions seemed less than enthused at the announcement. One tweeted, "Wait, then what's the point of crypto/blockchain, being outside of fin.system and all.. I may be better off sending fiat money".

Crypto tax software firm ZenLedger fires executive after the New York Times discovers he lied extensively about his background

Image: Dan Hannum Twitter profile photo (alt text: Color-filtered photograph of Dan Hannum from the shoulders up, with a lens flare)
New York Times reporter Ron Lieber began fact-checking a story in March about a deal between crypto tax software firm ZenLedger and the Internal Revenue Service. Lieber ran into trouble fact-checking the claims of ZenLedger COO Dan Hannum, who told a compelling story of being arrested as a juvenile, then turning his life around and earning college degrees, working at several major Wall Street firms, and becoming a crypto millionaire. Lieber discovered that Hannum had never earned the degrees he claimed, nor worked at the Wall Street firms he listed. He also found no evidence that Hannum had ever managed $100 million in assets like he said, nor that he had made so much on crypto that he was paying "millions in taxes" alone.

After Lieber put these questions to ZenLedger, the company fired Hannum. ZenLedger founder Pat Larsen was cagey around the circumstances under which Hannum was hired, and an outside spokesperson for the company laid the blame on a bad referral and a federal background check that returned "no flags regarding his education or work history". A venture capital firm that invested in the company reported that they "did more due diligence than a traditional venture capitalist would have done" on the company but had not checked Hannum's background.

Exxon Mobil reportedly gets in on Bitcoin mining

According to Bloomberg, Exxon Mobil has begun a pilot program to set up Bitcoin miners at an oil well in North Dakota. The project reportedly runs off 18 million ft³ of natural gas that would otherwise be flared. Although early proponents waxed poetic about how anyone could mine Bitcoin, the increasing hardware specialization and massive electricity costs have made it practical at scale only for those with access to the hardware and cheap sources of electricity — including, now, the world's second largest oil company.

Some crypto proponents have spoken positively about using excess gas that would otherwise be flared for Bitcoin mining, though climate experts have spoken out against it being a sufficient or reasonable solution. "It's like if you had a leaky gasoline pipeline and, instead of fixing the problem, you plugged in a Humvee next to the leak and left the engine on in perpetuity with the A/C on full blast," said UC Santa Barbara professor Paasha Mahdavi.

Hacked verified Twitter accounts impersonate BAYC founders, scam $1 million with fake ApeCoin airdrop

Image: Mutant Ape #22660 (alt text: A light purple-furred ape with boils, wearing a pirate hat, with a green face with mushrooms growing on it, and an open mouth)
Some scammers obtained hacked verified Twitter accounts, then rebranded them to claim to be founders of the Bored Ape Yacht Club. They then tweeted about how their team's ApeCoin launch had been so successful, they'd decided to airdrop more tokens. Users who clicked the link and connected their wallets quickly discovered they'd been scammed when their high-value NFTs were transferred from their accounts, then flipped for resale. One victim of the scam said they'd lost $600,000, and tweeted: "@BhawanaCAN put out a tweet referring for more $ape available- I trusted the blue checkmark @twitter @jack now the ape and my gutter cat is gone - fuck you @BhawanaCAN". @BhawanaCAN, prior to the hack, was an account belonging to the former CEO of the Cricket Association of Nepal.

There were multiple scammer accounts involved in the scheme, and one researcher has estimated that the scammers had made around $1 million from reselling the NFTs as of March 24. A similar hack had occurred several days earlier, in which a hacked verified account impersonated a BAYC founder and successfully stole three pricey Bored Apes from a collector.

Roller derby community resoundingly rejects NFT project

Image: Bout Time NFTTT logo (alt text: An illustration of a pink-skinned person wearing a black spiked helmet with a star on it, holding skates over their shoulder. The text "BOUT TIME NFTTT" is superimposed over it in a neon style)
After three roller derby stars announced an NFT project called "'Bout Time", the roller derby community was fairly united in its displeasure with the idea. Though the project intended to donate some of their proceeds back to the roller derby community, the overwhelming response appeared to be that engaging with NFTs was indefensible even if the project did provide money for the derby leagues. Most concerns seemed to revolve around the environmental impact of NFTs in general, as well as the scams that are rampant in the NFT world. After considering the feedback to their project, the three skaters announced that they would not be continuing with the project, which was due to mint on March 31. One of the project founders told Vox, "If this community doesn't want us to run this project, then we're not going to do this project for them. The whole reason was to raise money for the derby community, and they so strongly spoke out against us."

Department of Justice charges the scammers behind the January "Frosties" NFT rug pull with fraud and money laundering shortly before they launch their second project

Image from the Embers NFT project, which the Frosties scammers were about to launch (alt text: Pastel rainbow-colored illustration of a flame wearing a hoodie)
On January 9, an ice cream-themed NFT project called "Frosties" made off with $1.1 million in a rug pull only an hour after the NFTs were launched. Less than three months later, the U.S. Attorney's Office for the Southern District of New York announced that they had charged the two 20-year-old individuals behind the scheme with conspiracy to commit wire fraud and conspiracy to commit money laundering. Although it is bizarrely common to see people question whether NFT rug pulls are actually crimes, the USAO was quite clear: "Rather than providing the benefits advertised to Frosties NFT purchasers, Nguyen and Llacuna transferred the cryptocurrency proceeds of the scheme to various cryptocurrency wallets under their control." The Special Agent in Charge stated, "the same rules apply to an investment in an NFT or a real estate development. You can't solicit funds for a business opportunity, abandon that business and abscond with money investors provided you."

The statement also alleged that the duo were working on another NFT project called "Embers", which they hoped would generate around $1.5 million. The project was set to mint on March 26, and the 60,000-member Discord has been thrown into disarray. Some of the community moderators began deleting links to the D.O.J. announcement, and attempted to suggest that the Department of Justice website had been faked to "FUD" the project.

The individuals behind the Frosties scheme face charges that each carry a maximum sentence of 20 years in prison, if they are convicted.

Pye suffers a $2.6 million loss in a flash loan attack

The security firm PeckShield reported that the Pye ecosystem had been targeted with a flash loan attack, which drained around $2.6 million from the protocol. Pye is a group of defi software projects built on the Binance Chain. The project had just undergone a large migration, and it appeared the bug may have been introduced in the new contracts.

The guy behind the "NFT band" on Ellen thinks you should have to pay royalties on dance moves

Image (alt text: Four figures resembling neon-colored versions of Bigfoot play instruments on a large screen. A woman wearing bright blue pants and a jacket kneels in front of the screen singing into a microphone). Caption: I tried to get a good screengrab of the "NFT band" but the videographer, reasonably, seemed to find the human performer more interesting.
In the latest installment of "large television program launders the reputations of NFTs", an "NFT band" performed on Ellen... Well, some animated characters danced on a screen while a human performed, a concept that is not exactly new.

The animator who created the band animation, however, has big dreams for the possibilities NFTs could bring to dancers. Dancers "can now claim digital ownership over a series of moves or routines by means of NFTs". Imagine, he says, "owning the original Moonwalk". Yes, everyone, just imagine how much better the world could be today if everyone had had to pay royalties whenever they imitated Michael Jackson's signature move.

Parts of the "Caked Apes" NFT project team both sue each other

Image: Caked Ape #2487 (alt text: A purple dripping ape with a turquoise helmet and green dripping teeth, wearing a pink shirt, on a pink and orange background)
Two lawsuits were filed nearly simultaneously, each alleging misconduct by the other party with respect to the "Caked Apes" NFT project — a project full of illustrations that were very clearly derived from the popular Bored Apes project, but feature neon colors and psychedelic motifs. Caked Apes so far has done around $1.9 million in sales.

Both lawsuits center on Taylor Whitley and his departure from the project, but they diverge considerably from there. Whitley's suit claims that he was wrongly ousted from the project; the other lawsuit claims that Whitley engaged in "unhinged, destructive, and egotistical acts... to sabotage... 'Caked Apes', after Whitley failed to usurp ownership and control of the project entirely for himself". They also allege that Whitley misused DMCA takedowns to have the collection removed from online marketplaces. The lawsuits are liable to be complicated somewhat by the fact that a partnership agreement doesn't appear to have ever been written up.

A Robin Hood-esque attacker steals $52 million from Cashio, then returns smaller amounts and pledges to donate the rest to charity

A hacker was able to exploit an infinite mint glitch in the protocol of Cashio, a Solana stablecoin project. They were able to pull around $50 million out of the platform, while also tanking the value of the $CASH token in the process. The attacker left a note in the input data of their Ethereum transactions that "Account with less 100k have been returned. all other money will be donated to charity."

Saber, the providers of the Cashio liquidity pool, published a postmortem of the attack in which they wrote that "We do not have the money to pay back depositors." The hack was the second largest in Solana history, behind the February Wormhole hack. Saber entreated the hacker to return the funds, writing, "accounts with over $100k are often users' life savings on leverage, and many of us will seriously be affected financially after this incident."

On March 28, the attacker sent a message saying that "the intention was only to take money from those who do not need it, not from those who do", and invited users who had over $100,000 to apply to receive their funds back with "an explanation of the source of this money and why you need it back. more detail is better. money will not be refund to rich american and european that don't need it." Somewhat strangely, Cashio themselves began hosting a website to allow affected users to plead with the hacker to return the money.

VeVe marketplace goes offline for over a day after an exploit results in a "large amount of gems being acquired illegitimately"

The VeVe marketplace has developed a bit of a reputation as the partner of choice for some big names who have dipped their toes into "licensed digital collectible" NFTs, including Marvel, Pixar, and Coca-Cola. It is also notable for using in-app tokens called Gems, which can be purchased with credit cards, but have been impossible to cash out since the mid-2021 launch (though VeVe has very recently said they are beta testing a cashout system).

On March 22, VeVe tweeted that "We have become aware of an exploit of our systems which resulted in a large amount of gems being acquired illegitimately", and that they had closed the market, as well as purchases and transfers of Gems. The market remained closed for over a day as VeVe apparently triaged the problem. It's not clear yet what the impact has been to the platform or its users, though many reported that their NFTs appeared to have plunged in value.

G2 Esports sues NFT provider Bondly, accuses them of using them for publicity

G2 Esports announced a partnership with NFT provider Bondly in June 2021, through which they planned to release profile picture NFTs that would also provide access to membership perks. Nothing has materialized since then, despite their plans to launch in February. On March 22, G2 filed suit against Bondly, accusing them of agreeing to a deal they knew they could not fulfill, but that would lend Bondly credibility and publicity via the association with the G2 brand. According to the lawsuit, shortly after the first invoice was sent for the rights payments that Bondly was due to pay to G2, Bondly wrote that the company was "past the point of being able to successfully deliver an NFT program". G2 has said the failed deal resulted in $5,250,000 in damages.

Team behind the NeoNexus NFT project raises several million dollars, then abandons it

Image: Tweet by NeoNexus founder Jack Shi (alt text: Tweet by Jack Shi, containing a photo of a man sitting in the driver's seat of a sports car with the gull-wing door open. Text reads "#NewProfilePic This car is so comfortable and worth way more than my house.")
NeoNexus was a metaverse NFT project that raised about 25,000 SOL (worth around $2.2 million today; previously worth $3.5 to $4.5 million). The project had sold various "property NFTs", and had plans to create other NFTs representing things like characters and vehicles.

On March 21, the project's founder Jack Shi wrote on Twitter, "It is with a heavy heart that we must inform you that we can no longer continue healthy development of the NEONEXUS project. We would like to hand over the project to our community, or a community-selected party for takeover if that's feasible / possible." Going into more detail on Discord, he said the project had run out of money, which he blamed on waning interest in Solana NFTs.

The reaction to the announcement was overwhelmingly negative, particularly given the project's founder's apparent habit of bragging about his luxury cars. Many users described the abrupt shutdown as a rug pull, and one user even mentioned looking into a class action suit against the project team.

Phishing scheme promising to animate one's apes nets attacker a collector's three pricey Bored Apes

Image: BAYC #71 (alt text: A Bored Ape with leopard-print fur, wearing a black bowler hat and an American flag shirt with a deep V-neck, with half-closed red eyes, on an orange background)
An NFT collector fell for a scam website promising to "turn your BAYC animated". After connecting their wallet, the attacker transferred their three pricey Bored Ape NFTs to their own wallet, then quickly flipped them for resale for a combined total of around 264 ETH ($764,000). Zachxbt, a crypto fraud sleuth who first noticed the scam, estimated the NFTs' actual value at closer to $900,000.

It appeared from the victim's retweets that they had fallen for a scam shared by a verified Twitter account that claimed to be one of the Bored Apes founders. However, a closer look at the Twitter handle showed it was a hacked account with the username "volt_france", which previously had belonged to the French branch of the Volt Europa political movement.

Hacker steals more than $1.5 million after compromising wallets belonging to crypto whale Arthur_0x

Image: CloneX #13992, one of the stolen NFTs
Arthur_0x, a crypto investor and NFT whale, had two of their hot wallets compromised. The attacker stole ETH and transferred some big-ticket NFTs out of the wallets, including at least five CloneX NFTs and 17 Azuki NFTs. CloneX NFTs have been selling for an average of 16.76 ETH (about $50,000) over the past 30 days, and Azuki NFTs have been going for 12.5 ETH ($37,600). The attacker had not yet sold all the NFTs they had stolen, but within two hours of the attack they had 545 ETH (about $1.6 million) in their wallet.

Arthur_0x wrote on Twitter that they had previously only ever used a hardware wallet on their PC, but when they started more regularly trading NFTs they'd started using a hot wallet. "Hot wallet on mobile phone is indeed not safe enough", they wrote on Twitter, "Guess no more hot wallet usage then." They also wrote, "The only thing I can say to the hacker is: you mess with the wrong person" and tweeted the wallet address to which the NFTs were being transferred, asking for it to be blocklisted.

Hacker steals $1.45 million from OneRing Finance using code that self-destructs after the attack

A hacker was able to use a flash loan attack to exploit an issue with OneRing Finance. By manipulating the price of tokens in the project's liquidity pool, the hacker was able to draw out 1.45 million USDC, a stablecoin pegged to the US dollar. According to PeckShield, the loss to the protocol was larger than what the hacker actually was able to cash out.

The hacker complicated things somewhat for OneRing by covering their tracks. They used a "self-destruct" mechanism — typically used by developers to destroy smart contracts that are found to have a bug — to destroy the contract they used to carry out the attack, making it more difficult for OneRing to determine which parts of their codebase were vulnerable and led to the attack.

NFT scammers take over the Twitter account of a Florida gubernatorial candidate

Image: Nikki Fried's compromised Twitter profile (alt text: Twitter profile of Nikki Fried, showing banner and profile pictures for "Skulltoons", and the name "nikki.eth")
The Twitter account belonging to Nikki Fried, the current Florida Agriculture Commissioner and a Democratic candidate for the 2022 Florida gubernatorial race, was compromised and repurposed as an NFT shill account. The account, which was verified and had more than 270,000 followers, suddenly underwent what I imagine was a bit of a startling rebrand for her followers: her name was changed to "nikki.eth", and the Twitter bio was replaced with "Mod for SkulltoonsNFT, ThugBirdz, AzukiZen. Web3 Enthusiast". The account also changed its banner and profile pictures to Skulltoons images, and started tweeting about giveaways. By March 20, Fried had apparently regained control of the account, though the account privacy had been changed to protected.

The Fried account compromise is only one instance of what has become a trend on Twitter: Twitter accounts belonging to high-profile individuals, or accounts that are verified or have a large number of followers, being compromised and sold to NFT scammers. On March 11, ESPN baseball reporter Jeff Passan also had his Twitter account compromised and repurposed to shill Skulltoons NFTs. Skulltoons distanced themselves from that incident, writing that they believed the hackers were trying to scam their NFT community.

Kaiju Kongz NFT project artificially inflates its floor price by destroying your NFTs if you list them for sale at too low a price

Image: Kaiju Kongz (alt text: A pixel art image of a large ape creature with green and yellow eyes)
An NFT project's value is often discussed in terms of its floor price — that is, the lowest price at which any given NFT in a collection is listed for sale. The new NFT project Kaiju Kongz decided to take advantage of the fact that you can pretty much do anything you want with a smart contract to ensure that the floor price of its project only increases shortly after the NFTs are launched. They released their project with a "burn schedule" — a list price that gradually increases as time goes on, where if someone lists their NFT below that price, it will automatically be burnt — the closest thing to "destroying" an NFT that's possible. This serves to ensure that the floor price stays above the minimum value the project creators want, which doubles daily from 0.065 ETH (~$190) on the day of launch to 0.64 ETH (~$1,900) on March 22.

Some NFT collectors criticized the choice. One described it as "illegal market manipulation tactics", and others said the project should grow the floor "organically". Given the rampant manipulation in the NFT space, one wonders if the real criticism collectors have with the project is that they were too transparent about their price manipulation, and should've just done it quietly like other projects have.

Founder of crypto investment scheme "IGObit" and the sham organization "World Sports Alliance" is convicted of wire fraud

Asa Saint Clair created an organization called the World Sports Alliance, which he falsely described to prospective investors as being closely affiliated with the United Nations (for some reason). Saint Clair convinced more than 60 people that they should invest in his IGObit digital coin offering, stating they would receive a guaranteed return on investment, but instead he just took the money and used it for his own purposes. Saint Clair was convicted on March 18, and faces a maximum sentence of 20 years in prison.

People briefly borrow Bored Ape NFTs to claim as much as $1.1 million in $APE tokens

The Bored Ape Yacht Club recently created a token called ApeCoin, some of which they announced would be distributed to people who owned various Bored Ape NFTs and NFTs from their related collections. However, because the token distribution didn't use a snapshot of ownership data, but rather distributed tokens per-NFT to the first owner who claimed them, people were able to game the system. Some owners of Bored Ape and related NFTs had put their NFTs into an NFTX vault, which is a setup where someone takes a subset of their NFTs and creates a token that is based on them. The token can then be staked to generate yield, or can be sold, and if someone owns enough of the tokens, they can redeem them for the NFTs. A clever operator found a vault containing five Bored Ape NFTs, which had unclaimed $APE associated with them since they were locked up in the vault. They used a flash loan to purchase a large amount of the vault's token, redeem the five BAYC NFTs, claim the airdropped tokens, return the BAYC NFTs, sell back the tokens, and repay the loan, all in one transaction that cost them nothing but netted them 60,564 $APE, which they then swapped for 399 ETH ($1.1 million).

People were somewhat split on whether this could be classed as a vulnerability in the $APE airdrop, since (as with many crypto hacks and scams) the person was operating completely within the rules set out in code.
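The custody sequence described in the ApeCoin entry above, modelled as an added example in constructed Python (this is not the code of ApeCoin, NFTX or the Bored Ape Yacht Club): the "pay whoever holds the NFT at claim time" design sits beside a snapshot-based design, and the same borrow-claim-return sequence is run against both. The per-token allocation, addresses and token ids are constructed placeholders; the flash loan and vault-token trades are elided because only NFT custody matters to the claim check.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class NFTCollection:
    """Minimal ERC-721-like registry: token id -> current owner address."""
    owners: Dict[int, str]

    def transfer(self, token_id: int, frm: str, to: str) -> None:
        if self.owners[token_id] != frm:
            raise ValueError("transfer from non-owner")
        self.owners[token_id] = to


@dataclass
class Airdrop:
    """Per-token allocation, claimable once per token.

    snapshot is None  -> claim pays the *current* owner (the gameable design)
    snapshot is a map -> claim pays only the owner recorded before the window
                         opened, regardless of who holds the token now
    """
    nfts: NFTCollection
    per_token: int
    snapshot: Optional[Dict[int, str]] = None
    claimed: Set[int] = field(default_factory=set)
    balances: Dict[str, int] = field(default_factory=dict)

    def claim(self, token_id: int, caller: str) -> int:
        if token_id in self.claimed:
            return 0
        if self.snapshot is None:
            entitled = self.nfts.owners[token_id]      # whoever holds it right now
        else:
            entitled = self.snapshot[token_id]         # fixed at snapshot time
        if entitled != caller:
            return 0
        self.claimed.add(token_id)
        self.balances[caller] = self.balances.get(caller, 0) + self.per_token
        return self.per_token


def borrow_claim_return(airdrop: Airdrop, vault: str, borrower: str,
                        token_ids: List[int]) -> int:
    """The atomic sequence from the entry: redeem the vault's NFTs, claim,
    put them back. Returns the tokens the borrower ended up with."""
    for tid in token_ids:
        airdrop.nfts.transfer(tid, vault, borrower)
    gained = sum(airdrop.claim(tid, borrower) for tid in token_ids)
    for tid in token_ids:
        airdrop.nfts.transfer(tid, borrower, vault)
    return gained


def run_scenario(use_snapshot: bool) -> Tuple[int, bool]:
    """Five constructed apes locked in a vault; a borrower runs the sequence.
    Returns (tokens gained by the borrower, NFTs back in the vault)."""
    vault, borrower = "0xVAULT", "0xBORROWER"      # constructed addresses
    apes = [1, 2, 3, 4, 5]                          # constructed token ids
    nfts = NFTCollection({tid: vault for tid in apes})
    # Snapshot taken while the apes already sit in the vault, so the vault
    # address is the recorded owner and a later borrower is never entitled.
    snap = dict(nfts.owners) if use_snapshot else None
    drop = Airdrop(nfts=nfts, per_token=10_000, snapshot=snap)  # constructed amount
    gained = borrow_claim_return(drop, vault, borrower, apes)
    back_in_vault = all(nfts.owners[tid] == vault for tid in apes)
    return gained, back_in_vault


if __name__ == "__main__":
    print("current-owner claim:", run_scenario(use_snapshot=False))
    print("snapshot claim:     ", run_scenario(use_snapshot=True))
```

With the current-owner design the borrower walks away with the full allocation for all five tokens and the vault is left exactly as it was; with the snapshot design the same sequence yields nothing.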