Former Cosmic Cowgirls head community moderator accuses the project of rug-pulling

Image: Illustration of a woman wearing a blue and pink cowboy hat, with blue hair, crying green tears, on a green background. Caption: Cosmic Cowgirls #1128
The former head moderator of the Cosmic Cowgirls NFT project Discord, Esh, wrote on Twitter that the project team had fired all moderators and scrapped all of their roadmaps. The previous roadmap had promised gamification, meetups, merchandise, comics, an animated series, and all sorts of other things, though no headway appeared to have been made on any of them. The team also removed around 300 ETH (a bit over $1 million) in funds from the project wallet.

The Cosmic Cowgirls team hit back with accusations against the head moderator, accusing him of falsifying allegations against the project out of anger at being fired along with the other moderators. The group also claimed that the funds had been moved for security and tax reasons, and sent a vaguely threatening message to the moderator in which they stated that he should "discontinue the spread of false information in attempts to harm us and the project" and "resolve [concerns] ... privately as the terms of our contract are still ongoing and applicable".

Lending protocol Ola Finance is hacked for $3.6 million

Ola Finance is a lending protocol that allows others to create their own lending networks. It promises to allow users to create their own loan platforms where "assets can be listed without needing to pass cumbersome and expensive governance schemes or comply with numerous requirements (deep liquidity, high trading volumes, low volatility, etc.)"

One of their networks, built on top of the Fuse chain, was exploited for crypto assets priced at around $3.6 million. By taking advantage of a re-entrancy vulnerability, the attacker was able to take loans on the platform, then withdraw the collateral without paying back the loans. They then took the stolen assets and transferred them to the BNB and Ethereum chains, making them more difficult to recover.
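The borrow-then-withdraw sequence described above can be modelled in a few lines. This is an added illustration in Python, not Ola Finance's contract code: the class names, the 50% loan-to-value limit and the token's `on_receive` transfer hook (the path by which control returns to the borrower mid-call) are assumptions. It puts the unsafe ordering beside a pool that books the debt before transferring and refuses re-entrant calls.

```python
from contextlib import contextmanager

class Revert(Exception):
    """Stands in for an EVM revert: the whole transaction is undone."""

class Token:
    """Token that notifies the recipient on transfer (the hook is an assumption)."""
    def __init__(self):
        self.balances = {}

    def mint(self, holder, amount):
        self.balances[holder] = self.balances.get(holder, 0) + amount

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "on_receive", None)
        if hook is not None:
            hook(self, amount)  # external call: the recipient's code runs here

class VulnerablePool:
    def __init__(self, collateral_token, loan_token):
        self.collateral_token, self.loan_token = collateral_token, loan_token
        self.collateral, self.debt = {}, {}

    def deposit(self, user, amount):
        self.collateral_token.transfer(user, self, amount)
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def _check_ltv(self, user, amount):
        # 50% loan-to-value limit (constructed parameter).
        if self.debt.get(user, 0) + amount > self.collateral.get(user, 0) // 2:
            raise Revert("undercollateralised")

    def borrow(self, user, amount):
        self._check_ltv(user, amount)
        self.loan_token.transfer(self, user, amount)       # interaction first
        self.debt[user] = self.debt.get(user, 0) + amount  # debt booked too late

    def withdraw(self, user):
        if self.debt.get(user, 0) > 0:
            raise Revert("outstanding debt")
        amount = self.collateral.pop(user, 0)
        self.collateral_token.transfer(self, user, amount)

class HardenedPool(VulnerablePool):
    _entered = False

    @contextmanager
    def _non_reentrant(self):
        if self._entered:
            raise Revert("re-entrant call")
        self._entered = True
        try:
            yield
        finally:
            self._entered = False

    def borrow(self, user, amount):
        with self._non_reentrant():
            self._check_ltv(user, amount)
            self.debt[user] = self.debt.get(user, 0) + amount  # effect first
            self.loan_token.transfer(self, user, amount)       # then interaction

    def withdraw(self, user):
        with self._non_reentrant():
            super().withdraw(user)

class PlainBorrower:
    def __init__(self, pool):
        self.pool = pool

class ReenteringBorrower(PlainBorrower):
    def on_receive(self, token, amount):
        # Calls back into the pool while borrow() is still executing.
        if token is self.pool.loan_token:
            self.pool.withdraw(self)

def run(pool_cls, borrower_cls):
    """Deposit 100 collateral, borrow 50, and report the resulting state."""
    coll, loan = Token(), Token()
    pool = pool_cls(coll, loan)
    borrower = borrower_cls(pool)
    loan.mint(pool, 1000)  # pool liquidity (constructed numbers)
    coll.mint(borrower, 100)
    pool.deposit(borrower, 100)
    saved = [dict(coll.balances), dict(loan.balances), dict(pool.collateral), dict(pool.debt)]
    reverted = False
    try:
        pool.borrow(borrower, 50)
    except Revert:  # undo every state change, as a reverted transaction would
        coll.balances, loan.balances, pool.collateral, pool.debt = saved
        reverted = True
    return {"reverted": reverted,
            "borrower_collateral": coll.balances.get(borrower, 0),
            "borrower_loan": loan.balances.get(borrower, 0),
            "collateral_locked": pool.collateral.get(borrower, 0),
            "debt": pool.debt.get(borrower, 0)}
```

In the vulnerable pool the run ends with a recorded debt of 50 and no collateral left behind it; in the hardened pool the same call sequence reverts, while an ordinary borrower is unaffected.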

Creator of apparent $21 million Bored Bunny rug pull miraculously resurfaces following DOJ action against a different rug pull

Image: A 3D-rendered humanlike bunny, with cow-print skin, a tie-dye shirt, and red irises. Caption: Bored Bunny #3258
Many had written off the Bored Bunny NFT project (and its subsequent spin-off NFT collections) as a rug pull. After releasing several new NFT collections that appeared to be little more than cash grabs, each less popular than the last, the team behind the project grew increasingly distant until going silent for over a month. Meanwhile, the team had pocketed over $21 million, largely thanks to the popularity the project had drummed up through influencer promotions from the likes of Jake Paul and Floyd Mayweather (both of whom, incidentally, are facing separate class-action lawsuits alleging impropriety in their promotions of crypto projects).

Suddenly, the project creator resurfaced on March 29, with a tweet claiming that he had been absent for a month because he had been... reading emails. The team then announced they would be handing the project reins over to a community member, though there was no mention of the $21.1 million that had already been pocketed by the original team.

The unexpected return came only days after the U.S. Department of Justice announced charges against two perpetrators of a different NFT rug pull, in which they stated unequivocally that "the same rules apply to an investment in an NFT or a real estate development. You can't solicit funds for a business opportunity, abandon that business and abscond with money investors provided you."

Popular blockchain game Axie Infinity suffers a $625 million exploit, the largest in defi history

One of the most popular play-to-earn games, Axie Infinity, suffered an enormous hack to the Ronin network on which it runs. The project announced that a majority of Ronin validator nodes had been compromised — four belonging to the Sky Mavis company that builds Axie Infinity, and one belonging to the Axie DAO. After gaining control of the validators, the attacker was able to approve malicious withdrawals of 173,600 ETH (about $600 million) and 25.5M USDC (a stablecoin, worth $25.5M). The $625 million loss was possibly the largest to date in the history of defi projects.

Sky Mavis announced that they had halted the Ronin Bridge and Katana DEX, and were making changes to their network to try to guard against future attacks. They also wrote that they were "working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed".

Would-be collectors of new Pak NFTs lose thousands of dollars in gas fees on failed transactions

Image: A rendering of a clear glass-like sphere partially filled with black sand, with a white 3D x partially embedded in the sand. Caption: One of the Ash NFTs
Collectors were excited for a chance to obtain NFTs from the artist Pak's upcoming collection, "Ash Chapter II: Metamorphosis". Pak is an extremely popular digital artist, and his newest collection boasted collaborators including Pussy Riot, Paris Hilton, and others.

Unfortunately, the drop did not go smoothly. Heavy botting caused gas fees to spike, and the project claimed there were issues with MetaMask's estimation of gas fees. Outside parties have suggested the issue was not with MetaMask, but rather with a poorly-implemented smart contract.

People wound up making transactions that ran out of gas before completing, meaning they lost their gas fees and did not successfully receive any NFTs. Others paid sufficient gas, but ran into other errors with the contract that meant they didn't get an NFT. The spiking gas fees meant some people lost a considerable amount of money — people reported failed transactions that cost them amounts ranging from 0.1 to 0.8 ETH (between $338 and $2,700). Some who did successfully receive NFTs also claimed to have lost value as a result of the rocky mint, which they said contributed to a lower-valued NFT.

manifold.xyz, the group behind the mint, reported that they planned to reimburse people who lost gas trying to mint NFTs. Some people seemed happy with this solution, while others were upset that they missed their chance to obtain an NFT they wanted as a result of the problems.

Artist for Andrew Yang's crypto lobbying DAO is offered $500 after being promised "a percentage" of revenue in a project that raised at least $790,000

Image: An intricate, rainbow-colored digital art mural of a city. Caption: Lobby3D mural
In February, perennial political candidate Andrew Yang announced he had created "Lobby3", a DAO which he says will push for crypto-friendly regulation and "eradicate poverty". The website sports a cute illustration of a city, which was created by a group of artists, and which was also originally intended to be split into "puzzle pieces" to be minted as NFTs (though this apparently never came to pass).

One of the artists, Phillip Lietz, took to Twitter on March 28 to call out the group for the pittance he was offered for his work, posting screenshots of an email exchange he had had with a member of the project team. The emails show Lietz asking whether artists would receive compensation for their work, and a project team member replying: "Yes... any artist we select will receive a percentage of our revenue".

They went on to say that if they used his work, they would "negotiate a percentage of what we sell". The reply to Lietz's question about if there was a contract was: "No formal contract as we need to move fast, but I imagine this email would hold up in court as a written agreement if it ever came to that (it wouldn't! Andrew and I are men of our words!)" In a subsequent email, the team member wrote that they would "love to send you a Lobby3 Member token", and that "our artist commissions weren't huge, but [we] would love to send you $500 for your time and effort". Lietz replied to say that the DAO's NFT fundraising appeared to have raised at least $790,000, and that $500 was an unfair amount (although I suppose 0.06% is technically "a percentage"). The team member replied by basically negging Lietz, writing "Honestly, I didn't want to say this, but I will now mention: we weren't actually going to use your art in the project... but you seemed like a great guy and I wanted to throw you some cash and get you some exposure".

Anyway, nice job Andrew and team! Nothing says "eradicating poverty" and "empowering creatives" like paying them basically nothing.

Top Super Smash Bros. Ultimate player has his Twitter account hacked to shill NFTs

Image: A pink robot with green drool and rolled-back eyes, with a head floating above the body. Caption: The profile picture of the hacked account
MkLeo, who is widely considered to be the best Smash Ultimate player in the world, had his 217,000-follower Twitter account hacked and repurposed for NFT shilling. The scammers changed his profile picture to a pink robot creature with green drool, and began posting tweets talking about his supposed collaboration with The Possessed NFT project. The link in the tweets went to a scam website that claimed to allow people to mint NFTs from the actual Possessed NFT project. It's not yet clear how many people fell for the malicious link, but MkLeo's Twitter account appeared to be back under his control later that evening.

Another collector loses a Bored Ape to a phishing scam

Image: A grey robot ape, making a confused face with an open mouth, wearing an orange beanie and black t-shirt on an orange background. Caption: Bored Ape #5778
NFT collector Cameron Moulène was excited to see a link promising a merch drop in the bio of an account with the same branding as Bored Ape Yacht Club, but with the handle BoardApesYC (rather than BoredApesYC). Clicking the link, which matched the BAYC website link except with a character swapped in ("yarht"), the trader connected his wallet and soon found his favorite NFT transferred to the phisher. He had originally purchased Bored Ape #5778, which he described as his "forever ape" that he never planned to sell, in August 2021 for 53.88 ETH ($166,684 at the time). The scammer flipped the Ape within an hour for 110 ETH ($368,660).

When chastised by other NFT collectors who assumed he had stored the ape on a hot wallet, Moulène clarified that the NFTs had been stored in a Ledger hardware wallet. He later tweeted, "Since I've got a platform, here's what I learned today: COLD WALLET, does not just mean storing assets in a series of ledgers/trezors. It means a wallet that is NEVER Linked to anything besides MM or OS." Moulène went on to threaten legal action, saying, "Oh I will spend 10x that ape tracking these fucks down and suiting [sic] them into oblivion." and "I'm going to pursue legal action in the states and internationally (if need be) to find the people responsible and hold them accountable."
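A marketplace, wallet or community moderator can screen for the kind of near-miss handle and link described above. This added example (not from the original post) flags names within a small edit distance of a protected name after folding common look-alike characters. The protected hostname is a constructed placeholder, since the post does not give the real domain, and the character-folding rules go beyond the single swapped character mentioned in the text.

```python
from urllib.parse import urlsplit

# The handle is the one named in the post. The hostname is a constructed
# placeholder (.example); the post does not give the real domain.
PROTECTED_HANDLES = ["BoredApesYC"]
PROTECTED_HOSTS = ["boredapeyachtclub.example"]

# Characters commonly substituted to imitate a name (assumed, not exhaustive).
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None, "_": None})


def fold(name):
    """Lower-case and collapse look-alike characters before comparing."""
    return name.lower().translate(_FOLD).replace("rn", "m").replace("vv", "w")


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("ab" typed as "ba") costs one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(candidate, protected, max_distance=2):
    """Return (verdict, closest_protected_name, distance) for one name."""
    for name in protected:
        if candidate.lower() == name.lower():
            return ("exact", name, 0)
    scored = [(osa_distance(fold(candidate), fold(name)), name) for name in protected]
    distance, name = min(scored)
    verdict = "lookalike" if distance <= max_distance else "unrelated"
    return (verdict, name, distance)


def classify_url(url, protected_hosts=PROTECTED_HOSTS):
    """Classify the hostname of a link found in a profile bio or message."""
    host = urlsplit(url).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    return classify(host, protected_hosts)


if __name__ == "__main__":
    # "BoardApesYC" and the "yarht" swap come from the post; the rest is constructed.
    for handle in ["BoredApesYC", "BoardApesYC", "B0redApesYC", "CoolCatsNFT"]:
        print(handle, classify(handle, PROTECTED_HANDLES))
    print(classify_url("https://boredapeyarhtclub.example/merch"))
```

A fixed threshold of 2 suits names of this length; for short names it should be tightened, or scaled to the name's length, to avoid flagging unrelated accounts.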

Owner of two pricey Ape NFTs sells them for $140 in a possible hack

Image: A beige-furred ape with half-closed eyes, wearing sunglasses, smoking a cigarette, and wearing a leather jacket with no shirt underneath, on a yellow-green background. Caption: Bored Ape #835
NFT trader Calvin Chan recently made some unusual NFT trades. He sold his Bored Ape, which he had bought in August 2021 for 16 ETH (then about $50,000), for 115 DAI ($115 — DAI is a stablecoin pegged to USD). Not only was this a near-total loss compared to the purchase price, Bored Apes' floor price is around 107 ETH (~$360,000), and this Ape likely could've sold for more than that. Chan also sold a Mutant Ape for 25 DAI/$25 to the same buyer — despite Mutant Apes' floor price of 22.5 ETH (~$75,000).

Some initially speculated that he may have mistaken the offer represented in DAI for ETH, as 115 ETH (~$387,500) and 25 ETH (~$84,000) would've been pretty reasonable trades for the respective NFTs. However, the trader posted on Twitter that he had been "swiped ... of his BAYC and MAYC... I am fine. In shock, but okay. Do i know what happened? No. Still trying to wrap my head around how and why."

NFT trader loses a Mutant Ape NFT to an NFT swap scam

Image: An illustration of an ape that appears to be made out of volcanic rock and magma, with a green dripping face, smoking a pipe, wearing a sweater made out of worms. Caption: Mutant Ape #232
A trader known by taylorRichie.eth agreed to swap their Morie NFT for a Doodle, in a trade they'd coordinated with a user on Discord. Because OpenSea doesn't support trading one NFT for another, only buying and selling them for crypto, the traders had to use a different, less-known swap platform to perform the trade. Although taylorRichie.eth took precautions, like typing in the URL themselves instead of clicking a link, they were still fooled into signing a malicious transaction that transferred a different NFT in their wallet, a Mutant Ape, to the scammer. The scammer then quickly flipped the stolen NFT to another buyer for 22 ETH ($73,585).

Revest Finance is hacked for $2 million

The Revest protocol was targeted with an attack that stole $BLOCKS, $ECO, and $RENA tokens from their vault. The protocol wrote that the attacker used a "highly sophisticated attack on a vulnerability that went unnoticed during our Solidity.Finance audit as well as ... multiple peer-reviews". The hacker quickly swapped the stolen tokens for ETH via various decentralized exchanges, then tumbled the funds using Tornado Cash. The protocol wrote that they "do not possess the funds needed for meaningful financial recompense, and are not covered by any DeFi insurance provider", but promised to try to "do everything within our power to make things as right as they can possibly be made".

Coinbase begins to require users in Canada, Singapore, and Japan to input personal information about the recipients of their crypto transactions

Coinbase began sending out notices to its customers who reside in Canada, Singapore, and Japan, to tell them that in early April, they will need to begin inputting information about the recipients of any crypto they send. Coinbase said the change was in order to comply with various regulations imposed by those countries. The specifics differ somewhat between the three countries: for example, in Canada, the verification is only required for amounts above CA$1,000 (about US$800); Japanese users need to provide verification for any amounts, but only if transferring to entities outside of Japan; and Singaporean users need to verify any amounts sent to anyone. Canadian and Singaporean residents will also need to provide the address of the recipient of their funds, whereas Japanese customers only need to supply the name and country of residence.

Some Coinbase customers in these jurisdictions seemed less than enthused at the announcement. One tweeted, "Wait, then what's the point of crypto/blockchain, being outside of fin.system and all.. I may be better off sending fiat money".

Crypto tax software firm ZenLedger fires executive after the New York Times discovers he lied extensively about his background

Image: Color-filtered photograph of Dan Hannum from the shoulders up, with a lens flare. Caption: Dan Hannum Twitter profile photo
New York Times reporter Ron Lieber began fact-checking a story in March about a deal between crypto tax software firm ZenLedger and the Internal Revenue Service. Lieber ran into trouble fact-checking the claims of ZenLedger COO Dan Hannum, who told a compelling story of being arrested as a juvenile, then turning his life around and earning college degrees, working at several major Wall Street firms, and becoming a crypto millionaire. Lieber discovered that Hannum had never earned the degrees he claimed, nor worked at the Wall Street firms he listed. He also found no evidence that Hannum had ever managed $100 million in assets like he said, nor that he had made so much on crypto that he was paying "millions in taxes" alone.

After Lieber put these questions to ZenLedger, the company fired Hannum. ZenLedger founder Pat Larsen was cagey around the circumstances under which Hannum was hired, and an outside spokesperson for the company laid the blame on a bad referral and a federal background check that returned "no flags regarding his education or work history". A venture capital firm that invested in the company reported that they "did more due diligence than a traditional venture capitalist would have done" on the company but had not checked Hannum's background.

Exxon Mobil reportedly gets in on Bitcoin mining

According to Bloomberg, Exxon Mobil has begun a pilot program to set up Bitcoin miners at an oil well in North Dakota. The project reportedly runs off 18 million ft³ of natural gas that would otherwise be flared. Although early proponents waxed poetic about how anyone could mine Bitcoin, the increasing hardware specialization and massive electricity costs have made it practical at scale only for those with access to the hardware and cheap sources of electricity — including, now, the world's second largest oil company.

Some crypto proponents have spoken positively about using excess gas that would otherwise be flared for Bitcoin mining, though climate experts have spoken out against it being a sufficient or reasonable solution. "It's like if you had a leaky gasoline pipeline and, instead of fixing the problem, you plugged in a Humvee next to the leak and left the engine on in perpetuity with the A/C on full blast," said UC Santa Barbara professor Paasha Mahdavi.

Hacked verified Twitter accounts impersonate BAYC founders, scam $1 million with fake ApeCoin airdrop

Image: A light purple-furred ape with boils, wearing a pirate hat, with green face with mushrooms growing on it, and open mouth. Caption: Mutant Ape #22660
Some scammers obtained hacked verified Twitter accounts, then rebranded them to claim to be founders of the Bored Ape Yacht Club. They then tweeted about how their team's ApeCoin launch had been so successful, they'd decided to airdrop more tokens. Users who clicked the link and connected their wallets quickly discovered they'd been scammed when their high-value NFTs were transferred from their accounts, then flipped for resale. One victim of the scam said they'd lost $600,000, and tweeted: "@BhawanaCAN put out a tweet refering for more $ape available- I trusted the blue checkmark @twitter @jack now the ape and my gutter cat is gone - fuck you @BhawanaCAN". @BhawanaCAN, prior to the hack, was an account belonging to the former CEO of the Cricket Association of Nepal.

There were multiple scammer accounts involved in the scheme, and one researcher has estimated that the scammers had made around $1 million from reselling the NFTs as of March 24. A similar hack had occurred several days earlier, in which a hacked verified account impersonated a BAYC founder and successfully stole three pricey Bored Apes from a collector.

Roller derby community resoundingly rejects NFT project

Image: An illustration of a pink-skinned person with a black helmet with a star on it with spikes, holding skates over their shoulder. The text "BOUT TIME NFTTT" is superimposed over it in a neon style. Caption: Bout Time NFTTT logo
After three roller derby stars announced an NFT project called "'Bout Time", the roller derby community was fairly united in its displeasure with the idea. Though the project intended to donate some of their proceeds back to the roller derby community, the overwhelming response appeared to be that engaging with NFTs was indefensible even if the project did provide money for the derby leagues. Most concerns seemed to revolve around the environmental impact of NFTs in general, as well as the scams that are rampant in the NFT world. After considering the feedback to their project, the three skaters announced that they would not be continuing with the project, which was due to mint on March 31. One of the project founders told Vox, "If this community doesn't want us to run this project, then we're not going to do this project for them. The whole reason was to raise money for the derby community, and they so strongly spoke out against us."

Department of Justice charges the scammers behind the January "Frosties" NFT rug pull with fraud and money laundering shortly before they launch their second project

Image: Pastel rainbow colored illustration of a flame, wearing a hoodie. Caption: Image from the Embers NFT project, which the Frosties scammers were about to launch
On January 9, an ice cream-themed NFT project called "Frosties" made off with $1.1 million in a rug pull only an hour after the NFTs were launched. Less than three months later, the U.S. Attorney's Office for the Southern District of New York announced that they had charged the two 20-year-old individuals behind the scheme with conspiracy to commit wire fraud and conspiracy to commit money laundering. Although it is bizarrely common to see people question whether NFT rug pulls are actually crimes, the USAO was quite clear: "Rather than providing the benefits advertised to Frosties NFT purchasers, Nguyen and Llacuna transferred the cryptocurrency proceeds of the scheme to various cryptocurrency wallets under their control." The Special Agent in Charge stated, "the same rules apply to an investment in an NFT or a real estate development. You can't solicit funds for a business opportunity, abandon that business and abscond with money investors provided you."

The statement also alleged that the duo were working on another NFT project called "Embers", which they hoped would generate around $1.5 million. The project was set to mint on March 26, and the 60,000-member Discord has been thrown into disarray. Some of the community moderators began deleting links to the D.O.J. announcement, and attempted to suggest that the Department of Justice website had been faked to "FUD" the project.

The individuals behind the Frosties scheme face charges that each carry a maximum sentence of 20 years in prison, if they are convicted.

Pye suffers a $2.6 million loss in a flash loan attack

The security firm PeckShield reported that the Pye ecosystem had been targeted with a flash loan attack, which drained around $2.6 million from the protocol. Pye is a group of defi software projects built on the Binance Chain. The project had just undergone a large migration, and it appeared the bug may have been introduced in the new contracts.

The guy behind the "NFT band" on Ellen thinks you should have to pay royalties on dance moves

Image: Four figures resembling neon-colored versions of bigfoot play instruments on a large screen. A woman wearing bright blue pants and a jacket kneels in front of the screen singing into a microphone. Caption: I tried to get a good screengrab of the "NFT band" but the videographer, reasonably, seemed to find the human performer more interesting
In the latest installment of "large television program launders the reputations of NFTs", an "NFT band" performed on Ellen... Well, some animated characters danced on a screen while a human performed, a concept that is not exactly new.

The animator who created the band animation, however, has big dreams for the possibilities NFTs could bring to dancers. Dancers "can now claim digital ownership over a series of moves or routines by means of NFTs". Imagine, he says, "owning the original Moonwalk". Yes, everyone, just imagine how much better the world could be today if everyone had had to pay royalties whenever they imitated Michael Jackson's signature move.

Parts of the "Caked Apes" NFT project team sue each other

Image: A purple dripping ape with a turquoise helmet and green dripping teeth, wearing a pink shirt on a pink and orange background. Caption: Caked Ape #2487
Two lawsuits were filed nearly simultaneously, each alleging misconduct by the other party with respect to the "Caked Apes" NFT project — a project full of illustrations that were very clearly derived from the popular Bored Apes project, but feature neon colors and psychedelic motifs. Caked Apes so far has done around $1.9 million in sales.

Both lawsuits center on Taylor Whitley and his departure from the project, but they diverge considerably from there. Whitley's suit claims that he was wrongly ousted from the project; the other lawsuit claims that Whitley engaged in "unhinged, destructive, and egotistical acts... to sabotage... "Caked Apes", after Whitley failed to usurp ownership and control of the project entirely for himself". They also allege that Whitley misused DMCA takedowns to have the collection removed from online marketplaces. The lawsuits are liable to be complicated somewhat by the fact that a partnership agreement doesn't appear to have ever been written up.

A Robin Hood-esque attacker steals $52 million from Cashio, then returns smaller amounts and pledges to donate the rest to charity

A hacker was able to exploit an infinite mint glitch in the protocol of Cashio, a Solana stablecoin project. They were able to pull around $50 million out of the platform, while also tanking the value of the $CASH token in the process. The attacker left a note in the input data of their Ethereum transactions that "Account with less 100k have been returned. all other money will be donated to charity."

Saber, the providers of the Cashio liquidity pool, published a postmortem of the attack in which they wrote that "We do not have the money to pay back depositors." The hack was the second largest in Solana history, behind the February Wormhole hack. Saber entreated the hacker to return the funds, writing, "accounts with over $100k are often users' life savings on leverage, and many of us will seriously be affected financially after this incident."

On March 28, the attacker sent a message saying that "the intention was only to take money from those who do not need it, not from those who do", and invited users who had over $100,000 to apply to receive their funds back with "an explanation of the source of this money and why you need it back. more detail is better. money will not be refund to rich american and european that don't need it." Somewhat strangely, Cashio themselves began hosting a website to allow affected users to plead with the hacker to return the money.

VeVe marketplace goes offline for over a day after an exploit results in a "large amount of gems being acquired illegitimately"

The VeVe marketplace has developed a bit of a reputation as the partner of choice for some big names who have dipped their toes into "licensed digital collectible" NFTs, including Marvel, Pixar, and Coca-Cola. It is also notable for using in-app tokens called Gems, which can be purchased with credit cards, but have been impossible to cash out since the mid-2021 launch (though VeVe has very recently said they are beta testing a cashout system).

On March 22, VeVe tweeted that "We have become aware of an exploit of our systems which resulted in a large amount of gems being acquired illegitimately", and that they had closed the market, as well as purchases and transfers of Gems. The market remained closed for over a day as VeVe apparently triaged the problem. It's not clear yet what the impact has been to the platform or its users, though many reported that their NFTs appeared to have plunged in value.

G2 Esports sues NFT provider Bondly, accuses it of using G2 for publicity

G2 Esports announced a partnership with NFT provider Bondly in June 2021, through which they planned to release profile picture NFTs that would also provide access to membership perks. Nothing has materialized since then, despite their plans to launch in February. On March 22, G2 filed suit against Bondly, accusing them of agreeing to a deal they knew they could not fulfill, but that would lend Bondly credibility and publicity via the association with the G2 brand. According to the lawsuit, shortly after the first invoice was sent for the rights payments that Bondly was due to pay to G2, Bondly wrote that the company was "past the point of being able to successfully deliver an NFT program". G2 has said the failed deal resulted in $5,250,000 in damages.

Team behind the NeoNexus NFT project raises several million dollars, then abandons it

Image: Tweet by Jack Shi, containing a photo of a man sitting in the driver's seat of a sports car with the gull-wing door opened. Text reads "#NewProfilePic This car is so comfortable and worth way more than my house." Caption: Tweet by NeoNexus founder Jack Shi
NeoNexus was a metaverse NFT project that raised about 25,000 SOL (worth around $2.2 million today; previously worth $3.5 to $4.5 million). The project had sold various "property NFTs", and had plans to create other NFTs representing things like characters and vehicles.

On March 21, the project's founder Jack Shi wrote on Twitter, "It is with a heavy heart that we must inform you that we can no longer continue healthy development of the NEONEXUS project. We would like to hand over the project to our community, or a community-selected party for takeover if that's feasible / possible." Going into more detail on Discord, he said the project had run out of money, which he blamed on waning interest in Solana NFTs.

The reaction to the announcement was overwhelmingly negative, particularly given the project's founder's apparent habit of bragging about his luxury cars. Many users described the abrupt shutdown as a rug pull, and one user even mentioned looking into a class action suit against the project team.

Phishing scheme promising to animate one's apes nets attacker a collector's three pricey Bored Apes

Image: A Bored Ape with leopard print fur, wearing a black bowler hat and American flag shirt with a deep V-neck, with half-closed red eyes, on an orange background. Caption: BAYC #71
An NFT collector fell for a scam website promising to "turn your BAYC animated". After the collector connected their wallet, the attacker transferred the collector's three pricey Bored Ape NFTs to the attacker's own wallet, then quickly flipped them for resale for a combined total of around 264 ETH ($764,000). Zachxbt, a crypto fraud sleuth who first noticed the scam, estimated the NFTs' actual value at closer to $900,000.

It appeared from the victim's retweets that they had fallen for a scam shared by a verified Twitter account that claimed to be one of the Bored Apes founders. However, a closer look at the Twitter handle showed it was a hacked account with the username "volt_france", which previously had belonged to the French branch of the Volt Europa political movement.

Hacker steals more than $1.5 million after compromising wallets belonging to crypto whale Arthur_0x

Image: CloneX #13992, one of the stolen NFTs
Arthur_0x, a crypto investor and NFT whale, had two of their hot wallets compromised. The attacker stole ETH and transferred some big-ticket NFTs out of the wallets, including at least five CloneX NFTs and 17 Azuki NFTs. CloneX NFTs have been selling for an average of 16.76 ETH (about $50,000) over the past 30 days, and Azuki NFTs have been going for 12.5 ETH ($37,600). The attacker had not yet sold all the NFTs they had stolen, but within two hours of the attack they had 545 ETH (about $1.6 million) in their wallet.

Arthur_0x wrote on Twitter that they had previously only ever used a hardware wallet on their PC, but when they started more regularly trading NFTs they'd started using a hot wallet. "Hot wallet on mobile phone is indeed not safe enough", they wrote on Twitter, "Guess no more hot wallet usage then." They also wrote, "The only thing I can say to the hacker is: you mess with the wrong person" and tweeted the wallet address to which the NFTs were being transferred, asking for it to be blocklisted.

Hacker steals $1.45 million from OneRing Finance using code that self-destructs after the attack

A hacker was able to use a flash loan attack to exploit an issue with OneRing Finance. By manipulating the price of tokens in the project's liquidity pool, the hacker was able to draw out 1.45 million USDC, a stablecoin pegged to the US dollar. According to PeckShield, the loss to the protocol was larger than what the hacker actually was able to cash out.

The hacker complicated things somewhat for OneRing by covering their tracks. They used a "self-destruct" mechanism — typically used by developers to destroy smart contracts that are found to have a bug — to destroy the contract they used to carry out the attack, making it more difficult for OneRing to determine which parts of their codebase were vulnerable and led to the attack.

NFT scammers take over the Twitter account of a Florida gubernatorial candidate

Image: Twitter profile of Nikki Fried, showing banner and profile pictures for "Skulltoons", and the name "nikki.eth". Caption: Nikki Fried's compromised Twitter profile.
The Twitter account belonging to Nikki Fried, the current Florida Agriculture Commissioner and a Democratic candidate for the 2022 Florida gubernatorial race, was compromised and repurposed as an NFT shill account. The account, which was verified and had more than 270,000 followers, suddenly underwent what I imagine was a bit of a startling rebrand for her followers: her name was changed to "nikki.eth", and the Twitter bio was replaced with "Mod for SkulltoonsNFT, ThugBirdz, AzukiZen. Web3 Enthusiast". The account also changed its banner and profile pictures to Skulltoons images, and started tweeting about giveaways. By March 20, Fried had apparently regained control of the account, though the account privacy had been changed to protected.

The Fried account compromise is only one instance of what has become a trend on Twitter: Twitter accounts belonging to high-profile individuals, or accounts that are verified or have a large number of followers, being compromised and sold to NFT scammers. On March 11, ESPN baseball reporter Jeff Passan also had his Twitter account compromised and repurposed to shill Skulltoons NFTs. Skulltoons distanced themselves from that incident, writing that they believed the hackers were trying to scam their NFT community.

Kaiju Kongz NFT project artificially inflates its floor price by destroying your NFTs if you list them for sale at too low a price

Image: A pixel art image of a large ape creature with green and yellow eyes. Caption: Kaiju Kongz.
An NFT project's value is often discussed in terms of its floor price — that is, the lowest price at which any given NFT in a collection is listed for sale. The new NFT project Kaiju Kongz decided to take advantage of the fact that you can pretty much do anything you want with a smart contract to ensure that the floor price of its project only increases shortly after the NFTs are launched. They released their project with a "burn schedule" — a list price that gradually increases as time goes on, where if someone lists their NFT below that price, it will automatically be burnt — the closest thing to "destroying" an NFT that's possible. This serves to ensure that the floor price stays above the minimum value the project creators want, which doubles daily from 0.065 ETH (~$190) on the day of launch to 0.64 ETH (~$1900) on March 22.

Some NFT collectors criticized the choice. One described it as "illegal market manipulation tactics", and others said the project should grow the floor "organically". Given the rampant manipulation in the NFT space, one wonders if the real criticism collectors have with the project is that they were too transparent about their price manipulation, and should've just done it quietly like other projects have.

Founder of crypto investment scheme "IGObit" and the sham organization "World Sports Alliance" is convicted of wire fraud

Asa Saint Clair created an organization called the World Sports Alliance, which he falsely described to prospective investors as being closely affiliated with the United Nations (for some reason). Saint Clair convinced more than 60 people that they should invest in his IGObit digital coin offering, stating they would receive a guaranteed return on investment, but instead he just took the money and used it for his own purposes. Saint Clair was convicted on March 18, and faces a maximum sentence of 20 years in prison.

People briefly borrow Bored Ape NFTs to claim as much as $1.1 million in $APE tokens

The Bored Ape Yacht Club recently created a token called ApeCoin, some of which they announced would be distributed to people who owned various Bored Ape NFTs and NFTs from their related collections. However, because the token distribution didn't use a snapshot of ownership data, but rather distributed tokens per-NFT to the first owner who claimed them, people were able to game the system. Some owners of Bored Ape and related NFTs had put their NFTs into an NFTX vault, which is a setup where someone takes a subset of their NFTs and creates a token that is based on them. The token can then be staked to generate yield, or can be sold, and if someone owns enough of the tokens, they can redeem them for the NFTs. A clever operator found a vault containing five Bored Ape NFTs, which had unclaimed $APE associated with them since they were locked up in the vault. They used a flash loan to purchase a large amount of the vault's token, redeem the five BAYC NFTs, claim the airdropped tokens, return the BAYC NFTs, sell back the tokens, and repay the loan, all in one transaction that cost them nothing but netted them 60,564 $APE, which they then swapped for 399 ETH ($1.1 million).

People were somewhat split on whether this could be classed as a vulnerability in the $APE airdrop, since (as with many crypto hacks and scams) the person was operating completely within the rules set out in code.
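A toy Python model of the two eligibility rules contrasted above, added here as an illustration (it is not Yuga Labs' or NFTX's contract code). The class names, the `vault` and `borrower` labels and the 100-token payout are constructed assumptions; the flash loan and vault-token trades are left out because only the ownership check decides who gets paid.

```python
"""Constructed model of a per-NFT airdrop: live-ownership check vs. snapshot."""

AMOUNT_PER_NFT = 100  # constructed payout per NFT, not the real $APE figure


class NFTCollection:
    def __init__(self, owners):
        self.owner_of = dict(owners)  # token_id -> current owner

    def transfer(self, token_id, sender, recipient):
        if self.owner_of[token_id] != sender:
            raise PermissionError("sender does not own this token")
        self.owner_of[token_id] = recipient


class LiveOwnerAirdrop:
    """Pays whoever holds the NFT at claim time; each NFT pays out once."""

    def __init__(self, nft, amount_per_nft):
        self.nft = nft
        self.amount = amount_per_nft
        self.claimed = set()

    def eligible(self, claimer, token_id):
        return self.nft.owner_of[token_id] == claimer

    def claim(self, claimer, token_ids):
        paid = 0
        for tid in token_ids:
            if tid in self.claimed or not self.eligible(claimer, tid):
                continue
            self.claimed.add(tid)  # first claimer exhausts this NFT's allocation
            paid += self.amount
        return paid


class SnapshotAirdrop(LiveOwnerAirdrop):
    """Eligibility is frozen from ownership recorded before claims open."""

    def __init__(self, nft, amount_per_nft):
        super().__init__(nft, amount_per_nft)
        self.snapshot = dict(nft.owner_of)

    def eligible(self, claimer, token_id):
        return self.snapshot.get(token_id) == claimer


def borrow_claim_return(nft, airdrop, vault, borrower, token_ids):
    """Ownership legs of the single transaction described in the text:
    take the NFTs out of the vault, claim, put them back."""
    for tid in token_ids:
        nft.transfer(tid, vault, borrower)
    paid = airdrop.claim(borrower, token_ids)
    for tid in token_ids:
        nft.transfer(tid, borrower, vault)
    return paid


def demo(airdrop_cls):
    """Returns (paid to temporary holder, paid to vault afterwards, final owners)."""
    ids = [1, 2, 3, 4, 5]
    nft = NFTCollection({tid: "vault" for tid in ids})
    airdrop = airdrop_cls(nft, AMOUNT_PER_NFT)
    paid_to_borrower = borrow_claim_return(nft, airdrop, "vault", "borrower", ids)
    paid_to_vault = airdrop.claim("vault", ids)
    return paid_to_borrower, paid_to_vault, set(nft.owner_of.values())


if __name__ == "__main__":
    print("live ownership check:", demo(LiveOwnerAirdrop))
    print("snapshot check:      ", demo(SnapshotAirdrop))
```

Under the live check the temporary holder collects the whole allocation and the long-term holder's later claim pays nothing, even though the NFTs end up back where they started; under the snapshot check the result is reversed.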

Australian regulatory agency begins lawsuit against Facebook over failing to address scammy crypto ads

The Australian Competition & Consumer Commission (ACCC) announced that they had begun federal court proceedings against Facebook, alleging that the company "engaged in false, misleading or deceptive conduct by publishing scam advertisements featuring prominent Australian public figures". The ACCC claims that Facebook ads featured prominent Australian individuals without their approval, and implied that the crypto schemes were associated with or endorsed by those individuals. When a person clicked through the link, they were invited to provide contact information to a group of scammers who reportedly incessantly called the targets to pressure them into putting money into the schemes — in one case, a Facebook user lost more than $650,000. The ACCC alleged that Facebook "aided and abetted or was knowingly concerned in false or misleading conduct and representations by the advertisers", but didn't take sufficient action to stop the misrepresentation, even after public figures raised the alarm about their likenesses being used without consent to scam people.

Binance says it will stop operating in Ontario, for real this time, and admits they lied to investors

In June 2021, Binance announced they would stop operating in Ontario after the province introduced new prospectus and registration requirements for crypto exchanges. However, in December, Binance said in an email to Ontarian investors they were allowed to continue operating in the province — prompting the Ontario Securities Commission to release a statement titled "Binance is not registered in Ontario", which said, "Binance represented to OSC Staff that no new transactions involving Ontario residents would occur after December 31, 2021. Binance has issued a notice to users, without any notification to the OSC, rescinding this commitment. This is unacceptable."

On March 16, Binance confirmed that they would actually stop servicing Ontario residents, for real this time. They also admitted to sending an email to investors on January 1 that said that they could no longer trade or onboard to the platform, despite not putting any such restriction in place.

Discord hack targeting Rare Bears NFT project nets attacker $800,000

Image: An illustration of a bear wearing a crown, with laser beams firing from its eyes, with headphones around its neck, holding a molotov cocktail. Caption: Rare Bear.
After hackers successfully compromised the account of one of the Rare Bears Discord moderators, they posted an announcement that new NFTs were being minted. Those who tried to participate in the mint wound up having their accounts compromised and their NFTs stolen. The hackers sold most of the 179 NFTs they stole, for a combined total of 286 ETH (more than $800,000).

Not only did the attackers post a fake mint link, they took steps to prevent the project from thwarting their attack by banning other members and removing user rights that would have allowed other project members to delete the fake links. They also added a bot to the server that locked channels so people couldn't send warnings that the links were fake.

The Rare Bears team did eventually regain access and secured their Discord server. In an apology posted on their Twitter page, they addressed the multiple security breaches that Rare Bears have faced to date, and said they had "stepped up" and would be having a firm audit their project.

Bored Ape Yacht Club launches their new ApeCoin, which immediately tanks in price

Image: Price of ApeCoin, compared to USD, showing a brief and large spike, followed by a drop and then fairly steady value. Caption: ApeCoin price.
Bored Ape Yacht Club decided to release "ApeCoin", a new cryptocurrency token. The token distribution heavily favors current BAYC owners, truly underscoring the fantasy about a fairer distribution of wealth that some people thought crypto would somehow magically bring about. Holders of Bored Ape NFTs — already priced at several hundred thousand dollars apiece — received airdropped tokens in proportion to their holdings of Yuga Labs NFTs; one holder of 12 Bored Apes, 10 Mutant Apes, and 11 Kennel Club NFTs reported receiving 150,964 APE (valued at $1.3 million when $APE was at $8.56).

The $APE price briefly soared to around $40 shortly after launch, before crashing precipitously to around $8.50 not long after, presumably as people cashed out their free money. Even many cryptocurrency enthusiasts were nonplussed by the launch, with many describing it as a "money grab" or an attempt to enrich the founders, which apparently is a bad thing (despite many crypto projects openly doing the same). One angry Redditor wrote, "Owners of Bored Ape NFTs were given the coin first(very rich people), then it was sold to the normies who got FOMO and pumped the price, then it crashed. Yet again, leaving regular people holding bags of pure garbage while the coin pushers wave bye-bye from their lambos."

Winamp joins LimeWire in the emerging "legacy software comes back from the dead to do NFTs" trope

Image: The first Winamp skin, a dark grey interface with buttons resembling those used in Windows 95 or 98. Caption: Original Winamp skin, which they say will "be the base Artwork for all your derivative needs".
A week after LimeWire emerged from cryostasis to announce it would become an NFT platform, Winamp decided to jump in as well. Winamp was a Windows media player that first launched in 1997, and was sold for a hefty sum to AOL in 1999, before fading into obscurity after facing tough competition from iTunes in the early 2000s. Although Winamp has been promising new versions of the software since its 2014 sale to Radionomy, only a single beta release in 2018 has ever materialized. However, on March 16, the Winamp Twitter account announced "the auctioning of Winamp Original Skin as 1/1 NFT AND the launch of Winamp Foundation". The Winamp Foundation, they wrote, would "collect money to help musicians across the world to make the music they love". The response on Twitter was overwhelmingly negative, with a top comment reading, "It is incredible how you took decades of good will nostalgia and removed it with a single tweet."

Official Formula 1 blockchain game suddenly shuts down

Image: A rendering of a blue and white F1 racecar, hovering above a black triangular plastic base that says "Tiberon [sic] Car". Caption: "Tiberon [sic] Car" NFT.
F1 Delta Time, a crypto car racing game that was officially licensed with F1 racing, shut down in mid-March. The game had previously generated a lot of hype — one of its car NFTs was the most expensive NFT sold in 2019 (more than $100,000). However, game owner Animoca was unable to renew their license to use the F1 brand, resulting in a sudden and unceremonious shutdown. Players were given a single day of notice before the game went offline. Users, of course, keep their NFTs, but their ostensible use is now no more. The developers have tried to placate their players by offering various replacement options, primarily based around Animoca's Polygon-based "REVV Racing" game.

NFTBOOKS enters the race to see who can remake DRM the worst

Image: A pie chart where none of the sections appear to be proportional to the numbered percentages, and are all slightly overlapping. Caption: NFTBOOKS token distribution chart.
A project called NFTBOOKS has cropped up, promising to "transform the world of book-readings" by creating an NFT economy of authors, book-lenders, readers, translators, and, of course, investors. A writer named Tiffany Hutchinson contacted the project to politely inquire about how it intended to prevent the theft that is so rampant in the NFT space, and received some pretty disappointing answers. After trying several times to wave her off with vague answers about "there will be a review process" to check ownership of the work, they explained that they would implement "a filter on our system" that would check against identical copies. When she asked how that system would work if the original author was not the first person to create an NFT of the work, or how they would prevent someone from making small changes to the work to trick the filters, the project first gave staggeringly poor answers, then wrote that Hutchinson simply didn't understand, then became combative with her.

Fortunately there doesn't actually appear to be much to the project yet — actually creating a platform and an app to allow people to borrow books doesn't come until the fifth and sixth stages of their roadmap. The project is currently on the fourth step, and has been focusing their attentions on things like "marketing campaign" (stage 1), "aggressive marketing rollout" (stage 2), and "extreme marketing campaign" (stage 3). The stage 3 "extreme marketing campaign" also came with a "website relaunch", which we have to thank for one of the most outrageous pie charts I have ever seen (pictured) (which was later determined to have been a stock photo of a pie chart where they'd just changed the numbers). Perhaps they should focus some of their marketing efforts on coming up with answers to the simplest of questions that they should probably expect from authors — the type of people they're claiming to help.

Hundred Finance and Agave Finance are both exploited for a collective $12 million

An attacker using a flash loan attack targeted two projects on the Gnosis blockchain: Hundred Finance and Agave Finance. Each project paused their smart contracts, but not before the attacker made off with a considerable sum of money. That day, the attacker put the funds through a cryptocurrency tumbler, making it much more difficult to trace the collective 4,479 ETH that was stolen in roughly equal amounts from each protocol.

Hundred and Agave were the second and third defi protocols targeted by flash loan attacks that same day, with Deus Finance losing more than $3 million to hackers using the same class of exploit.

Binance pauses withdrawals and deposits via Polygon

After an extended Polygon outage on March 10, Binance temporarily paused deposits and withdrawals via Polygon on March 15. Although Binance reported it was "due to the network wide issues of the Polygon network", Polygon stated that "Polygon PoS network is stable, and working fine. All funds are safe. Binance is upgrading its nodes, and currently syncing the block data, hence they have paused the deposit and withdrawal." It was unclear why this would happen days after the original outage.

Hackers make off with over $3 million from Deus Finance

Hackers were able to use a flash loan attack to manipulate a price oracle, pulling 200,000 DAI and 1101.8 ETH (totaling almost $3.1 million) out of the Deus Finance defi platform. PeckShield, the analysis firm that identified the vulnerability, wrote that the $3 million number represented the amount the hackers were actually able to withdraw and put through a cryptocurrency tumbler, but that the loss to the project may have been larger. The CEO of Deus Finance subsequently wrote on Twitter that users whose positions were liquidated as a result of the exploit would be repaid.

Sneaky malware replaces Bitcoin addresses in clipboard to reroute transactions

Bitcoin wallet addresses look something like bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq, and so it's not always obvious at a glance if one string of random characters might have been replaced with another. Malware taking advantage of this fact has been spotted in the wild, replacing copied Bitcoin addresses with the address of a scammer, so that if a person pastes in an address to send Bitcoin to, it goes to the scammer instead. One trader learned this the hard way when the 0.255 BTC (about $10,000) they'd tried to send to an exchange never arrived. After looking into it, they saw that the funds had gone to a completely different address than they'd intended, and were able to sniff out that malware was to blame.

Invictus DAO whales quickly vote to shutter the project in its first ever community vote, leaving most others with huge losses

Image: Invictus price history since November 12, 2021, showing a brief spike in late November and then a precipitous drop and slow decrease. Caption: Invictus token price in USD.
The Sol Invictus project was an Olympus DAO-like project on the Solana blockchain, much like the Wonderland project that went up in flames recently. Promising absolutely massive returns, with numbers like 60,000% APY being tossed around, people bought in hoping to see their money skyrocket. The project also partnered with major names in the Solana ecosystem, earning legitimacy.

However, although the project enjoyed a spike in price in November, the token has bled value since then. On March 9, the project leaders began a conversation about team salaries, where they also floated the idea of redeeming the treasury and closing the project. On March 11 they began a vote, which lasted only three days, and allowed members of the DAO to vote on whether the project should close and distribute treasury funds to participants. Much like the Wonderland vote in late January, a relatively small number of whales with a large share of the votes (who bought in early and still stood to make money on the project) were able to pass the vote to close the project, despite a majority of voters selecting to keep the project going. Furthermore, because the Invictus tokens used for voting also themselves hold the value, some people were unable to vote in the poll because their tokens were locked up in lending platforms where they had used them as collateral. Many participants in the project who haven't been actively watching the governance page likely don't even know the vote happened.

Some members of the project wrote on Discord that they felt rugged, with one even speculating that the project had been so eager to implement voting so they could pass a "community" vote to close the project and make off with a profit without damaging their reputations or potentially facing lawsuits. Various members of the project Discord shared how much they had lost: one person said they were down $20,000, another was down $75,000, and a third person reported losing $400,000. One person asked "who else is in the 6 figure loss club" and received three agreement emoji reactions; another person said they'd lost a year's salary. Some people already opted to try to sell their tokens early, worrying that the project leaders might make off with the treasury and not allow people to redeem their $IN; others waited in hopes of the redemption price being higher than the current token price; and some even suggested buying more $IN in hopes that they could make a profit if the redemption price is higher than the current price.

Discord compromise targets fans of the Wizard Pass project in a two-for-one scam that both accepted payments for fake NFTs and stole the NFTs that victims already owned

Wizard Pass is an NFT trading community and package of various software tools that can be joined for a price: a collection of 3,000 NFTs gates access to the community. The NFTs had a successful mint on March 7, and since then have been trading for around 0.3 ETH ($800) on the secondary market. Although the project stated that they would never mint more passes, members of the Discord were excited when the project's founder announced they would be doing a public sale for an additional 1,000 NFTs, at 0.1 ETH ($250) apiece. Unfortunately, there was no such mint, and it turned out the founder's Discord account had been hacked. As of midday on March 14, the hacker had received 66.4 ETH ($169,000) from 290 wallets.

A Twitter thread by SerpentAU suggested that the malicious minting website had not only accepted ETH from victims and provided nothing in return, but had also prompted users to grant full access to their NFT wallet, allowing valuable NFTs to be stolen. It's not yet clear how many NFTs were stolen as a result.

Collector sues artist after spending over $500,000 on an image of Pepe the Frog that others got for free

Image: A trading card style image with an illustration of Pepe the Frog leaning on the edge of a pond, with his buttocks partially exposed. The text area of the card contains Matt Furie's signature. Caption: FEELSGOODMAN Series 20, Card 50.
Matt Furie is the original creator of the Pepe the Frog cartoon that was later co-opted as an alt-right hate symbol, and which has also been popular among crypto enthusiasts and other online communities. Furie, his company Chain/Saw, and his DAO PegzDAO held an auction on October 8, 2021, and seemed to promise that the NFT would be one-of-a-kind: "500 cards issued, 400 burned, 99 will remain in the PegzDAO, and ONE is being auctioned here". Halston Thayer ended up winning the auction by bidding 150 ETH, then worth $537,084. However, on October 24, 46 of the 99 NFTs that were held by PegzDAO were distributed for free. According to a lawsuit filed by Thayer on March 12, 2022, releasing the 46 additional NFTs "significantly devalu[ed] Plaintiff's Pepe NFT to less than $30,000". The lawsuit seeks reimbursement of Thayer's original purchase, as well as punitive damages. Best of luck to the lawyers trying to describe "Rare Pepes" to a judge, or keep a straight face when saying that yes, the plaintiff did pay more than half a million for a drawing of a rather callipygian cartoon frog.

A trader reportedly makes half a million from a flash crash, then the LATOKEN exchange takes their coins

A trader set a very low limit order on Ripple's XRP token, and was delighted to see it executed when XRP very briefly plummeted in value in what's known as a flash crash. The price recovered quickly, and the trader found themselves $458,000 wealthier. However, when they tried to withdraw some of their money from the exchange they were using, LAToken, the withdrawal was declined and their account was restricted for 24 hours for an unspecified terms of use violation. When the trader regained access to their account, the XRP they bought was nowhere to be found.

Report alleges Socios withheld payments owed to advisors and staff to maintain the value of its cryptocurrency

Off the Pitch reported on March 11 that Socios, the sports fan platform, had withheld payments owed to staff, advisors, and others who had signed agreements to endorse the platform's cryptocurrency, chiliZ. Internal messages showed that Socios founder Alexandre Dreyfus repeatedly referred to the payments owed to advisors as "the free money we give them". The reasoning for withholding the payments he'd agreed to? According to internal messages from Dreyfus, "When you give free tokens, people can sell at any price... It doesn't matter for them; so it makes the price going down... and the REAL investors who bought are losing money because of that." Staff members also were not paid the amounts they were owed. Some of them had moved to Malta, where Socios is headquartered, and were stuck there waiting to be paid.

$4 billion hedge fund Fir Tree Capital Management shorts Tether

The large hedge fund Fir Tree Capital Management has decided that the doubts around the stablecoin Tether are serious enough to take out a substantial short position against the project. Tether has faced questions from regulators, many of which center around whether or not the stablecoin is actually backed by the reserves it claims to have. Some of the assets Tether holds are high-yield commercial paper, which Fir Tree evidently believes is substantially tied to Chinese real estate firms. If that is the case, the real estate crisis in China (primarily revolving around Evergrande Group) could cause the value of Tether's reserves to plummet. According to Fir Tree, they've been shorting Tether since July, and expect their bet could pay off within a year. Other commenters and analysts have speculated that Tether very well might collapse, and that if it does, there could be enormous ramifications for the rest of the cryptocurrency space.

UK Financial Conduct Authority requires all Bitcoin ATMs to be shut down

Image: A person holds a phone while tapping a screen on an orange Bitcoin ATM. Caption: Bitcoin ATM.
All 81 functional Bitcoin ATMs in the United Kingdom are operating illegally, says the UK's Financial Conduct Authority (FCA). None of the companies operating them have a license to do so, and the FCA has said that they will take action against the companies if they don't shut down the kiosks.

One company now owns three of the most popular NFT collections: Bored Apes, CryptoPunks, and Meebits

Image: A voxel-style rendering of a human with short black hair and a beanie cap, wearing a tie-dye shirt, ripped jeans, and green sneakers. Caption: Meebit #12742.
Nothing really says "decentralized" like one company controlling the priciest and most popular NFT collections! Yuga Labs, the company behind the popular Bored Apes Yacht Club NFTs, announced they had purchased CryptoPunks and Meebits from LarvaLabs. CryptoPunks is one of the oldest NFT collections, and, along with Bored Apes and Meebits, ranks among the priciest collections on the market. Yuga Labs is also the owner of the popular Bored Ape Kennel Club and the Mutant Ape Yacht Club projects.