Other Discords reported to be compromised include several big-name projects, among them Doodles, which had previously endured a Discord compromise in late February. This particular compromise appeared to stem from a series of compromised Discord bots, including a very popular CAPTCHA bot used to fight spammers. It's unclear if anyone lost money to the fake links posted by seemingly-official Discord accounts, or how much, but these types of attacks often lure in at least some victims, and the higher-priced NFT projects like Bored Apes and Doodles enable scammers to ask for quite a lot of money without raising an eyebrow.
Discord servers of several big-name NFT projects including Bored Apes and Doodles are compromised
Nate Chastain, executive who was canned from OpenSea for alleged insider trading, creates a new NFT platform
Former Cosmic Cowgirls head community moderator accuses the project of rug-pulling
The Cosmic Cowgirls team hit back with accusations against the head moderator, accusing him of falsifying allegations against the project out of anger at being fired along with the other moderators. The group also claimed that the funds had been moved for security and tax reasons, and sent a vaguely threatening message to the moderator in which they stated that he should "discontinue the spread of false information in attempts to harm us and the project" and "resolve [concerns] ... privately as the terms of our contract are still ongoing and applicable".
Lending protocol Ola Finance is hacked for $3.6 million
One of their networks, built on top of the Fuse chain, was exploited for crypto assets priced at around $3.6 million. By taking advantage of a re-entrancy vulnerability, the attacker was able to take loans on the platform, then withdraw the collateral without paying back the loans. They then took the stolen assets and transferred them to the BNB and Ethereum chains, making them more difficult to recover.
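An added example, not Ola Finance's code and not part of the original post: a toy Python model of the ordering defect behind this class of bug, run once with the loan recorded after the transfer and once with it recorded before (checks-effects-interactions). The pool, the transfer callback, the 50% collateral factor and all amounts are assumptions constructed for illustration.

```python
class Borrower:
    """Account whose code runs whenever it receives tokens (a transfer hook)."""

    def __init__(self, wallet):
        self.wallet = wallet
        self.reenter = True            # call back into the pool exactly once
        self.withdraw_blocked = False

    def on_receive(self, pool):
        if not self.reenter:
            return
        self.reenter = False
        try:
            pool.withdraw(self)        # re-entrant call made in the middle of borrow()
        except PermissionError:
            self.withdraw_blocked = True


class Pool:
    """Constructed lending pool; effects_first selects the hardened ordering."""

    def __init__(self, liquidity, effects_first):
        self.cash = liquidity
        self.collateral = {}
        self.debt = {}
        self.effects_first = effects_first

    def _send(self, user, amount):
        self.cash -= amount
        user.wallet += amount
        user.on_receive(self)          # external call: control leaves the pool here

    def deposit(self, user, amount):
        user.wallet -= amount
        self.cash += amount
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount):
        limit = self.collateral.get(user, 0) // 2 - self.debt.get(user, 0)
        if amount > limit:
            raise ValueError("insufficient collateral")
        if self.effects_first:
            # Hardened: record the debt, then hand over control.
            self.debt[user] = self.debt.get(user, 0) + amount
            self._send(user, amount)
        else:
            # Defective: tokens (and control) go out while debt still reads zero.
            self._send(user, amount)
            self.debt[user] = self.debt.get(user, 0) + amount

    def withdraw(self, user):
        if self.debt.get(user, 0) > 0:
            raise PermissionError("outstanding loan")
        amount = self.collateral.pop(user, 0)
        self._send(user, amount)


def simulate(effects_first):
    """Deposit 100 as collateral, borrow 50, and report the end state."""
    pool = Pool(liquidity=1000, effects_first=effects_first)
    user = Borrower(wallet=100)
    pool.deposit(user, 100)
    pool.borrow(user, 50)
    return {
        "wallet": user.wallet,
        "pool_cash": pool.cash,
        "collateral": pool.collateral.get(user, 0),
        "debt": pool.debt.get(user, 0),
        "withdraw_blocked": user.withdraw_blocked,
    }


if __name__ == "__main__":
    print("debt recorded after transfer :", simulate(False))
    print("debt recorded before transfer:", simulate(True))
```

With the defective ordering the pool ends up holding a 50-token debt with no collateral behind it; with the debt recorded first, the same callback is refused. A re-entrancy lock around state-changing entry points gives the same protection when the ordering cannot be changed.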
Creator of apparent $21 million Bored Bunny rug pull miraculously resurfaces following DOJ action against a different rug pull
Suddenly, the project creator resurfaced on March 29, with a tweet claiming that he had been absent for a month because he had been... reading emails. The team then announced they would be handing the project reins over to a community member, though there was no mention of the $21.1 million that had already been pocketed by the original team.
The unexpected return came only days after the U.S. Department of Justice announced charges against two perpetrators of a different NFT rug pull, in which they stated unequivocally that "the same rules apply to an investment in an NFT or a real estate development. You can't solicit funds for a business opportunity, abandon that business and abscond with money investors provided you."
Popular blockchain game Axie Infinity suffers a $625 million exploit, the largest in defi history
Sky Mavis announced that they had halted the Ronin Bridge and Katana DEX, and were making changes to their network to try to guard against future attacks. They also wrote that they were "working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed".
Would-be collectors of new Pak NFTs lose thousands of dollars in gas fees on failed transactions
Unfortunately, the drop did not go smoothly. Heavy botting caused gas fees to spike, and the project claimed there were issues with MetaMask's estimation of gas fees. Outside parties have suggested the issue was not with MetaMask, but rather with a poorly-implemented smart contract.
People wound up making transactions that ran out of gas before completing, meaning they lost their gas fees and did not successfully receive any NFTs. Others paid sufficient gas, but ran into other errors with the contract that meant they didn't get an NFT. The spiking gas fees meant some people lost a considerable amount of money — people reported failed transactions that cost them amounts ranging from 0.1 to 0.8 ETH (between $338 and $2,700). Some who did successfully receive NFTs also claimed to have lost value as a result of the rocky mint, which they said contributed to a lower-valued NFT.
manifold.xyz, the group behind the mint, reported that they planned to reimburse people who lost gas trying to mint NFTs. Some people seemed happy with this solution, while others were upset that they missed their chance to obtain an NFT they wanted as a result of the problems.
Artist for Andrew Yang's crypto lobbying DAO is offered $500 after being promised "a percentage" of revenue in a project that raised at least $790,000
One of the artists, Phillip Lietz, took to Twitter on March 28 to call out the group for the pittance he was offered for his work, posting screenshots of an email exchange he had had with a member of the project team. The emails show Lietz asking whether artists would receive compensation for their work, and a project team member replying: "Yes... any artist we select will receive a percentage of our revenue".
They went on to say that if they used his work, they would "negotiate a percentage of what we sell". The reply to Lietz's question about whether there was a contract was: "No formal contract as we need to move fast, but I imagine this email would hold up in court as a written agreement if it ever came to that (it wouldn't! Andrew and I are men of our words!)" In a subsequent email, the team member wrote that they would "love to send you a Lobby3 Member token", and that "our artist commissions weren't huge, but [we] would love to send you $500 for your time and effort". Lietz replied to say that the DAO's NFT fundraising appeared to have raised at least $790,000, and that $500 was an unfair amount (although I suppose 0.06% is technically "a percentage"). The team member replied by basically negging Lietz, writing "Honestly, I didn't want to say this, but I will now mention: we weren't actually going to use your art in the project... but you seemed like a great guy and I wanted to throw you some cash and get you some exposure".
Anyway, nice job Andrew and team! Nothing says "eradicating poverty" and "empowering creatives" like paying them basically nothing.
Top Super Smash Bros. Ultimate player has his Twitter account hacked to shill NFTs
Another collector loses a Bored Ape to a phishing scam
When chastised by other NFT collectors who assumed he had stored the ape on a hot wallet, Moulène clarified that the NFTs had been stored in a Ledger hardware wallet. He later tweeted, "Since I've got a platform, here's what I learned today: COLD WALLET, does not just mean storing assets in a series of ledgers/trezors. It means a wallet that is NEVER Linked to anything besides MM or OS." Moulène went on to threaten legal action, saying, "Oh I will spend 10x that ape tracking these fucks down and suiting [sic] them into oblivion." and "I'm going to pursue legal action in the states and internationally (if need be) to find the people responsible and hold them accountable."
- Tweet by Cameron Moulène
- Bored Ape #5778 on OpenSea
Owner of two pricey Ape NFTs sells them for $140 in a possible hack
Some initially speculated that he may have mistaken the offer represented in DAI for ETH, as 115 ETH (~$387,500) and 25 ETH (~$84,000) would've been pretty reasonable trades for the respective NFTs. However, the trader posted on Twitter that he had been "swiped ... of his BAYC and MAYC... I am fine. In shock, but okay. Do i know what happened? No. Still trying to wrap my head around how and why."
NFT trader loses a Mutant Ape NFT to an NFT swap scam
Revest Finance is hacked for $2 million
- "Revest Protocol Exploit Recovery Plan", Revest Finance
Coinbase begins to require users in Canada, Singapore, and Japan to input personal information about the recipients of their crypto transactions
Some Coinbase customers in these jurisdictions seemed less than enthused at the announcement. One tweeted, "Wait, then what's the point of crypto/blockchain, being outside of fin.system and all.. I may be better off sending fiat money".
Crypto tax software firm ZenLedger fires executive after the New York Times discovers he lied extensively about his background
After Lieber put these questions to ZenLedger, the company fired Hannum. ZenLedger founder Pat Larsen was cagey around the circumstances under which Hannum was hired, and an outside spokesperson for the company laid the blame on a bad referral and a federal background check that returned "no flags regarding his education or work history". A venture capital firm that invested in the company reported that they "did more due diligence than a traditional venture capitalist would have done" on the company but had not checked Hannum's background.
Exxon Mobil reportedly gets in on Bitcoin mining
Some crypto proponents have spoken positively about using excess gas that would otherwise be flared for Bitcoin mining, though climate experts have spoken out against it being a sufficient or reasonable solution. "It's like if you had a leaky gasoline pipeline and, instead of fixing the problem, you plugged in a Humvee next to the leak and left the engine on in perpetuity with the A/C on full blast," said UC Santa Barbara professor Paasha Mahdavi.
Hacked verified Twitter accounts impersonate BAYC founders, scam $1 million with fake ApeCoin airdrop
There were multiple scammer accounts involved in the scheme, and one researcher has estimated that the scammers had made around $1 million from reselling the NFTs as of March 24. A similar hack had occurred several days earlier, in which a hacked verified account impersonated a BAYC founder and successfully stole three pricey Bored Apes from a collector.
Roller derby community resoundingly rejects NFT project
- "When NFTs came to roller derby, roller derby put up a fight", Vox
- Bout Time NFTTT website, with statement about project closure
Department of Justice charges the scammers behind the January "Frosties" NFT rug pull with fraud and money laundering shortly before they launch their second project
The statement also alleged that the duo were working on another NFT project called "Embers", which they hoped would generate around $1.5 million. The project was set to mint on March 26, and the 60,000-member Discord has been thrown into disarray. Some of the community moderators began deleting links to the D.O.J. announcement, and attempted to suggest that the Department of Justice website had been faked to "FUD" the project.
The individuals behind the Frosties scheme face charges that each carry a maximum sentence of 20 years in prison, if they are convicted.
Pye suffers a $2.6 million loss in a flash loan attack
The guy behind the "NFT band" on Ellen thinks you should have to pay royalties on dance moves
The animator who created the band animation, however, has big dreams for the possibilities NFTs could bring to dancers. Dancers "can now claim digital ownership over a series of moves or routines by means of NFTs". Imagine, he says, "owning the original Moonwalk". Yes, everyone, just imagine how much better the world could be today if everyone had had to pay royalties whenever they imitated Michael Jackson's signature move.
- "NFT Band Debuts With Singer Kiesza on Ellen Degeneres Show", Decrypt
- "Kiesza Performs 'Passenger'", YouTube video
Parts of the "Caked Apes" NFT project team both sue each other
Both lawsuits center on Taylor Whitley and his departure from the project, but they diverge considerably from there. Whitley's suit claims that he was wrongly ousted from the project; the other lawsuit claims that Whitley engaged in "unhinged, destructive, and egotistical acts... to sabotage... "Caked Apes", after Whitley failed to usurp ownership and control of the project entirely for himself". They also allege that Whitley misused DMCA takedowns to have the collection removed from online marketplaces. The lawsuits are liable to be complicated somewhat by the fact that a partnership agreement doesn't appear to have ever been written up.
A Robin Hood-esque attacker steals $52 million from Cashio, then returns smaller amounts and pledges to donate the rest to charity
Saber, the providers of the Cashio liquidity pool, published a postmortem of the attack in which they wrote that "We do not have the money to pay back depositors." The hack was the second largest in Solana history, behind the February Wormhole hack. Saber entreated the hacker to return the funds, writing, "accounts with over $100k are often users' life savings on leverage, and many of us will seriously be affected financially after this incident."
On March 28, the attacker sent a message saying that "the intention was only to take money from those who do not need it, not from those who do", and invited users who had over $100,000 to apply to receive their funds back with "an explanation of the source of this money and why you need it back. more detail is better. money will not be refund to rich american and european that don't need it." Somewhat strangely, Cashio themselves began hosting a website to allow affected users to plead with the hacker to return the money.
VeVe marketplace goes offline for over a day after an exploit results in a "large amount of gems being acquired illegitimately"
On March 22, VeVe tweeted that "We have become aware of an exploit of our systems which resulted in a large amount of gems being acquired illegitimately", and that they had closed the market, as well as purchases and transfers of Gems. The market remained closed for over a day as VeVe apparently triaged the problem. It's not clear yet what the impact has been to the platform or its users, though many reported that their NFTs appeared to have plunged in value.
G2 Esports sues NFT provider Bondly, accuses them of using them for publicity
- "G2 Esports files lawsuit against NFT provider Bondly", The Washington Post
Team behind the NeoNexus NFT project raises several million dollars, then abandons it
On March 21, the project's founder Jack Shi wrote on Twitter, "It is with a heavy heart that we must inform you that we can no longer continue healthy development of the NEONEXUS project. We would like to hand over the project to our community, or a community-selected party for takeover if that's feasible / possible." Going into more detail on Discord, he said the project had run out of money, which he blamed on waning interest in Solana NFTs.
The reaction to the announcement was overwhelmingly negative, particularly given the project's founder's apparent habit of bragging about his luxury cars. Many users described the abrupt shutdown as a rug pull, and one user even mentioned looking into a class action suit against the project team.
Phishing scheme promising to animate one's apes nets attacker a collector's three pricey Bored Apes
It appeared from the victim's retweets that they had fallen for a scam shared by a verified Twitter account that claimed to be one of the Bored Apes founders. However, a closer look at the Twitter handle showed it was a hacked account with the username "volt_france", which previously had belonged to the French branch of the Volt Europa political movement.
Hacker steals more than $1.5 million after compromising wallets belonging to crypto whale Arthur_0x
Arthur_0x wrote on Twitter that they had previously only ever used a hardware wallet on their PC, but when they started more regularly trading NFTs they'd started using a hot wallet. "Hot wallet on mobile phone is indeed not safe enough", they wrote on Twitter, "Guess no more hot wallet usage then." They also wrote, "The only thing I can say to the hacker is: you mess with the wrong person" and tweeted the wallet address to which the NFTs were being transferred, asking for it to be blocklisted.
- Tweet by Arthur_0x
- Attacker wallet on Etherscan
Hacker steals $1.45 million from OneRing Finance using code that self-destructs after the attack
The hacker complicated things somewhat for OneRing by covering their tracks. They used a "self-destruct" mechanism — typically used by developers to destroy smart contracts that are found to have a bug — to destroy the contract they used to carry out the attack, making it more difficult for OneRing to determine which parts of their codebase were vulnerable and led to the attack.
- "OneRing Finance exploit. Post-mortem — After OShare Hack.", OneRing Finance blog
- Tweet thread by PeckShield
NFT scammers take over the Twitter account of a Florida gubernatorial candidate
The Fried account compromise is only one instance of what has become a trend on Twitter: Twitter accounts belonging to high-profile individuals, or accounts that are verified or have a large number of followers, being compromised and sold to NFT scammers. On March 11, ESPN baseball reporter Jeff Passan also had his Twitter account compromised and repurposed to shill Skulltoons NFTs. Skulltoons distanced themselves from that incident, writing that they believed the hackers were trying to scam their NFT community.
- "Hackers hijack Nikki Fried’s campaign Twitter account", Florida Politics
Kaiju Kongz NFT project artificially inflates its floor price by destroying your NFTs if you list them for sale at too low a price
Some NFT collectors criticized the choice. One described it as "illegal market manipulation tactics", and others said the project should grow the floor "organically". Given the rampant manipulation in the NFT space, one wonders if the real criticism collectors have with the project is that they were too transparent about their price manipulation, and should've just done it quietly like other projects have.
Founder of crypto investment scheme "IGObit" and the sham organization "World Sports Alliance" is convicted of wire fraud
- "President Of Sham United Nations Affiliate Convicted Of Cryptocurrency Scheme", U.S. Attorney’s Office, Southern District of New York
People briefly borrow Bored Ape NFTs to claim as much as $1.1 million in $APE tokens
People were somewhat split on whether this could be classed as a vulnerability in the $APE airdrop, since (as with many crypto hacks and scams) the person was operating completely within the rules set out in code.
Australian regulatory agency begins lawsuit against Facebook over failing to address scammy crypto ads
- "ACCC takes action over alleged misleading conduct by Meta for publishing scam celebrity crypto ads on Facebook", Australian Competition & Consumer Commission
Binance says it will stop operating in Ontario, for real this time, and admits they lied to investors
On March 16, Binance confirmed that they would actually stop servicing Ontario residents, for real this time. They also admitted to sending an email to investors on January 1 that said that they could no longer trade or onboard to the platform, despite not putting any such restriction in place.
- "Binance tells regulators it will cease operations in Ontario... for real this time", Cointelegraph
- "Binance is not registered in Ontario", Ontario Securities Commission
Discord hack targeting Rare Bears NFT project nets attacker $800,000
Not only did the attackers post a fake mint link, they took steps to prevent the project from thwarting their attack by banning other members and removing user rights that would have allowed other project members to delete the fake links. They also added a bot to the server that locked channels so people couldn't send warnings that the links were fake.
The Rare Bears team did eventually regain access and secured their Discord server. In an apology posted on their Twitter page, they addressed the multiple security breaches that Rare Bears have faced to date, and said they had "stepped up" and would be having a firm audit their project.
Bored Ape Yacht Club launches their new ApeCoin, which immediately tanks in price
The $APE price briefly soared to around $40 shortly after launch, before crashing precipitously to around $8.50 not long after, presumably as people cashed out their free money. Even many cryptocurrency enthusiasts were nonplussed by the launch, with many describing it as a "money grab" or an attempt to enrich the founders, which apparently is a bad thing (despite many crypto projects openly doing the same). One angry Redditor wrote, "Owners of Bored Ape NFTs were given the coin first(very rich people), then it was sold to the normies who got FOMO and pumped the price, then it crashed. Yet again, leaving regular people holding bags of pure garbage while the coin pushers wave bye-bye from their lambos."
- "Everybody Is Mad About 'ApeCoin'", Vice
- "This APE fiasco is just about getting the founders rich" from r/CryptoCurrency
- Tweet by kevwuzy
Winamp joins LimeWire in the emerging "legacy software comes back from the dead to do NFTs" trope
Official Formula 1 blockchain game suddenly shuts down
NFTBOOKS enters the race to see who can remake DRM the worst
Fortunately there doesn't actually appear to be much to the project yet — actually creating a platform and an app to allow people to borrow books doesn't come until the fifth and sixth stages of their roadmap. The project is currently on the fourth step, and has been focusing their attentions on things like "marketing campaign" (stage 1), "aggressive marketing rollout" (stage 2), and "extreme marketing campaign" (stage 3). The stage 3 "extreme marketing campaign" also came with a "website relaunch", which we have to thank for one of the most outrageous pie charts I have ever seen (which was later determined to have been a stock photo of a pie chart where they'd just changed the numbers). Perhaps they should focus some of their marketing efforts on coming up with answers to the simplest of questions that they should probably expect from authors — the type of people they're claiming to help.
Hundred Finance and Agave Finance are both exploited for a collective $12 million
Hundred and Agave were the second and third defi protocols targeted by flash loan attacks that same day, with Deus Finance losing more than $3 million to hackers using the same class of exploit.
Binance pauses withdrawals and deposits via Polygon
Hackers make off with over $3 million from Deus Finance
Sneaky malware replaces Bitcoin addresses in clipboard to reroute transactions
Invictus DAO whales quickly vote to shutter the project in its first ever community vote, leaving most others with huge losses
However, although the project enjoyed a spike in price in November, the token has bled value since then. On March 9, the project leaders began a conversation about team salaries, where they also floated the idea of redeeming the treasury and closing the project. On March 11 they began a vote, which lasted only three days, and allowed members of the DAO to vote on whether the project should close and distribute treasury funds to participants. Much like the Wonderland vote in late January, a relatively small number of whales with a large share of the votes (who bought in early and still stood to make money on the project) were able to pass the vote to close the project, despite a majority of voters selecting to keep the project going. Furthermore, because the Invictus tokens used for voting also themselves hold the value, some people were unable to vote in the poll because their tokens were locked up in lending platforms where they had used them as collateral. Many participants in the project who haven't been actively watching the governance page likely don't even know the vote happened.
Some members of the project wrote on Discord that they felt rugged, with one even speculating that the project had been so eager to implement voting so they could pass a "community" vote to close the project and make off with a profit without damaging their reputations or potentially facing lawsuits. Various members of the project Discord shared how much they had lost: one person said they were down $20,000, another was down $75,000, and a third person reported losing $400,000. One person asked "who else is in the 6 figure loss club" and received three agreement emoji reactions; another person said they'd lost a year's salary. Some people already opted to try to sell their tokens early, worrying that the project leaders might make off with the treasury and not allow people to redeem their $IN; others waited in hopes of the redemption price being higher than the current token price; and some even suggested buying more $IN in hopes that they could make a profit if the redemption price is higher than the current price.
- [RFC] Allocate Funds for Team / Operational Expenses + Third Option on Invictus DAO forums
- [INIP] Allocate Funds for Team / Operational Expenses + Redemption on Invictus DAO forums
Discord compromise targets fans of the Wizard Pass project in a two-for-one scam that both accepted payments for fake NFTs and stole the NFTs that victims already owned
A Twitter thread by SerpentAU suggested that the malicious minting website had not only accepted ETH from victims and provided nothing in return, but had also prompted users to grant full access to their NFT wallet, allowing valuable NFTs to be stolen. It's not yet clear how many NFTs were stolen as a result.