Authorities link Axie Infinity hack to North Korean Lazarus hacking group

According to the FBI, the infamous cybercrime group Lazarus has been implicated in the March Axie Infinity exploit that saw $625 million taken from the game's blockchain bridge. Lazarus are a criminal group with strong ties to North Korea, and are suspected of being behind infamous cyberattacks including the WannaCry ransomware that impacted a wide range of industries including hospitals and manufacturing, as well as legislative and justice systems. The U.S. Treasury Department has added the crypto wallet that received the stolen funds to its sanctions list, which may make it substantially harder for the attackers to withdraw the money. The wallet still contains around 150,000 ETH, valued at around $445 million, but funds have been slowly siphoned out of it to various other wallets, exchanges, and tumblers over the past weeks.

RCMP says more than $2 million has been lost to crypto scams in Richmond, B.C. since January

The police in Richmond, British Columbia say they've received 22 reports of crypto fraud, which have included fake investment schemes, romance scams, or scammers impersonating government officials. One individual targeted by a fake investment scheme lost CA$550,000, which he thought he was investing in foreign exchange companies that turned out to all be fake.

Shareholders file a class-action suit against Coinbase over deceptively positive statements

A group of shareholders have filed a class-action lawsuit against Coinbase, alleging that the registration and prospectus statements provided for the company's IPO were false and misleading. The suit alleges that Coinbase failed to disclose that the company would require a large cash injection, and that it was susceptible to outages that were becoming more common as the company scaled. They described the company's positive statements about its outlook as "materially misleading and/or lack[ing] a reasonable basis".

Fake SkyVerse project draws in more than $150,000

[Image: Fake mint website, showing the text "SKYVERSE MINT IS LIVE 4062/5555 minted Total: 0.1 ETH Connect Wallet". Caption: Fake SkyVerse website]
A scammer recreated the Twitter account for SkyVerse, a much-anticipated NFT land project due to launch in "mid-April". More than 250 NFT collectors eager to get in on a mint that has only vaguely pointed to a date have fallen prey to a scammer convincing them that not only has the project started minting, but they're rapidly selling out. The scammer implemented a "counter" on the webpage that appears to show the project quickly selling out in real time, apparently hoping to increase the FOMO that might encourage someone to hastily connect their wallet. However, a glance at the website source shows the counter is just instantiated to a fixed value, and then increments arbitrarily to show the counter approaching the maximum number of NFTs that will be sold. So far, the website has drawn 50 ETH ($150,000) from would-be collectors trying to mint NFTs for 0.1 ETH ($300) each.

NFT collector gets $280 top bid for the Jack Dorsey tweet NFT he bought for $2.9 million last year

[Image: Screenshot of a tweet by @jack: "just setting up my twttr". Caption: NFT of Jack Dorsey's first tweet]
After Jack Dorsey made an NFT out of his first-ever tweet, then-cryptocurrency executive Sina Estavi won the auction in March 2021 with a 1,630 ETH bid (then around $2.9 million). A little over a year later, on April 6, Estavi tweeted that he would be selling the NFT. He listed the NFT on OpenSea for 14,969 ETH (around $46 million), in an auction slated to last a week. When the auction closed, there were seven offers ranging from 0.0019 ETH ($6) to 0.09 ETH ($277). It's still up to Estavi whether or not to accept a bid.

Ethereum transition to proof-of-stake delayed again, as is tradition

For years now, Ethereum has been talking about a transition from its energy-intensive, expensive proof-of-work consensus model to a proof-of-stake consensus model, which sports a totally different set of flaws! Exciting.

The project has been delayed so many times that it has become a bit of a running joke — crypto critics regularly describe the Ethereum PoS migration as something that has been "only six months away" for several years now. Meanwhile, it has proven a useful way for Ethereum fans to dismiss the valid concerns about the enormous energy expenditure of their preferred blockchain, as though enormous emissions and e-waste are somehow a non-issue if there is some vague plan at some perpetually-in-the-future point to move away from them.

Anyway, Ethereum developers have projected new levels of optimism lately, with several of them describing "the merge" as imminent — I believe a June timeframe was the popular estimate. Unfortunately, this appears to have been just as unachievable as the prior "deadlines", with an Ethereum core developer stating it was now looking like it wouldn't happen until some time this autumn. This is particularly brutal timing, given Nilay Patel's interview yesterday with a16z's Chris Dixon, where he confidently pointed to an early July "merge" date (only to become substantially less confident when pressed on specifics). Anyway, see you this fall for the next hype cycle — between now and then, Ethereum will have again consumed energy comparable to the amounts used annually by some small countries, for little if any useful purpose.

Texas Securities Commissioner issues emergency order to stop a metaverse casino

Securities Commissioner Travis J. Iles issued an emergency cease and desist order to stop "Sand Vegas Casino Club", a project that writes on its website "THE HOUSE ALWAYS WINS. And with SandVegasCasinoClub NFTs YOU can BE THE HOUSE!" The project would have allowed NFT buyers to participate in a "profit-share program" and earn "passive income" from a metaverse casino where people could not only gamble, but purchase metaverse items representing drinks and cigarettes (really).

In the order, the Commissioner alleged that the project was "leveraging interest in metaverses to perpetrate a high-tech fraudulent securities offering", and had been falsely claiming to their followers that securities laws don't apply to NFTs. "They are misleading purchasers by claiming they can simply avoid securities regulation by implementing illusory features or use different terminology," the Commissioner's announcement said.

Science fiction author Pierce Brown cancels NFT project after negative fan response

[Image: A silhouette of a human figure on a red-brown background. The figure has an afro and what appears to be a steam valve on their neck, and is smoking a cigar. Caption: Solar Society promotional art]
"Don't make your dystopian books our reality, Pierce," a fan replied to sci-fi author Pierce Brown's announcement of an NFT project. Brown, the author of the bestselling Red Rising series of novels, announced an NFT project called "Solar Society" based around his work. Fan response was overwhelmingly negative, with some expressing concerns over environmental impact, and others dismayed at the negative effect they feel NFTs have had on creative communities.

The day after the announcement, Brown released a statement saying that he had been drawn in by the hope that NFTs would allow him to avoid "big companies whose sole focus is strong-arming away the rights to projects they've never been a part of to turn a big profit." He wrote, "I felt that if I didn't jump on it myself, someone else would, without the love, care, and artistry we believe in". He concluded that, given the response from his fans, he would not be continuing the NFT project. Some encouraged him to use the artwork that had already been created for merchandise or other non-NFT art sales.

Someone once again appears to trade on insider knowledge of Coinbase listings

On April 11, Coinbase announced 50 new cryptocurrencies they were considering listing on their exchange. These announcements tend to increase the price of the tokens under consideration, as traders take bets that the coins will be listed, and that their being listed on a major exchange and made more easily accessible will result in a price increase down the road.

The day after the announcement, crypto influencer "Cobie" wrote on Twitter, "Found an ETH address that bought hundreds of thousands of dollars of tokens exclusively featured in the Coinbase Asset Listing post about 24 hours before it was published, rofl". The wallet had spent around $400,000 on multiple currencies listed in the announcement, which certainly makes it appear as though its owner knew about the contents of the announcement before it was published.

This is not the first time allegations of insider trading have been made based on Coinbase announcements. In February, a trader made a profit of over $700,000 by trading on what appeared to be advance knowledge of two upcoming Coinbase announcements.

The Wikimedia community formally requests that the Wikimedia Foundation no longer accept cryptocurrency donations

Wikipedia editors and other members of the Wikimedia communities completed a three-month-long discussion about whether the Wikimedia Foundation (WMF) should continue to accept donations in crypto. The WMF, which is the non-profit that owns and operates Wikipedia and related projects, has accepted crypto donations via BitPay since 2014. They have been a small source of donation revenue — in the last fiscal year, the WMF received about $130,000 worth of crypto donations. "Crypto was around 0.08% of our revenue last year, and it remains one of our smallest revenue channels," wrote a Wikimedia Foundation staff member.

The community member writing the closing summary of the discussion wrote that "Common arguments in support include: issues of environmental sustainability, that accepting cryptocurrencies constitutes implicit endorsement of the issues surrounding cryptocurrencies, and community issues with the risk to the movement's reputation for accepting cryptocurrencies.... Excluding new accounts and unregistered users, the tally is 232 to 94, or 71.17% in support of the proposal. These results indicate overall community support, with a significant minority in opposition. Thus, the Wikimedia community requests that the Wikimedia Foundation stop accepting cryptocurrency donations."

Attacker cashes out more than $11 million from Elephant Money in a flash loan attack

A person was able to use a flash loan attack to drain the Elephant Money project, crashing the token price to 0 while cashing out 27,416 BNB ($11 million). Losses to the project were likely higher, including the loss of 30 billion $ELEPHANT tokens (~$10 million). The project boasted audits by both CertiK and Solidity Finance on its website, though CertiK later tweeted that the flaw was with the treasury contract, which was unverified and unaudited.

Elephant Money is a defi project with some questionable promises — its Twitter account advertises that people can "earn 672% APY", and a recent tweet encouraged people to use Elephant Money "as your new bank: Your share of ELEPHANT tokens can be compared to your debit account, except that it also generates you money. Stampede Perpetual Bonds is your retirement fund." Hopefully no one took them up on their suggestion to put their debit account balance or retirement money into the project.

Celsius stops allowing non-accredited investors in the United States to lend out their crypto

Celsius announced that, in order to comply with United States regulations, they would no longer allow non-accredited investors from the U.S. to "earn rewards on" (that is, lend) their crypto using their Earn product. Earn advertises that people can "earn up to 18.63% APY, get paid weekly" by putting their crypto into a Celsius account, which Celsius then lends out in exchange for interest. There are, of course, no insurance protections for the user in case of losses. Non-accredited investors will now be limited to only using their Celsius account to exchange, borrow, or transfer crypto — not lend.

Individual accreditation is based on net worth or income: only those with net worth above $1 million, or yearly income above $200,000, qualify. American Celsius users were largely unhappy with the change, with one writing, "Celsius Network making the rich richer. Shameful."

Ichi token plummets 90% after Rari liquidity pool is emptied

Ichi, a defi project that allows other projects to create their own stablecoins, suffered cascading liquidations in its Rari pool, leading to a token price crash. Rari is a protocol that allows users to earn yields on liquidity pools for various assets. Ichi's liquidity pool on Rari was set up with an extremely high collateral factor (85%) and no supply caps, which allowed borrowers to borrow more $ICHI to use as collateral than actually existed in the liquidity pool, with many borrowing $ICHI to buy more $ICHI. As borrowers did this, the price briefly spiked from the token's early April price of around $70 to $139 before plummeting to below $2.

One Rari developer blamed Ichi for the disaster, writing, "Fuse is a permissionless protocol. Pool operators are responsible for following best practices to avoid situations like this one". Rari Capital's official Twitter account also blamed Ichi, stating, "This is a permissionless pool that is owned and operated by Ichi. We hope to see an announcement from Ichi regarding redemption strategies and next steps to make users whole."

In the FAQ about the incident, Ichi wrote that they had allowed such a high LTV ratio in the pool because they expected "users would make responsible decisions that would benefit the community". There is currently around $30 million of bad debt in the liquidity pool.

NFT collector suffers wallet compromise and loses over 100 NFTs, priced at over $600,000

[Image: A computer-generated image of blue and orange wave-like structures on a striated yellow and orange background. Caption: One of Casper's stolen NFTs, Jiometory No Compute - ジオメトリ ハ ケイサンサレマセン #1021]
NFT collector "Casper" discovered their wallet had been compromised, and an attacker had stolen around 114 NFTs worth around $600,000. The collector took to Twitter to urge people not to transact with his compromised wallet, and to ask OpenSea and other marketplaces to freeze the address. As of April 12, it was unclear how the wallet had been compromised. However, other wallets besides Casper's had transferred NFTs to the same exploiter address, so they may not have been the only user affected.

Attacker drains Creat Future tokens through flaw that allows anyone to transfer the contents of another person's wallet

[Image: A chart showing the value of $CF/$USDT. The price was steady before briefly spiking and then crashing to near 0. Caption: CF/USDT pair]
An attacker stole about $1.9 million after exploiting a bug in the smart contract for the Creat Future token. The contract's transfer function was defined as public, with no validation on the caller, allowing anyone to transfer tokens from any wallet. An attacker quickly exploited this flaw to drain millions of $CF tokens from various wallets, then exchange and tumble them to cover their tracks. The attacker made off with about $1.9 million, and the value of $CF crashed.

$CF was an asset belonging to Creat Future, an early-stage defi project. Some have speculated that the hack was an inside job, and the vulnerable function was added intentionally.

First crypto burger purchase at Bored Ape restaurant illustrates why people don't widely do this

[Image: A packaged fast food meal with a Bored Ape and two Mutant Apes printed on the packaging. Caption: Bored & Hungry packaging]
A restaurateur opened "Bored & Hungry", a Bored Ape-themed restaurant in Long Beach, California that offers a simple menu of hamburgers or plant-based burgers (with or without onions), french fries, and soda. Prices are listed in plain ol' cash, but the restaurant published a celebratory Instagram post on April 9 showing their first ever meal purchased with $APE, the Bored Ape-associated crypto token.

A customer ordered two combo meals, which he purchased by using his mobile crypto wallet to transfer 2 $APE. I was able to track down the transaction, and at the exact time of transfer, 2 $APE were priced at $21.92. The value of $APE has increased by 20% since then, so the purchaser lost out on those earnings by spending them at that time (compared to cash, which is worth roughly the same as it was 10 days ago). This is a (very small) example of why people don't tend to use as currency the same assets they are expecting to increase substantially in value. Furthermore, the purchaser had to agree to an estimated $10 in gas fees when he confirmed the transaction — half as much again as the price of the meal. The transaction ultimately cost the purchaser $4.66 in gas due to fortunately low rates that day, but it was a transaction fee that wouldn't exist if they used cash, or would be substantially smaller and typically absorbed by the restaurant if using a credit card.

Painful financial implications aside, a public transaction record means it's now trivial for anyone to see who is purchasing food at the restaurant using crypto in real time — something that has concerning implications for victims of stalking and other abuse if implemented more widely, as well as just for average people who enjoy having some degree of privacy.

Anyway, hopefully the food's good — assuming the person had any appetite left after looking at their food containers depicting an ape with green skin sloughing off its face.

Gripnr seeks to financialize your Dungeons & Dragons games

[Image: An illustration of a dwarf with a long grey beard and short cropped hair with some braids in it. He is hunched over holding a glaive and is wearing a chainmail shirt. Caption: Gripnr dwarf NFT illustration]
Because, really, what is even the point of playing Dungeons & Dragons if you're not buying a premade character from a limited set of options, playing premade adventures with it, getting "Gripnr certified" as a dungeonmaster (or finding someone who is), paying transaction fees every time you level up or get new equipment, or reselling your characters after the campaign ends (to someone who apparently wants a "used" D&D character)?

A company called Gripnr is already working to line up NFT pre-sales, despite acknowledging that they have no idea how they will prevent fraudulent data input — an issue commonly known as the oracle problem. It's also unclear how they intend to change the game so that it's sufficiently different from the Wizards of the Coast game that they will not face legal action (an issue that ended another crypto project planned to be based around a WotC game). We can only hope that none of this may last long enough to become an issue, given that Gripnr have come up with an idea that I can't imagine appealing to a single person who's ever played D&D.

Legal action begins against developer who solicited investments to build an OpenSea competitor, then used it to fund his NFT trading

Attorney Kevin Homiak tweeted that his firm would be representing several individuals who contributed money to a developer, Tyler Gaye, who promised to be working on an NFT platform called 0peNFT. After pulling in donations totaling 227 ETH (then around $400,000), the project was plagued with delays. Despite promises that the team was hard at work, people observing the public GitHub noticed it showed almost no commits to the project code.

Meanwhile, Gaye used the project Twitter account to promote his own NFT collection. He also took the donated funds and used them to buy NFTs. When pressed on this in the project's Telegram chat, he wrote, "Im buying NFTs because its my ETH and thats what I wanted to do." After crypto scam investigator zachxbt wrote about Gaye's scams, Gaye threatened to "put him in the ground if we ever meet in person".

Gaye has spent almost 400 ETH on NFTs since beginning to collect donations for his project — equivalent to over $1 million. He has also sold NFTs for a total of around 315 ETH (roughly breaking even with the amount he spent on NFTs, if looking at the ETH prices at time of trade), and amassed a substantial number of NFTs he still holds.

Blockchain bridge for the WonderHero play-to-earn game is exploited

WonderHero is a mobile play-to-earn turn-based strategy game. Attackers were able to mint 80 million $WND after successfully exploiting the bridge linking the WonderHero play-to-earn sidechain and the BNB chain. The attacker was able to swap their stolen $WND for 750 BNB ($325,000), tanking the price of $WND to near zero in the process.

Starstream treasury drained of $4 million

Starstream, a defi project built on the Andromeda layer 2 Ethereum protocol, had its treasury drained. Blockchain security company CertiK reported that the treasury appeared to have contained around $4 million in STARS, all of which was stolen. Shortly after the hack, the attacker transferred 900 ETH ($2.9 million) to a crypto tumbler. Starstream had been audited by two security firms prior to the exploit.

Scammer creates a fake site to revoke wallet permissions, then pretends there is an OpenSea vulnerability to trick people into using it

[Image: Tweet by grantith.eth, reading "HUGE OPENSEA ISSUE You MUST go check on revote.site if you have the OpenSea API allowance, if yes you should revoke for your NFTs! I just lost a $100k Azuki so ALWAYS check and don't make the same mistake. Share it to save someone NFTs." Caption: A tweet falsely claiming an OpenSea vulnerability, linking to a scam permission revocation website]
It's not exactly straightforward to revoke wallet permissions once they've been granted, and so many users use a site called revoke.cash to remove permissions in the case of malicious contracts or as a precautionary measure. A clever scammer created a fake website that mimics revoke.cash, called revoke.site, and then used a verified Twitter account to tweet about a "huge OpenSea issue" that they claimed resulted in the loss of a pricey NFT. The scammer hoped that people would panic and try to use the site to revoke permissions. In reality, the website runs a script to determine the highest value assets, and then prompts the user to "revoke" permissions for those assets, while actually setting approval for those assets to be transferred to the scammer's wallet. As of the evening of April 7, the wallet had received 13 NFTs, and flipped eight of them for a total profit of 4.9 ETH (~$16,000).
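As an added example (not part of the original post or of any tool it mentions): a check that decodes the calldata a "revoke" page asks a wallet to sign and reports whether it clears an approval or grants one. The operator address and sample calldata are constructed; the two selectors are the standard ones for `approve(address,uint256)` and `setApprovalForAll(address,bool)`.

```python
"""Tell a real approval revoke from a grant dressed up as one, before signing."""

# Standard 4-byte selectors (first 4 bytes of keccak256 of the function signature).
SEL_APPROVE = "095ea7b3"               # approve(address,uint256): ERC-20 and ERC-721
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool): ERC-721/1155
ZERO_ADDRESS = "0x" + "0" * 40


def _decode_args(calldata):
    """Split ABI calldata into its selector and two 32-byte argument words."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 2 * 64:
        raise ValueError("expected a 4-byte selector and two 32-byte arguments")
    bytes.fromhex(data)  # raises ValueError if the input is not hex
    return data[:8], data[8:72], data[72:136]


def _address(word):
    """An address is right-aligned in its word; the upper 12 bytes must be zero."""
    if word[:24] != "0" * 24:
        raise ValueError("malformed address argument")
    return "0x" + word[24:]


def classify_approval(calldata, standard="erc721"):
    """Return the function, the address being approved, and the real effect."""
    selector, first, second = _decode_args(calldata)
    target = _address(first)
    value = int(second, 16)

    if selector == SEL_SET_APPROVAL_FOR_ALL:
        if value not in (0, 1):
            raise ValueError("malformed bool argument")
        # true hands the operator every token in the collection; false takes it back.
        effect = "GRANT" if value == 1 else "REVOKE"
        return {"function": "setApprovalForAll", "operator": target, "effect": effect}

    if selector == SEL_APPROVE:
        if standard == "erc20":
            # Second argument is the allowance; setting it to zero clears it.
            effect = "REVOKE" if value == 0 else "GRANT"
        elif standard == "erc721":
            # Second argument is a token id; approving the zero address clears it.
            effect = "REVOKE" if target == ZERO_ADDRESS else "GRANT"
        else:
            raise ValueError("standard must be 'erc20' or 'erc721'")
        return {"function": "approve", "operator": target, "effect": effect}

    raise ValueError("not an approval call")


def label_is_honest(ui_label, calldata, standard="erc721"):
    """True only if what the page's button says matches what the call does."""
    wanted = "REVOKE" if ui_label.strip().lower() == "revoke" else "GRANT"
    return classify_approval(calldata, standard)["effect"] == wanted


# Constructed samples: the operator is a placeholder, not an address from the page.
_OPERATOR_WORD = "0" * 24 + "11" * 20
# What a fake revoke page would request: setApprovalForAll(operator, true).
SAMPLE_FAKE_REVOKE = "0x" + SEL_SET_APPROVAL_FOR_ALL + _OPERATOR_WORD + "0" * 63 + "1"
# What a genuine revoke looks like: setApprovalForAll(operator, false).
SAMPLE_REAL_REVOKE = "0x" + SEL_SET_APPROVAL_FOR_ALL + _OPERATOR_WORD + "0" * 64

if __name__ == "__main__":
    for name, tx in (("fake", SAMPLE_FAKE_REVOKE), ("real", SAMPLE_REAL_REVOKE)):
        print(name, classify_approval(tx), "honest:", label_is_honest("revoke", tx))
```

The same `approve` selector serves ERC-20 and ERC-721 with different meanings for the second argument, which is why the caller has to say which standard the token contract implements.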

Star Trek gets into NFTs

[Image: A rendering of a spaceship resembling the Starship Enterprise. Caption: Sample Star Trek NFT]
Star Trek announced the creation of "Star Trek Continuum", a part of Paramount's new NFT platform. They state that the project is "accessible to everyone [with $250 to throw around] and allows another expression of fandom [by giving us their money]". The press release attempts to drum up FOMO by writing, "there will never be more of these designs created and the minting window will only be open for 24 hours" — however, it also talks about how this is "Season 0" and the platform will be used for "future seasons of Star Trek™ NFTs."

Ubisoft abandons Tom Clancy's Ghost Recon Breakpoint after shoehorning NFTs into it

[Image: A monochrome, dark grey helmet model. Caption: Ubisoft "Wolf Enhanced Helmet A" NFT]
Ubisoft announced in December that they would be incorporating NFTs into their Tom Clancy's Ghost Recon Breakpoint title, much to the chagrin of its players and some employees as well. On April 5, Ubisoft announced that they would no longer be releasing updates to the game, nor would they be minting any additional NFTs.

Although the Formula 1 blockchain game that shut down earlier this month made halfhearted promises to allow NFT holders to swap their NFTs for ones used in a different game, Ubisoft has made no such promises.

Another $1 million lawsuit is filed against OpenSea for stolen apes

[Image: An illustration of a red-furred ape wearing a captain's hat, grimacing with half-lidded eyes, and wearing a dress shirt and maroon vest with an ascot. Caption: Bored Ape #8858]
A third "stolen ape" lawsuit was filed against OpenSea, alleging that Opensea's "security vulnerability allowed an outside party to illegally enter through OpenSea's code and access Plaintiff's NFT wallet, in order to sell Plaintiff's Bored Ape at a fraction of the value." Someone was able to buy the plaintiff's Bored Ape for 24.89 ETH (~$60,000) — much less than the 135 ETH (~$332,000) the plaintiff had recently listed it at. The scammer then quickly flipped the NFT for resale for 92.9 ETH (~$225,000) within an hour.

The language in the lawsuit is very similar to the stolen ape lawsuit filed February 18, which is not surprising because the plaintiffs are using some of the same lawyers. Vice interviewed one of the lawyers, and determined that the somewhat odd wording refers to the issue in which OpenSea users didn't realize their old listings of NFTs at lower prices were still active.

Worldcoin, creators of the eyeball scanning orb that promises universal basic income, encounters more difficulties

[Image: A man sits staring into a gleaming silver sphere. Caption: Stare into the Orb]
New reporting from BuzzFeed News and MIT Technology Review described some of the issues that Worldcoin has been encountering on its mission to scan the eyeballs of the world population, in exchange for nebulous promises of crypto. Although "Orb operators" have been out and about scanning eyeballs in countries around the world, those who've agreed to be scanned have only been offered a voucher for Worldcoin tokens and a promise that they may, someday, be redeemable for $20. Meanwhile, the company appears to be flouting data privacy laws and endangering operators of these Orbs, who have encountered threats from angry uncompensated users, and some of whom have been detained by law enforcement. Those who have agreed to have their eyes scanned have accused the company of "stealing their eyes", and fear how their biometric data may be used.

Collectors spend a cumulative $26 million on gas fees alone for "VaynerSports" NFT project—3x the amount made from the NFTs

[Image: A rendering of a card with the letters "VSP" on it. Caption: VaynerSports Pass NFT]
AJ Vaynerchuk, brother of prominent NFT personality Gary Vaynerchuk (aka Gary Vee), launched his VaynerSports NFT collection. The popularity of the project resulted in surging gas fees on the Ethereum chain, and a poorly-implemented contract worsened issues. Users encountered failed transactions, meaning they lost the gas fee they had spent, and also did not successfully mint an NFT. Once the mint was over, 2411 ETH ($8.2 million) had been spent on mints, and 7652 ETH ($26.4 million) had been spent on gas fees. Some users lost thousands of dollars in gas fees on failed transactions.

Someone mints NFTs of r/place, because what's the point of collective artwork if someone can't profit off it

[Image: Pixel artwork showing a Bitcoin with a cancel symbol, and "r/FUCKNFTS". Caption: Portion of r/place]
Reddit reopened its chaotic collaborative art project, r/place, for several days. Users could place colored pixels onto a shared canvas at limited intervals, collaborating to festoon the page with flags, fan art, memes, subreddit names, activist statements, logos, and everything else people could collectively convince others to help create. The collaborative canvas at various times conveyed pro- and anti-crypto sentiment, with r/Buttcoin putting up a valiant effort to stamp "Fuck NFTs" onto the piece.

Sadly, the collaborative and fun community art piece and social experiment was financialized almost immediately after the last pixels were placed, with several projects cropping up to sell portions of the canvas for crypto. One of the projects ended almost as quickly as it began, replacing all its NFT images with the "r/FUCKNFTS" portion of the canvas and rewriting the description to say, "Ok, I guess that was a bad move and a bad Joke. Please use Cryptos as decentralized money against states, not to sale dumb images on the internet. Love U Reddit, got U". Other projects, however, remain for sale.

COVID-19 conspiracy theorist Robert Malone announces to trucker convoy his plans to dox more than 4,000 people using blockchain-based tech "so they can't take it down"

[Image: Robert Malone speaks into a microphone at a podium on an outdoor stage. Caption: Robert Malone speaking to trucker convoy]
Robert W. Malone, a COVID-19 conspiracy theorist, gave a speech to a group of anti-vax truckers in which he announced plans to dox over 4,000 "[World Economic Forum] trainees" by publishing their names, addresses, and current and historical work information. "We're about to put this up on a blockchain-protected site so they can't take it down" he said, to cheers. "We're going to ask all of you and we're going to ask Steve Bannon's posse to crowdsource the rest of those names," he said, "There are a ton of... people residing in the United States... that are embedded throughout our government, and throughout the tech industry, and throughout the banking industry, and throughout the bloody media!" When a crowd member shouted "Lock them up!" he replied, "locking them up isn't even going to do it", leading another person in the crowd to shout, "hang them!"

Federal authorities seize $34 million in Bitcoin from alleged seller of stolen account information

A Floridian suspected of selling hacked account information for services including HBO, Netflix, and Uber had $34 million in Bitcoin seized by federal authorities. Prosecutors accused a suspect of a scheme from 2015–2017 in which he sold stolen account information on the dark web. Unusually, they filed a civil rather than criminal case against the defendant, and were able to seize the crypto in a default judgment. Tough day for those arguing that crypto is somehow inherently immune from government actions.

Scammer takes advantage of a platform's poor UX to steal several pricey Bored Ape NFTs

[Image: An illustration of a light yellow ape with lidded eyes with yellow irises, blowing a bubble of gum, wearing a red t-shirt. Caption: Bored Ape #1584]
A trader who owned a Bored Ape and two Mutant Ape NFTs apparently reached a deal to trade them for three different Bored Ape NFTs. Because OpenSea doesn't support swapping NFTs directly, only buying and selling them for ETH, the traders used a less-known platform called KiwiSwap to do the trade. Like many platforms, KiwiSwap aims to help users spot faked NFTs by showing a "verified" badge — however, because the platform shows the badge overlaid on the NFT image, a scammer was able to create imitation Bored Apes that included the same checkmark as a part of the image, making them appear legitimate. KiwiSwap also does not include functionality that would allow a user to click through to verify the NFT is the one it claims to be.

When the user confirmed the transaction, they transferred their three pricey apes to the scammer, receiving three worthless ones in return. NFT trader 0xQuit estimated the loss at around $587,000.

Amidst rumors of market manipulation, Waves' USD-based "stablecoin" loses peg, drops to $0.82

[Image: A chart on CoinMarketCap showing USDN/USD. The price had been relatively stable at $1 for the entire three-month view, until suddenly dropping to around $0.80 on April 4. Caption: Price chart showing USDN depeg]
The stablecoin belonging to the Waves protocol, "Neutrino dollar" (aka USDN), crashed nearly 20%, despite intending to maintain its 1:1 ratio to the US dollar. The volatility occurred amidst flying accusations on Twitter, where various people first accused the Waves team of manipulating the price of their own token and running a Ponzi scheme, and then Waves' CEO accused an outside trading firm of manipulating the $WAVES price and "organiz[ing] FUD campaigns to trigger panic selling".

User loses £55,000 (~$72,000) to Trezor phishing email

[Image: A black plastic rectangle that tapers towards the bottom. It has a "TREZOR" logo and a square screen displaying a lock icon. Caption: Trezor hardware wallet]
A Bitcoin holder using a Trezor hardware wallet fell victim to a phishing scam after attackers stole email lists from a third-party vendor used by Trezor. The user wrote on Reddit that they were "not paying attention and was on autopilot, just doing what it said. Was arguing with my gf via Telegram at the time... had not slept enough, was a bit hungover and was distracted" when they received the email.

The email in question appeared to be from Trezor, and claimed that users' funds were in jeopardy. It prompted them to download a new (fake) version of the Trezor wallet software, and when users entered their seed phrase to restore their wallet from a backup, it drained their crypto. "What a mug I am," wrote the affected user. "Had been building up my BTC for seven years and lost it in a few minutes' utter stupidity."

The Reddit post also included two follow-up edits, displaying the victim blaming that is common when users are hit with phishing scams and other attacks. The user wrote "Edit: yes I entered my keys, because I'm a twat Edit 2: a lot of people saying they'd never fall for it. I hope they're right."

Attack on Inverse Finance results in a $15.6 million loss

An attacker targeting the defi project Inverse Finance was able to manipulate the price oracle of INV/ETH, artificially inflating the apparent price of INV and allowing the attacker to borrow against it. The attacker was ultimately able to turn the borrowed DOLA, ETH, WBTC, and YFI tokens, priced at a total of around $15.6 million, into around 4300 ETH (priced at around $14.5 million). As of early April 2, the attacker had transferred 1,300 ETH (around $4.5 million) to a tumbler to make it more difficult to trace.

Taiwanese singer Jay Chou has Bored Ape stolen

[Image: An illustration of a grimacing ape with pink fur and diamond teeth wearing a colorful stunt jacket on an orange background. Caption: BAYC #3738]
Taiwanese singer Jay Chou fell victim to an apparent phishing scam, in which a malicious actor transferred his pricey Bored Ape NFT to their own wallet. The scammer then flipped the NFT for sale on LooksRare for 130 ETH (~$425,000).

The theft prompted security researchers at Check Point Research to investigate what ended up being a serious bug in Rarible, where malicious NFTs could execute JavaScript and trick users into signing a contract that would then empty their wallets.

Class action lawsuit filed against "Let's Go Brandon" coin creators for alleged pump-and-dump

[Image: NASCAR driver poses standing against a racecar with American flag detailing, the domain "LGBcoin.io", and the number 68 painted on it. Caption: Brandon Brown poses with LGB coin branded car before sponsorship deal is cancelled]
A class-action lawsuit filed by Missouri investor Eric De Ford claims that the people behind the pro-Trump "Let's Go Brandon" (LGB) memecoin misled investors about a NASCAR sponsorship deal and celebrity backing. LGB coin had nearly reached an agreement to be the primary sponsor for NASCAR driver Brandon Brown, but the sponsorship was axed by NASCAR shortly after LGB coin announced it. Regardless, those behind the coin allegedly continued to promote the coin as though the NASCAR sponsorship was in motion, even as the token value cratered. The lawsuit alleges that "Defendants pushed the LGB Tokens as a means of promoting the American dream, while simultaneously touting the prospects for LGB Tokens and the ability for investors to make significant returns from the LGB Tokens like other so-called 'meme coin' digital assets... In truth, Defendants cynically marketed the LGB Tokens to investors so that they could sell off their portion of the Float for a profit."

De Ford has named the LGB coin creators in the suit, as well as NASCAR, and promoters like Brandon Brown and Candace Owens.

Apparent scammers drop NFTs appearing to be from the Bored Ape Yacht Club project

[Image: 3D-rendered piece of "land" crudely made from simple polygons, with block text reading "1x1" underneath. Caption: Fake BAYC land NFT]
An apparent scammer was able to create transactions that appeared as though they were coming from the smart contract belonging to the Bored Ape Yacht Club. OpenSea's UI doesn't differentiate these spoofed transfers from those that are actually coming from the project's contract, and so only users who carefully look at the transaction details can spot that the NFT is suspicious. "This is unfortunately just how the blockchain works", wrote gofannon.eth, the Director of Engineering for the company behind BAYC.

Whoever was behind these transactions airdropped fake NFTs purporting to be a part of an upcoming BAYC metaverse land project, sending them to owners of pricey NFTs and various NFT influencers. It's not clear whether the NFT can perform malicious actions, or if any individuals have been impacted by it if so. However, part of the scam appeared to be to try to entice other users hoping to get in on the next new BAYC project to fall for a phishing scam. Tracing the transactions back showed an OpenSea profile with a fake "verified" badge and a mint link to what appears to be a phishing website, which invites people to connect their wallets to supposedly mint their own BAYC land NFTs.

Discord servers of several big-name NFT projects including Bored Apes and Doodles are compromised

Another day, another Discord compromise — or in this case, many Discord compromises. Bored Apes wrote on their Twitter account in the early hours of the morning, "STAY SAFE. Do not mint anything from any Discord right now. A webhook in our Discord was briefly compromised. We caught it immediately but please know: we are not doing any April Fools stealth mints / airdrops etc. Other Discords are also being attacked right now."

Other Discords reported to be compromised include several other big-name projects including Doodles, which had previously endured a Discord compromise in late February. This particular compromise appeared to stem from a series of compromised Discord bots, including a very popular CAPTCHA bot used to fight spammers. It's unclear if anyone lost money to the fake links posted by seemingly-official Discord accounts, or how much, but these types of attacks often lure in at least some victims, and the higher-priced NFT projects like Bored Apes and Doodles enable scammers to ask for quite a lot of money without raising an eyebrow.

Nate Chastain, executive who was canned from OpenSea for alleged insider trading, creates a new NFT platform

Nate Chastain resigned from OpenSea at their request in September 2021 after it was discovered that he had allegedly been buying NFTs based on insider knowledge that they would be featured on the OpenSea front page, then reselling them at a profit. Fortunately for him, the crypto sphere is a great place for scammers and fraudsters to get second and third and fourth chances, and so Chastain is right back at NFTs with a new venture, "Oval". Oval is trying to raise a $3 million seed round and $30 million pre-money valuation, or a $7.5 million seed round and $50 million valuation, depending which pitch deck you look at.

Former Cosmic Cowgirls head community moderator accuses the project of rug-pulling

[Image: Illustration of a woman wearing a blue and pink cowboy hat, with blue hair, crying green tears, on a green background. Caption: Cosmic Cowgirls #1128]
The former head moderator of the Cosmic Cowgirls NFT project Discord, Esh, wrote on Twitter that the project team had fired all moderators and scrapped all of their roadmaps. The previous roadmap had promised gamification, meetups, merchandise, comics, an animated series, and all sorts of other things, though no headway appeared to have been made on any of them. The team also removed around 300 ETH (a bit over $1 million) in funds from the project wallet.

The Cosmic Cowgirls team hit back with accusations against the head moderator, accusing him of falsifying allegations against the project out of anger at being fired along with the other moderators. The group also claimed that the funds had been moved for security and tax reasons, and sent a vaguely threatening message to the moderator in which they stated that he should "discontinue the spread of false information in attempts to harm us and the project" and "resolve [concerns] ... privately as the terms of our contract are still ongoing and applicable".

Lending protocol Ola Finance is hacked for $3.6 million

Ola Finance is a lending protocol that allows others to create their own lending networks. It promises to allow users to create their own loan platforms where "assets can be listed without needing to pass cumbersome and expensive governance schemes or comply with numerous requirements (deep liquidity, high trading volumes, low volatility, etc.)"

One of their networks, built on top of the Fuse chain, was exploited for crypto assets priced at around $3.6 million. By taking advantage of a re-entrancy vulnerability, the attacker was able to take loans on the platform, then withdraw the collateral without paying back the loans. They then took the stolen assets and transferred them to the BNB and Ethereum chains, making them more difficult to recover.

Creator of apparent $21 million Bored Bunny rug pull miraculously resurfaces following DOJ action against a different rug pull

[Image: A 3D-rendered humanlike bunny, with cow-print skin, a tie-dye shirt, and red irises. Caption: Bored Bunny #3258]
Many had written off the Bored Bunny NFT project (and its subsequent spin-off NFT collections) as a rug pull. After releasing several new NFT collections that appeared to be little more than cash grabs, each less popular than the last, the team behind the project grew increasingly distant until going silent for over a month. Meanwhile, the team had pocketed over $21 million, largely thanks to the popularity the project had drummed up through influencer promotions from the likes of Jake Paul and Floyd Mayweather (both of whom, incidentally, are facing separate class-action lawsuits alleging impropriety in their promotions of crypto projects).

Suddenly, the project creator resurfaced on March 29, with a tweet claiming that he had been absent for a month because he had been... reading emails. The team then announced they would be handing the project reins over to a community member, though there was no mention of the $21.1 million that had already been pocketed by the original team.

The unexpected return came only days after the U.S. Department of Justice announced charges against two perpetrators of a different NFT rug pull, in which they stated unequivocally that "the same rules apply to an investment in an NFT or a real estate development. You can't solicit funds for a business opportunity, abandon that business and abscond with money investors provided you."

Popular blockchain game Axie Infinity suffers a $625 million exploit, the largest in defi history

One of the most popular play-to-earn games, Axie Infinity, suffered an enormous hack to the Ronin network on which it runs. The project announced that a majority of Ronin validator nodes had been compromised — four belonging to the Sky Mavis company that builds Axie Infinity, and one belonging to the Axie DAO. After gaining control of the validators, the attackers were able to approve malicious withdrawals of 173,600 ETH (about $600 million) and 25.5M USDC (a stablecoin, worth $25.5M). The $625 million loss was possibly the largest to date in the history of defi projects.

Sky Mavis announced that they had halted the Ronin Bridge and Katana DEX, and were making changes to their network to try to guard against future attacks. They also wrote that they were "working with law enforcement officials, forensic cryptographers, and our investors to make sure all funds are recovered or reimbursed".

Would-be collectors of new Pak NFTs lose thousands of dollars in gas fees on failed transactions

[Image: A rendering of a clear glass-like sphere partially filled with black sand, with a white 3D x partially embedded in the sand. Caption: One of the Ash NFTs]
Collectors were excited for a chance to obtain NFTs from the artist Pak's upcoming collection, "Ash Chapter II: Metamorphosis". Pak is an extremely popular digital artist, and his newest collection boasted collaborators including Pussy Riot, Paris Hilton, and others.

Unfortunately, the drop did not go smoothly. Heavy botting caused gas fees to spike, and the project claimed there were issues with MetaMask's estimation of gas fees. Outside parties have suggested the issue was not with MetaMask, but rather with a poorly-implemented smart contract.

People wound up making transactions that ran out of gas before completing, meaning they lost their gas fees and did not successfully receive any NFTs. Others paid sufficient gas, but ran into other errors with the contract that meant they didn't get an NFT. The spiking gas fees meant some people lost a considerable amount of money — people reported failed transactions that cost them amounts ranging from 0.1 to 0.8 ETH (between $338 and $2,700). Some who did successfully receive NFTs also claimed to have lost value as a result of the rocky mint, which they said contributed to a lower-valued NFT.

manifold.xyz, the group behind the mint, reported that they planned to reimburse people who lost gas trying to mint NFTs. Some people seemed happy with this solution, while others were upset that they missed their chance to obtain an NFT they wanted as a result of the problems.

Artist for Andrew Yang's crypto lobbying DAO is offered $500 after being promised "a percentage" of revenue in a project that raised at least $790,000

[Image: An intricate, rainbow-colored digital art mural of a city. Caption: Lobby3D mural]
In February, perennial political candidate Andrew Yang announced he had created "Lobby3", a DAO which he says will push for crypto-friendly regulation and "eradicate poverty". The website sports a cute illustration of a city, which was created by a group of artists, and which was also originally intended to be split into "puzzle pieces" to be minted as NFTs (though this apparently never came to pass).

One of the artists, Phillip Lietz, took to Twitter on March 28 to call out the group for the pittance he was offered for his work, posting screenshots of an email exchange he had had with a member of the project team. The emails show Lietz asking whether artists would receive compensation for their work, and a project team member replying: "Yes... any artist we select will receive a percentage of our revenue".

They went on to say that if they used his work, they would "negotiate a percentage of what we sell". The reply to Lietz's question about if there was a contract was: "No formal contract as we need to move fast, but I imagine this email would hold up in court as a written agreement if it ever came to that (it wouldn't! Andrew and I are men of our words!)" In a subsequent email, the team member wrote that they would "love to send you a Lobby3 Member token", and that "our artist commissions weren't huge, but [we] would love to send you $500 for your time and effort". Lietz replied to say that the DAO's NFT fundraising appeared to have raised at least $790,000, and that $500 was an unfair amount (although I suppose 0.06% is technically "a percentage"). The team member replied by basically negging Lietz, writing "Honestly, I didn't want to say this, but I will now mention: we weren't actually going to use your art in the project... but you seemed like a great guy and I wanted to throw you some cash and get you some exposure".

Anyway, nice job Andrew and team! Nothing says "eradicating poverty" and "empowering creatives" like paying them basically nothing.

Top Super Smash Bros. Ultimate player has his Twitter account hacked to shill NFTs

[Image: A pink robot with green drool and rolled-back eyes, with a head floating above the body. Caption: The profile picture of the hacked account]
MkLeo, who is widely considered to be the best Smash Ultimate player in the world, had his 217,000-follower Twitter account hacked and repurposed for NFT shilling. The scammers changed his profile picture to a pink robot creature with green drool, and began posting tweets talking about his supposed collaboration with The Possessed NFT project. The link in the tweets went to a scam website that claimed to allow people to mint NFTs from the actual Possessed NFT project. It's not yet clear how many people fell for the malicious link, but MkLeo's Twitter account appeared to be back under his control later that evening.

Another collector loses a Bored Ape to a phishing scam

[Image: A grey robot ape, making a confused face with an open mouth, wearing an orange beanie and black t-shirt on an orange background. Caption: Bored Ape #5778]
NFT collector Cameron Moulène was excited to see a link promising a merch drop in the bio of an account with the same branding as Bored Ape Yacht Club, but with the handle BoardApesYC (rather than BoredApesYC). Clicking the link, which matched the BAYC website link except with a character swapped in ("yarht"), the trader connected his wallet and soon found his favorite NFT transferred to the phisher. He had originally purchased Bored Ape #5778, which he described as his "forever ape" that he never planned to sell, in August 2021 for 53.88 ETH ($166,684 at the time). The scammer flipped the Ape within an hour for 110 ETH ($368,660).

When chastised by other NFT collectors who assumed he had stored the ape on a hot wallet, Moulène clarified that the NFTs had been stored in a Ledger hardware wallet. He later tweeted, "Since I've got a platform, here's what I learned today: COLD WALLET, does not just mean storing assets in a series of ledgers/trezors. It means a wallet that is NEVER Linked to anything besides MM or OS." Moulène went on to threaten legal action, saying, "Oh I will spend 10x that ape tracking these fucks down and suiting [sic] them into oblivion." and "I'm going to pursue legal action in the states and internationally (if need be) to find the people responsible and hold them accountable."
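The imitation described above (the handle BoardApesYC standing in for BoredApesYC, and "yarht" for "yacht" in the link) is the kind of near-match a brand-monitoring check can flag before users see it. The following Python code is an added example, not part of the original article: the length-scaled threshold, the function names and the sample handle list are assumptions chosen for illustration.

```python
"""Flag account handles or domain labels that imitate a protected name."""
import unicodedata


def normalize(name: str) -> str:
    """Case-fold, strip accents and drop separators such as '_' or '-'.

    Non-ASCII letters with no ASCII decomposition are dropped, so a swapped-in
    foreign letter still shows up as an edit against the protected name.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = decomposed.encode("ascii", "ignore").decode("ascii")
    return "".join(ch for ch in ascii_only.casefold() if ch.isalnum())


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions and swaps of two adjacent characters each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution or match
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def classify(candidate: str, protected: list, max_distance: int = 2):
    """Return (verdict, matched_name, distance) for one candidate string.

    'exact' means the same name ignoring case. 'lookalike' means the
    normalized forms differ by only a few edits; a distance of 0 there means
    the only difference is separators or accents. Anything else is
    'unrelated'.
    """
    cand = normalize(candidate)
    best = None
    for name in protected:
        if candidate.casefold() == name.casefold():
            return ("exact", name, 0)
        ref = normalize(name)
        # Assumed policy: shorter names tolerate fewer edits, which keeps
        # false positives down on five-letter words such as "yacht".
        allowed = min(max_distance, max(1, len(ref) // 4))
        dist = osa_distance(cand, ref)
        if dist <= allowed and (best is None or dist < best[2]):
            best = ("lookalike", name, dist)
    return best or ("unrelated", None, None)


if __name__ == "__main__":
    # Constructed sample: the two handles named in the article plus two
    # invented ones for contrast.
    for handle in ["BoredApesYC", "BoardApesYC", "Bored_Apes_YC",
                   "CryptoNewsDaily"]:
        print(handle, classify(handle, ["BoredApesYC"]))
    # The swapped character in the link, checked as a single label.
    print("yarht", classify("yarht", ["yacht"]))
```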

Owner of two pricey Ape NFTs sells them for $140 in a possible hack

[Image: A beige-furred ape with half-closed eyes, wearing sunglasses, smoking a cigarette, and wearing a leather jacket with no shirt underneath, on a yellow-green background. Caption: Bored Ape #835]
NFT trader Calvin Chan recently made some unusual NFT trades. He sold his Bored Ape, which he had bought in August 2021 for 16 ETH (then about $50,000), for 115 DAI ($115 — DAI is a stablecoin pegged to USD). Not only was this a near-total loss compared to the purchase price, Bored Apes' floor price is around 107 ETH (~$360,000), and this Ape likely could've sold for more than that. Chan also sold a Mutant Ape for 25 DAI/$25 to the same buyer — despite Mutant Apes' floor price of 22.5 ETH (~$75,000).

Some initially speculated that he may have mistaken the offer represented in DAI for ETH, as 115 ETH (~$387,500) and 25 ETH (~$84,000) would've been pretty reasonable trades for the respective NFTs. However, the trader posted on Twitter that he had been "swiped ... of his BAYC and MAYC... I am fine. In shock, but okay. Do i know what happened? No. Still trying to wrap my head around how and why."

NFT trader loses a Mutant Ape NFT to an NFT swap scam

[Image: An illustration of an ape that appears to be made out of volcanic rock and magma, with a green dripping face, smoking a pipe, wearing a sweater made out of worms. Caption: Mutant Ape #232]
A trader known by taylorRichie.eth agreed to swap their Morie NFT for a Doodle, in a trade they'd coordinated with a user on Discord. Because OpenSea doesn't support trading one NFT for another, only buying and selling them for crypto, the traders had to use a different, less-known swap platform to perform the trade. Although taylorRichie.eth took precautions, like typing in the URL themselves instead of clicking a link, they were still fooled into signing a malicious transaction that transferred a different NFT in their wallet, a Mutant Ape, to the scammer. The scammer then quickly flipped the stolen NFT to another buyer for 22 ETH ($73,585).

Revest Finance is hacked for $2 million

The Revest protocol was targeted with an attack that stole $BLOCKS, $ECO, and $RENA tokens from their vault. The protocol wrote that the attacker used a "highly sophisticated attack on a vulnerability that went unnoticed during our Solidity.Finance audit as well as ... multiple peer-reviews". The hacker quickly swapped the stolen tokens for ETH via various decentralized exchanges, then tumbled the funds using Tornado Cash. The protocol wrote that they "do not possess the funds needed for meaningful financial recompense, and are not covered by any DeFi insurance provider", but promised to try to "do everything within our power to make things as right as they can possibly be made".

Coinbase begins to require users in Canada, Singapore, and Japan to input personal information about the recipients of their crypto transactions

Coinbase began sending out notices to its customers who reside in Canada, Singapore, and Japan, to tell them that in early April, they will need to begin inputting information about the recipients of any crypto they send. Coinbase said the change was in order to comply with various regulations imposed by those countries. The specifics differ somewhat between the three countries: for example, in Canada, the verification is only required for amounts above CA$1,000 (about US$800); Japanese users need to provide verification for any amounts, but only if transferring to entities outside of Japan; and Singaporean users need to verify any amounts sent to anyone. Canadian and Singaporean residents will also need to provide the address of the recipient of their funds, whereas Japanese customers only need to supply the name and country of residence.

Some Coinbase customers in these jurisdictions seemed less than enthused at the announcement. One tweeted, "Wait, then what's the point of crypto/blockchain, being outside of fin.system and all.. I may be better off sending fiat money".