Sadly for the scammer, the scam was discovered and shut down when they had only managed to scam one person. The unsuspecting collector sent 0.3 ETH ($800), which the scammer transferred to Tornado Cash.
Someone hijacks a Ferrari domain to host scam NFT mint
- "Ferrari subdomain hijacked to push fake Ferrari NFT collection", BleepingComputer
Day of Defeat project rug pulls for $1.35 million
The project's website is one of the most absurd I've seen, promising that "all final holders will get 10,000,000x gains". Their project roadmap includes a "mystery plan" that results in a 1,000,000x price increase. Their FAQ states, "First of all, we promise that the team will not redeem the fund pool." Apparently projects based on pinky swears aren't great investments.
After the funds were drained, the project claimed that they had been compromised by an external actor, and had "reported to Binance and local authorities".
OpenSea Discord hacked
Given OpenSea's prominence, it's surprising that the hacker managed to obtain relatively few NFTs of much value. The wallet appeared to have successfully stolen only 13 NFTs, none of which were from high-value collections, which are worth a collective $20,000 if resold at the collections' floor prices.
OpenSea tweeted several messages acknowledging the hack and urging users not to click any links. They have not yet confirmed that they've conclusively re-secured their server.
"Double your money" scam using an old livestream of Elon Musk, Jack Dorsey, and Cathie Wood earns crypto scammers $1.3 million in 24 hours
McAfee identified 26 scam websites that were linked from the YouTube livestreams, which altogether took in $1.3 million in Bitcoin and Ether in a 24 hour period.
Mining Capital Coin CEO indicted for $62 million investment fraud scheme
Capuci was charged with conspiracy to commit wire fraud, conspiracy to commit securities fraud, and conspiracy to commit international money laundering. If convicted on all counts, he could be sentenced to up to 45 years in prison.
- "CEO of Mining Capital Coin Indicted in $62 Million Cryptocurrency Fraud Scheme", U.S. Department of Justice
Pragma defi protocol developers rug pull for $1.5 million
The rug pull appeared to have been perpetrated by one team member, although several other team members had to sign off on the transaction in order for it to go through.
The team had had their real-life identities verified by Obsidian, and remaining team members said they were working with Obsidian to try to investigate those behind the theft. Third-party KYC verification like the service Obsidian provides is often used by crypto projects to increase trust, though Pragma is hardly the first project with this kind of verification that stole funds anyway.
Juno accidentally transfers $36 million in seized funds to inaccessible wallet address
Juno intended to transfer the seized tokens from the individual whale's wallet to a community-controlled wallet. However, the person making the transfer accidentally copied and pasted the wrong value, resulting in the funds being sent to a wallet address that no one can access — effectively burning the tokens.
Daniel Hwang, who helps run one of the Juno validators, said to CoinDesk, "We fucked up big time". He also offered an unusual opinion: "Validators should have due diligenced for ourselves to actually check the code we're executing and running".
Shortly after the botched transaction, the Juno community began voting on a proposal to hard fork a second time to fix their mistake.
Attacker compromises MM.Finance to redirect $2 million in crypto assets to their own wallet
"Please do not perform any transactions or your funds will be sent to the exploiter wallet," MM.Finance tweeted shortly before taking the website offline. Three days earlier, MM.Finance had published a blog post to address "FUD" in their ecosystem stemming from a popular Reddit post that described MMF as an "inverse pyramid of derivatives" that the author believed would "topple", and outlined the project's "rosy future".
The project promised to try to compensate users, with its developers foregoing 45 days of trading fees to reimburse users. They also appealed to the OKC crypto exchange to intervene to help recover funds from someone they believed to be the attacker, and threatened the attacker with the FBI. "With all these information, we have more than what we need to bring this information to the FBI," they wrote on Twitter. "So here's the deal, return 90% of the funds you stole and we will let this go, no questions asked. You have 48 hours to return these funds."
- Tweet by MM.Finance
- "Mm Finance — The road ahead", MM.Finance blog
- "Personal Take on Events and Existing Tokenomics", post from r/MMFinance
- "DNS Hi-Jacking Post Mortem & Compensation", MM.Finance blog
ape holders can use multiple slurp juices on a single ape
so if you have 1 astro ape and 3 slurp juices you can create 3 new apes
Tonight's slurp juice mint event is essentially a minting event for both Lab Monkes and Special Forces
Video game company Square Enix agrees to sell much of their Western IP so they can go into the blockchain market
The sale agreement announcement came at a tough time for Square Enix, as it was published the same day as a report from the Wall Street Journal that "NFT Sales are Flatlining".
NFT sales drop 92% from peak, says Wall Street Journal
However, the article must be taken with a grain of salt. It's very difficult to determine in the moment what's simply a temporary lull rather than a death spiral, and notoriously inconsistent NFT and crypto data sources can tell wildly different stories.
- "NFT Sales Are Flatlining", Wall Street Journal
The Vatican plans a metaverse NFT gallery
For now it sounds like the project doesn't involve selling NFTs, which raises the question of why NFTs are required at all when the goal seems to just be to display artwork online — something the Vatican already does. Personally, until I can own the Popemobile in the metaverse, I'm not interested.
Juno whale threatens to sue network validators if community confiscates his tokens
The whale has repeatedly appealed to the community not to revoke his tokens, even trying to claim that the Juno developers had been secretly selling off $JUNO and damaging the community. Unfortunately for him, he didn't succeed in swaying the community, who voted on April 29 to confiscate his tokens.
The whale has threatened to take "legal action against each validator" if the community burns or locks the tokens that previously belonged to him, and which he claims to have been managing on behalf of clients in an investment scheme.
Wikimedia Foundation stops accepting cryptocurrency donations
The Wikimedia Foundation has accepted cryptocurrency donations since 2014, accepting donations in cryptocurrencies including Bitcoin, Bitcoin Cash, Ether, Ripple (XRP), Litecoin, Dogecoin, and the DAI and USDC stablecoins. However, it has made up a small portion of the non-profit's donation revenue — they received only $130,000 worth of crypto donations in the last fiscal year, which made up 0.08% of their revenue.
There has been strong pressure from crypto advocates on the WMF to accept crypto donations — both in 2014 when it was initially implemented, but also via brigading of the recent community discussion.
- Announcement from the Wikimedia Foundation
- Community discussion culminating in the request
Phishing sites appearing to be the "Otherside" Bored Ape land project steal NFTs valued at $6 million
Blockchain sleuth zachxbt found one such address that had netted around $1 million in NFTs just today, and tracing its transactions led to two other scammer wallets containing $5.1 million of other stolen NFTs.
Popular NFT mint spikes Ethereum gas prices; OpenSea transaction fees exceed $3,500
Most trading on OpenSea during this period was for the much-anticipated Otherside land deeds, which sell for around 5 ETH ($13,500) plus gas. However, some people oddly continued to buy and sell cheaper NFTs, including one person who bought a 0.1 ETH ($275) NFT and paid $3,850 in transaction fees.
- Tweet thread by Molly White
- "Goat Soup #3672" sale on Etherscan
- Archived gas fee page showing high prices
Solana goes down again
This is hardly the first instability the network has demonstrated, much to the chagrin of its users. Transaction flooding is an issue on Solana in part because of the low transaction fees compared to networks like Bitcoin and Ethereum, which have relatively high gas fees that would make flooding extremely expensive.
"Official" Teenage Mutant Ninja Turtles NFT project buys a fake IP rights contract
In late April, the Twitter account was suddenly suspended. On April 30, the TMNT project announced in their Discord that they had discovered that they had been sold a "fake IP rights contract", which they learned after communication from Paramount. They, probably overly optimistically, wrote that they would be pausing the project but they were hoping to "continue the project hand in hand" with Paramount.
Saddle Finance loses more than $11 million to hack
Saddle Finance had lost money once before, right after it launched in January 2021. An individual was able to arbitrage Saddle Finance pools for a profit of around $275,000.
- Tweet thread by PeckShield
- "Update on Saddle’s Launch", Saddle Medium
$80 million stolen from Fei Protocol and Rari
Fei Protocol tweeted that they had paused borrowing to avoid further thefts, and offered a $10 million bug bounty if the hacker returned the money.
SEC files fraud complaint against NASGO organizers
- "SEC Alleges Fraud in Digital Asset Securities Offerings", U.S. Securities and Exchange Commission
Deus Finance exploited for $13.4 million in the second hack in two months
Deus had suffered a similar attack in March, with an attacker using a flash loan attack to steal more than $3.1 million. Deus reimbursed users who were liquidated in the incident.
According to Deus' CEO, the exploit in this incident was not the same one used in the previous attack. He wrote on Twitter that the exploit was "the first of its kind, a zero-day exploit on Solidly [decentralized crypto exchange] swaps".
Central African Republic adopts Bitcoin as legal tender
The Bank of Central African States (BEAC) has expressed surprise at the CAR's choice, saying that they only learned about it along with the rest of the public. Two former prime ministers of the CAR co-authored a letter stating that adopting Bitcoin as legal tender without guidance from the BEAC was a "serious offence".
Scammers create fake Louis Vuitton NFT project
The project airdropped these NFTs to NFT whales, causing some trackers used by people who follow and imitate whales' behavior to believe the whales themselves had minted the NFTs. The site then used a random counter to make it appear that the NFTs were quickly selling out, causing people to quickly mint their NFTs in fear of missing out. One NFT collector recounted her experience falling for the scam, buying five of the NFTs for a total of 0.6 ETH (~$1700) in hopes of striking it rich on a newly-launched project before it became widely known.
An examination of the website source code shows that the project is reusing code from a different scam based around World Cup themed NFTs.
Representative Madison Cawthorn faces accusations of insider trading and disclosure violations related to Let's Go Brandon coin
Fidelity plans to allow people to put retirement savings into Bitcoin
The Employee Retirement Income Security Act of 1974 requires plan fiduciaries to act solely in the financial interest of plan participants, and the U.S. Department of Labor issued guidance in March reminding plan fiduciaries of this duty, urging them to "exercise extreme care before including direct investment options in cryptocurrency". In a blog post shortly after, the DoL wrote that they had "serious concerns" about plans that would expose participants in cryptocurrencies and related products, outlining risks including valuation concerns, obstacles to making informed decisions, price volatility, and a still-developing regulatory landscape.
A Fidelity executive said that the company "believe[s] they should withdraw that guidance".
MetaDocs NFT project wants TikTok-famous doctors to diagnose you, but they don't have a license
Whether they actually get close to that dream very much remains to be seen. The project has faced several setbacks, including complaints from doctors whose likenesses were used without permission, and lack of any telemedicine license that would allow doctors to actually provide remote medical services. The project has also faced criticism for hosting "Ask a Doc" chats where physicians answered various questions without clarifying they weren't providing medical advice, for listing "physicians" in their whitepaper who were still completing residency, and for pledging to donate its first $1 million in revenue to an autism-related charity which has promoted the false claim that vaccines cause autism and has described autism as a disorder that needs to be "cured".
Reggie Fowler pleads guilty to fraud in Crypto Capital case
After initially rejecting a plea offer that would have allowed him to plead guilty to one felony if he forfeited up to $371 million, Fowler ultimately decided to enter an open plea to the charges against him and skip a trial. He pled guilty to five charges: bank fraud, conspiracy to commit bank fraud, operating a money transmitter business, conspiracy to operate a money transmitter business, and wire fraud. Fowler faces a maximum sentence of 90 years in prison.
FTX founder Sam Bankman-Fried tries to explain yield farming and it's just a ponzi
Levine responded, "I think of myself as like a fairly cynical person. And that was so much more cynical than how I would've described farming. You're just like, well, I'm in the Ponzi business and it's pretty good."
- "FTX/ Defi: If it looks like a duck and quacks like a duck . . . ", Financial Times
133 NFTs valued at $2.4 million stolen when hacked Bored Apes Instagram advertises fake land airdrop
The post invited people to visit a website that prompted users to connect their wallets in order to receive the airdrop. Users who did so found their NFTs transferred out of their wallet to the scammer. So far, 44 people have fallen for the scam site, transferring a total of 133 NFTs with an estimated value of around $2.4 million. The stolen NFTs included items from pricey collections including Bored Apes, Mutant Apes, Bored Ape Kennel Club, and CloneX. Several of the NFTs had previously been sold for over $100,000 each.
- Tweet by Bored Ape Yacht Club
- Scammer wallet on Etherscan
Epoch Times writers mass-mail unsolicited "newspaper" promoting crypto
Byrne and Collins published the paper via their co-founded company Streetlight Equity. The firm has also published ostensibly economic-focused articles that include conspiracy theories about how U.S. sanctions on Russia are all a part of a plan to "force the left's green agenda", and rail against pandemic lockdowns.
This is not the first unsolicited newspaper from the Epoch Times or its associates; the Falun Gong-associated and strongly anti-Chinese Communist Party publication previously distributed an unsolicited "special edition" which described COVID-19 as the "CCP virus". This led to pushback from the Canadian postal union, which urged the Canadian government to ban its distribution as hate speech that it feared would endanger Asian Canadians. The Epoch Times has also spread QAnon and anti-vaccine conspiracy theories, spread false claims of fraud in the 2020 United States presidential election, and promoted far-right politicians in Europe.
Binance gave Putin regime information on users who donated to opposition leader Alexei Navalny
Navalny has been imprisoned in Russia since returning in January 2021, shortly after recovering from poisoning: an attempt on his life reportedly ordered by Putin. While in prison, Navalny's foundation has encouraged people to donate cryptocurrency using Binance. They have raised more than 670 Bitcoin ($28 million) so far, despite the Russian government outlawing the foundation and labeling it a terrorist organization. Donors to Navalny's cause now face potentially serious danger as they've been identified to the Putin regime by Binance.
Crypto proponents have long promoted the technology's potential to fund individuals who are targeted by oppressive regimes, and to allow anonymous and untraceable donations.
AkuDreams NFT project earns $34 million that its team will never be able to withdraw
The contract suffered from several flaws, however. The first allowed an exploiter to stop all refunds and withdrawals from the contract. Luckily for the team, the exploiter was well-intentioned and only intended to highlight the issue; they removed the block shortly after, leaving a message urging the team to have their contracts audited before release.
AkuDreams were not so lucky with the second issue. A bug in the code failed to account for users minting multiple NFTs in a single transaction, which made it so that the claimProjectFunds function that would allow the team to withdraw their earnings can never successfully execute. This means that the team can never withdraw the 11,539 ETH ($34 million) earned from the NFT sales — it is stuck there forever.
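To make the accounting mismatch concrete, here is an added Python model of the lock-up, not the AkuDreams contract itself. The counter names and the exact gate are assumptions about how the withdrawal check was wired: a refund counter advanced once per bidder can never catch up with a mint counter advanced once per NFT as soon as one wallet mints more than one NFT in a single transaction.

```python
"""Model of a withdrawal gate that compares two counters kept in different units.

Added illustration, not the project's code. Assumed (hypothetical) names:
refund_progress counts bidders processed, total_bids counts NFTs minted.
"""
from dataclasses import dataclass, field


@dataclass
class BuggyAuction:
    total_bids: int = 0                      # advanced once per NFT at mint time
    refund_progress: int = 0                 # advanced once per bidder when refunding
    bidders: list = field(default_factory=list)

    def mint(self, who: str, qty: int) -> None:
        """One transaction can mint several NFTs; the counter tracks NFTs."""
        self.bidders.append((who, qty))
        self.total_bids += qty

    def process_refunds(self) -> None:
        """Walks the bidder list once; the counter tracks bidders, not NFTs."""
        for _ in self.bidders:
            self.refund_progress += 1

    def claim_project_funds(self) -> bool:
        """Gate as the page describes: the team may withdraw only once refunds
        are 'finished'. Returns False where the contract would revert."""
        return self.refund_progress >= self.total_bids


class FixedAuction(BuggyAuction):
    def process_refunds(self) -> None:
        # Fix: advance the refund counter in the same unit as total_bids (NFTs).
        for _, qty in self.bidders:
            self.refund_progress += qty


def counters_consistent(auction: BuggyAuction) -> bool:
    """Invariant a pre-release audit would check: after refunds, both
    counters must agree, regardless of how many NFTs any one wallet minted."""
    return auction.refund_progress == auction.total_bids


def simulate(cls, mints) -> bool:
    """Run a mint/refund/claim cycle and report whether the claim succeeds."""
    auction = cls()
    for who, qty in mints:
        auction.mint(who, qty)
    auction.process_refunds()
    return auction.claim_project_funds()


# Constructed sample: one wallet mints three NFTs in a single transaction.
SAMPLE_MINTS = [("alice", 1), ("bob", 3), ("carol", 1)]
```

With only single-NFT mints the buggy gate happens to pass, which is why the flaw survives casual testing; the constructed sample above is the case that locks the funds.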
Hacker pulls $1 million from defi project, then destroys contract without withdrawing the funds
Scammers phish $4.3 million from Terra users in ten days using Google Ads
52 different people fell for the scam, losing a total of around $4.3 million in assets. The scammers appeared to be targeting high-value wallets, with only two accounts transferring less than $1,000. 24 individual wallets were scammed for more than $10,000 each, 7 wallets lost more than $100,000, and one user lost almost $1.4 million.
Rogue Society team resurfaces after being called out for rug pulling $5.5 million
Following a thread by zachxbt outlining the team's rug pull, the project founder made the first post in the project Discord since December, announcing a theme song competition with no acknowledgement of the team's absence and lack of progress.
This event once again shows how it is people like zachxbt who are left to try to hold project creators accountable in the absence of reasonable regulation or enforcement.
Binance adds a branded hashtag to Twitter that closely resembles a swastika
More than a few people expressed shock at seeing what they believed to be a hate symbol on their Twitter feeds from a large brand. The date of release only made things worse — April 20 is celebrated among fascists because it is Hitler's birthday. Tweets from Binance's official Twitter account and the Twitter account of founder and CEO Changpeng Zhao (known as "CZ") were quickly deleted, though the emojis remained. Several hours later, Binance changed the emoji to a globe with the Binance logo.
Twitter doesn't publicly list how much it costs to obtain a branded hashtag, though most articles I could find listed the price at around $1 million. I'm not sure if this is per hashtag or per emoji — the new emoji appears on several related hashtags.
Rich Bulls Club team resurfaces after being called out for rug pulling $3.7 million
Two hours after zachxbt published his research, the team made their first post in three months, with multiple excuses for the issues zachxbt highlighted.
NFT influencer 0x_fxnction suffers $240,000 wallet compromise
He said he hadn't used the wallet to mint any NFTs since October, and said he had revoked all access to minting websites since then. He wrote that he was unsure how the compromise had happened: "My best guess: an old minting site from October still had access to my wallet, even after 'revoking' happened in Phantom.... But honestly, it's just a guess."
Developers drain over $1.1 million from $CHEDDA
Members of the Chedda team claimed on Discord that they were not behind it, and that it had been done by an outsourced development team who was working on the project's farming and staking. "They technically should've been within contract, but they robbed us," wrote Discord moderator Ali Michelle (referring to legal contracts rather than smart contracts). "They were in contract so it would be illegal and full on theft, i believe". Despite the devastating loss, Michelle urged remaining members of the community to "hodl and help us bring this back to life!"
The project had been audited by CertiK, who were quick to note that the contract containing the function used to drain funds was "not in CertiK's audit scope".
Atari cuts ties with their "Atari Token" partner
Atari Token was described as "decentralized cryptocurrency that was created to become the token of reference for the interactive entertainment industry". It launched in November 2020, tanking in price immediately on release. Despite a brief boom around March 2021, the token has mostly traded below its launch price.
In the press release, Atari wrote, "Atari disclaims any interest in the [...] Joint Venture, currently promoted as Atari Tokens, and related websites, whitepapers and social media channels are unlicensed, unsanctioned and are outside the control of Atari." They also wrote that they would be replacing existing $ATRI tokens with new tokens in the future. Atari wrote that the termination of the hotel and casino agreements resulted in an €11 million ($11.8 million) write-off, but that the financial impact of the token changes wouldn't be disclosed until the FY22 report.
$650,000 phishing attack against MetaMask user reveals that credentials are automatically backed up to iCloud
It's not yet clear if others have been affected by the same type of attack, but MetaMask tweeted instructions for iCloud users on how to turn off the automatic backups. Most people seemed to have previously been unaware that this data was being backed up in iCloud. MetaMask turned off replies on their tweet announcement, apparently anticipating the outrage from their users. Iacovone was among the outraged, writing, "Keep exposing MetaMask until they do what is right and take care of this issue and the people affected by it".
Palisade discloses infectious XSS vulnerability on Rarible that could have arbitrarily changed NFT listing data and transactions
The researchers were able to inject malicious code into the profile photo on Rarible, which only required a person to visit the malicious profile in order to run. This code could have then "infected" other signed-in users' profile photos, increasing the spread of the vulnerability to anyone who then visited their profiles. Once infected, the code would persist across all pages on Rarible, and could change arbitrary data on NFT listings, modify smart contract interactions, leak or modify profile information, or prompt users to sign arbitrary messages.
In an example, the researchers showed how a listing of a Bored Ape (pricey NFTs which currently have a floor price ~100 ETH / $290,000) could be modified for an impacted user to appear as though it was listed for only 1 ETH (~$2,900). A user who attempted to buy the apparently massively-discounted NFT could then be prompted to approve a sale transaction which would actually run a setApprovalForAll call that would allow the attackers to steal crypto and NFTs from the user's wallet.
This bug was the second Rarible vulnerability that was publicly disclosed this week, following a vulnerability with SVG NFTs disclosed by Check Point Research on April 14.
After the security researchers responsibly disclosed the vulnerability, which could have quickly wreaked havoc across Rarible's entire userbase, Rarible patched the issue and awarded them a bug bounty of $5,000. Good luck to Rarible if the next people who find a bug are even slightly more motivated by money than they are by ethics.
Prominent former defi developer Andre Cronje calls for crypto regulation as he founds an investment banking company
The reasoning may have just become clear, as Cronje published a blog post titled "The rise and fall of crypto culture" in which he wrote, "Crypto culture has strangled crypto ethos... I now more than ever see the need, or even necessity for regulation, not as a mechanism to prevent, but as a mechanism to protect. Its like a child trying to stick their finger into a electric outlet, you stop them, before they can learn why they shouldn't. One day they will understand, but not today." He remained optimistic about the prospects of crypto if regulation is introduced: "We will see the rise of a new blockchain economy, not one driven by greed, but instead driven by trust, not trustlessness."
Not everyone was impressed by his apparent change in tune. Twitter user 0xCana wrote, "andre cronje with the gigagrift walking away with over 1 billion dollars generated from crypto and then exits the space, rails against 'get rich quick mentalities' and advocates for strict regulations and then founds an investment banking company. incredible."
- "The rise and fall of crypto culture", Andre Cronje on Medium
- Tweet by 0xCana
2omb and Redemption defi projects endure repeated flash loan attacks
Starting on April 18, the projects were targeted with a series of flash loan attacks. The project faced a total of 267 flash loan attacks within one day, leading to major volatility in the ostensibly stable coin. In an impressive display of optimism, a project team member wrote, "This has caused a large price pump. (Also benefited with 3% more burned tokens in fees.) The outcome and intent of the person who has done this, is unknown and it may work in our favour, Do not panic, and do not buy or sell until stable." The attacker made a profit of around $190,000 from the attacks.
Beanstalk Farms stablecoin project loses $182 million to exploit
Estimated damages to the project were higher than the amount the hacker was able to take for themselves — around $182 million. The $BEAN token, once pegged to $1, dropped to nearly 0. The project creator wrote in the Discord, "We are fucked. This project has not had any venture backing, so it is highly unlikely there is any sort of bail out coming." However, they were later slightly more optimistic, writing, "it may also be the start of something good... there may be a path forward. We don't want to comment on next steps until that path is at least visible to us" while reiterating that a bail-out was "highly unlikely". They also told members of their community that they had contacted the FBI about the theft.
Someone successfully games raffle for popular NFT allowlist with Sybil attack
This did not go over so well for the people who were eager to get a spot in line to mint NFTs that cost 2.5 ETH ($7,650), but were selling with a floor price of 13.1 ETH ($40,000) on the secondary market shortly after the mint completed. If the person behind the Sybil scheme flipped their NFTs for the current floor price, they could make upwards of $1.6 million in profit.
Pseudonymous Gem cofounder revealed to be hiding a history of alleged sexual abuse, some targeting children
Following the publication of the BuzzFeed article on April 16, the Gem Discord erupted in anger — apparently discovering for the first time that Gem had known Thompson's real identity for quite a lot longer than they had let on. Some members accused the team of lying and trying to cover up who Thompson was, demanding the team explain themselves. The Gem Discord bot was subsequently configured to block links to BuzzFeed.com, so people couldn't post the exposé article.
Crypto culture has embraced pseudonymity to such an enormous degree that not only is it common for everyday traders to cloak their identities behind wallet addresses or pseudonyms, but for founders and prominent members of major projects to do so as well. This is not the first time this has enabled deception, as in the case where the chief developer of a defi project was later unmasked as a man with a history of financial crimes and other shadiness.