Web3 is Going Just Great

The attackers have distributed the tampered applications through websites that clone the legitimate applications' websites. Through search engine poisoning, primarily via Chinese search engines like Baidu, the attackers have successfully gotten unsuspecting users to install the malicious programs.

Crypto researcher Small Cap Scientist suggested on June 9 that the sell-offs may have been triggered by a "canary in the coal mine": a 50,000 stETH (nominally worth $45.8 million) sell-off by Alameda Research, a trading firm founded by Sam Bankman-Fried. SCS also reported that Celsius Network was "quickly running out of liquid funds to pay back their investors", and "they are taking massive loans" against "billions in illiquid positions" to pay back customers.

There has been a lot of concern lately about Celsius' reserves and its ability to honor redemptions, with some speculating that the platform might be underwater and forced to default. Celsius released a blog post on June 7 titled, "Damn the Torpedoes, Full Speed Ahead" where they accused "vocal actors" of "spreading misinformation and confusion", and promised that "Celsius continues to process withdrawals without delay", and that "Celsius has the reserves (and more than enough ETH) to meet obligations".

Celsius' June 12 announcement did not include any details on what their plans would be, just that they hoped it would allow them to "stabilize liquidity and operations while we take steps to preserve and protect assets".

On June 14, the Wall Street Journal reported that Celsius had hired restructuring attorneys.

Anyway, a project called Offline Cash has sprung up. In a stunning example of Poe's Law, the project seeks to provide a physical form of that digital physical cash people have spent so much time working on.

Hear me out: imagine you had paper notes that you could transfer to people in lieu of making a Bitcoin transaction! And unlike regular cash, it has an expiration date to keep track of!

One of the wallets used by the scammers had stolen 64 NFTs, though most of them were low in value. The address had also pulled in 16.5 ETH (~$30,000). However, most scammers rotate wallets, and this likely doesn't reflect the total damage from the scam.

Wintermute published a blog post taking responsibility for the error, and announced that they would "proceed to buy OP every time the attacker sells it to make the protocol whole eventually". So far the attacker has sold 1 million $OP for about $1 million USD.

Wintermute wrote that they were "open to see this as a white hat exploit", but if the funds were not returned within a week, they were "100% committed to returning all the funds, tracking the person(s) responsible for the exploit, fully doxxing them and delivering them to the corresponding juridical system".

Remarkably, the attacker returned 17 million of the tokens two days later, keeping 2 million as a "bounty". Wintermute agreed to reimburse the Optimism Foundation for the remaining 2 million $OP.

Although the project team promised that "every single one of our holders will win something", the collectors were in for a lot of disappointment: players never showed up for events, and Zoom meetups were never scheduled despite repeated requests, and merchandise was never sent. One person who was promised a signed jersey instead received a t-shirt, apparently devoid of any signature.

In mid-May, two project creators announced they would be "stepping back on the project as [they] cannot seem to please the community". The announcement broadly blamed the project's failures on "lack of interest" in the project. They said they would no longer be providing physical items, and would focus on "athlete utility", though in the time since then the project has remained similarly stagnant.

Collectors minted Players Only NFTs in early December for 0.08 ETH each (~$144). One NFT from the project has been sold on the secondary market in the last month, for $0.001 ETH (less than $2).

The Baby Elon token is of course not to be confused with Baby Musk, a different BNB Chain-based, baby Elon Musk-themed memecoin that rug pulled in February after a $2 million ICO.

The exchange has announced plans to repurchase $APX to boost the price, so far spending $600,000 to do so.

Developers halted the chain before liquidity pools were fully drained, but estimated that about $5 million was lost. They wrote that they were working on recovery plan; perhaps they will also encourage their community to report bugs privately, rather than via public Reddit post.

GYM Network promised to use the entire project treasury to bolster the price of their token, which tanked as a result of the massive sell-off. "We can't promise that it will bring the price back to 0.20$ but we will use it All to recover this attack," they wrote on Telegram.

On June 8, Cawthorn filed more reports of crypto trades he made in January to March, reflecting 24 purchases totaling between $290,000 to $950,000 in crypto projects including Kryll, Ethereum, Solana, Bitcoin, Let's Go Brandon, and Request.

Senator Lummis has long been a strong supporter of Bitcoin and crypto more generally, sporting a "laser eyes" profile picture on Twitter and speaking at Bitcoin Miami, where she was introduced as a "champion of Bitcoin".

500 attendees of the "Galaverse" event (a gathering put on by Grit's creators, Gala Games) were airdropped "epic" rarity horse NFTs, which those with keen eyes were quick to observe are simply a premade asset the developers purchased from the Unreal Engine Marketplace.

The Apocalyptic Apes Discord attackers stole around 21 NFTs. Bubbleworld attackers stole 171 NFTs, with combined floor prices amounting to around $243,000.

Maiar's founder and CEO has claimed that "most exploited funds have been either recovered in full, or will be covered by the Elrond Foundation", though it's not clear how (or if) any of the funds were recovered.

The collector had bought or minted the NFTs at various points over the past year, spending a total of 84 ETH on the ten stolen NFTs (worth ~$312,000 based on ETH prices at the time of each purchase). The thief has so far flipped seven of the Cool Cats NFTs for a total of 34.5 ETH (~$62,000). This collector doesn't appear to be the phisher's only victim; their Ethereum wallet shows a total balance of $365,000.

The Bored Apes Discord was also compromised on April 1, along with those of several other big-name NFT projects.

Next, the bill will go to Governor Hochul to sign or veto.

The report also detailed that 25% of the monetary amount lost to fraud since the beginning of 2021 was lost via cryptocurrency, and that the median individual loss was around $2,600. Most of the crypto scams were investment frauds, followed by romance scammers and business and government impersonators.

Not only did their roadmap include play-to-earn game (of course), collaborations with a Swiss shoe and apparel store that would send them actual gear, and real-life trips, but they promised that 15 "legendary" cards would "automatically generate" their owners $2,500 each month, for life. The project was promoted by Jake Paul, an influencer whose crypto promotions don't have a great track record to say the least.

The project team began to grow more distant after launch, posting less frequently. Promised apparel shipments never arrived. The team changed the legendary rewards from $2,500 a month to "a percentage of incomes from the game", which they said "could be a lot more than $2500 monthly" despite no game actually existing. The project team eventually disappeared, took down the Twitter account and website, and disabled the general chat in their Discord project.

Personally, I'm looking forward to telling my landlord that I can only pay half my rent because I lost the money I'd set aside for it in the crypto markets.

Crypto companies are not the only tech companies that have been slowing down hiring or even laying off employees recently, though rescinding already accepted offers is extremely unusual. A would-be employee wrote on the anonymous employee message board app Blind that their offer had been rescinded, and that "this feels like a nightmare that I can't wait to wake up from". A current Coinbase employee replied, "Dodged a bullet".

All my goblin asses gone.

The announcement came on the same day that the CFTC announced a lawsuit against Gemini for allegedly making false or misleading statements.

After the token plummeted, Hern received an email from the developers, who spun a story about how they were just fans of his, and that it was just an unfortunate mistake that people has mistaken their usage of his name and "Guardian" to mean he was involved.

It's not quite clear what happened, but it seems likely that it may have been a listing error. Onekiller had posted and then canceled listings for the ape several times in the past week and as recently as four hours before the sale, all between 250 and 145 ETH, suggesting that they had control of their account and made a mistake while entering the listing value.

The Financial Times writes, "While individuals have made similar warnings about the safety and reliability of digital assets, it marks a more organised effort to challenge the growing influence of crypto advocates who want to resist attempts to regulate the frothy sector."

However, Solana has been plagued with stability issues, and on June 1 it was taken offline by its developers for what CryptoWhale says was the eighth time this year. This occurred only days after an incident in which the Solana blockchain clock drifted significantly behind real-world time.

After leaving OpenSea in the wake of the allegations, Chastain began pitching a new NFT platform called "Oval" to investors, seeking $3 million in seed funding.

Chastain was arrested on June 1. The two charges he faces each carry a maximum sentence of twenty years in prison. The Attorney's Office described the charges as the first ever relating to insider trading of digital assets, and stated that, "today's charges demonstrate the commitment of this Office to stamping out insider trading — whether it occurs on the stock market or the blockchain."

Moeel responded to the criticism in a slew of tweets, writing in one: "Why did i trace tank girl art? Why did Occidental soldiers raid the Iraqi national museum of art and steal all of our cultural artifacts and history? Many questions to answer". Moeef also accused those expressing concerns about her appearance of racism, and described them all as "people who love the central banking system". "Big organizations come out to try to destroy my community of 90% women, mostly WOC like me", she wrote.

One other TCAF featured guest, Ngozi Ukazu, withdrew from the Festival, writing, "Not only do I disagree with the platforming of NFTS, but I also will not be a featured guest alongside an influencer who traces art and explicitly commodifies Black culture." TCAF wrote on Twitter that they were preparing a response to "valid concerns", and the subsequent day announced that they had rescinded the invitation due to "code of conduct violations and the concerns expressed by the comics community".

The project has been plagued with issues including missed deadlines, accusations of plagiarism (somehow), and connections to another rug-pulled project. Additionally, a flawed staking contract required the team to have holders migrate their NFTs to a new contract — a slow and painful process that has resulted in most of the NFTs being "stuck" in a temporary contract. People who have questioned the project or accused them of rug pulling have been banned from the Discord and blocked on Twitter.

Despite the team's repeat (though very infrequent) claims that the project is still going and is not a rug pull, this appears to be a classic "slow rug" — that is, when a project team engages just enough to keep the community from accusing them of wrongdoing, while still effectively abandoning the project. On May 7, a former community moderator for the project stepped down, publicly stating that "the team has all but given up on the project, they come back every 4 weeks to put forth just enough 'minimal' (understatement) effort to not get sued", and accusing the project team of not paying them as agreed.

Terra sleuth FatMan wrote on Twitter on May 30, "So far, the mBTC, mETH, mDOT and mGLXY pools have been drained. In around 12 hours, the market feed will kick in, and the attacker will be able to drain all of the mAsset pools (such as mSPY and mAAPL, mAMZN, etc.)". He begged Mirror developers to fix the oracle, writing that they are "completely MIA".

The trader later confirmed on Twitter that it was their mistake rather than an account compromise or some other hack: "Yep, was a fat finger. Was trying to list at 105. Never thought it'd happen to me. Devastating."

Meanwhile, the NFT's new owner has it listed for sale for 110 ETH (about $219,000), which will net them a tidy profit if they find a buyer.

The price of the new $LUNA token has been volatile on its first day, starting at around $17 and later valued around $5.70. This would make the attacker's holdings of airdropped tokens worth around $12.1 million, assuming they could find liquidity to cash out.

The project creators claimed it was a hack, and stuck around to try to keep the hope alive. They claimed on Telegram that for some reason they couldn't access the project Twitter account, and so couldn't inform their community of the hack. They also began rallying their community around hopes for a project relaunch. Meanwhile, they announced a "CHAT MUTE UNTIL TOMORROW TO AVOID FUD" — as any reputable, not-rug-pulled project would do, I'm sure.

According to BleepingComputer, only about $1,700 in deposits appeared to have gone to addresses associated with the scam, although they acknowledged that the addresses are likely rotated and so the true amount may be larger.

Someone brought the scam to Musk's attention on Twitter, where he replied, "Yikes. Def not me." The YouTube channel hosting the videos was taken down shortly after.

Bitso is a major Latin American exchange, with mor than four million users across Mexico, Argentina, Colombia, and Brazil.

FatMan discovered one instance where a person deposited $10,000 and later withdrew $4.3 million. According to FatMan, they found repeated exploits of this type that earned attackers "well over $30 million". Another researcher on Terra forums estimated about $88 million had been exfiltrated from the project in this way, over the many months the bug went undiscovered and unpatched by Mirror developers.

Blockchain timekeeping is also selling point of Solana, which talks up its "proof of history" algorithm in a blog post where Solana Labs co-founder Anatoly Yakovenko says, "our clocks never drift".

Billy Markus, one of the original creators of the Dogecoin cryptocurrency (both of whom have since left the project), tweeted, "luna 2.0 will show the world just how truly dumb crypto gamblers really are".

The highly exclusive group of NFT collectors known as Proof Collective, of which this trader was a member, was reportedly preparing a report for the FBI and police. Because the attacker used an exchange that requires KYC there may be some possibility that their identity could be traced, although falsified KYC is also increasingly common.

The company has already raised $70 million in token sales and a Series A funding round led by Andreessen Horowitz (aka a16z), which seems like a startling amount of money to give to someone who resigned from his previous company amidst accusations of some serious self-dealing and the creation of toxic corporate culture.

On May 26, Cawthorn filed a disclosure to say he had bought between $100,000 and $250,000 of the "Let's Go Brandon" ($LGB) coin on December 21 — eight days before posting that the coin would "go to the moon" just before a deal with NASCAR was announced. The coin then went up in price and Cawthorn sold at least $100,000 of his holdings. This timing led to accusations that Cawthorn had advance knowledge of the partnership.

Cawthorn also disclosed in the same May 26 filing that he bought between $101,000 and $265,000 of Ethereum in late December. Although Congressmembers are required by the STOCK Act to disclose purchases of various assets (including cryptocurrencies) within 45 days of the transaction, Cawthorn's disclosure came five months after the purchase. Cawthorn recently lost his primary, ending his chances of re-election, but his current term isn't slated to end until January 2023.