As with many of these attacks, it's not immediately clear if there was truly an outside party who gained unauthorized access, or if the "attack" was actually a rug pull or an inside job. The project tweeted on July 16 that they were "continu[ing] to investigate" and had hired outside security firms to try to help them identify the hacker and recoup lost funds.
One single wallet targeted by the phishing attack lost more than $6.5 million worth of Ether and Bitcoin, and another targeted by attackers lost around $1.68 million worth of those currencies.
Rival firm Nexo has said it is considering acquiring Vauld, though some have expressed skepticism that Nexo is in a position to afford such an acquisition.
The usage of the exchange by residents of sanctioned countries could draw the attention of US regulators. It's also the latest in several investigative reports by Reuters into Binance, in addition to a June report that the exchange facilitated $2.35 billion in illicit transfers from 2017–2021, and an April report that Binance supplied the Putin regime with information about crypto donors to opposition leader Alexei Navalny.
Bifrost wrote in their post-mortem analysis that because the attack was limited to the BTC address registration server, and the hack didn't exploit any smart contract or protocol vulnerabilities, a security audit performed by Theori "is still valid"—leading one to wonder why anyone should trust an "audited" platform if $2.25 million in assets can be stolen without invalidating an audit.
- "Post-mortem: BiFi-BTC illegal address registration", Bifrost blog
Hackers used NFTs from the popular Doodles collection as collateral to borrow wETH, then withdrew all but one of the NFTs, allowing them to perform a re-entrancy attack. The attacker then laundered the funds using the Tornado Cash cryptocurrency tumbler.
According to Omni, only funds belonging to the platform that were being used for testing were taken by the attacker.
- "Hacker drains $1.4 million worth of ETH from NFT lender Omni", The Block
- Exploiter wallet on Etherscan
Although they initially dodged naming the counterparty, CEO Mark Lamb eventually publicly stated that this counterparty was Roger "Bitcoin Jesus" Ver, who he said failed to meet a $47 million margin call. However, Ver publicly refuted this claim, stating that CoinFLEX in fact owed him money. Both parties went back and forth, each accusing the other of misrepresenting the situation.
On July 9, the company stated that they would be seeking arbitration to recover $84 million from Ver—an updated figure that they said factored in the "significant loss in liquidating his significant FLEX coin positions".
In late June, the exchange laid off 30% of staff and took other measures to cut costs. They later disclosed they were short $70 million, partly from exposure to the Terra ecosystem which collapsed in May.
- "Peter Thiel-Backed Crypto Lender Vauld Files for Protection Against Creditors", The Wall Street Journal
What he didn't mention was the lawsuit that had just been filed against the company, by investors who allege that Ravlich and his co-founders lied to investors and never created any usable product or service. Investors claim to have lost millions in cryptocurrency, and one alleged that Ravlich and his compatriots used a shell company in the Cook Islands to make it harder for him to recoup his losses.
Hypernet initially promised to build a system for renting unused computing power, and in 2018 raised around $20 million in an initial coin offering. In late 2021, Hypernet "pivoted hard" into NFTs, which one investor stated was a "knee jerk reaction to the flavour of the day" and a "last-ditch attempt to find a non-existent market for a non-existent product".
The legal complaint reads, "Prior to Plaintiff coming on board, Defendants had no unified, organized, or overarching investment strategy other than lending out the consumer deposits they received. Instead, they were desperately seeking a potential investment that could earn them more than they owed to their depositors. Otherwise, they would have to use additional deposits to pay the interest owed on prior deposits, a classic 'Ponzi scheme.' The recent revelation that Celsius does not have the assets on hand to meet its withdrawal obligations shows that Defendants were, in fact, operating a Ponzi-scheme."
This is not Reddit's first foray into NFTs. The platform launched four 1-of-1 "CryptoSnoo" NFTs in June 2021, which allow the four holders to display the NFTs on their profile. The "Collectible Avatars" appear to be an attempt to open this same functionality to a broader group of Redditors, while simultaneously appearing to try to sidestep the more negative sentiment around NFTs that has developed since their last project.
2gether had previously made news in August 2020, when hackers stole 114 Bitcoin and 276 ETH—then worth around €1.183 million ($1.2 million), and representing 15% of customer funds. The company successfully raised €1.5 million ($1.52 million) in a financing round several months later to cover the loss.
- La plataforma de criptomonedas 2gether cierra y deja a 100.000 afectados, La Vanguardia (in Spanish)
Luckily for them, they were able to pause the contract before anyone exploited it in ways that were not so easily rectified. The ability to receive $1 trillion in USN out of $1 could have easily been used to drain the USN/USDT liquidity pool.
The plans enraged some of their users, who called the company a scam and questioned the decision to charge only the users with the least funds. Following the backlash, Bitstamp walked back the decision to impose the fee.
Genesis is owned by the deep-pocketed Digital Currency Group (DCG), which may enable it to weather this loss better than some of its crypto brethren. CEO Michael Moro tweeted that "DCG has assumed certain liabilities of Genesis" relating to Three Arrows Capital's inability to meet a margin call.
Report reveals that crypto investment firm Uprise lost 99% of customer funds trying to short Luna during its collapse
The firm advertised its AI-enabled automatic trading strategies, which it said would reduce the risk involved with leveraged crypto trading.
A spokesperson for Uprise stated, "It is true that damage to customer assets has occurred due to unexpected great volatility in the market."
- "Uprise lost 99% of client funds while shorting LUNA during its price crash: SE Daily", The Block
- [단독] '카카오·KB 베팅' 코인투자사, 루나로 267억 날렸다, Seoul Economic Daily (in Korean)
Voyager CEO Stephen Ehrlich wrote on Twitter that he expected that Voyager would "emerge as a stronger company", certainly an optimistic prediction for a crypto broker that froze customer funds with no promise they will ever be able to access them, then filed for bankruptcy.
U.S. Office of Government Ethics issues guidance prohibiting executive branch employees who hold crypto from working on crypto policy
The OGE's purview is limited to the executive branch, meaning that although this impacts White House employees and federal agencies like the Federal Reserve and Treasury Department, it unfortunately does not apply to legislators.
The website advertises specifications for an eventual console that contradict one another—it will be both 4K and 8K, for example—and promises to integrate Apple's TouchID (despite the fact that Apple does not allow non-Apple products to use that technology). The product's Medium page describes their plans to take pre-orders before the console hardware is built (good sign), and estimates a release date of Q3 2024.
Polium has also gotten flak for its logo, which quite resembles the GameCube logo. Although they claimed in a tweet that "we did not copy the Nintendo's GameCube logo", they also promised to "illustrate a new logo that is original"—apparently acknowledging that theirs is not.
Apparently forgetting the industry they're in, CoinLoan also wrote that their "strategy bars risky activities that could endanger CoinLoaners' funds".
Vauld, which is based in Singapore, also announced that they would be bringing on financial and legal advisors to "explore and analyse all possible options, including potential restructuring options".
- "Corporate statement" by Vauld
- "Peter Thiel-Backed Crypto Lender Vauld Suspends Withdrawals", Wall Street Journal
Twitter and YouTube accounts for the British Army simultaneously hacked and used to promote NFT and crypto scams
On Twitter, the account details were changed to resemble the Possessed NFT project (as also happened to top Super Smash Bros. Ultimate player MkLeo in March). Tweets from the account announced a "new NFT collection" and linked to a fake minting website, complete with a fake counter showing the number of available NFTs appearing to dwindle.
Meanwhile, the YouTube account was rebranded to resemble ARK Invest, the investment management firm founded by Cathie Wood. It ran a steady stream of fake videos cribbed from an old, real livestream with Elon Musk and Jack Dorsey, but surrounded with borders promoting "double your money" Bitcoin and Ether scams. This is a common YouTube scam, and one such scam earned crypto scammers $1.3 million in 24 hours back in May.
Crema Finance sent a message to the hacker via Ethereum transaction, writing that "you have 72h from now to consider becoming a white hat and keeping $800k as the bounty... Otherwise the police and legal force will officially get involved and there will be endless tracing waiting for you." On July 6, Crema announced that they had reached an agreement with the hacker, who returned most of the funds and kept 45,455 SOL ($1.68 million) as a "bounty".
Crema Finance is not to be confused with C.R.E.A.M. Finance, a crypto lending service that was hacked three separate times in 2021 for a total of nearly $200 million.
Libra-now-Diem ground to a halt after concerns from regulatory bodies and the general public, with Facebook-now-Meta abandoning the project in January 2022. Now they've announced they'll be shutting down Calibra-now-Novi, too, and have advised users to withdraw their balance "as soon as possible". Users won't be able to add money to their accounts beginning on July 21.
- "Meta to Shutter Novi Crypto Payments Wallet in September, Ending Libra Saga", CoinDesk
- "Welcome to Novi", Meta Newsroom
Quixotic is the largest NFT marketplace on Optimism, a layer 2 Ethereum network. Despite being the largest marketplace on the network, it still does fairly little in volume compared to NFT marketplaces on other networks, boasting only around $420,000 in trading volume in the last 30 days.
Quixotic paused marketplace activity after discovering the hack, and promised to reimburse all users who had tokens stolen from them.
Polygon's chief information security officer Mudit Gupta told CoinDesk that day that "no funds [were] lost as far as we know but we are still investigating", and that dApps using the Ankr RPC endpoint were non-functional. Ankr later announced that the RPC systems had been fully restored, and that the breach had come from a "third-party vendor" that enabled attackers to change Ankr's domain hosts.
Voyager announced that they were making the decision "given current market conditions", and that it "gives us additional time to continue exploring strategic alternatives with various interested parties". They also released some financial and balance sheet updates that painted a pretty grim picture.
- "Voyager Digital Provides Market Update", press release from Voyager
At that price, Coca-Cola will only be earning about $21,500 (minus any expenses) if the project mints out, plus any resale fees. A many-billion-dollar company like Coca-Cola might consider just donating the 20 grand themselves.
Mirror Trading International was founded and operated by Cornelius Johannes Steynberg, who had been on the run from South African police until recently being detained in Brazil on an INTERPOL warrant. The CFTC is seeking full restitution, disgorgement, and bans from future trading.
The scheme ultimately drew in about $12 million from investors, beginning in late 2017. Saffron was charged with one count of conspiracy to commit wire fraud, four counts of wire fraud, one count of conspiracy to commit commodities fraud, and one count of obstruction of justice. If convicted of all charges, he faces up to 115 years in prison.
Previously, in April 2021, a court ordered Circle Society and Saffron to pay $32 million in relation to the scheme after a default judgment in a lawsuit from the CFTC, who described the whole thing as a Ponzi scheme.
- "Justice Department Announces Enforcement Action Charging Six Individuals with Cryptocurrency Fraud Offenses in Cases Involving Over $100 Million in Intended Losses", U.S. Department of Justice
- "Federal Court Orders Nevada Company and its Owner to Pay More Than $32 Million for Cryptocurrency Fraud and Misappropriation Scheme", CFTC
Operator of fraudulent Titanium Blockchain Infrastructure Services ICO charged with securities fraud
The DoJ alleges that Stollery falsified the TBIS whitepaper, wrote fake testimonials on the project website, and made up business relationships with the U.S. Federal Reserve Board and large companies including Apple, Pfizer, and Disney.
If convicted on all counts, Stollery faces up to 20 years in prison.
All three are facing charges of conspiracy to commit wire fraud and conspiracy to commit securities fraud, and Pires and Goncalves have also been charged with conspiracy to commit international money laundering. If convicted on all counts, Pires and Goncalves face up to 45 years in prison and Nicholas faces up to 25 years in prison.
BlockFi was last valued at $4.8 billion, but FTX is expected to pay around $25 million to buy the company. BlockFi CEO Zac Prince refuted what he described as a "market rumor": "I can 100% confirm that we aren’t being sold for $25M." A leaked call with Morgan Creek Digital investors suggested they were trying to counter FTX's offer, and that BlockFi was being valued at less than $500 million. The call also revealed that BlockFi's loan to Three Arrows Capital had been $1 billion, and that it was backed by collateral of $1.33 billion in Bitcoin and GBTC.
CNBC reported that, according to one of their sources, "equity investors in BlockFi are 'wiped out' and are now writing off the value of their losses."
Cryptocurrency has long been touted as a tool for the unbanked, including those who don't have access to banking because they're undocumented, and for people hoping to operate free from government observation. Coinbase, however, has actively courted government contracts such as this one, which has not won them favor among the more libertarian-leaning crypto enthusiasts.
Also on the 29th, the SEC rejected an application from Bitwise to create a Bitcoin exchange-traded product (ETP).
Grayscale immediately announced they would be suing the SEC, a course of action they'd been suggesting for several months. Don't hold your breath, though—a litigation analyst estimated such a lawsuit would take 12–18 months to reach resolution.
W3itch.io apparently decided the best way to accomplish their goal would be to not only steal itch.io's site design, but the source code itself. The games hosted on the website were also taken without consent from their creators.
After being called out by the KennyNL Twitter account, W3itch.io admitted to stealing the CSS, as well as buying Twitter followers. However, they refused to take the website down, and seemed to claim they were unable to remove listings of stolen games.
The court action followed lawsuits from several creditors over its failure to pay debts. Those creditors included Voyager Digital, who reduced their platform's withdrawal limit after reporting their exposure to 3AC, as well as the crypto exchange Deribit.
- "Crypto Hedge Fund Three Arrows Ordered by Court to Liquidate", Wall Street Journal
A hacker was able to exploit a flaw in the smart contract for the project, stealing crypto notionally worth $3.8 million. The loss to the protocol was likely higher. XCarnival paused its smart contract after learning about the hack from a crypto watchdog.
On June 26, XCarnival announced that they had reached an agreement to give a 1,500 ETH "bug bounty" to the attacker, who agreed to return the remaining 1,587 ETH ($1.9 million) with an agreement that XCarnival would not pursue legal action.
The NFT went up for sale on June 20, with bidding scheduled to last for four days, and a starting bid of 206 ETH (around $240,000). Apparently collectors decided the NFT wasn't enough to justify dropping that kind of cash on a car that is expected to sell for around $90,000, because the auction received no bids.
SuperRare, the marketplace used for the auction, explained that users must have missed the opportunity to bid "due to the craziness of NFT NYC" (a cryptocurrency conference that ran from June 20–23), and the project extended the bidding time by 24 hours. After the 24 hours had elapsed, they still had zero bids.
The Times later updated the story, writing that the company's co-founder told them that the restaurant shuts off the payment system "'from time to time' for upgrades", but was still accepting crypto.
The menu lists prices in USD, not Ether or Apecoin, and most people buy their $13 hamburgers with plain old fiat.
- Inside the crypto restaurant after the crypto crash, Los Angeles Times
The company announced they would be "scal[ing] down to a target organisational size of about 730 people". The company seems to have had around 1,000 employees, which means they are laying off around a quarter of their workforce. They also announced they would be rescinding employment offers they had extended recently.
- "The Way Forward", BitPanda
On June 23, someone was able to steal assets from the bridge that they then converted to more than 85,800 ETH. The stolen funds are notionally valued at almost $100 million, assuming the thief can cash them out successfully. Hours after the attack, most of the funds remained in the thief's wallet and had not yet been laundered.
A June 29 analysis by blockchain research firm Ellipsis claimed that "there are strong indications that North Korea’s Lazarus Group may be responsible for this theft". Lazarus was also behind the $625 million bridge hack in March, targeting the Axie Infinity game.
Senators Lummis and Gillibrand solicit feedback on their proposed crypto legislation via GitHub and it's off to a predictably chaotic start
As one might expect, apparently-unmoderated open comments from some of the most online people out there have been off to a chaotic start. The first comment on the proposal, by a user with a Pepe the Frog avatar, is titled "Taxation is theft!" and reads, "Why should we pay any taxes to a corrupt government that prints money out of thin air and gives it away for free! Eliminate the FED!!! BITCOIN FOREVER!"
Another comment thread begins, "Feds are not looking post floppa" and accumulated over 100 replies containing photos of caracals within half an hour.
A different person submitted a pull request replacing the entire text of the bill with "cryptocurrencies are banned lmao".
On July 13, the creators of the GitHub repository removed all the issues and archived the repository, apparently bringing the experiment to its end.
The company then posted an announcement that they would be "pausing all withdrawals" due to "extreme market conditions last week & continued uncertainty involving a counterparty". They were cagey about the identity of the counterparty, though the announcement explicitly stated it was not the underwater hedge fund Three Arrows Capital, which has been causing a domino effect throughout the crypto industry. They later alleged the counterparty was Roger Ver, though he denied the claim.
CoinFLEX began allowing customers to withdraw up to 10% of their funds on July 14, but the remaining 90% continued to be inaccessible to them.
- "Update on withdrawals", CoinFLEX
- "Hostess launches $TWINKcoin snack cakes", Food Business News