Blur Finance rug pulls for over $600,000

The yield aggregator Blur Finance rug pulled, taking more than $600,000 in assets from the BNB Chain and Polygon-based projects before deleting their website and social media accounts. The project had only been active for about a month, and had accumulated about 750 users on its original BNB Chain implementation, and on August 5 had announced their launch on Polygon. In the announcement, they boasted returns of over 4,000% APR.

Hotbit crypto exchange suspends trading due to criminal investigation

[Image: Tweet from Hotbit News: "📢Announcement on the Suspension of Hotbit Website Service on August 10th, 2022 Details👉https://hotbit.zendesk.com/hc/en-us/articles/8074249353495 ⚠️User's assets are safe, please don't worry. We are sorry for any inconvenience caused!😢", followed by a GIF of Anya Forger from Spy x Family crying. Caption: Hotbit announcement tweet]
The Hotbit cryptocurrency exchange abruptly announced they would be suspending services because they were under criminal investigation, and law enforcement had frozen some of their assets. Hotbit claims that the investigation pertains to a former employee who was involved in a "project" unbeknownst to Hotbit, which investigators believe was illegal. Hotbit insisted that all customer funds were safe, which seems a bit of a bold statement when their funds are currently frozen to the point where the exchange can no longer operate.

Hotbit announced the suspension on Twitter with a GIF of a crying Anya from the anime series Spy × Family which, despite demonstrating their good taste in shows, does not seem like it would exactly inspire confidence among customers.

CoinFLEX files for restructuring

The cryptocurrency exchange CoinFLEX announced they had filed for restructuring, a move that probably didn't surprise too many people after they stopped customer withdrawals in June, sued Roger Ver over $84 million they claimed he owed them in July, and then significantly cut staff in order to try to massively reduce their costs.

As tends to happen with insolvent exchanges, they are hoping to "compensate" their depositors with a mix of CoinFLEX-issued tokens and equity, rather than actual money or more liquid, established cryptocurrencies.

Nuri crypto exchange files for insolvency

The German cryptocurrency exchange Nuri, formerly known as Bitwala, filed for insolvency. Interestingly, they did not stop customer withdrawals — as have many exchanges who later announced they were insolvent — allowing its existing users to continue to withdraw funds and otherwise use their services.

Their announcement began by saying, "We would like to inform you about an important development that does not affect our services, funds or investments with Nuri," and throughout the post they stressed that customer funds were safe.

Nuri blamed the insolvency on everything from "the ongoing after-effects of the Corona pandemic" to "the economic and political uncertainties in the markets after Russia's invasion of Ukraine" to the more recent crypto bear market.

On October 18, the company announced they would be shutting down after failing to find someone to acquire the company. They asked customers to withdraw their funds by December 18. Unlike many of the services that faced insolvency crises this summer, Nuri is closing without any loss of customer funds.

Curve Finance frontend compromised, $620,000 stolen but later recovered by exchanges

Curve Finance's frontend at curve.fi was compromised, prompting users to give token approval to a malicious smart contract. Stolen funds were then transferred out to the FixedFloat cryptocurrency exchange and the Tornado Cash tumbler. It appears that at least 362 ETH (~$620,000) have been stolen.

Curve acknowledged the apparent exploit, tweeting at the iwantmyname domain platform to say they believed the issue was on their end. Around an hour after the issue was widely noticed, Curve announced the "issue has been found and reverted", and told users to use the alternate Curve Finance domain until DNS changes propagated for the affected domain. They also urged users to revoke any recent contract approvals they'd made on the Curve platform.

FixedFloat tweeted that they had been able to freeze 112 of the stolen ETH (~$192,000) that had been transferred to their platform. Binance later announced that they'd recovered the remaining stolen funds, with founder CZ tweeting, "The hacker kept on sending the funds to Binance in different ways, thinking we can't catch it. 😂"

Truth in Advertising sends letters to 17 celebrities about undisclosed promotion of NFTs

[Image: A collage of sixteen of the seventeen recipients of TINA's letters: Drake Bell, Tom Brady, DJ Khaled, Eminem, Jimmy Fallon, Paris Hilton, Eva Longoria, Madonna, Floyd Mayweather, Meek Mill, Von Miller, Neymar, Shaquille O'Neal, Gwyneth Paltrow, Logan Paul, and Snoop Dogg. Caption: Some of the recipients]
Non-profit advertising watchdog organization Truth in Advertising (TINA) sent letters to seventeen celebrities, urging them to follow FTC requirements on clearly disclosing when they are being paid to promote a brand. TINA had also previously sent such letters to Justin Bieber in relation to his promotion of the inBetweeners NFT project, and to Reese Witherspoon in relation to her endorsement of World of Women.

The celebrities who received letters from TINA were Drake Bell, Tom Brady, DJ Khaled, Eminem, Jimmy Fallon, Paris Hilton, Eva Longoria, Madonna, Floyd Mayweather, Meek Mill, Von Miller, Neymar, Shaquille O'Neal, Gwyneth Paltrow, Logan Paul, Snoop Dogg, and Timbaland.

At least 101 NFT Discord servers compromised in July

[Image: A fluorescent green skull with blond hair, a piece of cheese floating above its head, a rainbow connecting its eye sockets, and padded armor. Caption: Tasty Bones' Discord was hacked twice in July]
I've largely stopped covering crypto Discord compromises because they occur so frequently it would drown out everything else. OKHotshot has been keeping count, though, and according to them, at least 101 servers have been compromised in the month of July. Four of the projects — EY3KON, Tasty Bones, Universe by Barnabe, and Angry Dinos — were each compromised twice in that month.

"Animate your Bored Ape" scammers linked to more phishing attacks amounting to more than $2.5 million

[Image: Screenshot of an Instagram post promising to animate users' Bored Ape NFTs. Text reads "Wanna turn your Ape or Mutant into a cool GIF? - High quality - All attributes working - Only gas fees to pay (50$) boredapeyachtclub.github.io (LINK IN BIO) PM @exyt to get gas fees refunded!"]
Crypto sleuth zachxbt has uncovered a French scam duo, Mathys and Camille, who he believes were behind the March "turn your BAYC animated" phishing scam in which they stole a collector's Bored Ape NFT and flipped it for 264 ETH (at the time worth $764,000). He has also tied them to four other Bored Ape holders who fell victim to fake "animator" phishing schemes that also stole pricey NFTs including Doodles and Mutant Apes. Among them, they lost NFTs collectively valued at $1.7 million. In his investigation, zachxbt also uncovered other crypto wallets that appeared to contain proceeds from other phishing scams, totaling around 497 ETH (~$851,000). "Undoubtedly there is more to uncover, but there is only so much that can be tracked through Tornado Cash," he wrote.

Tornado Cash added to U.S. sanctions list

The U.S. Office of Foreign Assets Control (OFAC) added Tornado Cash to its SDN list: a list of "Specially Designated Nationals And Blocked Persons" with whom U.S. individuals and organizations are prohibited from doing business.

Tornado Cash is the most prominent cryptocurrency tumbler (or "mixer") and has been used in a multitude of instances to launder proceeds from cryptocurrency hacks and scams. In a press release, the Treasury Department named the North Korea-sponsored Lazarus Group's $625 million hack of Axie Infinity in March, the $100 million theft from Horizon Bridge in June, and the $190 million hack of the Nomad bridge in August as contributing to the decision.

Although Tornado Cash had claimed to be complying with sanctions in the wake of the Axie hack, the Treasury Department wrote in their press release that, "Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks".

Tornado Cash is also widely used to maintain privacy in a world where transactions are publicly visible, and it remains to be seen how the cryptocurrency ecosystem will react to this major development. Tornado Cash is also relatively decentralized in its operations, meaning it may be difficult for the sanctions list to be kept up to date and for the sanctions to be enforced.

The fallout from the sanction was swift: in the days following the action, Tornado's source code repository was removed from GitHub and the accounts of some of its developers were suspended; the project's Gitcoin funding page was taken down; and the project's own website, governance pages, and Discord server went offline.

Bitcoin mining operation Riot Blockchain earns more money in July by not mining, effectively mines without paying for power

[Image: An aerial photo of large warehouse-style buildings, electricity infrastructure, and shipping containers on a large dirt plot. Caption: Riot Blockchain's Rockdale, Texas facility]
The Bitcoin mining firm Riot Blockchain produced 318 BTC in July, valued at around $6.88 million, from its mining operations located in central Texas. The firm also received $9.5 million in power credits for switching off their power-hungry Bitcoin miners during all-time-high energy demands in a month where the state has been experiencing extreme heat waves.

A press release from Riot proudly announced that "Riot curtailed a total of 11,717 megawatt hours in July, enough to power 13,121 average homes for one month", as though it is acceptable that they are normally using this amount of electricity solely to churn out Bitcoins.

They also wrote that "When applied to anticipated power costs for the month, the power credits and other benefits are expected to effectively eliminate Riot's power costs for July" — meaning that Texas residents are effectively subsidizing the cost of Bitcoin mining whether they like it or not. Meanwhile, the Texas Tribune and The Dallas Morning News report that many Texans are paying 50–70% more for electricity than this time last year.

Hodlnaut halts withdrawals

Crypto lending firm Hodlnaut announced they would be suspending withdrawals "due to recent market conditions". They also announced they would be withdrawing their license application with the Monetary Authority of Singapore, and that "Hodlnaut is therefore no longer providing regulated digital payment token (DPT) services, ie our token swap feature. For the avoidance of doubt, Hodlnaut will also cease all borrowing and lending services."

In an FAQ attached to the announcement, Hodlnaut told users that "it will not be a short process" to re-enable withdrawals and token swaps.

No one wants to admit to owning the WazirX crypto exchange

[Image: Tweet by WazirX founder Nischal Shetty, quote-tweeting a tweet by Changpeng Zhao.

CZ's tweet reads:
Sad that these have to be debated on Twitter:
Binance provides wallet services for WazirX.
WazirX domain is transferred to our control.
We were given a shared access to an AWS account.
We could shutdown WazirX. But we can't, because.. 1/2

Shetty's tweet reads:
'We could shut down WazirX' - Proves you have control
'Shared access of AWS' - You have ROOT access of AWS! Anyone with root access controls AWS
'WazirX domain transferred to our control' - Good to see you confirm that
Only control now is Zanmai, why are you not taking it?]
After India froze the assets of the WazirX cryptocurrency exchange due to suspicions they were enabling money laundering, suddenly no one wants to admit to operating it.

Despite a 2019 blog post by Binance titled, "Binance Acquires India's Leading Digital Asset Platform WazirX to Launch Multiple Fiat-to-Crypto Gateways", Binance CEO Changpeng Zhao ("CZ") tweeted that "Binance does not own any equity in Zanmai Labs, the entity operating WazirX", and that besides wallet services and an off-chain transaction integration, "WazirX is responsible all other aspects of the WazirX exchange". These statements were disputed by Nischal Shetty, the founder of WazirX, who stated in no uncertain terms that WazirX was acquired by Binance. "Binance owns WazirX domain name. Binance has root access of AWS servers. Binance has all the Crypto assets. Binance has all the Crypto profits", Shetty wrote on Twitter.

Brand new Dragoma "move-to-earn" game rug pulls for around $3.5 million

[Image: An illustration of a purple dragon with white spikes all around its head, perched on the text "Dragoma" in blue all caps. Underneath that it says "Dragoma Web 3.0" in white text. In the background is an illustrated scene of trees and sky. Caption: Dragoma promotional image]
The Polygon-based Dragoma app promised to be a new move-to-earn game, the term for a category of web3 apps that promise to reward people in tokens when they exercise. This particular app promised to be a dragon-themed "adventure game" where users could hatch dragon eggs by walking 500 meters a day (about 1/3 of a mile) for 40 days.

The project launched only days before it rug pulled. On August 7, the $DMA token dropped in price over 99% as funds were removed from the project and moved to exchanges. According to CoinDesk, around $3.5 million was taken. The project's website, Telegram channel, and Twitter accounts were all taken offline.

Someone makes NFTs out of photographs from the Xinjiang Victims Database

[Image: A 3D rendering of a man, standing in a T-pose and pictured from above his head. The rendering itself is shown on what appears to be a polaroid-style photograph inside a black plastic sleeve with stickers on it. Caption: Made in Uyghur NFT (blurring added by W3IGG)]
The Xinjiang Victims Database is a database that aims to collect records on ethnic minority citizens in China's Xinjiang Uyghur Autonomous Region who have been imprisoned in concentration camps as a part of the Uyghur genocide. According to the project, "The goal of this database consists in documenting the aforementioned individuals, so as to both protect them now and hold the Chinese authorities accountable later."

Someone apparently decided this was perfect material for an NFT project, which they named "Made In Uyghur". They took 100 images from the database, clumsily projected them onto 3D-rendered human models in a T-pose, and listed them for $25 apiece.

Upon becoming aware of the NFTs, the Xinjiang Victims Database updated their site licensing to CC BY-NC, a Creative Commons license that forbids commercial reuse. "Commercial use of the data, including images of victims, is not okay", they wrote on Twitter, "[Made In Uyghur] never contacted us about this".

"Saxon James Musk" token developer rug pulls for around $442,000

Who could have predicted that the shitcoin named after one of Elon Musk's 16-year-old sons could turn out to be a scam? Well, besides the people who fell for previous rug pulls of tokens based on the Musk family, such as Baby Elon coin in June or the Baby Musk Coin in February...

The project developer suddenly sold off their share of the coin for around 1355 WBNB (~$442,000), sending the coin price plummeting by more than 68% as a result.

Beanstalk Farms comes back for round two after $182 million exploit

The algorithmic stablecoin project Beanstalk Farms was hit by a devastating hack in April 2022, suffering $182 million in losses from a governance attack and flash loan exploit on the project. The project tried a fundraiser to restore the stolen money, but only raised $10 million.

Now, Beanstalk is re-launching, saying they've made changes to their governance model and security practices, and have received audits from two major firms.

In June, the project creator stated that "The thing about a system like Beanstalk is that it works until it doesn't. You can never actually know if it works, only that it has worked so far."

Hacker compromises wallet of Steven Galanis, CEO of Cameo app, stealing $231,000

[Image: An illustration of an ape with grey-brown fur, with heavily lidded eyes, wearing 3D glasses and a toga. Caption: Bored Ape #9012]
A hacker compromised the wallet belonging to Steven Galanis, the CEO of Cameo, an app that allows people to pay various celebrities to record short messages for them. The hacker took 9,457 ApeCoin (~$69,000), 2.3 ETH (~$3,900), a Bored Ape NFT, three Otherside land plots, and other various NFTs. The hacker then flipped the Bored Ape for 77 ETH (~$131,000), and the other NFTs for a combined 16 ETH (~$27,000).

Galanis wrote on Twitter that he "Just got my Apple ID hacked". Although he didn't offer more details on how he had determined iCloud was to blame, it's likely he's referring to an attack vector where MetaMask automatically backs up users' seed phrases to iCloud unless it's disabled, meaning that a hacker who successfully accesses a person's iCloud account can also compromise any of their MetaMask wallets. The same type of attack saw a user lose $650,000 in April, and brought wider attention to the app's behavior.

Researchers identify an attack strategy actively being used by the second-largest Ethereum mining pool to earn outsized mining rewards

Researchers from The Hebrew University have identified an attack on the consensus mechanism used by Ethereum which they describe as risk-free and which can be used to "obtain consistently higher mining rewards compared to the honest protocol". They also identified that the attack was being actively used by F2Pool's Ethereum mining pool to attack other mining operations. F2Pool is the second-largest Ethereum mining pool.

By manipulating the timestamps of blocks to be added to the chain, a miner can replace other miners' main-chain blocks with their own blocks, obtaining the fees that would have gone to the other miners. The attack has been called an "Uncle Maker" attack because Ethereum refers to valid but not main-chain blocks as "uncles".

F2Pool co-founder Chun Wang responded on August 8 to the allegations against his mining pool, apparently acknowledging their behavior and suggesting that manipulating a vulnerability in a system is not a "blatant disregard [of] the rules" as the researchers had characterized it. He tweeted: "We respect the *consensus* as is. If you don't like the consensus, convince [Ethereum developer Tim Beiko] to send me another Announcement and change it." Quote-tweeting a tweet by the lead author of the paper who described F2Pool's technique, he wrote, "I can't stop appreciate this elegant implementation of what we've done over the past two years... A robust system must withstand all kind of tests."

India freezes assets of WazirX, Binance's Indian exchange

India's Enforcement Directorate froze $8.16 million of assets belonging to WazirX, a Binance-owned cryptocurrency exchange that is one of the largest exchanges in India. According to the ED, its action was a result of an investigation into WazirX allegedly laundering the proceeds of a crime by allowing it to be converted into cryptocurrencies.

The ED wrote in a press release, "ED found that large amounts of funds were diverted by the fintech companies to purchase crypto assets and then launder them abroad...(a) maximum amount of funds were diverted to WazirX exchange and the crypto assets so purchases have been diverted to unknown foreign wallets".

Ian Macalinao revealed to have pumped the total value locked on the Solana ecosystem by pretending to be 11 developers working on over a dozen projects

[Image: Ian Macalinao sitting in a folding chair and speaking into a microphone, gesturing at someone out of frame. Caption: Ian Macalinao]
CoinDesk revealed that eleven developers behind Solana projects including Sunny Aggregator and Cashio were all actually personas created by Ian Macalinao. Macalinao created the Saber protocol on Solana, and used his personas to build what appeared to be independent projects that all used Saber. In doing so, he was able to artificially inflate the apparent total value locked (TVL) on Solana by double-counting the same tokens. At their peak popularity, Saber and Sunny were responsible for $7.5 billion of Solana's $10.5 billion TVL.

In an unpublished blog post where he confessed to his deception, he wrote, "I believe it contributed to the dramatic rise of SOL". He wrote the post shortly after one of his personas' projects, Cashio, was hacked for $52 million, but apparently shelved it.

Ian Macalinao's brother Dylan, the other co-founder of Saber protocol, aided in the scheme by lending credibility to Ian's various personas to those who had doubts about trusting money to projects led by pseudonymous individuals.

All told, Ian Macalinao was responsible for the Saber protocol, the Protagonist VC firm and incubator, and Ubeswap under his real name. He created Sunny Aggregator as Surya Khosla, Cashio as 0xGhostchain, Goki as Goki Rajesh, Quarry as Larry Jarry, TribecaDAO as Swaglioni, Crate as kiwipepper, aSOL as 0xAurelion, Arrow as oliver_code, Traction.Market as 0xIsaacNewton, Sencha as jjmatcha, and VenkoApp as ayyakovenko.

CoinGape and Binance publicize scam recovery address after Nomad hack

After the August 1 Nomad bridge exploit, Nomad created an address where people who took money out of the bridge could return it.

However, that was not the address that CoinGape published in their article titled "Breaking: Nomad Announces ENS Address And Bounty For Returning Funds", which was syndicated to Binance's news feed. Instead, they indicated that people should send funds to a different address, one belonging to a scammer who had been sending on-chain messages to various people who took money out of Nomad during the exploit, asking that they return it.

Although CoinGape removed the article fairly quickly, it remained live on Binance's site for over an hour. Fortunately, it doesn't appear anyone besides the writers has fallen for the scam, as no cryptocurrency has been sent to the address.

ZB crypto exchange exploited for more than $3.5 million

The self-described "world's most secure digital asset exchange", ZB, suffered an exploit in which attackers stole a large number of different cryptocurrencies, estimated by various researchers to be valued at around $3.6 million and $4.8 million.

ZB announced that they were suspending deposit and withdrawal services due to "sudden failure of some core applications".

Robinhood cites crypto market crash in decision to lay off 23% of employees

Stock and crypto trading app Robinhood announced they would be laying off 23% of their staff: 780 people. The layoffs followed a prior round of layoffs in April, which saw 9% of their staff (~342 people) out of jobs.

Robinhood CEO Vlad Tenev wrote, "Since that time, we have seen additional deterioration of the macro environment, with inflation at 40-year highs accompanied by a broad crypto market crash. This has further reduced customer trading activity and assets under custody. Last year, we staffed many of our operations functions under the assumption that the heightened retail engagement we had been seeing with the stock and crypto markets in the COVID era would persist into 2022."

The announcement came the same day that Robinhood was fined $30 million by the state of New York for insufficient anti-money laundering and cybersecurity protections in the crypto portions of their offering.

Thousands of Solana wallets drained in attack that nets over $6 million

Nearly 8,000 Solana wallets were drained for at least $6 million worth of assets, including native SOL tokens and SPL tokens like USDC. The attack went on for nearly a day before Solana identified the likely cause: private keys that were exposed to an application monitoring service used by the crypto wallet Slope. Both Solana and Slope were vague about further details but explained that they were continuing to investigate.

CoinShares investment firm reports $21.5 million loss from Terra collapse

In their Q2 earnings report, European cryptocurrency investment firm CoinShares reported that they'd only made $120,000 in net income in the most recent quarter, down from more than $32 million in Q1. They explained this was largely because of an enormous loss that resulted from the May collapse of the Terra ecosystem, costing the firm £17.7 million ($21.5 million).

Michael Saylor steps down as MicroStrategy CEO as the company reports a $918 million impairment charge on Bitcoin holdings

[Image: Michael Saylor sitting in front of a large model ship. Caption: Michael Saylor]
Bitcoin maximalist Michael Saylor announced he would be stepping down as CEO of MicroStrategy, which is ostensibly a software company but in recent years appears to be mostly a Bitcoin-purchasing company. Saylor is extremely pro-Bitcoin, with an emphasis on "extreme". In March 2021, when Bitcoin was at around $57,000, he urged people to "go mortgage your house and buy Bitcoin with it... if you've got a business that you love because your family works for the business and it's been in your family for 37 years, and you can't bear to sell it, mortgage it, finance it, and convert the proceeds into ... Bitcoin. If you're working for a company that's got $100m in the treasury, you ought to convince the CEO and the board of directors to convert the treasury into Bitcoin... that'd be worth billions to them."

Unfortunately, that treasury strategy — which in his case also includes taking on more debt to buy more Bitcoin — is not currently working out so well for MicroStrategy, which reported a $918 million impairment charge on their Bitcoin holdings in their most recent earnings report. Saylor stepped down as CEO the same day.

Robinhood fined $30 million over lackluster cybersecurity and anti-money laundering protections in their crypto offering

The New York Department of Financial Services levied a $30 million fine against Robinhood, an app used for stock trading that has also branched into crypto. According to the DFS, Robinhood Crypto demonstrated "significant failures" in its anti-money laundering and cybersecurity obligations.

Robinhood Crypto had certified to the DFS in 2019 that they were in compliance with those regulations, despite the fact that they were not. The DFS imposed a $30 million fine on the company, and also ordered them to hire an outside party to evaluate their regulatory compliance and efforts to remediate the problems with their platform.

Reaper Farm exploited for around $1.7 million

Yield farming project Reaper Farm suffered an exploit that resulted in a $1.7 million loss. The attackers discovered a vulnerability that allowed them to withdraw anyone else's funds. They then bridged funds to Ethereum, then laundered them through Tornado Cash. After discovering the exploit, Reaper Farm used the same vulnerability to remove funds from the remaining vulnerable vaults to prevent the attacker from stealing more.

Shortly after the exploit, Reaper Farm announced they planned to raise capital via "the sale of vested $OATH tokens from our treasury with desirable terms", which would then be used alongside other assets in their treasury to compensate users.

Operators of Dropil crypto scam sentenced to federal prison

Two men who ran an "investment management service" called Dropil were sentenced to 2½ and 3 years in prison after stealing around $1.9 million from more than 2,000 people. They convinced people to buy DROP tokens, which they said would provide access to an automated trading bot that would return up to 63% in annual returns. In reality, there was no functional trading bot. When the SEC inquired, the two men forged profitability reports and lied under oath about the project.

SEC charges perpetrators of $300 million Forsage crypto pyramid scheme

The SEC charged eleven people who helped to create and promote the crypto pyramid and Ponzi scheme Forsage. The scam operated from January 2020 into 2021, despite multiple cease and desist actions from regulators in the US and the Philippines.

Users deposited their money into projects running on the Ethereum, Tron, and Binance blockchains, and earned rewards for recruiting others to the scheme. The project also used payments from newer investors to pay out earlier investors — a Ponzi scheme.

Players in the National Women's Soccer League may be "out money" after Voyager bankruptcy

Half of the money in a large deal between the crypto platform Voyager Digital and the National Women's Soccer League was supposed to be distributed to players in cryptocurrency accounts. According to a press release from Voyager, this was intended to "provide NWSL players with financial education on crypto, including key lessons and tools, to help develop long-term financial growth opportunities for players potentially well after their competitive playing careers have ended."

Those players have certainly learned something about crypto, as the league informed them that they're not likely to get the funds they were promised after Voyager Digital filed for bankruptcy in early July.

People rush to steal some of the $190 million in the Nomad bridge after an exploit is discovered

After an attacker began exploiting a vulnerability in the Nomad bridge, many people rushed to replicate the attack and steal some of the roughly $190 million of various cryptocurrencies in the bridge. Some didn't seem to think through the consequences of using wallets tied to their real-life identities to exploit the vulnerability, which should be interesting to watch.

Nomad posted on Discord and tweeted that they were "aware of the incident" and "investigating", but the attack was ongoing over an hour after the acknowledgement.

Four days before the attack, Nomad announced that they'd raised a $22.4 million seed round from investors including Coinbase, OpenSea, and Crypto.com.

CoinFLEX cuts "significant number" of staff

CoinFLEX, a yield farming platform that stopped withdrawals in late June, announced they had made major staff cuts to reduce their cost base by 50–60%. "The intention is to remain right-sized for any entity considering a potential acquisition of or partnership opportunity with CoinFLEX," they wrote in a blog post.

Restructuring plans reveal Babel Finance's $225 million losses during crypto market dip

Babel Finance, a crypto lender that suspended withdrawals in mid-June, sustained "massive losses" thanks to its proprietary trading desk, which was trading with customer funds. According to a restructuring plan viewed by Bloomberg, Babel's prop desk lost around 8,000 BTC and 56,000 ETH, valued at around $225 million at the time of the loss. The trading team was not using risk controls, and their unhedged position led to forced liquidations that made Babel's lending and trading departments unable to meet their margin calls from counterparties like Zipmex.

Helium caught lying that Lime and Salesforce use their network

[Image: A graphic from Helium's website, with the header "Helium is used by:" and then a collage of logos including Lime and Salesforce. Caption: Screenshot of Helium's website]
Helium, a network of wireless hotspots for low-power devices whose operators are incentivized by a crypto token, has been lying about its relationship with scooter rideshare company Lime. According to an investigation by Matt Binder in Mashable, Helium has been boasting that Helium is used by Lime on their website and describing them in press coverage as a prominent user of the network despite the fact that Helium and Lime never had a formal relationship. "Helium has been making this claim for years and it is a false claim", said a Lime spokesperson.

Helium is a common name that comes up when people are pressed to provide examples of web3 use cases. The New York Times ran a feature on the company in February 2022, titled "Maybe There's a Use for Crypto After All", where Kevin Roose lavished praise on the company and wrote that they had "largely avoided the hype and inflated claims that surround many crypto projects" (oops) and repeated the false claim about a Lime partnership (double oops). Lime said that the Times never contacted them to fact-check the claim; meanwhile, Helium founder Amir Haleem prominently points people to the article with a pinned tweet.

However, a recent Twitter thread by Liron Shapira drew attention to the fact that the company's total monthly revenue from network usage is only $6,500 — raising questions about the feasibility of hotspot operators actually earning much in the way of rewards (as the rewards are distributed based on network usage).

Following the publication of Binder's article, Helium quietly removed Lime's logo from their website, along with that of Salesforce, a CRM software company. Salesforce also confirmed to The Verge that they had no partnership with Helium, and that the graphic on the Helium website where Salesforce's logo was displayed as a user of Helium was "not accurate".

Regulators order Voyager to stop saying they're FDIC insured

One of the ways Voyager Digital drew in customers was by promising that their funds in USD were protected from a collapse of the company by FDIC deposit insurance, which normally applies to bank accounts. When Voyager declared bankruptcy earlier this month, some of their customers were horrified to discover this was not the case.

The Federal Reserve and the FDIC sent a cease-and-desist to Voyager, asking them to remove the misleading statements about deposit insurance. It would have been nice if this had come a bit earlier — perhaps before people had deposited money into accounts with the company and could no longer get it out.

Nirvana Finance drained of $3.5 million

The Solana-based yield farming project, Nirvana Finance, was exploited by an attacker who used flash loans to drain the project of just under $3.5 million. The attacker took out a $10 million loan from the Solend project, used it to mint ANA tokens, swapped the ANA for $13.5 million, and then repaid the loan. The attack was similar to the attack on Crema Finance earlier in the month.

The attack caused the project's ANA token to plunge in value by 80%, and the project's NIRV stablecoin to lose its dollar peg, falling to $0.08. Nirvana Finance tweeted, "Please be advised: ANA has lost its collateral, and NIRV has lost its peg. Until the thief restores funds, these tokens will not have exchange value. Be very careful with trading NIRV & ANA, as they currently have no guaranteed value."

They also tweeted at the hacker, promising to stop investigating the hacker's identity and to pay a $300,000 "bounty" in exchange for the funds back. They wrote, "You have not taken money from VCs or large funds — the treasury you have taken represents the collective hopes of everyday people."

The project had promised its users over 60% APY, and its Twitter account described ANA as "the balanced risk investment with adaptive yield".

No more Dune or DAO for the Dune DAO

[Image: Dune script bible. Photograph of the Dune storyboard book.]
"DAO delusion was at its peak when the community went into this journey together", wrote SpiceDAO founder Soban "Soby" Saqib. SpiceDAO (named for the Dune drug) won an auction to buy a copy of the Dune script bible in January — at $3 million, far above its usual selling price, likely because it was public knowledge how much the DAO had raised. DAO members celebrated afterwards, excitedly anticipating an animated television series based on the book, apparently not realizing that buying a book (even for a very high price) does not confer rights to publish derivative works.

The DAO has stumbled along somewhat since its January victory, encountering issues with making the bible viewable to DAO members without breaking copyright laws, a diminishing treasury due to declining crypto prices, and controversy after Soby was linked to the Remilia Collective.

After all that, the project leader suddenly and apparently unilaterally announced a plan where members could redeem their SPICE for ETH, and stated that they would be removing project leaders, converting the DAO to a private company, and selling the Dune bible (likely at a major loss). It was nice knowing you, SpiceDAO.

KuCoin announces "Anti-FUD Fund" to track down and sue critics

Those in the crypto ecosystem have long claimed to embrace the principles of censorship resistance and freedom of speech, but apparently some of them draw the line at speech that's critical of them. Johnny Lyu, CEO of the KuCoin crypto exchange, announced on Twitter that the company would be creating an "Anti-FUD Fund" to combat "FUD" — an acronym for "fear, uncertainty, and doubt" that has come to be used to describe any criticism or tough questions directed at crypto projects.

In his Twitter thread, Lyu outlines how the fund will "implement Anti-FUD education", "motivate and acclaim industry leaders and influencers who are always responsible, delivering trusted information", and "effectively trace FUDers who intentionally spread FUD and take legal actions against them if needed".

Something tells me his list of "industry leaders and influencers" to "acclaim" won't include those who are rightfully skeptical of crypto.

OFAC has been investigating Kraken over suspected sanctions violations

The New York Times reported on July 26 that the Treasury Department's Office of Foreign Assets Control (OFAC) has been investigating major US-based crypto exchange Kraken for suspected sanctions violations. They reportedly believe that Kraken has been providing services to people in Iran and other sanctioned countries. The Times' sources have said that OFAC is likely to impose a fine on the company, which would make Kraken the largest crypto company to face enforcement from OFAC relating to the Iranian sanctions.

CEO of Titanium Blockchain Infrastructure Services pleads guilty to securities fraud

Michael Stollery, CEO of Titanium Blockchain Infrastructure Services (TBIS), pled guilty to securities fraud in connection with a $21 million cryptocurrency scam. The company promoted its BAR token during 2017–2018, and did not register with the SEC for its ICO. TBIS made false claims, including that they had ties to companies including Apple, Boeing, and IBM, and offered various services that did not actually exist. At least 75 people participated in the ICO, giving TBIS a combined $21 million, some of which went directly to Stollery's bank account and personal expenses like a condo in Hawaii.

Crypto platform Immutable lays off 17% of its gaming division staff

[Image: Gods Unchained gameplay. Screenshot of gameplay of a digital trading card game, with a streamer overlaid in the bottom left corner.]
The Australian crypto company Immutable fired 17% of staff from its gaming division. Immutable has said this amounted to 18 workers, though the Games Workers Australia union disputed the number and said that 30 roles were cut. The fired employees all worked on the Gods Unchained blockchain-based trading card game, and were given 24–48 hours notice of their firing.

The fired employees quickly began preparing a legal fight against Immutable, questioning whether their firing was legitimate when many of the people who were sacked were about to reach the vesting date for more than $1 million in stock options.

Brazilian authorities challenge NFT company Nemus after it claims ownership of land in the Amazon, allegedly pressures Indigenous people to sign documents they could not read

[Image: From Nemus's "Non-Fungible Territory" press release. A man in a polo shirt stands in the rainforest with a sign reading "NFT".]
Nemus is an NFT project already described in W3IGG for its plans to become "Guardians" of the Amazon rainforest and saviors of its Indigenous populations by selling Ethereum NFTs and reopening a Brazil nut plantation.

On July 20, they issued a press release claiming that "the World's First Non-Fungible Territory has been officially renamed by indigenous people in Brazil in coalition with Nemus". The company claims to own 41,000 hectares (~100,000 acres) of land in the Amazon.

On July 25, Brazil's Federal Prosecution Office (MPF) issued a statement that they had demanded Nemus provide proof of ownership of the areas they claim, clarification on the projects they've been promising online they would undertake, and proof that they've received authorization from the National Indian Foundation (FUNAI) or any other public body that would allow them to operate in the area and engage with various Indigenous groups.

According to the MPF, members of Indigenous groups in the area reported the company had violated their rights. They also explained that Nemus had expressed to them their plans to use heavy machinery to open an airstrip and build a road in order to access Brazil nut groves in the area. Apurinã leaders alleged that company representatives had pressured Indigenous people who do not read well to sign documents, and did not provide them with copies.

After five years in prison for a Ponzi scheme and a lifetime ban from the pharmaceutical industry, Martin Shkreli announces his new venture: a web3 drug discovery platform

[Image: Martin Shkreli, sitting at a table, arms crossed and smirking.]
Martin Shkreli, sometimes known as "Pharma Bro", earned notoriety after obtaining the patent for an anti-parasitic drug and hiking the price from $13.50 a pill to $750. An FTC lawsuit ordered Shkreli in January 2022 to return almost $65 million in wrongfully obtained profits, and banned him for life from the pharmaceutical industry.

In 2018, he was sentenced to federal prison for unrelated securities fraud; a U.S. Attorney stated he "essentially ran his company like a Ponzi scheme". He spent five years in prison, and was released in May 2022.

Shkreli is also banned from the securities industry, and from serving as an officer or director of any publicly traded company.

If this was anyone other than Martin Shkreli, I might have been surprised to hear that, only a little over two months out of prison and while still staying in a halfway house, Shkreli is launching a "web3 drug discovery software platform".

$4.5 million taken from Teddy Doge project in apparent rug pull

The Teddy Doge defi project saw its token price plummet over 99% as 30 billion TEDDY were transferred from the project's deployer and distributed to various wallets, which then converted the TEDDY to over 10,000 BNB ($2.56 million) and 2 million BUSD, a dollar-pegged stablecoin.

Although the project admins blamed the theft on an outside attacker, writing on Telegram that they were "not certain whether it is a bug in our cross-chain bridge or a leaked developer wallet", that is a common refrain by developers who rug pull their own projects.

Attacker makes off with $1.1 million after successful governance attack on the Audius web3 music platform

An attacker was able to create and pass a governance proposal to transfer out 18.5 million AUDIO tokens from the community treasury. They then successfully swapped these for 705 ETH (~$1.1 million).

Audius halted the token and smart contracts while they patched the bug, and brought the network back online shortly afterward. The attacker had found and exploited a vulnerability in the way the contracts were written which allowed them to rewrite the governance voting rules and delegate 10 trillion AUDIO tokens to themselves for voting purposes. They then used those tokens to pass the malicious proposal. The contracts had been audited by OpenZeppelin and Kudelski, but neither group caught the vulnerability. Audius stated that a plan for dealing with the loss of community funds was still under discussion.

GameStop's new NFT platform features an NFT mimicking a victim of 9/11

[Image: Falling Man NFT. A rendering resembling the famous "The Falling Man" photo. A man in an astronaut suit falls headfirst, with a striped background resembling a tall office tower.]
GameStop's brand new NFT platform, which launched on July 12, is off to a less than promising start. Unlike some other NFT platforms like OpenSea, GameStop does not allow just anyone to create and list NFTs — creators have to apply and be approved individually.

One of their artists, "Jules", created an NFT clearly modeled after The Falling Man, a well-known photograph of a man falling from the upper floors of the World Trade Center during the September 11 attacks in New York City. The NFT is also titled Falling Man, and pictures a model in the same position, but wearing an astronaut suit.

Not only is GameStop selling an NFT of the victim of a tragedy, it's a featured image when Googling "GameStop".

Celsius customers send letters to the judge in the bankruptcy case

[Image: Email to Alex Mashinsky and Celsius support. Text of the email: "Correspondences of my email sent to support on 15 Jun 2022: To: support@celsius.network Cc: ceo@celsius.network. Dear Alex and Celcius support, I am writing this email to ask for your special consideration to allow me to make a small withdrawal on my BTC held in Celcius. I understand that Celsius made the decision to pause withdrawals in a volatile market condition, but do hope that you review my case and give me special permission. I am 5.5 months pregnant with my third child. I am expecting to give birth in early October and I do need the fund to pay for the hospital, doctor and baby items such as cot, clothes, nappies etc. I also need the fund to pay for school fees for my two other schools aged children. I have attached a recent scan of my baby and a letter from my obstetrician confirming my pregnancy and planning for admission into the hospital. Scan of my baby that am carrying: [ultrasound photo of a fetus]"]
Celsius customers have begun to send letters to the judge presiding over Celsius Network's bankruptcy case in the Southern District of New York. More than fifty letters have been entered into the docket since July 15, and new letters are continually being added.

Many customers write of being convinced by Alex Mashinsky personally, particularly in his weekly "AMA"s where he regularly claimed that Celsius was a safe platform with substantial reserves that could cover any potential losses. Mashinsky often denigrated traditional banks, referring to Celsius as a better and safer option.

Some of the letters are particularly heartbreaking, with customers referring to suicidal ideation or saying that they've been too ashamed to share the news of their financial losses with their family. One woman included a copy of an email she sent to Mashinsky and Celsius support, pleading for them to allow her access to her crypto, and including an ultrasound photo of a baby. "I do need the fund to pay for the hospital, doctor and baby items such as cot, clothes, nappies etc. I also need the fund to pay for school fees for my two other school aged children," she wrote.

Founder of My Big Coin convicted of $6 million crypto fraud

Randall Crater, founder of the cryptocurrency company My Big Coin, was convicted of multiple charges including wire fraud for a crypto scheme in which he stole more than $6 million from investors. Crater falsely marketed his business, which he operated between 2014 and 2017, as operating "a fully functioning cryptocurrency backed by $300 million in gold, oil and other valuable assets", which he fraudulently stated was partnered with MasterCard. According to the U.S. Attorney's Office, Crater used the $6 million in stolen funds "for his own personal gain and spending on goods, including hundreds of thousands of dollars' worth of expenses on antiques, artwork and jewelry".

Former Coinbase product manager charged with tipping off co-conspirators about tokens that were about to be listed on the exchange

Ishan Wahi, a former product manager for Coinbase, was indicted on two charges of wire fraud and two charges of wire fraud conspiracy for allegedly tipping off his brother and friend to make trades based on his insider knowledge.

Wahi allegedly used his access to highly confidential information around which cryptocurrency tokens would be listed and when the news would be announced to tip off his brother and friend, who would then use multiple anonymous Ethereum wallets to purchase large quantities of the token before the prices spiked on the news. According to the press release, the two took positions in at least six tokens before Coinbase announced in April 2022 that they would be listing them on the exchange. The DoJ said that the scheme had generated approximately $1.5 million in gains. The DoJ acknowledged a "Twitter account that is well known in the crypto community", likely referring to Cobie, who identified the suspicious activity.

The DoJ also reported that when Coinbase's director of security operations contacted Wahi in May asking him to attend a meeting regarding the suspicious activity, Wahi purchased a one-way flight to India in an attempt to flee the country. He was stopped by law enforcement.

The U.S. Attorney for the Southern District of New York stated in the press release, "Today's charges are a further reminder that Web3 is not a law-free zone... fraud is fraud is fraud, whether it occurs on the blockchain or on Wall Street."

Each of the charges (four against Wahi, two each against his brother and friend) carried a maximum sentence of 20 years. In May 2023, Ishan Wahi was sentenced to two years in prison; his brother, Nikhil, was sentenced to ten months in prison.