Web3 is Going Just Great

All 22,000 customers of BlueBenx suddenly found them unable to withdraw funds from the platform. The platform also reportedly laid off the majority of its employees.

Acala paused the protocol shortly after the attack, and disabled the transfer functionality of the stolen aUSD and of Acala-based tokens the attacker had swapped for some of the aUSD. It's important to note that the attacker could not earn a profit anywhere near $1.2 billion USD from the erroneous creation of new, unbacked tokens — they likely made off with around $1.6 million. Acala subsequently burned most of the new tokens, which helped the aUSD token return to between $0.90 and $0.94 — much closer to its intended peg.

On August 13, Gabagool posted a long confession to his Twitter account, writing that he had stolen the $350,000, and had previously taken $56,000 over the course of two months, to try to "revenge trade" the money he had lost in the crypto crash. Explaining why he took the $350,000, he wrote, "I thought I could make the 56k back and return all of the funds, which was delusional". He also wrote that "the majority of the funds have been returned to the Velodrome team. The rest will be." Velodrome later confirmed they had recovered all of the stolen money.

Gabagool had become a somewhat prominent part of the crypto community, providing insights into various crypto happenings as someone who was adept at tracing blockchain transactions. In June, he was featured in a Vice documentary titled, "Is Everything in Crypto a Scam?". He spoke about, among other things, his October 2021 discovery that the crypto-focused venture capital firm Divergence Ventures was Sybil attacking airdrops to claim millions in rewards. That particular incident ended with Divergence returning the money they had gained from the strategy, and Ribbon awarding 5% of that amount — equivalent to about $545,000 at the time — to Gabagool as a "bounty".

Armstrong has claimed that the video cost him more than $75,000 in damages, and has caused him emotional distress including anxiety and depression.

Oddly, in the lawsuit, he writes that he is "in the business of providing advice and commentary on cryptocurrency investments" — a strange thing to do for someone who, like most crypto influencers, constantly tries to claim that his videos are not financial advice.

Armstrong has promoted crypto projects including Celsius. He has also posted and then deleted videos on cryptocurrency projects that later failed, such as Ethereum Yield, Cypherium, and MYX Network. According to a recent CNBC story, he claimed he "could easily make more than $100,000 per month in promotions alone", though it was not clear to which time period he was referring.

Armstrong announced on August 24 that he planned to drop the lawsuit against Mengshoel, stating that "I didn't understand that my name is now so big that if I file a lawsuit it would be found and be made public" — a strange thing to be blindsided by given he sued a YouTuber with 1 million followers who predictably told his audience about the suit. "We are going to drop the lawsuit, 100%. I'm sorry it became public."

However, some have pointed out that issues with Coinbase's API leaked information about which coins were about to be listed, which could have enabled people to obtain the information allowing them to make such trades without an insider connection.

According to India's ED, 23 entities deposited Rs 370 crore (~$46.5 million) into FlipVolt, which the ED says were the proceeds of criminal activity. FlipVolt had "very lax KYC norms, no EDD [enhanced due diligence] mechanism, no check on the source of funds of the depositors, no mechanism of raising STRs [suspicious transaction reports], etc" and reportedly enabled the entities to launder the proceeds of crimes via the exchange.

The value of $MSI, Martin Shkreli Inu (really), plummeted 90% from $0.000014 to a mere $0.0000014 when a wallet owned by Shkreli suddenly dumped its tokens. The MSI token originally was a fan-made token, but Shkreli adopted it as the token "powering" Druglike (despite zero information as to how it's actually used to power the project). The MSI were swapped for 239 ETH (~$459,000).

Shkreli claimed via his Twitter persona "Enrique Hernandez" that "I got hacked last night." (Shkreli was banned from Twitter after being creepy to a journalist, and so now uses the thinnest of veiled identities to somehow evade Twitter suspension). Shkreli claimed that when he had tried to torrent a file called, no joke, [BigTitsRoundAsses] 17.12.14 - Jazmyn [1080p], he ended up with a remote access trojan. However, crypto research project Rug Pull Finder tweeted, "Bruh - why is the attackers wallet funded by you then".

It's not immediately clear from the statement whether the activities that led to the arrest involved more than just contributing to the Tornado Cash codebase, but it would be very concerning if not. There are complexities around the sanctioning of Tornado Cash — a fairly decentralized software project — that raise concerns about the criminalization of code. For many, it brings to mind the "Crypto Wars" (where "crypto" is referring to cryptography rather than cryptocurrency).

This came as a shock to some crypto enthusiasts, who were taken aback that such a large number of blocks in a "decentralized" and "censorship-resistant" project would reject Tornado Cash transactions. Others worried that more miners would do the same, which could eventually prevent Tornado Cash transactions from being validated at all.

On August 11, about a year after the Kickstarter launched, the creators posted an update: they would be pausing development and putting the project on hold because they had run out of money. "We leaned into the crypto market and expanded rapidly off the back of the positive interest. When the crash came, we ended up heavily exposed with too short of a runway."

Project backers were not impressed by this announcement, with many asking for refunds — which the developers had promised if the game never launched. However, the game developers wrote that "Due to our cash reserves being empty, we are not in a position to refund our initial backers."

"Really disappointed by this- I put money into funding this game to back a game, not to throw money into the crypto market," wrote one backer. "Gutted and to be honest pretty appalled," wrote another.

Daniel Roberts, CEO of Decrypt, wrote on Twitter that they had used Mailchimp for more than four years, but that the company had "deactivated our newsletter account with no warning or explanation".

Mailchimp's acceptable use policy bans businesses offering "Cryptocurrencies, virtual currencies, and any digital assets related to an Initial Coin Offering". It's listed among other industries that they identify as having "higher-than-average abuse complaints, which can jeopardize deliverability" including work-at-home scams, make money online, and lead generation opportunities; gambling services or products; and multi-level or affiliate marketing. In an email reportedly sent to Friedland regarding his suspension, Mailchimp wrote, "We cannot allow businesses involved in the sale, transaction, trading, exchange, storage, marketing, or production of cryptocurrencies, virtual currencies and any digital assets."

In April, Mailchimp had experienced a security breach in which audience data was taken from around 100 accounts in finance and crypto-related industries.

Some have praised the change as a good step towards preventing false reports, whereas others have complained that the change does not apply retroactively to assets that have already been frozen from trading on the platform. Others have raised concerns about the new requirement that they engage with police.

While the choice could be chalked up to the end of an A/B test, some legal experts have expressed concern about the sudden and unannounced change in behavior: "It's potentially illegal... This seems straight up deceptive. They said we'll email you price alerts and then stopped doing it without saying they were [going to stop]." He also noted that even if a customer didn't sue for damages, depending on the number of users who saw the alerts, "if they caused harm to people who didn't sell crypto that they would have sold, that is potentially actionable by regulators." Another expert observed that a traditional brokerage firm would likely be penalized by FINRA if they did something similar.

CEL enjoyed an all-time-high of around $8 in June 2021, but has been trading for less than half that for this year. The token hit $0.15 on the day Celsius announced they would be pausing withdrawals, but has, oddly, recently spiked above $2. Some have attributed this to the ill-advised attempts at a short squeeze by a group of people who believe that exchanges are somehow running out of CEL tokens to provide to short-sellers, and that a properly-coordinated short squeeze could somehow realistically send the token to $100. Protos did a useful explainer on why this is unlikely to work, but those pushing the idea have a fervency not unlike what was seen with those pushing the GameStop short squeeze, and enjoy dismissing those who question the strategy as "CEL shorters" who are trying to ruin any chance of a Celsius recovery.

All the same, Mashinsky can possibly thank the short squeeze folks for helping him pump his bags, and sell off a pile of tokens for over 10x more than what he previously could have.

Elliptic singled out the RenBridge chain in particular, saying that at least $540 million in funds linked to crimes have been moved through the bridge in the last two years. $153 million of this, they say, originated from ransomware plots, and $53 million is allegedly linked to the Russia-based group behind the Conti ransomware.

Hotbit announced the suspension on Twitter with a GIF of a crying Anya from the anime series Spy × Family which, despite demonstrating their good taste in shows, does not seem like it would exactly inspire confidence among customers.

As tends to happen with insolvent exchanges, they are hoping to "compensate" their depositors with a mix of CoinFLEX-issued tokens and equity, rather than actual money or more liquid, established cryptocurrencies.

Their announcement began by saying, "We would like to inform you about an important development that does not affect our services, funds or investments with Nuri," and throughout the post they stressed that customer funds were safe.

Nuri blamed the insolvency on everything from "the ongoing after-effects of the Corona pandemic" to "the economic and political uncertainties in the markets after Russia's invasion of Ukraine" to the more recent crypto bear market.

On October 18, the company announced they would be shutting down after failing to find someone to acquire the company. They asked customers to withdraw their funds by December 18. Unlike many of the services that faced insolvency crises this summer, Nuri is closing without any loss of customer funds.

Curve acknowledged the apparent exploit, tweeting at the iwantmyname domain platform to say they believed the issue was on their end. Around an hour after the issue was widely noticed, Curve announced the "issue has been found and reverted", and to use the alternate Curve Finance domain until DNS changes propagated for the affected domain. They also urged users to revoke any recent contract approvals they'd made on the Curve platform.

FixedFloat tweeted that they had been able to freeze 112 of the stolen ETH (~$192,000) that had been transferred to their platform. Binance later announced that they'd recovered the remaining stolen funds, with founder CZ tweeting, "The hacker kept on sending the funds to Binance in different ways, thinking we can't catch it. 😂"

The celebrities who received letters from TINA were Drake Bell, Tom Brady, DJ Khaled, Eminem, Jimmy Fallon, Paris Hilton, Eva Longoria, Madonna, Floyd Mayweather, Meek Mill, Von Miller, Neymar, Shaquille O'Neal, Gwyneth Paltrow, Logan Paul, Snoop Dogg, and Timbaland.

Tornado Cash is the most prominent cryptocurrency tumbler (or "mixer") and has been used in a multitude of instances to launder proceeds from cryptocurrency hacks and scams. In a press release, the Treasury Department named the North Korea-sponsored Lazarus Group's $625 million hack of Axie Infinity in March, the $100 million theft from Horizon Bridge in June, and the $190 million hack of the Nomad bridge in August as contributing to the decision.

Although Tornado Cash had claimed to be complying with sanctions in the wake of the Axie hack, the Treasury Department wrote in their press release that, "Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks".

Tornado Cash is also widely used to maintain privacy in a world where transactions are publicly visible, and it remains to be seen how the cryptocurrency ecosystem will react to this major development. Tornado Cash is also relatively decentralized in its operations, meaning it may be difficult for the sanctions list to be kept up to date and for the sanctions to be enforced.

The fallout from the sanction was swift: in the days following the action, Tornado's source code repository was removed from Github and the accounts of some of its developers were suspended; the project's Gitcoin funding page was taken down; and the project's own website, governance pages, and Discord server went offline.

A press release from Riot proudly announced that "Riot curtailed a total of 11,717 megawatt hours in July, enough to power 13,121 average homes for one month", as though it is acceptable that they are normally using this amount of electricity solely to churn out Bitcoins.

They also wrote that "When applied to anticipated power costs for the month, the power credits and other benefits are expected to effectively eliminate Riot's power costs for July" — meaning that Texas residents are effectively subsidizing the cost of Bitcoin mining whether they like it or not. Meanwhile, the Texas Tribune and The Dallas Morning News report that many Texans are paying 50–70% more for electricity than this time last year.

In an FAQ attached to the announcement, Hodlnaut told users that "it will not be a short process" to re-enable withdrawals and token swaps.

Despite a 2019 blog post by Binance titled, "Binance Acquires India's Leading Digital Asset Platform WazirX to Launch Multiple Fiat-to-Crypto Gateways", Binance CEO Changpeng Zhao ("CZ") tweeted that "Binance does not own any equity in Zanmai Labs, the entity operating WazirX", and that besides wallet services and an off-chain transaction integration, "WazirX is responsible all other aspects of the WazirX exchange". These statements were disputed by Nischal Shetty, the founder of WazirX, who stated in no uncertain terms that WazirX was acquired by Binance. "Binance owns WazirX domain name. Binance has root access of AWS servers. Binance has all the Crypto assets. Binance has all the Crypto profits", Shetty wrote on Twitter.

The project launched only days before it rug pulled. On August 7, the $DMA token dropped in price over 99% as funds were removed from the project and moved to exchanges. According to CoinDesk, around $3.5 million was taken. The project's website, Telegram channel, and Twitter accounts were all taken offline.

Someone apparently decided this was perfect material for an NFT project, which they named "Made In Uyghur". They took 100 images from the database, clumsily projected them onto 3D-rendered human models in a T-pose, and listed them for $25 apiece.

Upon becoming aware of the NFTs, the Xinjiang Victims Database updated their site licensing to CC BY-NC, a Creative Commons license that forbids commercial reuse. "Commercial use of the data, including images of victims, is not okay", they wrote on Twitter, "[Made In Uyghur] never contacted us about this".

The project developer suddenly sold off their share of the coin for around 1355 WBNB (~$442,000), sending the coin price plummeting by more than 68% as a result.

Now, Beanstalk is re-launching, saying they've made changes to their governance model and security practices, and have received audits from two major firms.

In June, the project creator stated that "The thing about a system like Beanstalk is that it works until it doesn't. You can never actually know if it works, only that it has worked so far."

Galanis wrote on Twitter that he "Just got my Apple ID hacked". Although he didn't offer more details on how he had determined iCloud was to blame, it's likely he's referring to an attack vector where MetaMask automatically backs up users' seed phrases to iCloud unless it's disabled, meaning that a hacker who successfully accesses a person's iCloud account can also compromise any of their MetaMask wallets. The same type of attack saw a user lose $650,000 in April, and brought wider attention to the app's behavior.

By manipulating the timestamps of blocks to be added to the chain, a miner can replace other miners' main-chain blocks with their own blocks, obtaining the fees that would have gone to the other miners. The attack has been called an "Uncle Maker" attack because Ethereum refers to valid but not main-chain blocks as "uncles".

F2Pool co-founder Chun Wang responded on August 8 to the allegations against his mining pool, apparently acknowledging their behavior and suggesting that manipulating a vulnerability in a system is not a "blatant disregard [of] the rules" as the researchers had characterized it. He tweeted: "We respect the *consensus* as is. If you don't like the consensus, convince [Ethereum developer Tim Beiko] to send me another Announcement and change it." Quote-tweeting a tweet by the lead author of the paper who described F2Pool's technique, he wrote, "I can't stop appreciate this elegant implementation of what we've done over the past two years... A robust system must withstand all kind of tests."

The ED wrote in a press release, " ED found that large amounts of funds were diverted by the fintech companies to purchase crypto assets and then launder them abroad...(a) maximum amount of funds were diverted to WazirX exchange and the crypto assets so purchases have been diverted to unknown foreign wallets".

In an unpublished blog post where he confessed to his deception, he wrote, "I believe it contributed to the dramatic rise of SOL". He wrote the post shortly after one of his persona's projects, Cashio, was hacked for $52 million, but apparently shelved it.

Ian Macalinao's brother Dylan, the other co-founder of Saber protocol, aided in the scheme by lending credibility to Ian's various personas to those who had doubts about trusting money to projects led by pseudonymous individuals.

All told, Ian Macalinao was responsible for the Saber protocol, the Protagonist VC firm and incubator, and Ubeswap under his real name. He created Sunny Aggregator as Surya Khosla, Cashio as 0xGhostchain, Goki as Goki Rajesh, Quarry as Larry Jarry, TribecaDAO as Swaglioni, Crate as kiwipepper, aSOL as 0xAurelion, Arrow as oliver_code, Traction.Market as 0xIsaacNewton, Sencha as jjmatcha, and VenkoApp as ayyakovenko.

However, that was not the address that CoinGape published in their article titled "Breaking: Nomad Announces ENS Address And Bounty For Returning Funds" article, which was syndicated to Binance's news feed. Instead, they indicated that people should send funds to a different address, a scammer who had been sending on-chain messages to various people who took money out of Nomad during the exploit, asking they return it.

Although CoinGape removed the article fairly quickly, it remained live on Binance's site for over an hour. Fortunately, it doesn't appear anyone besides the writers have fallen for the scam, as no cryptocurrency has been sent to the address.

ZB announced that they were suspending deposit and withdrawal services due to "sudden failure of some core applications".

Robinhood CEO Vlad Tenev wrote, "Since that time, we have seen additional deterioration of the macro environment, with inflation at 40-year highs accompanied by a broad crypto market crash. This has further reduced customer trading activity and assets under custody. Last year, we staffed many of our operations functions under the assumption that the heightened retail engagement we had been seeing with the stock and crypto markets in the COVID era would persist into 2022."

The announcement came the same day that Robinhood was fined $30 million by the state of New York for insufficient anti-money laundering and cybersecurity protections in the crypto portions of their offering.

Unfortunately, that treasury strategy — which in his case also includes taking on more debt to buy more Bitcoin — is not currently working out so well for MicroStrategy, which reported a $918 million impairment charge on their Bitcoin holdings in their most recent earnings report. Saylor stepped down as CEO the same day.

Robinhood Crypto had certified to the DFS in 2019 that they were in compliance with those regulations, despite the fact that they were not. The DFS imposed a $30 million fine to the company, and also ordered them to hire an outside party to evaluate their regulatory compliance and efforts to remediate the problems with their platform.

Shortly after the exploit, Reaper Farms announced they plained to raise capital via "the sale of vested $OATH tokens from our treasury with desirable terms", which would then be used alongside other assets in their treasury to compensate users.

Users deposited their money into projects running on the Ethereum, Tron, and Binance blockchains, and earned rewards for recruiting others to the scheme. The project also used payments from newer investors to pay out earlier investors — a Ponzi scheme.

Those players have certainly learned something about crypto, as the league informed them that they're not likely to get the funds they were promised after Voyager Digital filed for bankruptcy in early July.

Nomad posted on Discord and tweeted that they were "aware of the incident" and "investigating", but the attack was ongoing over an hour after the acknowledgement.

Four days before the attack, Nomad announced that they'd raised a $22.4 million seed round from investors including Coinbase, OpenSea, and Crypto.com.