This attack was executed similarly to the Mango Markets exploit a week prior. Moola Market tweeted that they had "contacted law enforcement and taken steps to make it difficult to liquidate the funds. We are willing to negotiate a bounty payment in exchange for returning the funds within the next 24 hours." The attacker did eventually return 93% of the funds, keeping the remaining $588,000 as a "bug bounty".
Needless to say, there were more than a few questions around the legal and tax ramifications of this. Some of the more crypto-minded spoke excitedly of "the ability to easily fractionalize your properties or take loans against it in a decentralized way" that this might unlock, while the rest of us were left wondering what a defi loan default and foreclosure would look like.
As much as I agree the real estate system could use some improvements, introducing the ability for someone to hack my crypto wallet and take my house is not quite what I had in mind.
Much-anticipated "speedy" Aptos chain launches, processing 4 transactions per second and with 80% of tokens allocated to insiders
This was not the only criticism of Aptos upon launch. The Aptos token was quickly put up for sale on exchanges including FTX and Binance, but Aptos had not yet published information about their tokenomics — leaving would-be investors trying to make decisions about whether to purchase a token about which they couldn't find even basic information. Once the tokenomics were published, people expressed concerns about the distribution: 80% were allocated to the team and investors and staked, enabling them to dump the staking rewards on retail investors.
According to Rotunda, there is an ongoing investigation by the TSSB into whether FTX has been offering unregistered securities to United States residents in the form of yield-bearing accounts. He alleged that despite FTX's claimed attempts to segregate US users onto the separate FTX.US exchange, the software makes no apparent attempt to do so, and that FTX offered yield-bearing accounts to customers who had signed up with a U.S. address — potentially in violation of securities laws.
Rotunda submitted the filing in the Voyager bankruptcy case to argue that FTX should not be permitted to buy Voyager's assets until they have been determined to be compliant with securities law. He wrote, "[FTX yield-bearing] products appear similar to the yield-bearing depository accounts offered by Voyager Digital LTD et al., and the Enforcement Division is now investigating FTX Trading, FTX US, and their principals, including [FTX CEO] Sam Bankman-Fried."
This is the second hack in October of the swap functionality of a crypto wallet, with Transit Swap suffering a $21 million hack on October 1 — although in that case, the attacker subsequently returned a large portion of the stolen funds.
Some supporters of Syntropy have questioned the team's decision to take a deal like this from a VC firm after the firm claimed to be fully funded, and without communicating with the community. Others questioned how the deal could have possibly gone so wrong in the way Syntropy claimed.
This 51% threshold doesn't pose an immediate threat to Tornado Cash users, because even validators that censor transactions will still attest to the validity of blocks created by non-censoring validators. However, if 51% or more of validators were to also stop attesting to non-censored blocks, they would no longer be able to be added to the chain.
Amusingly, one of the transactions by the hacker was frontrun by a MEV bot known as 0xa57, which made a tidy 480 ETH (~$623,000) from the attack. The second transaction succeeded, landing the attacker 268 ETH (~$348,000). According to a MEV researcher, 0xa57 has been known to return funds that were obtained as a result of a hack.
Now that year mark is approaching, and a report from Rekt alleges that DAO Maker is trying to wiggle out of their promises through a governance vote, which they've framed as trying to "prevent major $DAO DUMP from USDR distributions". Meanwhile, they've deleted the post that explained the original distribution plan.
Most members of the DAO today were not affected by the attack, and so stand to benefit from not honoring the payout. One voting option suggests that these users "had their chance" to cash out their USDR, apparently ignoring that people were holding out for the promised 110% redemption.
Some whistleblowers have also claimed that team members have recently moved large quantities of DAO tokens to various wallets to vote. Some have also claimed that those team members recommended buying USDR tokens several months ago for below $1.10, as a safe arbitrage opportunity when they became redeemable for that amount.
On October 11, a crypto developer advocate wrote a thread about the group, starting by saying "Most of the members of Blu3DAO are great people working towards a good cause. Despite this, there have been things around their finances that I personally have found questionable. I've refrained from calling them out & it's something that has bothered me for a long time". She went on to allege that the group had solicited over $1 million in grant money from the Harmony community, misusing a personal relationship with a member of Harmony to continue to obtain grant funding while the group had paused grant allocations, and using funds to personally benefit the founders.
"I run an organization dedicated to advancing womens & nb ppls careers. And this type of grifting only hurts everyone," wrote the developer advocate in her Twitter thread. She also wrote, "In the coming days they'll post some fraudulent report clearing them from wrongdoing. They're running an elaborate scam with many wallets. One of them is literally married to a decision maker at harmony. Lmaooo. Fuck the[m] scammers"
Blu3DAO's founders responded to the allegations by claiming that they had only ever received $75,000 of the $1 million they were committed by Harmony, and that the funds were still in the DAO treasury. They also claimed that the Blu3 DAO members were never paid for their work, and that the money from Harmony was "flow-through reimbursements for scholars/hackers' travel expenses".
The man in the photo subsequently tweeted his version of events, in which he described encouraging the woman and her friends to jump up while taking a 3D photograph, and then giving them a thumbs-down gesture when they reacted in annoyance to him. He then claimed that they harassed him by stalking him throughout the conference and posting his photo online with vague allegations of harassment.
The woman later elaborated on the event that had precipitated her report to Devcon staff, saying the man had been "verbally boo'ing and taunting us" at the photo booth.
It's a little unclear what actually happened at the event and who is at fault, something I don't intend to speculate on as a complete outsider. However, what's not unclear is the reaction from some people in the crypto community, who have used the incident (and their belief that the woman fabricated the harassment story) as evidence that all women, people of color, and "wokeness" are a blight on the crypto space. Various crypto enthusiasts have used the opportunity to denigrate what they view as a general issue of "feminazis", "purple hairs", or "SJWs" in crypto, and DAOs that aim to encourage gender minorities to engage with crypto. "Letting SJWs infiltrate into crypto was a huge mistake", wrote one person. "This is the woke crowd we didn't have to deal with last cycle. They came into crypto with their distorted vision of everything. [Crypto Twitter] got your back, mate."
The OFAC sanction was imposed due to 116,421 reported sanctions violations in which Bittrex failed to prevent people in Crimea, Cuba, Iran, Sudan, and Syria from using their service. In total, these prohibited individuals performed more than $263 million in transactions on the platform.
The FinCEN fine was imposed due to "willful violations" of the Bank Secrecy Act's requirements pertaining to anti-money laundering (AML) and suspicious activity reports.
Mango Markets posted on Twitter to urge users not to deposit into the project, and asked the hacker to contact them "to discuss a bug bounty". The hacker had their own plans, instead submitting a governance proposal in which they would return $46 million of the stolen funds (keeping $70 million) in exchange for a promise that the protocol would not try to freeze the assets or pursue criminal charges. The hacker then used their 32 million governance tokens to vote in support, but ultimately were not able to get the proposal to pass. A different proposal with largely the same terms, but which left the attacker with only $47 million of the stolen funds, passed shortly after.
On October 11, the QANX Bridge's deployer wallet was compromised thanks to the vanity address generator bug. Although QAN had not directly used the Profanity project to generate the address, they used a project called vanity-eth-gpu, which had derived its code from Profanity and so inherited the bug. QAN is a layer 1 blockchain that claims to be quantum-resistant.
The thief stole 1.44 billion QANX from QANX's BNB Chain bridge, which they traded for 3,090 BNB (~$837,000) and tumbled through Tornado Cash. One minute later, they drained 1.43 billion QANX from QANX's Ethereum bridge, traded it for 255.4 ETH (~$327,000), and tumbled it as well. In total, $1.16 million was cashed out via Tornado. News of the attack, and the attacker's sell-off, caused the QANX price to plummet by 94%.
The attacker still holds more than 1 million QANX, nominally worth $608,000. However, QAN withdrew liquidity for the project on Uniswap and Pancakeswap, which will make it more difficult for the attacker to sell off their remaining tokens.
This was the second theft affecting the QAN platform this year. In May, an attacker stole 4.4 million QANX, which they traded for 370 ETH (valued at ~$707,000 at the time).
The attack impacted assets on multiple chains. The attacker tumbled 114 ETH (~$146,000) through Tornado Cash shortly after the hack, along with 179 BNB (~$48,500). The full extent of the attack is still being measured. The buggy contract that enabled the attack had been audited by blockchain security firm PeckShield, but the vulnerability had apparently gone undetected.
Although CNN claimed in their shutdown announcement that "Vault was originally launched as a 6-week experiment", CNN had not mentioned that the project was an experiment that was expected to possibly end. As recently as last month, Vault had been teasing upcoming events scheduled around election day in November, and encouraging users to buy more Vault NFTs to access the upcoming drops.
As an apparent attempt to placate angry users worried that the value of their NFTs might drop, CNN promised to return "either FLOW tokens or stablecoins" for "roughly 20% of the original mint price". However, the project is built on the Flow blockchain, where users can only withdraw stablecoins $10 at a time — and with a $4 fee on each withdrawal. Some angry users in the project's Discord channel threatened legal action, claiming that CNN had rug pulled.
Poor access control on a function in the smart contract allowed them to withdraw 321,155 xLP tokens, which they subsequently converted to 1,831 ETH (approximately $2.34 million).
This amount represents about 4% of the assets in the TempleDAO protocol. STAX replaced its homepage with a "disclaimer" about the hack, took down the project's dApp, and urged people not to deposit into the STAX contracts.
Yuga Labs is the company behind the Bored Apes NFTs and spinoff projects (Mutant Apes, and Bored Ape Kennel Club), and in March also acquired the blue-chip NFT collections CryptoPunks and Meebits.
A probe does not necessarily mean that Yuga has violated the law, but such an investigation could have major ramifications for the world of NFTs.
TrueFi claims the default is not a major risk to them, making up 2% of the platform's total value outstanding. They announced that the loan was "currently in an active restructuring to maximize recovery for affected BUSD lenders".
NFT trader Laszlo_btc went to swap his Bored Ape #8274 for another Bored Ape after reaching a deal with someone he met on Discord. He opened up Sudoswap to do the swap, but was tricked into trading his pricey NFT for a worthless NFT that was disguised to look like a Bored Ape. This is how Laszlo was scammed out of his first Bored Ape, which he'd only purchased three days prior, for 80 ETH (~$108,000). The scammer quickly flipped the NFT for around 70 ETH (~$92,000).
Realizing he'd been scammed, Laszlo went to revoke the permissions he'd granted in case he'd opened himself up to other thefts. However, instead of using the real permission revocation service Revoke.cash, he ended up using a phishing site: Revokecash.net. Only fifteen minutes after the first theft, six more Bored Apes were transferred out of his wallet.
Altogether, Laszlo had paid over $1.9 million for the collection of seven apes, which he purchased between January and October 2022. The priciest was Bored Ape #2951, which he bought for 173 ETH on May 1 — at the time, $490,000. The two sets of scammers quickly flipped all the NFTs, selling them for a total of $608,000.
Not only that, the most users Decentraland has ever had in one day is only 675; The Sandbox had 4,503 at one point.
Celsius exposes the names of all customers and their recent transactions in court filing – including their execs
Among those listed in the court filing were Alex Mashinsky, his wife Krissy, and various other executives. The records show that Mashinsky withdrew $10 million from Celsius shortly before the company's collapse, and his wife withdrew another $2 million. Chief Strategy Officer Daniel Leon also withdrew $7 million.
Binance CEO Changpeng Zhao ("CZ") tweeted that "An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC." A BSC developer later confirmed that "we coordinated with validators to temporarily suspend BSC after having determined an exploit on a cross-chain bridge, BSC Token Hub- which resulted in extra BNB". The value of the $BNB token dropped from $293.10 to $280.40 after the news.
The chain operators and CZ seemed to feel a little awkward about the ramifications of unilaterally deciding to halt a supposedly decentralized blockchain. CZ claimed he was asleep and that the chain had already been halted by the time he woke up. The BSC team published a blog post saying that "Decentralized chains are not designed to be stopped, but by contacting community validators one by one, we were able to stop the incident from spreading. It was not that easy as BNB Smart Chain has 26 active validators at present and 44 in total in different time zones. This delayed closure, but we were able to minimize the loss." They also promised to try to decentralize the project even further going forward.
South Korea reportedly freezes $39.6 million in crypto belonging to Terra founder Do Kwon, Kwon says it isn't his
Kwon claims that the report is a "falsehood", and "I don't know whose funds they've frozen". This joins his other claims, such as that he is "not 'on the run' or anything similar" (he is), and that Interpol didn't issue a red notice for him (they have).
According to the protocol, their developers "were able to identify and recover funds as the attacker was attempting to withdraw the funds". They have also announced that Exchequer, the project's treasury committee, would "reinject" the remaining stolen funds.
- "Bitcoin Defi Protocol Sovryn Gets Hacked for Over $1 Million", CryptoPotato
- "Interim Exploit Update", Sovryn
- "Non-Payment of Federal Income Tax on Cryptocurrency Earnings Leads to Conviction for South Florida Resident", U.S. Attorney's Office of the Southern District of Florida
SEC Chair Gary Gensler said, "Ms. Kardashian's case also serves as a reminder to celebrities and others that the law requires them to disclose to the public when and how much they are paid to promote investing in securities".
Kardashian is also named in an ongoing class action lawsuit pertaining to the EthereumMax project, along with Floyd Mayweather and Paul Pierce.
- "SEC Charges Kim Kardashian for Unlawfully Touting Crypto Security", U.S. Securities and Exchange Commission
Multiple cryptocurrency security companies collaborated to investigate the hack shortly after it occurred. Transit Swap announced that "through the joint efforts of the SlowMist security team, the Bitrace security team, the PeckShield security team, the TokenPocket team and the TransitFinance technical team, we now have a lot of valid information such as hacker's IP, email address, and associated on-chain addresses." They subsequently announced that the attacker had returned around 70% of the stolen funds ($14–$15 million).
NFT trading fantasy league emerges to provide traders with the "sweet adrenaline" of flipping NFTs that they're missing in the bear market
A validator operator reported that "It appears a misconfigured node caused an unrecoverable partition in the network." It's a bit startling that, in a supposedly decentralized network, one single node can bring the entire network offline.
In a text sent to his brother, Musk wrote, "I have an idea for a blockchain social media system that does both payments and short text messages/links like twitter. You have to pay a tiny amount to register your message on the chain, which will cut out the vast majority of spam and bots. There is no throat to choke, so free speech is guaranteed." In another message, to the president of his Boring Company, Musk narrowed in on an amount: 0.1 Doge per tweet or retweet. At today's prices, at 0.1 Doge per tweet, 1¢ would buy you about 160 tweets.
Musk's idea that there is some magical amount of money that ordinary people are willing to pay to send out a tweet or a retweet, but that spammers are not willing to pay to spam, seems preposterous. And given that "free speech is guaranteed" and blockchains are immutable, he would really need to hope that he finds this amount, because otherwise there's going to be a lot of spam permanently stored on Web3 Twitter.
As with many of Musk's ideas, the idea for a blockchain-based "free speech" social network is not new. On one of the more popular such services, BitClout, the home page shows posts such as "are there actually real ppl here, or only 'marketing' and ai-generated art?" It costs $0.01 to create a profile or to begin a tutorial on how to use the site. Out of the list of ten top-ranked creators on the site, the top two (Elon Musk and Naval Ravikant) haven't even signed up yet, and another five haven't posted in months.
Musk appeared to later toss out his blockchain social network idea, though not for spam reasons: "Blockchain twitter isn't possible, as the bandwidth and latency requirements cannot be supported by a peer to peer network, unless those 'peers' are absolutely gigantic, thus defeating the purpose of a decentralised network".
One hour later, a hacker exploited a vulnerability in the bad code of 0xbadc0de, which allowed them to withdraw all of the ETH in the contract: not just the ETH they'd recently earned in the huge trade, but all 1,101 ETH (~$1.5 million).
The bot operator subsequently sent a message to the thief via an Ethereum transaction, writing that if the thief returned the funds, they would give them 20% as a "bounty". Otherwise, they wrote, "we will have no choice but to pursue accordingly with everything in our power with the appropriate authorities to retrieve our funds". The thief replied by mimicking the message, writing, "What about normal people who you have mev'ed and literally fucked them? Will you return them?" and suggesting that if they returned all of the funds they'd extracted, the thief would pay them 1%.
- "RIP MEV BOT", Rekt
So far, the stunt has resulted in two NFTs being minted by outside parties, for total proceeds of 7 ETH (~$9,400) — not quite the millions the drawing allegedly cost the NFT project creator. Meanwhile, Mexican authorities have said they are investigating whether the businessman committed a crime in intentionally damaging an artistic monument.
Now, Genesis' managing director has stepped down after five years. Kraken CEO Jesse Powell relinquished his title, planning to remain at the firm as a chairman. Alex Mashinsky has resigned as the CEO of Celsius Network in the midst of bankruptcy proceedings. And FTX US president Brett Harrison will also be stepping down.
- "Genesis director to step down and move into advisory role", Cointelegraph
- "C.E.O. of Kraken, the Cryptocurrency Exchange, Steps Down", The New York Times
- "C.E.O. of Celsius, the Crypto Bank, Resigns", The New York Times
- "Brett Harrison will step down as FTX US president, move into advisory role", Cointelegraph
Nexo had previously been warned to stop offering services in New York state and to register under securities regulations, but hadn't done so. Several states called into question Nexo's "real-time audit", which they describe as bogus. Kentucky also noted in their lawsuit that when the company's holdings of their own $NEXO token was taken out of the equation, the company appears to be insolvent.
On September 25, Falovitch tweeted "I got hackled last night on Opensea. Apes, doodles, eth. It's not pretty." Four NFTs had been stolen from his wallet — two Doodles, and a Mutant and Bored Ape — along with 6 ETH (~$7,750). The Mutant and Bored Apes were both resold, for 15.99 ETH (~$20,700) and 82.69 ETH (~$107,000) respectively. Factoring in Doodle floor prices, the hacker is looking at at least $150,000 in profit.
The loss, however, is larger for Falovitch, who spent ~$377,000 on the four NFTs based on the price of ETH at the times of purchase. Falovitch tweeted after the hack, "Now I'm over $1M hacked in ETH and NFTs." It's not clear if he's referring to other wallets he may control that were compromised, previous hacks he's suffered, or if he's massively overestimating the value of the stolen NFTs. He also tweeted that he discovered his car was broken into as he went to drive to the police department to report the NFT thefts.
Well-known crypto researcher zachxbt, who is known for helping victims of wallet hacks recover their assets, tweeted to Falovitch: "Karma for all of the people you rekt with the scams promoted on your Instagram page. Definitely won't be tracking this one."
The press release stated, "Based on its recent experiences with cryptocurrencies, the IRS has strong reason to believe that many virtual currency transactions are not being properly reported on tax returns."
- "IRS Obtains Court Order Authorizing Summons For Records Relating To U.S. Taxpayers Who Failed To Report And Pay Taxes On Cryptocurrency Transactions", U.S. Attorney's Office, Southern District of New York
This will certainly be interesting to watch. DAOs — decentralized autonomous organizations — are a popular form of web3 project governance where (typically) anyone who holds the governance token can vote on the actions of the DAO. There is little precedent in the way of filing charges against a DAO, and DAOs often don't have the liability protections of more traditional organizational structures.
- "CFTC Penalizes Blockchain Protocol $250K, Files Action Against Successor DAO", CoinDesk
- "CFTC Imposes $250,000 Penalty Against bZeroX, LLC and Its Founders and Charges Successor Ooki DAO for Offering Illegal, Off-Exchange Digital-Asset Trading, Registration Violations, and Failing to Comply with Bank Secrecy Act", CFTC
In one, he conned two victims for $1.7 million by claiming to sell a powerful Bitcoin miner that didn't exist; instead, a fake machine in the office was connected to a monitor displaying prerecorded video to make it appear as though the machine was mining cryptocurrencies.
In another, he created a business he claimed would "Bank the Unbankable" by providing financial services to people who couldn't access them. Instead, the millions of dollars were spent on unrelated businesses.
- "Spanish Fork Man and His Two Businesses Charged with Wire Fraud and Money Laundering Offenses", U.S. Attorney's Office, District of Utah
- "Utah Man Charged With 7 Felonies in Connection to Alleged $1.7M Crypto Mining Scam", CoinDesk
Coinbase has refuted the WSJ claims in a blog post, accusing the paper of confusing "client-driven activities" with prop trading. In a statement to the WSJ, published in the article alongside the allegations, a Coinbase spokesperson said that "Coinbase does not, and has never, had a proprietary trading business. Any insinuation that we misled Congress is a willful misrepresentation of the facts".
So far, the court has seized two McLarens, two BMWs, and a Lamborghini — only a few cars out of the eleven luxury cars Pleterski owned, plus another four he was renting. Investors have also asked about the $45,000-a-month lakefront mansion he was renting in Ontario, watches, and gold bars, hoping they could be liquidated to repay some of his debts.
Pleterski had promised investors that he would invest on their behalf, taking 30% of any capital gains, with a goal of achieving 10–20% gains biweekly. He also promised that any loss on the initial investment would be paid back in full. Pleterski had made some money in crypto as a teenager, but according to him, he lost most of the money he was given to invest in late 2021 and early 2022 "in a series of margin calls and bad trades". An investor claims that at one point, he was given pictures and videos of financial statements showing an account with $311 million, but when he checked with the company supposedly maintaining the account, they said they had no accounts with that kind of funds. So far, the court and investors alike have struggled to untangle Pleterski's mess — according to him, he was unorganized and didn't track his finances or debts.
Wintermute hasn't disclosed more about the attack, but it's possible that the hacker may have exploited the vulnerability in the vanity wallet address generator Profanity, which was disclosed five days prior. The crypto asset vault admin had a wallet address prefixed with 0x0000000, a vanity address that would have been susceptible to attack if it was created using the Profanity tool.
This is the second incident involving Wintermute in the past few months. In June, the group provided the wrong wallet address to the Optimism project, and Optimism sent 20 million OP tokens to a non-existent address. Another person noticed the error before they did and was able to take the tokens. They ultimately returned 17 million of the tokens to Wintermute, keeping the rest as a "bounty". $OP have been trading at around $1 as of mid-September.
The United States Securities and Exchange Commission filed an emergency action to stop the fraud and freeze assets, which was granted on September 29, 2022. The SEC then filed a complaint against the company and its leaders Mauricio Chavez and Giorgio "Gio" Benvenuto. The SEC alleged CryptoFX had raised at least $12 million from 5,000 investors, which ostensibly would be put into crypto markets but instead was primarily used to "fund [Chavez's] real estate company and extravagant lifestyle".
- "SEC Halts Crypto Asset-Related Fraud Victimizing Latino Investors", United States Securities and Exchange Commission
The SEC also charged crypto influencer Ian Balina for his involvement with the scheme. He allegedly accepted a 30% bonus on the $5 million worth of SPRK tokens he purchased in an agreement to promote the project on YouTube, Telegram, and other channels, but did not disclose his compensation. He also organized an investing pool with more than 50 investors, and also didn't register it with the SEC. Balina had advertised that he could help people "make millions with initial coin offerings".
- "Sparkster to Pay $35 Million to Harmed Investor Fund for Unregistered Crypto Asset Offering", U.S. Securities and Exchange Commission
- U.S. SEC v. Ian Balina
A spokesperson from FTX said they believed that "a scammer is impersonating FTX", which they said they thought led to the warning. However, the statements in the warning are accurate: FTX is not registered with the FCA, and they serve UK customers.
- FTX, Financial Conduct Authority
- "UK Regulator Issues Warning on Crypto’s FTX to Consumers", Bloomberg
The trader ended up with a worthless counterfeit and a measly 0.5 ETH for his pricey NFT. The scammer quickly flipped the real Mutant for 13.5 ETH, making a tidy $17,500 profit.
A whale was able to take advantage of this "feature" by taking large positions in AVAX, the token belonging to the Avalanche blockchain, which has relatively low liquidity compared to larger tokens like Bitcoin or Ether. The whale then manipulated the price by making large trades on a centralized exchange, taking an estimated profit of between $400,000 and $450,000 after fees.
Some had publicly expressed concerns about the possibility of such an exploit earlier in September: Taureau, a founder of another decentralized exchange, had outlined the possibility of an exploit like this on a podcast episode on September 1.
GMX responded to the incident by capping the size of positions that users can take on AVAX. Another project, MM.Finance, announced they would be pausing order execution on their MadMex platform, which is a fork of GMX.