SEC files emergency action to stop CryptoFX scam

CryptoFX is a crypto-based scheme targeted specifically to Latines, promising to invest its victims' assets in cryptocurrencies and teach its customers how to trade crypto. It also reportedly functioned as a pyramid scheme, using a "referral program" to incentivize people to recruit friends, family, and people in their communities.

The United States Securities and Exchange Commission filed an emergency action to stop the fraud and freeze assets, which was granted on September 29, 2022. The SEC then filed a complaint against the company and its leaders Mauricio Chavez and Giorgio "Gio" Benvenuto. The SEC alleged CryptoFX had raised at least $12 million from 5,000 investors, which ostensibly would be put into crypto markets but instead was primarily used to "fund [Chavez's] real estate company and extravagant lifestyle".

Sparkster settles for $35 million with the SEC; SEC charges crypto influencer

The firm Sparkster and its CEO Sajjad Daya settled with the U.S. SEC after a cease-and-desist arguing that Sparkster sold securities worth at least $30 million without registration. The firm and Daya agreed to settle with the SEC, and will pay more than $35 million to a fund that will be distributed to the investors who were harmed.

The SEC also charged crypto influencer Ian Balina for his involvement with the scheme. He allegedly accepted a 30% bonus on the $5 million worth of SPRK tokens he purchased in an agreement to promote the project on YouTube, Telegram, and other channels, but did not disclose his compensation. He also organized an investing pool with more than 50 investors, and also didn't register it with the SEC. Balina had advertised that he could help people "make millions with initial coin offerings".

UK financial regulator warns against FTX exchange

The United Kingdom's Financial Conduct Authority issued a warning that FTX is not authorized by them, but is targeting consumers in the UK. "Almost all firms and individuals offering, promoting or selling financial services or products in the UK have to be authorised or registered by us," they wrote in the announcement, noting that FTX is not. Because of this, "you are unlikely to get your money back if things go wrong".

A spokesperson from FTX said they believed that "a scammer is impersonating FTX", which they said they thought led to the warning. However, that statements in the warning are accurate: FTX is not registered with the FCA, and they serve UK customers.

Scammer earns 13 ETH ($17,500) from fake Mutant Ape scheme

An illustration of an ape with skin made from various animal prints, a bright green muzzle with a tongue stuck out and wrapped around a beer can, X-ed out eyes, a bone necklace, and a WW2 pilot helmet with teeth around the brimMutant Ape #21080 (attribution)
The owner of Mutant Ape #21080 was approached with an offer to trade their ape for another Mutant Ape (#55) and an extra 0.5 ETH ($675) to sweeten the deal. The trader agreed, and moved forward with performing the trade on SudoSwap, one of several platforms that allows people to set up NFT-for-NFT swaps. Unfortunately, he didn't check that the "Mutant Ape #55" that the trader was offering was actually the genuine article. The scammer had created a bunch of fake Mutant Apes that look identical through the SudoSwap frontend, but are clearly fakes if you look at the contract.

The trader ended up with a worthless counterfeit and a measly 0.5 ETH for his pricey NFT. The scammer quickly flipped the real Mutant for 13.5 ETH, making a tidy $17,500 profit.

Whale illustrates price manipulation risk in GMX exchange, profits more than $400,000

A candles chart showing a pattern of the AVAX token dropping in price and then going back up as a whale manipulates the price.AVAX chart (attribution)
GMX is a decentralized cryptocurrency exchange that boasts zero price impact trades. On most exchanges, users have to contend with slippage: a difference between the price of a token when the user goes to enter the trade and the price when the trade is executed. A sufficiently large trade can itself cause slippage, particularly with crypto assets with lower liquidity.

A whale was able to take advantage of this "feature" by taking large positions in AVAX, the token belonging to the Avalanche blockchain, which has relatively low liquidity compared to larger tokens like Bitcoin or Ether. The whale then manipulated the price by making large trades on a centralized exchange, taking an estimated profit of between $400,000 and $450,000 after fees.

Some had publicly expressed concerns about the possibility of such an exploit earlier in September: Taureau, a founder of another decentralized exchange, had outlined the possibility of an exploit like this on a podcast episode on September 1.

GMX responded to the incident by capping the size of positions that users can take on AVAX. Another project, MM.Finance, announced they would be pausing order execution on their MadMex platform, which is a fork of GMX.

Binance accounting bug involving Helium tokens results in $19 million of erroneous payouts

Helium has two different tokens: HNT, which is paid out to people who run Helium hotspots, and MOBILE, which is paid to those maintaining the new Helium 5G network. However, Binance erroneously treated both tokens as HNT within their exchange. As a result, anyone who sent MOBILE to Binance wound up with that same number of HNT tokens in their wallet — a big benefit, given that HTN has traded between $4 and $7 this past month, and MOBILE is not yet easily tradable.

Binance distributed around 4.8 million HNT before discovering and patching the bug, valued at around $19 million.

Hours after Ethereum transition to proof-of-stake, SEC Chair says PoS crypto could be classed as securities

Official portrait of Gary GenslerSEC Chairman Gary Gensler (attribution)
In the early hours of September 15, Ethereum completed "The Merge —  the long-awaited transition from its original proof-of-work consensus mechanism to proof-of-stake.

Later that day, SEC Chairman Gary Gensler pointed to the staking mechanism as a signal that an asset might be a security as determined by the Howey test.

There has been much discussion over whether cryptocurrencies in general or individually should be considered securities, commodities, or possibly even something else. Broadly, people within the crypto community don't want to see the assets fall under SEC jurisdiction, as the SEC is seen as much less friendly to the industry than the CFTC.

Vulnerability discovered in vanity wallet generator puts millions of dollars at risk

The 1inch Network disclosed a vulnerability that some of their contributors had found in Profanity, a tool used to create "vanity" wallet addresses by Ethereum users. Although most wallet addresses are fairly random-looking, some people use vanity address generators to land on a wallet address like 0xdeadbeef52aa79d383fd61266eaa68609b39038e (beginning with deadbeef), or one with lots of 0s at the end, or some other address the user thinks looks cool.

However, because of the way the Profanity tool generated addresses, researchers discovered that it was fairly easy to reverse the brute force method used to find the keys, allowing hackers to discover the private key for a wallet created with this method.

Attackers have already been exploiting the vulnerability, with one emptying $3.3 million from various vanity addresses. 1inch wrote in their blog post that "It's not a simple task, but at this point it looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions."

The maintainer of the Profanity tool removed the code from Github as a result of the vulnerability. Someone had raised a concern about the potential for such an exploit in January, but it had gone unaddressed as the tool was not being actively maintained.

"No politics at work" Coinbase rolls out a feature to promote crypto-friendly politicians

A mobile screenshot of a list titled "explore legislators", showing various representatives and their "Crypto sentiment". Carolyn Maloney of New York, District 12 is displayed with a negative crypto sentiment.Coinbase crypto policy feature (attribution)
When the "politics" were widespread civil unrest in the summer of 2020 triggered by the police murder of George Floyd, and pressure on the company to release a statement in support of Black Lives Matter, Coinbase CEO Brian Armstrong announced that there would be no political discussion or activism at work, and those who didn't like it could leave.

Now, he's just announced that Coinbase will be "integrating our crypto policy efforts right into our app" by providing a rating of Congressmembers' negative or positive "crypto sentiment". He also said that they plan to "help pro-crypto candidates solicit donations from the crypto community (in crypto)", and wish to get their users to attend town hall events. "We've also added a very easy way for you to contact your member of Congress to urge them to support pro-crypto policies," Armstrong said in a video demonstrating the feature.

"Double your money" scammers capitalize on Ethereum merge

Tweet by Twitter account with the verified display name "vitalik.eth" but the account handle "iThinkBuzz". Tweet reads "To celebrate the Merge, Ethereum Foundation giving away 50,000 ETH! 🎉

First come, first serve ➡️https://ETH-MERGE.BLOGSPOT.COM

You can only apply once."Tweet by hacked verified account (attribution)
If it seems like you've been seeing a lot of Ethereum co-founder and figurehead Vitalik Buterin around Twitter lately, it may be due to the influx of hacked verified Twitter accounts that have been retrofitted to resemble Vitalik's account. They've been used to share a litany of scam links to supposed Ethereum giveaways in celebration of "The Merge": the much-anticipated change to Ethereum's consensus model that's scheduled to happen on September 15.

Most of the tweets say something like "To celebrate the Merge, Ethereum Foundation giving away 50,000 ETH!", and link out to various websites that invite people to send some amount of Ethereum with the promise that they'll receive twice as much in return — a classic double-your-money scam.

At least 36 verified Twitter accounts were compromised and used for the scam, including the 6 million-follower Cityarabia account that normally tweets for Arabic-speaking fans of the Manchester City football club. On the afternoon and evening of September 14 alone, at least 195 ETH (~$314,000) was drawn in by the accounts and scam websites I found.

South Korea issues arrest warrant for Terra founder Do Kwon

A South Korean court has issued a warrant for the arrest of Do Kwon, the founder of the Terra ecosystem, as well as five other people. According to Bloomberg the allegations include violations of Korea's capital markets law.

Kwon and the others named in the warrant are currently in Singapore. In June, Korea banned current and former Terraform Labs employees from leaving the country, and in July Korean authorities raided multiple exchanges in connection to their investigation.

Starbucks wants you to have an "immersive coffee experience" with their web3 rewards program

A glitchy photograph of a coffee farm, with the text "Starbucks Odyssey" atop it in white capitalsStarbucks Odyssey promotional image (attribution)
When Starbucks CEO Howard Schultz first announced at an employee town hall in April that the company was looking to get into NFTs, I assumed he was just hoping for a headline to distract from all the union busting they'd been doing. After all, they already have a rewards program that by all appearances seems to be quite successful.

Despite that, Starbucks has apparently decided that what its rewards program really needs are "digital collectible stamps", a euphemism for NFTs that somehow makes them sound even less appealing.

These NFTs promise to provide their holders with "immersive coffee experiences", which sounds an awful lot like what cost McDonald's a few million in the mid-nineties.

Unfortunately for Starbucks, between the time they came up with the idea, announced it at their town hall, and are now inviting people to sign up to the waitlist, the NFT craze has died down considerably. Even at the peak of NFT mania, though, I'm not sure if people would have been lining up to buy "digital collectible stamps" that allow them to "claim an ownership stake in their loyalty to Starbucks" (what??)

Ubisoft now claims its forceful introduction of NFTs was only "research"

Remember when Ubisoft decided it was going to shoehorn NFTs into their Tom Clancy's Ghost Recon Breakpoint game, to the nearly universal disappointment of their fans? Remember when one of their execs said that gamers just "don't get what a digital secondary market can bring to them"? Remember when their employees were so unhappy with the NFT plan that they had to hold an internal workshop about it, shortly before giving all employees NFTs of hats?

Well, despite being pretty bullheaded about their stance on NFTs and web3, even Ubisoft is now backing away from it all. In April, only a few months after launch, Ubisoft announced that there would be no more NFTs for the Ghost Recon Breakpoint title. Now, the CEO is putting a different spin on the company's once determination to introduce NFTs: "we are still in research mode" when it comes to web3 technologies, he said. "We probably were not good at saying we are researching. We should have said we were working on it, and when we have something that gives you a real benefit, we'll bring it to you." I imagine that might come as a shock to the handful of people who actually bought the Ghost Recon Breakpoint NFTs, given they were promised "real benefit" back in December and are now left with useless collectibles.

Algorand Foundation discloses $35 million exposure to Hodlnaut

The Algorand Foundation is a group responsible for managing Algorand, a proof-of-stake blockchain. On September 9 they disclosed that they had put $35 million of the project's treasury into Hodlnaut, a lending firm that halted withdrawals on August 8 and applied for creditor protection a week later. Hodlnaut was in turn heavily exposed to Terra, the ecosystem that collapsed in May.

The Algorand Foundation reassured people that the funds potentially lost to Hodlnaut were less than 3% of the Foundation's assets, and "we do not anticipate operational or liquidity issues due to this action". They also wrote that they would be "pursuing all legal remedies to maximize asset recovery".

New Free DAO loses $1.25 million in flash loan attack

A flash loan attack against the New Free DAO project resulted in a $1.25 million loss. The project's token also crashed 99% in the wake of the theft. The hacker quickly sent 1,500 BNB (~$415,000) of the stolen funds through the Tornado Cash cryptocurrency mixer, and sent another 2,900 (~$803,000) to the PancakeSwap decentralized exchange.

Shiba Inu developers leak AWS credentials on Github

If Amazon would like to buy the rights to the slogan "Web3, powered by AWS™️", feel free to reach out, because I'm registering it.

On September 8, a security researcher published a blog post reporting that the developers behind the Shiba Inu coin — one with reality-defying levels of popularity at #13 on the list of coins by market cap — had apparently published their AWS credentials to Github. After making the discovery, his team attempted to contact the developers, but were not able to find a bug bounty program, responsible disclosure policy, or even people they could reach out to personally.

Luckily for Shiba Inu (and somewhat miraculously), the tokens were invalidated two days later before anyone malicious apparently took advantage of the vulnerability. The researcher wrote that the exposure had "the potential to cause serious security breaches, including but not limited to user fund theft, token embezzlement, disruption of services, etc."

Coinbase funds lawsuit against the Treasury Department over Tornado Cash sanctions

In the wake of OFAC adding Tornado Cash to the U.S. sanctions list in early August, Coinbase has announced they will fund a lawsuit against the Treasury Department to challenge the decision. Coinbase itself is not a plaintiff in a lawsuit, though two of the plaintiffs are Coinbase employees, who along with four other individuals filed suit in a Texas court. They say they previously used Tornado Cash for licit purposes, and are now suffering financial damages because they can't legally use the service.

In the suit, they argue that the Treasury Department overstepped its authority in what it can sanction, claiming that "Tornado Cash software, including the smart contracts, consists of immutable open-source software code, which is not property, a foreign country or a national thereof, or a person of any kind." They've also argued that the designation is unconstitutional under both the free speech protections of the First Amendment and the due process protections of the Fifth Amendment.

Crypto reacts to Queen Elizabeth's death

A pixel art illustration of Queen Elizabeth in skeletal form, inside a gilded frameQueenE 74 (attribution)
The news of Queen Elizabeth II's death resulted in the creation of at least 40 memecoins, multiple Queen Elizabeth-themed NFT collections, and special edition NFTs in various existing NFT projects.

Is there a way to include in one's will that you don't wish to be turned into an NFT or commemorated with a "Queen Inu" token when you die? Asking for a friend.

Company begins selling Celsius-themed Monopoly game... three months after Celsius suspends withdrawals

A Monopoly game themed after the company Celsius, with a large Celsius logo in the middleCelsiusopoly (attribution)
After what USA Strong Head of Sales & Partnerships described as "months and months" of work, apparently the company had decided they had sunk too much effort into the Celsius-themed game of Monopoly to scrap the project, and opted to push ahead. What could be more fun to any of the large group of users who have significant funds locked up in the platform than gathering around the table to play "Celsiusopoly", which they can buy for $99 (if they have that kind of money to spare). The center of the board is adorned with the Celsius logo and the slogan "Do Good. Then do well", and there is a "HODL Mode activated" square that might have been a lot funnier before the company involuntarily activated "HODL mode" for all its users.

If you were wondering who might decide to sell such a product, well, USA Strong's founder and CEO is none other than Krissy Mashinsky, wife of Celsius founder Alex Mashinsky.

Both the announcement tweet and the game product page were taken down shortly after the announcement, likely due to the less-than-enthused response from Celsius users.

Investors face $11 million loss in VBit Technologies/Advanced Mining Group, an alleged crypto Ponzi scheme

The Philadelphia Inquirer published a report on VBit Technologies, later Advanced Mining Group, a company that promised investors to buy and operate Bitcoin miners on their behalf and pay them out the returns. Much of the group's operations relied on a system of "affiliates" bringing in more investors — a sort of suspicious triangular-shaped scheme — and executives and top-performing affiliates enjoyed lavish rewards including expensive wines, six-figure sports cars, and fancy vacations.

However, customers trying to withdraw their "rewards" saw increasing delays in receiving their payouts — days, then weeks, then an indefinite pause. A COO hired by the group left the company only three weeks later. On June 27, the group sent an email to its customers explaining that there was a "potential pending settlement" with the SEC — the first customers heard of the existence of any investigation — and that they would no longer serve customers in the U.S. On July 15, the company promised to refund customers what they paid to sign up with the program, but no refunds or further updates have materialized.

The company has faced lawsuits in Washington state and Delaware, and apparently operated for two years after executives had acknowledged they were violating securities laws. The Delaware lawsuit describes the operation as a Ponzi scheme, and alleges that the company sold packages that would have required far more computing power than the company actually had access to.

David Bowie NFTs anger fans

A screenshot of a tweet by the official David Bowie account, which reads "Out of respect for the people of the UK and Queen Elizabeth II, we will be postponing the 'Bowie on the Blockchain' sale. We will update soon." Another user has screenshotted the tweet and crossed out "the people of the UK and Queen Elizabeth II" and replaced it with "David Bowie", making it read "Out of respect for David Bowie, we will be postponing the 'Bowie on the Blockchain' sale."Tweet by Jonathan Dean (attribution)
The latest entry in "group launches NFTs, fans hate it" comes from the David Bowie estate, who decided that "Bowie on the Blockchain" would be a cool idea to raise money for charity.

A tweet from OpenSea announcing the project received some positive replies, and a lot of other NFT projects trying to promote Bowie-themed NFTs they'd included in their collections. However, the tweet from David Bowie Twitter account seemed to be received almost universally negatively, with many commenters writing that they wished the estate would just raise money for charity without getting into NFTs, and others writing that they didn't think Bowie would have supported NFTs.

On September 10, the account announced that "Out of respect for the people of the UK and Queen Elizabeth II, we will be postponing the 'Bowie on the Blockchain' sale. We will update soon."

Flash loan attack nets attacker $370,000 from several sources

An attacker using the Avalanche blockchain successfully executed a flash loan attack impacting one contract and several other liquidity providers. The attacker made around $370,000 in USDC from the attack.

Binance plans to convert USDC and other stablecoins into their own BUSD stablecoin

Binance users who hold USDC (USD Coin), USDP (Pax Dollar), or TUSD (True USD) will find their holdings "converted" into Binance's stablecoin, BUSD, on September 29. The three stablecoins that Binance plans to convert are the second, fifth, and sixth largest stablecoins on the market as of September 5.

Binance claims the move is to "enhance liquidity and capital-efficiency for users", but the conversion and Binance's related decision to stop trading on spot pairs involving those same stablecoins seems like an attempt to increase the status of its own stablecoin against that of rivals.

Poolin suspends withdrawals from their wallet service

PoolinWallet is a crypto wallet service provided by Poolin, which runs the fourth-largest Bitcoin mining pool and third-largest Ethereum mining pool in the world. In the announcement they wrote that "Poolin Wallet is currently facing some liquidity problems due to recent increasing demands on withdrawals. But please be assured, all user assets are safe and the company's net worth is positive." The firm also urged users to ignore rumors of a rug pull.

Poolin users had been complaining about issues withdrawing from their Poolin wallets since at least August, which had sparked rumors of liquidity problems prior to the announcement. Poolin said in their announcement that they would announce their plans to resume withdrawals within two weeks. However, a week later, they instead told customers they would be receiving "IOU" tokens.

Bitcoiner gets 6–15 months in prison, warns others about making peer-to-peer Bitcoin trades

Mark Hopkins, also known as "Doctor Bitcoin" or "Rizzn", announced on social media that he would be spending between 6 and 15 months in federal prison "for the crime of selling Bitcoin a few years ago". His charge carried a maximum sentence of five years imprisonment.

In 2019, his home was raided in connection to a Nigerian lottery scam, for which he converted between half a million and $1.5 million to cryptocurrency over the span of half a year. He was ultimately charged with "illegally operating a cash-to-cryptocurrency conversion business", to which he pleaded guilty (by his telling, in an attempt to get charges against his family members dropped).

Hopkins claims that "any time anyone with a crypto trades p2p (i.e., not with an exchange), they're legally liable under this statute as it's currently interpreted", though authorities have claimed that Hopkins knowingly aided the lottery scammer by telling them "I'm set up as a marketing company, so tell them you're paying for a marketing campaign".

Islamic State tests out NFTs

In the apparent "first known nonfungible token created and disseminated by a terrorist sympathizer", a supporter of the Islamic State has minted an NFT with a message praising an attack on a mosque in Kabul, Afghanistan. According to former U.S. intelligence officials cited by The Wall Street Journal the NFT is likely an experiment with new funding and channels for propaganda.

The token was briefly listed on OpenSea, Rarible, and various other marketplaces before those marketplaces took it down. However, because it was minted on the blockchain, the token itself cannot be removed. "It's very much an experiment...to find ways to make content indestructible," said Raphael Gluck, a co-founder of a jihadist research group.

Crypto scam watchdog group launches NFT project, which is then exploited

An illustration of a man in a brown suit, brown fedora, and sunglasses, smoking a cigar and holding a noose.Bad Guys promotional artwork (attribution)
The group Rug Pull Finder aims to combat fraud, scams, and hacks in the NFT space, often investigating crypto rug pulls and offering audits for projects and smart contracts. They decided to launch their own NFT project, "Bad Guys", which is themed around a group of baddies who steal NFTs.

Ironically, a flaw in the project's smart contract allowed individual wallets to mint many NFTs at once, rather than one per wallet, allowing two people to game the system and snap up more than 450 NFTs rather than the one they were allowed. Rug Pull Finder wrote that "An exploit was shared with us 30 minutes before mint went live. After reviewing it with 3 different dev teams, we did not believe the credibility of the information sent to us... We were clearly wrong, and we are truly truly sorry".

Rug Pull Finder announced that they had reached an agreement with the people who gamed the mint, and would buy back the 366 NFTs the duo still held for 2.5 ETH (~$4,000).

Crypto security researcher OKHotshot wrote, "I think its concerning when security minded projects like RugPullFinder get their discord breached and their code exploited yet they're offering those exact services to customers."

Georgian Coinbase customers take advantage of 100x price bug

Some Coinbase customers in Georgia (the country, not the state) took advantage of an hours-long price bug where a misplaced decimal point altered the exchange rate of the Georgian Lari (GEL) to 100x its actual value. Users were able to sell their cryptocurrencies for GEL to receive, in some cases, thousands of dollars more than the trades were worth. According to Blockworks, some users exchanged $150 worth of crypto for $15,000, more than three times the national average salary in the country.

Some users who took advantage of the bug and withdrew funds to their bank accounts found their accounts frozen shortly after, when Coinbase noticed the error and began working to claw back the funds. According to Coinbase, about 1,000 users took advantage of the error.

Attacker exploits bug in ShadowFi to empty $300,000 liquidity pool

An attacker discovered that anyone could call the burn function on the liquidity pool contract for the ShadowFi project. They were able to exploit this vulnerability by calling the burn function and then taking advantage of the price difference (based on the new circulating supply) to remove all 1078 BNB (~$298,000) in the project's liquidity pool.

The project had only just launched that same day, after running a presale of their SDF tokens. The project promised to allow people to "Take your spending away from the floodlights of surveillance capitalism" and apparently involves sending people prepaid Visa cards to help them cash out their cryptocurrency without connecting a bank account or providing KYC information.

Holding company for Mercado cuts 15% of employees

2TM, the holding company for the Brazilian crypto exchange Mercado, announced they would be laying off 15% of their workforce — about 100 people. The company had previously laid off more than 80 employees in June. Mercado raised a $200 million Series B funding round in July 2021, which valued the company at $2.1 billion — the highest-valued crypto exchange in Brazil.

Describing the layoffs, a spokesperson for 2TM said that Mercado was suffering for playing by the rules. "The competitive environment remains deteriorated and unfair, lacking the approval of the legal framework for crypto-activities, as players following the law are penalized by companies that ignore local rules."

dYdX infuriates users by requesting "liveness checks" via webcam, cancels campaign due to "overwhelming demand"

The decentralized crypto exchange dYdX announced on August 31 that they would give users $25 if they completed a "liveness check", which is accomplished by taking webcam facial scans that can then be compared with scans from other accounts on the exchange in an attempt to combat Sybil attacks.

This infuriated many crypto users, who were horrified that dYdX would try to collect this kind of biometric data. "DYDX just nuked itself. I would never use this platform," wrote a prominent trader.

On September 1, dYdX tweeted that "Due to extremely overwhelming demand of the $25 deposit bonus promotion, we are ending the campaign, effective immediately. Thank you to the many thousands of new users that onboarded to dYdX today. We truly underestimated the amount of interest the campaign garnered." They made no mention of the backlash against the liveness checks, but quietly removed the mentions of the system from their website.

Bill Murray's NFT charity auction nets $185,000, which is then immediately stolen

Black and white photorealistic painting of Bill Murray. The only colors are the lenses in a pair of cardboard 3D glasses that Murray is wearing, and a green bowtie.Token #0 from Bill Murray's NFT collection (attribution)
Bill Murray auctioned off an NFT representing the right to drink a beer with him, during which a painter will paint a picture of the scene that the buyer can keep. The auction benefits Chive Charities, which is a veteran- and first responder-focused non-profit. The NFT sold for 119.2 ETH (~$185,000).

However, hours after the auction, a hacker gained access to Murray's crypto wallet and snagged the ETH for themselves. They also attempted to steal 800 NFTs from the remaining collection by Bill Murray, though a wallet security team was able to safeguard those NFTs in time.

Murray's team confirmed the theft, and said they are working with the police and Chainalysis to identify the hacker.

Attackers steal around $265,000 of user funds from KyberSwap exchange

An attacker was able to insert malicious code into the frontend of the decentralized exchange KyberSwap and steal $265,000 of user funds. The project used Google Tag Manager to allow code to be injected into the project frontend (often for analytics, ads, or marketing purposes), which was used by the attacker to insert malicious code into the project UI that specifically targeted whale accounts — that is, those with large balances.

Kyber identified and remedied the issue after two hours of investigating it, and only two wallets were affected. Kyber promised to compensate the users who lost funds, and also tried to tempt the hacker into returning funds by allowing them to keep 15% of the stolen money as a "bounty" (~$40,000).

Snapchat abandons its web3 plans

Snap Program Manager Jake Sheinman tweeted that "As a result of the company restructure, decisions were made to sunset our web3 team. The same team that I co-founded last year with other pirates who believed in digital ownership and the role that AR can play to support that." Snap, the company behind Snapchat, had been working on a feature that would enable users to import their NFTs and use them as augmented reality filters.

This news came amidst the announcement that Snap would be laying off 20% of its staff, a whopping 1,300 people.

Unable to recover from the April Rari exploit, Babylon Finance shuts down

In April, an attacker exploited vulnerabilities in the defi lending project Rari Capital to steal $80 million. The asset management project Babylon Finance was a major lending pool on Rari, and lost $3.4 million in the hack. After the incident, users withdrew more than 3/4 of the assets on the project.

Since April, Babylon tried to recover from the hack. However, they described it as "the domino that kickstarted a series of unfortunate events". Rari canceled their planned reimbursement, users withdrew their funds from Babylon Finance, the Fuse pool on Rari was abandoned, and the token price decreased from around $20 to around $5.

On August 31, Babylon Finance's founder Ramon Recuero published a blog post announcing that Babylon would be shutting down. They promised to distribute the remaining project treasury among holders. Users were told to withdraw their funds by November 15.

Lawyer Kyle Roche withdraws from several crypto class-action lawsuits after allegations that he was involved in "gangster-style" schemes to hurt competitor projects

Kyle Roche sitting in a dim restaurant setting, speaking and gesturing. A caption on the video reads "I'm just a crazy motherfucker".Roche in one of the secretly recorded videos (attribution)
Kyle Roche, a founding partner and namesake of the Roche Freedman law firm, has withdrawn from class-action lawsuits filed by the company against projects including Tether and Bitfinex, the Tron Foundation, and BitMEX. This change came less than a week after a whistleblower website alleged he had been paid to attack competitors of the Avalanche blockchain with lawsuits intended to harm them and reveal corporate secrets.

Although Roche has denied the claims by the site, and stated that someone deliberately got him drunk and then took clips of videos out of context, it probably doesn't look so good for a lawyer to be referring to jurors as "10 idiots", or plaintiffs in class-action lawsuits as "100,000 idiots".

Helium ditches its blockchain

Helium is a network of wireless hotspots that decided to bolt on a cryptocurrency layer a few years after it was created. Through this, they hoped to convince people to spend hundreds of dollars on Helium hotspots, which earn an average of 0.07 HNT ($0.37) a day (2.1 HNT/$11.24 a month) for supplying connectivity to internet of things devices.

Now, Helium is ditching its custom Helium chain in favor of a Solana-based token, and scrapping the blockchain entirely for the portions of its service that actually used the blockchain for anything beyond handling rewards.

Helium seems to have realized, finally, that blockchains tend to be slow as hell. In a blog post about the change, they wrote that "specific transactions, including Proof-of-Coverage and Data Transfer Accounting, are processed on-chain unnecessarily. This data bottleneck can cause efficiency issues such as device join delays and problems with data packet communications, which bloats the Network and causes slow processing times." They outline their plans to move these portions of the project to a "more traditional large data pipeline" — that is, infrastructure that's actually well-suited to that kind of processing.

DC Attorney General sues Michael Saylor and MicroStrategy for tax evasion

Michael Saylor sitting in front of a large model shipMichael Saylor (attribution)
DC-based Bitcoin evangelist and former CEO (now chairman) of MicroStrategy has been accused by the DC Attorney General of avoiding years of taxes by pretending to live in Florida, a state without personal income tax. The AG says he evaded more than $25 million in DC taxes this way, with the help of MicroStrategy (which is also named in the suit for helping to enable the tax evasion).

DC permits the court to impose "treble damages" on Saylor if he is determined to have evaded the taxes he owes, which could end up costing him and MicroStrategy more than $100 million in taxes and penalties.

Compound Finance breaks their cETH market for a week

Compound Finance released an update to change the price feed used by the Compound v2 protocol. Despite being audited by three firms, no one caught a bug that caused all transactions for ETH borrowers and lenders to revert, effectively freezing the entire cETH market on the protocol. Because code changes require a seven-day-long vote, the change can't be reverted until a new proposal passes. In the meantime, users with positions they can't access will need to add collateral or repay loans carefully in order to avoid being liquidated if the price of ETH drops by the time the market is operational again.

Thodex CEO arrested over a year after fleeing Turkey in the wake of the exchange's collapse

Faruk Fatih Özer, the CEO of the Thodex cryptocurrency exchange, swore that when they halted trading and shut off customers' access to accounts in April 2021, it was just to investigate suspicious activity. Then he disappeared, leaving behind a collapsed exchange and total losses estimated to be anywhere from $24 million and $2.5 billion in assets (depending who you ask). He left a statement in which he claimed that he was only on the lam in order to "work and repay my debts" to customers, after which he would turn himself in to Turkish authorities.

His plan to somehow work off anywhere from $24 million to $2.5 billion in debts was stymied when he was apprehended by Albanian authorities. He faces extradition to Turkey, where a prosecutor has asked for sentences of 40,564 years for him and other executives (just in case, I guess).

Thai SEC punishes Bitkub CTO for trading Bitkub Coin on insider information

The Securities and Exchange Commission in Thailand took action against Samret Wajanasathian, the chief technology officer of the Thai crypto exchange Bitkub. The SEC fined him 8.5 million baht (~$234,000), and said they would bar him from serving as a director or executive at any crypto firms for a year.

The SEC reported that Wajanasathian had purchased around $61,000 of Bitkub Coin ($KUB) just before it was publicized that the Siam Commercial Bank would purchase a 51% stake in Bitkub. After the announcement, the value of KUB rose 100%.

Earlier that week, the SCM had announced they would not be following through on purchasing the planned $500 million stake in Bitkub, due to concerns over "various issues" that were raised by the Thai SEC.

Crypto.com wants back the $7.2 million they accidentally sent a customer last year

Crypto.com somehow managed to not only send a woman AUD$10.5 million (US$7.2 million) in May 2021, but not notice it for months afterwards. The woman had requested a $100 refund, but someone accidentally entered an account number into the refund amount section and granted this woman a sudden windfall.

Rather than contacting Crypto.com about the error, she put the money into a joint account shared with her sister, and purchased her sister a five-bedroom home with nearly US$1 million of the funds.

Crypto.com only discovered the error in a December 2021 audit, and sued the woman for the erroneously-sent funds. She's just been ordered by the Victoria Supreme Court to sell the home and return the remaining money.

Unlike with many crypto transactions, erroneous transactions on centralized exchanges can typically be reversed by the exchange. However, Crypto.com would have had to notice the error much sooner, before the recipient transferred the funds elsewhere.

Hacktivists make NFTs out of the stolen passports of Belarusian officials

The inside and outside of a Belarusian passport, with a photo and the name of Alexander Lukashenko. Identifying details have been blurredOne of the NFTs (attribution)
A hacktivist group calling themselves the Belarusian Cyber Partisans managed to gain access to the entire passport records of Belarus last year. On August 30, they began selling NFTs created from the passport data of various Belarusian officials, including the country's authoritarian president, Alexander Lukashenko. Other passports include those of the head of the Belarusian KGB, Lukashenko's press secretary, and the country's prime minister.

The group is selling the NFTs for between 0.2 and 6.5 ETH ($300–$9,700), and say that all proceeds will go towards "our work in hitting bloody regimes in minsk & moscow".

OpenSea took down the NFT collection shortly after it was published.

OptiFi developer accidentally closes the project contract, irretrievably locking $661,000

OptiFi, a derivatives defi project, accidentally and permanently shut down the project smart contract, irretrievably locking up $661,000 — the project's entire fund. A developer had been trying to push an update to the project, and ran into issues related to Solana network congestion (a recurring issue). While trying to clean up from a partially-executed transaction, the developer accidentally ran a command that closed the project's primary smart contract.

OptiFi has promised to return user deposits and settle all positions. In a post-mortem, they wrote that they had learned that "Every deployment needs a rigorous process and single point failure can be avoided. Please don't rush like what we did, especially for defi projects". They further outlined a "peer-surveillance approach" in which three people would be required to deploy any changes together. They also asked the Solana team to implement a two-step confirmation for such a potentially destructive command.

Whistleblower website alleges that the creators of the Avalanche blockchain paid lawyers to attack competitors

Kyle Roche sitting in a dim restaurant setting, speaking and gesturing. A caption on the video reads "I'm just a crazy motherfucker".Roche in one of the secretly recorded videos (attribution)
An anonymous whistleblower website called "CryptoLeaks" has alleged that Ava Labs, the company behind the Avalanche blockchain, paid lawyers to sue competitors and obtain confidential information through legal discovery. The site includes secretly recorded videos of Kyle Roche, a founding partner of the Roche Freedman law firm which has filed class action lawsuits against numerous companies including Solana, Binance, and others. In some of the surreptitiously recorded videos, Roche is visibly drunk.

"A pact was formed that involved Ava Labs granting Roche Freedman a massive quantity of Ava Labs stock and Avalanche cryptocurrency (AVAX), now worth hundreds of millions of dollars, in exchange for Roche Freedman agreeing to pursue a hidden purpose," the site claims.

The site does include video clips of Roche saying some surprising things, although the clips are very short and devoid of context. The whole thing should be taken with a grain of salt.

Ava Labs founder Emin Gün Sirer dismissed the claims on the site as "conspiracy theory nonsense". Roche published a statement about the " numerous unsourced false statements and illegally obtained, highly edited video clips that are not presented with accurate context", in which he said that his statements about filing class action suits at the behest of Ava Labs were "false, and were obtained through deceptive means, including a deliberate scheme to intoxicate, and then exploit me, using leading questions. The statements are highly edited and spliced out of context."

CEO of Ragnarok metaverse game admits to treasury mismanagement, including nearly $2 million in trading losses and exorbitant salaries

Pixel art characters stand in a bar setting with a tiled floor made from hexagons. There are cardboard boxes, a jukebox, and a cook behind the bar.Ragnarok screenshot (attribution)
Ragnarok is a metaverse role-playing game that launched its character NFTs in April 2022. The project received $1.75 million in seed funding, plus another $17.5 million from NFT sales and royalties.

On August 26, CEO Fanfaron published a Substack post providing a breakdown of the project's finances, which he began by saying, "As a previous business owner, and because Ragnarok is a startup and not a DAO, our initial plan was never to operate our finances in public, which is why we have historically been closed and unwilling to share full accounting of our balance sheet." As the post went on, it became clear there might be other reasons they were reticent to publish it.

The post revealed that Fanfaron had lost $1.827 million buying ETH during the crypto downturn: "I made mistakes by buying ETH multiple times when I thought it was an advantageous investment for the project, but then to protect downside risk and with the plan to reinvest at a better time, I sold our position in ETH, multiple times.."

It also revealed that the project is paying its team members apparently enormous salaries: $5.4 million in team compensation, plus another $1.5 million spent to buy out a co-founder. "We're a scrappy startup," he wrote, after also acknowledging that he pays himself $50,000 a month ($600,000 a year) — a number he already reduced by $600,000 from his original salary of $1.2 million per year. He ultimately promised in the post to pay back his trading losses.

As for the game, well, it exists, which means it's already ahead of a lot of crypto games. They launched an alpha version of the game in late July after multiple delays, with Fanfaron explaining, "Our vision was to create something similar to WoW... we were, however, overeager and optimistic with regards to how much time it takes to create such a world." The alpha is a multiplayer pixel art world where characters can walk around and talk to each other, and interact with buildings. Battling, leveling, quests, missions, and breeding are apparently all yet to come.

Indian financial crimes authority searches the offices of CoinSwitch, the country's largest crypto company

Financial crime agents from India's Directorate of Enforcement searched the offices of CoinSwitch and the residences of some of its executives. CoinSwitch is the largest crypto company in India, and is backed by Andreessen Horowitz, Tiger Global, and Coinbase Ventures.

According to the CEO, there's nothing to worry about, the search had nothing to do with money laundering (that's specific), and the agency only executed the search to learn more about its business model and user onboarding. Seems like a pretty weird way to do that, but what do I know.

TechCrunch, however, reported that four people familiar with the investigation stated the investigation was to do with potential violations of foreign exchange laws, and that the agency suspects CoinSwitch acquired $200 million in shares in violation of forex laws.

eth.link service about to go offline because domain owner is in prison

Some people might be familiar with ENS, the "Ethereum Name Service", which seeks to be a web3 equivalent of DNS. If you've seen people with usernames ending in .eth, that's an ENS address. The problem is that .eth is not a functional top-level domain, and so many services relied on eth.link to surface these DNS records to other services.

However, the eth.link domain is only rented for a set period of time and needs to be renewed. ENS DAO tweeted that the domain's owner, Virgil Griffith, is "unavailable". By this, they mean that he is currently serving his first of five years in prison for helping North Korea evade sanctions. With Griffith "unavailable", the project has found itself at the mercy of GoDaddy. Welcome to the decentralized web3 we've all been promised!

Although GoDaddy previously allowed another person to renew the domain on Griffith's behalf, they reversed that decision, and now say they intend to allow the domain to expire on September 5.

The ENS DAO issued a series of tweets urging people to switch to a different service, given the risk that the domain could be snapped up. "If the name expires and is acquired by someone with ill intent, the damage they could do via phishing is substantial - so please update your links and alert your users of the issue immediately," they wrote.

The latest Pokémon-themed rug pull nets $708,000

It's not much compared to at least three separate crypto Pokémon ripoffs since February that have each taken millions, but apparently the love of Pokémon still drew people in to the tune of $708,000.

One might think the blatant rip-off of the Pokémon IP (which belongs to a notoriously litigious company) might have been a red flag, but nevertheless, people bought in to PokémonFi — a play-to-earn game that seems like a much worse version of the original thing.

The project and tokens first launched in April. After apparently running off with the money, the project deleted its Twitter account, though its website remained live.

Researcher zachxbt alleges that teenager who stole crypto worth $37 million in 2020 is responsible for a spate of crypto-related Twitter hacks

BirdPartner - The Secret Twitter Panel
Today, I will start to lease out access to my exclusive Twitter panel. This support hub allows you to request usernames, ban accounts, restore access to stolen/locked accounts, report instances of rule violations, and more.
Due to the extreme nature and power of the panel, access will be restricted to a limited amount of users at once. There are several packages; each becoming more discounted the bigger package you buy.Post on SWAPD advertising access to Twitter panel (attribution)
In 2020, a Canadian teenager used SIM swapping to steal US$37 million in Bitcoin and Bitcoin Cash from a single person. Canadian police announced his arrest in November 2021 after he tried to buy a rare gaming username, also writing that they had seized around $5 million of the stolen funds.

Now, crypto investigator zachxbt thinks the same individual is indirectly responsible for a slew of compromised Twitter accounts that have then been used to promote crypto scams, including those of Beeple, DeeKay, and others. According to zachxbt, he has been selling access to a Twitter admin panel, which allows employee-level access to Twitter tools. This might explain how many of the accounts were compromised despite being protected by multi-factor authentication. According to zachxbt, "It's still unclear as to how Redman gained access to the panel to make elevated requests & reset passwords. As of now it appears the method stopped working".