Mango Markets suffers loss of more than $116 million

Mango Markets, a Solana-based defi project offering borrowing, lending, and leverage trading, was exploited for $116 million. The attacker manipulated the price the platform used to value their collateral, pumping the thinly traded MNGO token on which they held large leveraged positions, and then borrowed against that inflated collateral from the project treasury, loans they never repaid. In total, they stole around $116 million worth of Solana tokens. However, only a few exchanges have sufficient liquidity to support exchanging or withdrawing that quantity of tokens, and those exchanges (Coinbase, Binance, and Kraken) froze the attacker's wallets.

Mango Markets posted on Twitter to urge users not to deposit into the project, and asked the hacker to contact them "to discuss a bug bounty". The hacker had their own plans, instead submitting a governance proposal in which they would return $46 million of the stolen funds (keeping $70 million) in exchange for a promise that the protocol would not try to freeze the assets or pursue criminal charges. The hacker then used their 32 million governance tokens to vote in support, but ultimately was not able to get the proposal to pass. A different proposal with largely the same terms, but which left the attacker with only $47 million of the stolen funds, passed shortly after.

QANX Bridge suffers $1.16 million loss caused by the Profanity vanity address vulnerability

On September 15, a blockchain security firm disclosed a vulnerability affecting Profanity, a tool that allowed people to generate "vanity" crypto wallet addresses: addresses containing specified strings of characters. The tool seeded its key generation with only 32 bits of randomness, so the private key behind any address it produced can be recovered by brute force. This affected some individuals with vanity addresses, but has also enabled subsequent attacks on projects that used vanity addresses, such as the Wintermute exploit on September 20.

On October 11, the QANX Bridge's deployer wallet was compromised thanks to the vanity address generator bug. Although QAN had not directly used the Profanity project to generate the address, they used a project called vanity-eth-gpu, which had derived its code from Profanity and so inherited the bug. QAN is a layer 1 blockchain that claims to be quantum-resistant.

The thief stole 1.44 billion QANX from QANX's BNB Chain bridge, which they traded for 3,090 BNB (~$837,000) and tumbled through Tornado Cash. One minute later, they drained 1.43 billion QANX from QANX's Ethereum bridge, traded it for 255.4 ETH (~$327,000), and tumbled it as well. In total, $1.16 million was cashed out via Tornado. News of the attack, and the attacker's sell-off, caused the QANX price to plummet by 94%.

The attacker still holds more than 1 billion QANX, nominally worth $608,000. However, QAN withdrew liquidity for the project on Uniswap and Pancakeswap, which will make it more difficult for the attacker to sell off their remaining tokens.

This was the second theft affecting the QAN platform this year. In May, an attacker stole 4.4 million QANX, which they traded for 370 ETH (valued at ~$707,000 at the time).

Rabby Wallet's swap feature exploited a month after launch

Rabby Swap, a feature of the Rabby crypto wallet, was exploited a month after it was first rolled out. An attacker discovered an apparent vulnerability in the Rabby Swap smart contract that enabled them to arbitrarily transfer other users' funds. Rabby urged its users to revoke approvals for the contracts across multiple chains.

The attack impacted assets on multiple chains. The attacker tumbled 114 ETH (~$146,000) through Tornado Cash shortly after the hack, along with 179 BNB (~$48,500). The full extent of the attack is still being measured. The buggy contract that enabled the attack had been audited by blockchain security firm PeckShield, but the vulnerability had apparently gone undetected.

CNN accused of rug pull after ditching their Vault NFT project

In June 2021, CNN launched "Vault": a project to "make moments from history available for purchase". The project involved minting as NFTs various clips of CNN footage and photographs from their archives, such as CNN's predictions that Bush and Obama would win their presidential elections, or "War Notes": a series of photos and accompanying handwritten notes from Ukrainians impacted by the Russian war on Ukraine. On October 11, CNN announced they would "no longer be developing or maintaining this [Vault] community".

Although CNN claimed in their shutdown announcement that "Vault was originally launched as a 6-week experiment", CNN had not previously mentioned that the project was an experiment that might end. As recently as last month, Vault had been teasing upcoming events scheduled around election day in November, and encouraging users to buy more Vault NFTs to access the upcoming drops.

As an apparent attempt to placate angry users worried that the value of their NFTs might drop, CNN promised to return "either FLOW tokens or stablecoins" for "roughly 20% of the original mint price". However, the project is built on the Flow blockchain, where users can only withdraw stablecoins $10 at a time — and with a $4 fee on each withdrawal. Some angry users in the project's Discord channel threatened legal action, claiming that CNN had rug pulled.

STAX Finance exploited for $2.3 million

A hacker discovered a vulnerability in the smart contract for the STAX project, which is built on the TempleDAO defi protocol. STAX is a liquidity provider for $TEMPLE/$FRAX.

Poor access control on a function in the smart contract allowed them to withdraw 321,155 xLP tokens, which they subsequently converted to 1,831 ETH (approximately $2.34 million).

This amount represents about 4% of the assets in the TempleDAO protocol. STAX replaced its homepage with a "disclaimer" about the hack, took down the project's dApp, and urged people not to deposit into the STAX contracts.

U.S. SEC is investigating Bored Apes creator Yuga Labs

[Image: An illustration of a bright pink ape, wearing a captain's hat, with heart-shaped sunglasses, with eyes on its neck, and a gold jacket and chain. Caption: Bored Ape #648]
According to a scoop in Bloomberg, the United States Securities and Exchange Commission has been probing whether NFTs from Yuga Labs should be considered securities under federal law, and whether the company may have violated securities regulations by selling them.

Yuga Labs is the company behind the Bored Apes NFTs and spinoff projects (Mutant Apes, and Bored Ape Kennel Club), and in March also acquired the blue-chip NFT collections CryptoPunks and Meebits.

A probe does not necessarily mean that Yuga has violated the law, but such an investigation could have major ramifications for the world of NFTs.

Blockwater Technologies is insolvent

Blockwater Technologies, a crypto investment firm based in South Korea, missed a payment on its $3.4 million loan from TrueFi, a decentralized borrowing platform. According to TrueFi, Blockwater had previously amended the loan to extend its term and increase the interest rate, but was still unable to make the required payment. TrueFi wrote that Blockwater intended to undergo a "court-supervised administrative proceeding", a route it said was chosen due to "the complexity around the sudden insolvency".

TrueFi claims the default is not a major risk to them, making up 2% of the platform's total value outstanding. They announced that the loan was "currently in an active restructuring to maximize recovery for affected BUSD lenders".

NFT collector loses Bored Apes he bought for nearly $2 million in two consecutive scams

[Image: An illustration of an ape with pink fur and an angel halo. The ape's eyes are closed and its mouth is open. It's wearing no shirt, and has a silver stud earring. Caption: BAYC #2951]
In an incredible display of misfortune and perhaps ineptitude, an NFT collector was scammed out of a Bored Ape and then scammed out of six more Bored Apes when he tried to revoke the permissions he'd granted for the first scam.

NFT trader Laszlo_btc went to swap his Bored Ape #8274 for another Bored Ape after reaching a deal with someone he met on Discord. He opened up Sudoswap to do the swap, but was tricked into trading his pricey NFT for a worthless NFT that was disguised to look like a Bored Ape. This is how Laszlo was scammed out of his first Bored Ape, which he'd only purchased three days prior, for 80 ETH (~$108,000). The scammer quickly flipped the NFT for around 70 ETH (~$92,000).

Realizing he'd been scammed, Laszlo went to revoke the permissions he'd granted in case he'd opened himself up to other thefts. However, instead of using the real permission revocation service Revoke.cash, he ended up using a phishing site: Revokecash.net. Only fifteen minutes after the first theft, six more Bored Apes were transferred out of his wallet.

Altogether, Laszlo had paid over $1.9 million for the collection of seven apes, which he purchased between January and October 2022. The priciest was Bored Ape #2951, which he bought for 173 ETH on May 1 — at the time, $490,000. The two sets of scammers quickly flipped all the NFTs, selling them for a total of $608,000.

CoinDesk reports that Decentraland has just 38 daily active users

[Image: A 3D virtual world with various logos on buildings. An avatar of a woman stands alone in the foreground. Caption: Decentraland]
According to CoinDesk, the metaverse platform Decentraland is entertaining roughly 38 users a day these days. This isn't much for its "valuation" of $1.3 billion — although CoinDesk seems to be estimating this on "market cap". Its competitor, the Sandbox (also "valued" at around $1.3 billion), is doing a bit better — with a whopping 522 daily active users.

Not only that, the most users Decentraland has ever had in one day is only 675; The Sandbox had 4,503 at one point.

Celsius exposes the names of all customers and their recent transactions in court filing – including their execs

Celsius Network is undergoing bankruptcy proceedings after its impressive implosion earlier this year. The company's latest court filing is 14,532 pages long — because it contains the names and recent transactions of every user on the platform. Although the judge allowed Celsius to redact individuals' home and email addresses, the names and details of recent transactions are all publicly available — much to some users' horror.

Among those listed in the court filing were Alex Mashinsky, his wife Krissy, and various other executives. The records show that Mashinsky withdrew $10 million from Celsius shortly before the company's collapse, and his wife withdrew another $2 million. Chief Strategy Officer Daniel Leon also withdrew $7 million.

Binance Smart Chain halts after $570 million bridge exploit

Binance Smart Chain, the relatively popular blockchain that Binance is trying to rebrand as "BNB Chain", was halted when an attacker exploited "BSC Token Hub", the bridge between the old Binance Beacon Chain and BSC. The attacker successfully moved around $127 million of the stolen crypto assets off the chain before it was paused. The attacker's wallet contained 2 million BNB, valued at $586 million based on the price at the time of the hack, but as a result of the chain halt, they were not able to exfiltrate the entire amount.

Binance CEO Changpeng Zhao ("CZ") tweeted that "An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC." A BSC developer later confirmed that "we coordinated with validators to temporarily suspend BSC after having determined an exploit on a cross-chain bridge, BSC Token Hub, which resulted in extra BNB". The value of the $BNB token dropped from $293.10 to $280.40 after the news.

The chain operators and CZ seemed to feel a little awkward about the ramifications of unilaterally deciding to halt a supposedly decentralized blockchain. CZ claimed he was asleep and that the chain had already been halted by the time he woke up. The BSC team published a blog post saying that "Decentralized chains are not designed to be stopped, but by contacting community validators one by one, we were able to stop the incident from spreading. It was not that easy as BNB Smart Chain has 26 active validators at present and 44 in total in different time zones. This delayed closure, but we were able to minimize the loss." They also promised to try to decentralize the project even further going forward.

South Korea reportedly freezes $39.6 million in crypto belonging to Terra founder Do Kwon, Kwon says it isn't his

South Korean prosecutors have reportedly frozen $39.6 million in crypto assets belonging to Do Kwon, the founder of Terraform Labs and creator of the failed Terra blockchain project. South Korea had also previously issued a warrant for his arrest.

Kwon claims that the report is a "falsehood", and "I don't know whose funds they've frozen". This joins his other claims, such as that he is "not 'on the run' or anything similar" (he is), and that Interpol didn't issue a red notice for him (they have).

Zcash continues to suffer from spam attack that started months ago

Zcash is a privacy coin which, unlike popular blockchains like Bitcoin and Ethereum, allows users to obscure who they are sending money to and how much. Since June or July, the network has been suffering from a spam attack in which attackers have been submitting massive transactions that quickly fill up block space. The chain has exploded in size, nearly tripling to more than 100GB since the attack began. Unlike other chains which are prohibitively expensive to attack, each spammed transaction costs less than a cent, and the attacker is estimated to be spending roughly $10 a day to execute the attack.

More than $1.1 million stolen from Sovryn defi protocol

Bitcoin-based defi protocol Sovryn lost more than $1.1 million to a price manipulation attack. An exploiter was able to use the project's legacy lend and borrow functionality to maliciously withdraw 44.93 RBTC (~$915,000) and 211,045 USDT.

According to the protocol, their developers "were able to identify and recover funds as the attacker was attempting to withdraw the funds". They have also announced that Exchequer, the project's treasury committee, would "reinject" the remaining stolen funds.

Buyer and seller of hacked account logins busted for $1 million tax fraud

A Floridian who was in the business of buying and selling hacked account logins on the dark web was busted for attempted income tax evasion when he tried to hide more than $1 million in crypto earnings from the IRS in 2014–2017. Despite using services like cryptocurrency mixers (or "tumblers"), the man was unable to successfully hide the money from the IRS. He faces up to five years in prison for the tax fraud. Remember, folks, always make sure to report your ill-gotten profits to the IRS!

Kim Kardashian pays $1.26 million fine for promoting a cryptocurrency without sufficient disclosure

[Image: Instagram story post from Kim Kardashian, which reads "Are you guys into crypto???? This is not financial advice but sharing what my friends just told me about the Ethereum Max token! A few minutes ago Ethereum Max burned 400 trillion tokens—literally 50% of their admin wallet giving back to the entire E-Max community. SWIPE UP". Caption: Kim Kardashian's Instagram post]
Kim Kardashian agreed to settle with the SEC over allegations that she had promoted a "crypto asset security" without disclosing how much she had been paid, or when. In June 2021, Kardashian posted an ad to her Instagram story where she claimed that she was "sharing what my friends just told me about the Ethereum Max token". Although she did include "#ad" in the post, she did not disclose to her 251 million followers that she was being paid $250,000 to post it, a disclosure required of anyone who promotes a securities investment. She will pay $1.26 million in the settlement.

SEC Chair Gary Gensler said, "Ms. Kardashian's case also serves as a reminder to celebrities and others that the law requires them to disclose to the public when and how much they are paid to promote investing in securities".

Kardashian is also named in an ongoing class action lawsuit pertaining to the EthereumMax project, along with Floyd Mayweather and Paul Pierce.

Coinbase experiences major outage related to U.S. bank accounts

The largest crypto exchange in the U.S., Coinbase, suffered an outage of roughly six hours in which it couldn't take payments or process withdrawals involving U.S. bank accounts. The company later narrowed the problem down to an issue creating ACH transfers, and tweeted "rest assured, your funds are safe", before marking the incident as resolved.

Transit Swap hacked for $21 million, hacker returns large portion

Transit Swap is a multi-chain decentralized exchange aggregator. Users of the project were collectively exploited for approximately $21 million when an attacker took advantage of a bug in the project's smart contract that allows arbitrary external calls. The attacker used this vulnerability to steal tokens that had been approved for swap by Transit Swap users. Amusingly, the hacker lost about $1 million of their ill-gotten funds to a MEV bot that was able to successfully front-run the swap.
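The mechanism described above, an "arbitrary external call" made by a contract that holds user token approvals, is also the class of bug behind Rabby's advice to revoke approvals. The following is an added illustration, not Transit Swap's, Rabby's, or any audited project's actual code; the contract and function names (`VulnerableRouter`, `swapVia`, `Drainer`, `HardenedRouter`, `setAdapter`) are hypothetical. It shows why an approval granted to a router is only as safe as every call the router can be made to perform:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration (not Transit Swap's or Rabby's code). Names are hypothetical.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE: users approve this router so it can pull tokens for swaps, but the
// router forwards any caller-supplied target and calldata from its own address.
contract VulnerableRouter {
    function swapVia(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// Any caller can turn the router's approvals into their own tokens: inside
// token.transferFrom, msg.sender is the router, which each victim approved.
contract Drainer {
    function drain(VulnerableRouter router, IERC20 token, address victim, uint256 amount) external {
        bytes memory payload = abi.encodeWithSelector(
            IERC20.transferFrom.selector, victim, msg.sender, amount
        );
        router.swapVia(address(token), payload);
        // `amount` of `token` now sits in this function's caller's wallet,
        // paid out of the allowance `victim` granted to the router.
    }
}

// HARDENED: the router never forwards a caller-chosen target, spends approvals
// only on behalf of msg.sender, and routes through owner-whitelisted adapters.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public approvedAdapter;

    constructor() {
        owner = msg.sender;
    }

    function setAdapter(address adapter, bool allowed) external {
        require(msg.sender == owner, "not owner");
        approvedAdapter[adapter] = allowed;
    }

    function swap(IERC20 tokenIn, uint256 amountIn, address adapter, bytes calldata data) external {
        require(approvedAdapter[adapter], "adapter not whitelisted");
        // Only the caller's own allowance is ever spent, and only into this contract.
        require(tokenIn.transferFrom(msg.sender, address(this), amountIn), "pull failed");
        // The adapter receives exactly what the caller deposited, nothing more.
        require(tokenIn.transfer(adapter, amountIn), "fund adapter failed");
        (bool ok, ) = adapter.call(data);
        require(ok, "adapter call failed");
    }
}
```

Because ERC-20 `transferFrom` checks the allowance of `msg.sender`, and `msg.sender` inside a call forwarded by the router is the router itself, every approval a user ever gave the router is spendable by whoever can choose the router's call target and calldata. The hardened variant refuses arbitrary targets and pulls only the caller's own tokens; its adapter whitelist only helps if the adapters themselves cannot be steered into arbitrary calls. From the user side, the complete remedy after such a bug is the one Rabby recommended: revoke the router's allowance on every chain, through the wallet or a site whose domain has been checked, rather than waiting for the contract to be patched.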

Multiple cryptocurrency security companies collaborated to investigate the hack shortly after it occurred. Transit Swap announced that "through the joint efforts of the SlowMist security team, the Bitrace security team, the PeckShield security team, the TokenPocket team and the TransitFinance technical team, we now have a lot of valid information such as hacker's IP, email address, and associated on-chain addresses." They subsequently announced that the attacker had returned around 70% of the stolen funds ($14–$15 million).

NFT trading fantasy league emerges to provide traders with the "sweet adrenaline" of flipping NFTs that they're missing in the bear market

"Most of us are too poor to be spending the [ether] we have left on huge sweeps, but we still want that sweet adrenaline rush of flipping JPEGs" said Brian Krogsgard, co-founder of the Flip NFT platform, in a statement you would think might have raised a red flag or two in his own mind. Evidently NFT traders are now being pitched NFT trading fantasy leagues, where they will be able to paper trade NFTs without risking their real-life fake money. Unfortunately for the traders, the app uses actual NFT price data, so the huge NFT project bull runs that some traders experienced during the NFT mania of 2021 will likely not emerge here, either.

One misconfigured node apparently takes the entire Solana network offline

In the latest illustration of our marvelous new decentralized, resilient blockchain future, one single Solana node apparently was able to take down the entire Solana network. Solana outages are nothing new, and tend to end (as this one did) with Solana issuing instructions to the people who run their validators, asking them all to turn them off and on again.

A validator operator reported that "It appears a misconfigured node caused an unrecoverable partition in the network." It's a bit startling that, in a supposedly decentralized network, one single node can bring the entire network offline.

Elon Musk's texts reveal his ideas for a blockchain-based Twitter

Texts exposed in the discovery process during the Elon Musk v. Twitter lawsuit have exposed not just a number of high-profile people embarrassingly simping for Musk, but also Musk's ideas about Twitter-but-on-the-blockchain.

In a text sent to his brother, Musk wrote, "I have an idea for a blockchain social media system that does both payments and short text messages/links like twitter. You have to pay a tiny amount to register your message on the chain, which will cut out the vast majority of spam and bots. There is no throat to choke, so free speech is guaranteed." In another message, to the president of his Boring Company, Musk narrowed in on an amount: 0.1 Doge per tweet or retweet. At today's prices, at 0.1 Doge per tweet, $1 would buy you about 160 tweets.

Musk's idea that there is some magical amount of money that ordinary people are willing to pay to send out a tweet or a retweet, but that spammers are not willing to pay to spam, seems preposterous. And given that "free speech is guaranteed" and blockchains are immutable, he would really need to hope that he finds this amount, because otherwise there's going to be a lot of spam permanently stored on Web3 Twitter.

As with many of Musk's ideas, the idea for a blockchain-based "free speech" social network is not new. On one of the more popular such services, BitClout, the home page shows posts such as "are there actually real ppl here, or only 'marketing' and ai-generated art?" It costs $0.01 to create a profile or to begin a tutorial on how to use the site. Out of the list of ten top-ranked creators on the site, the top two (Elon Musk and Naval Ravikant) haven't even signed up yet, and another five haven't posted in months.

Musk appeared to later toss out his blockchain social network idea, though not for spam reasons: "Blockchain twitter isn't possible, as the bandwidth and latency requirements cannot be supported by a peer to peer network, unless those 'peers' are absolutely gigantic, thus defeating the purpose of a decentralised network".

MEV bot earns over $1 million in profit, loses almost $1.5 million in hack an hour later

MEV bots are a controversial category of bots that front-run transactions in ways that are often detrimental to users. One such bot, known as 0xbadc0de, earned a windfall when a trader tried to sell 1.8 million cUSDC (USDC on the Compound protocol), notionally worth $1.85 million, but only received $500 in assets in return due to low liquidity. The MEV bot, however, profited 800 ETH (~$1 million) from arbitrage trades surrounding the sale.

One hour later, a hacker exploited a vulnerability in the bad code of 0xbadc0de, which allowed them to withdraw all of the ETH in the contract: not just the ETH they'd recently earned in the huge trade, but all 1,101 ETH (~$1.5 million).

The bot operator subsequently sent a message to the thief via an Ethereum transaction, writing that if the thief returned the funds, they would give them 20% as a "bounty". Otherwise, they wrote, "we will have no choice but to pursue accordingly with everything in our power with the appropriate authorities to retrieve our funds". The thief replied by mimicking the message, writing, "What about normal people who you have mev'ed and literally fucked them? Will you return them?" and suggesting that if they returned all of the funds they'd extracted, the thief would pay them 1%.

Someone claims to have burned a Frida Kahlo drawing to "transition it into the Metaverse" as NFTs

[Image: A ghostly figure with enormous eyes intertwined with a giant fish, a broom, duck, bird, and other creatures against a green backdrop, with the phrase "Here are the sinister ghosts" scrawled across it. Caption: Fantasmones Siniestros (Sinister Ghosts)]
A businessman has published a video in which he burns a drawing that he claims is an original Frida Kahlo drawing worth more than $10 million — though its value and its authenticity have both been questioned. The entrepreneur created 10,000 NFTs from the drawing, which he's selling for 3 ETH (~$4,000) (reduced from the original 3.5 ETH/$4,700) for a hoped total of $40 million. He claims that in burning the artwork, he has "transitioned [it] into the Metaverse".

So far, the stunt has resulted in two NFTs being minted by outside parties, for total proceeds of 7 ETH (~$9,400), not quite the millions the drawing allegedly cost the NFT project creator. Meanwhile, Mexican authorities have said they are investigating whether the businessman committed a crime in intentionally damaging an artistic monument.

Crypto executive exodus continues

The wave of crypto executives stepping down from their roles is continuing, after Genesis' CEO left the company and Michael Saylor gave up his CEO title (but stayed on as chairman) in August.

Now, Genesis' managing director has stepped down after five years. Kraken CEO Jesse Powell relinquished his title, planning to remain at the firm as a chairman. Alex Mashinsky has resigned as the CEO of Celsius Network in the midst of bankruptcy proceedings. And FTX US president Brett Harrison will also be stepping down.

Eight state regulators file enforcement actions against Nexo

Crypto lending service Nexo was hit with a barrage of enforcement actions, including cease-and-desist orders, from eight states: California, Vermont, Oklahoma, Kentucky, Washington, South Carolina, New York, and Maryland. Several of them also tacked on fines, with Washington levying a hefty $1 million against the company, and Maryland fining them $5,000 per violation.

Nexo had previously been warned to stop offering services in New York state and to register under securities regulations, but hadn't done so. Several states called into question Nexo's "real-time audit", which they describe as bogus. Kentucky also noted in its action that when the company's holdings of its own $NEXO token were taken out of the equation, the company appears to be insolvent.

Four NFTs valued at at least $150,000 stolen from Jason Falovitch

[Image: An illustration of a golden brown ape with closed eyes, biting its lower lip. Caption: Bored Ape #7779]
Sports manager turned crypto entrepreneur Jason Falovitch is now perhaps best known for his influence in the NFT space. He co-founded the Leverage Game Media company along with Mark Cuban, a group that owns many NFT assets and helps promote NFT projects through their control of major sports social media pages. Falovitch also co-founded @NFT, a group of social media pages that earned a ban from Twitter in February after accusations that they promoted scammy NFT projects without proper disclosure.

On September 25, Falovitch tweeted "I got hackled last night on Opensea. Apes, doodles, eth. It's not pretty." Four NFTs had been stolen from his wallet — two Doodles, and a Mutant and Bored Ape — along with 6 ETH (~$7,750). The Mutant and Bored Apes were both resold, for 15.99 ETH (~$20,700) and 82.69 ETH (~$107,000) respectively. Factoring in Doodle floor prices, the hacker is looking at at least $150,000 in profit.

The loss, however, is larger for Falovitch, who spent ~$377,000 on the four NFTs based on the price of ETH at the times of purchase. Falovitch tweeted after the hack, "Now I'm over $1M hacked in ETH and NFTs." It's not clear if he's referring to other wallets he may control that were compromised, previous hacks he's suffered, or if he's massively overestimating the value of the stolen NFTs. He also tweeted that he discovered his car was broken into as he went to drive to the police department to report the NFT thefts.

Well-known crypto researcher zachxbt, who is known for helping victims of wallet hacks recover their assets, tweeted to Falovitch: "Karma for all of the people you rekt with the scams promoted on your Instagram page. Definitely won't be tracking this one."

IRS gets permission for summons to go after taxpayers who didn't report crypto transactions

The IRS was granted authorization to issue a "John Doe summons", which will require M.Y. Safra Bank to provide them with information on U.S. customers who may have failed to report taxable cryptocurrency transactions. This summons is specifically aimed at customers who used sFOX, a crypto broker that used M.Y. Safra Bank's services. The IRS was also previously authorized to serve a John Doe summons on sFOX directly.

The press release stated, "Based on its recent experiences with cryptocurrencies, the IRS has strong reason to believe that many virtual currency transactions are not being properly reported on tax returns."

CFTC files suit against a DAO

The Commodity Futures Trading Commission fined the bZeroX blockchain project and its founders $250,000 for allowing illegal trading of digital assets, engaging in activities only allowed by registered futures commission merchants, and not performing proper KYC. They have also filed a civil suit against Ooki DAO, the successor to bZeroX, for violating the same laws.

This will certainly be interesting to watch. DAOs, decentralized autonomous organizations, are a popular form of web3 project governance where (typically) anyone who holds the governance token can vote on the actions of the DAO. There is little precedent in the way of filing charges against a DAO, and DAOs often don't have the liability protections of more traditional organizational structures.

Man charged with seven felonies over crypto scams

The U.S. Attorney's Office for the District of Utah announced seven felony charges against a man who is accused of several crypto-related scams.

In one, he conned two victims for $1.7 million by claiming to sell a powerful Bitcoin miner that didn't exist; instead, a fake machine in the office was connected to a monitor displaying prerecorded video to make it appear as though the machine was mining cryptocurrencies.

In another, he created a business he claimed would "Bank the Unbankable" by providing financial services to people who couldn't access them. Instead, the millions of dollars were spent on unrelated businesses.

Compute North, one of the largest crypto mining datacenters, files for bankruptcy

[Image: Aerial photo of dozens of containers housing crypto mining infrastructure on a large plot of land. Caption: Compute North facility]
Compute North has filed for Chapter 11 bankruptcy, in what may be a blow to the crypto mining industry. Compute North is a major datacenter provider, and has deals with crypto mining companies including Marathon Digital, Compass Mining, and others. Compute North had just raised $385 million in February through a Series C equity round and debt financing.

Wall Street Journal suggests that Coinbase tested proprietary trading

According to a report in the Wall Street Journal, US-based cryptocurrency exchange Coinbase set up a group to speculate on cryptocurrencies in hopes of earning money for the business. The WSJ said the group performed a $100 million "test trade" before the initiative was ended. Some Coinbase employees described the project as proprietary trading, something Coinbase has testified in front of Congress to say it doesn't do. Prop trading is controversial because of the potential conflicts of interest, in which firms can end up effectively trading against their own customers.

Coinbase has disputed the WSJ claims in a blog post, accusing the paper of confusing "client-driven activities" with prop trading. In a statement to the WSJ, published in the article alongside the allegations, a Coinbase spokesperson said that "Coinbase does not, and has never, had a proprietary trading business. Any insinuation that we misled Congress is a willful misrepresentation of the facts".

Investors seek to recoup around $35 million from Canadian "Crypto King" in his early 20s

[Image: Aiden Pleterski and a woman with her face blurred stand in front of a lime green Lamborghini in what appears to be an upscale suburb. Caption: Aiden Pleterski with one of his many cars]
"[I] was a 20-something-year-old kid" said Aiden Pleterski, when asked why he kept his "investment" scheme going when he knew he couldn't repay his existing customers. Although he once described himself as the "Crypto King" in several articles he paid to have run, Pleterski is now undergoing a bankruptcy process and facing multiple lawsuits, where creditors are trying to first find and then recoup the more than $35 million they've collectively entrusted to him.

So far, the court has seized two McLarens, two BMWs, and a Lamborghini — only a few cars out of the eleven luxury cars Pleterski owned, plus another four he was renting. Investors have also asked about the $45,000-a-month lakefront mansion he was renting in Ontario, watches, and gold bars, hoping they could be liquidated to repay some of his debts.

Pleterski had promised investors that he would invest on their behalf, taking 30% of any capital gains, with a goal of achieving 10–20% gains biweekly. He also promised that any loss on the initial investment would be paid back in full. Pleterski had made some money in crypto as a teenager, but according to him, he lost most of the money he was given to invest in late 2021 and early 2022 "in a series of margin calls and bad trades". An investor claims that at one point, he was given pictures and videos of financial statements showing an account with $311 million, but when he checked with the company supposedly maintaining the account, they said they had no accounts with that kind of funds. So far, the court and investors alike have struggled to untangle Pleterski's mess; according to him, he was disorganized and didn't track his finances or debts.

Wintermute hacked for $160 million

The algorithmic market maker Wintermute suffered a major hack, according to their CEO. He estimated the loss at around $160 million, also writing that the company is "solvent with twice over that amount in equity left".

Wintermute hasn't disclosed more about the attack, but it's possible that the hacker may have exploited the vulnerability in the vanity wallet address generator Profanity, which was disclosed five days prior. The crypto asset vault admin had a wallet address prefixed with 0x0000000, a vanity address that would have been susceptible to attack if it was created using the Profanity tool.

This is the second incident involving Wintermute in the past few months. In June, the group provided the wrong wallet address to the Optimism project, and Optimism sent 20 million OP tokens to a non-existent address. Another person noticed the error before they did and was able to take the tokens. They ultimately returned 17 million of the tokens to Wintermute, keeping the rest as a "bounty". $OP has been trading at around $1 as of mid-September.

SEC files emergency action to stop CryptoFX scam

CryptoFX is a crypto-based scheme targeted specifically at Latines, promising to invest its victims' assets in cryptocurrencies and teach its customers how to trade crypto. It also reportedly functioned as a pyramid scheme, using a "referral program" to incentivize people to recruit friends, family, and people in their communities.

The United States Securities and Exchange Commission filed an emergency action to stop the fraud and freeze assets, which was granted on September 29, 2022. The SEC then filed a complaint against the company and its leaders Mauricio Chavez and Giorgio "Gio" Benvenuto. The SEC alleged CryptoFX had raised at least $12 million from 5,000 investors, which ostensibly would be put into crypto markets but instead was primarily used to "fund [Chavez's] real estate company and extravagant lifestyle".

Sparkster settles for $35 million with the SEC; SEC charges crypto influencer

The firm Sparkster and its CEO Sajjad Daya settled with the U.S. SEC after a cease-and-desist arguing that Sparkster sold securities worth at least $30 million without registration. The firm and Daya agreed to settle with the SEC, and will pay more than $35 million to a fund that will be distributed to the investors who were harmed.

The SEC also charged crypto influencer Ian Balina for his involvement with the scheme. He allegedly accepted a 30% bonus on the $5 million worth of SPRK tokens he purchased in an agreement to promote the project on YouTube, Telegram, and other channels, but did not disclose his compensation. He also organized an investing pool with more than 50 investors, which he likewise didn't register with the SEC. Balina had advertised that he could help people "make millions with initial coin offerings".

UK financial regulator warns against FTX exchange

The United Kingdom's Financial Conduct Authority issued a warning that FTX is not authorized by them, but is targeting consumers in the UK. "Almost all firms and individuals offering, promoting or selling financial services or products in the UK have to be authorised or registered by us," they wrote in the announcement, noting that FTX is not. Because of this, "you are unlikely to get your money back if things go wrong".

A spokesperson from FTX said they believed that "a scammer is impersonating FTX", which they said they thought led to the warning. However, the statements in the warning are accurate: FTX is not registered with the FCA, and it serves UK customers.

Scammer earns 13 ETH ($17,500) from fake Mutant Ape scheme

Image: an illustration of an ape with skin made from various animal prints, a bright green muzzle with a tongue stuck out and wrapped around a beer can, X-ed out eyes, a bone necklace, and a WW2 pilot helmet with teeth around the brim. Caption: Mutant Ape #21080 (attribution)
The owner of Mutant Ape #21080 was approached with an offer to trade their ape for another Mutant Ape (#55) plus an extra 0.5 ETH ($675) to sweeten the deal. The owner agreed and went ahead with the trade on SudoSwap, one of several platforms that let people set up NFT-for-NFT swaps. Unfortunately, he didn't check that the "Mutant Ape #55" being offered was actually the genuine article. The scammer had created a batch of fake Mutant Apes that look identical through the SudoSwap frontend, but are clearly fakes if you look at the contract they were minted from.

The owner ended up with a worthless counterfeit and a measly 0.5 ETH for his pricey NFT. The scammer quickly flipped the real Mutant for 13.5 ETH, making a tidy $17,500 profit.

Whale illustrates price manipulation risk in GMX exchange, profits more than $400,000

Image: a candlestick chart showing the AVAX token dropping in price and then recovering as a whale manipulates the price. Caption: AVAX chart (attribution)
GMX is a decentralized cryptocurrency exchange that boasts zero price impact trades. On most exchanges, users have to contend with slippage: a difference between the price of a token when the user goes to enter the trade and the price when the trade is executed. A sufficiently large trade can itself cause slippage, particularly with crypto assets with lower liquidity.

A whale was able to take advantage of this "feature" by taking large positions in AVAX, the token belonging to the Avalanche blockchain, which has relatively low liquidity compared to larger tokens like Bitcoin or Ether. The whale then manipulated the price by making large trades on a centralized exchange, taking an estimated profit of between $400,000 and $450,000 after fees.

Some had publicly expressed concerns about the possibility of such an exploit earlier in September: Taureau, a founder of another decentralized exchange, had outlined the possibility of an exploit like this on a podcast episode on September 1.

GMX responded to the incident by capping the size of positions that users can take on AVAX. Another project, MM.Finance, announced they would be pausing order execution on their MadMex platform, which is a fork of GMX.

Binance accounting bug involving Helium tokens results in $19 million of erroneous payouts

Helium has two different tokens: HNT, which is paid out to people who run Helium hotspots, and MOBILE, which is paid to those maintaining the new Helium 5G network. However, Binance erroneously treated both tokens as HNT within their exchange. As a result, anyone who sent MOBILE to Binance wound up with that same number of HNT tokens in their wallet — a big benefit, given that HNT has traded between $4 and $7 this past month, and MOBILE is not yet easily tradable.

Binance distributed around 4.8 million HNT before discovering and patching the bug, valued at around $19 million.
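As an added example (not Binance's or Helium's code) of the accounting distinction at issue, here is a deposit-crediting routine in Python in which the buggy version keys on a coarse issuer label and the hardened version keys on the token's on-chain mint address, with a reconciliation pass that flags mis-credited deposits; all mint addresses and transaction ids are constructed placeholders.

```python
"""Added example, not Binance's or Helium's code: why a deposit ledger must key
on a token's on-chain identifier (its mint on Solana) rather than on a symbol or
issuer label. Mint addresses and transaction ids below are constructed placeholders."""
from dataclasses import dataclass

HNT_MINT = "HNTmintPLACEHOLDER11111111111111111111111111"      # constructed
MOBILE_MINT = "MOBILEmintPLACEHOLDER2222222222222222222222"    # constructed

@dataclass(frozen=True)
class Deposit:
    txid: str      # constructed transaction id
    mint: str      # SPL token mint the transfer actually moved
    issuer: str    # coarse label the deposit watcher attaches, e.g. "helium"
    amount: float

# --- buggy version: anything from the Helium issuer is credited as HNT ---
ISSUER_TO_SYMBOL = {"helium": "HNT"}

def credit_by_issuer(ledger, dep):
    symbol = ISSUER_TO_SYMBOL[dep.issuer]      # MOBILE collapses into HNT here
    ledger[symbol] = ledger.get(symbol, 0.0) + dep.amount
    return symbol

# --- hardened version: credit only explicitly listed mints, keyed by mint ---
MINT_TO_SYMBOL = {HNT_MINT: "HNT"}            # MOBILE deliberately not listed

def credit_by_mint(ledger, dep):
    symbol = MINT_TO_SYMBOL.get(dep.mint)
    if symbol is None:                         # unknown mint: hold for review
        return None
    ledger[symbol] = ledger.get(symbol, 0.0) + dep.amount
    return symbol

def reconcile(deposits, credited):
    """Detection pass over already-credited deposits: return the txids whose
    credited symbol is not what the mint actually maps to."""
    return [d.txid for d, sym in zip(deposits, credited)
            if sym is not None and MINT_TO_SYMBOL.get(d.mint) != sym]

# Constructed sample: one genuine HNT deposit, one MOBILE deposit sent to the
# same exchange address.
SAMPLE = [
    Deposit("tx-001", HNT_MINT, "helium", 100.0),
    Deposit("tx-002", MOBILE_MINT, "helium", 5000.0),
]

def run_buggy():
    ledger = {}
    credited = [credit_by_issuer(ledger, d) for d in SAMPLE]
    return ledger, reconcile(SAMPLE, credited)

def run_hardened():
    ledger = {}
    credited = [credit_by_mint(ledger, d) for d in SAMPLE]
    return ledger, reconcile(SAMPLE, credited)

if __name__ == "__main__":
    print(run_buggy())     # ({'HNT': 5100.0}, ['tx-002'])
    print(run_hardened())  # ({'HNT': 100.0}, [])
```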

Hours after Ethereum transition to proof-of-stake, SEC Chair says PoS crypto could be classed as securities

Image: official portrait of Gary Gensler. Caption: SEC Chairman Gary Gensler (attribution)
In the early hours of September 15, Ethereum completed "The Merge", the long-awaited transition from its original proof-of-work consensus mechanism to proof-of-stake.

Later that day, SEC Chairman Gary Gensler pointed to the staking mechanism as a signal that an asset might be a security as determined by the Howey test.

There has been much discussion over whether cryptocurrencies in general or individually should be considered securities, commodities, or possibly even something else. Broadly, people within the crypto community don't want to see the assets fall under SEC jurisdiction, as the SEC is seen as much less friendly to the industry than the CFTC.

Vulnerability discovered in vanity wallet generator puts millions of dollars at risk

The 1inch Network disclosed a vulnerability that some of their contributors had found in Profanity, a tool used to create "vanity" wallet addresses by Ethereum users. Although most wallet addresses are fairly random-looking, some people use vanity address generators to land on a wallet address like 0xdeadbeef52aa79d383fd61266eaa68609b39038e (beginning with deadbeef), or one with lots of 0s at the end, or some other address the user thinks looks cool.

However, because of the way the Profanity tool generated addresses, researchers found that the brute-force search used to find a vanity key could be fairly easily reversed, allowing attackers to recover the private key of a wallet created with the tool.

Attackers have already been exploiting the vulnerability, with one emptying $3.3 million from various vanity addresses. 1inch wrote in their blog post that "It's not a simple task, but at this point it looks like tens of millions of dollars in cryptocurrency could be stolen, if not hundreds of millions."

The maintainer of the Profanity tool removed the code from Github as a result of the vulnerability. Someone had raised a concern about the potential for such an exploit in January, but it had gone unaddressed as the tool was not being actively maintained.

"No politics at work" Coinbase rolls out a feature to promote crypto-friendly politicians

Image: a mobile screenshot of a list titled "explore legislators", showing various representatives and their "Crypto sentiment". Carolyn Maloney of New York, District 12 is displayed with a negative crypto sentiment. Caption: Coinbase crypto policy feature (attribution)
When the "politics" were widespread civil unrest in the summer of 2020 triggered by the police murder of George Floyd, and pressure on the company to release a statement in support of Black Lives Matter, Coinbase CEO Brian Armstrong announced that there would be no political discussion or activism at work, and those who didn't like it could leave.

Now, he's just announced that Coinbase will be "integrating our crypto policy efforts right into our app" by providing a rating of Congressmembers' negative or positive "crypto sentiment". He also said that they plan to "help pro-crypto candidates solicit donations from the crypto community (in crypto)", and wish to get their users to attend town hall events. "We've also added a very easy way for you to contact your member of Congress to urge them to support pro-crypto policies," Armstrong said in a video demonstrating the feature.

"Double your money" scammers capitalize on Ethereum merge

Image: tweet by a Twitter account with the verified display name "vitalik.eth" but the account handle "iThinkBuzz". The tweet reads: "To celebrate the Merge, Ethereum Foundation giving away 50,000 ETH! 🎉 First come, first serve ➡️https://ETH-MERGE.BLOGSPOT.COM You can only apply once." Caption: Tweet by hacked verified account (attribution)
If it seems like you've been seeing a lot of Ethereum co-founder and figurehead Vitalik Buterin around Twitter lately, it may be due to the influx of hacked verified Twitter accounts that have been retrofitted to resemble Vitalik's account. They've been used to share a litany of scam links to supposed Ethereum giveaways in celebration of "The Merge": the much-anticipated change to Ethereum's consensus model that's scheduled to happen on September 15.

Most of the tweets say something like "To celebrate the Merge, Ethereum Foundation giving away 50,000 ETH!", and link out to various websites that invite people to send some amount of Ethereum with the promise that they'll receive twice as much in return — a classic double-your-money scam.

At least 36 verified Twitter accounts were compromised and used for the scam, including the 6 million-follower Cityarabia account that normally tweets for Arabic-speaking fans of the Manchester City football club. On the afternoon and evening of September 14 alone, at least 195 ETH (~$314,000) was drawn in by the accounts and scam websites I found.

South Korea issues arrest warrant for Terra founder Do Kwon

A South Korean court has issued a warrant for the arrest of Do Kwon, the founder of the Terra ecosystem, as well as five other people. According to Bloomberg, the allegations include violations of Korea's capital markets law.

Kwon and the others named in the warrant are currently in Singapore. In June, Korea banned current and former Terraform Labs employees from leaving the country, and in July Korean authorities raided multiple exchanges in connection to their investigation.

Starbucks wants you to have an "immersive coffee experience" with their web3 rewards program

Image: a glitchy photograph of a coffee farm, with the text "Starbucks Odyssey" atop it in white capitals. Caption: Starbucks Odyssey promotional image (attribution)
When Starbucks CEO Howard Schultz first announced at an employee town hall in April that the company was looking to get into NFTs, I assumed he was just hoping for a headline to distract from all the union busting they'd been doing. After all, they already have a rewards program that by all appearances seems to be quite successful.

Despite that, Starbucks has apparently decided that what its rewards program really needs are "digital collectible stamps", a euphemism for NFTs that somehow makes them sound even less appealing.

These NFTs promise to provide their holders with "immersive coffee experiences", which sounds an awful lot like what cost McDonald's a few million in the mid-nineties.

Unfortunately for Starbucks, between the time they came up with the idea, announced it at their town hall, and are now inviting people to sign up to the waitlist, the NFT craze has died down considerably. Even at the peak of NFT mania, though, I'm not sure if people would have been lining up to buy "digital collectible stamps" that allow them to "claim an ownership stake in their loyalty to Starbucks" (what??)

Ubisoft now claims its forceful introduction of NFTs was only "research"

Remember when Ubisoft decided it was going to shoehorn NFTs into their Tom Clancy's Ghost Recon Breakpoint game, to the nearly universal disappointment of their fans? Remember when one of their execs said that gamers just "don't get what a digital secondary market can bring to them"? Remember when their employees were so unhappy with the NFT plan that they had to hold an internal workshop about it, shortly before giving all employees NFTs of hats?

Well, despite being pretty bullheaded about their stance on NFTs and web3, even Ubisoft is now backing away from it all. In April, only a few months after launch, Ubisoft announced that there would be no more NFTs for the Ghost Recon Breakpoint title. Now, the CEO is putting a different spin on the company's former determination to introduce NFTs: "we are still in research mode" when it comes to web3 technologies, he said. "We probably were not good at saying we are researching. We should have said we were working on it, and when we have something that gives you a real benefit, we'll bring it to you." I imagine that might come as a shock to the handful of people who actually bought the Ghost Recon Breakpoint NFTs, given they were promised "real benefit" back in December and are now left with useless collectibles.

Algorand Foundation discloses $35 million exposure to Hodlnaut

The Algorand Foundation is a group responsible for managing Algorand, a proof-of-stake blockchain. On September 9 they disclosed that they had put $35 million of the project's treasury into Hodlnaut, a lending firm that halted withdrawals on August 8 and applied for creditor protection a week later. Hodlnaut was in turn heavily exposed to Terra, the ecosystem that collapsed in May.

The Algorand Foundation reassured people that the funds potentially lost to Hodlnaut were less than 3% of the Foundation's assets, and "we do not anticipate operational or liquidity issues due to this action". They also wrote that they would be "pursuing all legal remedies to maximize asset recovery".

New Free DAO loses $1.25 million in flash loan attack

A flash loan attack against the New Free DAO project resulted in a $1.25 million loss. The project's token also crashed 99% in the wake of the theft. The hacker quickly sent 1,500 BNB (~$415,000) of the stolen funds through the Tornado Cash cryptocurrency mixer, and sent another 2,900 BNB (~$803,000) to the PancakeSwap decentralized exchange.

Shiba Inu developers leak AWS credentials on Github

If Amazon would like to buy the rights to the slogan "Web3, powered by AWS™️", feel free to reach out, because I'm registering it.

On September 8, a security researcher published a blog post reporting that the developers behind the Shiba Inu coin — one with reality-defying levels of popularity at #13 on the list of coins by market cap — had apparently published their AWS credentials to Github. After making the discovery, his team attempted to contact the developers, but were not able to find a bug bounty program, responsible disclosure policy, or even people they could reach out to personally.

Luckily for Shiba Inu (and somewhat miraculously), the credentials were invalidated two days later, apparently before anyone malicious took advantage of the exposure. The researcher wrote that the exposure had "the potential to cause serious security breaches, including but not limited to user fund theft, token embezzlement, disruption of services, etc."

Coinbase funds lawsuit against the Treasury Department over Tornado Cash sanctions

In the wake of OFAC adding Tornado Cash to the U.S. sanctions list in early August, Coinbase has announced they will fund a lawsuit against the Treasury Department to challenge the decision. Coinbase itself is not a plaintiff in the lawsuit, though two of the plaintiffs are Coinbase employees, who along with four other individuals filed suit in a Texas court. They say they previously used Tornado Cash for licit purposes, and are now suffering financial damages because they can't legally use the service.

In the suit, they argue that the Treasury Department overstepped its authority in what it can sanction, claiming that "Tornado Cash software, including the smart contracts, consists of immutable open-source software code, which is not property, a foreign country or a national thereof, or a person of any kind." They've also argued that the designation is unconstitutional under both the free speech protections of the First Amendment and the due process protections of the Fifth Amendment.