Terraport Finance launched on March 31, apparently having gone live without any sort of audit. On April 10, Terraport disclosed that an attacker had apparently managed to drain all project liquidity pools, making off with assets priced at around $2 million.
Today, Sifu himself was the victim of a theft as a bug in the SushiSwap decentralized exchange allowed a hacker to make off with around 1,800 ETH (more than $3.3 million) belonging to him. According to SushiSwap leader Jared Grey, around 300 ETH (~$557,000) of Sifu's funds were subsequently recovered.
Analysts have found that almost 200 addresses on the Ethereum network have approved the vulnerable contract, and around 2,000 addresses approved the vulnerable contract on Arbitrum, Polygon, and other chains. It's not yet clear how much was stolen in total. SushiSwap leader Grey urged users via Twitter to revoke approval for the vulnerable smart contract.
Bitcoin mining firm sues business partner after they allegedly lose $500,000 in Bitcoin to fraudster
The lawsuit also alleges that Gryphon has " dutifully collected its exorbitant Management Fee while shirking its duties under the MSA and delivering abhorrent management services" and "skimm[ed] off the top (i.e., st[ole]) from Sphere's assets".
Canada has become more strict on cryptocurrency exchanges in recent months, particularly following the collapse of FTX.
The Bored Ape would likely fetch somewhere around $125,000 if resold. The other three NFTs would likely resell for somewhere around $8,700. Together with around $3,400 in stolen tokens, Bryant's total loss is around $139,000.
After some observers spotted the suspicious-looking transactions, Bryant confirmed on Twitter: "Yes my ape was stolen and I don't know how this is crazy".
.transfer()— a common function used with Ethereum projects that is not supported by zkSync.
The zkSync project evidently came to the rescue of Gemholic, announcing that they would change the protocol in a new release to add support for Solidity functions such as
.transfer(), which will ultimately free Gemoholic's locked funds.
Binance will continue to operate its spot exchange product in Australia, but customers will no longer be able to trade derivatives on the platform after April 21.
A trader apparently trying to bid $100 for one of the NFTs seems to have mistakenly entered 100 ETH, or around $190,000. The trade was of course quickly accepted by a seller who made a tidy 1666x the typical floor price.
Some have speculated the massive offer was money laundering, but the fact that the bid was an open offer that could be accepted by anyone seems to make that theory less likely.
- "NFT trader accidentally bids 100 eth on a freely minted NFT", r/CryptoCurrency
- Transaction on Etherscan
The attacker apparently took advantage of a re-entrancy vulnerability to execute the theft, then swapped the tokens and bridged them to the Ethereum main chain.
Sentiment tweeted that they were aware of the attack and investigating what had happened. They also stated that they were working with law enforcement. Later that evening, they sent a message to the hacker, offering to let them keep 10% of the stolen funds as a bounty if they returned the rest. Sentiment was audited by two crypto security firms.
On April 6, Sentiment announced that the exploiter had returned 90% of the funds, keeping $95,000 and receiving a promise from the organization that they would not try to prosecute the theft.
Youssef was vague as to the reasons for the closure, writing that "While I cannot share the full story now, I can say that we unfortunately have had some key staff departures. Also, regulatory challenges for the industry continue to grow, especially in the peer-to-peer market and most heavily in the U.S."
Youssef later elaborated in a Twitter Space, explaining that he feared for the safety of user funds because of a lawsuit from his co-founder, who he also accused of "[driving] away all of our senior level staff".
Some had trouble withdrawing funds from the platform, though this seemed to be due to the overload. Youssef tweeted, "Paxful database is a bit overloaded now as everyone is withdrawing funds. It is making transfers slow. I promise funds r safe and they will clear soon".
On May 8, Paxful came back online, though it was unclear whether or in what capacity the business would continue to operate going forward.
Cobie decided he wanted to make a record of his prediction, so he tweeted the SHA-256 hash of the string "Interpol Red Notice for CZ". Typically, this would allow him to later reveal the seed, allowing him to prove after the fact that he had indeed made a correct prediction. Why? I don't know. Bragging rights I guess?
Anyway, according to Cobie, one of Cobie's inner circle leaked the seed, and the contents of Cobie's prediction were widely circulated on Twitter. Some thought the prediction was inside knowledge of events that had already transpired. Someone else began circulating a doctored screenshot of the Interpol website, purporting to show a red notice. People began offloading their BNB tokens (the native token for Binance and Binance's blockchain), causing a sudden 3% dip in the token price. Bitcoin also fell on the news.
MEV bots are a phenomenon that became popular in recent times: bots that use various techniques to extract value by inspecting pending blockchain transactions and then sending advantageous transactions of their own. In this case, a bot was performing a "sandwich attack": sending transactions just before and just after a pending transaction, which manipulate the price of the underlying asset, allowing the bot operator to "steal" value from the victim — "steal" in quotes, because there is some debate over whether MEV bots are really stealing, or are operating within the rules laid out for them.
In order to manipulate prices in this way, they have to put a substantial amount of money at risk. A "rogue" Ethereum validator appeared to replace some of the transactions that were being executed by the bot, leading to a loss of WBTC, USDT, Dai, and WETH totaling a bit over $25 million.
First Arbitrum DAO vote spirals into disaster: DAO rejects $1 billion spending proposal, but Arbitrum already started spending
The vote, which still has a day left before completion, is currently standing at 75% against and 25% in support. However, it was discovered that Arbitrum had already begun spending those 750 million tokens, including via the movement of a substantial amount of tokens, and "conversion of some funds into stablecoins for operational purposes".
Another Arbitrum team member subsequently published a post in which they claimed that the proposal was not really a vote but rather a "ratification" of decisions that had already been made by the Arbitrum team, leading many to question what the DAO was even for in the first place. Others questioned the fact that Arbitrum was receiving so much money to use however they liked, not subject to DAO approval.
Things got even messier when the Arbitrum Twitter account "clarified" that "40M $ARB tokens have been allocated as a loan to a sophisticated actor in the financial markets space", and the rest had been sold off for "operational costs". The loan of $52 million worth of ARB to an unnamed actor and the conversion of another $13 million to stablecoins led some to accuse the Arbitrum team of "selling off", cashing in far more than would likely be required for foundation costs in a brief period of time.
In April, four employees filed a lawsuit against the company, claiming around CAD$519,000 in unpaid wages.
Allbridge announced that they were investigating the theft, and were working with law enforcement. Meanwhile, the project suspended operations and announced that they were preparing a user compensation plan.
In October 2022, Bittrex was fined a combined $29 million by the US Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN). The OFAC fine pertained to Bittrex's service of users based in Crimea, Cuba, Iran, Sudan, and Syria, who altogether performed $263 million in transactions using the platform. FinCEN's fine was imposed as a result of alleged "willful violations" of requirements around anti-money laundering and suspicious activity reports.
Bittrex will continue operations outside of the US, and currently operate in Europe, South America, and elsewhere.
However, the airdrop had a bumpy start, with scammers latching on to the event to proliferate fake airdrop websites. Phishers reportedly scammed more than 10,000 people using these schemes. At one point, Twitter even suspended the real Arbitrum Twitter account after mistaking it for one of the many phishing accounts. Attackers also compromised a Discord account belonging to an Arbitrum developer, using it to post a phishing link to the official Arbitrum Discord server.
Then, when the time for the airdrop came, the token claiming website crashed on the traffic, as did the Arbitrum block explorer. Those who were able to claim their tokens paid exorbitant gas fees, and some wallets attempting to estimate required gas fees malfunctioned, showing estimates in the billions of dollars.
Finally, the airdrop was widely gamed by people commandeering hacked vanity addresses to receive the airdrop tokens allocated to them, with at least $500,000 worth of tokens reportedly claimed by one attacker. Other attackers scrambled to compete with one another to claim tokens allocated to compromised wallets whose private keys had been shared publicly on Github and elsewhere, trying to be the first to siphon the funds. Two additional exploiters siphoned a combined total of more than 1 million ARB tokens from other wallets. One sold them for 713 ETH ($1.27 million); the other transferred the ARB tokens to other wallets.
- "Arbitrum Shows Just How Messy (and Tricky) Crypto Airdrops Can Be", CoinDesk
- "Arbitrum Foundation Homepage Crashes as Users Rush to Claim ARB Tokens", Decrypt
- "Arbitrum airdrop: Hacked vanity addresses used to siphon $500K", Cointelegraph
- "Hackers exploit Discord server to launch fake Arbitrum airdrop", Cryptopolitan
- "Over 1M Arbitrum tokens lost to phishing attack", CryptoSlate
According to the SEC, the BXY token sale raised more than $8 million. At least $900,000 of that was misappropriated by Hamazaspyan, who used it for personal purposes, including gambling.
Some of the defendants agreed to permanent injunctions, and to pay fines of around $166,000 and disgorgement of around $62,800. The agreement also stipulates that the Beaxy platform shut down. The SEC announced they were continuing to litigate charges against Hamazaspyan for securities fraud and against Hamazaspyan and his company for the unregistered securities offering.
- "SEC Charges Crypto Trading Platform Beaxy and its Executives for Operating an Unregistered Exchange, Broker, and Clearing Agency", U.S. Securities and Exchange Commission
The CFTC has alleged that "Binance has taken a calculated, phased approach to increase its United States presence despite publicly stating its purported intent to 'block' or 'restrict' customers located in the United States from accessing its platform... All the while, Binance, Zhao, and Lim, the platform's Chief Compliance Officer ('CCO'), have each known that Binance's solicitation of customers located in the United States subjected Binance to registration and regulatory requirements under U.S. law. But Binance, Zhao, and Lim have all chosen to ignore those requirements and undermined Binance's ineffective compliance program by taking steps to help customers evade Binance's access controls."
The CFTC is only one of several US groups looking into Binance, with the SEC also reportedly scrutinizing the exchange and the Department of Justice considering charges.
After raising user funds, the project's creators drained its liquidity pools. They also convinced users to send funds to them with a technique known as "ice phishing". They then deleted their social media accounts and disappeared.
- "Kokomo Finance", CertiK
It seems perhaps even Sotheby's prestige is not sufficient to overcome the NFT downturn.
However, some confusing instructions resulted in the owner sending the punk to the burn address, effectively destroying the NFT. "I was trying to wrap it and don't know what I was doing... Thought I was following the directions exactly..." they later wrote. They also later shared that they had borrowed money in order to purchase the CryptoPunk.
The criminal charges out of the US add to civil charges he's facing from the SEC, as well as an investigation out of South Korea.
After the collapse, Kwon became a fugitive. South Korea issued a warrant for his arrest in September, and Interpol issued a red notice. However, he's remained on the lam for some time, reportedly hiding in Serbia for a time — a country with no extradition agreement with South Korea.
Now, officials in Montenegro have announced they arrested Do Kwon, who was attempting to travel through the country using falsified documents. Montenegro is a Balkan country bordering Serbia.
According to Coinbase, the Wells notice related to "aspects of the company's exchange, our staking service Coinbase Earn, and Coinbase Wallet". It's not terribly surprising that the SEC might have Coinbase Earn in its crosshairs, as it has recently taken action against similar products, such as Kraken's staking service. In the wake of the action against Kraken, Coinbase seemed to try to pre-empt SEC arguments by sending an email to customers emphasizing things like "You earn rewards from the protocol, not Coinbase". It doesn't look like this has shifted the SEC's thoughts much, though.
This should be an interesting saga to watch, partly because Coinbase has expressed willingness in the past to go head to head with the SEC.
With the exception of Soulja Boy and Mahone, the celebrities paid a total of more than $400,000 in disgorgement, interest, and penalties to settle the charges without admitting or denying them.
In a tweet announcing the shutdown, SpankPay reassured customers, "Rest assured your money is safe and we'll get it to you as soon as possible" — always a scary thing to hear from a crypto company.
It seems that only the payments processing side of the business is shutting down, with projects including SpankChain and SpankMatch continuing to operate.
In addition to standalone servers, General Bytes' cloud service was impacted, and the company announced that it would be permanently shuttering it. "It is theoretically (and practically) impossible to secure a system granting access to multiple operators at the same time where some of them are bad actors," wrote the company in their statement explaining the decision, apparently unaware that this is something software companies find themselves doing all the time.
This exploit was the second breach suffered by General Bytes this year, after hackers exploited a vulnerability in August 2022 that allowed them to steal customer funds. It's unknown how much was stolen in that attack. The company also patched multiple hardware and software issues in their ATMs in September 2021, after Kraken Security Labs discovered issues including poor security practices that would allow attackers to "walk up to an ATM and compromise it".
- "General Bytes Bitcoin ATMs hacked using zero-day, $1.5M stolen", BleepingComputer
- "Hackers steal crypto from Bitcoin ATMs by exploiting zero-day bug", BleepingComputer
- "Kraken Security Labs Identifies Vulnerabilities In Commonly Used Bitcoin ATM", Kraken Security Labs
According to the BBC, dozens of high-profile individuals in Romania, including members of the government and academics, lost money to the scam after it was promoted by technology expert Gabriel Garais — who also says he lost money in the scheme.
iEarn Bot claims to be a US-based company, although its website is full of false information. The person named as the company's founder told the BBC he has nothing to do with the scheme, and companies and institutions listed as "strategic partners" say there is no such partnership.
The BBC identified one cryptocurrency wallet that received payments from around 13,000 others totaling nearly $1.3 million.
On March 17, blockchain security company BlockSec observed an attacker trying to exploit a vulnerability in the NFT lending project Paraspace. Although they had successfully identified a vulnerability that could have allowed them to steal 2,900 ETH (a bit over $5 million), their attempt to execute the hack failed because they didn't correctly estimate what it would cost them in gas fees.
After observing the attempt, BlockSec executed a whitehat rescue, where they successfully executed the same attack to remove the funds from Paraspace and secure them until they could return them to the project team.
Incredibly, the exploiter sent an on-chain message to BlockSec: "hey man, I am the one who made the contract you just copied, I couldn't make it work for a stupid gas estimation error. since I lost a lot of money trying to make it work, it would be cool to get at least some of them back... best of luck". Altogether, the would-be attacker spent around 0.7 ETH (~$1,200) on gas fees while trying to pull off the hack.
According to the US DOJ, ChipMixer had been used to process, among other things, proceeds of the massive March 2022 Axie Infinity hack by a North Korean cybercrime group.
US law enforcement seized two domains and a Github account tied to the organization, and German law enforcement seized ChipMixer's back-end servers and $46 million in cryptocurrency.
Holders trying to use the exchange approved transactions which they didn't realize allowed the phishers to drain their ETH. So far, the scammers have stolen around 74 ETH ($130,500).
Around $11.9 million of tokens were sent from the Balancer defi liqiuidity project to Euler during the attack, prompting Balancer to pause the project.
The Angle Protocol decentralized stablecoin project also disclosed that almost half of the total value locked in the project — around $17.6 million in the USDC stablecoin — were sent to Euler during the hack.
Mark Zuckerberg had once talked about eventually using NFTs for Meta's metaverse projects, suggesting that eventually "the clothing that your avatar is wearing in the metaverse, you know, [could] be basically minted as an NFT and you can take it between your different places". It sounds like that plan may no longer be on the table now.
Euler announced that they were aware of the exploit, and were "working with security professionals and law enforcement".
On April 3, Euler Finance announced that they had completed successful negotiations, and that "all of the recoverable funds taken from the Euler protocol on March 13th have now been successfully returned by the exploiter". Unfortunately, based on on-chain transfers, this appeared to only be around $31 million.
A joint statement from federal regulators announced that "All depositors of this institution will be made whole... no losses will be borne by the taxpayer. Shareholders and certain unsecured debtholders will not be protected. Senior management has also been removed."
The shutdown of Signature and the collapse of Silvergate leave many companies in the crypto industry without much access to the US banking system.
When team leads reviewed the spreadsheet to sign off on the payments, they didn't see the row, and there was no rollup showing total payments or anything else that would've helped them catch the malicious activity. The transactions were uploaded to a tool allowing asset transfers via CSV, and the required six out of nine multisig members approved the transaction.
PeopleDAO have reported that they're working with various security researchers to track the funds, and have reported the theft to the FBI and FTC.
That evening, Coinbase announced they would be pausing USDC redemptions for dollars until the following Monday, claiming it was only because in times of high volume, they needed to process transfers via the traditional banking system. Despite their stated reason, this deepened fears about the stability of USDC, which is supported in part by Coinbase.
The price of USDC began to wobble on smaller, less liquid exchanges like Gemini and Kraken before the issue was reflected more widely. However, most exchanges were showing USDC trading at prices between $0.90 and $0.98 later that night — a noticeable departure from USDC's normally fairly steady peg.
A sustained de-peg would wreak havoc on the crypto industry, where USDC is the second largest stablecoin and boasted a $43 billion market cap (at least before substantial outflows surrounding the SVB concern). Other stablecoins even have exposure to USDC, with both FRAX and DAI using USDC for significant portions of their collateral.
Kyber seemed to acknowledge that the issue was on their end, tweeting that "We have been in touch with him and are investigating the issue. We will provide an update soon."
On the evening of the tenth, Coinbase announced that they would be "temporarily pausing USDC:USD conversions over the weekend while banks are closed," stating that "during periods of heightened activity, conversions rely on USD transfers from the banks that clear during normal banking hours".
"Your assets remain safe & available for on-chain sends," they said: cold comfort for those who are afraid their USDC may not be worth $1 come Monday.
Coinbase is one of the firms behind USDC, and its decision to stop processing redemptions is likely to add to the concern over the stablecoin's... stability.
The US Trustee reportedly warned BlockFi counsel on March 6 that the company needed to "immediately take steps to safeguard these funds in compliance with" the depository agreement, because a MMMF was not in compliance. BlockFi responded that the account was FDIC insured (up to the FDIC's $250,000 limit), but the Trustee maintains that that is not accurate.
- "BlockFi has $227 million in uninsured funds in Silicon Valley Bank", The Block
- Motion, In re: BlockFi
SVB was also the preferred bank for various giants in the crypto VC world, including Andreessen Horowitz and Sequoia Capital. Pantera Capital also used SVB as a custodian.
Sun also announced that he had transferred $100 million to Huobi to provide more liquidity. He also announced that "Huobi will bear all leverage-through position losses on the platform resulted from this market volatility event of HT."
Although the token recovered quickly, the flash crash sparked rumors that Huobi was insolvent.
The NYAG took the additional step of alleging that ETH is a security. Many have argued that Bitcoin and ETH, the native token of Ethereum, are not securities because they are "sufficiently decentralized". The NYAG, however, wrote in the press release announcing the lawsuit that, "This action is one of the first times a regulator is claiming in court that ETH, one of the largest cryptocurrencies available, is a security. The petition argues that ETH, just like LUNA and UST, is a speculative asset that relies on the efforts of third-party developers in order to provide profit to the holders of ETH."
The NYAG is also going after KuCoin for offering a lending and staking product, a category of product that has recently been a focus of various enforcement actions. They claim that KuCoin did not comply with a subpoena.
Hedera has not disclosed how much had been stolen. Total value locked (TVL) on the network dropped 33% from $36.1 million to $24.6 million.
Some balked at Hedera's ability to simply turn off user access to the network, despite claiming to be a decentralized project.