Web3 is Going Just Great

On May 23, crypto sleuth zachxbt tweeted that the project appeared to have executed their exit scam, bridging around 31.6 million Tether to various addresses. Platform users began to report that they could not withdraw funds.

The attacker has already drained locked votes and sold some of the $TORN tokens, which are governance tokens that both entitle the holder to a vote but also were being traded for $5–$7 around the time of the attack. The attacker has since tumbled 360 ETH (~$655,300) through Tornado Cash to obscure its final destination. Meanwhile, $TORN plummeted in value more than 30% as the attacker dumped the tokens.

The attacker now has full control over the DAO, which according to crypto security researcher Sam Sun grants them the ability to withdraw all of the locked votes (as they did), drain all of the tokens in the governance contract, and "brick" (make permanently non-functional) the router.

Some have expressed the opinion that BitLucky was a Ponzi scheme all along, given the unreasonable promises of 5–25% monthly returns. The editor of a crypto news outlet also expressed that "there was a 'line of [red] flags'", including that Burazer never wanted to appear in the media or have his picture shown online.

The funds are not at risk, but it will take at least a week before the funds are unstuck because any code change requires a DAO vote. "Considering governance times, if approved, the fix will be applied in approximately 7 days from now: 1 day of delay to start voting, 3 days of voting, 1 day of timelock on Ethereum, and 2 extra days of timelock on Polygon," explained a post by Bored Ghost Developing, a contributor to Aave.

One Inferno Drainer victim lost assets worth around $417,000. They later sent an on-chain message to the thief, writing: "you are ruining my life and for me this money was a lifetime's work, I won't have enough my family..." They asked the attacker to return 50% of the funds stolen from them, offering to not report the scammer to Interpol and other authorities in return, and even offering to "sign a contract allowing you to use legally the stolen crypto".

However, Grumpy Cat's owner owns trademarks associated with Grumpy Cat, and it seems she has become aware of the coin. On May 18, she minted an NFT and transferred it to the Grumpy Cat Coin deployer address. The NFT image is a copy of a cease and desist letter representing Grumpy Cat Limited. The letter describes the coin offering as a "blatant and willful infringement of our client's trademark rights", and insists that the coin creators stop all activities related to the coin offering or face legal action. The letter also mentioned that the URL of the project website — grumpycat.fyi — was a violation of the Anti-Cybersquatting Consumer Protection Act. The project subsequently changed its domain to gccoin.fyi in an apparent effort to avoid this issue.

Simultaneously, a message addressed to holders of the Grumpy Cat Coin was posted to Grumpy Cat's Twitter account, describing the token as a "desperate, sad attempt to scam unwitting traders" by "SlumDoge Millionaire and their cohorts".

The New York Attorney General found that Coin Cafe's misleading fee structure was still in effect even after the company obtained a BitLicense from the Department of Financial Services.

The project had been audited by blockchain security firm CertiK, and displayed the "audited by CertiK" badge on their website. This added to criticisms of CertiK, who have come under fire for auditing multiple projects that later turned out to be scams. CertiK defended themselves, writing that, "As an auditor, we cannot force projects to implement our recommendations, but we can clearly and publicly call out vulnerabilities where we find them". They argued that they had identified vulnerabilities within their audit that ultimately allowed for the exploit, including the high degree of centralization and the upgradability of the smart contracts.

Sam Altman's Worldcoin project, a dystopian effort to use chrome orbs to scan the irises of people (often in developing nations) in exchange for vague promises of crypto compensation, is encountering even more difficulties. In April 2022, BuzzFeed News and MIT Technology Review both published in-depth reporting on some of the technical and ethical issues the project has run up against.

Now, the project is facing reports that people in China, who are not allowed to sign up legitimately, have been purchasing iris scans from individuals in Africa and Southeast Asia in order to circumvent the restriction. According to the news outlet BlockBeats, Chinese individuals have been engaging in "eyeball speculation": buying biometric data scanned en masse from villagers in Cambodia, Kenya, and elsewhere by people who then sell it for $30 or less, allowing the buyer to receive the associated Worldcoin payout (currently ~$20).

Worldcoin has said they are rolling out various measures to try to discourage this activity, including changing the in-person sign-up process. However, the project acknowledged that they have not figured out how to prevent this, writing: "Despite these precautions, it is important to acknowledge that they do not entirely safeguard against collusion or other attempts to bypass the one-person-one-proof principle. To address these challenges, innovative ideas in mechanism design and the attribution of social relationships will be necessary."

According to the grand jury indictment, Shetty planned to put the funds into cryptocurrency positions that "could have yielded returns of 20 percent or more annually", and planned to return 6% to Fabric, keeping the difference. This so-called "investment" contradicted the conservative investment strategy that Shetty had helped to draft for Fabric, and he concealed both the existence of the transfer and his involvement with HighTower.

Shetty "lost virtually all of [Fabric's] money" "within a matter of weeks", at which point he fessed up to Fabric. Shetty had placed all of the funds into protocols based around the Terra stablecoin, which collapsed dramatically only a month later.

Shetty has pled not guilty, and has been released on bond.

Other concerns arose regarding the discovery of the assets. Some were worried about possible conflicts of interest, particularly in relation to Kim's 2021 proposal of a bill that would delay taxation of crypto profits. Others were worried about the source of the funds used by Kim for crypto trading; Kim claims he did not receive money from anyone to use for trading, and obtained the money through the sale of stocks.

On May 10, the Democratic Party recommended Kim sell his crypto holdings, and launched an investigation. Kim said later that day that he would perform the sales, and "transparently disclose data to the investigation team and undergo the inquiry faithfully".

On May 14, Kim resigned from the Democratic Party "for a while", continuing to deny the allegations but expressing wishes to not burden the party and its members over the controversy.

The subsequent day, Korean authorities raided the offices of Korean crypto exchanges Bithumb and Upbit in connection to the scandal, seeking transaction records and other information. Kim was reported to use those services for his crypto wallets.

Now, the company has announced that the project will be paused "for the indefinite future", blaming "lack of clarity" and "regulatory confusion" in the United States. The company simultaneously announced "SOL 4 Cocks", in which they will repurchase the Mecha Fight Club NFTs for 18 SOL (~$380). The NFTs had originally minted for 6.969 SOL (~$290 on mint date).

Irreverent Labs' website and social media now describe the company as an AI firm building "text to 3D and video prediction tools that facilitate the creation of AI-generated 3D content".

The decision was announced only a few weeks after the US Department of Justice announced charges against a group of individuals including Chorlian. Chorlian was charged with conspiracy to commit securities price manipulation and wire fraud in connection to an alleged scheme to manipulate the market for the HYDRO crypto token. If convicted, Chorlian faces a maximum of five years in prison.

A spokesperson stated that the delisting was a reaction to "the most up-to-date regulatory guidance and the latest industry developments". The decision is likely related to mounting industry pressure, and statements from SEC Chair Gary Gensler that most crypto assets are securities.

This is only the latest in a string of events involving regulatory pressure on Binance. In April, Binance canceled the acquisition of the bankrupt Voyager platform by its Binance.US arm, citing a "hostile and uncertain regulatory climate in the US". This move came shortly after a March lawsuit from the US CFTC against Binance and its CEO. Elsewhere, Binance closed its derivatives arm in Australia in April, citing issues with the Australian securities regulator.

In June and October 2022, the Aragon DAO — that is, all holders of the $ANT token or (later) their delegates — voted on several proposals supporting a move to place the Aragon treasury under DAO control. The treasury is a pool of crypto assets currently priced at around $174 million. However, the tokens continued to remain under control of the Aragon Association.

On May 9, 2023, the Aragon Association announced that they would not be following through with the treasury change, and instead would be "repurposing the Aragon DAO into a grants program". They attributed the decision to "coordinated social engineering and 51% attack" on the DAO that began shortly after a small portion of the treasury assets were transferred.

A week before the announcement, Aragon also banned a group of token holders from the group's Discord channel. Aragon characterized the group as appearing "coordinated" and alleged the group was "engaging in harassment". They claimed the group were members of the "Risk Free Value Raiders", which they described as "a sophisticated, well-resourced, and coordinated group of actors that target crypto projects with an imbalance between the value of their token and treasury". They also accused the group and its members of coordinating governance attacks on other DAOs, including Invictus DAO and Mango Markets. Aragon wrote that they believed the RFV Raiders were aiming to "[extract] value from Aragon for financial profit" rather than pursue the DAO's goals of supporting developers building DAO infrastructure.

One of the banned members told a different story, publishing and later taking down a statement in which he claimed that they were trying to get answers to questions about why the Aragon team was so slow to enact the DAO vote. "We find these bans, failure to empower the community with treasury transfers, and overall lack of transparency to be frustrating and against the ethos of both what DAOs are meant to be and what Aragon team members have repeatedly said they stood for. However, these actions have become a common pattern for Aragon," he wrote.

On May 11, Aragon apologized for how they handled the crisis, unbanned the banned Discord members, and announced that they would "keep following a gradual [treasury] transfer approach, making sure it aligns with the mission of the project", but continued to characterize the members as attackers and reiterated that "we won’t stand for hostile and coordinated attacks".

Everledger had in the past raised US$37 million in funding. AUD$3 million (~US$2 million) of that funding came from the Australian government's blockchain grants program in 2021.

Bittrex used to be a much larger presence in the US, enjoying more than 20% of US market share in 2018. It has since dropped to below 1%.

The entity that filed for bankruptcy in the US is Bittrex, Inc., which is separate from Bittrex Global. "This announcement does not impact Bittrex Global, which will continue operations as normal for its customers outside the U.S.," said a Bittrex spokesperson.

In the most recent hack, around $7 million was stolen as attackers discovered a vulnerability in the contracts of the DEI token. Some of the attackers were apparent whitehats, who executed the exploit to safeguard the funds until they could be returned to a secure address. As of May 8, $5.5 million of the $7 million stolen had been returned.

On September 6, Binance announced that they were working to return the frozen 1,909 ETH to the people who had purchased it in the funding rounds.

The WSB coin launched as an "official memecoin of r/wallstreetbets". The whitepaper explains the token allocation, saying that "It's the fairest launch memecoin you will find with no team allocation and no presale. Just a free airdrop and some coins for the community. 10% of the $WSB supply is reserved as a treasury for the r/wallstreetbets sub to do with as they please. I’m sure they will spend it wisely and definitely not waste it gambling or convincing each other to drink their own urine." Compelling!

The token launched, and quickly achieved a $50 million "market cap". However, on May 3 the token suddenly lost 90% of its value as one of the token creators, "zjz", dumped a massive quantity of the tokens allocated to the team, trading them for 334 ETH (~$635,000).

zjz has claimed that he only sold the tokens because another creator — "WSBMod" — was secretly draining the token by creating huge airdrops and then claiming them for himself. WSBMod, on the other hand, claims that zjz's actions were theft, and has threatened to involve the police and FBI.

Crypto sleuth zachxbt has since gotten involved in the fray, and along with another prominent crypto figure has joined a multi-sig wallet to try to help secure the funds' return without giving any of the creators involved in the dispute unilateral control.

Chastain was asked to resign by OpenSea in September 2021 after a Twitter user discovered apparent evidence that he had been engaging in insider trades. He was arrested and charged with money laundering in June 2022.

Chastain unsuccessfully argued in his defense that information about which NFTs would be prominently featured on OpenSea wasn't insider knowledge, and "nobody told Nate that he couldn't use or share that information". However, prosecutors argued that attempt to use anonymous accounts to make the trades suggested that he knew what he was doing was wrong.

This case has been described as the first NFT-related insider trading case, and could set a precedent for other similar charges.

It's not clear when precisely the change went into effect, but reports of the limitation began appearing in April 2023.

The end of FTX seems to have directly spelled the end of Storybook Brawl, which stopped announcing updates in November. However, Protos has pointed out that the game may likely be auctioned off as a part of FTX bankruptcy proceedings.

Indeed, it later turned out that Sun's team had farmed around 279,000 SUI (SUI does not yet have a reliable dollar price because it is set to launch later this month). Sun blamed the event on a TUSD market maker, writing, "Regrettably, some of our team members were not fully aware of the intended purpose for these funds and inadvertently used a portion of them to participate in exchange campaigns. Upon realizing this error, we immediately contacted the exchange team and arranged for a full refund of the funds." Those replying to his comment seemed more than a little skeptical that the incident was truly a mistake.

The attack caused the LVL token to drop substantially in price, plunging from around $9.00 to as low as $4.20 before recovering to around $7 — a loss of 22%.

Poloniex was a US-based crypto exchange founded in 2014, which in 2018 was purchased by Circle, who intended to get rid of the illegal activity for which it was known. However, when they discovered that the customers who used Poloniex no longer wanted to use it once they were subjected to scrutiny, they sold the platform to Justin Sun in late 2019, who relocated it to the Seychelles and shut down US operations. It appears that the OFAC fine will apply to the US entity most recently controlled by Circle, and not to Justin Sun's operation.

In August 2021, Poloniex also paid more than $10.3 million to settle allegations from the U.S. Securities and Exchange Commission that it had operated as an unlicensed exchange.

On March 11, ScamSniffer tweeted that they had detected 162 instances of the scam, totaling almost $4 million stolen, over the prior two days. On March 24, an individual wallet lost $4 million. Similar attacks on April 19, April 21, and April 30 saw individual wallets lose $449,000, $1.04 million, and $2.28 million, respectively.

The protocol was paused following the attack. 0VIX later tweeted that they had been collaborating with security firms to investigate the hack, and had offered to let the attacker keep $125,000 if they returned the remaining funds in a bug bounty agreement that would also involve 0VIX not pursuing legal action.

The thief's activity began shortly before the Russian invasion of Ukraine. After the invasion, the thief stopped destroying the Bitcoin and instead began transferring it to addresses identified for Ukrainian aid.

Steynberg has been ordered to pay a total of $3.4 billion — $1.7 billion in restitution and another $1.7 billion penalty. Steynberg was arrested in Brazil in December 2021 on an INTERPOL arrest warrant, where he has remained since pending extradition.

Salame was also a major donor to Republican candidates in the 2022 midterm elections, splashing out around $24 million in campaign contributions. However, court filings suggest that much of the money donated to political and other causes by FTX executives may truly have been misappropriated customer funds.

Salame is, at the moment at least, not facing charges in connection to the FTX collapse. In July 2023, the Wall Street Journal reported that the search was likely a part of an investigation into Salame and his girlfriend Michelle Bond over possible campaign finance violations pertaining to Bond's 2022 congressional campaign, and was not related to FTX.

"To date we have no indication that the virtual currencies held on behalf of our customers with CoinLoan will not be recovered," they wrote in their announcement. Reassuring!

An anonymous source corresponding with TechCrunch claims that the total amount of cryptocurrency stolen is somewhere between $15 million and $20 million. The tipster also claimed that the hackers have the ability to gain access to any AT&T account via the AT&T employee portal; AT&T has denied this and instead claimed that "the bad actors used an API access."

The Merlin DEX had been audited by the CertiK security firm, which stated it was working with the remaining team members to try to trace the thieves. Meanwhile, they wrote that they would be working to compensate affected users.

Some didn't seem to buy the story that the theft was carried out by a few rogue developers, accusing the entire Merlin project team of rug-pulling.

Protos speculated that the suspension could be related to Vauld, an exchange that collapsed last July. Vauld is rumored to have tens of millions of assets on CoinLoan.

The same day as Vauld's collapse, CoinLoan implemented a withdrawal limit of $5,000/day.

Binance cited "hostile and uncertain regulatory climate" as its reason for calling off the acquisition. A recent lawsuit from the CFTC against Binance and its CEO Changpeng "CZ" Zhao likely contributed to the cancellation, as it seems clear that Binance is being increasingly scrutinized by US regulatory and law enforcement bodies.

The acquisition had been supported by a massive majority of Voyager creditors, who were looking forward to recovering 73% of their assets trapped on the platform. Now that number is uncertain, but likely to be a good deal lower. Attorneys for Voyager estimated the recovery now would likely be between 40 and 65%.

On April 24, the project developer withdrew 256 million OFI tokens and swapped them to ETH worth around $1 million. They then laundered the funds through the Tornado Cash crypto mixer. The project creator deleted the project's Twitter account and took down its website.

Not everything has gone smoothly, though. As developers rushed to release wallets to support these new tokens, the UniSat wallet claimed to be the first. However, shortly after it launched, the developers made the Chrome extension inaccessible. They later revealed that the code had contained a vulnerability that exposed it to double-spend attacks. "Currently, we have preliminary investigation results, and out of all 383 transactions, 70 transactions have been identified as affected," they wrote.

It's not yet clear how much was stolen, but the UniSat team promised to compensate affected users. They later tweeted that they had determined the identity of the thief, though the funds have not yet been returned.

The NFT buyers — er, "co-producers" — were promised credit in the film credits, voting rights on the script, and a split of 80% of the profits. "Although there is nothing guaranteed, on average, you will make six to seven times what you put in 24 months. Which is huge, when you think, you go to the Caisse d'Epargne, a traditional bank, and you make less than 1% in the year," said one promotional video.

A report from French investigative newspaper Mediapart discovered that the project was backed by a Dubai-registered company called "Illuminart", which played on confusion between its name and that of the France-based Universal Studios subsidiary Illumination. An Illuminart marketing campaign even used Illumination titles, such as The Lorax, Minions, and Despicable Me, and their box office proceeds to suggest Plush buyers were in for a 516% profit.

Meanwhile, the project has gone silent, and its Twitter account last posted in September 2022. NFTs are no longer offered for sale on the official project website, and Illuminart's business license has expired.

However, the Kyiv Post has recently been asking questions about the organization. Earlier in April, the newspaper published an article claiming that the group had fabricated its claims that it was supported by Ukrainian governmental bodies. Now, they've published another article claiming that at least $500,000–$700,000 of funds seem to have been misappropriated.

One point of contention has been that the organization claims that 100% of money raised is donated, but in reality the project leader Alona Shevchenko takes a $5,000/month salary. This led to a split between Shevchenko and Pussy Riot's Nadya Tolokonnikova, who had once been active in promoting Ukraine DAO.

The Kyiv Post has raised questions about other transactions from the Ukraine DAO wallet, which went to other leaders of the project, or to centralized exchanges.

Shevchenko a London-based Ukrainian, who has in the past led the FreeRossDAO — a project to raise funds to support Ross Ulbricht, the jailed creator of the crypto-powered darknet Silk Road marketplace. Shevchenko's most recent project is Iran DAO, which claims to support "Iran's women-led revolution".

Blur disabled bid acceptance functionality while investigating the bug. Amusingly, this led people to begin placing huge bids they knew couldn't be accepted in order to farm Blur points, some kinds of which are awarded based on bids rather than purchases.

It's not clear how much money was lost due to the bug, but Blur cofounder "Pacman" announced that "any losses will be refunded once the issue is resolved".

Although the project promised to provide ongoing access to Bella Hadid and various other perks, the project website has already dropped offline, the Twitter account hasn't posted since October 2022, and the Discord is a ghost town save for occasional questions about whether the project is dead. Hadid made $1.5 million for her involvement in the project.

Things at Rebase seem to have devolved, because now Gagacki has filed suit against Truong, alleging that he "has gone rogue". The suit alleges that Truong tried to oust Gagacki from the company, stole around $2 million from a shared wallet, and damaged Gagacki's reputation. In particular, Gagacki is concerned that Truong is attempting to launch the project on the Arbitrum network without Gagacki's involvement, and that tokens minted there "could reach many times over the Rebase app's last round valuation of $150,000,000" without being shared with Gagacki.

Altogether, Gagacki is claiming damages of no less than $77 million, representing the stolen funds, the value of the app, and the profits from the possible Arbitrum deal.

The complaint also alleges that Bittrex and Shihara had coordinated with token issuers to dodge potential SEC action by having them remove public "problematic statements" predicting price, describing an expectation of profit, or describing offerings in terms of investments.

Hundred Finance announced that they were trying to communicate with the attacker to try to convince them to return some of the funds.

This was not the first exploit to impact Hundred Finance: in March 2022, both Hundred Finance and Agave Finance were targeted with a flash loan attack by a hacker who stole a total of $12 million from the two projects.