Web3 is Going Just Great

"To date we have no indication that the virtual currencies held on behalf of our customers with CoinLoan will not be recovered," they wrote in their announcement. Reassuring!

An anonymous source corresponding with TechCrunch claims that the total amount of cryptocurrency stolen is somewhere between $15 million and $20 million. The tipster also claimed that the hackers have the ability to gain access to any AT&T account via the AT&T employee portal; AT&T has denied this and instead claimed that "the bad actors used an API access."

The Merlin DEX had been audited by the CertiK security firm, which stated it was working with the remaining team members to try to trace the thieves. Meanwhile, they wrote that they would be working to compensate affected users.

Some didn't seem to buy the story that the theft was carried out by a few rogue developers, accusing the entire Merlin project team of rug-pulling.

Protos speculated that the suspension could be related to Vauld, an exchange that collapsed last July. Vauld is rumored to have tens of millions of assets on CoinLoan.

The same day as Vauld's collapse, CoinLoan implemented a withdrawal limit of $5,000/day.

Binance cited "hostile and uncertain regulatory climate" as its reason for calling off the acquisition. A recent lawsuit from the CFTC against Binance and its CEO Changpeng "CZ" Zhao likely contributed to the cancellation, as it seems clear that Binance is being increasingly scrutinized by US regulatory and law enforcement bodies.

The acquisition had been supported by a massive majority of Voyager creditors, who were looking forward to recovering 73% of their assets trapped on the platform. Now that number is uncertain, but likely to be a good deal lower. Attorneys for Voyager estimated the recovery now would likely be between 40 and 65%.

On April 24, the project developer withdrew 256 million OFI tokens and swapped them to ETH worth around $1 million. They then laundered the funds through the Tornado Cash crypto mixer. The project creator deleted the project's Twitter account and took down its website.

Not everything has gone smoothly, though. As developers rushed to release wallets to support these new tokens, the UniSat wallet claimed to be the first. However, shortly after it launched, the developers made the Chrome extension inaccessible. They later revealed that the code had contained a vulnerability that exposed it to double-spend attacks. "Currently, we have preliminary investigation results, and out of all 383 transactions, 70 transactions have been identified as affected," they wrote.

It's not yet clear how much was stolen, but the UniSat team promised to compensate affected users. They later tweeted that they had determined the identity of the thief, though the funds have not yet been returned.

The NFT buyers — er, "co-producers" — were promised credit in the film credits, voting rights on the script, and a split of 80% of the profits. "Although there is nothing guaranteed, on average, you will make six to seven times what you put in 24 months. Which is huge, when you think, you go to the Caisse d'Epargne, a traditional bank, and you make less than 1% in the year," said one promotional video.

A report from French investigative newspaper Mediapart discovered that the project was backed by a Dubai-registered company called "Illuminart", which played on confusion between its name and that of the France-based Universal Studios subsidiary Illumination. An Illuminart marketing campaign even used Illumination titles, such as The Lorax, Minions, and Despicable Me, and their box office proceeds to suggest Plush buyers were in for a 516% profit.

Meanwhile, the project has gone silent, and its Twitter account last posted in September 2022. NFTs are no longer offered for sale on the official project website, and Illuminart's business license has expired.

However, the Kyiv Post has recently been asking questions about the organization. Earlier in April, the newspaper published an article claiming that the group had fabricated its claims that it was supported by Ukrainian governmental bodies. Now, they've published another article claiming that at least $500,000–$700,000 of funds seem to have been misappropriated.

One point of contention has been that the organization claims that 100% of money raised is donated, but in reality the project leader Alona Shevchenko takes a $5,000/month salary. This led to a split between Shevchenko and Pussy Riot's Nadya Tolokonnikova, who had once been active in promoting Ukraine DAO.

The Kyiv Post has raised questions about other transactions from the Ukraine DAO wallet, which went to other leaders of the project, or to centralized exchanges.

Shevchenko a London-based Ukrainian, who has in the past led the FreeRossDAO — a project to raise funds to support Ross Ulbricht, the jailed creator of the crypto-powered darknet Silk Road marketplace. Shevchenko's most recent project is Iran DAO, which claims to support "Iran's women-led revolution".

Blur disabled bid acceptance functionality while investigating the bug. Amusingly, this led people to begin placing huge bids they knew couldn't be accepted in order to farm Blur points, some kinds of which are awarded based on bids rather than purchases.

It's not clear how much money was lost due to the bug, but Blur cofounder "Pacman" announced that "any losses will be refunded once the issue is resolved".

Although the project promised to provide ongoing access to Bella Hadid and various other perks, the project website has already dropped offline, the Twitter account hasn't posted since October 2022, and the Discord is a ghost town save for occasional questions about whether the project is dead. Hadid made $1.5 million for her involvement in the project.

Things at Rebase seem to have devolved, because now Gagacki has filed suit against Truong, alleging that he "has gone rogue". The suit alleges that Truong tried to oust Gagacki from the company, stole around $2 million from a shared wallet, and damaged Gagacki's reputation. In particular, Gagacki is concerned that Truong is attempting to launch the project on the Arbitrum network without Gagacki's involvement, and that tokens minted there "could reach many times over the Rebase app's last round valuation of $150,000,000" without being shared with Gagacki.

Altogether, Gagacki is claiming damages of no less than $77 million, representing the stolen funds, the value of the app, and the profits from the possible Arbitrum deal.

The complaint also alleges that Bittrex and Shihara had coordinated with token issuers to dodge potential SEC action by having them remove public "problematic statements" predicting price, describing an expectation of profit, or describing offerings in terms of investments.

Hundred Finance announced that they were trying to communicate with the attacker to try to convince them to return some of the funds.

This was not the first exploit to impact Hundred Finance: in March 2022, both Hundred Finance and Agave Finance were targeted with a flash loan attack by a hacker who stole a total of $12 million from the two projects.

Bitrue didn't release details on how the attack had been achieved, but explained that one of their hot wallets had been impacted. They announced that they would be pausing withdrawals for several days as they investigated the incident, and that they would be compensating affected users.

Franklin disclosed on Twitter that "Due to an unfortunate IRL issue, I have had to sell off a lot of BAYC apes to pay off BendDAO loans while the liquidity was available". He had recently sold 27 of the Bored Apes. He later wrote, "I got rug pulled on an investment I put almost 2000 ETH into, thinking it was credible due to who else invested (not naming anyone for privacy reasons). Someone used our $$ as a casino gambling Ponzi and flushed it down the drain. Please learn any lessons possible from this." 2,000 ETH is worth around $4.23 million at today's ETH prices.

People immediately began to speculate about what project he could be referring to. Some wondered if perhaps he was trying to cover up losses on the Rollbit crypto casino, which he was known to use, and where he could be observed on-chain depositing more than 6,000 ETH (~$12.7 million) since the beginning of the year alone. Later in the day, he wrote another tweet: "For partial transparency: My personal PnL [profit and loss] of my Rollbit gambles is about -650 ETH total. So yes I lost a lot of money myself on Rollbit, but that didn’t require me to sell off today." At today's prices, 650 ETH is around $1.375 million.

Franklinisbored expressed that he would be taking a break from NFT trading and social media following the incident: "I won't get involved in NFT trading/twitter for a while, and will just focus on my private life for the time being with my remaining apes."

The attacker began swapping tokens out for other stablecoins shortly after the exploit, moving them into lending projects like Aave and laundering them through the Tornado Cash cryptocurrency mixer. There were early concerns that Aave itself was impacted by an exploit, but it was later clarified that Aave had simply been used to swap tokens involved in the Yearn exploit, and did not appear to itself be vulnerable.

This is not the first exploit involving Yearn Finance, which was hacked for $11 million in 2021, and which lost around $1.4 million in connection to the massive Euler Finance attack in March 2023.

Writer, journalist, and now web3 influencer Nicole Behnam helped pump Dogecoin founder Billy Marcus' new free-to-mint "Blocky Doge 3" NFT project, writing on Twitter, "No roadmap or utility? I'm in 👀" and talking it up on large Twitter spaces. A wallet belonging to her then received 250 NFTs from Marcus early on, then dumped around 220 of the NFTs on the market all at once, tanking the secondary market price while earning her around 20 ETH (~$38,000). At the moment, the NFTs are selling for an average of 0.031 ETH apiece (~$59).

After being found out, she wrote on Twitter that "There were mistakes made in a wallet that I controlled," but claimed that she had tried to make it up by returning the profits and buying up low-priced NFTs. "How the last 24 hours went down was not cool and I’m doing my best to rectify the situation," she wrote. "Listening, learning, moving forward." Shortly afterwards, she was removed from a "NFT100" list that had published only days prior by NFT Now, for what they described as violations of their ethics policy.

Now, the Ren team has announced that they have transferred all assets on the Ren Protocol "to the FTX Debtors' cold storage wallets for safeguarding".

The announcement mentioned "possible shutdowns of infrastructure and systems," possibly referring to Ren's plans — announced shortly after the FTX collapse — to "move on from Alameda" by launching "Ren 2.0" and sunsetting the 1.0 version. However, there has been little public evidence that Ren 2.0 has been progressing.

Although NFTs are often thought to be immutable, permanent links to their associated artwork, that's often not the case in practice. Many NFTs store metadata off-chain, or otherwise enable after-the-fact changes.

Goblintown is a collection of NFTs that launched in May 2022, quickly going viral and sparking a phenomenon of Twitter spaces where members spent hours making goblin noises into their microphones. Originally free to mint, the NFTs began selling for thousands of dollars on the secondary market. Now they trade for around 0.38 ETH (~$800) apiece.

In an apparent protest against the willingness of traders and marketplaces to stop honoring royalties, Truth Labs (the group behind Goblintown) changed the artwork for Goblintown and all of their NFT collections to an illustration of a dancing middle finger, with smaller middle fingers emerging from where its arms and genitals would be. The new image reads, "Fuck royalties. Fuck supporting building and creatives. Flipping is the heart of what makes Web3 special. Honor the flipper, fuck the community. Long live the slow rug." At the bottom, the image states: "Goblintown, Illuminati, The187, and Grumpls will be migrating to new contracts before Monday the 17th of April. All holders will be airdropped identical replacement NFTs." The new NFTs will enforce royalties on-chain, preventing marketplaces from allowing users to circumvent them.

Some embraced the new NFTs, while others accused Truth Labs of "rugging". Some people were horrified by the fact that NFTs that they owned could be changed after the fact without their consent, a fact they were not previously aware of. One owner wrote, "So your telling me I spent $1,000s of dollars and have 10 goblintowns for them all to now be dudes shaking their weiners?"

The announcement seemed to come as a relief to many in the Ingress community, with commenters remarking on the "scammy" nature of NFTs. Some wrote that they liked the idea, but that the web3 factor felt like it was "shoehorned" in. "I'll miss the Trading Post, please never bring NFTs or in fact any blockchain into future projects, or if you do at the very very least make it actually matter to the thing it's being put into, but still preferably just don't," said one.

GDAC halted deposits and withdrawals shortly after the attack, and stated that they had reported the exploit to South Korean law enforcement to investigate.

Terraport Finance launched on March 31, apparently having gone live without any sort of audit. On April 10, Terraport disclosed that an attacker had apparently managed to drain all project liquidity pools, making off with assets priced at around $2 million.

Today, Sifu himself was the victim of a theft as a bug in the SushiSwap decentralized exchange allowed a hacker to make off with around 1,800 ETH (more than $3.3 million) belonging to him. According to SushiSwap leader Jared Grey, around 300 ETH (~$557,000) of Sifu's funds were subsequently recovered.

Analysts have found that almost 200 addresses on the Ethereum network have approved the vulnerable contract, and around 2,000 addresses approved the vulnerable contract on Arbitrum, Polygon, and other chains. It's not yet clear how much was stolen in total. SushiSwap leader Grey urged users via Twitter to revoke approval for the vulnerable smart contract.

The lawsuit also alleges that Gryphon has " dutifully collected its exorbitant Management Fee while shirking its duties under the MSA and delivering abhorrent management services" and "skimm[ed] off the top (i.e., st[ole]) from Sphere's assets".

Canada has become more strict on cryptocurrency exchanges in recent months, particularly following the collapse of FTX.

The Bored Ape would likely fetch somewhere around $125,000 if resold. The other three NFTs would likely resell for somewhere around $8,700. Together with around $3,400 in stolen tokens, Bryant's total loss is around $139,000.

After some observers spotted the suspicious-looking transactions, Bryant confirmed on Twitter: "Yes my ape was stolen and I don't know how this is crazy".

The zkSync project evidently came to the rescue of Gemholic, announcing that they would change the protocol in a new release to add support for Solidity functions such as .transfer(), which will ultimately free Gemoholic's locked funds.

Binance will continue to operate its spot exchange product in Australia, but customers will no longer be able to trade derivatives on the platform after April 21.

A trader apparently trying to bid $100 for one of the NFTs seems to have mistakenly entered 100 ETH, or around $190,000. The trade was of course quickly accepted by a seller who made a tidy 1666x the typical floor price.

Some have speculated the massive offer was money laundering, but the fact that the bid was an open offer that could be accepted by anyone seems to make that theory less likely.

The attacker apparently took advantage of a re-entrancy vulnerability to execute the theft, then swapped the tokens and bridged them to the Ethereum main chain.

Sentiment tweeted that they were aware of the attack and investigating what had happened. They also stated that they were working with law enforcement. Later that evening, they sent a message to the hacker, offering to let them keep 10% of the stolen funds as a bounty if they returned the rest. Sentiment was audited by two crypto security firms.

On April 6, Sentiment announced that the exploiter had returned 90% of the funds, keeping $95,000 and receiving a promise from the organization that they would not try to prosecute the theft.

Youssef was vague as to the reasons for the closure, writing that "While I cannot share the full story now, I can say that we unfortunately have had some key staff departures. Also, regulatory challenges for the industry continue to grow, especially in the peer-to-peer market and most heavily in the U.S."

Youssef later elaborated in a Twitter Space, explaining that he feared for the safety of user funds because of a lawsuit from his co-founder, who he also accused of "[driving] away all of our senior level staff".

Some had trouble withdrawing funds from the platform, though this seemed to be due to the overload. Youssef tweeted, "Paxful database is a bit overloaded now as everyone is withdrawing funds. It is making transfers slow. I promise funds r safe and they will clear soon".

On May 8, Paxful came back online, though it was unclear whether or in what capacity the business would continue to operate going forward.

Cobie decided he wanted to make a record of his prediction, so he tweeted the SHA-256 hash of the string "Interpol Red Notice for CZ". Typically, this would allow him to later reveal the seed, allowing him to prove after the fact that he had indeed made a correct prediction. Why? I don't know. Bragging rights I guess?

Anyway, according to Cobie, one of Cobie's inner circle leaked the seed, and the contents of Cobie's prediction were widely circulated on Twitter. Some thought the prediction was inside knowledge of events that had already transpired. Someone else began circulating a doctored screenshot of the Interpol website, purporting to show a red notice. People began offloading their BNB tokens (the native token for Binance and Binance's blockchain), causing a sudden 3% dip in the token price. Bitcoin also fell on the news.

MEV bots are a phenomenon that became popular in recent times: bots that use various techniques to extract value by inspecting pending blockchain transactions and then sending advantageous transactions of their own. In this case, a bot was performing a "sandwich attack": sending transactions just before and just after a pending transaction, which manipulate the price of the underlying asset, allowing the bot operator to "steal" value from the victim — "steal" in quotes, because there is some debate over whether MEV bots are really stealing, or are operating within the rules laid out for them.

In order to manipulate prices in this way, they have to put a substantial amount of money at risk. A "rogue" Ethereum validator appeared to replace some of the transactions that were being executed by the bot, leading to a loss of WBTC, USDT, Dai, and WETH totaling a bit over $25 million.

The vote, which still has a day left before completion, is currently standing at 75% against and 25% in support. However, it was discovered that Arbitrum had already begun spending those 750 million tokens, including via the movement of a substantial amount of tokens, and "conversion of some funds into stablecoins for operational purposes".

Another Arbitrum team member subsequently published a post in which they claimed that the proposal was not really a vote but rather a "ratification" of decisions that had already been made by the Arbitrum team, leading many to question what the DAO was even for in the first place. Others questioned the fact that Arbitrum was receiving so much money to use however they liked, not subject to DAO approval.

Things got even messier when the Arbitrum Twitter account "clarified" that "40M $ARB tokens have been allocated as a loan to a sophisticated actor in the financial markets space", and the rest had been sold off for "operational costs". The loan of $52 million worth of ARB to an unnamed actor and the conversion of another $13 million to stablecoins led some to accuse the Arbitrum team of "selling off", cashing in far more than would likely be required for foundation costs in a brief period of time.

In April, four employees filed a lawsuit against the company, claiming around CAD$519,000 in unpaid wages.

Allbridge announced that they were investigating the theft, and were working with law enforcement. Meanwhile, the project suspended operations and announced that they were preparing a user compensation plan.

In October 2022, Bittrex was fined a combined $29 million by the US Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN). The OFAC fine pertained to Bittrex's service of users based in Crimea, Cuba, Iran, Sudan, and Syria, who altogether performed $263 million in transactions using the platform. FinCEN's fine was imposed as a result of alleged "willful violations" of requirements around anti-money laundering and suspicious activity reports.

Bittrex will continue operations outside of the US, and currently operate in Europe, South America, and elsewhere.

However, the airdrop had a bumpy start, with scammers latching on to the event to proliferate fake airdrop websites. Phishers reportedly scammed more than 10,000 people using these schemes. At one point, Twitter even suspended the real Arbitrum Twitter account after mistaking it for one of the many phishing accounts. Attackers also compromised a Discord account belonging to an Arbitrum developer, using it to post a phishing link to the official Arbitrum Discord server.

Then, when the time for the airdrop came, the token claiming website crashed on the traffic, as did the Arbitrum block explorer. Those who were able to claim their tokens paid exorbitant gas fees, and some wallets attempting to estimate required gas fees malfunctioned, showing estimates in the billions of dollars.

Finally, the airdrop was widely gamed by people commandeering hacked vanity addresses to receive the airdrop tokens allocated to them, with at least $500,000 worth of tokens reportedly claimed by one attacker. Other attackers scrambled to compete with one another to claim tokens allocated to compromised wallets whose private keys had been shared publicly on Github and elsewhere, trying to be the first to siphon the funds. Two additional exploiters siphoned a combined total of more than 1 million ARB tokens from other wallets. One sold them for 713 ETH ($1.27 million); the other transferred the ARB tokens to other wallets.

According to the SEC, the BXY token sale raised more than $8 million. At least $900,000 of that was misappropriated by Hamazaspyan, who used it for personal purposes, including gambling.

Some of the defendants agreed to permanent injunctions, and to pay fines of around $166,000 and disgorgement of around $62,800. The agreement also stipulates that the Beaxy platform shut down. The SEC announced they were continuing to litigate charges against Hamazaspyan for securities fraud and against Hamazaspyan and his company for the unregistered securities offering.

The CFTC has alleged that "Binance has taken a calculated, phased approach to increase its United States presence despite publicly stating its purported intent to 'block' or 'restrict' customers located in the United States from accessing its platform... All the while, Binance, Zhao, and Lim, the platform's Chief Compliance Officer ('CCO'), have each known that Binance's solicitation of customers located in the United States subjected Binance to registration and regulatory requirements under U.S. law. But Binance, Zhao, and Lim have all chosen to ignore those requirements and undermined Binance's ineffective compliance program by taking steps to help customers evade Binance's access controls."

The CFTC is only one of several US groups looking into Binance, with the SEC also reportedly scrutinizing the exchange and the Department of Justice considering charges.

After raising user funds, the project's creators drained its liquidity pools. They also convinced users to send funds to them with a technique known as "ice phishing". They then deleted their social media accounts and disappeared.

It seems perhaps even Sotheby's prestige is not sufficient to overcome the NFT downturn.

However, some confusing instructions resulted in the owner sending the punk to the burn address, effectively destroying the NFT. "I was trying to wrap it and don't know what I was doing... Thought I was following the directions exactly..." they later wrote. They also later shared that they had borrowed money in order to purchase the CryptoPunk.

The criminal charges out of the US add to civil charges he's facing from the SEC, as well as an investigation out of South Korea.

After the collapse, Kwon became a fugitive. South Korea issued a warrant for his arrest in September, and Interpol issued a red notice. However, he's remained on the lam for some time, reportedly hiding in Serbia for a time — a country with no extradition agreement with South Korea.

Now, officials in Montenegro have announced they arrested Do Kwon, who was attempting to travel through the country using falsified documents. Montenegro is a Balkan country bordering Serbia.

According to Coinbase, the Wells notice related to "aspects of the company's exchange, our staking service Coinbase Earn, and Coinbase Wallet". It's not terribly surprising that the SEC might have Coinbase Earn in its crosshairs, as it has recently taken action against similar products, such as Kraken's staking service. In the wake of the action against Kraken, Coinbase seemed to try to pre-empt SEC arguments by sending an email to customers emphasizing things like "You earn rewards from the protocol, not Coinbase". It doesn't look like this has shifted the SEC's thoughts much, though.

This should be an interesting saga to watch, partly because Coinbase has expressed willingness in the past to go head to head with the SEC.