Web3 is Going Just Great

This was actually the second attack to impact Rodeo Finance in a single week. On July 5, the same day as their public token launch, the project was exploited for around $90,000 thanks to a bug in a smart contract.

Oulahyane is charged with wire fraud, two counts of access device fraud, and aggravated identity theft.

AlgoFi had raised a seed funding round of $2.8 million in November 2021, and was backed by groups including Union Square Ventures, Arrington XRP Capital, Pillar VC, and Y Combinator. They had also received other investments from groups including Jump Capital and Coinbase Ventures.

AlgoFi accounts for over half of the value on the Algorand blockchain, which itself has experienced a marked decline from earlier this year.

People are becoming increasingly suspicious that the Multichain thefts may be an inside job, not least because Multichain's CEO suddenly disappeared in late May and hasn't been located since.

Like many platforms, Arkham Intelligence allows its users to earn rewards for referring new customers. Users are given a unique link to invite others to sign up, which then credits them for the referral. However, some people have observed that the unique string used to identify the user is simply their email address, base64-encoded. This is a simple way of encoding a piece of text, which is trivially reversed to expose the email address.

A user who noticed the encoding strategy tweeted: "ABSOLUTE LMAO. ALL #ARKHAM REFERRAL LINKS SHARED ON TWITTER IS DOXXING EVERYONE BECAUSE THE EMAIL IS IN THE REFERRAL URL". They then went on to decode some referral links from anonymous crypto personalities, writing "HOW DOES IT FEEL TO GET DOXXED???"

Arkham Intelligence quickly updated its referral program to use an encryption algorithm that can't easily be reversed in this way, and the CEO apologized for what he said was an early version of creating referral links that was never updated.

"hey isn't the most profitable use of this just to put a bounty on whale wallets and then kidnap people? like ... did that come up in any meetings?" wrote one Twitter user. "We are now one step closer to onchain assassination markets", wrote another. Others, however, were more optimistic, speaking about "doxx[ing] scammers", "democratiz[ing] tools [the government] already has", and, in the longer term, "accelerat[ing] privacy".

BitOasis wrote on their website that the license had in fact been suspended, but stated that they had not begun offering services to the segments covered by the license (institutional and qualified investors).

BitOasis is among the most popular crypto exchanges in the Middle East and North Africa (MENA) region.

The Arcadia Finance team paused related smart contracts to prevent further attacks, and began working with various crypto security projects to investigate the attack. They also sent on-chain messages to the attacker, threatening law enforcement action and suggesting they "return 90% of the funds... and walk away".

One victim lost 36 NFTs, among them a Bored Ape NFT they'd purchased for around $130,000. Altogether, the attackers successfully stole NFTs worth between $750,000 and $900,000, depending on how resale value is estimated.

The following day, Gutter Cat Gang announced that they'd regained control over the Twitter accounts and taken down the malicious tweets. They stated that they were working with law enforcement to investigate the theft, but to the dismay of some victims, did not describe any plans to compensate those who lost assets.

On July 6, an attorney posted in the project's Discord server to say that BarnBridge and "individuals associated with the DAO" were under investigation by the U.S. Securities and Exchange Commission. The attorney wrote: "To reduce potential further legal liability, existing liquidity pools should be closed, and no more liquidity pools should be started. All work on Barnbridge related products should stop, and individuals should no longer be compensated for any work they do related to Barnbridge until further notice." Decentralized!

It's not terribly surprising that BarnBridge chose to drop the facade of decentralization when the SEC came knocking, however. A recent case by the CFTC against the Ooki DAO suggests that the mere veil of "decentralization" will not be sufficient to avoid legal liability for the actions of a DAO. However, it is interesting to see the SEC now (at least allegedly) going after a relatively small player in the defi world.

Several hours later, Multichain wrote that they had stopped service, and that "all bridge transactions will be stuck on the source chains. There is no confirmed resume time."

In May, Multichain suffered a bizarre slew of issues, culminating in the project team admitting that their CEO had gone missing and could not be contacted. So far, they have not reported his return.

This is also not the first hack suffered by Multichain. In January 2022, the project, bafflingly, publicly announced a security vulnerability that was affecting their tokens, without first instructing users to safeguard their tokens. Attackers quickly followed the instruction manual provided to them by Multichain, making off with around $3 million in assets.

So anyway, that's exactly what happened. NFTPerp announced that they would be sunsetting their popular beta project after accruing bad debt.

How they're going about it has been controversial among the successful traders on the platform: essentially, those who were in profit will lose their unrealized gains, while those who had lost money in their trades will have their losses waived. "Nftperp stealing profits from winner [unrealized profit and loss] to backstop losers UPNL is insane to me", wrote one commenter. Another wrote, "If anyone else is considering NFT perps, please have the 'what happens when the illiquid market goes to zero overnight' plans clearly in place from the beginning."

Not to be deterred, the team is already preparing to launch a "v2". May it go as well as their first attempt.

LoveMake wrote on Twitter that "I am dyslexic and didn't notice that the Burnt Toast acc was scam. It was very similar to the original & Verified." They appeared to blame Twitter's new verification process, writing, "@Twittersupport can you explain the meaning of the word 'verified'? we're waiting for days every time we change pfp or display name and then I got scammed by verified account with exact the same name and pfp as Doodles founder in million views thread?"

Several days later, they posted a thread again criticizing the prevalence of crypto scammers on Twitter. "I put millions $ into web3 projects, with over 90k$ into Twitter ads. I was rugged many times and finally robbed but not broken. Thanks to twitter the most profitable web3 activity now is a scam. Shouldn't Twitter pay more attention to its own security?"

However, shortly after the DAO was created, the governance token was exploited. Attackers were able to take advantage of a flaw in the smart contract, with two exploiters stealing around 35 ETH (~$69,000). The DAO paused the contract to prevent further thefts.

File this one under "adding insult to injury".

The developer reportedly posted a message to Telegram, apologizing for taking the funds. "I must confess that I have fallen into a severe addiction to online gambling and casinos," the developer reportedly wrote. "Despite being only 22 years old, I have struggled to overcome this addiction, and unfortunately, I have lost nearly $300,000 over the past few months, including after the launch of [Encryption AI]."

They added, "Although I cannot guarantee when or if I will be able to make amends and relaunch [Encryption AI], I promise that I will make every effort to become a better person." Oh, well, in that case.

Now, it's happened again, and some reports are throwing around even more massive numbers like $42 billion. In reality, the exploiters were able to mint massive quantities of tokens on multiple networks, with their wallet balances showing numbers in the billions. However, complete lack of liquidity for these tokens meant their "billions" are worth substantially less.

According to crypto research firm Beosin, the attackers have so far cashed out around 5,196 ETH (~$10.1 million) in liquid assets. Poly Network suspended services shortly after the attack.

Although Kraken argued against the order, describing it as an "unjustified treasure hunt", the judge determined that the IRS was justified in its request, and ordered Kraken to cough up the records. The IRS alleged that although the exchange has more than 4 million users, and has processed $140 billion in trades since its inception in 2011, only 288,330 of those users have filed tax returns.

According to Phillips, it took months before he was able to get in touch with Huobi and convince them to act on the leak. Phillips first notified Huobi of the leak in June 2022, and after repeated efforts to contact the company, the credentials were only revoked in June 2023.

Huobi has tried to downplay the hack, first stating that the user data leak was "on a small scale (4,960 individuals)" and "does not involve sensitive information and does not affect user accounts and fund security". They also claimed the leaked OTC data was test data. "The log shows that only [Phillips] has downloaded, and [Phillips] has also stated that he has deleted. Therefore no leakage is actually caused," they wrote.

According to CoinGecko, Huobi is the seventeenth-largest cryptocurrency exchange by volume.

"Product market fit continues to be difficult to find, and the reality is that members of our team are feeling the itch to explore other pursuits," they wrote. "We’d hoped that by now the rest of the world’s industries would have begun adopting blockchain tech at a larger scale, but that still feels a ways away."

The mint itself was plagued with issues, with many collectors complaining they weren't able to buy NFTs due to technical difficulties. A team member apologized for the issues, writing that they were "gutted over what happened" but that "we have an amazing reveal experienced planned that will kick off soon".

When the reveal happened, people were disappointed to say the least. They expected a unique look that would not "dilute" the value of the original Azuki collection, and were met with what many feel is a low-effort clone of the original Azukis. Some observed NFTs in the Elementals collection that appeared to be direct duplicates of ones in the original collection, which Azuki later wrote was a "technical glitch" that was quickly corrected. The floor price of the Elemental NFTs, as well as those of other Azuki projects, immediately suffered. While people paid 2 ETH for the NFTs, they're now going for 1.5 ETH (~$2,825) at floor, a 0.5 ETH (~$925) loss. The floor price of the original Azuki collection tanked from ~15 ETH (~$28,200) to ~9 ETH (~$16,920), a 6 ETH ($11,280) loss.

Azuki wrote an apologetic thread on Twitter, writing that they had "missed the mark... the mint process was hectic, the PFPs feel similar and, even worse, dilutive to Azuki." Perhaps they will wipe their tears with some of the 20,000 ETH they're sitting on.

Only eleven days later, on June 27, the team boasted that the project "has grown to over $1m TVL in 2 working days". An hour after that, they announced that they would be suspending the protocol and beginning an immediate investigation into an apparent theft. Themis boasts in its documentation that "security is the highest priority" of the project, and lists multiple audits from PeckShield.

An attacker was apparently able to exploit the project, draining around 220 Themis-wrapped ETH (nominally worth ~$417,000). Due to liquidity issues, they could only swap these for around 94 ETH (~$178,000) and almost $190,000 in stablecoins, for a total haul of around $368,000.

On June 27, the developers set the governance role to a malicious smart contract, which used a "panic" function to withdraw funds from the Chibi project. They then quickly swapped the funds to 555 wETH (~$1.05 million), bridged them to the Ethereum main chain, and laundered them through Tornado Cash.

Chibi Finance has since deleted its website and Twitter profile. Meanwhile, some crypto influencers who had promoted the project caught heat for doing so.

In the filing, NFID alleges that Prime Trust discovered in December 2021 that it couldn't access some customer wallets, and so "purchased additional digital currency using customer money from its omnibus customer accounts" in order to satisfy withdrawals from said wallets.

Prime Trust reportedly has liabilities of around $82.8 million in fiat currency, plus another $860,000 of digital asset-denominated liabilities. "[Prime Trust] is in an unsafe financial condition and/or is insolvent. Additionally, [Prime Trust's] condition will only progressively worsen as customers continue to withdraw," wrote the regulator.

Now, a report from the New Zealand Herald suggests that the company's director Colin Salisbury took more than NZ$3.24 million (~US$2 million) in customer funds, put it into multiple cryptocurrency platforms over a period of almost two years, and lost it all. Another ~US$800,000 was lost in at least four fraudulent crypto platforms which just "ceased to exist".

We Are Bamboo tried to blame the collapse of their business on the COVID-19 pandemic and on a group of customers whose "actions and online influence have broken us". "Our intentions here are not to play the victim but simply share with you the levels to which this group has gone to ensure our downfall, and made it their sole purpose to attack us, our families, our staff, and our customers with the intent to destroy Bamboo," they wrote. However, a liquidator in the We Are Bamboo bankruptcy says they discovered the cryptocurrency transactions, which explained the true demise of the company.

Salisbury reportedly engaged in the crypto trading because he was concerned that the US dollar might lose value. Guess he found out the hard way what crypto could do for the value of his customers' funds.

Jarryd Hayne is a convicted rapist once known for his careers in rugby league and, briefly, American football. He's serving several years in jail, after being convicted of rape, winning an appeal, being retried, and once again being found guilty.

Hayne is one of several inmates apparently convinced by the Ponzi schemer inmate, Ishan Seenar Sappidee, that he could make them massive returns. Hayne provided around AU$780,000 (~US$521,000) in Bitcoin to the enterprising inmate, who apparently amassed more than AU$2 million (~US$1.3 million)from at least seven inmates.

SpireBit claimed to be partnered with established companies within and outside of the crypto ecosystem, and took on the name of a real company as its supposed "parent" firm. Its online footprint was convincing at a glance, but a little digging revealed LinkedIn profiles using stock photos as portraits.

After NPR began poking around, the UK's Financial Conduct Authority issued a warning that SpireBit "is an unauthorised firm that uses the details of a genuine FCA-regulated firm when offering products and services. This makes the unauthorised firm appear as if it is regulated."

NPR could not determine how many people had fallen for the scheme, or how much money had been lost in total.

The regulator also demanded Binance return all crypto assets to customers, or transfer them to a company authorized in Belgium. They also noted that "The Crown Prosecutor of Brussels has been informed of the acts that are liable to constitute a criminal offence."

Around $1.25 million in various assets have been stolen thus far, with the largest single loss exceeding $150,000.

The project was real, and they had in fact brought on Bryan as an advisor and investor. Bryan later stated in a YouTube video that he had "[taken] the majority of my Bitcoin and rolled it into this technology". However, the firm scrapped its plans for an initial coin offering in 2019. Despite this, Bryan continued pitching the ICO to friends and family with the promise of big returns. One investor, a college student, he reeled in after matching with her on the dating app Bumble. Various sources told The Hollywood Reporter they'd lost between $5,000 and $25,000, for a total of almost $50,000.

In October 2020, Producers Market cut ties with Bryan. This coincided with Bryan being arrested for felony strangulation and other charges in regards to a drunken assault on a girlfriend, which he later pled down to misdemeanor menacing and fourth-degree assault.

As for the noseprint reader, well, it was found to be a fake product that (shockingly) didn't use a blockchain at all. The company had also promised to build "theme parks for pets", but had not leased any of the sites it had identified.

Now, the cease and desist, filed June 21, has become public. It alleges that "the overall financial condition of [Prime Trust] has considerably deteriorated to a critically deficient level" and that "On or about June 21, 2023, Respondent was unable to honor customer withdrawals due to a shortfall of customer funds". The NFID alleged that Prime Trust "has materially and willfully breached its fiduciary duties to its customers by failing to safeguard assets under its custody and is unable to meet all customer disbursement requests."

Prime Trust had been a partner of the TrueUSD stablecoin, which halted minting on June 10 for undisclosed reasons.

Shortly after BitGo's announcement, Prime Trust client Stably announced that they had received a letter from Prime Trust announcing that deposits and withdrawals would be halted. Prime Trust stated that the halt was by order of the Nevada Financial Institution Division, which had been issued the previous day.

As it turned out, Elena had actually directly copied the pixel art from various sources. When accused of copying it, she published a screen capture video claiming to show that she had created the artwork "pixel by pixel", but people were quickly able to find the true sources of the artwork.

Eventually, she came as close to an admission as she is apparently going to get in an announcement that she would be pausing the sale: "I have heard your concerns about the art and I will be working to fix the file quality and any images that might be seen as 'copied' as they were only retraces and I never had any ill intent whatsoever."

Binance had applied for registration after being warned by the FCA in July 2021 to seek registration before launching its business in the region.

Since the beginning of June, Binance has also announced it will exit the Netherlands and Cyprus amid regulatory issues.

Sources cited by the FT allege that Crypto.com made "absolutely dramatic sworn statements that Crypto.com was in no way involved in trading" to other trading houses, and claim that employees were asked to lie about the existence of internal market makers. Crypto.com has refuted these allegations, and acknowledged that they run a market maker.

"This is not a controversial practice," Crypto.com said about the controversial practice.

Huang is also annoyed at zachxbt's observations about the multiple hacks of C.R.E.A.M. Finance, which zachxbt wrote had been exploited three times "due to negligence". "Putting aside that Cream Finance was exploited two, not three times", Huang hilariously writes in the lawsuit, taking issue with the fact that zachxbt supposedly intentionally omitted that some funds were returned and that Huang claims to have been no longer involved with the project by that point. It's not made clear in the lawsuit which of the three hacks recorded on Web3 is Going Just Great — to the tune of $37.5 million (February 2021), $25–30 million (August 2021), and $130 million (October 27, 2021) — supposedly didn't happen.

Wyre had been a partner of Binance US, through which Binance was able to accept USD deposits. However, Binance US is now the target of SEC regulatory action, and has suspended US dollar deposits. Wyre wrote in their announcement that the closure "is not due to any regulatory agency direction". Sure thing.

Sadly for them, they were unable to obtain a VASP registration in the country, and their "many alternative avenues to service Dutch residents in compliance with Dutch regulations" didn't pan out either. They announced that, effective immediately, they would no longer be accepting new customers from the region. Existing customers in the country will soon be only able to withdraw assets, and will not be able to purchase assets or trade on the platform.

Shroder is, of course, referring to the recent lawsuit from the SEC as well as a lawsuit from the CFTC that was filed in March.

The company is also banned from operating in the state going forward. The agreement requires CoinEx to implement geoblocking to prevent people with New York IP addresses from accessing the platform, and prohibits the company from creating new accounts for US customers or allowing US customers to do anything other than withdraw their assets.

The group announced that they were working with "the FBI, the Department of Homeland Security, our regulators and Chainalysis" to investigate the attack. The group had previously earned SOC 2 certification for its cybersecurity controls.

According to the complaint, although Abra claimed it stored customer funds with the Fireblocks crypto custodian, they had actually been "secretly transferring assets" to Binance.

The regulator also alleged that Abra had around $30 million in assets with Babel Finance, $30 million with Genesis, and $10 million with Three Arrows Capital — three companies in various stages of liquidation or bankruptcy. They also have $8.8 million with Auros, a firm that was in liquidation but has since exited the process.

Delio, like Haru, advertised yields of more than 10%.

In the bankruptcy filings, Banq alleges that $17.5 million in assets were stolen by former officers, described in the listing as "computers, trade secrets, proprietary information and technology, business records, etc." The transfer allegedly was made to Fortress NFT Group, a rival company founded by the former CEO, CTO, and CPO. A lawsuit from Banq filed against Fortress and the executives in May 2022 alleges that the executives "stole not only Banq's technology, but also significant other value of Banq's, and used the purloined property to launch Defendants Fortress NFT and Planet NFT using Banq's assets, employees, trade secrets and proprietary technology, claiming all of it to be their own." They also claim that the defendants deleted files and engaged in other fraudulent activity to try to cover up the theft.

The following day, the company named the partner as B&S Holdings (formerly Aventus), and announced that they were taking legal action against the company for filing falsified management reports.

Haru Invest advertised APR in the double digits.

On June 22, Haru laid off 100 employees. Haru explained in a blog post: "after much consideration, it comes with a heavy heart to inform you that we will be minimizing the operations of Haru Invest and its affiliated companies to prevent further damages that are likely to be incurred". Haru's CEO told local media that Haru's offices were empty because employees were working from home for their own safety. After Haru halted withdrawals, they closed their office, and CoinDesk reported that "all company officials disappeared".

The recent SEC lawsuit against Binance has caused the BNB token to plummet almost 25%, from $305 to ~$230. This puts the hacker's position dangerously close to the liquidation threshold of $220, which could cause substantial impact on the market via cascading liquidations.

In November, BNB Chain passed a governance proposal giving the BNB Chain core team the ability to liquidate the position if it approached the liquidation threshold, meaning they could repay the debt in a more controlled manner that wouldn't dump hundreds of thousands of BNB onto the market all at once.

On June 12 the Venus team tweeted a reminder: "BNBChain core team is ready to take over the $BNB position on Venus as planned if the BNB price hits the liquidation threshold. The liquidator address has prepared $30M already to refund the account loans with more to come if needed. No BNB will be dumped into the market and no shortfall is expected on Venus."

This is not the only bad debt on the Venus platform, which has been described as "opaque" by Protos and has been accused of trying to hide some of its liabilities.

Evidently, few people continued to pay much attention to the project, because an exploiter was able to come along and perform a governance attack targeting the users who still had active smart contract approvals with the defunct project. They published and voted on a proposal to allow them to upgrade the smart contract in such a way that they could then take advantage of the approvals to transfer the tokens to their own wallet address. Ultimately they made off with around assets notionally worth around $1.1 million.

Roughly an hour after the attack, the project tweeted that they were aware of the attack, and had paused all markets. On June 19 the project sent a message to the attacker, pleading with them to return the funds and threatening: "There are criminal organizations following the same evidence trails we are. This isn't going away until you return funds. We are your best option out of this."

The decision may have been related to insolvency rumors surrounding Prime Trust, a US-based fintech company. On June 8, BitGo announced a non-binding letter of intent to acquire Prime Trust.

After the announcement, the TUSD stablecoin dipped as low as $0.9951. This is a seemingly small deviation from the $1 peg, but in the stablecoin world, such small variances can be serious.