Blockchain security firm SolidProof had audited Kannagi in June.
Kannagi Finance rug pulls for over $2 million
Memecoin launch by Pauly0x costs traders at least $2.2 million
However, serious flaws in the Pond0x contract resulted in traders losing at least $2.2 million as people discovered that anyone could transfer coins belonging to other people. People quickly began rushing to steal coins from one another.
Pauly0x responded by blaming the traders who bought and sold the tokens, and spent the following day variously posting on Twitter that he was teaching people a lesson, that it wasn't his fault that people lost money, and suggesting that the flaw was part of a bigger plan for the project. "No one stole your tokens lol. The contract is literally designed as such," he wrote to angry traders accusing him of a rug pull. He added to the website a message reading, "GREED KILLS".
DeFiLabs rug pulls for $1.6 million
withdrawFunds
function to make off with the project's assets.DeFiLabs claimed on Twitter that the platform "encountered an unexpected issue" while "undergoing maintenance and updates".
DeFiLabs had been audited by blockchain security firm CertiK.
- "DeFiLabs", Rekt
CoinsPaid hacked for $37.3 million
After prominent Bitcoiner Jameson Lopp tweeted that the issue "look[s] more like a hack", CoinsPaid replied "Our team is aware of the issue... Please wait for the official announcement on this topic." Crypto researcher zachxbt responded, "The issue is you got hacked by North Korea that's what lol", referencing the increasing suspicion that the Lazarus group may be behind the disruption. Sure enough, CoinsPaid later confirmed that they had been hacked for $37.3 million, and announced that they suspected the Lazarus Group was behind it.
Some have been speculating that there are connections between this incident and the $60 million hack of the Alphapo crypto payments processor on July 22. Alphapo also provided services to various online casinos. Indeed, there seem to be connections between Alphapo and CoinsPaid, and they may in fact be operated by the same people.
EraLend exploited for $3.4 million
EraLend paused various functions of their protocol while they investigated the attack, and said they were working with various security research organizations and law enforcement to investigate the theft.
The BlockSec security research firm warned other projects that re-used a portion of code to be cautious if they re-used a portion of code from SyncSwap, because they could also be vulnerable.
IEGT token rug pulls for $1.14 million
Alphapo hacked for more than $60 million
HypeDrop disabled withdrawals on their platform, and wrote on Twitter that they were experiencing "ongoing deposit and withdrawal issues" due to "an issue on the cryptocurrency provider's side."
Conic Finance exploited again, hours after first hack
- "Post Mortem — ETH and crvUSD Omnipool Exploits", Conic Finance Medium
Party Parrot team prepares to "vote" to allocate themselves 80% of initial offering funds, around $60 million
If the vote passes, and it likely will given the massive supply of tokens available to the team, the team will have just decided to distribute around $60 million in remaining funds to themselves, leaving $12 million to the token holders.
One commenter on the proposal described the move as "a pure financial crime". Another wrote, "The community has already explained in painstaking detail why we're not interested in this. The pro-rata value is an extreme lowball and fails to account for many of the team's misuses of the treasury without the community's consent. The team also prematurely unlocked the team and VCs' vesting tokens, so they are the majority token holders, making this vote meaningless and a total farce."
Conic Finance exploited for $3.2 million
Conic Finance announced that they had disabled deposits on the front-end of their project, and were working to patch the vulnerable smart contract. The team also attempted to contact the exploiter via blockchain message, asking if they "would be open to discussing any potential next steps".
Melania Trump's space NFTs likely violate NASA policy
As a photo produced by a federal agency, NASA's image is not copyrighted. However, NASA policy outlines "strict laws and regulations", including that "NASA is not approving any merchandising applications involving Non-Fungible Tokens (NFTs), as they are not consistent with the categories of products the agency is approved to merchandise... NASA does not wish for its images to be used in connection with NFTs."
The NFTs don't seem to be exactly flying off the shelves. The collection contains 500 copies, and according to the website, only 55 have been sold in the week following the project's release, garnering Mrs. Trump $4,125.
GMETA rug pulls for $3.6 million
Feds seize tens of millions from Deltec Bank in connection to fake crypto investment schemes
According to the court filing, the Secret Service was authorized to seize up to $58.5 million after establishing there was probable cause for wire fraud, bank fraud, or money laundering. The affidavit describes "organized, international criminal money laundering syndicates operating cryptocurrency investment and other wire fraud scams" which allegedly fraudulently induced victims to "transfer money into shell companies, at which point the money underwent a series of transfers, generally ending overseas, designed to conceal the source, nature, ownership, and control of the funds".
The scheme reportedly involved fake crypto sites that tricked victims into depositing money under the belief that they were investing it. Like many such scams, the sites appeared to show victims' investments increasing in value, inducing them to deposit more funds. However, when they tried to withdraw, they found they could not.
Neopets shuts down its Neopets Metaverse project
The announcement referred to wanting to "design a game that's more in line with what the community has been asking for", a nod to the backlash from the Neopets community when the company decided to go web3. In September 2021, one of the most popular Neopets fan communities tweeted, "The Neopets community overwhelmingly rejects the new NFT cashgrab project. We're hard pressed finding someone outside of the NFT community that wants this."
Holders of Neopets NFTs seemed somewhat split on the announcement that the NFTs would remain tradable on secondary markets, but would not be incorporated into any game. Some described the project as a "rug", and were disappointed that the NFTs they'd purchased would never be useful in-game. "Once an NFT has no use, the price tends to tank", one person (accurately) remarked. Another commented that they'd always viewed the NFTs as little more than a collectible, and were satisfied with it never going beyond that.
Five men, including inspector in bankruptcy proceeding, charged with kidnapping "Crypto King" alleged scammer
As an inspector in the bankruptcy, Heywood would have had access to details from the investigation by the bankruptcy trustee. Heywood is, incidentally, also charged with threatening the trustee in an attempt to get him to pay out $2 million in crypto. Shortly before the alleged kidnapping, Pleterski stated in an interview for the bankruptcy proceedings that Heywood had been "still, by the way, uttering threats, and very dangerous, violent threats, to me over Instagram comment sections and text messages".
Heywood has told reporters he is innocent.
Hector Network begins shutdown after Multichain collapse
On July 14, a community manager wrote on Discord that "Hector Network ha[d] suffered significant damage to its ability to operate" after the Multichain collapse, and that the project faced a choice between liquidating the treasury and winding down or migrating to a new blockchain and trying to rebuild. The community chose the former.
According to a post on Discord, the winding-down process will likely take 6 to 12 months as the project appoints a liquidator, legal counsel, and auditor.
Scammer "Soup" makes more than $1 million through Discord hacks
Soup was exposed by crypto sleuth zachxbt, who also described how the scammer had spent some of his ill-gotten funds on exclusive Roblox items that sell for "high 5 figs".
Geist Finance shuts down after Multichain-related losses
Geist paused their smart contracts on July 6, then reenabled the withdraw and repay functions on July 9, while waiting for news from Multichain. Now that Multichain has confirmed that the missing hundreds of millions will not be recovered, Geist has announced they will not reopen. If they were to do so, the platform would almost immediately take on bad debt as people exploited the price discrepancies.
Multichain added, "Just to be clear this is in no way an attempt to blame Chainlink oracles which worked as they should. There are no oracles for the Multichain assets themselves because there was the expectation to exchange them 1:1. Nobody is to blame except Multichain here."
Multichain finally confirms their CEO was arrested in China
The Multichain project claimed in a lengthy Twitter thread that the team attempted to keep the project running by using stored credentials on Zhaojun's home computer, thanks to access provided by his sister. However, they say that the July 6–7 movement of $130 million out of the project was an "abnormal" transfer by an unknown party. They claim that the July 9–10 transfer of around $107 million was his sister attempting to preserve assets by moving them into wallets she controlled. According to the team, his sister also was arrested on July 13, and "the status of the assets she has preserved is uncertain".
"Due to the lack of alternative sources of information and corresponding operational funds, the team is forced to cease operations," they wrote. They also claimed that they don't have control over the domain pointing to the frontend of the project, and so are unable to take the project offline, and resorted to pleading with GoDaddy for help in doing so.
"Honestly he deserves jail for this level of cryptography incompetence alone," wrote crypto personality 0xfoobar on Twitter.
SEC, CFTC, and FTC sue Celsius; CEO Alex Mashinsky arrested
Alongside the indictment from the DOJ, the Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), and Federal Trade Commission (FTC) each filed their own separate lawsuits against Mashinsky and Celsius.
These latest lawsuits join an existing lawsuit, filed in January 2023, against Mashinsky by the New York Attorney General.
Digitex Futures CEO to pay $15 million over commodities violations
According to Todd in a YouTube video, "We do not need to do KYC. [...] You should not have to give them because the U.S. government or whatever other [expletive] government in the world says that you need to. You do not need to. You just do not." Well, in that case.
Todd was also accused of trying to artificially inflate the price of the DGTX token by buying it on third-party exchanges, writing out his plans in excruciating detail with a customer who provided him funds to use on pumping the token.
OptyFi shuts down, citing regulatory threats and failed fundraising attempt
However, they stated that the main reason they decided to shut down the project was the "significant and mounting regulatory challenges", pointing to the recent claim by the BarnBridge defi project that they were under SEC investigation. According to OptyFi, they are concerned that the $OPTY token or OptyFi vault tokens could be deemed securities, or that the OptyFi vaults themselves could be determined to be a "Mutual Fund type vehicle".
OptyFi promised to refund any tokens purchased during the most recent token sale, but many community members still accused the project team of rug pulling. OptyFi had previously raised $2.4 million in a seed funding round in January 2022.
- "OptyFi Project Update", Medium
- "Press release: OptyFi raises $2.4M seed round, launches on mainnet", CoinTelegraph
Platypus Finance hacked for the second time
This is the second apparent hack of Platypus Finance, following an $8.5 million hack only ten days after it launched in February 2023. The first hack also involved flash loans.
New Rodeo Finance project exploited for the second time in one week
This was actually the second attack to impact Rodeo Finance in a single week. On July 5, the same day as their public token launch, the project was exploited for around $90,000 thanks to a bug in a smart contract.
NFT phisher charged over OpenSea lookalike scam
Oulahyane is charged with wire fraud, two counts of access device fraud, and aggravated identity theft.
- "Press release: Defendant Charged With Theft Of Cryptocurrency And NFTs Through Spoofing Of OpenSea Marketplace"U.S. Attorney's Office, Southern District of New York
- United States of America v. Soufiane Oulahyane
AlgoFi announces shutdown
AlgoFi had raised a seed funding round of $2.8 million in November 2021, and was backed by groups including Union Square Ventures, Arrington XRP Capital, Pillar VC, and Y Combinator. They had also received other investments from groups including Jump Capital and Coinbase Ventures.
AlgoFi accounts for over half of the value on the Algorand blockchain, which itself has experienced a marked decline from earlier this year.
Multichain drained of another $107 million days after previous theft
People are becoming increasingly suspicious that the Multichain thefts may be an inside job, not least because Multichain's CEO suddenly disappeared in late May and hasn't been located since.
Arkham Intelligence referral program exposes user emails
Like many platforms, Arkham Intelligence allows its users to earn rewards for referring new customers. Users are given a unique link to invite others to sign up, which then credits them for the referral. However, some people have observed that the unique string used to identify the user is simply their email address, base64-encoded. This is a simple way of encoding a piece of text, which is trivially reversed to expose the email address.
A user who noticed the encoding strategy tweeted: "ABSOLUTE LMAO. ALL #ARKHAM REFERRAL LINKS SHARED ON TWITTER IS DOXXING EVERYONE BECAUSE THE EMAIL IS IN THE REFERRAL URL". They then went on to decode some referral links from anonymous crypto personalities, writing "HOW DOES IT FEEL TO GET DOXXED???"
Arkham Intelligence quickly updated its referral program to use an encryption algorithm that can't easily be reversed in this way, and the CEO apologized for what he said was an early version of creating referral links that was never updated.
Arkham Intelligence releases "dox-to-earn" project
"hey isn't the most profitable use of this just to put a bounty on whale wallets and then kidnap people? like ... did that come up in any meetings?" wrote one Twitter user. "We are now one step closer to onchain assassination markets", wrote another. Others, however, were more optimistic, speaking about "doxx[ing] scammers", "democratiz[ing] tools [the government] already has", and, in the longer term, "accelerat[ing] privacy".
Dubai regulator cracks down on BitOasis
BitOasis wrote on their website that the license had in fact been suspended, but stated that they had not begun offering services to the segments covered by the license (institutional and qualified investors).
BitOasis is among the most popular crypto exchanges in the Middle East and North Africa (MENA) region.
Arcadia Finance exploited
The Arcadia Finance team paused related smart contracts to prevent further attacks, and began working with various crypto security projects to investigate the attack. They also sent on-chain messages to the attacker, threatening law enforcement action and suggesting they "return 90% of the funds... and walk away".
- "Arcadia Finance says exploiter contacted after $450K hack", Protos
- Tweet by PeckShield
- Etherscan transaction with message to the attacker
Hackers swipe pricey NFTs after compromising Gutter Cat Gang Twitter profile
One victim lost 36 NFTs, among them a Bored Ape NFT they'd purchased for around $130,000. Altogether, the attackers successfully stole NFTs worth between $750,000 and $900,000, depending on how resale value is estimated.
The following day, Gutter Cat Gang announced that they'd regained control over the Twitter accounts and taken down the malicious tweets. They stated that they were working with law enforcement to investigate the theft, but to the dismay of some victims, did not describe any plans to compensate those who lost assets.
"Decentralized" BarnBridge closes up shop after claiming they are under SEC investigation
On July 6, an attorney posted in the project's Discord server to say that BarnBridge and "individuals associated with the DAO" were under investigation by the U.S. Securities and Exchange Commission. The attorney wrote: "To reduce potential further legal liability, existing liquidity pools should be closed, and no more liquidity pools should be started. All work on Barnbridge related products should stop, and individuals should no longer be compensated for any work they do related to Barnbridge until further notice." Decentralized!
It's not terribly surprising that BarnBridge chose to drop the facade of decentralization when the SEC came knocking, however. A recent case by the CFTC against the Ooki DAO suggests that the mere veil of "decentralization" will not be sufficient to avoid legal liability for the actions of a DAO. However, it is interesting to see the SEC now (at least allegedly) going after a relatively small player in the defi world.
Multichain shuts down amidst $130 million suspected hack
Several hours later, Multichain wrote that they had stopped service, and that "all bridge transactions will be stuck on the source chains. There is no confirmed resume time."
In May, Multichain suffered a bizarre slew of issues, culminating in the project team admitting that their CEO had gone missing and could not be contacted. So far, they have not reported his return.
This is also not the first hack suffered by Multichain. In January 2022, the project, bafflingly, publicly announced a security vulnerability that was affecting their tokens, without first instructing users to safeguard their tokens. Attackers quickly followed the instruction manual provided to them by Multichain, making off with around $3 million in assets.
NFTPerp blows up
So anyway, that's exactly what happened. NFTPerp announced that they would be sunsetting their popular beta project after accruing bad debt.
How they're going about it has been controversial among the successful traders on the platform: essentially, those who were in profit will lose their unrealized gains, while those who had lost money in their trades will have their losses waived. "Nftperp stealing profits from winner [unrealized profit and loss] to backstop losers UPNL is insane to me", wrote one commenter. Another wrote, "If anyone else is considering NFT perps, please have the 'what happens when the illiquid market goes to zero overnight' plans clearly in place from the beginning."
Not to be deterred, the team is already preparing to launch a "v2". May it go as well as their first attempt.
Trader loses $213,000 to phishing scam, blames Twitter
burnttoast
, but the handle was actually burntteoast
. LoveMake connected their primary wallet, which was immediately drained of 61.5 ETH (~$120,000) and $93,400 in the Tether stablecoin.LoveMake wrote on Twitter that "I am dyslexic and didn't notice that the Burnt Toast acc was scam. It was very similar to the original & Verified." They appeared to blame Twitter's new verification process, writing, "@Twittersupport can you explain the meaning of the word 'verified'? we're waiting for days every time we change pfp or display name and then I got scammed by verified account with exact the same name and pfp as Doodles founder in million views thread?"
Several days later, they posted a thread again criticizing the prevalence of crypto scammers on Twitter. "I put millions $ into web3 projects, with over 90k$ into Twitter ads. I was rugged many times and finally robbed but not broken. Thanks to twitter the most profitable web3 activity now is a scam. Shouldn't Twitter pay more attention to its own security?"
Angry over the Azuki Elementals fiasco, Azuki holders form a DAO and immediately get exploited
However, shortly after the DAO was created, the governance token was exploited. Attackers were able to take advantage of a flaw in the smart contract, with two exploiters stealing around 35 ETH (~$69,000). The DAO paused the contract to prevent further thefts.
File this one under "adding insult to injury".
Encryption AI rug pulls for $2 million, developer allegedly blames gambling addiction
The developer reportedly posted a message to Telegram, apologizing for taking the funds. "I must confess that I have fallen into a severe addiction to online gambling and casinos," the developer reportedly wrote. "Despite being only 22 years old, I have struggled to overcome this addiction, and unfortunately, I have lost nearly $300,000 over the past few months, including after the launch of [Encryption AI]."
They added, "Although I cannot guarantee when or if I will be able to make amends and relaunch [Encryption AI], I promise that I will make every effort to become a better person." Oh, well, in that case.
Poly Network exploited again
Now, it's happened again, and some reports are throwing around even more massive numbers like $42 billion. In reality, the exploiters were able to mint massive quantities of tokens on multiple networks, with their wallet balances showing numbers in the billions. However, complete lack of liquidity for these tokens meant their "billions" are worth substantially less.
According to crypto research firm Beosin, the attackers have so far cashed out around 5,196 ETH (~$10.1 million) in liquid assets. Poly Network suspended services shortly after the attack.
Kraken ordered to turn over user information to U.S. tax investigators
Although Kraken argued against the order, describing it as an "unjustified treasure hunt", the judge determined that the IRS was justified in its request, and ordered Kraken to cough up the records. The IRS alleged that although the exchange has more than 4 million users, and has processed $140 billion in trades since its inception in 2011, only 288,330 of those users have filed tax returns.
Huobi patches massive vulnerability after researcher allegedly tries for a year to disclose it
According to Phillips, it took months before he was able to get in touch with Huobi and convince them to act on the leak. Phillips first notified Huobi of the leak in June 2022, and after repeated efforts to contact the company, the credentials were only revoked in June 2023.
Huobi has tried to downplay the hack, first stating that the user data leak was "on a small scale (4,960 individuals)" and "does not involve sensitive information and does not affect user accounts and fund security". They also claimed the leaked OTC data was test data. "The log shows that only [Phillips] has downloaded, and [Phillips] has also stated that he has deleted. Therefore no leakage is actually caused," they wrote.
According to CoinGecko, Huobi is the seventeenth-largest cryptocurrency exchange by volume.
Cardinal Labs shuts down
"Product market fit continues to be difficult to find, and the reality is that members of our team are feeling the itch to explore other pursuits," they wrote. "We’d hoped that by now the rest of the world’s industries would have begun adopting blockchain tech at a larger scale, but that still feels a ways away."
Azuki community pays $38 million for recycled artwork that immediately drops in value
The mint itself was plagued with issues, with many collectors complaining they weren't able to buy NFTs due to technical difficulties. A team member apologized for the issues, writing that they were "gutted over what happened" but that "we have an amazing reveal experienced planned that will kick off soon".
When the reveal happened, people were disappointed to say the least. They expected a unique look that would not "dilute" the value of the original Azuki collection, and were met with what many feel is a low-effort clone of the original Azukis. Some observed NFTs in the Elementals collection that appeared to be direct duplicates of ones in the original collection, which Azuki later wrote was a "technical glitch" that was quickly corrected. The floor price of the Elemental NFTs, as well as those of other Azuki projects, immediately suffered. While people paid 2 ETH for the NFTs, they're now going for 1.5 ETH (~$2,825) at floor, a 0.5 ETH (~$925) loss. The floor price of the original Azuki collection tanked from ~15 ETH (~$28,200) to ~9 ETH (~$16,920), a 6 ETH ($11,280) loss.
Azuki wrote an apologetic thread on Twitter, writing that they had "missed the mark... the mint process was hectic, the PFPs feel similar and, even worse, dilutive to Azuki." Perhaps they will wipe their tears with some of the 20,000 ETH they're sitting on.
Themis Protocol hacked shortly after going live
Only eleven days later, on June 27, the team boasted that the project "has grown to over $1m TVL in 2 working days". An hour after that, they announced that they would be suspending the protocol and beginning an immediate investigation into an apparent theft. Themis boasts in its documentation that "security is the highest priority" of the project, and lists multiple audits from PeckShield.
An attacker was apparently able to exploit the project, draining around 220 Themis-wrapped ETH (nominally worth ~$417,000). Due to liquidity issues, they could only swap these for around 94 ETH (~$178,000) and almost $190,000 in stablecoins, for a total haul of around $368,000.
Chibi Finance rug pulls for $1 million
On June 27, the developers set the governance role to a malicious smart contract, which used a "panic" function to withdraw funds from the Chibi project. They then quickly swapped the funds to 555 wETH (~$1.05 million), bridged them to the Ethereum main chain, and laundered them through Tornado Cash.
Chibi Finance has since deleted its website and Twitter profile. Meanwhile, some crypto influencers who had promoted the project caught heat for doing so.
Prime Trust placed into receivership
In the filing, NFID alleges that Prime Trust discovered in December 2021 that it couldn't access some customer wallets, and so "purchased additional digital currency using customer money from its omnibus customer accounts" in order to satisfy withdrawals from said wallets.
Prime Trust reportedly has liabilities of around $82.8 million in fiat currency, plus another $860,000 of digital asset-denominated liabilities. "[Prime Trust] is in an unsafe financial condition and/or is insolvent. Additionally, [Prime Trust's] condition will only progressively worsen as customers continue to withdraw," wrote the regulator.
Eco-travel company We Are Bamboo loses millions of customer funds gambling on crypto
Now, a report from the New Zealand Herald suggests that the company's director Colin Salisbury took more than NZ$3.24 million (~US$2 million) in customer funds, put it into multiple cryptocurrency platforms over a period of almost two years, and lost it all. Another ~US$800,000 was lost in at least four fraudulent crypto platforms which just "ceased to exist".
We Are Bamboo tried to blame the collapse of their business on the COVID-19 pandemic and on a group of customers whose "actions and online influence have broken us". "Our intentions here are not to play the victim but simply share with you the levels to which this group has gone to ensure our downfall, and made it their sole purpose to attack us, our families, our staff, and our customers with the intent to destroy Bamboo," they wrote. However, a liquidator in the We Are Bamboo bankruptcy says they discovered the cryptocurrency transactions, which explained the true demise of the company.
Salisbury reportedly engaged in the crypto trading because he was concerned that the US dollar might lose value. Guess he found out the hard way what crypto could do for the value of his customers' funds.
Former NRL star and convict Jarryd Hayne reportedly loses more than $500,000 to a Bitcoin scam run by fellow inmate
Jarryd Hayne is a convicted rapist once known for his careers in rugby league and, briefly, American football. He's serving several years in jail, after being convicted of rape, winning an appeal, being retried, and once again being found guilty.
Hayne is one of several inmates apparently convinced by the Ponzi schemer inmate, Ishan Seenar Sappidee, that he could make them massive returns. Hayne provided around AU$780,000 (~US$521,000) in Bitcoin to the enterprising inmate, who apparently amassed more than AU$2 million (~US$1.3 million)from at least seven inmates.
Alleged SpireBit crypto scam loses one senior his life savings
SpireBit claimed to be partnered with established companies within and outside of the crypto ecosystem, and took on the name of a real company as its supposed "parent" firm. Its online footprint was convincing at a glance, but a little digging revealed LinkedIn profiles using stock photos as portraits.
After NPR began poking around, the UK's Financial Conduct Authority issued a warning that SpireBit "is an unauthorised firm that uses the details of a genuine FCA-regulated firm when offering products and services. This makes the unauthorised firm appear as if it is regulated."
NPR could not determine how many people had fallen for the scheme, or how much money had been lost in total.
Binance ordered to halt operations in Belgium
The regulator also demanded Binance return all crypto assets to customers, or transfer them to a company authorized in Belgium. They also noted that "The Crown Prosecutor of Brussels has been informed of the acts that are liable to constitute a criminal offence."