Scammers target victims via web3 job search boards

Job listing website called cryptojobs.com, with a highlighted "Premium Job" reading "Beta Testers Needed for... Eco Land"Scam job listing (attribution)
Scammers are constantly coming up with creative new ways to pull off their scams, and the latest seems to be targeting web3-interested individuals via dedicated web3 jobs portals. One Twitter user described an experience in which he applied for a beta testing job for a play-to-earn crypto game, only to have his wallet drained when he downloaded what was supposed to be the game file, but was actually malware. He lost 875 ARB ($1,032), 60 OP ($140), and various other tokens.

"Jobless and a bit poorer, thanks guys!" he wrote. "You're passionate about its technology, you wanna be part of it. You DCA. You hodl. You do everything you can to do things right... you're passionate, love the space, the tech. The people. Your willingness to get a job in Web3 is enormous! I stand for on-chain values, and I wanna be a part of the wave!" he wrote in frustration, trying to explain how he'd gotten scammed. "The apparent legitimacy of these [web3 job listing] sites made me remove the 'watch out filter', and boom."

Bitsonic CEO arrested for allegedly stealing $7.5 million

Jinwook Shin, CEO of the Bitsonic crypto exchange, was arrested in South Korea for allegedly stealing funds from users of his exchange. According to the prosecutors, he allegedly manipulated prices and trading volumes on the exchange in order to profit around ₩10 billion (~$7.5 million) the beginning of 2019 and mid-2021.

Bitsonic halted its services in August 2021, claiming "internal and external issues". However, even after halting withdrawals, Shin continued to offer cryptocurrency to new clients.

Cypher protocol exploited for around $1 million

An NFT message, contained in an orange frame with "New Message" at the top. Text: "give it back you shitlord"NFT message to the attacker (attribution)
The Solana-based Cypher protocol, a decentralized futures exchange, froze its smart contract after an attacker stole a little more than $1 million in Solana tokens and the USDC stablecoin.

The project attempted to contact the hacker to negotiate the return of some of the funds. Meanwhile, various community members sent NFTs to the attacker wallet, requesting the return of the funds. One of them tried to convince the hacker, writing that they believed the attacker's identity could be discovered because they used centralized exchanges with KYC to try to withdraw funds. Another simply said "give it back you shitlord".

Steadefi exploited for over $1 million

"NOTICE: Steadefi has been exploited and all funds are currently at risk," wrote Steadefi on Twitter after an attacker was able to change the contract owner to their own address — likely indicating a private key leak. So far, 624 ETH (~$1.14 million) have been siphoned from the project.

Rumors swirl that Huobi executives have been arrested, exchange is insolvent

Hong Kong crypto news outlet Techub cited two insiders when reporting on August 5 that "at least three executives" at Huobi had been detained by Chinese police for investigation. The report sparked panic, and the exchange has seen net outflows of more than $73 million in the past week. Huobi's stablecoin balances are down 33% over the same period. Investor and crypto analyst Adam Cochran tweeted of "likely Huobi insolvency", citing Binance's bulk Tether sales, paused "audit" reports, and "weird balance shifts" at the exchange.

Huobi and related people have been busy refuting the rumors, with Huobi's social media head dismissing them as "baseless malicious attacks". Huobi "advisor" Justin Sun tweeted "4".

Worldcoin warehouse in Nairobi raided by authorities

After Kenya shut down Worldcoin's operations in the country over data privacy concerns, police have raided a warehouse in Nairobi. Authorities reportedly took "machines they believe stores data gathered by the firm" as well as various documents, according to Kenyan newspaper Kahawa Tungu.

Kenya's Office of the Data Protection Commissioner has said that Worldcoin failed to accurately disclose its intentions with the project when corresponding with regulators.

Copytrader asks for "stolen" funds back after someone tricks their bot

An Azuki NFT: an anime-style side portrait of a person with short brown hair, a beige headband tied around their head, wearing a puffy coat and holding a fanAzuki #9745, one of the NFTs purchased at an inflated price (attribution)
After noticing someone set up a bot to copy his bids, NFT trader Hanwe Chang tricked the bot into purchasing multiple NFTs at hugely inflated prices. Chang purchased a large number of Azuki NFTs using an anonymous wallet, then placed an inflated 50 ETH (~$90,700) bid on one. The bot then came along and offered the same amount on the other NFTs, and Chang accepted the overpriced bids. Altogether, Chang made 800 ETH (~$1.45 million) from the scheme, draining the bot of its available funds. Azukis have been trading with a floor price of around 5 ETH (~$9,000).

The apparent operator of the bot tweeted at Chang, accusing him of theft: "We would like to discuss a bounty with you. We are offering a 10% bounty of any funds stolen from our bot, which are yours to keep if you return the remaining 90%." In other tweets they suggested they might try to take legal action against Chang for the "theft".

Revolut shuts down crypto business in the US

Revolut, a British fintech firm, has announced it will no longer offer cryptocurrency services to its US-based customer. As is becoming typical, they blamed US regulations and "crypto market uncertainty" for the decision.

Revolut had previously been one of the crypto platforms to limit US trading in Solana, Cardano, and Polygon tokens after the SEC identified those tokens as securities in lawsuits against Binance and Coinbase.

Web3 platform Nifty's shuts down

Nifty's was a web3 business backed by the likes of Mark Cuban, Joey Lubin, Coinbase, and Dapper Labs. In 2021, they raised a $10 million seed round, and launched as an NFT-focused company in July 2021 with a collection of Space Jam NFTs to accompany the widely panned box office disappointment, Space Jam: A New Legacy.

The platform later partnered with other companies to produce NFT collections for franchises including The Matrix and Game of Thrones, the latter of which featured hilariously bad artwork. The company then pivoted to a broader web3 focus as the NFT bubble collapse led the broader crypto downturn.

However, their promised web3 platform never materialized, and now the project has reached "the end of [its] runway".

Nifty's is not to be confused with Nifty Gateway, a separate NFT platform run by the embattled Gemini crypto platform.

Uwerx crypto-based freelancer platform exploited

Uwerx is a nascent project intending to build a blockchain-based freelancer marketplace, because what better concepts to combine than blockchains and the gig economy? Sadly for them, just after completing their token presale, it was hit with a flash loan exploit that enabled an attacker to siphon 176 ETH (~$324,000) from the platform.

The project was audited by SolidProof and InterFi. The project announced that they intended to relaunch the token, and asked the exploiter to consider returning 80% of the funds, keeping 20% as a "bug bounty".

LeetSwap exploited on Base

Although Coinbase's Base blockchain is at this stage intended for testing only, people have begun bridging substantial assets to the platform and using various services in anticipation of its official launch.

One such service is LeetSwap, which describes itself as the "The #1 DEX ecosystem for elite degens built on the leetest blockchains", and which recently launched its service on Base. On August 1, LeetSwap was exploited after an attacker discovered a function that allowed them to manipulate token prices on the project for a profit of around 342 ETH (~$624,000).

LeetSwap attempted to contact the hacker via social media, asking them to return all but 50 ETH (~$92,000, or around 15% of the stolen funds).

Phisher briefly snags $20 million before it's frozen by Tether

A zero-transfer attack, also called an address poisoning attack, occurs when a phisher creates a blockchain address very similar to that of a target victim's wallet, and sends zero-value token transactions to the victim's addresses from the phishing wallet in hopes that the victim will later mistake the phishing address for the real one and send funds to it. It sounds unlikely to work, but users often fail to verify every character of the destination address they're using, opting instead to copy it from their transaction histories, and this can profit scammers substantially.

Someone intending to transfer Tether stablecoins amounting to $20 million apparently didn't think it was important to double-check the address, and fell for such an attack.

However, only 51 minutes after the theft, the victim had managed to get Tether to add the thief's address to its blacklist, freezing the assets and thwarting the attack. The rapidity of the freeze led various people to question who the victim might be who could get Tether to intervene so quickly.

BALD memecoin plunges after $25.6 million rug pull

A memecoin called $BALD, built on the Coinbase Base test network, appears to have rug pulled for at least $25.6 million. Although the Base network is meant to be used for developer testing, some people have tried to trade on the network before its official launch.

A pseudonymous crypto user called "Bald" announced that they would be selling $BALD tokens on the Base network, and the token — apparently named after the hairless Coinbase CEO Brian Armstrong — quickly skyrocketed in price. However, the token deployer emptied tokens priced at around $25.6 million from the liquidity pool two days after launch in apparent rug pull. The token price quickly plunged by around 90%.

Conspiracy theories emerged that the Bald account was in fact operated by Sam Bankman-Fried, the former CEO of FTX who is on house arrest under strict supervision and without access to most websites as he awaits trial later this year.

SEC goes after Richard Heart and his projects Hex, PulseChain, and PulseX

Richard Heart, wearing a top hatRichard Heart (attribution)
The SEC filed charges against Richard Heart, the operator of Hex, PulseChain, and PulseX. Despite Heart's best attempts at evading securities laws — including by asking people to "sacrifice" tokens in exchange for PLS and PLSX to avoid using the term "invest" — the SEC says he's been conducting unregistered securities offerings amounting to more than $1 billion.

In addition to the unregistered offerings charge, the SEC alleges Heart and PulseChain misappropriated $12.1 million to fund Heart's lavish lifestyle. Among other things, he purchased a McLaren sports car, five luxury watches, and a $4.3 million 555-carat black diamond called "Enigma", allegedly using funds from the sale.

Bug in Vyper smart contract language enables multiple exploits on Curve and related projects

Some types of Curve factory pools, including one operated by AlchemixFi and one by JPEG'd, were exploited. The attack stemmed from an issue in the Vyper language, a smart contract programming language that is similar to Solidity. Early investigations suggested that versions of the Vyper compiler had improperly implemented a re-entrancy guard, leaving some projects vulnerable to that type of attack. Vyper tweeted an announcement that the versions were vulnerable, and urged "projects relying on these versions [to] immediately reach out to us".

Curve itself lost $61 million to the exploit. AlchemixFi was exploited for around $13 million in assets, and JPEG'd suffered a $11 million loss. MetronomeDAO suffered a $1.6 million loss, Ellipsis Finance lost $68,600, and Debridge Finance lost around $24,600.

Altogether, somewhere between $88 million and $100 million was taken, though some exploits appeared to be whitehat actions intended to preserve funds. The primary exploiter also later returned some of the stolen funds, refunding the entire amount to AlchemixFi and 90% of funds to JPEG'd in exchange for a 10% "bug bounty".

Kannagi Finance rug pulls for over $2 million

The defi yield aggregator project Kannagi Finance rug pulled on July 29 as its creators drained the $2.13 million total value locked. Kannagi Finance deleted its website and social media accounts following the exit scam.

Blockchain security firm SolidProof had audited Kannagi in June.

Memecoin launch by Pauly0x costs traders at least $2.2 million

Traders hoping to get in on the next big memecoin eagerly snapped up a token called Pond0x, a Pepe the Frog-branded memecoin launched by Pauly0x. Pauly0x is Jeremy Cahen, a crypto personality best known for his creation of CryptoPhunks, NotLarvaLabs, and involvement in the Ryder Ripps lawsuit.

However, serious flaws in the Pond0x contract resulted in traders losing at least $2.2 million as people discovered that anyone could transfer coins belonging to other people. People quickly began rushing to steal coins from one another.

Pauly0x responded by blaming the traders who bought and sold the tokens, and spent the following day variously posting on Twitter that he was teaching people a lesson, that it wasn't his fault that people lost money, and suggesting that the flaw was part of a bigger plan for the project. "No one stole your tokens lol. The contract is literally designed as such," he wrote to angry traders accusing him of a rug pull. He added to the website a message reading, "GREED KILLS".

DeFiLabs rug pulls for $1.6 million

A defi project called DeFiLabs was able to rug pull for $1.6 million thanks to a backdoor written into the smart contract. After traders bought into the project, its creator was able to call the withdrawFunds function to make off with the project's assets.

DeFiLabs claimed on Twitter that the platform "encountered an unexpected issue" while "undergoing maintenance and updates".

DeFiLabs had been audited by blockchain security firm CertiK.

CoinsPaid hacked for $37.3 million

The CoinsPaid crypto payment platform, which provides payment services to various online casinos, reportedly suspended withdrawals under mysterious circumstances. The company later deleted a handful of tweets pertaining to the incident, which they ascribed to a "technical issue".

After prominent Bitcoiner Jameson Lopp tweeted that the issue "look[s] more like a hack", CoinsPaid replied "Our team is aware of the issue... Please wait for the official announcement on this topic." Crypto researcher zachxbt responded, "The issue is you got hacked by North Korea that's what lol", referencing the increasing suspicion that the Lazarus group may be behind the disruption. Sure enough, CoinsPaid later confirmed that they had been hacked for $37.3 million, and announced that they suspected the Lazarus Group was behind it.

Some have been speculating that there are connections between this incident and the $60 million hack of the Alphapo crypto payments processor on July 22. Alphapo also provided services to various online casinos. Indeed, there seem to be connections between Alphapo and CoinsPaid, and they may in fact be operated by the same people.

EraLend exploited for $3.4 million

The EraLend crypto lending platform was exploited for around $3.4 million after an attacker took advantage of a re-entrancy vulnerability to manipulate token prices and drain funds from the project. The thief then quickly distributed the stolen funds across various wallets and blockchains.

EraLend paused various functions of their protocol while they investigated the attack, and said they were working with various security research organizations and law enforcement to investigate the theft.

The BlockSec security research firm warned other projects that re-used a portion of code to be cautious if they re-used a portion of code from SyncSwap, because they could also be vulnerable.

IEGT token rug pulls for $1.14 million

The IEGT token was created on Binance Smart Chain on July 13. However, its creators "covertly minted a large amount of tokens, primed for a rug pull", as blockchain security firm SlowMist described it. Although the project reportedly had only 5 million tokens in supply, this allowed the team to sell 1 billion tokens, cashing out approximately $1.14 million in the USDT stablecoin.

Alphapo hacked for more than $60 million

The crypto payment processor Alphapo suffered a hot wallet hack on July 22 in which at least $60 million in Ethereum, Tron, and Bitcoin was stolen. Alphapo processes payments for several gambling platforms including HypeDrop, Bovada, and Ignition.

HypeDrop disabled withdrawals on their platform, and wrote on Twitter that they were experiencing "ongoing deposit and withdrawal issues" due to "an issue on the cryptocurrency provider's side."

Conic Finance exploited again, hours after first hack

Hours after suffering a $3.2 million exploit on their ETH pools, Conic Finance was hacked for a second time. Although Conic had assured the public that the incident was limited to the ETH pool and other pools were not at risk, an attacker successfully exploited their crvUSD pool. The attacker stole around $934,000, though ultimately only was able to realize around $300,000 in profit.

Party Parrot team prepares to "vote" to allocate themselves 80% of initial offering funds, around $60 million

You almost have to hand it to the Party Parrot team, they really figured out how to take advantage of ostensibly "decentralized" governance to line their own pockets. After raising $80 million in an "IDO" — initial DEX offering — in September 2021, the project is now embarking on a governance "vote" that would cash out the project treasury and distribute it to PRT token holders. However, the project team also unilaterally decided to unlock tokens held by the team in November 2022, meaning that the project now has access to 80% of the token supply — the same tokens that will decide the outcome of the vote.

If the vote passes, and it likely will given the massive supply of tokens available to the team, the team will have just decided to distribute around $60 million in remaining funds to themselves, leaving $12 million to the token holders.

One commenter on the proposal described the move as "a pure financial crime". Another wrote, "The community has already explained in painstaking detail why we're not interested in this. The pro-rata value is an extreme lowball and fails to account for many of the team's misuses of the treasury without the community's consent. The team also prematurely unlocked the team and VCs' vesting tokens, so they are the majority token holders, making this vote meaningless and a total farce."

Conic Finance exploited for $3.2 million

A re-entrancy vulnerability in the Conic Finance defi project enabled an attacker to steal 1,700 ETH (~$3.22 million) from the project's ETH pool.

Conic Finance announced that they had disabled deposits on the front-end of their project, and were working to patch the vulnerable smart contract. The team also attempted to contact the exploiter via blockchain message, asking if they "would be open to discussing any potential next steps".

Melania Trump's space NFTs likely violate NASA policy

A photo of Buzz Aldrin in a space suit on the surface of the moon, superimposed on an iPod Nano-esque object where the screen would beMan on the Moon NFT (attribution)
Melania Trump doesn't seem willing to let the flop of her first NFT project, which ended with her allegedly buying the NFT herself, slow her down. She's just announced a line of Apollo 11-themed NFTs, because apparently our former first lady is a big space buff. The Man on the Moon NFTs sell for $75 each, and feature a 1969 photo of Buzz Aldrin on the moon surface, bizarrely superimposed on what appears to be a 2007-era iPod Nano.

As a photo produced by a federal agency, NASA's image is not copyrighted. However, NASA policy outlines "strict laws and regulations", including that "NASA is not approving any merchandising applications involving Non-Fungible Tokens (NFTs), as they are not consistent with the categories of products the agency is approved to merchandise... NASA does not wish for its images to be used in connection with NFTs."

The NFTs don't seem to be exactly flying off the shelves. The collection contains 500 copies, and according to the website, only 55 have been sold in the week following the project's release, garnering Mrs. Trump $4,125.

GMETA rug pulls for $3.6 million

The GMETA project on BNB Chain saw its price plummet to near zero as the project creators drained the funds from the project. The contract creator was able to transfer large amounts of the token and swap them for the Tether stablecoin, cashing out a total of around $3.6 million.

Feds seize tens of millions from Deltec Bank in connection to fake crypto investment schemes

Documents unsealed on July 17 reveal that the U.S. Secret Service performed multiple asset seizures on U.S. bank accounts controlled by Deltec Bank, a Bahamian bank with close ties to the crypto industry. Deltec is known for its ties to the Tether stablecoin, and it has also done business with FTX/Alameda.

According to the court filing, the Secret Service was authorized to seize up to $58.5 million after establishing there was probable cause for wire fraud, bank fraud, or money laundering. The affidavit describes "organized, international criminal money laundering syndicates operating cryptocurrency investment and other wire fraud scams" which allegedly fraudulently induced victims to "transfer money into shell companies, at which point the money underwent a series of transfers, generally ending overseas, designed to conceal the source, nature, ownership, and control of the funds".

The scheme reportedly involved fake crypto sites that tricked victims into depositing money under the belief that they were investing it. Like many such scams, the sites appeared to show victims' investments increasing in value, inducing them to deposit more funds. However, when they tried to withdraw, they found they could not.

Neopets shuts down its Neopets Metaverse project

An "Acara" Neopet with a plushie body, sad expression, and squid hat and scarfNeopet #1315 (attribution)
After announcing a Neopets Metaverse project — complete with NFT collections and two different crypto tokens — in 2021, Neopets has announced they will be "transition[ing] away from the Neopets Metaverse game and redistribut[ing] those resources to the development of a game that we feel can better reflect our values and vision." The announcement came along with an announcement that the company had raised $4 million, and undergone a major change in leadership. They reassured their community that its new project, "World of Neopets", will not have any NFTs and "is NOT built on a crypto model".

The announcement referred to wanting to "design a game that's more in line with what the community has been asking for", a nod to the backlash from the Neopets community when the company decided to go web3. In September 2021, one of the most popular Neopets fan communities tweeted, "The Neopets community overwhelmingly rejects the new NFT cashgrab project. We're hard pressed finding someone outside of the NFT community that wants this."

Holders of Neopets NFTs seemed somewhat split on the announcement that the NFTs would remain tradable on secondary markets, but would not be incorporated into any game. Some described the project as a "rug", and were disappointed that the NFTs they'd purchased would never be useful in-game. "Once an NFT has no use, the price tends to tank", one person (accurately) remarked. Another commented that they'd always viewed the NFTs as little more than a collectible, and were satisfied with it never going beyond that.

Five men, including inspector in bankruptcy proceeding, charged with kidnapping "Crypto King" alleged scammer

Aidan Pleterski and a woman with her face blurred stand in front of a lime green Lamborghini in what appears to be an upscale suburbPleterski, in better days (attribution)
Five men are facing charges for allegedly kidnapping, confining, and beating Aiden Pleterski, the young, self-proclaimed "Crypto King" accused of losing $35 million in investor funds. One of the men, Akil Heywood, reportedly lost $740,000 to Pleterski's scam, and had been named by other investors to be an inspector in the bankruptcy proceeding, a role where he was intended to represent the interests of other investors. Perhaps that's what he was trying to do when he allegedly helped the group of other men kidnap Pleterski, beat him, and force him to record a video explaining what happened to the funds.

As an inspector in the bankruptcy, Heywood would have had access to details from the investigation by the bankruptcy trustee. Heywood is, incidentally, also charged with threatening the trustee in an attempt to get him to pay out $2 million in crypto. Shortly before the alleged kidnapping, Pleterski stated in an interview for the bankruptcy proceedings that Heywood had been "still, by the way, uttering threats, and very dangerous, violent threats, to me over Instagram comment sections and text messages".

Heywood has told reporters he is innocent.

Hector Network begins shutdown after Multichain collapse

Hector DAO, the governing body behind the Hector Network, voted to liquidate the project's $16 million treasury and distribute it to tokenholders, effectively putting an end to the project.

On July 14, a community manager wrote on Discord that "Hector Network ha[d] suffered significant damage to its ability to operate" after the Multichain collapse, and that the project faced a choice between liquidating the treasury and winding down or migrating to a new blockchain and trying to rebuild. The community chose the former.

According to a post on Discord, the winding-down process will likely take 6 to 12 months as the project appoints a liquidator, legal counsel, and auditor.

Scammer "Soup" makes more than $1 million through Discord hacks

A Mutant Ape wearing a leather aviator hat with teeth on the brim, with Xs for eyes, with a beer can wrapped in a serpentine tongue, and with leopard print furMutant Ape #21080, stolen by Soup (attribution)
A Canadian named Dan, who goes by "Soup" online, made more than $1 million through various phishing scams targeting Discord projects including those belonging to the Pika Protocol and Orbiter Finance. In one scam, he impersonated crypto journalist Luke Hamilton, trying to convince victims to join a fake Decrypt Discord server so he could steal their credentials.

Soup was exposed by crypto sleuth zachxbt, who also described how the scammer had spent some of his ill-gotten funds on exclusive Roblox items that sell for "high 5 figs".

Geist Finance shuts down after Multichain-related losses

Defi lending project Geist Finance announced they would be shutting down after more than $200 million was drained from the Multichain project in two separate events in early July. Geist Finance had previously allowed people to borrow against assets bridged via Multichain, and had over $29 million TVL. However, price oracles are no longer reporting accurate prices of the bridged equivalents of tokens, which are now largely unbacked thanks to the missing assets, and trading at a massive discount to the original tokens.

Geist paused their smart contracts on July 6, then reenabled the withdraw and repay functions on July 9, while waiting for news from Multichain. Now that Multichain has confirmed that the missing hundreds of millions will not be recovered, Geist has announced they will not reopen. If they were to do so, the platform would almost immediately take on bad debt as people exploited the price discrepancies.

Multichain added, "Just to be clear this is in no way an attempt to blame Chainlink oracles which worked as they should. There are no oracles for the Multichain assets themselves because there was the expectation to exchange them 1:1. Nobody is to blame except Multichain here."

Multichain finally confirms their CEO was arrested in China

After a months-long saga involving "stuck" transactions, Multichain announcing they couldn't get in contact with their CEO, rumors that the whole team was arrested, and several suspicious transactions of more than $100 million each, Multichain has finally announced that their CEO — known only as Zhaojun — was arrested on May 21. According to the project, all of his devices, hardware wallets, and mnemonic phrases were taken by Chinese police during the arrest. "Since the inception of the project, all operational funds and investments from investors have been under Zhaojun's control. This also means that all the team's funds and access to the servers are with Zhaojun and the police," they wrote.

The Multichain project claimed in a lengthy Twitter thread that the team attempted to keep the project running by using stored credentials on Zhaojun's home computer, thanks to access provided by his sister. However, they say that the July 6–7 movement of $130 million out of the project was an "abnormal" transfer by an unknown party. They claim that the July 9–10 transfer of around $107 million was his sister attempting to preserve assets by moving them into wallets she controlled. According to the team, his sister also was arrested on July 13, and "the status of the assets she has preserved is uncertain".

"Due to the lack of alternative sources of information and corresponding operational funds, the team is forced to cease operations," they wrote. They also claimed that they don't have control over the domain pointing to the frontend of the project, and so are unable to take the project offline, and resorted to pleading with GoDaddy for help in doing so.

"Honestly he deserves jail for this level of cryptography incompetence alone," wrote crypto personality 0xfoobar on Twitter.

SEC, CFTC, and FTC sue Celsius; CEO Alex Mashinsky arrested

Alex Mashinsky sitting onstage, wearing a Madonna microphone and a t-shirt reading "Banks are not your friends." with the Celsius logoAlex Mashinsky (attribution)
A multi-agency hammer came down on the bankrupt cryptocurrency lender and alleged Ponzi scheme that was Celsius. The co-founder and former CEO of the company, Alex Mashinsky, was arrested and charged with seven counts including securities and commodities fraud, wire fraud, and conspiracy to manipulate the price of Celsius' CEL token. The indictment also named Roni Cohen-Pavon, Celsius' former Chief Revenue Officer.

Alongside the indictment from the DOJ, the Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), and Federal Trade Commission (FTC) each filed their own separate lawsuits against Mashinsky and Celsius.

These latest lawsuits join an existing lawsuit, filed in January 2023, against Mashinsky by the New York Attorney General.

Digitex Futures CEO to pay $15 million over commodities violations

Adam Todd, the CEO of the Digitex Futures exchange, has been ordered to pay $3.9 million in disgorgement and $11.7 million in penalties. The Commodity Futures Trading Commission won a default judgment against him in their lawsuit alleging violations of the Commodity Exchange Act, including failing to register as a derivatives exchange, attempting to manipulate the price of the DGTX token, and failing to implement proper KYC and anti-money laundering programs.

According to Todd in a YouTube video, "We do not need to do KYC. [...] You should not have to give them because the U.S. government or whatever other [expletive] government in the world says that you need to. You do not need to. You just do not." Well, in that case.

Todd was also accused of trying to artificially inflate the price of the DGTX token by buying it on third-party exchanges, writing out his plans in excruciating detail with a customer who provided him funds to use on pumping the token.

OptyFi shuts down, citing regulatory threats and failed fundraising attempt

OptyFi, a so-called "AI-powered defi" project, announced it would be shutting down for a variety of reasons. First, they blamed their recent failed token sale, in which they had hoped to raise $600,000. They blamed this failed sale on their Discord project being hacked, and on various community members falling victim to a fake token sale link.

However, they stated that the main reason they decided to shut down the project was the "significant and mounting regulatory challenges", pointing to the recent claim by the BarnBridge defi project that they were under SEC investigation. According to OptyFi, they are concerned that the $OPTY token or OptyFi vault tokens could be deemed securities, or that the OptyFi vaults themselves could be determined to be a "Mutual Fund type vehicle".

OptyFi promised to refund any tokens purchased during the most recent token sale, but many community members still accused the project team of rug pulling. OptyFi had previously raised $2.4 million in a seed funding round in January 2022.

Platypus Finance hacked for the second time

Platypus Finance paused their pools after they were alerted to what they described as "suspicious activities". Security firm PeckShield was apparently the first to notice the activity, sending them a dreaded "hi, you might want to take a look" tweet that has become their signature way of alerting protocols that something bad has just happened. The CertiK security project also tweeted that they'd observed multiple suspicious flash loans involving the project.

This is the second apparent hack of Platypus Finance, following an $8.5 million hack only ten days after it launched in February 2023. The first hack also involved flash loans.

New Rodeo Finance project exploited for the second time in one week

An attacker manipulated a price oracle to drain 472 ETH (~$884,000) from Rodeo Finance, a new Arbitrum-based leveraged yield protocol. The thief then used Tornado Cash to tumble the funds, some of which they placed into staking programs. According to Rodeo Finance, the attacker initially exploited the protocol for closer to $1.7 million, but $810,000 was recovered. Small victories. Anyway, Rodeo paused the protocol, and stated that they are working on recovery plans.

This was actually the second attack to impact Rodeo Finance in a single week. On July 5, the same day as their public token launch, the project was exploited for around $90,000 thanks to a bug in a smart contract.

NFT phisher charged over OpenSea lookalike scam

A sad-looking Bored Ape wearing a yellow fisherman's hat and bandolier, smoking a cigar, on a bright orange backgroundBored Ape #7358, originally purchased by Hank666 for 49 ETH ($175,000 at the time) (attribution)
The U.S. Attorney's Office of the Southern District of New York announced the unsealing of charges against Soufiane Oulahyane, who they allege created a lookalike OpenSea website to trick victims into entering their login details, and used sponsored links in a "popular internet search engine" to cause his site to show up as the first result when a person searched "opensea". A victim with the OpenSea name "Hank666" entered his credentials into the scam website on September 26, 2021, and Oulahyane quickly used the credentials to transfer his crypto assets, sell his NFTs, and transfer the proceeds of those sales to his own wallet. Altogether, Hank666 lost assets that he had paid around $449,000 to obtain.

Oulahyane is charged with wire fraud, two counts of access device fraud, and aggravated identity theft.

AlgoFi announces shutdown

AlgoFi, a lending protocol built on the Algorand blockchain, announced that they will begin winding down the project. They were vague about the specific reasons, writing only that "a confluence of events has taken place that no longer makes building and maintaining the Algofi platform to the highest standards a viable path for our company". Although AlgoFi is nominally decentralized, like many defi projects, its fate ultimately rested with the small team building it.

AlgoFi had raised a seed funding round of $2.8 million in November 2021, and was backed by groups including Union Square Ventures, Arrington XRP Capital, Pillar VC, and Y Combinator. They had also received other investments from groups including Jump Capital and Coinbase Ventures.

AlgoFi accounts for over half of the value on the Algorand blockchain, which itself has experienced a marked decline from earlier this year.

Multichain drained of another $107 million days after previous theft

Only five days after $130 million was emptied from the Multichain blockchain bridge, another $107 million in a wide range of assets has been taken. After the first theft, Multichain urged users to stop using the project and revoke contract approvals, but a large quantity of assets remained on the service.

People are becoming increasingly suspicious that the Multichain thefts may be an inside job, not least because Multichain's CEO suddenly disappeared in late May and hasn't been located since.

Arkham Intelligence referral program exposes user emails

In a somewhat amusing complement to Arkham Intelligence's "on-chain intelligence exchange" announcement, a new product which seeks to allow people to buy and sell private information about blockchain wallet owners, Arkham has found themselves in hot water for exposing user email addresses without the users' knowledge.

Like many platforms, Arkham Intelligence allows its users to earn rewards for referring new customers. Users are given a unique link to invite others to sign up, which then credits them for the referral. However, some people have observed that the unique string used to identify the user is simply their email address, base64-encoded. This is a simple way of encoding a piece of text, which is trivially reversed to expose the email address.

A user who noticed the encoding strategy tweeted: "ABSOLUTE LMAO. ALL #ARKHAM REFERRAL LINKS SHARED ON TWITTER IS DOXXING EVERYONE BECAUSE THE EMAIL IS IN THE REFERRAL URL". They then went on to decode some referral links from anonymous crypto personalities, writing "HOW DOES IT FEEL TO GET DOXXED???"

Arkham Intelligence quickly updated its referral program to use an encryption algorithm that can't easily be reversed in this way, and the CEO apologized for what he said was an early version of creating referral links that was never updated.

Arkham Intelligence releases "dox-to-earn" project

Arkham Intelligence, a blockchain intelligence company with the tagline "deanonymizing the blockchain", announced the launch of its "on-chain intelligence exchange", inviting people to "buy and sell information on the owner of any blockchain wallet address—anonymously, via smart contract." In the crypto world where transaction data is largely public, maintaining pseudonymity is often a critical part of maintaining safety and privacy. Needless to say, this had a mixed reception, with many terming the exchange "dox-to-earn".

"hey isn't the most profitable use of this just to put a bounty on whale wallets and then kidnap people? like ... did that come up in any meetings?" wrote one Twitter user. "We are now one step closer to onchain assassination markets", wrote another. Others, however, were more optimistic, speaking about "doxx[ing] scammers", "democratiz[ing] tools [the government] already has", and, in the longer term, "accelerat[ing] privacy".

Dubai regulator cracks down on BitOasis

Dubai's Virtual Assets Regulatory Authority issued an alert that BitOasis was "under review for not meeting mandated conditions". In April, BitOasis received the first "MVP Operational License" issued under a new regulatory regime in Dubai, but has apparently already fallen out of compliance. VARA warned that further enforcement actions could follow, including rescinding the license.

BitOasis wrote on their website that the license had in fact been suspended, but stated that they had not begun offering services to the segments covered by the license (institutional and qualified investors).

BitOasis is among the most popular crypto exchanges in the Middle East and North Africa (MENA) region.

Arcadia Finance exploited

Arcadia Finance is a defi margin trading protocol that launched on Ethereum and the Optimism Ethereum layer 2 protocol in March 2023. On July 9, an attacker used a flash loan to drain liquidity pools in the lending portion of the project, resulting in a total loss to the project of around 160 ETH and $163,000 in stablecoins for a total loss of almost $460,000.

The Arcadia Finance team paused related smart contracts to prevent further attacks, and began working with various crypto security projects to investigate the attack. They also sent on-chain messages to the attacker, threatening law enforcement action and suggesting they "return 90% of the funds... and walk away".

Hackers swipe pricey NFTs after compromising Gutter Cat Gang Twitter profile

A leopard-spotted cat with half-lidded eyes, wearing a black doo-rag and white shirt with "HODL" printed on it, on a purple backgroundGutter Cat #707 (attribution)
An attacker successfully compromised the Twitter account belonging to the popular Gutter Cat Gang NFT project, as well as the one belonging to the project co-founder, and used them to post links to phishing sites claiming to be a new NFT airdrop. Instead of receiving the tokens they were promised, those who authorized the contract had their wallets drained.

One victim lost 36 NFTs, among them a Bored Ape NFT they'd purchased for around $130,000. Altogether, the attackers successfully stole NFTs worth between $750,000 and $900,000, depending on how resale value is estimated.

The following day, Gutter Cat Gang announced that they'd regained control over the Twitter accounts and taken down the malicious tweets. They stated that they were working with law enforcement to investigate the theft, but to the dismay of some victims, did not describe any plans to compensate those who lost assets.

"Decentralized" BarnBridge closes up shop after claiming they are under SEC investigation

A small and rather unknown project called BarnBridge aimed to build a variety of defi yield projects. BarnBridge claimed to be decentralized and governed by a DAO.

On July 6, an attorney posted in the project's Discord server to say that BarnBridge and "individuals associated with the DAO" were under investigation by the U.S. Securities and Exchange Commission. The attorney wrote: "To reduce potential further legal liability, existing liquidity pools should be closed, and no more liquidity pools should be started. All work on Barnbridge related products should stop, and individuals should no longer be compensated for any work they do related to Barnbridge until further notice." Decentralized!

It's not terribly surprising that BarnBridge chose to drop the facade of decentralization when the SEC came knocking, however. A recent case by the CFTC against the Ooki DAO suggests that the mere veil of "decentralization" will not be sufficient to avoid legal liability for the actions of a DAO. However, it is interesting to see the SEC now (at least allegedly) going after a relatively small player in the defi world.

Multichain shuts down amidst $130 million suspected hack

Blockchain watchers observed $130 million in various assets flowing out of the Multichain blockchain bridge, questioning whether there had been an exploit. Multichain tweeted, "The team is not sure what happened and is currently investigating," and recommended users stop using the service and revoke contract approvals.

Several hours later, Multichain wrote that they had stopped service, and that "all bridge transactions will be stuck on the source chains. There is no confirmed resume time."

In May, Multichain suffered a bizarre slew of issues, culminating in the project team admitting that their CEO had gone missing and could not be contacted. So far, they have not reported his return.

This is also not the first hack suffered by Multichain. In January 2022, the project, bafflingly, publicly announced a security vulnerability that was affecting their tokens, without first instructing users to safeguard their tokens. Attackers quickly followed the instruction manual provided to them by Multichain, making off with around $3 million in assets.

NFTPerp blows up

A project called NFTPerp was, as the name suggests, a perpetual futures exchange for NFTs, allowing people to take long or short positions against NFTs. It relied on a vAMM — virtual automated market maker — which essentially simulates liquidity without there being any real money in the system. Such a system can be thrown out of whack if there is imbalance in the positions people are taking — for example, if everyone tries to go short on NFTs in a brutal bear market.

So anyway, that's exactly what happened. NFTPerp announced that they would be sunsetting their popular beta project after accruing bad debt.

How they're going about it has been controversial among the successful traders on the platform: essentially, those who were in profit will lose their unrealized gains, while those who had lost money in their trades will have their losses waived. "Nftperp stealing profits from winner [unrealized profit and loss] to backstop losers UPNL is insane to me", wrote one commenter. Another wrote, "If anyone else is considering NFT perps, please have the 'what happens when the illiquid market goes to zero overnight' plans clearly in place from the beginning."

Not to be deterred, the team is already preparing to launch a "v2". May it go as well as their first attempt.