Web3 is Going Just Great

The attack was a "classic price manipulation" exploit, according to the Ironblocks security firm. The attacker was able to steal 1,152 ETH ($2.13 million) from the protocol. They then tumbled the stolen funds through Tornado Cash.

Lin had created a project called "FrensTech", which aimed to capitalize on the popularity of a product called "friends.tech", and which ultimately accumulated the 14 ETH in fees before he decided to drain liquidity. Lin had not tried to conceal his identity. After the rug pull, Uniswap founder Hayden Adams wrote on Twitter: "Wanted to let people know this person is no longer with the company. Not behavior we support or condone."

Lin was unapologetic, tweeting: "got fired from uniswap, but gained 600 new followers and [crypto Twitter] villain status. net neutral tbh".

SpiritSwap was previously one of the most popular DEXes on Fantom, boasting an all-time-high TVL of $374 million in January. It now has less than $3 million TVL, thanks in part to the Multichain collapse and to the broader cryptocurrency bear market.

SpiritSwap is only the most recent project to announce its closure as a result of the Multichain fiasco. In July, Geist Finance and Hector Network also announced they would be shutting down due to Multichain contagion.

Nevertheless, when Distrust disclosed this to Libbitcoin, the team replied first that they were too busy, then twice that "they do not feel this is a bug".

The research team has not yet disclosed which wallets were affected by the vulnerability, but they have estimated that around $900,000 were stolen as a result.

The project undertook a vote to shut down the lending service, and use remaining funds in the project treasury to try to compensate those who lost funds in the attack. The project also aims to distribute to victims of the hack claims on any funds that might be returned or otherwise recovered in the future.

The vote passed with 99% of votes in support, effectively sunsetting the project.

"Jobless and a bit poorer, thanks guys!" he wrote. "You're passionate about its technology, you wanna be part of it. You DCA. You hodl. You do everything you can to do things right... you're passionate, love the space, the tech. The people. Your willingness to get a job in Web3 is enormous! I stand for on-chain values, and I wanna be a part of the wave!" he wrote in frustration, trying to explain how he'd gotten scammed. "The apparent legitimacy of these [web3 job listing] sites made me remove the 'watch out filter', and boom."

Bitsonic halted its services in August 2021, claiming "internal and external issues". However, even after halting withdrawals, Shin continued to offer cryptocurrency to new clients.

The project attempted to contact the hacker to negotiate the return of some of the funds. Meanwhile, various community members sent NFTs to the attacker wallet, requesting the return of the funds. One of them tried to convince the hacker, writing that they believed the attacker's identity could be discovered because they used centralized exchanges with KYC to try to withdraw funds. Another simply said "give it back you shitlord".

Huobi and related people have been busy refuting the rumors, with Huobi's social media head dismissing them as "baseless malicious attacks". Huobi "advisor" Justin Sun tweeted "4".

Kenya's Office of the Data Protection Commissioner has said that Worldcoin failed to accurately disclose its intentions with the project when corresponding with regulators.

The apparent operator of the bot tweeted at Chang, accusing him of theft: "We would like to discuss a bounty with you. We are offering a 10% bounty of any funds stolen from our bot, which are yours to keep if you return the remaining 90%." In other tweets they suggested they might try to take legal action against Chang for the "theft".

Revolut had previously been one of the crypto platforms to limit US trading in Solana, Cardano, and Polygon tokens after the SEC identified those tokens as securities in lawsuits against Binance and Coinbase.

The platform later partnered with other companies to produce NFT collections for franchises including The Matrix and Game of Thrones, the latter of which featured hilariously bad artwork. The company then pivoted to a broader web3 focus as the NFT bubble collapse led the broader crypto downturn.

However, their promised web3 platform never materialized, and now the project has reached "the end of [its] runway".

Nifty's is not to be confused with Nifty Gateway, a separate NFT platform run by the embattled Gemini crypto platform.

The project was audited by SolidProof and InterFi. The project announced that they intended to relaunch the token, and asked the exploiter to consider returning 80% of the funds, keeping 20% as a "bug bounty".

One such service is LeetSwap, which describes itself as the "The #1 DEX ecosystem for elite degens built on the leetest blockchains", and which recently launched its service on Base. On August 1, LeetSwap was exploited after an attacker discovered a function that allowed them to manipulate token prices on the project for a profit of around 342 ETH (~$624,000).

LeetSwap attempted to contact the hacker via social media, asking them to return all but 50 ETH (~$92,000, or around 15% of the stolen funds).

Someone intending to transfer Tether stablecoins amounting to $20 million apparently didn't think it was important to double-check the address, and fell for such an attack.

However, only 51 minutes after the theft, the victim had managed to get Tether to add the thief's address to its blacklist, freezing the assets and thwarting the attack. The rapidity of the freeze led various people to question who the victim might be who could get Tether to intervene so quickly.

A pseudonymous crypto user called "Bald" announced that they would be selling $BALD tokens on the Base network, and the token — apparently named after the hairless Coinbase CEO Brian Armstrong — quickly skyrocketed in price. However, the token deployer emptied tokens priced at around $25.6 million from the liquidity pool two days after launch in apparent rug pull. The token price quickly plunged by around 90%.

Conspiracy theories emerged that the Bald account was in fact operated by Sam Bankman-Fried, the former CEO of FTX who is on house arrest under strict supervision and without access to most websites as he awaits trial later this year.

In addition to the unregistered offerings charge, the SEC alleges Heart and PulseChain misappropriated $12.1 million to fund Heart's lavish lifestyle. Among other things, he purchased a McLaren sports car, five luxury watches, and a $4.3 million 555-carat black diamond called "Enigma", allegedly using funds from the sale.

Curve itself lost $61 million to the exploit. AlchemixFi was exploited for around $13 million in assets, and JPEG'd suffered a $11 million loss. MetronomeDAO suffered a $1.6 million loss, Ellipsis Finance lost $68,600, and Debridge Finance lost around $24,600.

Altogether, somewhere between $88 million and $100 million was taken, though some exploits appeared to be whitehat actions intended to preserve funds. The primary exploiter also later returned some of the stolen funds, refunding the entire amount to AlchemixFi and 90% of funds to JPEG'd in exchange for a 10% "bug bounty".

Blockchain security firm SolidProof had audited Kannagi in June.

However, serious flaws in the Pond0x contract resulted in traders losing at least $2.2 million as people discovered that anyone could transfer coins belonging to other people. People quickly began rushing to steal coins from one another.

Pauly0x responded by blaming the traders who bought and sold the tokens, and spent the following day variously posting on Twitter that he was teaching people a lesson, that it wasn't his fault that people lost money, and suggesting that the flaw was part of a bigger plan for the project. "No one stole your tokens lol. The contract is literally designed as such," he wrote to angry traders accusing him of a rug pull. He added to the website a message reading, "GREED KILLS".

DeFiLabs claimed on Twitter that the platform "encountered an unexpected issue" while "undergoing maintenance and updates".

DeFiLabs had been audited by blockchain security firm CertiK.

After prominent Bitcoiner Jameson Lopp tweeted that the issue "look[s] more like a hack", CoinsPaid replied "Our team is aware of the issue... Please wait for the official announcement on this topic." Crypto researcher zachxbt responded, "The issue is you got hacked by North Korea that's what lol", referencing the increasing suspicion that the Lazarus group may be behind the disruption. Sure enough, CoinsPaid later confirmed that they had been hacked for $37.3 million, and announced that they suspected the Lazarus Group was behind it.

Some have been speculating that there are connections between this incident and the $60 million hack of the Alphapo crypto payments processor on July 22. Alphapo also provided services to various online casinos. Indeed, there seem to be connections between Alphapo and CoinsPaid, and they may in fact be operated by the same people.

EraLend paused various functions of their protocol while they investigated the attack, and said they were working with various security research organizations and law enforcement to investigate the theft.

The BlockSec security research firm warned other projects that re-used a portion of code to be cautious if they re-used a portion of code from SyncSwap, because they could also be vulnerable.

HypeDrop disabled withdrawals on their platform, and wrote on Twitter that they were experiencing "ongoing deposit and withdrawal issues" due to "an issue on the cryptocurrency provider's side."

If the vote passes, and it likely will given the massive supply of tokens available to the team, the team will have just decided to distribute around $60 million in remaining funds to themselves, leaving $12 million to the token holders.

One commenter on the proposal described the move as "a pure financial crime". Another wrote, "The community has already explained in painstaking detail why we're not interested in this. The pro-rata value is an extreme lowball and fails to account for many of the team's misuses of the treasury without the community's consent. The team also prematurely unlocked the team and VCs' vesting tokens, so they are the majority token holders, making this vote meaningless and a total farce."

Conic Finance announced that they had disabled deposits on the front-end of their project, and were working to patch the vulnerable smart contract. The team also attempted to contact the exploiter via blockchain message, asking if they "would be open to discussing any potential next steps".

As a photo produced by a federal agency, NASA's image is not copyrighted. However, NASA policy outlines "strict laws and regulations", including that "NASA is not approving any merchandising applications involving Non-Fungible Tokens (NFTs), as they are not consistent with the categories of products the agency is approved to merchandise... NASA does not wish for its images to be used in connection with NFTs."

The NFTs don't seem to be exactly flying off the shelves. The collection contains 500 copies, and according to the website, only 55 have been sold in the week following the project's release, garnering Mrs. Trump $4,125.

According to the court filing, the Secret Service was authorized to seize up to $58.5 million after establishing there was probable cause for wire fraud, bank fraud, or money laundering. The affidavit describes "organized, international criminal money laundering syndicates operating cryptocurrency investment and other wire fraud scams" which allegedly fraudulently induced victims to "transfer money into shell companies, at which point the money underwent a series of transfers, generally ending overseas, designed to conceal the source, nature, ownership, and control of the funds".

The scheme reportedly involved fake crypto sites that tricked victims into depositing money under the belief that they were investing it. Like many such scams, the sites appeared to show victims' investments increasing in value, inducing them to deposit more funds. However, when they tried to withdraw, they found they could not.

The announcement referred to wanting to "design a game that's more in line with what the community has been asking for", a nod to the backlash from the Neopets community when the company decided to go web3. In September 2021, one of the most popular Neopets fan communities tweeted, "The Neopets community overwhelmingly rejects the new NFT cashgrab project. We're hard pressed finding someone outside of the NFT community that wants this."

Holders of Neopets NFTs seemed somewhat split on the announcement that the NFTs would remain tradable on secondary markets, but would not be incorporated into any game. Some described the project as a "rug", and were disappointed that the NFTs they'd purchased would never be useful in-game. "Once an NFT has no use, the price tends to tank", one person (accurately) remarked. Another commented that they'd always viewed the NFTs as little more than a collectible, and were satisfied with it never going beyond that.

As an inspector in the bankruptcy, Heywood would have had access to details from the investigation by the bankruptcy trustee. Heywood is, incidentally, also charged with threatening the trustee in an attempt to get him to pay out $2 million in crypto. Shortly before the alleged kidnapping, Pleterski stated in an interview for the bankruptcy proceedings that Heywood had been "still, by the way, uttering threats, and very dangerous, violent threats, to me over Instagram comment sections and text messages".

Heywood has told reporters he is innocent.

On July 14, a community manager wrote on Discord that "Hector Network ha[d] suffered significant damage to its ability to operate" after the Multichain collapse, and that the project faced a choice between liquidating the treasury and winding down or migrating to a new blockchain and trying to rebuild. The community chose the former.

According to a post on Discord, the winding-down process will likely take 6 to 12 months as the project appoints a liquidator, legal counsel, and auditor.

Soup was exposed by crypto sleuth zachxbt, who also described how the scammer had spent some of his ill-gotten funds on exclusive Roblox items that sell for "high 5 figs".

Geist paused their smart contracts on July 6, then reenabled the withdraw and repay functions on July 9, while waiting for news from Multichain. Now that Multichain has confirmed that the missing hundreds of millions will not be recovered, Geist has announced they will not reopen. If they were to do so, the platform would almost immediately take on bad debt as people exploited the price discrepancies.

Multichain added, "Just to be clear this is in no way an attempt to blame Chainlink oracles which worked as they should. There are no oracles for the Multichain assets themselves because there was the expectation to exchange them 1:1. Nobody is to blame except Multichain here."

The Multichain project claimed in a lengthy Twitter thread that the team attempted to keep the project running by using stored credentials on Zhaojun's home computer, thanks to access provided by his sister. However, they say that the July 6–7 movement of $130 million out of the project was an "abnormal" transfer by an unknown party. They claim that the July 9–10 transfer of around $107 million was his sister attempting to preserve assets by moving them into wallets she controlled. According to the team, his sister also was arrested on July 13, and "the status of the assets she has preserved is uncertain".

"Due to the lack of alternative sources of information and corresponding operational funds, the team is forced to cease operations," they wrote. They also claimed that they don't have control over the domain pointing to the frontend of the project, and so are unable to take the project offline, and resorted to pleading with GoDaddy for help in doing so.

"Honestly he deserves jail for this level of cryptography incompetence alone," wrote crypto personality 0xfoobar on Twitter.

Alongside the indictment from the DOJ, the Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), and Federal Trade Commission (FTC) each filed their own separate lawsuits against Mashinsky and Celsius.

These latest lawsuits join an existing lawsuit, filed in January 2023, against Mashinsky by the New York Attorney General.

According to Todd in a YouTube video, "We do not need to do KYC. [...] You should not have to give them because the U.S. government or whatever other [expletive] government in the world says that you need to. You do not need to. You just do not." Well, in that case.

Todd was also accused of trying to artificially inflate the price of the DGTX token by buying it on third-party exchanges, writing out his plans in excruciating detail with a customer who provided him funds to use on pumping the token.

However, they stated that the main reason they decided to shut down the project was the "significant and mounting regulatory challenges", pointing to the recent claim by the BarnBridge defi project that they were under SEC investigation. According to OptyFi, they are concerned that the $OPTY token or OptyFi vault tokens could be deemed securities, or that the OptyFi vaults themselves could be determined to be a "Mutual Fund type vehicle".

OptyFi promised to refund any tokens purchased during the most recent token sale, but many community members still accused the project team of rug pulling. OptyFi had previously raised $2.4 million in a seed funding round in January 2022.

This is the second apparent hack of Platypus Finance, following an $8.5 million hack only ten days after it launched in February 2023. The first hack also involved flash loans.

This was actually the second attack to impact Rodeo Finance in a single week. On July 5, the same day as their public token launch, the project was exploited for around $90,000 thanks to a bug in a smart contract.

Oulahyane is charged with wire fraud, two counts of access device fraud, and aggravated identity theft.

AlgoFi had raised a seed funding round of $2.8 million in November 2021, and was backed by groups including Union Square Ventures, Arrington XRP Capital, Pillar VC, and Y Combinator. They had also received other investments from groups including Jump Capital and Coinbase Ventures.

AlgoFi accounts for over half of the value on the Algorand blockchain, which itself has experienced a marked decline from earlier this year.

People are becoming increasingly suspicious that the Multichain thefts may be an inside job, not least because Multichain's CEO suddenly disappeared in late May and hasn't been located since.

Like many platforms, Arkham Intelligence allows its users to earn rewards for referring new customers. Users are given a unique link to invite others to sign up, which then credits them for the referral. However, some people have observed that the unique string used to identify the user is simply their email address, base64-encoded. This is a simple way of encoding a piece of text, which is trivially reversed to expose the email address.

A user who noticed the encoding strategy tweeted: "ABSOLUTE LMAO. ALL #ARKHAM REFERRAL LINKS SHARED ON TWITTER IS DOXXING EVERYONE BECAUSE THE EMAIL IS IN THE REFERRAL URL". They then went on to decode some referral links from anonymous crypto personalities, writing "HOW DOES IT FEEL TO GET DOXXED???"

Arkham Intelligence quickly updated its referral program to use an encryption algorithm that can't easily be reversed in this way, and the CEO apologized for what he said was an early version of creating referral links that was never updated.