The scam was allegedly orchestrated by Subhash Sharma, who has not been apprehended. This particular fraud was uncovered in September, but has been ongoing since as long ago as 2018.
One also might think that a company embroiled in constant racism accusations might be cautious about screening its employees.
Neither of these things happened, though, and someone dug up vile tweets by Shpend Salihu, better known as NGBxShpend. Salihu resigned shortly after the tweets came to light, writing that they had "become a distraction from the [Bored Ape Yacht] Club and what we're all about."
The going theory is that event organizers skimped on lighting costs by using UV lights intended for sanitization, not for entertainment, causing burns to the eyes and skin. The eye condition, photokeratitis, is better known as "snow blindness" or "welder's flash", as it more typically affects people who haven't worn proper eye protection while welding or while exposed to sunlight reflected from ice and snow.
Several attendees reported having to seek emergency medical treatment after experiencing excruciating eye pain and vision problems, and tweet threads began circulating giving various other ApeFest attendees advice on recovering from the painful condition.
Bored Ape creator Yuga Labs belatedly issued a tweet two days after the incident, claiming only a small fraction of attendees had experienced "eye-related issues", but encouraging anyone with symptoms to "seek medical attention just in case".
Sentencing is scheduled for March 28, 2024, though scheduling could be affected by factors including whether the US decides to continue pursuing an additional five charges also set to be tried in March.
The other person with access to the wallet is a former Monero developer named "fluffypony", or Ricardo Spagni. He surrendered to US authorities in July 2023 for extradition to South Africa, where he has been charged with invoice fraud against a cookie company (think chocolate chip, not software). However, he was released in late September, and has been working to "address this matter" while free but under court supervision.
SafeMoon promised buyers it would "safely go to the moon" by locking the liquidity pool so that its developers couldn't rug pull. In reality, the "locking" didn't prevent the developers from removing tokens from the liquidity pool in other ways, which they did to the tune of millions of dollars. They then spent the proceeds of their crimes on personal expenses, like luxury sports cars and real estate.
Alongside the charges from the Department of Justice, the Securities and Exchange Commission simultaneously brought a lawsuit against the SafeMoon executives for violating registration and anti-fraud provisions of securities laws.
Now they're on the hook for $1.375 million in profits they earned from their copycat project and $200,000 for domain cybersquatting violations. They also must transfer control of two domain names, two Twitter accounts, and the RR/BAYC smart contract. Worse yet, the court found that this was an "exceptional case" because of the defendants' behavior, which included being "obstructive and evasive", and "unnecessarily and inappropriately ma[king] disgraceful and slanderous statements about Yuga, its founders, and its counsel" throughout the case. As a result, they will also have to pay Yuga's attorney's fees.
A lawsuit from an institutional customer was filed against the company in August, calling the project "a scam".
AuBit has tried to argue that it should be allowed to restructure, but the Cayman Islands judge opted to force the firm to liquidate, citing "a real absence of proper accounting".
That seems to be the intention of the Treasury Department, which described mixers as primarily used for illicit money laundering "by a broad range of illicit actors, including state-affiliated cyber actors, cyber criminals, and terrorist groups".
The project had raised $10.5 million in a 2021 seed funding round, and has said it intends to return remaining funds to its investors.
- "Superdao is closing down", Superdao blog [archive]
- "DAO-Builder SuperDao Shuts Shop, Returns Investor Money", CoinDesk [archive]
Now, the New York Attorney General is alleging that Gemini repeatedly lied to investors about its Gemini Earn program, assuring them that it was low-risk when internal analysis had revealed Genesis' loans to in fact be quite risky. Some personnel involved in evaluating this risk even withdrew their own funds from the program in the summer of 2022.
Genesis, DCG, and DCG CEO Barry Silbert are charged with defrauding both investors and the public when they tried to cover up $1.1 billion in losses. The lawsuit alleges that Genesis had not properly audited its borrowers, and lied to Gemini about regular reviews of borrowers' financial conditions.
In a press release, the AG claims that the companies' actions resulted in around $1 billion in losses, including in some cases their customers' entire life savings.
- "Attorney General James Sues Cryptocurrency Companies Gemini, Genesis, and DCG for Defrauding Investors", press release from the Office of the New York State Attorney General [archive]
The stolen assets represented the entire TVL of the project.
The team did not announce how many tokens were stolen. The price of $EVER suffered a 20% drop, though whether it was due to an attacker selling off tokens or collective panic by other token holders is not clear. The method of the theft was also not described.
Reddit attributed the decision to scaling difficulties, regulatory uncertainty, and the quantity of resources the company found itself having to put into the feature. The tokens were only used on a handful of subreddits, and the team had migrated them from the Ethereum blockchain to the Arbitrum Nova L2 chain, but despite that, scaling continued to be a problem.
The news caused a massive dive in the prices of $MOON and $BRICK, the two Reddit tokens, as holders tried to exit their positions before the tokens became useless. Some angrily accused Reddit of rug-pulling, threatening legal action. One wrote, "I wish you guys knew how reckless this decision is and how many people you've hurt." Some accused subreddit moderators of selling when they learned about the decision an hour before it was made public.
Others were delighted at the news, however. One wrote, "Thank the effing Lord. This moons caused so much shit tier spamming for over a year."
It's not clear yet how the attack was perpetrated, although crypto researcher Spreek reposted a comment by an admin in Fantom's Telegram channel, where they blamed the theft on a zero-day exploit in Google Chrome.
TrueUSD tries to claim no affiliation with tokens created by its deployer address, raising further questions
However, the post raised only more questions, as the $TEURO token had been deployed by the address that deployed the primary TrueUSD token. This means that either TrueUSD is lying when they claim they're unaffiliated with $TEURO, or some of their private keys were compromised, allowing an unrelated party to deploy a contract appearing to belong to them.
The post by crypto media outlet CoinTelegraph was based on a faked screenshot of what appeared to be the Bloomberg Terminal. The post quickly propagated through the crypto world before people began to question its veracity. CoinTelegraph later issued an apology, blaming the incident on a failure by employees to follow the normal editorial approval process.
This adds to the list of incidents that illustrate the extent to which false reporting by traditional or crypto media, or by influential personalities, can move crypto markets. Past incidents have included a crypto Twitter personality tweeting the false rumor that Interpol had issued a red notice for Binance CEO Changpeng Zhao, and two instances of token price spikes based on false press releases claiming major corporations would accept the tokens as payment.
- "Clarification on sharing false spot Bitcoin ETF news", CoinTelegraph [archive]
The Sui Foundation has disputed the allegations on Twitter, calling them "unfounded and materially false".
Attackers previously stored the malicious code on typical webhosting services, but those services began to take it down. Now, some have started using Binance's blockchain to store these payloads, taking advantage of the immutable nature of blockchains to prevent anyone from taking them down.
The de-peg occurred amid a "liquidity crunch" as holders rushed to redeem their USDR for the DAI stablecoin, draining the project of its DAI reserves. The team behind the project, TangibleDAO, issued a statement stating that "the real estate and digital assets backing USDR still exist and will be used to support redemptions." However, despite their insistence that the problem is just a liquidity issue rather than a solvency one, a dashboard on their own website showed that the stablecoin isn't fully backed and has a deficit of around $3.4 million.
In a related incident, a trader trying to swap their $131,350 in USDR for the USDC stablecoin lost every penny of it when their transaction was arbitraged by a MEV bot.
Platypus was quickly able to recover $575,000 from this latest hacker, thanks to a flaw in their attack. Later, they recovered all but $167,400 of the stolen funds after coming to an agreement with the attacker that they would not pursue legal action.
The FTC lawsuit focuses on Voyager's claims suggesting to customers that accounts with the lender were FDIC insured. That complaint also names Voyager as a defendant. Voyager settled with the FTC, agreeing to pay a $1.65 billion judgment that will be suspended until customers are repaid.
- "CFTC Charges Former Chief Executive Officer of Digital Asset Platform with Fraud in Massive Commodity Pool Scheme", CFTC press release [archive]
- "FTC Reaches Settlement with Crypto Company Voyager Digital; Charges Former Executive with Falsely Claiming Consumers' Deposits Were Insured by FDIC", FTC press release [archive]
- "CFTC and FTC sue former CEO of bankrupt crypto lender Voyager", BlockWorks [archive]
- "Voyager Ex-CEO Charged by U.S. Regulators With Fraud, Making False Claims", CoinDesk [archive]
Black Hole Token is a Chinese project built on BNB Chain, which promises an original mechanism that only goes up. "The more you sell, the more the price goes up", promises their website.
The team behind the FinSoul project was reportedly the same as the group who pulled off the much larger $31 million Fintoch exit scam in May. They used similar strategies, including using paid actors to pose as their executive team, to push the FinSoul scam.
They may now be discovering this was a bad idea, as an impending default on a $20 million loan from February 2022 threatens the platform with a possible $7 million loss.
The loan went to a fintech credit fund called Stratos, who in turn used the money for a risky real estate technology investment (now written down to zero), crypto investments of their own (not disclosed to Goldfinch, and sold at a "near full loss"), and other investments. Stratos is, awkwardly, an investor in Goldfinch, and Stratos' founder was an advisor.
This is not the first loan gone bad for Goldfinch, who suffered a loss when an African motorcycle taxi financing company used a $5 million loan to try to plug the hole in the finances of a sister company.
A commenter on the disclosure about the distressed loan wrote, "This is the second occurrence of a lack of transparency from a borrower or a lack of auditing capability from Goldfinch. We can all appreciate that Warbler Labs will backstop the loss, but it is increasingly worrying to discover a complete lack of control from the loan underwriter, especially in the context of Stratos being an equity investor in Goldfinch."
- "Real-World Asset Loan Worth $20M Sours on DeFi Platform Goldfinch, Bringing RWA Lending Under Scrutiny", CoinDesk [archive]
- "Update on Stratos Pool", post on Goldfinch governance forum [archive]
- "DeFi protocol Goldfinch aims to sever crypto's reliance on crypto", Axios
This is actually the second such lawsuit by the supermarket against the exchange, after the first was thrown out when defendants claimed that they had simply named the project after the co-founder's brother, Joe. However, shortly after the victory, a co-founder admitted on their blog that they "just named it Trader Joe, after the supermarket".
Trader Joe's is seeking all profits made by the exchange, plus damages and compensation for the failed lawsuit last year.
This isn't the first security breach to tarnish 3Commas' reputation. In October 2022, customers reported losing a significant amount of assets in what 3Commas first tried to blame on phishing websites resembling FTX. 3Commas months later owned up to the fact that their database had been compromised, and that API keys were leaked.
The warning list was created to notify potential users of these firms, and to inform them that losses related to the use of those platforms won't be covered by the UK's compensation scheme.
Huobi has claimed they don't operate or promote in the UK, while KuCoin gestured towards adjusting its practices in the UK. Firms on the warning list may be subjected to more serious enforcement actions in the future, including fines or even prison time.
Avalanche co-founder and CEO Emin Gün Sirer drew widespread mockery when announcing that "the amount lost is only $3m", apparently not perceiving that $3 million is a massive sum to most people. He also didn't mention that it constituted almost the entire TVL of the Stars Arena project, which was left with less than $1 in tokens following the attack.
Stars Arena was fortunate, in that the hacker ultimately contacted them offering to make a deal. The attacker returned 90% of the funds, keeping $300,000 as a "bounty".
The attacker tried to launder around $131 million of the stolen assets by routing them through services including Railgun and THORSwap. After "consultation with advisors, legal counsel, and law enforcement", THORSwap decided to pause its web interface in hopes of making money laundering more challenging for the attacker — although the thief could still interact with the THORSwap smart contracts directly, if they so chose.
Some criticized THORSwap for apparently caving on its censorship-resistant, decentralized ethos. Others, however, saw the move as understandable given the THORSwap developers reside in the United States, which has recently cracked down on mixing services that facilitate the laundering of illicit funds.
"It's a challenging time, not only for our industry but also for the global economy," wrote the Yuga Labs CEO, apparently hoping that people ignorant of the past year of disaster across the NFT industry might be willing to attribute Yuga Labs' struggles to macroeconomic forces and not the implosion of the crypto — and particularly NFT — world.
In a long post on Twitter, the project promised "we will refund all investor funds down to the last cent". They also wrote that "Not only are we going to use the fullest extent of the law to go after the person or persons behind this hack / attack, we will also use ALL OTHER MEANS NECESSARY - and we do have such resources at our disposal, to go after the ones who are behind this. (We work with assets within the Russian government directly...)"
In a later post on their website, however, they wrote that they do "not bear legal liability to refund investors for the losses incurred unless the hacked funds are successfully recovered", attributing the incident to force majeure. They repeatedly claimed that they had not been involved in the theft. The project completely took down its website, redirecting it to this post.
Prager Metis is among the auditors who audited FTX, and was noted by FTX's CEO-in-bankruptcy John J. Ray III for advertising itself as "the first CPA firm to officially open its headquarters inside the metaverse".
None of the clients involved with the faulty audits were disclosed in the lawsuit, and the SEC has not issued any statements connecting the charges to the FTX collapse.
Three Arrows Capital fell apart in June 2022, and was among the first major collapses that set off a domino effect of crypto company failures throughout that summer and the rest of the year.
The change is scheduled to go into effect on October 16.
Police have received more than 2,200 complaints pertaining to the exchange, involving $191 million (and counting) in possible losses. Eleven people, including various crypto influencers who had promoted the exchange, were taken in for questioning. However, police have said those eleven people were not likely central to the fraud, and that the leaders of the JPEX project are on the run.
According to the South China Morning Post, "The alleged case of financial fraud involving HK$1.37 billion is the largest of its kind in Hong Kong's history."
However, a bug on the part of the counterfeiter prevented massive losses. The spoofer used only six decimal places instead of eight, meaning that those who tried to redeem the fake tokens only received $250 instead of $25,000.
Upbit later re-enabled Aptos transactions after patching the bug.
In their announcement, Mixin wrote that "the database of Mixin Network's cloud service provider was attacked by hackers", leading to some confusion as Mixin is supposed to be a decentralized network that ostensibly shouldn't have a centralized cloud database.
Mixin announced they would be suspending deposits and withdrawals pending analysis of the incident. They also told users that they would be compensated "up to a maximum of 50%" on assets that had been stolen from them, and receive "tokenized liability claims" (that is, IOUs) for the rest.
These types of scams draw in tens of millions of dollars each month, and one researcher has estimated around $350 million in Tether have been stolen in these types of scams since September 2021.
The JPEX cryptocurrency exchange was the subject of a September 13 consumer warning by the Securities and Futures Commission (SFC), which said JPEX was promoting services to Hong Kong residents without proper licensure. The following day, attendees of the Token 2049 crypto event observed that JPEX had abandoned the booth they'd rented. Then, JPEX hiked their withdrawal fees to as high as $999, and limited withdrawals to $1,000.
According to the South China Morning Post, customers have filed at least 83 complaints about the exchange, pertaining to crypto assets priced at $4.3 million. Hong Kong police have disclosed they are investigating the firm.
JPEX released a statement that the SFC was "exerting undue pressure on our platform", and asserted that the watchdog should "bear full responsibility for undermining the prospects" of the crypto industry in the region. Later, they accused their "partnered third-party market makers" of "maliciously fr[eezing] funds". They announced that, as a result, they would be pausing their Earn product. They also suspended their platform's gaming feature.
"Personally, we believe decentralization only works for the 'informed', it's not for everyone, no offense meant," wrote PolkaWorld on Twitter.
The trailer for the show features a duo pitching "Ape Water": Bored Ape-branded canned water that sells for $2.80/can. "We want to reimagine water... When you scan the can, that's when crypto and web3 is unlocked," says the booster. Revolutionary.
Even crypto Twitter seemed less than enthused, with one person writing that the show was "like Shark Tank, but cringe". Another wrote, "Just take a peep at the panel of judges it's full of crypto grifters and scammers".
However, the Holesky launch was a failure when developers misconfigured the network, causing it to fail to initiate. Developers announced they would try to relaunch the project a week after its intended go-live date. At least it was just a testnet.