Hounax crypto scam steals $19 million

A scam Hong Kong cryptocurrency platform called Hounax swindled its customers out of HK$148 million (US$19 million). The group drew in customers by offering financial expertise on social media and awarding prize money to those who signed up to the platform. While some customers successfully tested whether they could withdraw their funds earlier on, the platform later stopped allowing customers to withdraw, or told them they would need to pay additional fees to do so.

The Hong Kong Securities and Futures Commission added Hounax to its warning list on November 1, a move that victims have criticized as much too late to stop the damage.

Bitcoiner spends $3 million on transaction fee

A Bitcoiner making a large transaction ended up spending 83.64 BTC (~$3 million) of the 139.42 BTC (~$5.1 million) transaction on transaction fees, effectively spending $3 million to send what ended up being a $2 million transfer. This apparent error has become the largest transaction fee in Bitcoin history.

A person then claimed on Twitter to be the owner of the wallet, verifying the claim by signing a message from the wallet that paid the fee. They claimed that they had been hacked, and that an error on the attacker's part led to the huge fee payment. AntPool, the mining pool that mined that block and earned the huge fee, later agreed to return the fee, though it's not clear if or how they verified that the person to whom they're returning the fee wasn't in fact the attacker who had obtained control of the wallet.

A similar fee overpayment incident occurred in September, when the Paxos crypto firm erroneously paid a $500,000 fee to send $1,865. They attributed the huge fee to a bug in their software, and the F2Pool mining pool (who had mined the block and received the fee) opted to return the overpayment.

KyberSwap hacked for $50 million

The KyberSwap decentralized exchange was hacked by an attacker who stole large sums of ETH, wETH, and the USDC stablecoin. Altogether, the assets are valued at around $54.7 million. The attacker was able to exploit a complex bug in a feature for liquidity pool providers. Prior to the hack, KyberSwap had approximately $80 million in TVL.

Shortly after the attack, the thief sent a message: "Negotiations will start in a few hours when I am fully rested." The KyberSwap team later responded to offer a 10% bounty, also seeming to praise the attacker: "You have done one of the most sophisticated hacks ser. That was high EV and everyone missed it."

The thief had other plans, though, ultimately issuing a list of "demands" which included "complete executive control" over the company and "surrender of all ... assets" to the hacker. They wrote that they had big plans for the network, and although they planned to dismiss all executives, they wrote that employees would be offered double salaries to continue their work. The hacker signed the message "Kyber Director".

Meanwhile, KyberSwap regained around $4.7 million after negotiations with the operators of front-running bots, who agreed to return 90% of the funds they obtained through frontrunning the hacker's transactions.

HTX (fka Huobi) and Heco Chain hacked for $115 million

Justin Sun confirmed that HTX (formerly Huobi) and its related Heco Chain protocol were hacked for a combined $115 million. It's been a rough few weeks for Sun, whose Poloniex exchange was hacked for around $120 million on November 10, and a rough few months for HTX, which was hacked for $8 million in late September.

HTX suspended withdrawals as they investigated the hack, and wrote that the company would "fully compensate for HTX's hot wallet losses". Security firm Cyvers said they believed the theft was enabled by a private key leak.

Binance fined over $4 billion, founder pleads guilty and resigns

Binance founder Changpeng "CZ" Zhao pleaded guilty to money laundering charges and agreed to step down as CEO of Binance, the largest global cryptocurrency exchange. He will pay a $50 million fine and faces the possibility of 18 months in prison.

Binance agreed to pay $4.3 billion in restitution for widespread wrongdoing including failure to implement proper anti-money laundering programs, unlicensed money transmitting, and sanctions violations. Binance will be allowed to continue operating, but will be subjected to a three-year-long monitorship program to ensure AML and sanctions compliance.

Simultaneously with the DOJ action, Binance reached agreements with the CFTC, FinCen, and OFAC on ongoing legal issues. Notably, the SEC lawsuit was not among those settled.

CZ posted a long thread on Twitter, admitting "I made mistakes, and I must take responsibility," carefully sidestepping mentioning what any of those mistakes were.

Aragon DAO votes to sue its founding team

Aragon is a prominent project that creates DAO infrastructure. Ironically, its own DAO-based governance has been fraught, with the group facing a governance crisis in May over conflicts between the DAO and the Aragon Association (a small group of "stewards" for the project).

Now, after the Aragon Association decided without consulting the DAO to dissolve itself and wind down the project's governance tokens (while keeping some of the funds), the DAO has voted to sue the group. The DAO has accused the group of improperly taking investors' money to put it "into their new secretive company". They've allocated $300,000 to legal efforts.

Bittrex finally closes up for good

After paying a then-record $29 million fine for sanctions violations in October 2022, shutting down US operations in March 2023, filing for bankruptcy in May, and paying $24 million to settle a lawsuit from the US SEC in August, Bittrex is finally throwing in the towel. The company announced that it was closing its global operations, and urged customers to withdraw funds stored with the exchange within only two weeks. The also informed customers who held US dollars on the exchange that they would not be allowed to withdraw, and would have to convert their dollars to Euros or cryptocurrency.

Bittrex used to be a major player in the US cryptocurrency market, with over 20% of US market share in 2018. However, the exchange's dominance had dwindled to below 1% as of 2021.

DOJ reportedly seeking $4 billion resolution to Binance investigation, with possible criminal charges against CEO

According to Bloomberg, ongoing negotiations between the U.S. Department of Justice and Binance have involved penalties greater than $4 billion as part of ending an ongoing, multi-year probe into the exchange. Such a settlement would not insulate founder Changpeng "CZ" Zhao from criminal charges.

The negotiation may involve a deferred prosecution agreement, in which the US would file a criminal complaint but agree not to prosecute so long as Binance met agreed conditions under a monitoring process.

It remains to be seen if this is the avenue the DOJ and Binance will go with. A Bloomberg source speculated that a decision could come within the next few weeks.

Kraken sued by U.S. SEC

Kraken is the latest cryptocurrency exchange to face a lawsuit from the U.S. Securities and Exchange Commission. According to the SEC, Kraken violated securities laws by listing tokens like Polygon (MATIC) and Solana (SOL), which the SEC has argued in this and in other lawsuits are unregistered securities.

Furthermore, the SEC claims that Kraken commingled corporate and customer funds, "at times pa[ying] operational expenses directly from bank accounts that hold customer cash."

Kraken's new CEO, Dave Ripley, posted on Twitter that the company "plan[s] to vigorously defend [their] position" that they do not list securities.

DOJ cracks down on $225 million crypto romance scam

At least according to the rather shady Tether stablecoin provider, the U.S. Department of Justice has been working on an investigation into a massive "pig butchering" romance scam and human trafficking operation based out of Southeast Asia.

According to Tether, they "voluntarily fr[oze] approximately 225 million in USDT tokens" in connection to the investigation.

Some romance scammers hoping to lure victims into sending them cryptocurrencies are themselves victims of human trafficking operations, where they are held victim and forced to send such messages.

dYdX insurance fund loses $9 million in apparent attack

Around 40% of the "insurance fund", intended to protect dYdX users from having to backstop other traders' losing trades, was drained in what dYdX CEO described as "pretty clearly a targeted attack against dYdX". An attacker manipulated the market for the Yearn Finance token, which is not normally heavily traded on dYdX, but which experienced a surge in trades around the attack. By taking advantage of flaws in dYdX's risk management, the attacker was able to rack up big losses and then force the dYdX insurance fund to pay out.

Kronos trading firm suffers key breach

The cryptocurrency trading firm Kronos Research announced on Twitter that they had stopped trading while they investigated "unauthorized access of some of our API keys". They claimed that "potential losses are not a significant portion of our equity". They later confirmed the loss at around $26 million.

Aqua web3 gaming marketplace shuts down

It's not that blockchain gaming was a flop, they were "just too early" (said CEO Sean Ryan). The Aqua gaming NFT marketplace announced their shutdown, attributing it to "challenges in raising funds and the slower-than-expected growth within the web3 gaming sector". Users were instructed to transfer their funds off the platform by December 1.

The company launched its marketplace in September 2022, backed by $10 million from the DIGITAL venture fund.

The Blockchain Group suspends stock trading in apparent financial crisis

French blockchain firm The Blockchain Group announced that they had requested trading be halted on the company's shares and postponed a planned company meeting. The announcement disclosed "financial difficulties" that had caused the company to try to obtain rescue financing. They also said that they had begun discussions with creditors around possible restructuring.

The Blockchain Group is behind a number of different services, including a crypto wallet called Eniblock and an open source software bounty project called Bountysource. Users of the Bountysource project have been complaining about issues receiving payments since as far back as May 2023.

Network of fake Twitter accounts impersonating crypto security firms phish panicked victims

A screenshot of Twitter's trending topics sidebar, showing that #OpenSeaSecurityBreach, #OpenSeaHackAlert, and #CryptoSafetyConcerns were trendingTwitter trending topics on November 14 (attribution)
On the evening of November 14 I logged on to Twitter to notice that #OpenSeaHackAlert and related hashtags were trending. But they were trending not because OpenSea had truly been hacked, but because a huge network of fake accounts with usernames similar to those of PeckShield, CertiK, and zachxbt — well-known accounts that alert crypto traders to possible scams — were spamming the hashtag. Hoping to spark panic into crypto holders who had used the popular service, as well as other services like Uniswap which they were claiming were breached, the phishers shared links to sites that would supposedly help users revoke access to their wallets by those services, securing their assets. Instead, however, those malicious sites would drain the wallets.

According to researcher zachxbt, who himself was one of the impersonated, the scammers have stolen more than $300,000 in various assets using this technique.

This is not the first time such a technique has been used — a scammer attempted a similar, though less successful, scheme in April 2022. Scams like this take advantage of the poor UX in the crypto world for tracking and revoking wallet permissions that have been granted, requiring people to use third-party websites created for this purpose. Some of them are legitimate, but there are many malicious copies of these revocation sites that prey upon users who may be acting quickly in fear that their assets are at risk.

Up to $1 billion stored in early Bitcoin wallets may be at risk due to "Randstorm" vulnerability

While trying to help a Bitcoin holder who lost their password, researchers at Unciphered discovered a major flaw in the way early Bitcoin wallets had been created. Thanks to a flaw in an open source software library called BitcoinJS, which was later incorporated into many wallet software projects to generate Bitcoin wallets with random keys, wallets created prior to 2016 may be vulnerable to cracking. Wallets created before March 2012 are at particular risk, as the roughly 6% of those that are vulnerable (and which hold a combined ~55,000 BTC, or ~$100 million) could be cracked without requiring major computing resources.

Unciphered worked with various wallet providers to contact people whose wallets may be vulnerable, though ultimately it is up to those wallet holders to secure their funds by creating new wallets and transferring their tokens. Unciphered also noted that some Dogecoin, Litecoin, and Zcash wallets may be vulnerable due to shared code.

Wallet drainer steals more than $60 million in six months

A wallet drainer service has facilitated the theft of more than $60 million in various assets from almost 100,000 victims since May 2023. According to research group ScamSniffer, the drainer has recently started using functionality in the Ethereum network called CREATE2 to generate new addresses for each malicious signature. This allows the drainer to sidestep security alerts built into some crypto wallet software that would flag known malicious addresses.

ScamSniffer identified one victim who lost almost 17,000 GMX (~$927,000) to this drainer after signing a malicious transaction.

Wallet linked to Binance deployer loses $27 million in apparent hack

An attacker apparently stole $27 million in the Tether stablecoin from a wallet that had just withdrawn the funds from their Binance account. The hacker quickly converted the funds to evade attempts at freezing the stolen assets.

Crypto researcher zachxbt observed that the wallet targeted for the theft had in 2019 received a transfer from the Binance deployer, suggesting that the compromised wallet may have some ties to Binance itself.

Raft exploited for $3.3 million, then hacker screws up

An attacker exploited the Raft defi project after finding a vulnerability that allowed them to mint 6.7 million of Raft's R stablecoin without any backing.

The attacker then went to convert the R into ETH, which they would then be able to launder and cash out. However, an error in the attacker's code caused 1,570 ETH ($3.25 million) to be sent to the burn address, rendering it permanently inaccessible to everyone including the hacker. Only 7 ETH remained. However, because they had to spend ETH to fund the attack, the hack ultimately resulted in a loss of 4 ETH (~$8,000) for the perpetrator. Oops.

As a result of the hack, the R stablecoin lost its dollar peg, plummeting down to around $0.70. Raft acknowledged the attack and announced that they had paused minting.

Samudai treasury drained

The treasury of the Samudai DAO was apparently drained as an attacker compromised the project's multisignature wallets and the wallet belonging to the project's founder, Kushagra Agarwal. Altogether, around $1.25 million in ETH was stolen.

Agarwal sent a message to the thief shortly afterwards, offering a 10% "bounty" in exchange for the return of the rest of the funds. The attacker didn't seem to be interested, and in mid-January began tumbling the assets through the Tornado Cash cryptocurrency mixer.

Samudai didn't seem to publicly acknowledge the theft, even though they've posted on Twitter a few times since then. The organization had raised $2.5 million in pre-seed capital in June 2022.

Poloniex hacked for more than $120 million

Assets including Bitcoin, Ethereum, and Tron's TRX token, priced at more than $126 million, were stolen from Justin Sun's Poloniex cryptocurrency exchange. Researchers are still homing in on the exact amount of funds that were stolen from the company's hot wallets across multiple blockchains, but suffice to say it's a lot.

Poloniex was initially tight-lipped, posting on Twitter that they had "disabled for maintenance" an exchange wallet. Justin Sun later updated that they were investigating the "hack incident", and promised to "fully reimburse" the massive theft... somehow. He later tweeted that they would offer a 5% "bounty" to the hacker if they returned the funds within a week, threatening to "engage law enforcement" otherwise.

CoinSpot exchange exploited

The Australian cryptocurrency exchange CoinSpot appears to have been hacked for around 1,283 ETH (~$2.4 million). In two separate transactions, the ETH was transferred out of CoinSpot's hot wallet, then bridged to Bitcoin via Thorchain and another bridge.

Wintermute declares friendship over with Near Foundation and Aurora Labs after they refuse to send $11 million

"Public service announcement or 'how we are not really friends with Near Foundation and Aurora Labs going forward'", wrote Wintermute CEO Evgeny Gaevoy on Twitter. He launched into a thread accusing Near and Aurora of refusing to honor a previous agreement to facilitate the redemption of around 11.2 million USN, the de-pegged stablecoin of the Near network. Wintermute said they had helped FTX to sell that quantity of the USN tokens, providing them with dollars to disburse to creditors, under the belief that Near and Aurora would help them honor the USN redemptions at $1.

However, Near later decided it would not honor the redemption, accusing Wintermute of trying to pull off an arbitrage trade with the distressed asset. They also, somewhat curiously, claimed that the funds that were provided to Wintermute by the FTX estate may have been the tied to illegal activities. Aurora also described Wintermute's claims as "unfounded", and accused Wntermute of "tr[ying] to exploit the programme to profit from the purchase of distressed assets from the Alameda estate".

Wintermute has promised to "pursue all legal avenues" against the Near Foundation and Aurora Labs.

MEV bot exploited for almost $2 million

An MEV bot was exploited after an attacker discovered a vulnerability in its code that allowed anyone to call one of its functions that sold wBTC for wETH. Using a flash loan to imbalance a wETH/wBTC pool on Curve, the attacker then caused the bot to purchase wBTC at its inflated price. They then sold the wBTC for a profit. Altogether, the exploiter made off with 1,047 ETH ($1.975 million).

Arrests made in $300 million Indian crypto scam

Indian police have arrested around eighteen people, including four police officers, in connection with a $300 million cryptocurrency scam that affected around 100,000 people in Himachal Pradesh. Victims were invited to invest in a cryptocurrency called Korvio Coin (KRO), but later the scam incorporated other tokens as well. Around 5,000 government officials and around 1,000 police fell victim to the scam, with some themselves becoming promoters.

The scam was allegedly orchestrated by Subhash Sharma, who has not been apprehended. This particular fraud was uncovered in September, but has been ongoing since as long ago as 2018.

Yuga Labs' social media lead resigns after racist and antisemitic tweets resurface

One might think that a social media lead might have a grasp on his own social media accounts, and might have scrubbed damning tweets made only shortly before they began their position.

One also might think that a company embroiled in constant racism accusations might be cautious about screening its employees.

Neither of these things happened, though, and someone dug up vile tweets by Shpend Salihu, better known as NGBxShpend. Salihu resigned shortly after the tweets came to light, writing that they had "become a distraction from the [Bored Ape Yacht] Club and what we're all about."

Bored Ape collectors experience searing eye pain after "ApeFest" party

Bored Ape #9291. A brown-furred ape, wearing a slouchy orange beanie and black t-shirt, has its mouth open in a sort of smile. There are red laser beams shooting out of (or perhaps into) its eyes.All this time I thought the lasers were going in the other direction (BAYC #9291) (attribution)
Bored Ape collectors attending an ApeFest party in Hong Kong have now been subjected to the kind of eye pain the rest of us have felt for years having to look at their hideous, pricey JPEGs.

The going theory is that event organizers skimped on lighting costs by using UV lights intended for sanitization, not for entertainment, causing burns to the eyes and skin. The eye condition, photokeratitis, is better known as "snow blindness" or "welder's flash", as it more typically affects people who haven't worn proper eye protection while welding or while exposed to sunlight reflected from ice and snow.

Several attendees reported having to seek emergency medical treatment after experiencing excruciating eye pain and vision problems, and tweet threads began circulating giving various other ApeFest attendees advice on recovering from the painful condition.

Bored Ape creator Yuga Labs belatedly issued a tweet two days after the incident, claiming only a small fraction of attendees had experienced "eye-related issues", but encouraging anyone with symptoms to "seek medical attention just in case".

Sam Bankman-Fried convicted on seven charges

Sam Bankman-FriedSam Bankman-Fried (attribution)
After less than five hours of deliberation, a jury convicted Sam Bankman-Fried of seven fraud and money laundering charges. The conviction followed a five-week-long trial which culminated in Sam Bankman-Fried himself taking the stand, only to appear evasive and sullen as he told prosecutors he couldn't recall many significant events from his time as FTX CEO.

Sentencing is scheduled for March 28, 2024, though scheduling could be affected by factors including whether the US decides to continue pursuing an additional five charges also set to be tried in March.

Onyx hacked for $2.1 million

The Onyx Protocol was hacked for 1,164 ETH (~$2.1 million) after an exploiter took advantage of a known vulnerability affecting forks of Compound Finance. The bug allows attackers to siphon funds from new and unfunded markets on Compound forks — in this case, a new pool that had been created for the PEPE token.

After pulling off the hack, the attacker received the usual flood of on-chain messages from people asking them to share some of their ill-gotten funds. Unusually, the attacker followed through, ultimately sharing 19.5 ETH (~$36,000) out of their spoils.

Onyx is far from the first Compound fork to fail to patch known vulnerabilities and suffer hacks as a result. Hacks stemming from known Compound bugs, such as the attacks on Rari Capital and Sonne Finance, have netted tens of millions of dollars apiece for attackers in the past.

Monero discloses that its community crowdfunding wallet was drained

Monero's Community Crowdfunding System (CCS) funds projects that aim to improve the ecosystem of Monero, a privacycoin. The CCS is funded by donations, and up until September 1, 2023, held a balance of 2675.73 XMR (~$460,000). Two months after the fact, "Luigi" (a Monero developer and one of the two people with access to the wallet seed phrase) disclosed on Github that the wallet had been drained entirely. According to Luigi, he only discovered this a month after the theft.

The other person with access to the wallet is a former Monero developer named "fluffypony", or Ricardo Spagni. He surrendered to US authorities in July 2023 for extradition to South Africa, where he has been charged with invoice fraud against a cookie company (think chocolate chip, not software). However, he was released in late September, and has been working to "address this matter" while free but under court supervision.

Safemoon executives charged and arrested

An indictment charging SafeMoon executives with defrauding investors via their SafeMoon token was unsealed in the Eastern District of New York. Three defendants were charged with conspiracy to commit securities fraud, conspiracy to commit wire fraud and money laundering conspiracy for their roles in creating Safemoon, a crypto token that once boasted a "market cap" of around $8 billion.

SafeMoon promised buyers it would "safely go to the moon" by locking the liquidity pool so that its developers couldn't rug pull. In reality, the "locking" didn't prevent the developers from removing tokens from the liquidity pool in other ways, which they did to the tune of millions of dollars. They then spent the proceeds of their crimes on personal expenses, like luxury sports cars and real estate.

Alongside the charges from the Department of Justice, the Securities and Exchange Commission simultaneously brought a lawsuit against the SafeMoon executives for violating registration and anti-fraud provisions of securities laws.

Ryder Ripps loses Bored Apes infringement lawsuit, ordered to pay $1.6 million and legal fees

A judge has ordered Ryder Ripps and his co-defendant Jeremy Cahen to pay almost $1.6 million in disgorgement and damages after they created a collection of identical NFTs to the popular Bored Ape collection. The duo were sued for trademark infringement in June 2022 over their RR/BAYC project, which Ripps and Cahen tried to argue was an art project created to draw attention to racist imagery they and others have identified in the project.

In August, Ripps tried unsuccessfully to get the lawsuit dismissed via anti-SLAPP protections.

Now they're on the hook for $1.375 million in profits they earned from their copycat project and $200,000 for domain cybersquatting violations. They also must transfer control of two domain names, two Twitter accounts, and the RR/BAYC smart contract. Worse yet, the court found that this was an "exceptional case" because of the defendants' behavior, which included being "obstructive and evasive", and "unnecessarily and inappropriately ma[king] disgraceful and slanderous statements about Yuga, its founders, and its counsel" throughout the case. As a result, they will also have to pay Yuga's attorney's fees.

AuBit, the company behind Freeway, enters liquidation

A judge in the Cayman Islands has placed Aubit, the firm behind the Freeway crypto project, into liquidation. Freeway was a crypto lending project that promised annual returns as high as 43%, at least until it halted withdrawals in October 2022, claiming it was due to "unprecedented volatility" in forex and crypto markets. Withdrawals were never re-enabled, leaving around $160 million in total customer assets out of reach.

A lawsuit from an institutional customer was filed against the company in August, calling the project "a scam".

AuBit has tried to argue that it should be allowed to restructure, but the Cayman Islands judge opted to force the firm to liquidate, citing "a real absence of proper accounting".

Treasury Department introduces proposal targeting crypto mixers

The U.S. Treasury Department introduced a proposal for new regulation that would require cryptocurrency mixers (also called tumblers) to up their recordkeeping and reporting processes. Needless to say, for a class of projects intended to help people anonymize their cryptocurrency transactions and make them more challenging for governments and others to track, this would somewhat undermine the whole point.

That seems to be the intention of the Treasury Department, who described mixers as primarily used for illicit money laundering "by a broad range of illicit actors, including state-affiliated cyber actors, cyber criminals, and terrorist groups".

Superdao to shut down

Superdao, a project aiming to assist communities in forming DAOs, has announced it will be closing its doors. It was blunt in its announcement: "it became clear that the crypto industry itself becomes much smaller than its initial ambition ('the new internet') and specialized tools for crypto companies are unlikely to produce venture-scale outcomes."

The project had raised $10.5 million in a 2021 seed funding round, and has said they intend to return remaining funds to its investors.

Gemini, Genesis, and DCG sued over $1 billion alleged fraud

The New York Attorney General filed suit against Gemini, Genesis, and Digital Currency Group (DCG), a group of companies that have been involved in a bitter feud amongst themselves. As Genesis undergoes bankrutpcy proceedings, Gemini and its Winklevoss twin cofounders have been firing accusations of fraud at them as they try to recover around $900 million of their customer funds that were with Genesis when it collapsed.

Now, the New York Attorney General is alleging that Gemini repeatedly lied to investors about its Gemini Earn program, assuring them that it was low-risk when internal analysis had revealed Genesis' loans to in fact be quite risky. Some personnel involved in evaluating this risk even withdrew their own funds from the program in the summer of 2022.

Genesis, DCG, and DCG CEO Barry Silbert are charged with defrauding both investors and the public when they tried to cover up $1.1 billion in losses. The lawsuit alleges that Genesis had not properly audited its borrowers, and lied to Gemini about regular reviews of borrowers' financial conditions.

In a press release, the AG claims that the companies' actions resulted in around $1 billion in losses, including in some cases their customers' entire life savings.

Hope Lend emptied in $825,000 hack

A small defi protocol called Hope Lend was drained of nearly all its assets when attackers stole around 526 ETH (~$825,000). Hilariously, the project claims the hacker was frontrun by a watchful third party, who paid half of the stolen funds (~264 ETH, or around $414,000) to an ETH validator to allow them to frontrun the transaction. The original attacker who discovered the bug reportedly made no money at all.

The stolen assets represented the entire TVL of the project.

Everscale halts bridge as "large number" of tokens stolen

The team behind the Everscale blockchain project disclosed that a "large number" of tokens had been stolen. In an attempt to thwart the attacker from cashing out, they announced that they had halted the project's bridge.

The team did not announce how many tokens were stolen. The price of $EVER suffered a 20% drop, though whether it was due to an attacker selling off tokens or collective panic by other token holders is not clear. The method of the theft was also not described.

Reddit abandons blockchain-based Community Points

Reddit's attempt to blockchainify their signature Reddit karma has come to an end as the company has decided to pull the plug on the feature. The idea was that users could "own a piece of their community" (what?) by racking up points for their positive contributions, which they could then spend on perks like custom badges.

Reddit attributed the decision to scaling difficulties, regulatory uncertainty, and the quantity of resources the company found itself having to put into the feature. The tokens were only used on a handful of subreddits, and the team had migrated them from the Ethereum blockchain to the Arbitrum Nova L2 chain, but despite that scaling continued to be a problem.

The news caused a massive dive in the prices of $MOON and $BRICK, the two Reddit tokens, as holders tried to exit their positions before the tokens became useless. Some angrily accused Reddit of rug-pulling, threatening legal action. One wrote, "I wish you guys knew how reckless this decision is and how many people you've hurt." Some accused subreddit moderators of selling when they learned about the decision an hour before it was made public.

Others were delighted at the news, however. One wrote, "Thank the effing Lord. This moons caused so much shit tier spamming for over a year."

Fantom Foundation and employees lose collective $7 million in mass hack

An attack targeting the Fantom Foundation and its employees siphoned $7 million from wallets under their control. Of that, around $550,000 were funds belonging to the Fantom Foundation. One individual employee reportedly lost $3.4 million.

It's not clear yet how the attack was perpetrated, although crypto researcher Spreek reposted a comment by an admin in Fantom's Telegram channel, where they blamed the theft on a zero-day exploit in Google Chrome.

TrueUSD tries to claim no affiliation with tokens created by its deployer address, raising further questions

A new, Euro-pegged stablecoin called $TEURO emerged on October 13, with an initial supply of around €70 million. However, TrueUSD subsequently tweeted that "we have zero affiliation with it". The post warned people to "step back and refrain from risky investments".

However, the post raised only more questions, as the $TEURO token had been deployed by the address that deployed the primary TrueUSD token. This means that either TrueUSD is lying when they claim they're unaffiliated with $TEURO, or some of their private keys were compromised, allowing an unrelated party to deploy a contract appearing to belong to them.

Almost $100 million liquidated over false news of Bitcoin ETF approval

A sudden spike and then rapid decrease in the price of Bitcoin, from just under $28,000 to $30,000 and then back to around $28,000October 16 Bitcoin price spike (attribution)
A post falsely announcing that the SEC had approved a spot Bitcoin ETF caused $100 million in liquidations as the market briefly surged on the news. $81 million in short positions were liquidated as Bitcoin shot up to $30,000 from just under $28,000, and another $31 million in long positions were liquidated as the news turned out to be false.

The post by crypto media outlet CoinTelegraph was based on a faked screenshot of what appeared to be the Bloomberg Terminal. The post quickly propagated through the crypto world before people began to question its veracity. CoinTelegraph later issued an apology, blaming the incident on a failure by employees to follow the normal editorial approval process.

This adds to the list of incidents that illustrate the extent to which false reporting by traditional or crypto media, or by influential personalities, can move crypto markets. Past incidents have included a crypto Twitter personality tweeting the false rumor that Interpol had issued a red notice for Binance CEO Changpeng Zhao, and two instances of token price spikes based on false press releases claiming major corporations would accept the tokens as payment.

South Korean regulators allege Sui Foundation manipulated markets

A lawmaker in South Korea has alleged that the Sui Foundation has engaged in market manipulation to enrich themselves. The South Korean Financial Supervisory Service reportedly launched an investigation into the distribution of the SUI token following Representative Min Byeong-deok's allegations, intending to determine whether there was truth to his claims that they had paid themselves interest by staking tokens that should have been left untouched in the non-circulating supply.

The Sui Foundation has disputed the allegations on Twitter, calling them "unfounded and materially false".

Hackers host malicious code on Binance chain to circumvent takedowns

An otherwise very "web2" hack has taken on a web3 twist as hackers have started to store malicious code on the blockchain. Attackers first compromise WordPress websites, then show a screen to visitors telling them they need to update their browser to view the website. When the visitor does so, the site downloads malware which then harvests information like login credentials.

Attackers previously stored the malicious code on typical webhosting services, but those services began to take it down. Now, some have started using Binance's blockchain to store these payloads, taking advantage of the immutable nature of blockchains to prevent anyone from taking it down.

USDR stablecoin de-pegs

The real-estate-backed US dollar stablecoin "Real USD" (aka USDR) lost its peg, dropping from $1 to around $0.53. The website for the stablecoin was — even after the depeg — promising customers 16.39% yields.

The de-peg occurred amid a "liquidity crunch" as holders rushed to redeem their USDR for the DAI stablecoin, draining the project of its DAI reserves. The team behind the project, TangibleDAO, issued a statement stating that "the real estate and digital assets backing USDR still exist and will be used to support redemptions." However, despite their insistence that the problem is just a liquidity issue rather than a solvency one, a dashboard on their own website showed that the stablecoin isn't fully backed and has a deficit of around $3.4 million.

In a related incident, a trader trying to swap their $131,350 in USDR for the USDC stablecoin lost every penny of it when their transaction was arbitraged by a MEV bot.

Platypus Finance hacked for a third time this year

At this point, they should probably just have a form email ready to go. Platypus Finance has suffered a cumulative $2.23 million in losses thanks to several attacks on the platform over the course of several hours. This set of hacks followed a $8.5 million hack in February, and another hack of at least $150,000 in July.

Platypus was quickly able to recover $575,000 from this latest hacker, thanks to a flaw in their attack. Later, they recovered all but $167,400 of the stolen funds after coming to an agreement with the attacker that they would not pursue legal action.

CFTC and FTC sue Voyager CEO Stephen Ehrlich

Stephen Ehrlich, sitting and speaking into a microphoneStephen Ehrlich (attribution)
Simultaneous civil lawsuits from the Commodity Futures Trading Commission (CFTC) and Federal Trade Commission (FTC) against former CEO of the collapsed Voyager crypto lender accuse him of fraud and making deceptive claims to customers.

The FTC lawsuit focuses on Voyager's claims suggesting to customers that accounts with the lender were FDIC insured. That complaint also names Voyager as a defendant. Voyager settled with the FTC, agreeing to pay a $1.65 billion judgment that will be suspended until customers are repaid.

Black Hole Token exploited for $1.28 million

The Black Hole Token project suffered a $1.28 million apparent exploit, according to security firm PeckShield, though it's hard not to wonder if it might have been a rug pull.

Black Hole Token is a Chinese project built on BNB Chain, which promises an original mechanism that only goes up. "The more you sell, the more the price goes up", promises their website.

Sounds legit.

Fintoch scammers strike again with $1.6 million FinSoul scam

A metaverse gaming project called FinSoul promised users “sandbox worlds, multiplayer sports, leisure experiences, player socializing, MMORPG,” and other features. However, on October 10, the project team made off with $1.6 million, which they then tumbled through Tornado Cash.

The team behind the FinSoul project was reportedly the same as the group who pulled off the much larger $31 million Fintoch exit scam in May. They used similar strategies, including using paid actors to pose as their executive team, to push the FinSoul scam.

FSL token rug pulls for $1.68 million within 24 hours of launch

The BNB Chain-based FSL token rug pulled within 24 hours of launching, with developers draining $1.68 million of liquidity they had amassed.