Supply chain attack on Ledger puts much of defi at risk

A supply chain attack on the Ledger connector application has rippled throughout the world of decentralized apps, which widely use the software to enable people to connect their popular Ledger hardware wallets to perform transactions. Although hardware wallets are meant to be among the most secure ways to store crypto, they too are vulnerable to attacks when they are connected to perform transactions.

A hacker was able to obtain access to Ledger's source code management tool and push out a new release that contained code that would drain wallets as users connect them. Because the library is so widely used, many crypto applications were vulnerable — including Revoke.cash, a security-focused project intended to help people guard against attacks on their wallets.

The CTO of the Sushi crypto project issued a broad warning: "Do not interact with ANY dApps until further notice." At least $600,000 has been drained from multiple users so far.

CoinList reaches $1.2 million settlement with OFAC over Russian sanction violations

The Californian cryptocurrency exchange CoinList has settled a lawsuit from the Treasury Department's Office of Foreign Assets Control (OFAC) for $1.2 million. OFAC charged CoinList for processing almost 1,000 transactions between April 2020 and May 2022 on behalf of residents of Crimea, a Ukrainian territory occupied by Russia in 2014 and sanctioned by the United States shortly after.

CoinList reportedly allowed 89 users to sign up for accounts on the platform, most of whom had stated that they were residents of Russia but provided addresses in Crimea.

Money launderers charged over $80 million crypto romance scam

Four individuals who helped launder money through shell companies and various bank accounts have been charged in connection to an $80 million "pig butchering" cryptocurrency scam. The scam reportedly involved at least 284 transactions, though it's not clear how many victims were involved.

Australian victims lose estimated $1.3 billion to prolific scammers' HyperVerse project

Many investors have reported losses thanks to a cryptocurrency investment scheme called HyperVerse, which operated in Australia from around 2018 to mid-2023. Several financial watchdogs issued warnings about the company, including the UK, Canada, Germany, and New Zealand. The Hungarian central bank warned in August 2022 that the HyperVerse project was a "suspected pyramid scheme... behind which there is no real economic activity... There is a significant chance that investors may permanently lose part or all of their invested capital."

Estimates by Chainalysis suggest that victims have lost a combined $1.3 billion (with a B) to the scam thus far.

The scheme's operators Sam Lee and Zijing "Ryan" Xu were also behind Blockchain Global, a collapsed company that operated the Australian ACX crypto exchange that collapsed in 2019. The company is in liquidation, and creditor claims are expected to surpass $50 million. Although Lee and Xu were reported for investigation to the Australian Securities & Investments Commission, ASIC did not take any action.

Lee has also been involved in other investment platforms, including two that are currently active: StableDao and We Are All Satoshi. Both platforms were the target of cease and desist letters from the Californian Department of Financial Protection and Innovation in September 2023, who described them both as "fraudulent pyramid and Ponzi scheme[s]".

Crypto scammer suddenly pleads guilty in trial surrounding EXW fraud

There was surprise in an Austrian courtroom when a defendant suddenly gave up any pretense of innocence, proclaiming, "I've run out of steam, I've finished driving... I plead guilty in full and ask for a lenient and speedy sentence". The judge then had to back up and understand what exactly he was pleading guilty to. The same defendant had earlier admitted to some guilt, but denied the fraud had been planned from the start. Later, he said that he had indeed planned from the beginning to steal the funds.

The scam in question was a Ponzi scheme called EXW, in which the eight defendants stole at least €17.6 million (~$19.3 million) from at least 40,000 victims in late 2019 and 2020. The fraud later resurfaced under a different name. However, in court, the ex-girlfriend of the main defendant testified that the scam had actually brought in €80–100 million ($88–$110 million).

One of the defendants, who from reports seems to be the same one who just admitted his guilt in court, reportedly feigned being autistic when he was arrested by police, somehow earning himself enough time to erase the contents of his phone.

He and seven other defendants have been charged with fraud, money laundering, running a pyramid scheme, and operating a criminal organization.

Blockchain chess platform Immortal Game ditches token after "heavy cheating"

After raising $12 million from crypto-focused venture funds, the Immortal Game blockchain chess platform has announced that they would be nixing most of the blockchain part by shutting down support for their "Checkmate" token and stopping development on play-to-earn and NFT projects. Although they began as a blockchain chess company, they seem to be pivoting to just being a chess company.

"We found that by offering large amounts of cash with no limit barrier to entry, we encouraged heavy cheating on the platform and degraded the user experience for our legitimate player base who want a fair and safe place to play chess online," they wrote. Who could have guessed.

Somewhat ironically, they suggested that they may still intend to look into using web3 technology for "anti-cheat measures".

Grifter-in-chief Donald Trump hawks mugshot NFTs

[Image: Trading card style illustration featuring the Trump mugshot, with an arrow showing that a scrap of the suit will come with some of the purchases. Caption: Promotional image for the Trump NFTs]

The collapse of the NFT bubble hasn't stopped Donald Trump from trying to cash out. Following in the footsteps of his wife, who timed things much better as far as interest in NFTs goes, the former president launched his first NFT collection in December 2022. He was later accused of using stolen artwork in the collection.

Now, Trump is hawking a new set of $99 NFTs, featuring the August 2023 mugshot taken in connection to his ongoing racketeering lawsuit. Those who purchase 47 of the NFTs — amounting to $4,653 plus fees — are promised a scrap of the suit Trump wore in the mugshot and a dinner with the president-turned-fulltime criminal defendant.

The fine print, however, reserves the possibility that neither promise will come through.

Fraudsters steal more than $25 million in "AI-powered" crypto ponzi

Two fraudsters capitalized on the hype around both cryptocurrency and artificial intelligence, advertising an "artificial intelligence automated trading bot" that they promised would earn large returns for their investors. Instead, however, the fraudsters spent the money on themselves, paying for private chartered jet flights, luxury hotel accommodations, private mansion rentals, a personal chef, and private security guards.

In addition to pulling off the original scam, the fraudsters also came up with a fake investigative agency called the "Federal Crypto Reserve", where they directed victims who were seeking to recover their losses.

The scammers were charged with wire fraud, money laundering, and obstruction of justice, which carry hefty maximum prison terms.

OKX DEX suffers $2.7 million hack

OKX DEX is a service by OKX that aggregates decentralized exchanges (or DEXes) to help users access features and prices across multiple projects. On December 12, an attacker appeared to gain administrative control of the DEX's smart contract. They upgraded the contract such that they could transfer tokens to themselves, then proceeded to do exactly that until they had stolen around $2.7 million in various cryptocurrencies.

It appears the attacker was able to gain access to the smart contract admin key, which gave them the ability to upgrade the contracts to enable malicious functionality.

OKX announced that they would reimburse the losses, and pursue legal action against the exploiter.

KuCoin fined $22 million in New York

The KuCoin cryptocurrency exchange has agreed to a settlement in which it will pay a $22 million fine and ban residents of New York state from its platform. The New York Attorney General sued KuCoin in March, alleging they had been serving New York customers despite not being registered in the state.

KuCoin has admitted to allowing New Yorkers to trade securities and commodities on the platform, and representing themselves as an "exchange" without having registered as such.

In addition to paying the fine, KuCoin has agreed to shut down all New Yorkers' accounts in the coming months and prevent residents of the state from signing up for new accounts.

Yearn Finance accidentally swaps its entire Ip-yCRVv2 treasury, asks nicely for the money back

Periodically, Yearn Finance converts a small quantity of its treasury tokens into stablecoins to spend on operations. However, something went terribly wrong during this process when they went to perform the swap and erroneously converted the entire amount — nearly 3.8 million Ip-yCRVv2 tokens — into a stablecoin. According to one Yearn Finance employee, this pool of tokens comprised around 3% of the project's treasury.

Because there was not sufficient liquidity for such a large trade at the going price, the trade was ultimately fulfilled, but at a 63% loss. Before the trade, that quantity of tokens was priced at around $2.28 million; however, Yearn received only around $780,000 in stablecoins because of the slippage.

Yearn quickly identified the issue and embarked on a campaign to ask nicely for the counterparties in the trade to please give some of their profits back. In on-chain messages, Yearn wrote: "one of yearns multisigs made a costly mistake last night that affected a critical source of yCRVs liquidity. we identified you as having made a profit off of this and are kindly requesting that you return as much as you see reasonable to yearns main multisig: ychad.eth. sorry we have to ask this, but hope you can understand." Doesn't hurt to ask, I guess. So far, only one wallet has taken them up on the offer, returning 2 ETH (~$4,400).

Uranium Finance hacker cashes out in Magic: The Gathering cards

[Image: Stacks of Magic: The Gathering - Fallen Empires booster boxes. Caption: Magic: The Gathering booster boxes]

In April 2021, an attacker stole $50 million from the defi exchange Uranium Finance. Blockchain investigator zachxbt now says that he believes this attacker has been able to cash out his ill-gotten funds... in an unusual way.

After tracing the attacker's attempts to launder the money through Tornado Cash and then obfuscate that it had come from the mixing service (something that raises flags at some exchanges), zachxbt observed the funds go to a broker of Magic: The Gathering based in the United States. Altogether, the hacker appeared to be spending millions on starter decks, alpha sets, and sealed boxes — often overpaying by 5-10%. These items routinely sell for hundreds or thousands of dollars.

The thief is probably a creative money launderer rather than a massive MTG fan, and is probably reselling the cards to further obscure the source of the money. Then again, MTG is more than a little addictive.

Do Kwon reportedly to be extradited to the United States

Do Kwon, founder of the collapsed Terra/Luna project, will be extradited from Montenegro to the United States once he's completed his four-month-long jail sentence for document forgery, says the Wall Street Journal. Although a Montenegrin court had already approved his extradition, it left the decision of whether to send him to South Korea or the United States up to Justice Minister Andrej Milovic. Milovic has reportedly privately said he intends to send Kwon to the US.

Kwon filed a last-ditch appeal of the extradition decision on December 6. A decision is scheduled on the matter by December 15. Milovic is unlikely to publicly announce Kwon's extradition destination until then.

Both South Korea and the United States have sought Kwon's extradition on criminal charges related to the Terra/Luna scheme. Federal prosecutors in the Southern District of New York indicted Kwon on eight fraud and market manipulation charges in March 2023. He and his company also face a civil lawsuit from the Securities and Exchange Commission.

The AEUR stablecoin isn't

[Image: Chart of the AEUR price in USDT, showing it maintaining its €1 (~$1.08) peg before spiking to over €3, dropping somewhat, and trending back upwards. Caption: I don't think "stable"coins are supposed to do that]

Binance says traders must have missed the memo on the AEUR stablecoin, which was intended to be pegged to the Euro. Shortly after it was listed on Binance, high demand caused the token — which had a limited supply of 5 million — to begin trading for as high as €3 per token. "[U]sers ... might not have realized its standing as a stablecoin" wrote Binance in an announcement, published the day after the exchange suspended trading in the token due to "abnormal volatility".

Binance announced a compensation plan for users who purchased the token during an eligibility period and who were unable to resell, in an apparent attempt to placate the angry traders who accused Binance of "scamming" them by halting trading.

AEUR was issued by Anchored Coins, a Swiss stablecoin issuer.

Nostr Assets gets clogged up

The Nostr Assets bitcoin platform has had to ask people to stop depositing into their platform because it's all clogged up. The project uses the bitcoin Lightning Network, which itself is an attempt to overcome the slowness and high cost of the bitcoin network. However, it too has limited capacity, and Nostr Assets has announced that the "inbound capacity of lightning channels" was depleted.

Meanwhile, the founder of the Nostr social media platform has accused Nostr Assets of being an "affinity scam" by falsely suggesting in their platform name and $NOSTR token naming they are affiliated with the Nostr project. Nostr Assets has described the allegations as "unfounded", saying that their use of the Nostr network means the name is "pertinent", and suggesting that Nostr's founder has no basis to dictate who can use the Nostr name as it is a decentralized and open source project.

Rob Robb robs victims of $1.2 million

If you're named Rob Robb, do you have any choice but to go into a life of thievery?

Robb, also known as "pokerbrat2019", convinced at least 11 people to give him a total of $1.2 million, which he said he would use to develop various MEV bots. Instead of doing so, he pocketed the money, offering a litany of excuses for why the project was continually delayed.

Robb had previously been convicted of a $4 million scam in 2002 after soliciting funds for an online gambling platform, instead using the money to buy a car and fund his own gambling.

Ethereum projects scramble to address widespread smart contract vulnerability through ThirdWeb

Projects using the suite of pre-built smart contracts from crypto development platform ThirdWeb have been racing to migrate to patched versions as ThirdWeb has disclosed a vulnerability affecting dozens of its contracts. Although they claim no contracts containing the vulnerability have been exploited, they've urged projects using them to urgently migrate to updated versions without the flaw.

Projects relying on these pre-built smart contracts will have to lock the old contract and deploy new ones, then provide new versions of tokens via airdrop or a claim page — a fairly disruptive process.

Major NFT marketplace OpenSea issued a statement that they were working with ThirdWeb about a vulnerability "impacting some NFT collections". Rarible also stated that some NFT collections on their platform were affected, including some on the Polygon sidechain. Coinbase and Base also disclosed that some projects on their platforms were vulnerable. Projects by groups including Cool Cats and Mocaverse will need to be migrated.

Users of the Safe Wallet lose cumulative $2 million to address poisoning

Users of the (not so) Safe Wallet have lost $2.05 million altogether in the past week as they've been targeted by an attacker using an address poisoning attack. The same attacker was also behind such an attack on the Florence Finance real-world lending protocol, in which they stole $1.45 million.

According to research group ScamSniffer, the attacker has stolen at least $5 million from at least 21 victims in the past four months.

Florence Finance loses $1.45 million to address poisoning

An apparent address poisoning attack on the Florence Finance real-world asset lending protocol led to the loss of $1.45 million in the USDC stablecoin.

As of December 4, Florence Finance had not publicly acknowledged the theft.

DraftKings was secretly paid to run a Polygon network validator

In March 2022, Polygon boasted about how "The decision by DraftKings, a NASDAQ-listed company, to take an active role in day-to-day operations of a major network is an important adoption milestone for the blockchain industry." The company had agreed to run a validator on the network, and Polygon claimed in a press release at the time that DraftKings would be "an equal community member" among other validators.

However, it turns out that Polygon allocated tens of millions of tokens to the DraftKings validator — far more than they allocated to other validators — on which DraftKings earned a highly unusual 100% of staking rewards. Polygon also sent the company 2.5 million of their MATIC tokens (priced at just over $1.5 million at the time), and it's unclear if this was a purchase by DraftKings or a transfer as a part of the deal.

In October 2023, Polygon kicked DraftKings off the network as the validator had failed to maintain performance standards. Throughout the period that DraftKings maintained the validator, they earned millions of dollars through the undisclosed partnership.

Crypto media outlet Forkast goes bust

The crypto media website Forkast has stopped publishing and laid off most of its editorial staff. The last post on the site is from November 22.

After raising $1.7 million in seed funding in 2021, the site seems to have run out of runway. It merged with the CryptoSlam data aggregator in January 2023, but that apparently didn't help it sustain operations. The company appears to be trying to rebrand as "Forkast Labs", and is offering crypto data feeds.

BitStable decides to burn most tokens after public sale goes wrong

BitStable launched their BSSB token in a public sale only to watch as all tokens sold out in one block. Four entities acquired the majority of the BSSB tokens, an outcome that the team had been hoping to avoid in the interest of "fairness and integrity". As a result, the team announced that they would burn 75% of the tokens.

Some applauded the decision, seeing the token hoarding as an unfair tactic that deprived others who wanted the tokens of their opportunity to buy any. However, some — particularly those who succeeded in buying tokens in the initial sale — worried that they were being "rugged" as the team threatened to destroy their tokens. Others objected based on the "code is law" ethos: "Basically we used ur platform and ur rules - u said ur selling at 500k mcap valuation and now changed it to 3m mcap valuation after it sold out - straight rug material u can't do that lmao", wrote one person on Twitter.

SoFi neobank ditches crypto

After entering the crypto sector in 2019, the neobank SoFi is jettisoning the blockchain portion of its business by mid-December. Customers are being given the option to move their accounts to Blockchain.com; otherwise their assets will be liquidated.

The move is likely tied to its bank charter, which was conditionally approved with a two-year period in which it was required to receive approval for its crypto business. SoFi had previously described discussions with the Federal Reserve "to determine whether there is a path to conform our crypto-related activities to the requirements of the Bank Holding Company Act" — this move suggests they decided there was not.

Hounax crypto scam steals $19 million

A scam Hong Kong cryptocurrency platform called Hounax swindled its customers out of HK$148 million (US$19 million). The group drew in customers by offering financial expertise on social media and awarding prize money to those who signed up to the platform. While some customers successfully tested whether they could withdraw their funds earlier on, the platform later stopped allowing customers to withdraw, or told them they would need to pay additional fees to do so.

The Hong Kong Securities and Futures Commission added Hounax to its warning list on November 1, a move that victims have criticized as much too late to stop the damage.

Bitcoiner spends $3 million on transaction fee

A Bitcoiner making a large transaction ended up spending 83.64 BTC (~$3 million) of the 139.42 BTC (~$5.1 million) transaction on transaction fees, effectively spending $3 million to send what ended up being a $2 million transfer. This apparent error has become the largest transaction fee in Bitcoin history.

A person then claimed on Twitter to be the owner of the wallet, verifying the claim by signing a message from the wallet that paid the fee. They claimed that they had been hacked, and that an error on the attacker's part led to the huge fee payment. AntPool, the mining pool that mined that block and earned the huge fee, later agreed to return the fee, though it's not clear if or how they verified that the person to whom they're returning the fee wasn't in fact the attacker who had obtained control of the wallet.

A similar fee overpayment incident occurred in September, when the Paxos crypto firm erroneously paid a $500,000 fee to send $1,865. They attributed the huge fee to a bug in their software, and the F2Pool mining pool (who had mined the block and received the fee) opted to return the overpayment.

KyberSwap hacked for $50 million

The KyberSwap decentralized exchange was hacked by an attacker who stole large sums of ETH, wETH, and the USDC stablecoin. Altogether, the assets are valued at around $54.7 million. The attacker was able to exploit a complex bug in a feature for liquidity pool providers. Prior to the hack, KyberSwap had approximately $80 million in TVL.

Shortly after the attack, the thief sent a message: "Negotiations will start in a few hours when I am fully rested." The KyberSwap team later responded to offer a 10% bounty, also seeming to praise the attacker: "You have done one of the most sophisticated hacks ser. That was high EV and everyone missed it."

The thief had other plans, though, ultimately issuing a list of "demands" which included "complete executive control" over the company and "surrender of all ... assets" to the hacker. They wrote that they had big plans for the network, and although they planned to dismiss all executives, they wrote that employees would be offered double salaries to continue their work. The hacker signed the message "Kyber Director".

Meanwhile, KyberSwap regained around $4.7 million after negotiations with the operators of front-running bots, who agreed to return 90% of the funds they obtained through frontrunning the hacker's transactions.

HTX (fka Huobi) and Heco Chain hacked for $115 million

Justin Sun confirmed that HTX (formerly Huobi) and its related Heco Chain protocol were hacked for a combined $115 million. It's been a rough few weeks for Sun, whose Poloniex exchange was hacked for around $120 million on November 10, and a rough few months for HTX, which was hacked for $8 million in late September.

HTX suspended withdrawals as they investigated the hack, and wrote that the company would "fully compensate for HTX's hot wallet losses". Security firm Cyvers said they believed the theft was enabled by a private key leak.

Binance fined over $4 billion, founder pleads guilty and resigns

Binance founder Changpeng "CZ" Zhao pleaded guilty to money laundering charges and agreed to step down as CEO of Binance, the largest global cryptocurrency exchange. He will pay a $50 million fine and faces the possibility of 18 months in prison.

Binance agreed to pay $4.3 billion in restitution for widespread wrongdoing including failure to implement proper anti-money laundering programs, unlicensed money transmitting, and sanctions violations. Binance will be allowed to continue operating, but will be subjected to a three-year-long monitorship program to ensure AML and sanctions compliance.

Simultaneously with the DOJ action, Binance reached agreements with the CFTC, FinCEN, and OFAC on ongoing legal issues. Notably, the SEC lawsuit was not among those settled.

CZ posted a long thread on Twitter, admitting "I made mistakes, and I must take responsibility," carefully sidestepping mentioning what any of those mistakes were.

Aragon DAO votes to sue its founding team

Aragon is a prominent project that creates DAO infrastructure. Ironically, its own DAO-based governance has been fraught, with the group facing a governance crisis in May over conflicts between the DAO and the Aragon Association (a small group of "stewards" for the project).

Now, after the Aragon Association decided without consulting the DAO to dissolve itself and wind down the project's governance tokens (while keeping some of the funds), the DAO has voted to sue the group. The DAO has accused the group of improperly taking investors' money to put it "into their new secretive company". They've allocated $300,000 to legal efforts.

Bittrex finally closes up for good

After paying a then-record $29 million fine for sanctions violations in October 2022, shutting down US operations in March 2023, filing for bankruptcy in May, and paying $24 million to settle a lawsuit from the US SEC in August, Bittrex is finally throwing in the towel. The company announced that it was closing its global operations, and urged customers to withdraw funds stored with the exchange within only two weeks. They also informed customers who held US dollars on the exchange that they would not be allowed to withdraw, and would have to convert their dollars to Euros or cryptocurrency.

Bittrex used to be a major player in the US cryptocurrency market, with over 20% of US market share in 2018. However, the exchange's dominance had dwindled to below 1% as of 2021.

DOJ reportedly seeking $4 billion resolution to Binance investigation, with possible criminal charges against CEO

According to Bloomberg, ongoing negotiations between the U.S. Department of Justice and Binance have involved penalties greater than $4 billion as part of ending an ongoing, multi-year probe into the exchange. Such a settlement would not insulate founder Changpeng "CZ" Zhao from criminal charges.

The negotiation may involve a deferred prosecution agreement, in which the US would file a criminal complaint but agree not to prosecute so long as Binance met agreed conditions under a monitoring process.

It remains to be seen if this is the avenue the DOJ and Binance will go with. A Bloomberg source speculated that a decision could come within the next few weeks.

Kraken sued by U.S. SEC

Kraken is the latest cryptocurrency exchange to face a lawsuit from the U.S. Securities and Exchange Commission. According to the SEC, Kraken violated securities laws by listing tokens like Polygon (MATIC) and Solana (SOL), which the SEC has argued in this and in other lawsuits are unregistered securities.

Furthermore, the SEC claims that Kraken commingled corporate and customer funds, "at times pa[ying] operational expenses directly from bank accounts that hold customer cash."

Kraken's new CEO, Dave Ripley, posted on Twitter that the company "plan[s] to vigorously defend [their] position" that they do not list securities.

DOJ cracks down on $225 million crypto romance scam

At least according to the rather shady Tether stablecoin provider, the U.S. Department of Justice has been working on an investigation into a massive "pig butchering" romance scam and human trafficking operation based out of Southeast Asia.

According to Tether, they "voluntarily fr[oze] approximately 225 million in USDT tokens" in connection to the investigation.

Some romance scammers hoping to lure victims into sending them cryptocurrencies are themselves victims of human trafficking operations, where they are held victim and forced to send such messages.

dYdX insurance fund loses $9 million in apparent attack

Around 40% of the "insurance fund", intended to protect dYdX users from having to backstop other traders' losing trades, was drained in what dYdX's CEO described as "pretty clearly a targeted attack against dYdX". An attacker manipulated the market for the Yearn Finance token, which is not normally heavily traded on dYdX, but which experienced a surge in trades around the attack. By taking advantage of flaws in dYdX's risk management, the attacker was able to rack up big losses and then force the dYdX insurance fund to pay out.

Kronos trading firm suffers key breach

The cryptocurrency trading firm Kronos Research announced on Twitter that they had stopped trading while they investigated "unauthorized access of some of our API keys". They claimed that "potential losses are not a significant portion of our equity". They later confirmed the loss at around $26 million.

Aqua web3 gaming marketplace shuts down

It's not that blockchain gaming was a flop, they were "just too early" (said CEO Sean Ryan). The Aqua gaming NFT marketplace announced their shutdown, attributing it to "challenges in raising funds and the slower-than-expected growth within the web3 gaming sector". Users were instructed to transfer their funds off the platform by December 1.

The company launched its marketplace in September 2022, backed by $10 million from the DIGITAL venture fund.

The Blockchain Group suspends stock trading in apparent financial crisis

French blockchain firm The Blockchain Group announced that they had requested trading be halted on the company's shares and postponed a planned company meeting. The announcement disclosed "financial difficulties" that had caused the company to try to obtain rescue financing. They also said that they had begun discussions with creditors around possible restructuring.

The Blockchain Group is behind a number of different services, including a crypto wallet called Eniblock and an open source software bounty project called Bountysource. Users of the Bountysource project have been complaining about issues receiving payments since as far back as May 2023.

Network of fake Twitter accounts impersonating crypto security firms phish panicked victims

[Image: A screenshot of Twitter's trending topics sidebar, showing that #OpenSeaSecurityBreach, #OpenSeaHackAlert, and #CryptoSafetyConcerns were trending. Caption: Twitter trending topics on November 14]

On the evening of November 14 I logged on to Twitter to notice that #OpenSeaHackAlert and related hashtags were trending. But they were trending not because OpenSea had truly been hacked, but because a huge network of fake accounts with usernames similar to those of PeckShield, CertiK, and zachxbt — well-known accounts that alert crypto traders to possible scams — were spamming the hashtag. Hoping to spark panic into crypto holders who had used the popular service, as well as other services like Uniswap which they were claiming were breached, the phishers shared links to sites that would supposedly help users revoke access to their wallets by those services, securing their assets. Instead, however, those malicious sites would drain the wallets.

According to researcher zachxbt, who was himself one of those impersonated, the scammers have stolen more than $300,000 in various assets using this technique.

This is not the first time such a technique has been used — a scammer attempted a similar, though less successful, scheme in April 2022. Scams like this take advantage of the poor UX in the crypto world for tracking and revoking wallet permissions that have been granted, requiring people to use third-party websites created for this purpose. Some of them are legitimate, but there are many malicious copies of these revocation sites that prey upon users who may be acting quickly in fear that their assets are at risk.

Up to $1 billion stored in early Bitcoin wallets may be at risk due to "Randstorm" vulnerability

While trying to help a Bitcoin holder who lost their password, researchers at Unciphered discovered a major flaw in the way early Bitcoin wallets had been created. Thanks to a flaw in an open source software library called BitcoinJS, which was later incorporated into many wallet software projects to generate Bitcoin wallets with random keys, wallets created prior to 2016 may be vulnerable to cracking. Wallets created before March 2012 are at particular risk, as the roughly 6% of those that are vulnerable (and which hold a combined ~55,000 BTC, or ~$100 million) could be cracked without requiring major computing resources.

Unciphered worked with various wallet providers to contact people whose wallets may be vulnerable, though ultimately it is up to those wallet holders to secure their funds by creating new wallets and transferring their tokens. Unciphered also noted that some Dogecoin, Litecoin, and Zcash wallets may be vulnerable due to shared code.

Wallet drainer steals more than $60 million in six months

A wallet drainer service has facilitated the theft of more than $60 million in various assets from almost 100,000 victims since May 2023. According to research group ScamSniffer, the drainer has recently started using functionality in the Ethereum network called CREATE2 to generate new addresses for each malicious signature. This allows the drainer to sidestep security alerts built into some crypto wallet software that would flag known malicious addresses.

ScamSniffer identified one victim who lost almost 17,000 GMX (~$927,000) to this drainer after signing a malicious transaction.

Wallet linked to Binance deployer loses $27 million in apparent hack

An attacker apparently stole $27 million in the Tether stablecoin from a wallet that had just withdrawn the funds from their Binance account. The hacker quickly converted the funds to evade attempts at freezing the stolen assets.

Crypto researcher zachxbt observed that the wallet targeted for the theft had in 2019 received a transfer from the Binance deployer, suggesting that the compromised wallet may have some ties to Binance itself.

Raft exploited for $3.3 million, then hacker screws up

An attacker exploited the Raft defi project after finding a vulnerability that allowed them to mint 6.7 million of Raft's R stablecoin without any backing.

The attacker then went to convert the R into ETH, which they would then be able to launder and cash out. However, an error in the attacker's code caused 1,570 ETH ($3.25 million) to be sent to the burn address, rendering it permanently inaccessible to everyone including the hacker. Only 7 ETH remained. However, because they had to spend ETH to fund the attack, the hack ultimately resulted in a loss of 4 ETH (~$8,000) for the perpetrator. Oops.

As a result of the hack, the R stablecoin lost its dollar peg, plummeting down to around $0.70. Raft acknowledged the attack and announced that they had paused minting.

Samudai treasury drained

The treasury of the Samudai DAO was apparently drained as an attacker compromised the project's multisignature wallets and the wallet belonging to the project's founder, Kushagra Agarwal. Altogether, around $1.25 million in ETH was stolen.

Agarwal sent a message to the thief shortly afterwards, offering a 10% "bounty" in exchange for the return of the rest of the funds. The attacker didn't seem to be interested, and in mid-January began tumbling the assets through the Tornado Cash cryptocurrency mixer.

Samudai didn't seem to publicly acknowledge the theft, even though they've posted on Twitter a few times since then. The organization had raised $2.5 million in pre-seed capital in June 2022.

Poloniex hacked for more than $120 million

Assets including Bitcoin, Ethereum, and Tron's TRX token, priced at more than $126 million, were stolen from Justin Sun's Poloniex cryptocurrency exchange. Researchers are still homing in on the exact amount of funds that were stolen from the company's hot wallets across multiple blockchains, but suffice it to say it's a lot.

Poloniex was initially tight-lipped, posting on Twitter that they had "disabled for maintenance" an exchange wallet. Justin Sun later updated that they were investigating the "hack incident", and promised to "fully reimburse" the massive theft... somehow. He later tweeted that they would offer a 5% "bounty" to the hacker if they returned the funds within a week, threatening to "engage law enforcement" otherwise.

CoinSpot exchange exploited

The Australian cryptocurrency exchange CoinSpot appears to have been hacked for around 1,283 ETH (~$2.4 million). In two separate transactions, the ETH was transferred out of CoinSpot's hot wallet, then bridged to Bitcoin via Thorchain and another bridge.

Wintermute declares friendship over with Near Foundation and Aurora Labs after they refuse to send $11 million

"Public service announcement or 'how we are not really friends with Near Foundation and Aurora Labs going forward'", wrote Wintermute CEO Evgeny Gaevoy on Twitter. He launched into a thread accusing Near and Aurora of refusing to honor a previous agreement to facilitate the redemption of around 11.2 million USN, the de-pegged stablecoin of the Near network. Wintermute said they had helped FTX to sell that quantity of the USN tokens, providing them with dollars to disburse to creditors, under the belief that Near and Aurora would help them honor the USN redemptions at $1.

However, Near later decided it would not honor the redemption, accusing Wintermute of trying to pull off an arbitrage trade with the distressed asset. They also, somewhat curiously, claimed that the funds that were provided to Wintermute by the FTX estate may have been tied to illegal activities. Aurora also described Wintermute's claims as "unfounded", and accused Wintermute of "tr[ying] to exploit the programme to profit from the purchase of distressed assets from the Alameda estate".

Wintermute has promised to "pursue all legal avenues" against the Near Foundation and Aurora Labs.

MEV bot exploited for almost $2 million

An MEV bot was exploited after an attacker discovered a vulnerability in its code that allowed anyone to call one of its functions that sold wBTC for wETH. Using a flash loan to imbalance a wETH/wBTC pool on Curve, the attacker then caused the bot to purchase wBTC at its inflated price. They then sold the wBTC for a profit. Altogether, the exploiter made off with 1,047 ETH ($1.975 million).

Arrests made in $300 million Indian crypto scam

Indian police have arrested around eighteen people, including four police officers, in connection with a $300 million cryptocurrency scam that affected around 100,000 people in Himachal Pradesh. Victims were invited to invest in a cryptocurrency called Korvio Coin (KRO), but later the scam incorporated other tokens as well. Around 5,000 government officials and around 1,000 police fell victim to the scam, with some themselves becoming promoters.

The scam was allegedly orchestrated by Subhash Sharma, who has not been apprehended. This particular fraud was uncovered in September, but has been ongoing since as long ago as 2018.

Yuga Labs' social media lead resigns after racist and antisemitic tweets resurface

One might think that a social media lead might have a grasp on his own social media accounts, and might have scrubbed damning tweets made only shortly before he began his position.

One also might think that a company embroiled in constant racism accusations might be cautious about screening its employees.

Neither of these things happened, though, and someone dug up vile tweets by Shpend Salihu, better known as NGBxShpend. Salihu resigned shortly after the tweets came to light, writing that they had "become a distraction from the [Bored Ape Yacht] Club and what we're all about."

Bored Ape collectors experience searing eye pain after "ApeFest" party

[Image: Bored Ape #9291, a brown-furred ape wearing a slouchy orange beanie and black t-shirt, with red laser beams shooting out of (or perhaps into) its eyes. Caption: All this time I thought the lasers were going in the other direction (BAYC #9291)]

Bored Ape collectors attending an ApeFest party in Hong Kong have now been subjected to the kind of eye pain the rest of us have felt for years having to look at their hideous, pricey JPEGs.

The going theory is that event organizers skimped on lighting costs by using UV lights intended for sanitization, not for entertainment, causing burns to the eyes and skin. The eye condition, photokeratitis, is better known as "snow blindness" or "welder's flash", as it more typically affects people who haven't worn proper eye protection while welding or while exposed to sunlight reflected from ice and snow.

Several attendees reported having to seek emergency medical treatment after experiencing excruciating eye pain and vision problems, and tweet threads began circulating giving various other ApeFest attendees advice on recovering from the painful condition.

Bored Ape creator Yuga Labs belatedly issued a tweet two days after the incident, claiming only a small fraction of attendees had experienced "eye-related issues", but encouraging anyone with symptoms to "seek medical attention just in case".