An attacker apparently discovered a reentrancy bug allowing them to drain user funds from those who had approved the old contract. Altogether, around $1.8 million was taken before the team disabled the contract. The attacker quickly tumbled the stolen funds through Tornado Cash.
Dolomite exchange exploited for $1.8 million
SEC launches investigation into Ethereum Foundation
Although the SEC has agreed that bitcoin is a commodity and not a security, it has been hesitant to make similar explicit statements about ETH. Designation as a security could be devastating to the Ethereum project and to ETH, which is the second most popular cryptocurrency to bitcoin.
Bitcoin flash crashes on BitMEX
The incident underscores the thinness of the bitcoin markets on some cryptocurrency exchanges, and the ease with which a few whales can manipulate token prices.
BitMEX used to be among the largest cryptocurrency trading platforms, though its popularity diminished after its founders were hit with criminal charges in 2020 for violations of the Bank Secrecy Act.
Slerf memecoin meltdown only adds to mania
Thanks to the aforementioned frenzy, the project managed to raise $10 million in the presale. However, things went sideways when the developer accidentally burned the $10 million by sending them to an address where they would be permanently inaccessible. "oh fuck", the developer wrote ominously on Twitter, before explaining their mistake.
Some speculated that the screwup may have been a marketing ploy, in which case it was very successful, because the token went on to post more than $2.7 billion in trading volume over a 24-hour period — more than the entire ETH trading volume in that period. The monumental error by the developers seemed to have no damper on the overall frenzy around memecoins, or even produced the opposite effect.
Surely this trend won't end badly.
Wilder World game suffers $1.8 million theft, blames contractor
The project blamed the theft on a previous contractor who had the private key. They also explained that the attacker seemed to be a developer based on the fact that they had "specialized knowledge of ZERO's internal security systems".
Phisher impersonating influential crypto trader in Twitter replies scams over $2.6 million
In one of the real Ansem's tweets, Ansem wrote "i dont launch coins bros" — nevertheless, followers eager to get in early on a new memecoin clicked a link offering a presale and had their wallets drained.
Altogether, people lost $2.6 million to the scam. One individual lost $1.2 million.
Remilia Collective reports multi-million dollar hack
The attacker stole around 490 ETH (~$1.8 million) and $58,000 USDC, along with more than 130 Milady NFTs, 320 Remilio NFTs, and hundreds of derivative tokens issued on the NFTX platform. Based on floor prices, the assets are valued at north of $6 million.
The mechanism of the attack is still uncertain, though Fang has said he suspects malware that could have intercepted credentials to his Bitwarden password manager. Some have expressed skepticism around the "hack", suggesting it could have been inside job. The Remilia group had suffered a separate $1 million loss in September 2023 — blamed on a rogue developer — and failed to implement many security safeguards after that incident.
NFPrompt discloses hack
The platform announced on March 15 that it had suffered a "critical security incident" that it attributed to "a group of hackers" who were able to gain access to funds belonging both to the project's users and the project itself. They did not disclose how much was taken.
The project announced that it was working with the FBI, and had contacted centralized exchanges to ask them to freeze stolen funds.
Someone accidentally burns $1.36 million Tether
Most experienced crypto users have adopted the habit of sending small test transactions before transferring large amounts of tokens, to first check that they're using the correct address. Oddly, this person did so in this case, but then went right ahead and transferred the remaining tokens to the erroneous address.
The person may have lucked out that they were using a centralized stablecoin like Tether, whose operators hold a substantial amount of control over freezing, destroying, and creating new Tethers — and could feasibly replace the burned tokens.
Mozaic exploited for $2 million, recovers 90%
According to MozaicFi, the theft had been perpetrated by a rogue developer who was able to gain access to a private key held by a core team member. They also claimed that a simultaneous large sale of the Mozaic token resulted in cascading liquidations.
In good news for the project, the attacker moved around 90% of the stolen funds to MEXC, a centralized cryptocurrency exchange that was able to freeze the thief's access to the funds.
MOBOX lending platform exploited for $750,000
Massachusetts prosecutors seek to seize $2.3 million from crypto romance scam
- "United States Files Forfeiture Action to Recover Cryptocurrency Traceable to Pig Butchering Romance Scam", United States Attorney's Office, District of Massachusetts [archive]
Phishing attack drains $2 million from one victim
Incognito Market drug marketplace pulls multi-million dollar double scam
Making matters worse, on March 10 the website posted a message reading, "Yes, this is an extortion !!" They wrote that, although the platform promised to "auto-encrypt" messages between buyers and sellers, and auto-delete after an expiry date, messages were not encrypted or deleted. They demanded that users pay an additional $100 to $20,000 to have their information removed from the dataset, which they promised to release at the end of May. "Whether or not you and your customers' info is on that list is totally up to you."
The tactic is reminiscent of that of ransomware groups, which often demand double fees: one from victims of hacks first to regain access to their systems, and another in exchange for a promise to destroy stolen data.
- Incognito Darknet Market Mass-Extorts Buyers, Sellers, Krebs on Security [archive]
Kickstarter's bizarre "pivot to blockchain" spurred by secret $100 million Andreessen Horowitz investment
Crowdfunding website Kickstarter surprised and dismayed many of its users in December 2021 when they announced they would be moving the product to the blockchain in December 2021 for... reasons. That blockchain would just so happen to be the relatively unknown Andreessen Horowitz-backed Celo blockchain. "How this will actually work, beyond Kickstarter being able to yell 'blockchain' like a spell to summon investors ... is unclear," wrote Tom McKay at Gizmodo.
He probably didn't realize how right he was, but now it's been revealed that KickStarter was able to land a $100 million investment from Andreessen Horowitz with handwavy proclamations about the blockchain that its own COO didn't seem to quite understand.
The company seems to have since given up on its blockchain ambitions — in no small part thanks to user revolt. It seems that $100 million windfall didn't include any terms actually requiring Kickstarter to follow through.
Twitter phishers steal over $46 million from 57,000 victims in February
The largest individual loss was the phishing attack against kirilm.eth, who had over 180 million $BEAM tokens notionally worth over $5 million drained from their crypto wallet. The attacker sold the tokens for around $4.5 million.
The total amount stolen is down slightly from January, in which $55 million was taken. Altogether, scammers have stolen over $100 million via Twitter phishing alone in the first two months of 2024.
Crypto4Winners investment firm claims funds were stolen
The company had paused withdrawals the previous day, and has not re-enabled them. They also have not disclosed the amount that was allegedly stolen.
Crypto4Winners claims it has earned 377% returns on customer investments since 2019, producing 3–20% monthly returns.
The company is co-owned by Luc Schiltz, who was sentenced to six years in prison in 2017 for defrauding victims of over $1.5 million through various investment frauds. He was released after two years, and quickly started the Crypto4Winners project after.
Unizen platform hacked for $2.1 million
The project team sent on-chain messages to the attacker, offering a 20% "bounty" for the return of the remaining funds.
WOOFi hacked for $8.75 million
Blockchain security firms detected the attack quickly, and the project team paused the project's smart contract within fifteen minutes, but not before the millions were stolen. They contacted the attacker via an on-chain message to offer a 10% "bounty", later threatening that they had a "strong lead that we think will soon reveal the identity of the exploiter".
- Woofi, Rekt [archive]
- "WOOFi sPMM exploit post-mortem", WOOFi [archive]
"The AI Protocol" burns tokens after holder suffers $4.3 million theft
Blockchain sleuth zachxbt was able to coordinate with the project to organize a community governance vote to burn the stolen tokens before the attacker was able to cash out. Although this doesn't return the stolen funds to their original owner, it at least keeps the attacker from profiting.
Shido exploited for at least $3.3 million
Although the stolen tokens were nominally priced at $35 million, the massive theft caused the price to plummet 94%. The attacker has converted the stolen tokens to around 956 ETH ($3.3 million).
The Shido team announced that they would be trying to offer a "bounty" to the hacker.
Seneca Protocol bug enables at least $3 million in stolen user funds
Making things worse, although the project's smart contract inherits the Pausable
module that should allow the Seneca team to halt the malfunctioning code, they never implemented the function, meaning there's no way for them to stop the thefts. Instead, individual users must each revoke access to the flawed contract.
"Crypto inheritence" project Serenity Shield hacked, token price plummets 99%
An attacker stole 6.9 SERSH tokens from a MetaMask wallet belonging to the project. Although the tokens were ostensibly priced at $5.6 million, the thief was only able to sell them for around $586,000.
Serenity Shield confirmed the breach, and encouraged people to stop trading $SERSH as they planned to relaunch the token. "Rest assured, we are deploying all necessary safety measures to ensure a foolproof system," they wrote. This time it will be secure, they promise.
The team also sent a message to the hacker, offering a 15% "bounty" and a promise not to pursue legal action in exchange for the return of the stolen funds.
According to crypto sleuth zachxbt, the attack seems to be linked to exploits of OKX (December 2023) and Concentric (January 2024).
- Tweet by Serenity Shield [archive]
- Zachxbt on Telegram [archive]
- On-chain message by Serenity Shield to the hacker [archive]
Scammers hack Twitter account of late actor Matthew Perry, solicit "donations" for "substance abuse charity"
Some scammers were able to compromise the Twitter account belonging to the Friends star Matthew Perry, who passed away in October 2023. He had spent much of his life battling addiction, and his death was drug-related.
The scammers took advantage of this to share crypto addresses that they claimed would funnel donations to the real Matthew Perry Foundation, which actually tries to help those battling addiction. However, in a post on Perry's other social media accounts, the Foundation clarified that they had nothing to do with the wallets or the Twitter posts, and described the website as "fraudulent".
tea.xyz causes a flood of spam pull requests to open source projects
A project called tea.xyz promised people they could "get rewards for [their] open-source contributions", complete with a flashy website describing how it would "enhance the sustainability of open-source software".
So far, it's achieved the exact opposite. Promising to reward open source contributors with crypto tokens, the project asked users to verify their access to open source projects by merging in a YAML file containing their crypto wallet address. This kicked off a flood of pull requests to prominent, often non-crypto-related open source projects by people who had never contributed to the project (or, often, any open source project), but who wished to merge in a file describing them as a "code owner".
Particularly impacted by this project was the open source blogging platform Ghost, which was used as an example in the demo video released by tea.xyz, and which received several PRs of this kind. A somewhat flummoxed maintainer of the repository replied to one PR: "[I]n practice the TEA project is not helping to support the Ghost project, but is instead causing a rush of self-serving PRs to be submitted to cash-in on other people's work. ... This why people hate on crypto." A maintainer of another unrelated open source project called "ghost" also reported receiving an influx of spam PRs.
This is not the first time crypto has generated massive Github spam, although another recent incident was (blessedly) mostly limited to open-source crypto projects and didn't waste the time of non-crypto-related projects as this one has.
- "The disappointing tea.xyz", Connor Tumbleson [archive]
- Github pull request for Ghost [archive]
$440,000 stolen as MicroStrategy's Twitter account is hacked
Although Saylor has been publicly critical of Ethereum, that didn't seem to raise flags among those eager to receive an airdrop of the Ethereum-based "MSTR" token that the company's Twitter account claimed they had just launched. Those who fell for the phishing link were redirected to a website that spoofed the real MicroStrategy website, with malicious code that drained funds.
Around $440,000 was stolen thanks to the fake announcement, with the majority of it coming from one wallet that was drained of a variety of tokens notionally worth around $425,000.
Dechat announces its token launch with a link to the wrong token
"You clowns literally linked a honeypot for your own token launch," wrote crypto sleuth zachxbt. Some users replied that they had lost money to the erroneous link.
Dechat quickly removed the post and created a new one with a corrected link. They also promised to reimburse users who had lost money to the honeypot.
BitForex shuts off website after $57 million withdrawal
The withdrawals were first noticed by blockchain detective zachxbt, who also noted that the exchange has stopped processing withdrawals and has not been replying to customer support inquiries.
It seems likely that the outflows were an exit scam rather than an outside attack, particularly given the lack of communication and somewhat shady status of the exchange. The firm faced regulatory scrutiny in Japan in mid-2023 for operating without a license, and has been accused of inflating its trading volume. Its CEO resigned in January, but promised a new team would be taking over.
"Fully private" Aleo blockchain accidentally sends out copies of users' identification documents
A user posted on Twitter that they had received an email with someone else's identification. "That makes me wonder, if I have someone else's KYC document, who else have you sent mine to?" Another person replied to the thread that they had experienced the same thing.
Aleo acknowledged their screw-up on social media, claiming that only ten individuals were impacted, and that it had happened thanks to a "copy/paste error in email metadata".
- "Zero-knowledge chain Aleo faces privacy leak issues", CryptoBriefing [archive]
Crypto tumbler Tornado Cash suffers code exploit, putting funds at risk
The code leaks private notes associated with deposits to a "private malicious server" owned by the person who initiated the code change. Private notes on Tornado Cash are the keys that allow a person to later withdraw the funds they have deposited into the mixing service.
This is not the first time DAO governance has gone wrong for Tornado — in May 2023, the project underwent a hostile takeover via malicious code that went unnoticed.
Myanmar-based romance scam operation pulls in $100 million in less than two years
Many of the workers for the romance scam group are themselves victims of human trafficking. The operation is based in a "compound" near Myanmar's border with Thailand, and researchers estimate that thousands of trafficked workers operate the scam from the "self-contained city".
The scam may put more pressure on Tether, whose role in human trafficking and high-volume romance scam operations has been scrutinized more heavily in recent months and years. Tether has frozen some assets belonging to romance scammers in the past, but remains the token of choice for many of these groups.
- "$100mn in crypto payments traced to Myanmar-based 'scammers'", Financial Times [archive]
RiskOnBlast gambling platform rug pulls for $1.3 million
The team behind Blast had even helped to promote the RiskOnBlast platform, tweeting from its official account that Blast was "a new challenger" in the ecosystem with "undeniable" potential.
On February 25, the platform drained more than 420 ETH (~$1.3 million) from more than 750 user wallets on their platform. The project's anonymous team then laundered the funds through various services and exchanges. All social media accounts for the project were taken offline.
Australian disappears with more than US$585,000 erroneously transferred to his cryptocurrency account by OTCPro
OTCPro didn't notice their error until February 4, by which point Chai had already disappeared. They were able to recoup some funds that Chai had left in the OTCPro account, putting their total loss at around AU$490,000 (US$320,000).
A judge issued an injunction to try to prevent Chai from leaving the country, and issued a freeze on his assets. However, a freeze may be ineffective depending on if and how Chai has laundered the funds.
Blueberry Protocol narrowly avoids $1.3 million hack
About 457.7 ETH ($1.35 million) was drained from the project, but 366.6 ETH ($1.08 million) of that was able to be returned. The remaining ~91 ETH (~$265,000) was lost to validator payments.
Blueberry paused their protocol as they investigated the hack, and stated that they "aim for a full repayment to users as the goal".
DeezNutz_404 hacked for $170,000
One thing that keeps me from ever trying my hand as a crypto project hacker is that if I made $170,000 from exploiting a project called "DeezNutz_404", I would immediately be caught because I wouldn't be able to resist telling everyone I know that I'd just made enough money to not have to work for a couple years by exploiting deez nuts.
Anyway, there was a bug in their code that allowed an attacker to mint infinite tokens and steal around 58.65 ETH (~$170,000).
Axie Infinity co-founder suffers $9.5 million loss after wallet compromise
Some were briefly concerned that Axie Infinity's Ronin Bridge had been hacked (again), since the funds moved out of the bridge. Jihoz and others were quick to emphasize that the bridge had not been affected, and it was simply a personal wallet compromise.
Influencer "Crypto Rover" accused of pump-and-dump and other shady behavior
Zachxbt outlined various incidents, including how Crypto Rover purchased "Stoned Pepe" tokens before posting to his hundreds of thousands of followers that he thought the token would "do at least a 10x", and claiming that he had inside info on the project. He also detailed how Rover had taken a $10,000 payment and 1% of the supply of a new token that he promised to promote, then never promoted — despite promising the team that he could "pump projects from 1/2m to 10m easy".
After zachxbt published his research, Rover deleted his Telegram channel.
Over $55 million taken from defunct AAX crypto exchange
Now, over a year later, the Cyvers blockchain security firm has observed more than 24,000 ETH (~$55.6 million) has been moved from wallets used by the platform. Although there could be innocuous explanations for money moving off a defunct platform, whoever was moving the funds used various decentralized services to launder the money, appearing to be trying to make it more difficult to trace.
Airdrop hunters spam Github projects
Several repositories for crypto projects that have not launched tokens were inundated with hundreds of trivial Github issues apparently written in the hopes that in the event of an airdrop, they would be considered contributions.
"Please don't submit a GitHub issue just for farming purposes," wrote one employee of a crypto project receiving such spammy contributions. "The [project] core team is stretched thin enough as it is, please don't make our lives harder." Several projects had to limit who was allowed to open new issues in their repositories to try to tackle the spam.
FixedFloat exchange hacked for $26 million
FixedFloat first wrote that they had "encountered some minor technical problems", then acknowledged that there had been a hack. FixedFloat is non-custodial, so no user funds were impacted, however some have reported frozen transactions and missing funds from using the service on social media.
- "FixedFloat confirms $26M exploit in Bitcoin, Ether", CoinTelegraph [archive]
Yuga Labs acquires Moonbirds amid speculation of insider trading
Anyway, after the acquisition was announced, prices for Moonbirds spiked, as was to be expected.
What wasn't expected was a notable spike in trading in the days leading up to the acquisition announcement, in which some wallets began accumulating large amounts of Moonbirds and related NFTs. One such wallet purchased 80 Moonbirds, 71 Moonbird Mythics, 28 Oddities, and 13 Mythic eggs in the week leading up to the announcement, and enjoyed several hundred thousand dollars in profits after the acquisition was announced.
Trader loses $4.5 million in phishing attack
The stolen tokens were notionally priced at around $5.14 million, although the sale of the stolen tokens resulted in a price drop that meant the attacker ultimately was only able to trade them for 1,629 ETH (~$4.5 million). The BEAM price dropped around 10%.
YouTuber KSI accused of pump-and-dump
Although the token dumping occurred in March 2022, zachxbt waited until now — when KSI returned to his dormant Twitter account — to release the evidence he'd collected.
KSI had previously claimed to followers that he was "holding his bags", meaning not selling the XCAD tokens he'd purchased or been given. zachxbt determined this to have been a lie. The XCAD founder later came to KSI's defense, claiming he had bought more tokens than he sold, as though that somehow justifies the behavior.
- "KSI Accidentally Exposes His Crypto Scams", Coffeezilla [archive]
- Tweet thread by zachxbt [archive]
"Decentralized" social network Farcaster criticized after confiscating channel name to be used by influential crypto podcasters
This made it a bit of a shock when the co-founder of the a16z-backed Farcaster blockchain-based social network messaged a user to inform them that he would be taking away the channel name he had registered, whether he agreed to it or not. According to the co-founder, Dan Romero, the popular Bankless crypto podcast had requested the bankless
channel name, which the user he was messaging had already registered.
After the user argued back against Romero's offer of $25 in USDC to reimburse him for the channel name, and said it set a poor precedent, Romero stated: "ok this isn't productive. do you want USDC for the refund or warps" (referring to the non-crypto points used by the Warpcast client for Farcaster).
On one hand, some criticized the user who had registered the name for allegedly squatting on the channel name and trying to resell it. Romero defended his decision by arguing, "I never said channels were decentralized yet" (though the platform does generally claim to be "sufficiently decentralized"). Others argued the action set a bad precedent, and flew in the face of the ethos supposedly motivating these types of web3 social networks.
Romero has promised on Twitter that Farcaster channels "will be onchain later this year and like [user identifiers] won't be able to be touched." When pushed on the precedent this sets, he replied, "So let the squatter extort money?" Romero clearly needs to grapple with the fact that, like it or not, squatting is a feature of systems that take a hands-off approach to managing access to identifiers. This should not be news to anyone remotely familiar with the web, where "domaining" emerged out of the relatively laissez-faire structure of DNS — though unlike with fully decentralized identifiers, there can be some intervention when domain name speculation enters the realm of cybersquatting.
- "Farcaster" blog post by Dan Romero [archive]
- "Farcaster Explained: The Blockchain-Powered Decentralized Social Media Protocol", Decrypt [archive]
- Tweet thread by JohnnyFiat.eth [archive]
- Tweet by Dan Romero [archive]
- Tweet by Dan Romero [archive]
Creator of "Robotos" NFT project, once collaborating on a TV series with TIME studios, accused of rug pull
Rewind to November 2021, when it was announced that TIME Magazine's film and production studio would be collaborating with Stanley to develop a children's animated TV show based on the Robotos NFTs. The announcement helped to drive interest in the NFT collection, which reached a peak floor price of around 1.5 ETH (~$5,000 at the time).
Since then, no show has materialized, and the collection's floor price has dwindled. NFTs from the collection have recently sold for around 0.015 ETH (~$42). In the project Discord, Stanley claimed that TIME had lost interest in the project after the writer's strike. He also wrote that he had lost faith in web3: "Glad you still believe. It's hard for me to believe in it anymore." He explained that he had viewed Robotos as a "personal side project", and that he was "sorry if that's not enough for most people, but that's all I have the appetite for, and that's all I can offer."
- Tweet thread by HashBastardsNFT [archive]
- Tweet thread by Robotos [archive]
- Tweet by FotiWeb3 [archive]
- "TIME Studios, in Partnership with Nelvana, to Begin Production on Two Animated Children’s Series Based on New Characters from Creators of 'Robotos' and 'the littles' NFT Collections", press release from TIME [archive]
Duelbits crypto casino exploited for $4.6 million
It appears that the thief got access to a Duelbits wallet, perhaps through a private key compromise.
Yuga Labs bungles "free" Otherside NFT drop
Yuga released a new NFT, intending to function as ship parts that could be combined to create a ship to be used in the game. Players who had completed an Otherside minigame would be eligible to mint these NFTs for free. However, the "free" NFT cost around $30 in gas fees to mint. Worse still, the parts were meant to be repeatedly traded and combined to make new parts and ships, leading fans to wonder why on earth they decided to release the project on a blockchain where each transaction often costs tens of dollars.
Apparently realizing they'd made a mistake, Yuga first responded by announcing they would gift people free "Catalyst" NFTs to make it up to them. This only sparked further rage, though, as it was seen to dilute the value of the Catalyst NFTs and throw off incentives.
Yuga later reversed course on this decision, instead deciding to reimburse the gas fees.
This was not Yuga Labs' first gas-related fiasco, after they caused gas fees to spike into the thousands of dollars across the entire Ethereum network in April 2022 during the initial Otherside land sale.
One observer wrote, "[W]hat's the plan for the marketplace in Otherside that is supposed to support millions of daily microtransaction? I'm afraid this means Otherside is much less developed than we would like to hope. These decisions are entry level mistakes, not mistakes we should see from the biggest company in the space developing a metaverse. If the Otherside mint wasn't an eye opener, then this wont be either."
PlayDapp crypto gaming platform exploited, spurring misleading headlines
Days after the initial attack, on February 12, the attacker minted another 1.59 billion $PLA. This has led to news reports that the platform was exploited for "$290 million". However, this value is being naively calculated based on the token price without taking into account the massive supply inflation, and ignoring that that dollar figure is more than 2.5x the total claimed market cap of the token. Even reputable outlets like Bleeping Computer have printed the figure in their headline (though Bleeping Computer later changed the headline to a more accurate one).
PlayDapp sent on-chain messages to the attacker, offering a bounty, but the offer was ignored.
Solana goes down for five hours
With blockchains promising to become "world computers" upon which anyone can create projects ranging from mere toys to critical infrastructure, uptime is crucial, and a five-hour-long outage is devastating.
SIM swappers charged over hacks, reportedly including FTX
Although the indictment does not name FTX, Bloomberg has reported that "victim company-1" named in the court filings was FTX, which was hacked for around $400 million amid the chaos as the company was collapsing.