LENX co-founder accused of $10 million rug pull

The LENX cross-chain bitcoin liquidity protocol has recently been accused of a $10 million rug pull after community members observed massive withdrawals of treasury funds which were then sent to Binance accounts.

One of the co-founders, known only as "Paul", claimed on Discord that he was "trying to investigate" the movement of funds, which have been blamed on the project's other co-founder, John Kim.

Conversations on Discord suggest that a remaining $3 million in treasury funds were protected, and that the remaining LENX team may have been able to convince Binance to freeze the account that received stolen funds. However, little has been verifiably confirmed to date.

LENX is backed by the Frax Finance lending protocol.

KuCoin and founders criminally charged

The cryptocurrency exchange KuCoin and two of its founders, Chun Gan and Ke Tang, were indicted in the Southern District of New York on charges of conspiring to operate an unlicensed money transmitting business and conspiring to violate the Bank Secrecy Act. Both founders are Chinese citizens, and neither has been located or arrested.

According to prosecutors, they tried to conceal that the exchange had customers from the United States in order to claim that they were exempt from US anti-money laundering laws. They also marketed KuCoin as a KYC-optional exchange where customers from the US could operate unverified accounts.

The charges against the founders carry maximum sentences of five years in prison.

"Munchables" crypto game exploited for $62.5 million

A small round furry shape with big blue eyes and thin legs, somewhat resembling a soot spriteA Munchable (attribution)
The "Munchables" crypto game explains: "Schnibbles grow on every realm across the Munchable's world. Each realm has their own unique and distinctive schniblet, and the Munchables react differently based on their compatibility to the schniblets fed to them. When creating an account for the Munchables, you must choose the location of your snuggery." Right then.

Things went awry in the land of the schnibbles and snuggeries when an attacker siphoned around 17,400 ETH ($62.5 million). Various descriptions of the attack circulated, with blockchain sleuth zachxbt attributing it to a recently hired developer, and crypto developer 0xQuit claiming the theft appeared to have been "planned since deploy".

Some began discussing the possibility that the Blast layer-2 blockchain might forcibly roll back the chain to "undo" the hack. Some have argued this is contra to the crypto ethos or would set a bad precedent, while others have argued that as a blockchain focused more on gaming and experimentation and less on decentralization and other facets of crypto ideology, it would be a reasonable step.

Some hours after the attack, the exploiter was convinced to return the funds.

Curio RWA project suffers $16 million exploit

Curio, a crypto project that creates tokens based on "real-world assets" (RWAs) like cars, watches, wine, and other goods, has suffered an attack that saw around $16 million drained from the project's funds.

A bug in the project's Ethereum smart contract enabled an attacker to mint 1 billion of the project's CGT governance token. Although the tokens were notionally priced at around $40 million, the loss to the project was estimated at closer to $16 million.

Curio DAO announced that they intended to compensate users affected by the theft over a year-long period.

Solana memecoin frenzy sparks trend of incredibly racist meme tokens

A screenshot of many Solana tokens on DEXScreener, including:
JEWS "Jews did 911"
卐 "NAZI"
N*** TRUMP "N*** Trump"
N***OLAS "N***OLAS CAGE"
COVID "chinadidcovid"
N***Butt "N*** Butt Token"
APERAH "aperah wenfree"
BDN "Big Dick N***"
CHIGGA "Chinese N***"
HITLER "I was right"
BOJE "Book of J***ers"
WODNDOR "AuschwitzWoodenDoor"
LIBTARD "Go Woke Go Broke"
BULLJEW "BULL JEW"
wifcancer "kate wif cancer"
N*** TRUMP "N*** TRUMP 2024"
GayPedo "Gays Are Pedos"
J*** "J*** Buice"Racist Solana tokens on DEXScreener (attribution)
Solana memecoin trading has been booming lately, with people making money by speculating on tokens themed around various memes and jokes. Amid an explosion in trading innocuously-named meme tokens like dogwifhat has also been a rise in blatantly racist tokens, named after racial slurs, featuring racist caricatures, or named after antisemitic conspiracy theories.

The tokens became so popular that projects showing newly-released tokens, like DEXScreener, became full of such tokens. DEXScreener released a statement on Twitter to say that "We'll be reviewing our token profile moderation policy in the coming days. We won't be the gatekeepers of what happens on-chain, but we're definitely not here to spread hate." The replies to the tweet were, predictably, full of people accusing DEXScreener of "censorship" and "going woke".

Previously rug-pulled Lucky Star Currency project somehow rugs again

The astrology-based Lucky Star Currency project rug-pulled for $1.1 million in October 2023. You'd think that might be the end of it, but on March 22, 2024, ownership of the project was transferred to a malicious smart contract that then drained tokens priced at almost $300,000 from those who still held them.

You almost have to admire the tenacity.

TICKER project developer steals $900,000

Tweet by MIDA (@brgMIDA): "im not sorry for any of you, tbh
you are all morons if you believe all it needs to make it here is to send your money to a custodial address and get rich, you were expecting to receive 10,100,1000x money for that donation or wtf, "they dont tell us it gonna 1000x when they are down the streets tho", cuz you would have otherwise mfer? go touch grass anon, and apply donating from hands to hands to people in needs in your closest physical community and turn the world a better place instead, i love you
social contracts do not have a place on the blockchain anons, i don't know why it is not much more evident for all of you"Tweet by TICKER thief (attribution)
A developer brought on to run a presale for the $TICKER token stole $900,000 from the project. 15% of the token supply was sent to the developer to distribute via an airdrop, but instead of doing so, the developer sold the majority of the tokens for around $900,000.

After the thief was identified by blockchain sleuth zachxbt, they posted a long message on Twitter, writing, "im not sorry for any of you, tbh. you are all morons if you believe all it needs to make it here is to send your money to a custodial address and get rich". The thief later spent some of the money on Milady NFTs and memecoins.

zachxbt stated that he had identified the developer, including his full name, location, and other details. He encouraged those who were scammed to contact him if they were interested in pursuing legal action.

Super Sushi Samurai exploited by whitehat for $4.6 million

Super Sushi Samurai, a new blockchain game on the Blast layer-2 blockchain was exploited for $4.6 million when an attacker discovered a vulnerability in its smart contract. A bug in the mint functionality caused users who transferred their $SSS balance to themselves to receive twice as many tokens. An attacker took advantage of this to drain $4.6 million from the project, causing the $SSS token to plummet by 99%.

The attacker contacted the project shortly after the theft, claiming to be a whitehat. They wrote, "Hi team, this is a whitehat rescue hack. Let's work on reimbursing the users." Super Sushi Samurai later confirmed that the funds had been returned, minus a 5% "bounty". The team also gave the whitehat an additional 2.5% in SSS tokens and land, and brought them on to the project team as a tech adviser.

AirDAO exploited via social engineering attack

An attacker used social engineering techniques to gain access to the AirDAO project's liquidity pool. They then were able to drain 126.5 ETH (~$551,540) and 41.6 million AMB (notionally priced at around $500,000, but not very liquid). The thief then transferred the stolen tokens through various exchanges.

AirDAO announced the theft the following day, and stated that they were working to track and freeze stolen funds. They also offered the attacker a 10% "bounty" if they chose to return the stolen assets.

Dolomite exchange exploited for $1.8 million

The Dolomite DEX suffered a $1.8 million theft as an exploiter was able to take advantage of a vulnerability in a smart contract that had been deployed in 2019. Although most contemporary users of the exchange use a version deployed on the Arbitrum layer-2 network, the old contracts were still usable on Ethereum.

An attacker apparently discovered a reentrancy bug allowing them to drain user funds from those who had approved the old contract. Altogether, around $1.8 million was taken before the team disabled the contract. The attacker quickly tumbled the stolen funds through Tornado Cash.

SEC launches investigation into Ethereum Foundation

Fortune reported that the U.S. Securities and Exchange Commission has targeted the Swiss-based Ethereum Foundation for investigation, apparently in an effort to classify its ETH token a security. The report came out shortly after CoinDesk reported that a warrant canary had been removed from the Ethereum Foundation's website.

Although the SEC has agreed that bitcoin is a commodity and not a security, it has been hesitant to make similar explicit statements about ETH. Designation as a security could be devastating to the Ethereum project and to ETH, which is the second most popular cryptocurrency to bitcoin.

Bitcoin flash crashes on BitMEX

A "very small number of accounts" were able to crash the bitcoin price on the BitMEX exchange from its roughly $66,000 price to as low as $8,900. BitMEX attributed the incident to "aggressive selling behavior" by that small group.

The incident underscores the thinness of the bitcoin markets on some cryptocurrency exchanges, and the ease with which a few whales can manipulate token prices.

BitMEX used to be among the largest cryptocurrency trading platforms, though its popularity diminished after its founders were hit with criminal charges in 2020 for violations of the Bank Secrecy Act.

Slerf memecoin meltdown only adds to mania

People have gotten really into memecoin trading on Solana recently. Like really into it. Someone decided they'd hop on the bandwagon with "Slerf", a sloth-themed memecoin they said would launch with a 50% presale.

Thanks to the aforementioned frenzy, the project managed to raise $10 million in the presale. However, things went sideways when the developer accidentally burned the $10 million by sending them to an address where they would be permanently inaccessible. "oh fuck", the developer wrote ominously on Twitter, before explaining their mistake.

Some speculated that the screwup may have been a marketing ploy, in which case it was very successful, because the token went on to post more than $2.7 billion in trading volume over a 24-hour period — more than the entire ETH trading volume in that period. The monumental error by the developers seemed to have no damper on the overall frenzy around memecoins, or even produced the opposite effect.

Surely this trend won't end badly.

Wilder World game suffers $1.8 million theft, blames contractor

Wilder World is a blockchain-based racing game that uses all the buzzwords: blockchains, artificial intelligence, and metaverse. On March 16, someone with access to the project deployer's private key upgraded legacy contracts and transfer the project's $WILD and $MEOW tokens to themselves. Altogether, the attacker profited 515 ETH (~$1.8 million), which they then laundered through the Tornado Cash cryptocurrency tumbler.

The project blamed the theft on a previous contractor who had the private key. They also explained that the attacker seemed to be a developer based on the fact that they had "specialized knowledge of ZERO's internal security systems".

Phisher impersonating influential crypto trader in Twitter replies scams over $2.6 million

Tweet by real Ansem account: i dont launch coins bros, but i can give allo to good stuff in other ways soon
Tweet by fake Ansem account closely resembling the one above it: 
im about to launch my own token $BULL this weekend
link presale: [redacted link]
min 1 sol
max 3 sol
lets run it up yallAnsem impersonator responding to a tweet by the real account (attribution)
Someone impersonating Ansem, an influential crypto trader, was able to scam people out of more than $2.6 million simply by replying to the real Ansem's tweets. Using an account mimicking the real account, with only a slight difference in the username, a phisher convinced Ansem's followers that he was creating his own Solana memecoin and asked them to buy in.

In one of the real Ansem's tweets, Ansem wrote "i dont launch coins bros" — nevertheless, followers eager to get in early on a new memecoin clicked a link offering a presale and had their wallets drained.

Altogether, people lost $2.6 million to the scam. One individual lost $1.2 million.

Remilia Collective reports multi-million dollar hack

An anime style illustration of a person with green hair wearing a cat ears headband and light blue blouse with a peter pan style collar. At the bottom of the illustration are defense and attack points bars like in a card game.Milady #5539 (attribution)
"Charlotte Fang", the leader of the controversial Remilia project (known for its Milady NFTs), claimed he was hacked and drained of ETH and NFTs potentially worth several million dollars. Although the project's treasury used a multi-signature model, the private keys were stored in one password manager, which Fang says was compromised.

The attacker stole around 490 ETH (~$1.8 million) and $58,000 USDC, along with more than 130 Milady NFTs, 320 Remilio NFTs, and hundreds of derivative tokens issued on the NFTX platform. Based on floor prices, the assets are valued at north of $6 million.

The mechanism of the attack is still uncertain, though Fang has said he suspects malware that could have intercepted credentials to his Bitwarden password manager. Some have expressed skepticism around the "hack", suggesting it could have been inside job. The Remilia group had suffered a separate $1 million loss in September 2023 — blamed on a rogue developer — and failed to implement many security safeguards after that incident.

NFPrompt discloses hack

A Binance-incubated platform called NFPrompt claims to be "the first Prompt Artist Platform in Web3" — with "prompt artist" referring to people who come up with prompts to feed into large language models. More succinctly, it's a platform to sell the NFTs you've made out of AI-generated images.

The platform announced on March 15 that it had suffered a "critical security incident" that it attributed to "a group of hackers" who were able to gain access to funds belonging both to the project's users and the project itself. They did not disclose how much was taken.

The project announced that it was working with the FBI, and had contacted centralized exchanges to ask them to freeze stolen funds.

Someone accidentally burns $1.36 million Tether

Someone accidentally threw away $1.36 million when they accidentally sent Tethers to the Tether contract address — making them permanently inaccessible in a process known as "burning". This is a rather common phenomenon in crypto, where it's easy to accidentally copy/paste the wrong address.

Most experienced crypto users have adopted the habit of sending small test transactions before transferring large amounts of tokens, to first check that they're using the correct address. Oddly, this person did so in this case, but then went right ahead and transferred the remaining tokens to the erroneous address.

The person may have lucked out that they were using a centralized stablecoin like Tether, whose operators hold a substantial amount of control over freezing, destroying, and creating new Tethers — and could feasibly replace the burned tokens.

Mozaic exploited for $2 million, recovers 90%

The "AI-optimized" defi project Mozaic Fi was exploited by an attacker who drained around $2 million in funds from the project.

According to MozaicFi, the theft had been perpetrated by a rogue developer who was able to gain access to a private key held by a core team member. They also claimed that a simultaneous large sale of the Mozaic token resulted in cascading liquidations.

In good news for the project, the attacker moved around 90% of the stolen funds to MEXC, a centralized cryptocurrency exchange that was able to freeze the thief's access to the funds.

MOBOX lending platform exploited for $750,000

The decentralized lending protocol, MOBOX, was exploited on March 14, 2024 after an attacker was able to take advantage of a bug in its referral program and borrowing functionality. By repeatedly borrowing funds and earning rewards, they were able to drain around $750,000 in USDT.

Massachusetts prosecutors seek to seize $2.3 million from crypto romance scam

The U.S. Attorney's Office in the District of Massachusetts announced that they had filed a civil forfeiture action to seize cryptocurrency priced at around $2.3 million from two Binance accounts. Those accounts had received cryptocurrency of various kinds from at least 37 American victims, one of whom was based in Massachusetts and who lost $400,000 in crypto assets to the scammers.

Phishing attack drains $2 million from one victim

An Ethereum holder who had been staking their ETH through a liquid restaking protocol called Ether.fi suffered a 501 ETH (~$2.025 million) loss when they fell victim to a phishing scam. They inadvertently signed a malicious transaction that granted the attacker "increase allowance" permissions, enabling them to siphon almost the entire sum of funds from the wallet. The individual was left with less than $1,500 in the wallet.

Incognito Market drug marketplace pulls multi-million dollar double scam

Since March 5, those who used the Incognito Market darkweb narcotics marketplace have found themselves unable to withdraw the Bitcoin and Monero they had on the platform. It appeared the platform had exit scammed for somewhere between $10 and $30 million.

Making matters worse, on March 10 the website posted a message reading, "Yes, this is an extortion !!" They wrote that, although the platform promised to "auto-encrypt" messages between buyers and sellers, and auto-delete after an expiry date, messages were not encrypted or deleted. They demanded that users pay an additional $100 to $20,000 to have their information removed from the dataset, which they promised to release at the end of May. "Whether or not you and your customers' info is on that list is totally up to you."

The tactic is reminiscent of that of ransomware groups, which often demand double fees: one from victims of hacks first to regain access to their systems, and another in exchange for a promise to destroy stolen data.

Kickstarter's bizarre "pivot to blockchain" spurred by secret $100 million Andreessen Horowitz investment

Web3: a technology so promising you can't even pay a company $100 million to use it.

Crowdfunding website Kickstarter surprised and dismayed many of its users in December 2021 when they announced they would be moving the product to the blockchain in December 2021 for... reasons. That blockchain would just so happen to be the relatively unknown Andreessen Horowitz-backed Celo blockchain. "How this will actually work, beyond Kickstarter being able to yell 'blockchain' like a spell to summon investors ... is unclear," wrote Tom McKay at Gizmodo.

He probably didn't realize how right he was, but now it's been revealed that KickStarter was able to land a $100 million investment from Andreessen Horowitz with handwavy proclamations about the blockchain that its own COO didn't seem to quite understand.

The company seems to have since given up on its blockchain ambitions — in no small part thanks to user revolt. It seems that $100 million windfall didn't include any terms actually requiring Kickstarter to follow through.

Twitter phishers steal over $46 million from 57,000 victims in February

Scam Sniffer's February 2024 report describes 57,000 victims who collectively lost almost $47 million thanks to various phishing schemes on the Twitter platform. Many of the losses came from accounts designed to impersonate various popular cryptocurrency projects, who diverted users to scam websites resembling the real ones.

The largest individual loss was the phishing attack against kirilm.eth, who had over 180 million $BEAM tokens notionally worth over $5 million drained from their crypto wallet. The attacker sold the tokens for around $4.5 million.

The total amount stolen is down slightly from January, in which $55 million was taken. Altogether, scammers have stolen over $100 million via Twitter phishing alone in the first two months of 2024.

Crypto4Winners investment firm claims funds were stolen

A investment firm called Crypto4Winners announced in their Telegram channel that "Our investigations lead us to suspect an individual of committing fraudulent acts that may have compromised the integrity of assets. It is also possible that the current and historical data at our disposal has been tampered with, with a high degree of sophistication."

The company had paused withdrawals the previous day, and has not re-enabled them. They also have not disclosed the amount that was allegedly stolen.

Crypto4Winners claims it has earned 377% returns on customer investments since 2019, producing 3–20% monthly returns.

The company is co-owned by Luc Schiltz, who was sentenced to six years in prison in 2017 for defrauding victims of over $1.5 million through various investment frauds. He was released after two years, and quickly started the Crypto4Winners project after.

Unizen platform hacked for $2.1 million

The Unizen defi platform lost around $2.1 million in the Tether stablecoin in an attack that took advantage of a vulnerability an external call from the project smart contract.

The project team sent on-chain messages to the attacker, offering a 20% "bounty" for the return of the remaining funds.

WOOFi hacked for $8.75 million

An attacker was able to use a flash loan attack to manipulate an oracle on the WooFi DEX implementation on the Arbitrum network. By manipulating the price of $WOO, they were able to steal around $8.5 million.

Blockchain security firms detected the attack quickly, and the project team paused the project's smart contract within fifteen minutes, but not before the millions were stolen. They contacted the attacker via an on-chain message to offer a 10% "bounty", later threatening that they had a "strong lead that we think will soon reveal the identity of the exploiter".

"The AI Protocol" burns tokens after holder suffers $4.3 million theft

Someone who held over 111.6 million ALI tokens from a project called The AI Protocol was phished by someone using a wallet drainer service using a permit phishing technique. The tokens were priced at around $4.3 million.

Blockchain sleuth zachxbt was able to coordinate with the project to organize a community governance vote to burn the stolen tokens before the attacker was able to cash out. Although this doesn't return the stolen funds to their original owner, it at least keeps the attacker from profiting.

Shido exploited for at least $3.3 million

The Shido blockchain suffered an exploit of their staking smart contract, in which an attacker was able to transfer ownership of the contract to another address and then upgrade the contract with a function that allowed them to withdraw staked tokens. Altogether, the attacker withdrew all 4.3 billion staked $SHIDO tokens — over half the entire circulating supply.

Although the stolen tokens were nominally priced at $35 million, the massive theft caused the price to plummet 94%. The attacker has converted the stolen tokens to around 956 ETH ($3.3 million).

The Shido team announced that they would be trying to offer a "bounty" to the hacker.

Seneca Protocol bug enables at least $3 million in stolen user funds

A bug in Seneca Protocol's smart contract has allowed attackers to steal funds from users who had approved the contract. So far, around $3 million has been stolen across the Ethereum blockchain and Arbitrum layer-2.

Making things worse, although the project's smart contract inherits the Pausable module that should allow the Seneca team to halt the malfunctioning code, they never implemented the function, meaning there's no way for them to stop the thefts. Instead, individual users must each revoke access to the flawed contract.

"Crypto inheritence" project Serenity Shield hacked, token price plummets 99%

Serenity Shield, a project aiming to solve "crypto inheritence", has been hacked. Although the project prominently claims to help "ensur[e] your financial and personal security", they seem to have some trouble ensuring their own.

An attacker stole 6.9 SERSH tokens from a MetaMask wallet belonging to the project. Although the tokens were ostensibly priced at $5.6 million, the thief was only able to sell them for around $586,000.

Serenity Shield confirmed the breach, and encouraged people to stop trading $SERSH as they planned to relaunch the token. "Rest assured, we are deploying all necessary safety measures to ensure a foolproof system," they wrote. This time it will be secure, they promise.

The team also sent a message to the hacker, offering a 15% "bounty" and a promise not to pursue legal action in exchange for the return of the stolen funds.

According to crypto sleuth zachxbt, the attack seems to be linked to exploits of OKX (December 2023) and Concentric (January 2024).

Scammers hack Twitter account of late actor Matthew Perry, solicit "donations" for "substance abuse charity"

Matthew PerryMatthew Perry (attribution)
There are evidently no lows to which crypto scammers will not sink.

Some scammers were able to compromise the Twitter account belonging to the Friends star Matthew Perry, who passed away in October 2023. He had spent much of his life battling addiction, and his death was drug-related.

The scammers took advantage of this to share crypto addresses that they claimed would funnel donations to the real Matthew Perry Foundation, which actually tries to help those battling addiction. However, in a post on Perry's other social media accounts, the Foundation clarified that they had nothing to do with the wallets or the Twitter posts, and described the website as "fraudulent".

tea.xyz causes a flood of spam pull requests to open source projects

This crypto skeptic I've heard of once said "Show me the incentive and I will show you the outcome."

A project called tea.xyz promised people they could "get rewards for [their] open-source contributions", complete with a flashy website describing how it would "enhance the sustainability of open-source software".

So far, it's achieved the exact opposite. Promising to reward open source contributors with crypto tokens, the project asked users to verify their access to open source projects by merging in a YAML file containing their crypto wallet address. This kicked off a flood of pull requests to prominent, often non-crypto-related open source projects by people who had never contributed to the project (or, often, any open source project), but who wished to merge in a file describing them as a "code owner".

Particularly impacted by this project was the open source blogging platform Ghost, which was used as an example in the demo video released by tea.xyz, and which received several PRs of this kind. A somewhat flummoxed maintainer of the repository replied to one PR: "[I]n practice the TEA project is not helping to support the Ghost project, but is instead causing a rush of self-serving PRs to be submitted to cash-in on other people's work. ... This why people hate on crypto." A maintainer of another unrelated open source project called "ghost" also reported receiving an influx of spam PRs.

This is not the first time crypto has generated massive Github spam, although another recent incident was (blessedly) mostly limited to open-source crypto projects and didn't waste the time of non-crypto-related projects as this one has.

$440,000 stolen as MicroStrategy's Twitter account is hacked

Michael Saylor sitting in front of a large model shipMichael Saylor (attribution)
MicroStrategy, the company founded and chaired by Bitcoin maximalist Michael Saylor, suffered a Twitter account compromise on February 26. Although MicroStrategy ostensibly develops software, it's better known for its massive Bitcoin holdings, driven by Saylor.

Although Saylor has been publicly critical of Ethereum, that didn't seem to raise flags among those eager to receive an airdrop of the Ethereum-based "MSTR" token that the company's Twitter account claimed they had just launched. Those who fell for the phishing link were redirected to a website that spoofed the real MicroStrategy website, with malicious code that drained funds.

Around $440,000 was stolen thanks to the fake announcement, with the majority of it coming from one wallet that was drained of a variety of tokens notionally worth around $425,000.

Dechat announces its token launch with a link to the wrong token

The user experience in crypto is apparently so bad that platforms can't even keep their own tokens straight. A web3 messaging project, Dechat, announced with some fanfare that the Dechat token would begin trading. In their social media post, however, they erroneously linked to the wrong token on the PancakeSwap cryptocurrency exchange. Instead of linking to the token they had developed, they included a link to a honeypot: that is, a malicious smart contract that aims to entice people to deposit funds that can then be stolen.

"You clowns literally linked a honeypot for your own token launch," wrote crypto sleuth zachxbt. Some users replied that they had lost money to the erroneous link.

Dechat quickly removed the post and created a new one with a corrected link. They also promised to reimburse users who had lost money to the honeypot.

BitForex shuts off website after $57 million withdrawal

The Hong Kong-based BitForex cryptocurrency exchange has shut down access to its platform after a suspicious outflow of around $57 million on several blockchains. Users who have tried to log in see a CloudFlare page explaining that they are blocked from accessing the website by CloudFlare's DDoS protection service.

The withdrawals were first noticed by blockchain detective zachxbt, who also noted that the exchange has stopped processing withdrawals and has not been replying to customer support inquiries.

It seems likely that the outflows were an exit scam rather than an outside attack, particularly given the lack of communication and somewhat shady status of the exchange. The firm faced regulatory scrutiny in Japan in mid-2023 for operating without a license, and has been accused of inflating its trading volume. Its CEO resigned in January, but promised a new team would be taking over.

"Fully private" Aleo blockchain accidentally sends out copies of users' identification documents

Aleo, a blockchain project that advertises it's a place for "fully private applications" with "built-in privacy" has just emailed private identification documents — including selfies and photographs of government identification cards — to the wrong users.

A user posted on Twitter that they had received an email with someone else's identification. "That makes me wonder, if I have someone else's KYC document, who else have you sent mine to?" Another person replied to the thread that they had experienced the same thing.

Aleo acknowledged their screw-up on social media, claiming that only ten individuals were impacted, and that it had happened thanks to a "copy/paste error in email metadata".

Crypto tumbler Tornado Cash suffers code exploit, putting funds at risk

A community member of the Tornado Cash cryptocurrency tumbler project has reported that malicious code was added to the Tornado Cash project on January 1, which has put at risk funds deposited into the service. According to the community member, a successful governance proposal two months ago resulted in a code change, but malicious JavaScript included in the change went unnoticed.

The code leaks private notes associated with deposits to a "private malicious server" owned by the person who initiated the code change. Private notes on Tornado Cash are the keys that allow a person to later withdraw the funds they have deposited into the mixing service.

This is not the first time DAO governance has gone wrong for Tornado — in May 2023, the project underwent a hostile takeover via malicious code that went unnoticed.

Myanmar-based romance scam operation pulls in $100 million in less than two years

A pig-butchering operation in Myanmar has scammed victims of more than $100 million in Tether in less than two years, according to a report from Chainalysis and the anti-human trafficking organization International Justice Mission.

Many of the workers for the romance scam group are themselves victims of human trafficking. The operation is based in a "compound" near Myanmar's border with Thailand, and researchers estimate that thousands of trafficked workers operate the scam from the "self-contained city".

The scam may put more pressure on Tether, whose role in human trafficking and high-volume romance scam operations has been scrutinized more heavily in recent months and years. Tether has frozen some assets belonging to romance scammers in the past, but remains the token of choice for many of these groups.

RiskOnBlast gambling platform rug pulls for $1.3 million

RiskOnBlast, a gambling and trading platform on the new ethereum layer-2 Blast blockchain, appears to have performed the blockchain's first major rug pull — before the blockchain has even officially launched. Blast was created by the developers of the Blur NFT platform, and received funding from the Paradigm crypto VC.

The team behind Blast had even helped to promote the RiskOnBlast platform, tweeting from its official account that Blast was "a new challenger" in the ecosystem with "undeniable" potential.

On February 25, the platform drained more than 420 ETH (~$1.3 million) from more than 750 user wallets on their platform. The project's anonymous team then laundered the funds through various services and exchanges. All social media accounts for the project were taken offline.

Australian disappears with more than US$585,000 erroneously transferred to his cryptocurrency account by OTCPro

When businessman Kow Seng Chai transferred AU$99,500 (~US$65,000) to a cryptocurrency account on the Australian OTCPro cryptocurrency trading platform on January 25, he received an unexpected windfall thanks to an extra 0 erroneously added to the amount. When he saw the AU$995,000 ($650,000) in his account, he set to work, cashing out the excess funds through multiple withdrawals of the maximum amount.

OTCPro didn't notice their error until February 4, by which point Chai had already disappeared. They were able to recoup some funds that Chai had left in the OTCPro account, putting their total loss at around AU$490,000 (US$320,000).

A judge issued an injunction to try to prevent Chai from leaving the country, and issued a freeze on his assets. However, a freeze may be ineffective depending on if and how Chai has laundered the funds.

Blueberry Protocol narrowly avoids $1.3 million hack

The Blueberry defi leverage project had a bug in their lending contract, where improper decimal handling allowed for an exploit. An attacker tried to exploit the vulnerability, but was front-run by c0ffeebabe.eth, a well-known MEV bot operator and whitehat who has in the past been able to front-run other exploits and return the funds to the projects.

About 457.7 ETH ($1.35 million) was drained from the project, but 366.6 ETH ($1.08 million) of that was able to be returned. The remaining ~91 ETH (~$265,000) was lost to validator payments.

Blueberry paused their protocol as they investigated the hack, and stated that they "aim for a full repayment to users as the goal".

DeezNutz_404 hacked for $170,000

I might otherwise skip over news of a $170,000 hack, given how commonly thefts of that scale happen in the crypto world, but with a name like this... come on.

One thing that keeps me from ever trying my hand as a crypto project hacker is that if I made $170,000 from exploiting a project called "DeezNutz_404", I would immediately be caught because I wouldn't be able to resist telling everyone I know that I'd just made enough money to not have to work for a couple years by exploiting deez nuts.

Anyway, there was a bug in their code that allowed an attacker to mint infinite tokens and steal around 58.65 ETH (~$170,000).

Axie Infinity co-founder suffers $9.5 million loss after wallet compromise

Jeff "Jihoz" Zirlin, a co-founder of the Axie Infinity blockchain game, lost around $9.5 million as two of his crypto wallets were compromised. The thief stole 3,248 ETH ($9.5 million), which they quickly laundered with the Tornado Cash cryptocurrency mixer.

Some were briefly concerned that Axie Infinity's Ronin Bridge had been hacked (again), since the funds moved out of the bridge. Jihoz and others were quick to emphasize that the bridge had not been affected, and it was simply a personal wallet compromise.

Influencer "Crypto Rover" accused of pump-and-dump and other shady behavior

Influencer "Crypto Rover" taking a selfie with an exaggerated concerned expression, and the bitcoin logo next to himCrypto Rover (attribution)
A popular cryptocurrency influencer known as "Crypto Rover" has been accused by blockchain sleuth zachxbt of shady behavior, including accepting promotional payments from crypto projects and then not following through on his end of the deal, dumping tokens after promising followers he would hold, and secretly purchasing tokens for memecoin projects before pumping the price by posting about them.

Zachxbt outlined various incidents, including how Crypto Rover purchased "Stoned Pepe" tokens before posting to his hundreds of thousands of followers that he thought the token would "do at least a 10x", and claiming that he had inside info on the project. He also detailed how Rover had taken a $10,000 payment and 1% of the supply of a new token that he promised to promote, then never promoted — despite promising the team that he could "pump projects from 1/2m to 10m easy".

After zachxbt published his research, Rover deleted his Telegram channel.

Over $55 million taken from defunct AAX crypto exchange

The Hong Kong-based AAX cryptocurrency exchange suspended withdrawals in November 2022, only days after the FTX collapse and related chaos in the cryptocurrency world. They claimed that user funds were safe, but the exchange never restored service. A month later, police arrested two of the company's executives.

Now, over a year later, the Cyvers blockchain security firm has observed more than 24,000 ETH (~$55.6 million) has been moved from wallets used by the platform. Although there could be innocuous explanations for money moving off a defunct platform, whoever was moving the funds used various decentralized services to launder the money, appearing to be trying to make it more difficult to trace.

Airdrop hunters spam Github projects

A Github issue titled "github" with the text "i'm a scroll contributor"Airdrop farming Github issue (attribution)
After projects like Celestia and Starknet distributed airdrops of crypto tokens to people who had contributed to their open source Github repositories, airdrop hunters have begun spamming other projects in hope that they might one day receive tokens for their "contributions". In the recent Starknet airdrop, one individual received 1,800 STRK (~$3,200 at current estimates, though the token isn't actively trading yet) for an unmerged pull request fixing a typo in project documentation, so the hope that relatively trivial contributions could result in a windfall isn't completely unjustified.

Several repositories for crypto projects that have not launched tokens were inundated with hundreds of trivial Github issues apparently written in the hopes that in the event of an airdrop, they would be considered contributions.

"Please don't submit a GitHub issue just for farming purposes," wrote one employee of a crypto project receiving such spammy contributions. "The [project] core team is stretched thin enough as it is, please don't make our lives harder." Several projects had to limit who was allowed to open new issues in their repositories to try to tackle the spam.

FixedFloat exchange hacked for $26 million

The FixedFloat cryptocurrency exchange was exploited for around 409 BTC (~$21.17 million) and 1,728 ETH (~$4.85 million) for a total loss of just over $26 million. FixedFloat is a decentralized cryptocurrency exchange that doesn't require user registration or Know Your Customer, making it popular for hackers looking to launder stolen funds.

FixedFloat first wrote that they had "encountered some minor technical problems", then acknowledged that there had been a hack. FixedFloat is non-custodial, so no user funds were impacted, however some have reported frozen transactions and missing funds from using the service on social media.

Yuga Labs acquires Moonbirds amid speculation of insider trading

Pixel art of a white owl with one squinting eye, wearing a forest ranger hat, on a light green backgroundMoonbirds #768 (attribution)
On February 16, the NFT giant Yuga Labs announced it would be acquiring the Moonbirds NFT project. This adds to list of blue-chip NFT collections controlled by Yuga Labs, which already included their original Bored Ape Yacht Club and spin-off NFT collections, and the CryptoPunks and Meebits collections they acquired in March 2022. Decentralized!

Anyway, after the acquisition was announced, prices for Moonbirds spiked, as was to be expected.

What wasn't expected was a notable spike in trading in the days leading up to the acquisition announcement, in which some wallets began accumulating large amounts of Moonbirds and related NFTs. One such wallet purchased 80 Moonbirds, 71 Moonbird Mythics, 28 Oddities, and 13 Mythic eggs in the week leading up to the announcement, and enjoyed several hundred thousand dollars in profits after the acquisition was announced.