Web3 is Going Just Great

The stolen tokens were notionally priced at around $5.14 million, although the sale of the stolen tokens resulted in a price drop that meant the attacker ultimately was only able to trade them for 1,629 ETH (~$4.5 million). The BEAM price dropped around 10%.

Although the token dumping occurred in March 2022, zachxbt waited until now — when KSI returned to his dormant Twitter account — to release the evidence he'd collected.

KSI had previously claimed to followers that he was "holding his bags", meaning not selling the XCAD tokens he'd purchased or been given. zachxbt determined this to have been a lie. The XCAD founder later came to KSI's defense, claiming he had bought more tokens than he sold, as though that somehow justifies the behavior.

This made it a bit of a shock when the co-founder of the a16z-backed Farcaster blockchain-based social network messaged a user to inform them that he would be taking away the channel name he had registered, whether he agreed to it or not. According to the co-founder, Dan Romero, the popular Bankless crypto podcast had requested the bankless channel name, which the user he was messaging had already registered.

After the user argued back against Romero's offer of $25 in USDC to reimburse him for the channel name, and said it set a poor precedent, Romero stated: "ok this isn't productive. do you want USDC for the refund or warps" (referring to the non-crypto points used by the Warpcast client for Farcaster).

On one hand, some criticized the user who had registered the name for allegedly squatting on the channel name and trying to resell it. Romero defended his decision by arguing, "I never said channels were decentralized yet" (though the platform does generally claim to be "sufficiently decentralized"). Others argued the action set a bad precedent, and flew in the face of the ethos supposedly motivating these types of web3 social networks.

Romero has promised on Twitter that Farcaster channels "will be onchain later this year and like [user identifiers] won't be able to be touched." When pushed on the precedent this sets, he replied, "So let the squatter extort money?" Romero clearly needs to grapple with the fact that, like it or not, squatting is a feature of systems that take a hands-off approach to managing access to identifiers. This should not be news to anyone remotely familiar with the web, where "domaining" emerged out of the relatively laissez-faire structure of DNS — though unlike with fully decentralized identifiers, there can be some intervention when domain name speculation enters the realm of cybersquatting.

Rewind to November 2021, when it was announced that TIME Magazine's film and production studio would be collaborating with Stanley to develop a children's animated TV show based on the Robotos NFTs. The announcement helped to drive interest in the NFT collection, which reached a peak floor price of around 1.5 ETH (~$5,000 at the time).

Since then, no show has materialized, and the collection's floor price has dwindled. NFTs from the collection have recently sold for around 0.015 ETH (~$42). In the project Discord, Stanley claimed that TIME had lost interest in the project after the writer's strike. He also wrote that he had lost faith in web3: "Glad you still believe. It's hard for me to believe in it anymore." He explained that he had viewed Robotos as a "personal side project", and that he was "sorry if that's not enough for most people, but that's all I have the appetite for, and that's all I can offer."

It appears that the thief got access to a Duelbits wallet, perhaps through a private key compromise.

Yuga released a new NFT, intending to function as ship parts that could be combined to create a ship to be used in the game. Players who had completed an Otherside minigame would be eligible to mint these NFTs for free. However, the "free" NFT cost around $30 in gas fees to mint. Worse still, the parts were meant to be repeatedly traded and combined to make new parts and ships, leading fans to wonder why on earth they decided to release the project on a blockchain where each transaction often costs tens of dollars.

Apparently realizing they'd made a mistake, Yuga first responded by announcing they would gift people free "Catalyst" NFTs to make it up to them. This only sparked further rage, though, as it was seen to dilute the value of the Catalyst NFTs and throw off incentives.

Yuga later reversed course on this decision, instead deciding to reimburse the gas fees.

This was not Yuga Labs' first gas-related fiasco, after they caused gas fees to spike into the thousands of dollars across the entire Ethereum network in April 2022 during the initial Otherside land sale.

One observer wrote, "[W]hat's the plan for the marketplace in Otherside that is supposed to support millions of daily microtransaction? I'm afraid this means Otherside is much less developed than we would like to hope. These decisions are entry level mistakes, not mistakes we should see from the biggest company in the space developing a metaverse. If the Otherside mint wasn't an eye opener, then this wont be either."

Days after the initial attack, on February 12, the attacker minted another 1.59 billion $PLA. This has led to news reports that the platform was exploited for "$290 million". However, this value is being naively calculated based on the token price without taking into account the massive supply inflation, and ignoring that that dollar figure is more than 2.5x the total claimed market cap of the token. Even reputable outlets like Bleeping Computer have printed the figure in their headline (though Bleeping Computer later changed the headline to a more accurate one).

PlayDapp sent on-chain messages to the attacker, offering a bounty, but the offer was ignored.

With blockchains promising to become "world computers" upon which anyone can create projects ranging from mere toys to critical infrastructure, uptime is crucial, and a five-hour-long outage is devastating.

Although the indictment does not name FTX, Bloomberg has reported that "victim company-1" named in the court filings was FTX, which was hacked for around $400 million amid the chaos as the company was collapsing.

Now, as Su Zhu emerges from several months in jail, he, Kyle Davies, and the other executives of OPNX are shutting down the project. Traders have a week to settle their positions, and another week before the platform closes entirely.

Both Zhu and Davies are, of course, trying to promote a new crypto derivatives trading project.

The top seven victims collectively lost $17 million, with the top victim alone losing $4.7 million.

Larsen attempted to downplay the massive theft, claiming repeatedly that the theft did not represent a threat to Ripple itself, and trying to reassure people that Ripple wallets are still safe. However, fears over a threat to Ripple itself and the true separation between Larsen's wallets and those belonging to the Ripple project continued, and XRP dipped around 5% on the news.

The Magic Internet Money ($MIM) stablecoin has lost its dollar peg again, dipping all the way below $0.77 in a flash crash before returning to around $0.95.

The depeg appears to be related to an exploit of the Abracadabra lending protocol, which allows people to borrow $MIM. An attacker exploited an apparent flaw in the platform's smart contracts to drain around $6.5 million.

This is the second time the token has depegged, after a June 2022 incident shortly after the Terra collapse.

This is the second HyperVerse related criminal charge in recent days, following the arrest of promoter "Bitcoin Rodney".

Goledo Finance contacted the attacker to offer a 10% "bounty" for the return of the remaining assets. In a message on January 29, the attacker wrote: "I hacked Goledo and want to negotiate".

Anyway, the South Korean Somesing platform — which is really more of a TikTok-but-just-for-song-covers clone than anything to do with karaoke — suffered a breach in which 730 million SSX tokens were stolen. These tokens are nominally priced at around $11.5 million, but around 2/3 of the stolen tokens were as yet undistributed and not a part of the circulating supply.

Singh pled guilty to conspiracy to possess with the intent to distribute controlled substances and conspiracy to commit money laundering, charges for which he's expected to serve around 8 years in prison.

The attackers were able to siphon 769 million $WSM from the contract, which was notionally worth around $7 million. However, the token lacks liquidity to support swapping hundreds of millions of tokens without depressing the price, and the token price dropped around 35% in the wake of the attack as the thief began to cash out over several days.

Meanwhile, WSM announced that they would be issuing a new token to replace the stolen tokens, and "renew[ing] the liquidity pool"... somehow.

The emails appeared to announce airdrops and exclusive offers from those companies, and recipients were invited to connect their wallets to claim tokens. Those wallets were then drained.

The attackers stole a variety of cryptocurrencies, and some outlets have reported the theft has totalled more than $3.3 million. However, because a substantial amount of that number comes from the illiquid Xbanking token, the actual liquid value of the tokens is likely closer to $700,000. The attackers have begun mixing the stolen funds through the Railgun privacy service.

GMEE is the token belonging to the Gamee blockchain-based gaming platform, which was acquired by the Animoca Brands company in 2020. Animoca is mostly known for its crypto-metaverse project, The Sandbox.

Tokens priced at around $1.8 million were drained from the project vaults. In a tweet, Concentric urged users to revoke contract approvals to avoid further losses.

The wallet addresses used by the exploiter appeared to connect the attacker to the $2.7 million OKX DEX theft in December 2023.

Despite all of that, Terraform Labs had continued to operate. However, it is now in dire financial straits, and has now filed for Chapter 11 bankruptcy in an attempt to sort out its financial obligations amid costly legal cases. Terraform Labs is currently a defendant in a complaint by the SEC, as well as several class-action lawsuits.

According to the company's bankruptcy filing, it has between $100 million and $500 million in assets, and liabilities in the same range.

After the dismal launch, Howard tried a few somewhat desperate-seeming moves to try to attract interest in the project: promising to send free crypto to some holders, redoing all the art after criticism of its quality, and slashing the NFT supply to 1,500. Despite all that, only 465 NFTs have sold (15% of the original supply, netting Howard 930 AVAX — around $28,400).

The flop was so bad that a member of the team behind the Avalanche blockchain put out a tweet distancing themselves from the project, stating that they didn't even know about the project until he announced it. "Gone are the days that individuals/Brands with large followings can just drop IP related NFTs out of nowhere and expect it to do well," they wrote, seemingly criticizing Howard's approach by writing that NFT creators must "mak[e] sure to do it in an organic way with proper intentions."

Debiex, however, only resembled a cryptocurrency trading platform. In reality, the website merely mimicked a trading platform, and the funds supposedly deposited there for trading purposes were taken by Debiex.

The CFTC identified five victims who were allegedly defrauded of a combined $2.3 million.

Regalado posted a video to his supporters explaining that he had been sued by the Colorado state securities regulator. "So the charges are that Kaitlyn and I pocketed $1.3 million, and I just want to come out and say that those uh charges are true," said Regalado in the video, presumably causing a cold chill to run down the spine of his defense attorney in the middle of whatever he was doing.

According to Regalado, God told them to first invest in a separate coin, which turned out to be a scam. Then, says Regalado, God told him to make his own currency, which Regalado called INDXcoin, "but also give them a 10x". Who knew God was a degen! Regalado had told investors that the funds would be going to "widows and orphans", but spent most of it on himself and his wife.

In an announcement posted on Rubiales' Twitter account, the South Korean Moon Labs wrote: "Yes, we agree that Mr. Luis Rubiales made a small mistake in women world cup." The statement went on to condemn "extremism and radical feminism", and downplay Rubiales' actions as not "really" sexual assault. "Yes, Luis did small mistake but probably the biggest mistake was losing Luis Rubiales in football part [sic]."

Now, another $2.7 million is gone after an apparent thief was able to exploit a smart contract that was intended to distribute payouts to Hector's token holders. They then swapped the tokens from the USDC stablecoin to ETH.

Investors in the project are furious, especially because various parties had warned Hector Network about apparently insecure practices. Hector Network's team, meanwhile, have not acknowledged the theft, although a law firm involved in the project liquidation promised a statement would be forthcoming.

Adding to those is the fact that TrueUSD recently paused its real-time reserves attestations, due to systems reporting liabilities that exceeded assets, though TrueUSD (obviously) claimed this was just an error.

A little over 700 victims were affected, and the highest loss from a single wallet was around $657,000. 121 wallets lost assets priced at more than $10,000.

On January 23, the protocol announced they had recovered 1,032 ETH (~$2.23 million) of the stolen funds.

Evidently the platform has still been running since then, though it rarely enjoys much mention alongside its many competitors.

Now, rolling out the classic "regulatory uncertainty" line, GameStop has announced it will be shutting down the marketplace. After shutting down a crypto wallet project in November, the company seems to have fully exited the crypto world.

The bug was fixed about a week later. There has been a dispute since then between Harmony employees and a consultant who was involved in identifying the bug, and the consultant has been accused of delaying action to profit from the excess tokens. The consultant also balked at destroying some of the tokens he mistakenly received.

The consultant claims that he didn't profit from the bug, and objected to a Harmony employee coming after him to destroy the excess tokens when he'd done little towards others who profited from the error. He did, however, say later that he had destroyed the tokens.

According to the consultant, a Harmony employee claimed that he had filed reports to the FBI and IRS about the consultant's behavior, and had the consultant banned from the annual ETH Denver event.

The failures included poor anti-money laundering programs, deficiencies around filing suspicious activity reports, and poor cybersecurity.

The NYDFS action is only one of Genesis' many worries these days, as it undergoes bankruptcy proceedings and is facing various other legal woes.

With the malfunctioning hardware wallet and no recovery key, Bentley has lost access to assets including 1.2 million EUL tokens — over 4% of the total EUL token supply. These tokens are priced at about $3.8 million today, though at other times the tokens would have been worth up to about $15 million.

"I've now lost a substantial percentage of the crypto assets I held in cold storage, accumulated over more than seven years, including the majority of the EUL allocated to me for participating in Euler governance," said Bentley.

Some have speculated that the trade might be an expensive marketing stunt to increase attention to WIF, which was losing some steam.

I'll give it to them: the token's namesake is pretty cute. But not $9 million cute.

It's unclear if the move is spurred by the massively waning interest in NFTs, or if it's part of Twitter's broad slashing of functionality in the wake of Elon Musk's disastrous takeover and cost-cutting attempts.

Those who already had the hexagonal profile pictures now seem to have had them restored to their usual circular shape, and there's no longer any mention of the feature in Twitter's support documentation, and new NFT profile photos can't be uploaded. People can, of course, still right-click and save the images and upload them that way.

Bitcoin briefly spiked by about $1,000 before dipping around $1,000 below its previous price, as traders excitedly reacted to the news, and then the news that the news was fake.

Bitcoin Rodney has been charged with operating an unlicensed money transmitting business and conspiracy to operate an unlicensed money transmitting business.

When investigators subpoenaed Discord for Rhoden's chat logs, they found messages celebrating the rug pull. "good shit on us making a fuck ton of money," he wrote to his co-conspirator.

MangoFarmSOL is unrelated to the other Solana-based mango-themed project, Mango Markets, which was exploited in October 2022 for more than $100 million.

However, investigation by the CertiK blockchain security firm suggests that the "hack" may have been an inside job, with much of the $1.5 million that was "stolen" going to wallets with links to the Narwhal team.

The Narwhal project had launched in mid-December.

On January 6, the project's creators drained the tokens that had been put into the project, then deleted their website and social media accounts. Altogether, they withdrew 558.3 ETH (~$1.25 million).

In July 2023, an attacker stole $37.3 million from the CoinsPaid platform. CoinsPaid said at the time that they suspected the attacker was the North Korean Lazarus hacking group, which has been a prolific perpetrator of cryptocurrency thefts.

CertiK quickly regained control of the account and deleted the tweets, later explaining that an employee had been contacted by a "verified account, associated with well-known media". The journalist's account, apparently compromised, successfully phished the CertiK employee by sending what looked like a Calendly meeting scheduling link, but what was in fact a malicious link used to take over the CertiK Twitter account.

Blockchain sleuth zachxbt criticized CertiK, which describes itself as a leading blockchain security firm, for not protecting against the attack, and asked if they would be reimbursing phishing victims.

Gamma has contacted the hacker to try to negotiate a return of some of the assets, and also says they have engaged law enforcement. Although they have promised to try to repay some of the stolen assets, they are estimating between 25% and 40% recoveries for various categories of users.

Radiant Capital sent an on-chain message to the attacker, offering to negotiate a bounty.

"I just got scammed out of $125k of stEth while trying to claim the $LFG airdrop. And I'm a fking founder of a wallet startup that's trying to improve wallet security..." wrote Lou on Twitter. "This is the first time I've been scammed. I always read about others but you never think it could happen to you..." he wrote.

If the founder of a wallet security project can't avoid scams in the crypto world, what hope do the rest of us have?

Orbit began sending the attacker on-chain messages, writing that "we will track you down and restore the damage you incurred to the ecosystem. And we will not stop." Orbit also wrote on Twitter that they were working with various law enforcement agencies.

The attack was perpetrated by the Pink Drainer group, which had recently compromised the Twitter account of Compound Finance to try to lure its more than 250,000 followers into authorizing the malicious drainer. It's not clear if that's how this wallet was drained, however, as Pink Drainer uses numerous strategies to attract victims.

This is a major decision in the crypto world, which recently celebrated a decision in the SEC v. Ripple case, which found that some sales of Ripple's XRP token did not constitute unregistered securities offerings.

The SEC has maintained a position that the majority of crypto asset offerings are securities offerings, which has been an unpopular opinion among those in the cryptocurrency industry — which broadly does not wish to be regulated by the SEC.

The attack was unusual in that it lasted almost two weeks, going unnoticed because it was draining pools slowly enough that the Levana team assumed it was organic activity. However, when the network became congested, the attack suddenly became more profitable — and more noticeable.