Web3 is Going Just Great

Max Howell, the creator of tea.xyz (and creator of homebrew, though he's no longer involved), seemed apologetic, and promised to make changes to the protocol to stop this spammy behavior.

Now, deprived of that avenue, people are just creating massive waves of empty software packages, with nothing other than a "teafile" with their crypto wallet address for rewards, and submitting them to package managers like NPM and RubyGems.

This spam prompted a blog post from RubyGems, who wrote that they had to devote time to strengthening limits on package publishing and "ensuring [accounts] didn't disrupt the community further."

Security researchers at Phylum also wrote up the protocol's impact on the JavaScript world, which has seen as many as 7x as many packages published on NPM as previous daily averages. "Automated sustained spamming of this volume for months on end is rare and does nothing but cause heavy strain on the ecosystem itself, degrading the performance of the ecosystem for genuine users and straining open source security researchers," they wrote.

Pac Finance has said they are "actively developing a plan with [impacted users] to mitigate the issue."

NGS and its associated business is believed to have pulled in around AU$62 million (US$42 million) from around 450 Australians.

So far, losses are estimated to affect around 100 investors, who have up to AU$100 million (US$65 million) in claims.

Balanian had boasted of his career experience as a former NASA mission planner, and targeted his fund to wealthy investors with a minimum initial deposit of AU$50,000 (~US$33,000).

US Attorney Damian Williams described this as the first ever conviction for a smart contract hack.

Ahmed forfeited around $12.3 million in stolen funds, and will pay more than $5 million in restitution.

On April 10, CEO Edgar Pavlovsky tweeted that he had resigned from MarginFi, publicly calling that he "d[idn't] agree with the way things have been done internally or externally". Pavlovsky had been criticized for his response to the controversy around MarginFi, in which he had been argumentative and insulting, tweeting things like "take your money out, go fuck yourself" to those who accused him and MarginFi of malfeasance.

Amid the chaos, more than $210 million in TVL has exited the protocol.

The notice was received with an adversarial posture by Uniswap, who announced its receipt with a blog post titled "Fighting for DeFi". "Taking into account the SEC's ongoing lawsuits against Coinbase and others as well as their complete unwillingness to provide clarity or a path to registration to those operating lawfully within the U.S., we can only conclude that this is the latest political effort to target even the best actors building technology on blockchains," they wrote.

The news was met with outrage in the crypto community, who generally saw the action as indicative of an overly aggressive posture by the SEC to crack down on defi and crypto more broadly.

According to STFIL, while some of the core team members were detained by Chinese police, FIL tokens were moved to an unknown wallet. They also acknowledged that there had been "abnormal, unscheduled upgrades to the protocol". They asked their community members for help in tracking the wallet.

Some speculated that the story was fake, and that the project had stolen the funds. However, Chinese police have in several instances cracked down on people and companies involved in Filecoin-related projects, including an $83.3 million alleged pyramid scheme in August 2023 and a group of Filecoin Ponzi schemers in 2021. Filecoin mining became popular in China after its 2018 initial coin offering, and also became a magnet for Ponzi schemes and other scams.

The project described itself as a DEX with a native $MUSK token, and launched in July 2021. However, the token tanked on December 25, 2021. Although the project team tried to blame the crash on "liquidity issues" and promised paths forward, they locked the project Telegram chat on March 11, 2022. On April 5, 2022, the team withdrew remaining funds and deleted the website.

Crypto analysis firm CertiK linked the MuskSwap project to several other scam tokens and projects: RocketDoge, InfinityGame, SpaceX, MUFC (themed after Manchester United), and Elona Musk. Altogether, the rug pulls have drawn in $5.1 million.

Some more recent Yelp reviews described fairly mediocre food, which "[t]he NFTs don't make up for".

The restaurant opened in April 2022, a month after owner Andy Nguyen purchased Bored Ape #6184 for $268,000, along with three Mutant Apes for an additional combined $187,000. #6184 became the restaurant's logo, and the others were incorporated into the restaurant's branding. The NFTs haven't been resold since, although it's unlikely they could recoup close to their original purchase prices — Bored Apes have been averaging a little under $50,000 in recent sales, and Mutants around $8,500 each.

Kwon and his company were behind the algorithmic stablecoin, Terra, which dramatically collapsed in May 2022, sending huge ripple effects throughout the ecosystem. He and his company had lied about the stability of the token, ultimately causing massive financial damage to the tune of around $40 billion.

Kwon is in custody in Montenegro after attempting to flee criminal cases in both the United States and South Korea. The civil case in the US proceeded without him.

The "yes" votes are currently in the lead with a 63% margin. The most yes votes came from sushigov.eth, the official SushiSwap team address, which also created the proposal. It is the first time that address has ever participated in a governance proposal.

The 5.5 million yes votes from the team wallet, plus another 3.1 million delegated from other community members, were enough to push the vote to majority support. A former SushiSwap contributor has also alleged that the SushiSwap team was manipulating the vote with additional wallets.

On Twitter, Sushi's "Head Chef" claimed that he had consulted with lawyers and then authorized the voting activity out of fear of an "extortative [sic] governance attack attempt".

Despite that, people sent the creator over 8.8 ETH (almost $29,000) for the project's "pre-sale", even as they repeated on Twitter that the project was a scam and that no one should buy it.

FixedFloat acknowledged the theft in a Twitter post, and blamed the same thieves. They claimed that this theft was enabled by a vulnerability in a third-party service.

Solareum later wrote that they would be closing the project, and deleted their website. This drew some criticism from users who accused them of doing nothing to investigate the hack, or even being responsible themselves. The project wrote on Twitter, "We at #SOLAREUM team can clarify that we DO NOT steal money." Ah, well, in that case.

Other bots may have been involved in the theft, though it's not clear at this point. Though there was some speculation that a trading bot called BonkBot was to blame, that seems to have been unfounded.

The total theft amount is not clear, but exceeds $500,000.

Plasma paused the protocol after detecting the attack.

The first attacker, who stole the bulk of the assets, sent an on-chain message to Prisma claiming that they had performed a "whitehat rescue", and inquired about returning the funds. In later messages, however, they asked the project to answer questions about their security practices and projects' responsibilities to users to prevent attacks. The attacker then transferred the stolen funds to Tornado Cash — indicating their return is unlikely.

In another message, the attacker was angry that Prisma had not expressed gratitude to them or remorse to their users, and was angry they had used terms like "exploit" and "attack" in their description of the incident. They demanded that the team reveal their identities, apologize, and thank the attacker in an online press conference.

The sentence follows his conviction on all seven felony charges in November 2022 — a decision reached by the jury within hours of beginning their deliberations.

Bankman-Fried intends to appeal the conviction.

One of the co-founders, known only as "Paul", claimed on Discord that he was "trying to investigate" the movement of funds, which have been blamed on the project's other co-founder, John Kim.

Conversations on Discord suggest that a remaining $3 million in treasury funds were protected, and that the remaining LENX team may have been able to convince Binance to freeze the account that received stolen funds. However, little has been verifiably confirmed to date.

LENX is backed by the Frax Finance lending protocol.

According to prosecutors, they tried to conceal that the exchange had customers from the United States in order to claim that they were exempt from US anti-money laundering laws. They also marketed KuCoin as a KYC-optional exchange where customers from the US could operate unverified accounts.

The charges against the founders carry maximum sentences of five years in prison.

Things went awry in the land of the schnibbles and snuggeries when an attacker siphoned around 17,400 ETH ($62.5 million). Various descriptions of the attack circulated, with blockchain sleuth zachxbt attributing it to a recently hired developer, and crypto developer 0xQuit claiming the theft appeared to have been "planned since deploy".

Some began discussing the possibility that the Blast layer-2 blockchain might forcibly roll back the chain to "undo" the hack. Some have argued this is contra to the crypto ethos or would set a bad precedent, while others have argued that as a blockchain focused more on gaming and experimentation and less on decentralization and other facets of crypto ideology, it would be a reasonable step.

Some hours after the attack, the exploiter was convinced to return the funds.

A bug in the project's Ethereum smart contract enabled an attacker to mint 1 billion of the project's CGT governance token. Although the tokens were notionally priced at around $40 million, the loss to the project was estimated at closer to $16 million.

Curio DAO announced that they intended to compensate users affected by the theft over a year-long period.

The tokens became so popular that projects showing newly-released tokens, like DEXScreener, became full of such tokens. DEXScreener released a statement on Twitter to say that "We'll be reviewing our token profile moderation policy in the coming days. We won't be the gatekeepers of what happens on-chain, but we're definitely not here to spread hate." The replies to the tweet were, predictably, full of people accusing DEXScreener of "censorship" and "going woke".

You almost have to admire the tenacity.

After the thief was identified by blockchain sleuth zachxbt, they posted a long message on Twitter, writing, "im not sorry for any of you, tbh. you are all morons if you believe all it needs to make it here is to send your money to a custodial address and get rich". The thief later spent some of the money on Milady NFTs and memecoins.

zachxbt stated that he had identified the developer, including his full name, location, and other details. He encouraged those who were scammed to contact him if they were interested in pursuing legal action.

The attacker contacted the project shortly after the theft, claiming to be a whitehat. They wrote, "Hi team, this is a whitehat rescue hack. Let's work on reimbursing the users." Super Sushi Samurai later confirmed that the funds had been returned, minus a 5% "bounty". The team also gave the whitehat an additional 2.5% in SSS tokens and land, and brought them on to the project team as a tech adviser.

AirDAO announced the theft the following day, and stated that they were working to track and freeze stolen funds. They also offered the attacker a 10% "bounty" if they chose to return the stolen assets.

An attacker apparently discovered a reentrancy bug allowing them to drain user funds from those who had approved the old contract. Altogether, around $1.8 million was taken before the team disabled the contract. The attacker quickly tumbled the stolen funds through Tornado Cash.

Although the SEC has agreed that bitcoin is a commodity and not a security, it has been hesitant to make similar explicit statements about ETH. Designation as a security could be devastating to the Ethereum project and to ETH, which is the second most popular cryptocurrency to bitcoin.

The incident underscores the thinness of the bitcoin markets on some cryptocurrency exchanges, and the ease with which a few whales can manipulate token prices.

BitMEX used to be among the largest cryptocurrency trading platforms, though its popularity diminished after its founders were hit with criminal charges in 2020 for violations of the Bank Secrecy Act.

Thanks to the aforementioned frenzy, the project managed to raise $10 million in the presale. However, things went sideways when the developer accidentally burned the $10 million by sending them to an address where they would be permanently inaccessible. "oh fuck", the developer wrote ominously on Twitter, before explaining their mistake.

Some speculated that the screwup may have been a marketing ploy, in which case it was very successful, because the token went on to post more than $2.7 billion in trading volume over a 24-hour period — more than the entire ETH trading volume in that period. The monumental error by the developers seemed to have no damper on the overall frenzy around memecoins, or even produced the opposite effect.

Surely this trend won't end badly.

The project blamed the theft on a previous contractor who had the private key. They also explained that the attacker seemed to be a developer based on the fact that they had "specialized knowledge of ZERO's internal security systems".

In one of the real Ansem's tweets, Ansem wrote "i dont launch coins bros" — nevertheless, followers eager to get in early on a new memecoin clicked a link offering a presale and had their wallets drained.

Altogether, people lost $2.6 million to the scam. One individual lost $1.2 million.

The attacker stole around 490 ETH (~$1.8 million) and $58,000 USDC, along with more than 130 Milady NFTs, 320 Remilio NFTs, and hundreds of derivative tokens issued on the NFTX platform. Based on floor prices, the assets are valued at north of $6 million.

The mechanism of the attack is still uncertain, though Fang has said he suspects malware that could have intercepted credentials to his Bitwarden password manager. Some have expressed skepticism around the "hack", suggesting it could have been inside job. The Remilia group had suffered a separate $1 million loss in September 2023 — blamed on a rogue developer — and failed to implement many security safeguards after that incident.

The platform announced on March 15 that it had suffered a "critical security incident" that it attributed to "a group of hackers" who were able to gain access to funds belonging both to the project's users and the project itself. They did not disclose how much was taken.

The project announced that it was working with the FBI, and had contacted centralized exchanges to ask them to freeze stolen funds.

Most experienced crypto users have adopted the habit of sending small test transactions before transferring large amounts of tokens, to first check that they're using the correct address. Oddly, this person did so in this case, but then went right ahead and transferred the remaining tokens to the erroneous address.

The person may have lucked out that they were using a centralized stablecoin like Tether, whose operators hold a substantial amount of control over freezing, destroying, and creating new Tethers — and could feasibly replace the burned tokens.

According to MozaicFi, the theft had been perpetrated by a rogue developer who was able to gain access to a private key held by a core team member. They also claimed that a simultaneous large sale of the Mozaic token resulted in cascading liquidations.

In good news for the project, the attacker moved around 90% of the stolen funds to MEXC, a centralized cryptocurrency exchange that was able to freeze the thief's access to the funds.

Making matters worse, on March 10 the website posted a message reading, "Yes, this is an extortion !!" They wrote that, although the platform promised to "auto-encrypt" messages between buyers and sellers, and auto-delete after an expiry date, messages were not encrypted or deleted. They demanded that users pay an additional $100 to $20,000 to have their information removed from the dataset, which they promised to release at the end of May. "Whether or not you and your customers' info is on that list is totally up to you."

The tactic is reminiscent of that of ransomware groups, which often demand double fees: one from victims of hacks first to regain access to their systems, and another in exchange for a promise to destroy stolen data.

Crowdfunding website Kickstarter surprised and dismayed many of its users in December 2021 when they announced they would be moving the product to the blockchain in December 2021 for... reasons. That blockchain would just so happen to be the relatively unknown Andreessen Horowitz-backed Celo blockchain. "How this will actually work, beyond Kickstarter being able to yell 'blockchain' like a spell to summon investors ... is unclear," wrote Tom McKay at Gizmodo.

He probably didn't realize how right he was, but now it's been revealed that KickStarter was able to land a $100 million investment from Andreessen Horowitz with handwavy proclamations about the blockchain that its own COO didn't seem to quite understand.

The company seems to have since given up on its blockchain ambitions — in no small part thanks to user revolt. It seems that $100 million windfall didn't include any terms actually requiring Kickstarter to follow through.

The largest individual loss was the phishing attack against kirilm.eth, who had over 180 million $BEAM tokens notionally worth over $5 million drained from their crypto wallet. The attacker sold the tokens for around $4.5 million.

The total amount stolen is down slightly from January, in which $55 million was taken. Altogether, scammers have stolen over $100 million via Twitter phishing alone in the first two months of 2024.

The company had paused withdrawals the previous day, and has not re-enabled them. They also have not disclosed the amount that was allegedly stolen.

Crypto4Winners claims it has earned 377% returns on customer investments since 2019, producing 3–20% monthly returns.

The company is co-owned by Luc Schiltz, who was sentenced to six years in prison in 2017 for defrauding victims of over $1.5 million through various investment frauds. He was released after two years, and quickly started the Crypto4Winners project after.

The project team sent on-chain messages to the attacker, offering a 20% "bounty" for the return of the remaining funds.

Blockchain security firms detected the attack quickly, and the project team paused the project's smart contract within fifteen minutes, but not before the millions were stolen. They contacted the attacker via an on-chain message to offer a 10% "bounty", later threatening that they had a "strong lead that we think will soon reveal the identity of the exploiter".

Blockchain sleuth zachxbt was able to coordinate with the project to organize a community governance vote to burn the stolen tokens before the attacker was able to cash out. Although this doesn't return the stolen funds to their original owner, it at least keeps the attacker from profiting.

Although the stolen tokens were nominally priced at $35 million, the massive theft caused the price to plummet 94%. The attacker has converted the stolen tokens to around 956 ETH ($3.3 million).

The Shido team announced that they would be trying to offer a "bounty" to the hacker.

Making things worse, although the project's smart contract inherits the Pausable module that should allow the Seneca team to halt the malfunctioning code, they never implemented the function, meaning there's no way for them to stop the thefts. Instead, individual users must each revoke access to the flawed contract.

An attacker stole 6.9 SERSH tokens from a MetaMask wallet belonging to the project. Although the tokens were ostensibly priced at $5.6 million, the thief was only able to sell them for around $586,000.

Serenity Shield confirmed the breach, and encouraged people to stop trading $SERSH as they planned to relaunch the token. "Rest assured, we are deploying all necessary safety measures to ensure a foolproof system," they wrote. This time it will be secure, they promise.

The team also sent a message to the hacker, offering a 15% "bounty" and a promise not to pursue legal action in exchange for the return of the stolen funds.

According to crypto sleuth zachxbt, the attack seems to be linked to exploits of OKX (December 2023) and Concentric (January 2024).

Some scammers were able to compromise the Twitter account belonging to the Friends star Matthew Perry, who passed away in October 2023. He had spent much of his life battling addiction, and his death was drug-related.

The scammers took advantage of this to share crypto addresses that they claimed would funnel donations to the real Matthew Perry Foundation, which actually tries to help those battling addiction. However, in a post on Perry's other social media accounts, the Foundation clarified that they had nothing to do with the wallets or the Twitter posts, and described the website as "fraudulent".