Web3 is Going Just Great

The attacker was successfully able to transfer around 13.8 million STX (~$2 million) on the Stack BTC layer-2 chain. However, their attempts to steal assets notionally worth around $4.3 million from the project's BNB Chain implementation failed when they upgraded the project contract to a malicious version, but failed to prevent other people from calling the withdraw function. The attacker's first transactions to withdraw the funds themself failed, and an apparent whitehat hacker was able to step in and complete the withdrawal ahead of the exploiter. They later negotiated a deal for the funds' return, after offering a 10% "bounty".

The exploiter had also tried, and failed, to steal assets notionally worth around $5 million on the Ethereum blockchain, but failed to do so. ALEX Lab later announced they were able to recover or secure around $4.5 million of those assets. ALEX also later announced that they believed the attackers were part of the North Korean Lazarus Group.

The case is a concerning one, as sanctioning software developers for how the code they write is used — particularly when it comes to software intended to protect privacy — has frightening implications. Although there is some precedent in the United States that "code is speech", and merely writing and publishing code is protected by the First Amendment, that obviously does not apply to the Netherlands. A collaborator to Pertsev, Roman Storm, is set to be tried on charges of money laundering and sanctions violations in the United States in September, and that case is likely to grapple with this exact issue.

After being alerted to the theft by several security companies, Sonne announced they had paused the contract on the Optimism Ethereum layer-2 chain.

Cypher was hacked for $1 million in August 2023, but was able to recover around $600,000 of the stolen funds, which they promised to distribute to impact users via a redemption fund. However, over a period of months and unbeknownst to the rest of the team, hoak had been dipping into the recovered funds — taking around half of what was in the fund for himself.

After he was accused, hoak fessed up in a public statement where he wrote that his actions were a "culmination of what snowballed into a crippling gambling addiction and probably multiple other psychological factors that went by unchecked for too long." He continued: "I know likely nothing I say or do will make things better - perhaps other than rotting in jail. To address the elephant in the room, the allegations are true, I took the funds and gambled them away. I didn’t run away with it, nor did anyone else."

In the past, Robinhood has removed cryptocurrencies from trading after they were alleged to be securities by the SEC, such as Solana (SOL), Cardano (ADA), and Polygon (MATIC) in the wake of the lawsuits against Binance and Coinbase. However, given the SEC's stance that most cryptocurrencies are securities, it seems likely that the SEC believes one or more of the 14 non-bitcoin cryptocurrencies Robinhood offers may also be a security.

Robinhood's Chief Legal Officer issued a statement that "We firmly believe that the assets listed on our platform are not securities and we look forward to engaging with the SEC to make clear just how weak any case against Robinhood Crypto would be."

GNUS.ai (short for "Genius", not a reference to the animal) is one of many AI-related blockchain projects that has sprung out of the recent AI hype. This particular one promises to allow people to "utiliz[e] unused cycles" on various computing devices for computation-intensive AI systems, using cryptocurrency for payments.

Cred had claimed to customers that they engaged in only "collateralized or guaranteed lending", hedged their investments, and "comprehensive insurance", but hid that "virtually all the assets to pay the yield were generated by a single company whose business was to make unsecured micro-loans to Chinese gamers." Furthermore, they did engage in uncollateralized lending, did not hedge their investments, and did not hold insurance as they had claimed.

Around $150 million in customer funds were lost in the collapse based on prices at the time, though those crypto assets would have been priced substantially higher at various times since.

Address poisoning is a scam tactic that takes advantage of crypto traders' tendencies to copy and paste wallet addresses from their transaction histories, since the addresses are long strings of characters that are not practical to type from memory. By creating a new wallet address with identical start and/or ending character strings to addresses used by the victim, and spamming the victim with transactions from that similar address, scammers are sometimes able to get victims to erroneously copy the spoofed address for future transfers.

That's what appears to have happened in this case, when a victim transferred 1,155 wrapped bitcoin — tokens pegged to the bitcoin price meant for use on the Ethereum blockchain — to the malicious address.

The victim and the exploiter later reached an agreement for the return of most of the funds, with the exploiter keeping $7.2 million as a "bounty".

The first attack, on April 26, was enabled by a flaw in the security measures related to transfers of the USDC stablecoin. An attacker was able to change the recipient address and amount, ultimately making off with almost $300,000 in the stablecoin. Pike released a postmortem two days later, acknowledging that the bug had been identified by a third-party auditor but had not been rectified by their team.

When the Pike team went to patch the smart contracts to thwart this attack, they introduced new, even worse vulnerabilities. As a result, on April 30, an attacker was able to upgrade the project's smart contracts to malicious ones, then withdraw $1.68 million in ETH, ARB, and OP tokens.

Pike Finance has offered a 20% reward for the return of the funds or information pertaining to the attacker, and has promised "a plan to make users whole". Pike, which launched in early 2024, is backed by Circle and Wormhole.

Ver was arrested in Spain, and the United States will seek his extradition.

Besides his tax woes, Ver has also been caught up in accusations by CoinFLEX that he owed the platform around $84 million after failing to meet a margin call. Ver has in turn claimed that CoinFLEX owed him money. CoinFLEX filed for restructuring in August 2022.

Prosecutors sought a three year sentence for Zhao, while Zhao requested to serve no time. The judge ultimately decided on a sentence closer to the five-month sentence that was being recommended by the Probation Office.

After zachxbt sounded the alarm on May 13, Rain admitted that they had had a "security incident", but stressed that customer funds were safe, and stated that the Rain Group had "covered any potential losses resulting from this incident".

Mazini also ran a scam targeting the Muslim community in New York, via a company called Halal Capital. In reality, this was a Ponzi scheme, and payouts to his investors were funded in part by the crypto scam he was also running.

Mazini was arrested in March 2021 on kidnapping charges, after he kidnapped and beat someone who might have witnessed his frauds. He was sentenced to five years in prison for that charge, to which he pled guilty. His new fraud sentence will be served concurrently with the kidnapping sentence.

In addition to seven years in prison, Mazini has been ordered to forfeit $10 million. Restitution has not yet been determined.

Rodriguez was arrested in the United States; the United States will seek extradition for Hill, who was arrested in Portugal.

Samourai Wallet advertised itself as "a bitcoin wallet made for the streets", which would "keep your transactions private, your identity masked, and your funds secure". It touted features including "remote self-destruct", and would hide itself from a phone's applications list. As charges were filed in the United States, the wallet's website began displaying a seizure notice that informed visitors of a coordinated law enforcement action by the US Attorney's Office in the Southern District of New York, FBI, IRS, Europol, and Portuguese and Icelandic police. The app was also removed from the Google Play Store.

Instead, the project's creators transferred those more than 10,500 ETH ($33 million) to Lido, an Ethereum staking service. As for the "return" of funds, the project team indeed followed through with their promises to return the crypto... except instead of ETH, depositors received the project's native token, ZKAS, which would vest over a period of 15 months. The project announced that they had calculated the ZKAS distribution based on a discounted rate, "as a favour to our users who have bridged to participate in the ecosystem". Gee, thanks!

One investor in the project wrote, "We made a mistake investing in Zkasino early. ... [I]t sounds like a scam, but 95% of crypto consists of such crap. With memecoins pumping every day, people believe this could be the next one."

It seems that ZKasino's creators have links to other crypto scams, including a failed "ZigZagExchange", which raised around $15 million that was allegedly misallocated to work on the ZKasino project. Crypto sleuth zachxbt had also described the team as "proven bad actors" in December, listing multiple instances in which they had avoided making promised payments.

After the rug pull, the project's planned IDO on Ape Terminal and AIT Launchpad were canceled, and MEXC (which had invested in the project's seed round) canceled the token listing.

The majority of assets were stolen from Hedgey on the Arbitrum layer-2 network, although around $2.1 million of them were stolen from the version deployed on the Ethereum mainnet.

Hedgey Finance confirmed the exploit, and sent an optimistic and congratulatory message on-chain: "Well done for finding it! We're assuming you executed this exploit as a white hat, so we'd like to get in touch with you to discuss next steps." No on-chain response thus far.

According to Hong Kong police, they have received more than 2,600 complaints about JPEX, involving HK$1.6 billion (~US$204 million) in assets.

Shortly after he was identified as the person behind the attack, Eisenberg tweeted that he "was involved with a team that operated a highly profitable trading strategy last week. I believe all of our actions were legal open market actions". Sadly for him, jurors didn't share this belief.

Eisenberg faces up to 20 years in prison.

What he failed to mention is that the tokens in Trump's wallet were airdropped to him, likely without Trump even realizing it. Several of Trump's crypto wallets are publicly known, and people send coins and NFTs to them all the time. Trump has no more endorsed Stone's "MAGA Memecoin" than he has the "HarryPotterTrumpHomerSimpson777Inu" tokens that also sit in his crypto wallet.

Elsewhere, Stone disclosed, "My promotion of MAGAMemecoin is, of course, sponsored." I haven't been able to find where he has disclosed the amount he was paid for these promotions, as he is required to do.

The team behind the project claimed that the deployer wallet had been compromised, allowing an attacker to drain the project's liquidity pool. Altogether, 615 ETH (~$2 million) was taken from the project.

Grand Base is a platform where users can trade "gAssets", which are crypto tokens that represent stocks in tech companies including Amazon, Apple, Google, Meta, and Microsoft.

Max Howell, the creator of tea.xyz (and creator of homebrew, though he's no longer involved), seemed apologetic, and promised to make changes to the protocol to stop this spammy behavior.

Now, deprived of that avenue, people are just creating massive waves of empty software packages, with nothing other than a "teafile" with their crypto wallet address for rewards, and submitting them to package managers like NPM and RubyGems.

This spam prompted a blog post from RubyGems, who wrote that they had to devote time to strengthening limits on package publishing and "ensuring [accounts] didn't disrupt the community further."

Security researchers at Phylum also wrote up the protocol's impact on the JavaScript world, which has seen as many as 7x as many packages published on NPM as previous daily averages. "Automated sustained spamming of this volume for months on end is rare and does nothing but cause heavy strain on the ecosystem itself, degrading the performance of the ecosystem for genuine users and straining open source security researchers," they wrote.

Pac Finance has said they are "actively developing a plan with [impacted users] to mitigate the issue."

NGS and its associated business is believed to have pulled in around AU$62 million (US$42 million) from around 450 Australians.

So far, losses are estimated to affect around 100 investors, who have up to AU$100 million (US$65 million) in claims.

Balanian had boasted of his career experience as a former NASA mission planner, and targeted his fund to wealthy investors with a minimum initial deposit of AU$50,000 (~US$33,000).

US Attorney Damian Williams described this as the first ever conviction for a smart contract hack.

Ahmed forfeited around $12.3 million in stolen funds, and will pay more than $5 million in restitution.

On April 10, CEO Edgar Pavlovsky tweeted that he had resigned from MarginFi, publicly calling that he "d[idn't] agree with the way things have been done internally or externally". Pavlovsky had been criticized for his response to the controversy around MarginFi, in which he had been argumentative and insulting, tweeting things like "take your money out, go fuck yourself" to those who accused him and MarginFi of malfeasance.

Amid the chaos, more than $210 million in TVL has exited the protocol.

The notice was received with an adversarial posture by Uniswap, who announced its receipt with a blog post titled "Fighting for DeFi". "Taking into account the SEC's ongoing lawsuits against Coinbase and others as well as their complete unwillingness to provide clarity or a path to registration to those operating lawfully within the U.S., we can only conclude that this is the latest political effort to target even the best actors building technology on blockchains," they wrote.

The news was met with outrage in the crypto community, who generally saw the action as indicative of an overly aggressive posture by the SEC to crack down on defi and crypto more broadly.

According to STFIL, while some of the core team members were detained by Chinese police, FIL tokens were moved to an unknown wallet. They also acknowledged that there had been "abnormal, unscheduled upgrades to the protocol". They asked their community members for help in tracking the wallet.

Some speculated that the story was fake, and that the project had stolen the funds. However, Chinese police have in several instances cracked down on people and companies involved in Filecoin-related projects, including an $83.3 million alleged pyramid scheme in August 2023 and a group of Filecoin Ponzi schemers in 2021. Filecoin mining became popular in China after its 2018 initial coin offering, and also became a magnet for Ponzi schemes and other scams.

The project described itself as a DEX with a native $MUSK token, and launched in July 2021. However, the token tanked on December 25, 2021. Although the project team tried to blame the crash on "liquidity issues" and promised paths forward, they locked the project Telegram chat on March 11, 2022. On April 5, 2022, the team withdrew remaining funds and deleted the website.

Crypto analysis firm CertiK linked the MuskSwap project to several other scam tokens and projects: RocketDoge, InfinityGame, SpaceX, MUFC (themed after Manchester United), and Elona Musk. Altogether, the rug pulls have drawn in $5.1 million.

Some more recent Yelp reviews described fairly mediocre food, which "[t]he NFTs don't make up for".

The restaurant opened in April 2022, a month after owner Andy Nguyen purchased Bored Ape #6184 for $268,000, along with three Mutant Apes for an additional combined $187,000. #6184 became the restaurant's logo, and the others were incorporated into the restaurant's branding. The NFTs haven't been resold since, although it's unlikely they could recoup close to their original purchase prices — Bored Apes have been averaging a little under $50,000 in recent sales, and Mutants around $8,500 each.

Kwon and his company were behind the algorithmic stablecoin, Terra, which dramatically collapsed in May 2022, sending huge ripple effects throughout the ecosystem. He and his company had lied about the stability of the token, ultimately causing massive financial damage to the tune of around $40 billion.

Kwon is in custody in Montenegro after attempting to flee criminal cases in both the United States and South Korea. The civil case in the US proceeded without him.

The "yes" votes are currently in the lead with a 63% margin. The most yes votes came from sushigov.eth, the official SushiSwap team address, which also created the proposal. It is the first time that address has ever participated in a governance proposal.

The 5.5 million yes votes from the team wallet, plus another 3.1 million delegated from other community members, were enough to push the vote to majority support. A former SushiSwap contributor has also alleged that the SushiSwap team was manipulating the vote with additional wallets.

On Twitter, Sushi's "Head Chef" claimed that he had consulted with lawyers and then authorized the voting activity out of fear of an "extortative [sic] governance attack attempt".

Despite that, people sent the creator over 8.8 ETH (almost $29,000) for the project's "pre-sale", even as they repeated on Twitter that the project was a scam and that no one should buy it.

FixedFloat acknowledged the theft in a Twitter post, and blamed the same thieves. They claimed that this theft was enabled by a vulnerability in a third-party service.

Solareum later wrote that they would be closing the project, and deleted their website. This drew some criticism from users who accused them of doing nothing to investigate the hack, or even being responsible themselves. The project wrote on Twitter, "We at #SOLAREUM team can clarify that we DO NOT steal money." Ah, well, in that case.

Other bots may have been involved in the theft, though it's not clear at this point. Though there was some speculation that a trading bot called BonkBot was to blame, that seems to have been unfounded.

The total theft amount is not clear, but exceeds $500,000.

Plasma paused the protocol after detecting the attack.

The first attacker, who stole the bulk of the assets, sent an on-chain message to Prisma claiming that they had performed a "whitehat rescue", and inquired about returning the funds. In later messages, however, they asked the project to answer questions about their security practices and projects' responsibilities to users to prevent attacks. The attacker then transferred the stolen funds to Tornado Cash — indicating their return is unlikely.

In another message, the attacker was angry that Prisma had not expressed gratitude to them or remorse to their users, and was angry they had used terms like "exploit" and "attack" in their description of the incident. They demanded that the team reveal their identities, apologize, and thank the attacker in an online press conference.

The sentence follows his conviction on all seven felony charges in November 2022 — a decision reached by the jury within hours of beginning their deliberations.

Bankman-Fried intends to appeal the conviction.

One of the co-founders, known only as "Paul", claimed on Discord that he was "trying to investigate" the movement of funds, which have been blamed on the project's other co-founder, John Kim.

Conversations on Discord suggest that a remaining $3 million in treasury funds were protected, and that the remaining LENX team may have been able to convince Binance to freeze the account that received stolen funds. However, little has been verifiably confirmed to date.

LENX is backed by the Frax Finance lending protocol.

According to prosecutors, they tried to conceal that the exchange had customers from the United States in order to claim that they were exempt from US anti-money laundering laws. They also marketed KuCoin as a KYC-optional exchange where customers from the US could operate unverified accounts.

The charges against the founders carry maximum sentences of five years in prison.

Things went awry in the land of the schnibbles and snuggeries when an attacker siphoned around 17,400 ETH ($62.5 million). Various descriptions of the attack circulated, with blockchain sleuth zachxbt attributing it to a recently hired developer, and crypto developer 0xQuit claiming the theft appeared to have been "planned since deploy".

Some began discussing the possibility that the Blast layer-2 blockchain might forcibly roll back the chain to "undo" the hack. Some have argued this is contra to the crypto ethos or would set a bad precedent, while others have argued that as a blockchain focused more on gaming and experimentation and less on decentralization and other facets of crypto ideology, it would be a reasonable step.

Some hours after the attack, the exploiter was convinced to return the funds.

A bug in the project's Ethereum smart contract enabled an attacker to mint 1 billion of the project's CGT governance token. Although the tokens were notionally priced at around $40 million, the loss to the project was estimated at closer to $16 million.

Curio DAO announced that they intended to compensate users affected by the theft over a year-long period.

The tokens became so popular that projects showing newly-released tokens, like DEXScreener, became full of such tokens. DEXScreener released a statement on Twitter to say that "We'll be reviewing our token profile moderation policy in the coming days. We won't be the gatekeepers of what happens on-chain, but we're definitely not here to spread hate." The replies to the tweet were, predictably, full of people accusing DEXScreener of "censorship" and "going woke".

You almost have to admire the tenacity.

After the thief was identified by blockchain sleuth zachxbt, they posted a long message on Twitter, writing, "im not sorry for any of you, tbh. you are all morons if you believe all it needs to make it here is to send your money to a custodial address and get rich". The thief later spent some of the money on Milady NFTs and memecoins.

zachxbt stated that he had identified the developer, including his full name, location, and other details. He encouraged those who were scammed to contact him if they were interested in pursuing legal action.

The attacker contacted the project shortly after the theft, claiming to be a whitehat. They wrote, "Hi team, this is a whitehat rescue hack. Let's work on reimbursing the users." Super Sushi Samurai later confirmed that the funds had been returned, minus a 5% "bounty". The team also gave the whitehat an additional 2.5% in SSS tokens and land, and brought them on to the project team as a tech adviser.

AirDAO announced the theft the following day, and stated that they were working to track and freeze stolen funds. They also offered the attacker a 10% "bounty" if they chose to return the stolen assets.

An attacker apparently discovered a reentrancy bug allowing them to drain user funds from those who had approved the old contract. Altogether, around $1.8 million was taken before the team disabled the contract. The attacker quickly tumbled the stolen funds through Tornado Cash.

Although the SEC has agreed that bitcoin is a commodity and not a security, it has been hesitant to make similar explicit statements about ETH. Designation as a security could be devastating to the Ethereum project and to ETH, which is the second most popular cryptocurrency to bitcoin.

The incident underscores the thinness of the bitcoin markets on some cryptocurrency exchanges, and the ease with which a few whales can manipulate token prices.

BitMEX used to be among the largest cryptocurrency trading platforms, though its popularity diminished after its founders were hit with criminal charges in 2020 for violations of the Bank Secrecy Act.