Web3 is Going Just Great

Now, Flowcarbon has reportedly been issuing refunds after the tokens have failed to materialize more than two years later. Flowcarbon has reportedly been blaming "market conditions and resistance from carbon registries" for the failure to launch, according to a report from Forbes. Flowcarbon claimed they have been offering refunds "due to industry delays" since 2023.

The platform's smart contracts remain operational, however, and so despite the lack of a frontend website for the platform, the backend still remains. A trader was able to use these smart contracts to trigger a feature that allows a buyout of the fractional shard holders which, if not countered by someone else, automatically goes through in 14 days. The bidder proposed a purchase of 0.001 ETH per share, and without an operational Niftex frontend, no one noticed. The bid went through, and the trader successfully purchased all 10,000 shares — and thus, the NFT — for 10 ETH.

Since then, several people have offered to purchase the NFT for amounts ranging from 100 to 605 ETH. If the new owner were to accept the 605 ETH bid, they would 60x their purchase price.

One owner of a fractionalized share said he thought he had managed to successfully block the sale, but miscalculated. "GG to the new owner", he wrote. He wrote on Twitter, "I don’t consider this a heist. It’s an arb. The smart contract worked as intended. If you want decentralized systems you have to take the good with the bad. It’s part of the game. It’s why we’re here. If you don’t like those rules, you probably shouldn’t be playing."

Indodax's Instagram account also appeared to be compromised, promoting a suspicious "giveaway".

Terms of the settlement include 100% repayment of investments made by victims in the five states that settled: Texas, Alabama, Arizona, Arkansas, and Georgia.

GS Partners has also faced regulatory scrutiny in other US states, as well as in Canada, Australia, and South Africa.

This $10 million was later sent to a German non-profit foundation called the Wau Holland Foundation, which has also been fundraising and managing funds relating to Assange's legal defense. However, this transfer raised serious concerns among some members of the DAO who say they've effectively been cut out of decisionmaking, that the funds were transferred without their approval, and allege the treasury was mismanaged and crashed in value as a result.

Hacktivist, bitcoin core developer, and AssangeDAO organizer Amir Taaki accused fellow AssangeDAO organizer: "Harry Halpin you should be honest and direct with the people here. You believe the money should be kept in a foundation controlled by your people with Julian. You do not respect the community or believe in the DAO."

The project spiked in popularity when it launched in August 2023, but interest rapidly dwindled. A token launched in May 2024 also suffered a mostly downward trajectory. On September 7, the team reassigned ownership and admin rights to the smart contracts to the burn address, making them permanently inaccessible.

Some denounced the project as a Ponzi scheme (repeating accusations it has received since its inception, based on its incentive structure). Others accused the development team of rug pulling and not delivering on their promises — accusations that intensified as one co-founder deleted his Twitter account and the other set his to private. The team is estimated to have made around $44 to $60 million in fees.

He went on to state that the "vast majority" of the stolen assets were his personal funds. He also alleged that "There is some evidence to suggest that someone in the Ventures syndicate is either part of the group, or passing information onto them."

The amount of funds stolen was not disclosed. Drakon resigned as CEO, and said that he had forfeited his interest in Revolo Intel "to facilitate the return of some money back to members as quickly as possible". He wrote: "To be clear, I have zero financial interest in Revelo moving forward."

He also stated that he would be "stepping away from 'public life' in this space", and warned others: "If you are someone who is known to control large sums of money, you are a target and it is not difficult at all to get to you."

In addition to the fine, terms of the settlement require the platform to allow its customers to withdraw their crypto assets, and to update disclosures regarding asset custody.

The California DOJ also accused the platform of misleading its customers by claiming that the app "advertis[ed] it would connect to multiple trading venues, to ensure customers receive the most competitive prices between the venues, which was not always true". They also say that Robinhood lied about always holding all customer crypto assets purchased through the platform, when in reality, "there were instances in which it arranged for trading venues to hold customer assets for extended periods".

The team behind Pendle (the platform on which Pendie is built) detected the attack and paused Pendle an hour after the attack began, which they claim prevented another $105 million from being stolen.

Members of the Penpie team filed complaints with Singaporean police and the US FBI. They also attempted to negotiate a "bug bounty" via on-chain and social media messages to the attacker, but the hacker seems uninterested and has continued to transfer funds between various crypto wallets and launder funds through Tornado Cash.

The SEC also charged that Galois Capital had misled some investors into believing they needed five business days of notice to redeem assets, while other investors were allowed to redeem assets more quickly.

Galois agreed to a settlement with the SEC in which they will pay a $225,000 penalty, which will go to investors who lost money.

An exploiter was able to take advantage of an arbitrary call error that allowed them to steal funds from these various contracts, amounting to around $56,000. Various people associated with Aave emphasized that there was no risk to user funds or flaw in the core Aave protocol, and one described the hack as "raiding the tip jar".

Finzer promised that the company would vigorously fight any impending lawsuit.

The lawsuit echoes previous enforcement actions by the SEC, such as a September 2023 settlement with the celebrity-backed Stoner Cats project, in which the SEC suggested that it may broadly view NFTs as securities if investors "reasonably expect to profit" from the continued efforts of those who release the NFTs.

Bitcoin mining has been an extremely challenging business in recent times, partly due to volatile crypto prices over the last few years, and due to diminishing miner rewards following the April halving event.

Rhodium Enterprises had been showing signs of trouble, including failing to make scheduled loan payments earlier this month. In December 2023, a dispute between them and a subsidiary of the Riot Platforms bitcoin mining group culminated in armed security removing Rhodium employees from a bitcoin mining facility in Rockdale, Texas, where Rhodium was leasing bitcoin miners. The case was later sent to arbitration.

However, $53.9 million of investor funds were used to pay other investors, in classic Ponzi fashion. The brothers also used investor funds to build houses for themselves and their family, purchase vehicles and designer goods, and make payments on a $30 million condo in Miami for Tanner.

One of the brothers, Jonathan, had in 2004 been convicted on felony securities law violations that resulted in a four-year jail sentence and more than $300,000 in restitution.

Abra settled the charges from the SEC by agreeing to an obey-the-law injunction, and agreeing to pay as-yet-undetermined civil penalties.

In January 2024, Abra settled claims from the Texas State Securities Board by agreeing to refund customers. As a part of the complaint, the TSSB had alleged that Abra was "insolvent or nearly insolvent", and had been making misleading statements. In June 2024, Abra settled with 25 state regulatory agencies, agreeing to refund up to $82.1 million to its US customers. Abra had begun winding down operations in the United States in mid-2023, after facing multiple state regulatory actions.

One member of the Discord described losing more than $140,000 in tokens after clicking a link shared by a person appearing to be a member of the Polygon team, which advertised a token distribution to serve as a "pre-migration celebration".

They then boasted about their haul on the compromised Instagram account, changing the bio to say: "Sorry mah nigga you have just been rug pulled by India_X_Kr3w thank you for the $700,000 in Solana 🇮🇳".

The token stunt by the massive company was perhaps made more believable by McDonald's previous forays into crypto, including when they launched a McRib-themed NFT project in December 2021. The company had also joked about a "Grimacecoin" back in January 2022, in a reply to a tweet from Elon Musk.

The attacker later moved the stablecoins to a new wallet, and exchanged about half of them for 10,625 ETH.

Between May and July of 2023, Hanes transferred $47.1 million of the bank's funds to the fraudulent scheme. This ultimately led to the bank collapsing, with equity investors losing $9 million and the FDIC footing the bill. "There were people who lost 70, 80% of their retirement" as a result of their investment losses, stated a community member.

Hanes had also taken money from a local church, an investment club, and his daughter's college savings. These funds were reportedly used to buy cryptocurrency after those running the scheme told him they needed more money to "unlock" the returns on his investments — a common tactic with these scams.

Ziemian was wanted on international warrants from Poland and South Korea. FutureNet, which was established in 2018 and purported to be a crypto trading platform, is alleged to have defrauded numerous people of a combined $21 million. Victims were encouraged to buy "participation packages", and earn rewards for referring others to the scheme. Polish authorities warned that FutureNet might be a pyramid scheme in 2019, and South Korea began an investigation into the company in 2020.

Ziemian faces fraud, money laundering, and theft charges, which could be punished by life imprisonment in South Korea.

Now, Austin "DNP3" Taylor has pleaded guilty to wire fraud after stealing around $1.14 million in investor funds from his CluCoin project, which had claimed it would "help others in need". DNP3 himself had built up a reputation of making generous gifts while livestreaming. He transferred the stolen funds to online casinos, where he then gambled them away.

Taylor faces up to 20 years in prison. The statement from the U.S. Attorney's Office announced that authorities would be notifying identified victims via NFT, and encouraging them to submit statements to the FBI.

Scammers impersonating crypto company support representatives are everywhere on social media and elsewhere. Now, it seems, they are purchasing Google ads to rise to the top of Google search rankings. While Google says they attempt to remove fraudulent advertisers, some slip through the cracks.

While phishing attacks like this are prevalent both in crypto and in tradfi, crypto platforms often do not have similar safeguards as major banking platforms to try to thwart unauthorized transactions, nor do they have the same ability to reverse transactions that are made.

The SEC's lawsuit also targets six other promoters of the NovaTech scheme, all of whom the agency says used "religious overtones" when attracting new investors. Ultimately, the scheme was revealed to be a Ponzi scheme, with new investors' money being used to pay out previous investors, as the promoters also took money for themselves.

Defendants Sam Bankman-Fried, Caroline Ellison, and Gary Wang, as well as the FTX and Alameda Research companies, will be prohibited from commodities trading, including trading bitcoin, ether, USDT, or other assets considered "digital asset commodities" by the CFTC. However, with Bankman-Fried already beginning a 25-year prison sentence, and Ellison and Wang due to be sentenced, this may be low on their list of worries.

zachxbt traced the payment addresses for roughly 21 developers involved in this kind of activity, which he found had been working for at least 25 different cryptocurrency projects. They had earned around $375,000 over the past month.

Ripple and others in the crypto world have been celebrating the judgment as a victory, in part because it is a substantially smaller penalty than the $1 billion in disgorgement and $900 million in penalties sought by the agency.

The SEC has already signaled throughout the case that they were likely to appeal an eventual outcome, after objecting to the judge's decision that several other types of token sales were not unlawful securities offerings.

People were quick to blame those behind the project, primarily "Pharma Bro" Martin Shkreli (who has been accused of dumping his own token before). Shkreli was quick to shift the blame to Donald Trump's youngest son, Barron, who he has also claimed is behind the token (although this has not been independently confirmed). However, the owner of the wallet that dumped its tokens is not definitively known.

Fortunately for the Ronin team, it seems that most of the losses actually went to whitehats and MEV bots that were frontrunning transactions by would-be exploiters. ETH and USDC priced at around $12 million were taken — the maximum amount before triggering a safety feature in the code. Later that day, Ronin announced that the ETH (worth around $10 million) had been returned, and that the USDC was in the process of being returned. They also announced that they would reward the whitehats with a $500,000 bug bounty reward.

The Ronin bridge was taken offline shortly after the flaw was detected, and the team announced it would undergo an audit before being brought back online.

The Kujira team apologized for the fiasco, and announced a plan to create a DAO to take over the project treasury.

Although ConvergenceFi described itself as audited, they admitted they had made changes to that portion of the code after the audits.

They assured their users that all user funds were safe, but recommended that users remove their staked funds from the platform.

ZKX had raised $4.5 million in seed funding from investors including the now-bankrupt Alameda Research, Starkware, HTX, Amber Group, ArkStream Capital, and HashKey Capital. The project had announced a second, $7.6 million raise only a few weeks before its shutdown.

People at Amber Group, ArkStream, and HashKey publicly criticized the lack of transparency from ZKX around its financial situation. Ye Su, a founding partner at ArkStream, explained that he felt they had been "rug pulled".

Blockchain sleuth zachxbt joined the VCs in characterizing the project as a rug, and further elaborated that he felt the retail investors who had purchased the project's token only weeks earlier had been tricked into buying a token by the project team, who "misled the community/retail ... by giving the appearance the project was healthy and strong when in reality they were in a bad position and about to shut down."

According to the criminal charges, Al-Naji misled investors, including by taking $3 million from an investor and using it for his own personal expenses and gifts to family. Al-Naji had told investors that the sales of the platform's token would not go to him or to other employees.

The SEC complaint separately alleged that Al-Naji had tried to falsely present the BitClout project as decentralized, including by soliciting a letter of opinion from a law firm that his tokens were not likely to be deemed securities, which was based on mischaracterizations.

BitClout raised money from various prominent firms, including Andreessen Horowitz, Sequoia, Chamath Palihapitiya's Social Capital, Coinbase Ventures and Winklevoss Capital.

In an announcement in the project Discord and on their website, DraftKings wrote that the shutdown was "due to recent developments". They offered holders the ability to cash out their Reignmakers cards "based on factors that include, but are not limited to, the relative size and quality of your digital game piece collection". Holders were also invited to transfer their NFTs to their own cryptocurrency wallets, although the DraftKings-run "contests" in which people used their NFTs to try to earn rewards and win prizes will no longer exist. It's also unclear whether some NFTs, built to not be transferrable off-marketplace, will be able to be retained by their holders.

Members of the DraftKings Discord reacted with chagrin to the news, and doubt that the vague promises of cash payments would amount to much. "What kind of compensation u think we get coming to us? Pennies?" wrote one. "Yeah I'm out like $20k," said another. Some blamed the shutdown on a recent lawsuit from a holder of the Reignmakers NFTs who lost $14,000 — a lawsuit which recently survived the motion to dismiss stage.

Humpy has previously been accused of governance attacks on other protocols, including Balancer and SushiSwap.

Prior to the proposal's passage, some Compound Finance DAO members raised objections. "In my personal opinion, the actions of Humpy and the Golden Boys can be considered a governance attack if they persist in their attempts to take funds from the protocol in clear opposition to the will of all other Compound DAO delegates," stated Compound Finance security adviser Michael Lewellen, who also described the proposal as "a malicious attempt to steal funds from the protocol".

Afterwards, Lewellen wrote that "OpenZeppelin is working with all active delegates and Compound contributors to assess our options for protecting the protocol. We see serious risks to the future decentralization of the DAO as a result of Proposal 289 passing and so we are exploring options to mitigate or reverse this outcome."

The malicious video chat software attack vector has been widely used in the crypto world, with a victim losing cryptocurrency to an attacker using the same technique and impersonating an Andreessen Horowitz partner last month.

So far, the MonoSwap attacker has laundered $1.3 million via the Tornado Cash cryptocurrency mixer.

The affected domain was hosted on Squarespace, which could connect this compromise to similar events earlier in the month affecting domains registered there.

In a stroke of luck for the RHO team, the MEV bot operator sent RHO an on-chain message indicating they were willing to return all of the funds, although they first demanded that RHO "admit that it was not an exploit or a hack, but a misconfiguration on your end. Also, please provide what you are going to do to prevent it from happening again."

RHO is built on the Scroll Ethereum layer-2 network. Scroll temporarily paused the chain as RHO investigated the loss.

WazirX is the largest cryptocurrency exchange in India. The company was acquired by Binance in 2019, but the two companies re-separated in 2023 after a bizarre public dispute.

WazirX's June 2024 proof-of-reserves reported around $500 million in total holdings, making the $235 million theft a substantial portion of the assets held at the exchange.

Blockchain sleuth zachxbt observed that the theft had some of the hallmarks of the Lazarus Group, a North Korean hacking group that has perpetrated other 9-figure heists including the $625 million Axie Infinity theft in March 2022, and the theft of more than $100 million from Atomic Wallet users.

"Can't believe @Trip a multibillion company is also a rugged project," wrote one person in response to the shutdown announcement.

Unsurprisingly, the project turned out to be a pyramid scheme. On June 25, the Philippines SEC issued a warning, noting that the project was not registered with them, and that it "has the characteristics of a 'Ponzi scheme'". Shortly afterwards, Metamax deleted their Twitter account, and shut down victims' online access to their accounts.

Local news estimated that the scheme affected around 15,000 victims, mainly in Cyprus and Greece. Three people have been arrested in connection to the scheme, including a retired Cypriot police officer. One of the suspects turned himself in to police, claiming that he himself was a victim of the scam, and that he believed his life was in danger as he was being threatened by Metamax victims. Days later, a bomb was detonated near a home he once rented.

Minterest paused the supply and borrow portions of their protocol after the attack, and attempted to contact the attacker to negotiate a return of some of the funds.

Dough Finance sent an on-chain message to the attacker, asking them to return the "misappropriated funds", threatening that they would "pursue all criminal, legal, and administrative avenues available" in the event that the attacker did not do so.

Somewhat ironically, the "Unstoppable Domains" web3 domain service was also impacted, and their site was offline for a while before they regained control.

The hijacking appears to be thanks to an attack on Squarespace's domain registry. Crypto founder Bobby Ong has suggested that the attack is affecting domains acquired through Google Domains, which sold its business to Squarespace several months ago. "Tthe forced migration of domains to Squarespace removed 2FA causing all these domains to be vulnerable and several have been hijacked," he wrote. "Best thing to do is to not interact with crypto and rest for the next couple of days until everything is resolved."

Web2 is going just great!

The OmegaPro Ponzi scheme was reportedly linked to the OneCoin crypto Ponzi, whose operators stole at least $4 billion from millions of victims since 2019. Multiple people associated with OneCoin have been arrested, including its co-founder Karl Sebastian Greenwood, but its "Cryptoqueen" co-founder Ruja Ignatova was one of Europol's most wanted fugitives and remains the subject of an Interpol red notice.

The attacker appeared to have only marginal success, as the token reached a market cap of around $500,000 before collapsing by 96%.

Hackers have compromised a string of celebrity Twitter accounts to promote memecoins recently, including those of Hulk Hogan and Metallica.

Bittensor is among the artificial intelligence-focused cryptocurrency projects that have become popular recently amid the AI hype. Although the project website boasts that "Bittensor is creating a new future for humanity, where new economies and new commodities are decentralized by design and where no single entity is a sole authority," the group unilaterally halted the chain in the wake of the attack.