SEC fines Jump Crypto subsidiary $123 million

The SEC has levied a $123 million fine against Jump Crypto subsidiary Tai Mo Shan, which was part of a secret deal with Terraform Labs to help prop up the floundering Terra stablecoin in May 2021. Jump spent $20 million to help the supposedly “self-healing” stablecoin regain its $1 peg, earning about $1.28 billion in the process, and Terraform Labs CEO Do Kwon would later claim that the restoration to a $1 price was thanks to an automatic feature of the Terra project and not some backroom deal. This lie by Terraform Labs and Jump Crypto helped build confidence in the sustainability of the Terra token, which collapsed horrendously a year later.

The SEC also found that Tai Mo Shan had acted as a statuary underwriter for the Terra sister token Luna, which was an unregistered security.

Tai Mo Shan agreed to the fine, and to a prohibition on future violations of securities laws.

Two NFT fraudsters charged for rug pulls amounting to over $22 million

An illustration of a person with green skin and a face shaped like a square-cut gem. They're wearing a white bandana, sunglasses with dollar sign patterns, and a prison uniform, and they have a party horn in their mouth.Vault of Gems #2509 (attribution)
Gabriel Hay and Gavin Mayo, two LA-based NFT creators, have been charged for defrauding investors of more than $22.4 million through a series of NFT rug pulls and other crypto scams. The duo launched various projects with detailed and false roadmaps to lure NFT buyers, then abandoned the projects without following through.

For example, a "Vault of Gems" NFT project falsely claimed to be the "first NFT pegged to a hard asset, like jewelry", which would have its own exchange. A "Faceless" NFT project promised to produce comic books, a movie, and a clothing company. None of the promises ever materialized, and Hay and Mayo abandoned the projects soon after launching them.

Hay and Mayo worked to hide their involvement with their scams, and have been charged with harassment for attempting to threaten those who connected them. In one case, after a person revealed Hay and Mayo to be the ones behind the Faceless NFT project, the duo sent threatening emails and text messages to the man and his parents. In an email to his parents, they impersonated a law firm, and even threatened to make false sexual abuse claims against the man.

Kraken fined $5.1 million by Australian securities regulator

The US-based cryptocurrency exchange Kraken has been fined AU$8 million (US$5.1 million) for illegally offering margin trading to Australian customers. The firm had offered the margin product to more than 1,100 Australians without first undergoing the process to determine if the products were appropriate for retail customers.

The more than 1,100 customers lost more than US$5 million. While some of the customers were likely sophisticated investors, Kraken made no effort to limit the product to such a group. Around 81% of the customers who used Kraken's margin product lost money.

This is far from Kraken's first run-in with regulators. The company has settled with US regulators over sanctions violations and failure to comply with securities regulations pertaining to its staking product. They also have an open lawsuit from the US SEC over alleged unregistered securities offerings and commingling corporate and customer funds.

Crypto holder loses assets priced at $2.5 million

A crypto holder tweeted at the Ledger hardware wallet manufacturer to report that 10 BTC (~$1 million) and "~1.5m of NFTs" had been stolen from a Ledger wallet they were using. "The ledger was purchased directly from you. The seed phrase was stored in a secure location, never entered anywhere online. I never signed any malicious transactions. Everything is in my physical possession.I haven’t touched this ledger in 2 months," they wrote.

Some blamed the theft on an apparent malicious Ethereum transaction the user had signed nearly three years prior. However, while a malicious transaction signature on Ethereum could explain the NFT thefts, it should not alone enable the theft of assets on the separate bitcoin blockchain.

Despite this, Ledger blamed its customer, telling a media outlet that "As we know, the user got phished when it comes to the ETH wallet, we can assume user error on the BTC side too".

Former pastor charged with crypto scheme in which he stole $5.9 million from his former congregants

The CFTC has filed suit against Francier Obando Pinillo, an American former pastor who targeted his former congregants and other unsophisticated investors with a crypto pyramid scheme called "Solanofi". He promised victims that his supposed automated trading system was "risk free", and that they would earn guaranteed profits as high as almost 35% compounded monthly — which he "proved" to them with an online dashboard showing faked balances. They were also encouraged to recruit friends and family, and incentivized with referral fees.

Despite his promises, Pinillo had created no trading platform whatsoever, was doing no crypto trading, and simply pocketed all the money. Any payments made to his customers during the fraud were taken from newer investors, in classic Ponzi fashion.

Clober gets clobbered

Clober, a DEX built on Coinbase's Base Ethereum layer-2, suffered an exploit only about a week after its launch. A re-entrancy bug in the project allowed an attacker to siphon 133.7 ETH (~$501,000) from the project. Although the project boasted of audits, Clober had made changes to a contract after the audits that introduced the vulnerability.

Clober has offered a 20% "bug bounty" to the exploiter vi on-chain message, though they have not yet received any public reply.

Alpaca Finance proposes $50,000 restitution for $2.8 million in losses

Users of the Alpaca Finance lending protocol suffered losses when the protocol's sloppy oracle implementation finally resulted in consequences. Although many had warned the project about their glacial oracle setup, and the vulnerabilities they were opening themselves up to, the project repeatedly denied any issues and even banned those voicing concerns.

Then, when a new token called THENA was listed on Binance and experienced major volatility as trading opened, Alpaca's issues came to a head. As the token price surged, the slow oracle failed to reflect price changes, allowing people to withdraw far more THENA than they had posted as collateral. THENA lenders have lost an estimated $2.8 million.

On December 10, Alpaca Finance proposed distributing $50,000 "saved" by their liquidation bot to the lenders who had lost funds. Alpaca Finance also banned users complaining about their losses in the project Discord, dismissing them as a "group bot/FUD attack".

85-year-old painter loses life savings to NFT art dealer scam

An 85-year-old painter from Brooklyn was convinced to send scammers $135,000 after they promised they would sell his artwork as NFTs on OpenSea. After agreeing to have a supposed "art dealer" list and sell his artwork, the man was told he'd earned $300,000. But there was a catch: he would have to pay nearly half that amount in "fees" to get access to his windfall. The man liquidated his retirement, made credit card payments, and took out a personal loan to acquire cryptocurrency for the supposed fees, only to later realize he'd been duped.

Police were unable to recover his money, although they did seize around 40 websites that were spoofing various real NFT marketplaces.

"Hawk tuah" memecoin immediately crashes

Haliey WelchHaliey Welch (attribution)
Who could have guessed that buying up a token based around the long-past-its-expiration-date hawk tuah meme might turn out to be an unwise investment? Haliey Welch, the originator of the raunchy catchphrase, launched a memecoin that she insisted was not a cash grab but a "good way to interact with her fans". (The "interaction" in question here was limited to " fans give money", because she had no other specific plans for the token).

The token followed the typical pattern of quickly pumping, then crashing spectacularly, losing around 90% of its "value". This is often an indicator of a pump-and-dump scheme by insiders, but Welch vehemently denied such wrongdoing, blaming the crash on "snipers".

"I really lost $43k apeing in 'hawk tuah' coin," wrote one buyer on Twitter. Other Twitter users marveled at a wallet that swapped $1.4 million worth of MOODENG (a memecoin based on the tiny hippo of the same name) only to lose it all on the $HAWK token.

Official Solana JavaScript library compromised in supply chain attack, at least $184,000 taken

An attacker was able to compromise an account that had publish access for the official Solana web3.js library, which is widely used by dApps to read and write from the Solana blockchain. The library gets over 350,000 downloads per week from the popular JavaScript package manager npm.

Malicious versions of the library allowed exploiters to steal private keys and drain funds from dApps like various Solana bots.

Around $184,000 was stolen as a result of the compromise. Although it was caught fairly quickly, and the malicious code was removed from package managers, developers will need to update projects that used the malicious version of the library, and refresh any potentially exposed secrets.

Clipper DEX suffers $450,000 hack

The Clipper decentralized exchange suffered a $450,000 exploit across two Ethereum layer-2 chains. Although some speculated that the issue may have been a private key leak, Clipper denied this, and instead said that an attacker had exploited a feature allowing people to make withdrawals denominated in a single token by performing swaps along with the withdrawal.

Although the $450,000 theft is relatively small compared to some other crypto hacks, it represented around 6% of the total value locked on Clipper. Clipper stated they were working to trace and attempt to recover funds, and asked the hacker to contact them to potentially negotiate a return of some funds.

Crypto exchange XT.com suffers $1.7 million hack

On November 28, cryptocurrency exchange XT.com abruptly suspended withdrawals, citing a "wallet upgrade and maintenance". However, after a blockchain security firm identified $1.7 million in suspicious transfers, XT.com acknowledged that they had "detected an abnormal transfer from our platform wallet". According to an announcement, the stolen funds were company assets, rather than cryptocurrencies belonging to users.

13-year-old rug pulls crypto token, then faces retaliation

A 13-year-old known as the "Gen Z Quant kid," created a token called QUANT and executed a rug pull, making $30,000. In retaliation, various people in the cryptocurrency world executed a "revenge pump" — pumping up the price of the token after the kid cashed out, causing him to miss out on potential gains. Worse, they then found the child's identity, and published his address and the school he attended. They also identified his mother, and began leaving hateful comments on her Instagram account. Rumors also emerged that a member of the cryptocurrency community dognapped the child's dog, then launched a memecoin based on the animal.

Around $21 million in losses reported by users of DEXX

DEXX, a platform that advertises itself as the "first memecoins trading terminal application", disclosed that it had been hacked when it posted a message on social media addressed to "Mr./Ms. Hacker", asking they return stolen funds in exchange for "destroy[ing] all information we currently have on the hack" and not pursuing further legal action.

DEXX did not disclose how much was taken in the breach, but hundreds of victims have reported around $21 million in combined losses so far.

Polter Finance exploited for $12 million

The Fantom-based Polter Finance defi project was exploited for $7 million when an attacker was able to perform an oracle manipulation attack. By artificially increasing the price of the $BOO token, which is a governance token used by the SpookySwap project, they were then able to use that token to drain Polter's liquidity pools using a flash loan. The attacker successfully drained the entire $12 million worth of tokens on the platform.

The creator of the platform stated that they had filed a police report with Singaporean authorities. They also attempted to contact the hacker via on-chain message to negotiate the return of funds, but have not received a response.

Thala Labs loses, then recovers, $25.5 million

The Thala Labs Aptos-based defi project suffered a $25.5 million theft when an attacker exploited a vulnerability in one of their smart contracts. They paused related smart contracts and froze tokens where they were able, ultimately freezing around $11.5 million in assets. After working with law enforcement and several blockchain security teams, they successfully negotiated the return of the assets, leaving the attacker with a "bounty" of $300,000.

DeltaPrime loses $4.8 million in second hack

The DeltaPrime defi protocol was hacked for the second time in two months, losing $4.8 million in Arbitrum and Avalanche tokens. The attacker appeared to have exploited a flaw in one of the platform's smart contracts that enabled them to borrow more than they put up in collateral.

DeltaPrime paused the protocol on both Arbitrum and Avalanche, stopping the attacker from being able to steal more funds than they already had.

DeltaPrime was hacked previously on September 16, losing $6 million after a leaked private key enabled an attacker to mint a huge number of the platform's stablecoin deposit receipts.

Trader reveals he lost $28 million to bad copy-paste

After apparently exhausting all his other options, a trader has put out a call to "all skilled hackers and white hats out there" to help him recover 7,912 Renzo staked ETH (ezETH) he inadvertently sent to an inaccessible address back in June. The tokens were priced at a little over $28 million at the time, and are currently priced at a little less than $26 million. According to the trader, he copied the wrong address to his clipboard before making the trade, which rendered his funds permanently inaccessible.

Short of finding a vulnerability in Renzo, the trader's only real choice is to plead with Renzo to change their smart contract in such a way as to release the funds. While this is technically possible, Renzo has told the trader they could not grant his request due to "regulatory limitations".

CoinPoker exploited for $2 million

Crypto-powered poker website CoinPoker was apparently exploited for around $2 million when an attacker was able to compromise a hot wallet controlled by the platform. The attacker then laundered most of the funds through the Tornado Cash mixer.

The platform sent a message to the exploiter attempting to negotiate a return of some of the funds.

MetaWin casino hacked for $4 million

Hot wallets used by the MetaWin crypto casino were drained of around $4 million. According to the company's CEO, the attacker "t[ook] advantage of our frictionless withdrawal system". The attacker then moved the stolen funds to crypto exchanges including KuCoin.

Supply chain attack stemming from JavaScript animation library results in losses for users of 1inch and other platforms

Attackers were able to inject malicious code into the popular "LottieFiles" JavaScript animations library. Visitors to websites using the library saw a prompt to connect their crypto wallets to what was ultimately a cryptocurrency wallet drainer. This affected some crypto platforms that used the library, including the 1inch decentralized exchange aggregator. One victim who connected their wallet suffered the loss of 10 BTC (~$723,000).

Other crypto platforms affected included TEN Finance and Movement. Because the animations library is widely used, other non-crypto-related websites also showed the prompt.

M2 cryptocurrency exchange hacked for $13.7 million

The UAE-based M2 cryptocurrency exchange was hacked for $13.7 million in bitcoin, ether, and Solana tokens. The exploiter compromised several of the exchange's hot wallets to take the funds.

Shortly after the theft, M2 acknowledged the hack and announced that "the situation has been fully resolved". This apparently involved M2 restoring customer funds from their own assets, rather than recovering the stolen assets.

Sunray Finance hacked for $2.7 million

A perpetuals trading platform called Sunray Finance was hacked on October 30 by an attacker who was able to upgrade a smart contract used by the protocol. They then were able to mint a massive number of the protocol's SUN token — 200 sextillion, to be precise. Then, they cashed out what they were able to, crashing the SUN token price in the process. Ultimately, the attacker made off with about $2.1 million of the Tether stablecoin.

In the process of selling off tokens, an arbitrage bot was able to take advantage of the price difference by selling the rapidly crashing SUN token into a second liquidity pool that apparently went unnoticed by the hacker, and the bot operator also profited around $560,000.

$20 million moved from US government wallet in possible theft

More than $20 million in stablecoins and Ethereum were transferred from a wallet identified as belonging to the US government, and holding funds connected to the 2016 hack of the Bitfinex cryptocurrency exchange. While the government does occasionally shuffle cryptocurrency around, these funds were moved to a brand new wallet and then began to be shuffled through cryptocurrency exchanges — something that crypto sleuth zachxbt noted "looks nefarious".

The government has not made any statements regarding the movement of assets.

The following day, $19.3 million in tokens were returned to the original wallet.

Sharpei memecoin rug pulls for $3.4 million

A dog-themed memecoin project called Sharpei abruptly cashed out $3.4 million, tanking the token price by more than 96% in seconds. The project had been promoted by crypto influencers, but hit a snag when a pitch deck for the project leaked. The deck contained multiple lies, including claims to have hired multiple "KOLs" who later denied involvement, and false claims of partnerships with various platforms and projects.

As the token price stuttered along with these revelations, insiders apparently decided to quit while they were ahead, and cashed out in a quick and coordinated sale.

Blockchain company Forte acquires games studios, demands secrecy, shuts them down

Sometime in 2023, blockchain firm Forte acquired game studios Phoenix Labs and Rumble Games. However, it would be a year before this came to light, because according to a report from Game Developer, Forte demanded secrecy from employees. (Forte refutes this). In both cases, some employees believed that Forte was funding their development, but didn't find out until later that Forte owned the companies.

Both studios had several games in progress, and two of Phoenix Labs' games were explicitly designed for younger players. Developers reportedly voiced discomfort with incorporating blockchains into the games, selling digital items to children.

Later, Forte pulled the plug on several in-development games at both studios. Then, Forte shut down Rumble in 2024, laying off all employees. Forte also laid off over 100 people from Phoenix Labs that year.

Tapioca DAO exploited for most of its assets — over $4 million

The defi lending protocol Tapioca DAO was exploited after an attacker reportedly socially engineered the DAO's co-founder and gain access to their private key. The attacker then used their access to sell off TAP tokens, and to drain a stablecoin liquidity pool on the platform, netting around $4.4 million in USDC and ETH. The TAP token price subsequently crashed by around 96%.

Various security researchers have observed that the attack appears to be linked to a slew of social engineering attacks perpetrated by cybercriminals out of North Korea.

Radiant Capital exploited again, this time for at least $50 million

The cryptocurrency lending project Radiant Capital was hacked for the second time in under a year, this time for more than $50 million in the USDC stablecoin, wBNB, ETH, and other tokens. An attacker successfully gained access to three of eleven private keys controlling a multisignature wallet, which enabled them to upgrade the project's smart contracts in such a way as to drain funds.

This is the second Radiant Capital exploit this year, after a $4.5 million theft in January that was enabled by an unaddressed vulnerability in the underlying Compound Finance code.

Cosmos founder reveals a portion of the protocol was created by North Korean developers

Cosmos creator Jae Kwon has raised concerns about a portion of the Cosmos protocol called the "Liquid Staking Module" after learning it was developed by North Korean agents. Although a contributor to the protocol, Zaki Manian, learned of the developers' links to North Korea after contact from the FBI in March 2023, Kwon claims that Manian ignored known flaws in their code, failed to fully audit their code, and did not report the issue to the project team or the Cosmos community. According to Kwon, the code contained a vulnerability that would allow stakers to avoid having their stakes slashed, which "contradicts the fundamental principles of staking security."

Kwon urged the Cosmos governance team to perform a full audit of the code written by these developers, and develop more protocols to prevent issues like this going forward. He also called for the governance team to blacklist Zaki Manian.

Permit phisher steals almost $1.4 million in frog tokens

An attacker using the permit phishing technique stole $1.39 million in tokens from an unsuspecting holder. The victim unknowingly signed a "Permit2" signature — a function intended to make crypto transactions smoother and less expensive, but one that also makes it possible for malicious actors to completely drain crypto wallets.

The attacker stole around $1.1 million of the cartoon frog-themed PEPE tokens, and another roughly $50,000 of the also cartoon frog-themed APU token.

$3.1 million in EIGEN tokens stolen and sold

Around 1.67 million EIGEN tokens belonging to an investor in the popular Ethereum-based EigenLayer project were stolen after the investor was tricked into transferring the tokens into the attacker's wallet. The thief then sold the tokens for around $3.1 million, although the tokens were notionally worth around $5.5 million. Some of the stolen funds were later frozen by centralized exchanges.

After the incident, some questioned why the tokens had been sent to an investor without a vesting contract, given they were supposed to be locked for a period of time to prevent sale.

Victim loses over $32 million to wallet drainer

A victim lost 12,083 spWETH tokens (~$32.4 million) after signing a malicious transaction stemming from someone using wallet drainer software. These drainers are "scam-as-a-service" products, where the drainer creators allow others to operate the drainer software in exchange for a 20% cut of stolen funds.

The victim wallet sent a message to the thief, offering "a peaceful resolution to this situation" in which the thief could keep 20% of the total amount taken (around $6.5 million).