M2 cryptocurrency exchange hacked for $13.7 million

The UAE-based M2 cryptocurrency exchange was hacked for $13.7 million in bitcoin, ether, and Solana tokens. The exploiter compromised several of the exchange's hot wallets to take the funds.

Shortly after the theft, M2 acknowledged the hack and announced that "the situation has been fully resolved". This apparently involved M2 restoring customer funds from their own assets, rather than recovering the stolen assets.

Sunray Finance hacked for $2.7 million

A perpetuals trading platform called Sunray Finance was hacked on October 30 by an attacker who was able to upgrade a smart contract used by the protocol. They then were able to mint a massive number of the protocol's SUN token — 200 sextillion, to be precise. Then, they cashed out what they were able to, crashing the SUN token price in the process. Ultimately, the attacker made off with about $2.1 million of the Tether stablecoin.

In the process of selling off tokens, an arbitrage bot was able to take advantage of the price difference by selling the rapidly crashing SUN token into a second liquidity pool that apparently went unnoticed by the hacker, and the bot operator also profited around $560,000.

$20 million moved from US government wallet in possible theft

More than $20 million in stablecoins and Ethereum were transferred from a wallet identified as belonging to the US government, and holding funds connected to the 2016 hack of the Bitfinex cryptocurrency exchange. While the government does occasionally shuffle cryptocurrency around, these funds were moved to a brand new wallet and then began to be shuffled through cryptocurrency exchanges — something that crypto sleuth zachxbt noted "looks nefarious".

The government has not made any statements regarding the movement of assets.

The following day, $19.3 million in tokens were returned to the original wallet.

Sharpei memecoin rug pulls for $3.4 million

A dog-themed memecoin project called Sharpei abruptly cashed out $3.4 million, tanking the token price by more than 96% in seconds. The project had been promoted by crypto influencers, but hit a snag when a pitch deck for the project leaked. The deck contained multiple lies, including claims to have hired multiple "KOLs" who later denied involvement, and false claims of partnerships with various platforms and projects.

As the token price stuttered along with these revelations, insiders apparently decided to quit while they were ahead, and cashed out in a quick and coordinated sale.

Blockchain company Forte acquires games studios, demands secrecy, shuts them down

Sometime in 2023, blockchain firm Forte acquired game studios Phoenix Labs and Rumble Games. However, it would be a year before this came to light, because according to a report from Game Developer, Forte demanded secrecy from employees. (Forte refutes this). In both cases, some employees believed that Forte was funding their development, but didn't find out until later that Forte owned the companies.

Both studios had several games in progress, and two of Phoenix Labs' games were explicitly designed for younger players. Developers reportedly voiced discomfort with incorporating blockchains into the games, selling digital items to children.

Later, Forte pulled the plug on several in-development games at both studios. Then, Forte shut down Rumble in 2024, laying off all employees. Forte also laid off over 100 people from Phoenix Labs that year.

Tapioca DAO exploited for most of its assets — over $4 million

The defi lending protocol Tapioca DAO was exploited after an attacker reportedly socially engineered the DAO's co-founder and gain access to their private key. The attacker then used their access to sell off TAP tokens, and to drain a stablecoin liquidity pool on the platform, netting around $4.4 million in USDC and ETH. The TAP token price subsequently crashed by around 96%.

Various security researchers have observed that the attack appears to be linked to a slew of social engineering attacks perpetrated by cybercriminals out of North Korea.

Radiant Capital exploited again, this time for at least $50 million

The cryptocurrency lending project Radiant Capital was hacked for the second time in under a year, this time for more than $50 million in the USDC stablecoin, wBNB, ETH, and other tokens. An attacker successfully gained access to three of eleven private keys controlling a multisignature wallet, which enabled them to upgrade the project's smart contracts in such a way as to drain funds.

This is the second Radiant Capital exploit this year, after a $4.5 million theft in January that was enabled by an unaddressed vulnerability in the underlying Compound Finance code.

Cosmos founder reveals a portion of the protocol was created by North Korean developers

Cosmos creator Jae Kwon has raised concerns about a portion of the Cosmos protocol called the "Liquid Staking Module" after learning it was developed by North Korean agents. Although a contributor to the protocol, Zaki Manian, learned of the developers' links to North Korea after contact from the FBI in March 2023, Kwon claims that Manian ignored known flaws in their code, failed to fully audit their code, and did not report the issue to the project team or the Cosmos community. According to Kwon, the code contained a vulnerability that would allow stakers to avoid having their stakes slashed, which "contradicts the fundamental principles of staking security."

Kwon urged the Cosmos governance team to perform a full audit of the code written by these developers, and develop more protocols to prevent issues like this going forward. He also called for the governance team to blacklist Zaki Manian.

Permit phisher steals almost $1.4 million in frog tokens

An attacker using the permit phishing technique stole $1.39 million in tokens from an unsuspecting holder. The victim unknowingly signed a "Permit2" signature — a function intended to make crypto transactions smoother and less expensive, but one that also makes it possible for malicious actors to completely drain crypto wallets.

The attacker stole around $1.1 million of the cartoon frog-themed PEPE tokens, and another roughly $50,000 of the also cartoon frog-themed APU token.

$3.1 million in EIGEN tokens stolen and sold

Around 1.67 million EIGEN tokens belonging to an investor in the popular Ethereum-based EigenLayer project were stolen after the investor was tricked into transferring the tokens into the attacker's wallet. The thief then sold the tokens for around $3.1 million, although the tokens were notionally worth around $5.5 million. Some of the stolen funds were later frozen by centralized exchanges.

After the incident, some questioned why the tokens had been sent to an investor without a vesting contract, given they were supposed to be locked for a period of time to prevent sale.

Victim loses over $32 million to wallet drainer

A victim lost 12,083 spWETH tokens (~$32.4 million) after signing a malicious transaction stemming from someone using wallet drainer software. These drainers are "scam-as-a-service" products, where the drainer creators allow others to operate the drainer software in exchange for a 20% cut of stolen funds.

The victim wallet sent a message to the thief, offering "a peaceful resolution to this situation" in which the thief could keep 20% of the total amount taken (around $6.5 million).

Bedrock staking platform loses $2 million after bug that allowed users to trade Bitcoin and Ethereum 1:1

A staking platform called Bedrock lost around $2 million after exploiters discovered a bug that allowed them to swap 1 ETH for 1 BTC despite the more than $63,000 difference in prices for the two assets.

A security firm working with Bedrock had tried to warn Bedrock of the vulnerability several hours before the attack, but the team was asleep. The vulnerable contracts had been deployed a day and a half prior to the attack, and had not been audited.

Fortunately for Bedrock, security groups were able to pause third-party projects surrounding Bedrock, which helped to limit the losses — which ultimately could have been as high as the entire value of funds on the protocol.

Onyx hacked for $3.8 million via the same exploit used against them less than a year ago

The Onyx protocol was hacked for a second time by attackers taking advantage of known bugs in forks of the Compound Finance project. Projects regularly fail to patch these bugs, despite many instances of multi-million dollar hacks affecting Compound forks in the past.

Onyx apparently didn't learn their lesson the first time around, when they were exploited for $2 million in November 2023 by an attacker taking advantage of a known vulnerability affecting empty markets on the protocol. This same bug seems to have contributed to this exploit, although Onyx has claimed the hack was due to a separate vulnerability in an NFT liquidation contract.

Truflation hacked for around $5 million

The Truflation platform suffered a loss of around $5 million after what they described as "an attack using malware". The company acknowledged the attack and limited some of their services while they worked to mitigate it. They also offered a reward to "any white hats offering assistance", and offered to negotiate a "bug bounty" with the attacker.

Truflation is a blockchain-based project that provides economic data including inflation rates and asset valuations. The platform has been backed by Coinbase Ventures, Chainlink, and others.

OpenAI Twitter account once again hacked and used to promote scam token

The Twitter account belonging to OpenAI's news account was compromised and used to "announce" a scam website purporting to announce the $OPENAI token. "All OpenAI users are eligible to claim a piece of $OPENAI’s initial supply. Holding $OPENAI will grant access to all of our future beta programs," the scam tweets claimed. A link in the tweets directed users to a malicious website that invited users to connect their wallets to claim tokens.

This latest hack is only the latest in a slew of Twitter account compromises "announcing" a scam token. Over a year, OpenAI CTO Mira Murati had her account hacked to promote an "$OPENAI" token. Three months ago, accounts belonging to chief scientist Jakub Pachocki and researcher Jason Wei were hacked and used to post the same scam as today.

Shezmu hacked for almost $5 million, negotiates bounty

A crypto yield platform called Shezmu suffered a loss of around $4.9 million in $ShezUSD after an attacker exploited a flaw that allowed anyone to mint collateral, which they could then use to borrow ShezUSD. These tokens were relatively illiquid, however, so the total amount the attacker could have obtained was likely considerably less.

Shortly after the attack, Shezmu offered a 10% "bounty" for the return of the funds. The attacker responded that they would only consider a 20% bounty. Shezmu agreed to the terms, and announced to their followers that they had achieved a recovery from the "white hat" hacker.

BingX hacked for $52 million

Singaporean cryptocurrency exchange BingX suffered a $52 million loss across a broad range of cryptocurrencies. The thefts occurred across two attacks that were hours apart. The attack appears to have targeted one of the exchange's hot wallets.

Some accused the exchange of trying to cover up the theft by announcing "temporary wallet maintenance" without disclosing that a theft had occurred. The team later announced that "there has been minor asset loss", and stated that the lost funds would be restored out of the company's capital.

Around $10 million of the stolen assets were frozen during recovery efforts after the theft.

Germany seizes 47 cryptocurrency exchanges reportedly used by ransomware groups

Webpage announcing seized crypto exchange. Letter reads: "Operation Final Exchange THIS WAS YOUR FINAL EXCHANGE! This is for you, ransomware affiliates, botnet operators and darknet vendors: For years, the operators of these criminal exchange services have led you to believe that their hosting cannot be found, that they do not store any customer data and that all data is deleted immediately after the transaction. An apparently unregulated hub allowing you to launder the proceeds of your criminal activities without fear of prosecution. From our point of view: nothing but empty promises! We have found their servers and seized them - development servers, production servers, backup servers. We have their data and therefore we have your data. Transactions, registration data, IP addresses. Our search for traces begins. See you soon."Warning on seized domains (attribution)
German authorities have seized 47 cryptocurrency exchanges alleged to have been used to launder stolen funds by ransomware groups. The exchanges did not require KYC, allowing customers to remain anonymous throughout their transactions.

Websites for these exchanges now show notices announcing a law enforcement operation called "Operation Final Exchange". The page announces to visitors "This was your final exchange!", and in a letter addressed to "ransomware affiliates, botnet operators and darknet vendors", warns that authorities are now working to trace the illicit users of the exchange.

Almost $2 million taken from users of Telegram "Banana Gun" crypto trading bot

Some people use a Telegram-based crypto trading bot called "Banana Gun" to "snipe" crypto trades, copytrade, and perform other activities. On September 19, at least 11 victims lost around $3 million after their accounts were apparently compromised and drained.

Banana Gun acknowledged the attack on Twitter and shut down the bot. They posted that they did not believe their backend was compromised, and stated that they believed the attack occurred via a "front-end vulnerability" — though it was not clear what this might have referred to.

Arrests made after $243 million stolen from one individual in Gemini phishing attack

Two people have been arrested in relation to a phishing scam that successfully stole more than 4,000 BTC priced at around $243 million from a single individual. The victim was targeted with a phishing scam in which the attackers posed as Google support employees and convinced the victim to reset their two-factor authentication for their account on the Gemini cryptocurrency exchange.

The FBI raided a luxury home in Miami in connection to the theft, and arrested two men in their early twenties. Authorities worked with crypto investigators including zachxbt to trace the stolen funds.

Rari Capital settles with the SEC

The defi lending protocol Rari Capital, and its three co-founders, have settled charges from the SEC that it misled investors and engaged in unregistered broker activity. Rari Capital entities also settled charges that they conducted unregistered offerings of three securities, and engaged in unregistered securities offerings and unregistered broker activity. The SEC alleged that the firm and its co-founders made false statements to investors about supposedly automatic re-balancing of assets into the highest yield opportunities when, in fact, rebalancing was also done manually. The SEC also alleged that the company and its co-founders made misleading statements about the supposedly high yield from the platform, which they said did not account for fees, and which ultimately caused many investors to lose money.

The company and co-founders will pay fines, and the individuals will agree to five-year bans from serving as officers or directors.

The regional SEC director stated, "We will not be deterred by someone labeling a product as 'decentralized' and 'autonomous'," alluding to crypto firms' tendencies to try to skirt securities regulations by claiming to be "decentralized".

Rari has featured on Web3 is Going Just Great before, when they were exploited for around $80 million in April 2022 and when they were exploited for around $15 million in May 2021. The project effectively wound down soon after the second theft.

Ethena website compromised

The website for the Ethena protocol was compromised by attackers who gained control of the project's domain registration. The protocol issued warnings to their users to urge them not to interact with the website, which could compromise their crypto holdings.

They later were able to deactivate the website and regain control of the domain. "Remember scammers are always chasing you," they wrote on Twitter.

$6 million taken from Delta Prime defi protocol

The DeltaPrime defi protocol suffered a $6 million loss after a private key was leaked. Access to the private key allowed the attacker to mint 1.1×1069 DPUSDC, which are tokens that allow holders to redeem the USDC stablecoin at a 1:1 ratio. They repeated the mint with several other deposit receipt tokens for bitcoin, ether, and other cryptocurrencies. Altogether, they redeemed a small fraction of these enormous quantities of deposit receipts, amounting to around $6 million in assets.

DeltaPrime acknowledged the attack on Twitter, and announced that "the risk is contained". They also stated that they were "looking into other ways to reduce user losses to a minimum", including by pulling from the protocol's insurance pool.

Flappy Bird creator disavows crypto spin-off

Tweet by @flappy_bird: "I AM BACK!! 

Just a decade ago, I was the talk of the town and soaring to new heights with my 100 million friends. Sadly, I had to leave the fame and spotlight behind to go home and find out who I really am.

Thanks to my super Flappy Bird® fans, I’m refreshed, reinvigorated, and ready to soar again. The decade-long mission involved acquiring legal rights and even working with my predecessor to uncage me and re-hatch the official Flappy Bird® game!" A community note adds: "The new Flappy Bird is not made by the original creator Dong Nguyen.
Gametech Holdings has acquired the trademark for Flappy Bird."Tweet by @flappy_bird (attribution)
A blockchain-based version of the 2014 hit game Flappy Bird has emerged, taking advantage of the recent "tap-to-earn" crypto craze. The @flappy_bird Twitter account posted "I AM BACK!!" on September 12, with a video compilation showing people playing the original game. The tweet also claimed they were "working with [Flappy Bird's] predecessor", leading many to believe that the original Flappy Bird creator Dong Nguyen was involved with the project.

Nguyen famously removed the game from app stores shortly after it surged to popularity, stating that he felt guilty that people were becoming addicted to the game. This makes the game's reappearance — complete with loot boxes and other addictive features — feel somewhat dark.

On September 15, Nguyen returned from a seven-year Twitter hiatus to post: "No, I have no related with their game. I did not sell anything. I also don't support crypto."

Although Nguyen held the Flappy Bird trademark, he did not sell it to this group. Instead, they registered the trademark themselves after arguing he had abandoned it.

Eve Online developer angers fans with announcement that their new game will be blockchain-based

"Always Has Been" meme. The world is titled "Eve Frontier", the front astronaut is titled "cryptobros" and the astronaut with the gun is titled "Eve veterans". The text reads "It's all an unprofitable hellscape?"r/Eve meme (attribution)
CCP, the developer of the Eve Online space MMORPG, has angered their fanbase with a new announcement that their upcoming game will be built on the blockchain and incorporate cryptocurrency for in-game transactions. According to an FAQ, the spin-off game (previously called "Project Awakening" and now titled "Eve Frontier") will use a layer-2 blockchain called Redstone.

"There is still time. You can still roll it back and pretend it never happened. Please. None of us want this crypto slop, this desperate cash grab, this attempt at 'creating something great,' this game where buzzwords seem more important than gameplay," wrote one player on the game's subreddit.

A tweet announcing the game was celebrated by some crypto advocates, but attracted some critical responses from players. One wrote, "releasing a blockchain game a year after the weird hype about that technology died so now you got a shitty concept and don't even get a pay-off for it. let's see how this is going to turn out :)"

eToro settles with SEC for $1.5 million, shuts down most crypto trading

The eToro stock and crypto trading platform settled with the U.S. Securities and Exchange Commission on charges that it was operating an unregistered broker and unregistered clearing agency, and facilitating trading certain crypto assets as securities. The platform agreed to pay $1.5 million in fines. As a part of the settlement, the platform will also restrict crypto trading for its U.S.-based customers to only bitcoin, bitcoin cash, and ether.

Adam Neumann's Flowcarbon refunds customers after failing to launch "Goddess Nature Token"

In May 2022, WeWork founder and former CEO Adam Neumann announced he would be launching a company called Flowcarbon, which would issue "tokenized carbon credits" called "Goddess Nature Tokens" and sell them to companies looking to green up their image. The company raised $70 million in funding from Andreessen Horowitz and others, at least half of which was raised through token sales.

Now, Flowcarbon has reportedly been issuing refunds after the tokens have failed to materialize more than two years later. Flowcarbon has reportedly been blaming "market conditions and resistance from carbon registries" for the failure to launch, according to a report from Forbes. Flowcarbon claimed they have been offering refunds "due to industry delays" since 2023.

CryptoPunk sells for a fraction of its likely market price due to zombie smart contract

A CryptoPunk resembling an ape, wearing a blue and white sweatband and small sunglassesCryptoPunk #2386 (attribution)
A rare CryptoPunk NFT recently sold for only 10 ETH (~$25,300), despite a market value that's likely around 600 ETH (~$1.5 million). The sale went through thanks to lingering smart contracts from a defunct NFT fractionalization platform called Niftex, which allowed people to buy and sell "shards" of various NFTs. Niftex launched in November 2020, and is now defunct, with its domain redirecting to the Kraken cryptocurrency exchange.

The platform's smart contracts remain operational, however, and so despite the lack of a frontend website for the platform, the backend still remains. A trader was able to use these smart contracts to trigger a feature that allows a buyout of the fractional shard holders which, if not countered by someone else, automatically goes through in 14 days. The bidder proposed a purchase of 0.001 ETH per share, and without an operational Niftex frontend, no one noticed. The bid went through, and the trader successfully purchased all 10,000 shares — and thus, the NFT — for 10 ETH.

Since then, several people have offered to purchase the NFT for amounts ranging from 100 to 605 ETH. If the new owner were to accept the 605 ETH bid, they would 60x their purchase price.

One owner of a fractionalized share said he thought he had managed to successfully block the sale, but miscalculated. "GG to the new owner", he wrote. He wrote on Twitter, "I don’t consider this a heist. It’s an arb. The smart contract worked as intended. If you want decentralized systems you have to take the good with the bad. It’s part of the game. It’s why we’re here. If you don’t like those rules, you probably shouldn’t be playing."

Hacker steals $1.45 million from CUT token liquidity pool

An attacker exploited a bug in the smart contract for a BSC-based token called CUT, draining a PancakeSwap liquidity pool of almost $1.45 million in the BSC-USD stablecoin.

Indodax crypto exchange apparently hacked for at least $22 million

The Indonesian Indodax cryptocurrency exchange suffered an exploit that allowed attackers to steal tokens from several of its hot wallets. The firm did not directly acknowledge the theft, instead posting an announcement that they had "discovered a potential security issue" and were "conducting a complete maintenance to ensure the entire system is operating properly". They reassured customers that their assets were "100% safe".

Indodax's Instagram account also appeared to be compromised, promoting a suspicious "giveaway".

State securities regulators settle with GS Partners over pyramid schemes including "tokenized skyscraper"

Rendering of a skyscraper in Dubai, with the Burj Khalifa in the backgroundRendering of the supposed "G999 Tower" (attribution)
Five states have settled with the European crypto firm GS Partners over several crypto investment pyramid schemes. These included one in which the firm sold crypto "vouchers", each representing a single square inch of a 36-floor Dubai sksycraper, which they said would allow holders to earn passive income from rental leases. The group reportedly offered a 5% weekly guaranteed return. Other schemes involved selling metaverse land and a token purportedly backed by gold. GS Partners worked with various celebrity spokespeople, including eternal moth-to-the-flame of scammy crypto projects, Floyd Mayweather. The GS Partners firm shut down in the United States as of December 2023.

Terms of the settlement include 100% repayment of investments made by victims in the five states that settled: Texas, Alabama, Arizona, Arkansas, and Georgia.

GS Partners has also faced regulatory scrutiny in other US states, as well as in Canada, Australia, and South Africa.

AssangeDAO accused of rug pull after transferring treasury to German foundation

Julian AssangeJulian Assange (attribution)
AssangeDAO was a project created to fundraise for the legal defense of WikiLeaks founder Julian Assange, who has been fighting espionage and computer intrusion charges for over a decade, and who was imprisoned in the United Kingdom for several years. The DAO raised around $55 million, and when Assange reached a plea deal and was sentenced to time serve, around $10 million remained.

This $10 million was later sent to a German non-profit foundation called the Wau Holland Foundation, which has also been fundraising and managing funds relating to Assange's legal defense. However, this transfer raised serious concerns among some members of the DAO who say they've effectively been cut out of decisionmaking, that the funds were transferred without their approval, and allege the treasury was mismanaged and crashed in value as a result.

Hacktivist, bitcoin core developer, and AssangeDAO organizer Amir Taaki accused fellow AssangeDAO organizer: "Harry Halpin you should be honest and direct with the people here. You believe the money should be kept in a foundation controlled by your people with Julian. You do not respect the community or believe in the DAO."

Friend.tech team abandons project

The development team behind friend.tech has officially ditched the crypto-based social media project, which was (very) briefly hailed as a potential platform for influencers to earn money from their followers. It attracted crypto influencers, OnlyFans models, and a handful of more mainstream notables. Friend.tech received undisclosed seed funding from the crypto venture capital firm Paradigm.

The project spiked in popularity when it launched in August 2023, but interest rapidly dwindled. A token launched in May 2024 also suffered a mostly downward trajectory. On September 7, the team reassigned ownership and admin rights to the smart contracts to the burn address, making them permanently inaccessible.

Some denounced the project as a Ponzi scheme (repeating accusations it has received since its inception, based on its incentive structure). Others accused the development team of rug pulling and not delivering on their promises — accusations that intensified as one co-founder deleted his Twitter account and the other set his to private. The team is estimated to have made around $44 to $60 million in fees.

Revelo CEO resigns after claiming he was robbed of personal and company funds at gunpoint

Nick Drakon, formerly the CEO of the crypto research and venture capital firm Revelo, announced on Twitter that he was resigning from the company. In the post, he claimed that he "was recently targeted, surveilled and robbed by a highly sophisticated group. This was an in person attack where my wife and 8 month old son were threatened. The group was specifically interested in crypto assets and knew the deposit addresses belonging to the crypto businesses I operate. I was forced, at gunpoint, to log into a number of crypto accounts and transfer funds out. The funds stolen comprised personal funds, Revelo Intel working capital & retained earnings, as well as Revelo Ventures (an investment syndicate) funds for deals awaiting settlement."

He went on to state that the "vast majority" of the stolen assets were his personal funds. He also alleged that "There is some evidence to suggest that someone in the Ventures syndicate is either part of the group, or passing information onto them."

The amount of funds stolen was not disclosed. Drakon resigned as CEO, and said that he had forfeited his interest in Revolo Intel "to facilitate the return of some money back to members as quickly as possible". He wrote: "To be clear, I have zero financial interest in Revelo moving forward."

He also stated that he would be "stepping away from 'public life' in this space", and warned others: "If you are someone who is known to control large sums of money, you are a target and it is not difficult at all to get to you."

Robinhood pays $3.9 million to settle commodities law violations in California

Robinhood has paid $3.9 million to settle charges from the California Department of Justice that the platform was violating commodities laws. From 2018 to 2022, the popular trading platform prohibited its customers from actually taking custody of the cryptocurrency assets they purchased on the platform. According to the California DOJ, this violated the state's commodities laws.

In addition to the fine, terms of the settlement require the platform to allow its customers to withdraw their crypto assets, and to update disclosures regarding asset custody.

The California DOJ also accused the platform of misleading its customers by claiming that the app "advertis[ed] it would connect to multiple trading venues, to ensure customers receive the most competitive prices between the venues, which was not always true". They also say that Robinhood lied about always holding all customer crypto assets purchased through the platform, when in reality, "there were instances in which it arranged for trading venues to hold customer assets for extended periods".

Trump family Twitter accounts compromised ahead of World Liberty Financial launch

The Twitter accounts belonging to Lara and Tiffany Trump were compromised and used to announce a fake launch of the (unfortunately real) World Liberty Financial project that their family has been promoting. Donald Trump's son Eric tried to warn people of the scam, but in doing so retweeted the scam tweet containing the malicious token address.

The posts were deleted and accounts were locked down very quickly by Twitter, but not before approximately 2,000 people bought around $1.8 million of the fake token.

Penpie hacked for $27.3 million

The defi protocol Penpie was exploited for 11,113.6 ETH (~$27.3 million) by an attacker who exploited a flaw allowing them to withdraw unearned "rewards". Although the protocol claimed to have been audited by two blockchain security firms, they later disclosed that the smart contracts containing the bugs had not been fully audited.

The team behind Pendle (the platform on which Pendie is built) detected the attack and paused Pendle an hour after the attack began, which they claim prevented another $105 million from being stolen.

Members of the Penpie team filed complaints with Singaporean police and the US FBI. They also attempted to negotiate a "bug bounty" via on-chain and social media messages to the attacker, but the hacker seems uninterested and has continued to transfer funds between various crypto wallets and launder funds through Tornado Cash.

SEC charges Galois Capital, Galois settles

Eighteen months after the crypto-focused algorithmic trading fund Galois Capital shut down, explaining that they had lost around $40 million in the FTX collapse, the SEC has filed a lawsuit against the firm for failing to properly custody their clients' funds. According to the SEC, instead of complying with SEC requirements that investment advisers hold assets with qualified custodians like banks, Galois was keeping assets on crypto exchanges including FTX.

The SEC also charged that Galois Capital had misled some investors into believing they needed five business days of notice to redeem assets, while other investors were allowed to redeem assets more quickly.

Galois agreed to a settlement with the SEC in which they will pay a $225,000 penalty, which will go to investors who lost money.

"Peripheral" Aave smart contract hacked for $56,000

The popular defi lending platform, Aave, suffered a smart contract exploit that allowed an attacker to steal around $56,000. A smart contract outside of the core Aave protocol, which is used to allow people to use existing collateral to repay their loans, had gradually accrued a balance of tokens leftover from slippage. These small leftover token amounts are sometimes called "dust". Altogether, these tokens amounted to around $70,000 across several blockchain networks.

An exploiter was able to take advantage of an arbitrary call error that allowed them to steal funds from these various contracts, amounting to around $56,000. Various people associated with Aave emphasized that there was no risk to user funds or flaw in the core Aave protocol, and one described the hack as "raiding the tip jar".

OpenSea receives SEC Wells notice

OpenSea has announced that they received a Wells notice from the U.S. Securities and Exchange Commission, warning them of a likely lawsuit from the agency. According to CEO Devin Finzer, "they believe NFTs on our platform are securities". Finzer did not provide any more details about the scope of the SEC's notice.

Finzer promised that the company would vigorously fight any impending lawsuit.

The lawsuit echoes previous enforcement actions by the SEC, such as a September 2023 settlement with the celebrity-backed Stoner Cats project, in which the SEC suggested that it may broadly view NFTs as securities if investors "reasonably expect to profit" from the continued efforts of those who release the NFTs.

Bitcoin mining company Rhodium Enterprises files for bankruptcy

The Texas-based Rhodium Enterprises bitcoin mining company has filed for bankruptcy, disclosing debts between $50 and $100 million and total assets between $100 and $500 million. The company had tried to begin restructuring, but was not able to reach agreement among shareholders, and so decided to enter bankruptcy.

Bitcoin mining has been an extremely challenging business in recent times, partly due to volatile crypto prices over the last few years, and due to diminishing miner rewards following the April halving event.

Rhodium Enterprises had been showing signs of trouble, including failing to make scheduled loan payments earlier this month. In December 2023, a dispute between them and a subsidiary of the Riot Platforms bitcoin mining group culminated in armed security removing Rhodium employees from a bitcoin mining facility in Rockdale, Texas, where Rhodium was leasing bitcoin miners. The case was later sent to arbitration.

Brothers charged by SEC for $60 million "crypto bot" Ponzi scheme

Brothers Jonathan and Tanner Adam were charged with violating the antifraud provisions of the federal securities laws with their GCZ Global and Triten Financial Group entities, which the SEC alleges amounted to a $61.5 million Ponzi scheme that impacted more than 80 victims. The brothers claimed to have a crypto arbitrage bot that would pull from investor funds to perform profitable trades that would earn them 8–13.5% returns. They claimed to investors that, short of a complete meltdown in global financial markets, their funds would be safe.

However, $53.9 million of investor funds were used to pay other investors, in classic Ponzi fashion. The brothers also used investor funds to build houses for themselves and their family, purchase vehicles and designer goods, and make payments on a $30 million condo in Miami for Tanner.

One of the brothers, Jonathan, had in 2004 been convicted on felony securities law violations that resulted in a four-year jail sentence and more than $300,000 in restitution.

Abra crypto lender charged with securities violations, settles

The SEC charged the Abra cryptocurrency lending platform with failing to register the offers and sales of its retail crypto asset lending product, Abra Earn, and with operating as an unregistered investment company. Abra Earn was available to US customers from July 2020 until June 2023.

Abra settled the charges from the SEC by agreeing to an obey-the-law injunction, and agreeing to pay as-yet-undetermined civil penalties.

In January 2024, Abra settled claims from the Texas State Securities Board by agreeing to refund customers. As a part of the complaint, the TSSB had alleged that Abra was "insolvent or nearly insolvent", and had been making misleading statements. In June 2024, Abra settled with 25 state regulatory agencies, agreeing to refund up to $82.1 million to its US customers. Abra had begun winding down operations in the United States in mid-2023, after facing multiple state regulatory actions.

Users suffer losses after Polygon Discord hack

Some fans of the Polygon blockchain, or those looking for help with using it, suffered losses after hackers successfully compromised the project's Discord server. Discord hacks have become a major issue in the cryptocurrency world, and although Polygon is one of the largest projects to suffer a Discord compromise, it's far from the only project to do so.

One member of the Discord described losing more than $140,000 in tokens after clicking a link shared by a person appearing to be a member of the Polygon team, which advertised a token distribution to serve as a "pre-migration celebration".

McDonald's Instagram hacked, hackers claim $700,000 haul

Instagram page for McDonald's, showing the bio: "Sorry mah nigga you have just been rug pulled by India_X_Kr3w thank you for the $700,000 in Solana 🇮🇳"Hacked McDonald's Instagram (attribution)
McDonald's Instagram account, as well as the Twitter account of a McDonald's marketing director, began promoting a memecoin called $GRIMACE (named for the restaurant chain's blobby purple mascot). The posts to McDonald's 5.1 million followers caused the token price to spike. Then, the attacker sold off their holdings, profiting around $700,000 and plunging the token price.

They then boasted about their haul on the compromised Instagram account, changing the bio to say: "Sorry mah nigga you have just been rug pulled by India_X_Kr3w thank you for the $700,000 in Solana 🇮🇳".

The token stunt by the massive company was perhaps made more believable by McDonald's previous forays into crypto, including when they launched a McRib-themed NFT project in December 2021. The company had also joked about a "Grimacecoin" back in January 2022, in a reply to a tweet from Elon Musk.

Crypto holder loses over $55 million to apparent phishing attack

Someone holding almost $55.5 million in the DAI stablecoin was apparently phished, signing a transaction to reassign ownership of their DAI stash to a phishing address. The victim appeared to realize their error several hours later, attempting to withdraw the tokens only to have the transaction fail since they were no longer the owner of the assets.

The attacker later moved the stablecoins to a new wallet, and exchanged about half of them for 10,625 ETH.

Former CEO of Heartland Tri-State Bank sentenced to more than 24 years in prison after putting bank funds into crypto scheme

Shan HanesShan Hanes (attribution)
Shan Hanes, the former CEO of the Kansas Heartland Tri-State Bank, was sentenced to 293 months (24 years, 5 months) imprisonment after pleading guilty to embezzlement by a bank officer. Hanes had fallen for a "pig butchering" scam, where he believed he could earn returns by "investing" funds under the bank's control into a cryptocurrency scheme.

Between May and July of 2023, Hanes transferred $47.1 million of the bank's funds to the fraudulent scheme. This ultimately led to the bank collapsing, with equity investors losing $9 million and the FDIC footing the bill. "There were people who lost 70, 80% of their retirement" as a result of their investment losses, stated a community member.

Hanes had also taken money from a local church, an investment club, and his daughter's college savings. These funds were reportedly used to buy cryptocurrency after those running the scheme told him they needed more money to "unlock" the returns on his investments — a common tactic with these scams.

FutureNet founder arrested for alleged crypto fraud

Roman ZiemianRoman Ziemian (attribution)
Roman Ziemian, a co-founder of the alleged crypto pyramid scheme FutureNet, was arrested in Montenegro, where he was living under a false identity. He had previously been arrested in Italy in October 2022, but fled the country after being released to home confinement. Ziemian’s co-founder, Stephan Morgenstern, had also fled authorities after being arrested and released to home confinement in Greece, but was arrested again in Albania in August 2023.

Ziemian was wanted on international warrants from Poland and South Korea. FutureNet, which was established in 2018 and purported to be a crypto trading platform, is alleged to have defrauded numerous people of a combined $21 million. Victims were encouraged to buy "participation packages", and earn rewards for referring others to the scheme. Polish authorities warned that FutureNet might be a pyramid scheme in 2019, and South Korea began an investigation into the company in 2020.

Ziemian faces fraud, money laundering, and theft charges, which could be punished by life imprisonment in South Korea.

Twitch streamer DNP3 pleads guilty to wire fraud after gambling away funds invested in crypto charity project

Still frame of streamer DNP3 speaking into a microphoneAustin "DNP3" Taylor (attribution)
In January 2023, Twitch streamer DNP3 issued a statement admitting that he had gambled away investor funds while chasing losses. "Eventually I lost everything. In addition to my own life savings, I also irresponsibly used investor funds to try and 'get my money back' from the casino," he wrote. He had founded crypto projects including CluCloin, the Gridcraft metaverse project, and the Goobers NFT project.

Now, Austin "DNP3" Taylor has pleaded guilty to wire fraud after stealing around $1.14 million in investor funds from his CluCoin project, which had claimed it would "help others in need". DNP3 himself had built up a reputation of making generous gifts while livestreaming. He transferred the stolen funds to online casinos, where he then gambled them away.

Taylor faces up to 20 years in prison. The statement from the U.S. Attorney's Office announced that authorities would be notifying identified victims via NFT, and encouraging them to submit statements to the FBI.

Crypto holder loses $100,000 to "Coinbase support" scammer, found via a Google ad

After encountering issues trading his cryptocurrency holdings on Coinbase, a man in his 60s decided to contact Coinbase support for help. He Googled "Coinbase" and clicked on a promoted result that displayed a Coinbase support phone number. After calling the number, the man was convinced to share his Coinbase password and to open his online banking account with the person on the other end, who was in fact a scammer impersonating Coinbase's customer support. By the time the man realized what was happening, thanks to a fraud alert from his bank, he had lost $100,000 in bitcoin, ether, and US dollars.

Scammers impersonating crypto company support representatives are everywhere on social media and elsewhere. Now, it seems, they are purchasing Google ads to rise to the top of Google search rankings. While Google says they attempt to remove fraudulent advertisers, some slip through the cracks.

While phishing attacks like this are prevalent both in crypto and in tradfi, crypto platforms often do not have similar safeguards as major banking platforms to try to thwart unauthorized transactions, nor do they have the same ability to reverse transactions that are made.