Web3 is Going Just Great

zachxbt recounted how scammers routinely spoof phone numbers and use stolen personal information to gain trust with victims on phone calls, where they claim to be Coinbase employees informing users of unauthorized account access. They then walk victims through "securing" their accounts, but in reality they direct people to cloned versions of the Coinbase website where the victims are made to transfer their assets to the scammers.

zachxbt concluded, "Coinbase needs to urgently make changes as more and more users are being scammed for tens of millions every month. ... Coinbase is in a position where they have the power to make these changes and set a good example but they have chosen to do little to nothing ."

Altogether, around $827,000 has passed through the AlleyCat creator's Sportsbet.io account in seven months. Crypto scam-spotting account Rug Pull Finder has alleged that the AlleyCat creator is also behind other rugpulls.

The AlleyCat cryptocurrency project is based on the 1983 Atari game of the same name, though the crypto project does not appear to have any affiliation with (or approval from) the game's creators.

However, crypto media firm Decrypt reached out to a spokesperson for the Las Vegas Sphere and discovered that no such deal had been reached.

Dogwifhat creators have since backtracked, replacing the tweet with a version omitting the "officially confirmed" portion, but still claiming that they "have been in ongoing negotiations with various parties to collaborate on the Sphere ad placement". They promised to return the funds "if, by any chance, the plan is not executed".

However, poor security by the software developers allowed attackers to ship a remote access trojan (RAT) along with the DogWifTools release. Once the package was downloaded, the trojan began scanning infected devices for crypto private keys, login information, and other sensitive data. Attackers even used scans of identification documents taken from their targets' computers to create Binance accounts.

Ultimately, around $10 million was stolen from would-be scammers. Along with the virus, the people who compromised DogWifTools left an angry note on infected machines: "Solana is a fucking joke and a scam from the beginning, it was designed for criminals by criminals! As a result, we have confiscated all your crypto, because you deserved it! You people who use automated tools to run these scam tokens are fucking disgusting to us. It's about time you got fucked over for once. Solana is nothing more than a shitty platform that enables scammers and rug pullers to steal from innocent users."

They also launched an onion website containing a message: "We specifically targeted scammers in the crypto market who were using tools to gain an unfair advantage over innocent, day-to-day traders. ... We believe it was morally correct to confiscate money that was not rightfully theirs." They added that they would soon be publishing the user data they stole on the scammers.

It's not clear whether Ulbricht has taken over control of these wallets, or if they are still being operated on his behalf. Either way, whoever does control the wallets made a big mistake when they tried to cash out on their memecoin stash by adding single-sided liquidity on Meteora. They accidentally initialized the liquidity pool at too low a price, allowing a MEV bot to snap up 5% of the token supply (notionally ~$1.5 million) at a discount and resell them.

The wallet operator then made the same error again with a larger quantity of tokens, selling off another 35% of the supply and losing out on around $10.5 million in notional value.

According to US prosecutors, "KuCoin was used to transmit billions in suspicious transactions and potentially criminal proceeds, including proceeds from darknet markets and malware, ransomware, and fraud schemes."

KuCoin has agreed to pay $297 million in penalties, and will leave the US market for at least two years. Furthermore, two company founders who were also charged will no longer work for the company. Prosecutors reached a deferred prosecution agreement with the two founders, who will also forfeit around $2.7 million each.

The team has announced that the pause will last for 90 days as they explore options to save the project.

After the Trump family actually did launch the $TRUMP and $MELANIA memecoins, several more tweets by the @TrumpDailyPosts account appeared to crosspost additional announcements by Donald Trump on Truth Social of memecoins with names like $POTUS, $WIN, $POWER, and $MAGA. The tweets contained the date and timestamps that normally establish that a post on the account is a repost of Trump's genuine Truth Social posts.

It's not clear if the @TrumpDailyPosts Twitter account was hacked or if those running it decided to scam their followers. However, by sharing the now-deleted posts to their large following, they made around $1.25 million from people who were hoping to hop on the trend and buy in early to new Trump-backed memecoins.

The reaction to his post was not exactly warm, with lawyer Ari Cohn tweeting: "🎶Look at this grift, isn't it neat? Wouldn't you say God's debasement's complete? 🎶"

After a very brief spike in token price, the memecoin collapsed.

Fournier posted on Twitter, claiming he was scammed by his collaborator. When accused of rugging the token, Fournier replied "I'm very new to crypto and I promise you I didn’t rug it." "Buddy, we see your wallet. It’s all on-chain," replied another person. Fournier, apparently not knowing he was describing a rug pull, wrote: "I literally sold because it was going down increasingly. I don’t know who wouldn’t do that."

This is not Melania Trump's first foray into the crypto world. In December 2021, she launched her own line of NFTs — only to apparently wash trade them after a tepid response.

Meanwhile, some in the crypto world are reacting with horror at Trump's decisionmaking. While they hoped that Trump's administration would be crypto-friendly, they did not seem to anticipate that the Trump family would openly embrace some of the ecosystem's worst parts to enrich themselves at everyone else's expense.

They wrote in their announcement that, although they had some money left, the "prolonged downturn" in the NFT market was causing them to "anticipate significant challenges in securing further investment which would make it difficult". They said they would be returning unused funding to investors and shutting down most of the site's functionality immediately.

BitMEX was not supposed to serve US customers, yet Americans made up around 11.5% of their customers. "BITMEX policies nominally in place to prevent such trading were toothless or easily overridden to serve BITMEX's bottom line goal of obtaining revenue through the U.S. market without regard to U.S. criminal laws," alleged a press release by the US Attorney's Office of the Southern District of New York. They added: "Corporate executives took affirmative steps purportedly designed to exempt BITMEX from the application of U.S. laws like AML and KYC requirements, despite knowing of BITMEX's obligation to implement such programs by operating in the U.S. As part of BITMEX's willful evasion of U.S. AML laws, the company lied to a bank about the purpose and nature of a subsidiary to allow BITMEX to pump millions of dollars through the U.S. financial system."

Although The Idols boasts of two audits from several years ago, the contract containing the vulnerability may not have been audited.

Sony's crackdown on these tokens perhaps should not have come as a huge surprise, given that the announcement of Soneium's launch touted "protecting content rights and creating fair profit-sharing mechanisms" among its goals.

Nevertheless, members of the Soneium Discord widely accused Sony of "rugging" or "honeypotting" them by prohibiting trading on the memecoins they had purchased.

Buyers were told they could use the NFTs as a sort of fan pass, receiving access to a Discord, and earning ground passes and behind-the-scenes access for finals weeks. There was also a scheme in which NFT holders could redeem access to passes to matches.

However, the Australian Open seems to have let the project — launched at the peak of NFT hype — peter out, with no mention of redeeming passes, and project websites still promising a 2024 update. The Discord has been shut down.

UniLend acknowledged the hack, downplaying it as affecting "only" 4% of the platform's $4.7 million TVL. They offered a bounty to the attacker.

Shortly after the token's public launch, Bankless VC dumped 300,000 AICC (8% of their allocation) for 344 SOL ($65,300). By immediately dumping tokens on retail when the token opened for public trading, they were able to sell the tokens for an average of $0.22 — considerably higher than the $0.05 to $0.11 the token has been trading at over the last 24 hours.

When questioned about the trades, Bankless host David Hoffmann wrote: "Agree that Bankless Ventures should not be selling tokens - that was an impulsive mistake." He announced that they had repurchased the tokens they had sold, and were "discussing a self-imposed vesting schedule" for selling tokens that they themselves had promoted.

They later posted a long apology in their Discord, blaming the sales on Ben Lakoff, a general partner of Bankless VC. "Ben did not have context for this, and was in the mindset of trading a local high as you might trade a meme coin you're bullish on - or there's no way he would have done this - huge mistake, first time something like this has happened - he's devastated", explained Bankless co-host Ryan Sean Adams. He also placed some blame on AICC for not imposing any token lockups or vesting schedule that would prohibit early investors from dumping tokens on retail.

One single victim was defrauded out of more than $100,000.

The NYAG has seized $2.2 million in Tether, and is pursuing legal action against the as-yet-unidentified scammers. Because of the unknown identities of the defendants, the NYAG will serve notice of the lawsuit via NFT — something they describe as a first by government regulators.

Another $1.47 million in assets were vulnerable as a result, but the whitehat blockchain security firm Seal911 successfully drained those funds to later be returned to the protocol once it was secured.

"The team is not sure what happened," wrote Orange Finance in a tweet announcing the hack, encouraging people to revoke contract approvals for the compromised addresses.

Orange Finance attempted to negotiate with the attacker via on-chain message, writing, "If you respond positively to our offer within 24 hours, we guarantee that no law enforcement agencies will be involved, and the matter will be treated as a white-hat hack."

Victims estimate that between €1.5 million and €4.5 million (~$1.54 million – $4.64 million) was stolen.

The man contacted Canadian police, who told him the assets had been transferred out of the country and that they were unable to trace it.

Youssef emphasized that user funds were safe, which led to questioning from others on how that could be possible when nearly $8 million had been stolen. Youssef claimed he had reimbursed the stolen assets himself.

This time, the FEG project team blamed an issue with the project's bridge, which is a tool used to deposit and withdraw tokens from the project. An attacker was able to maliciously withdraw a large amount of FEG tokens via the flaw in the bridge, which they then sold off for around $1.07 million, tanking the FEG token price by 99% in the process. The bridge had been audited by the PeckShield blockchain security firm.

The SEC also found that Tai Mo Shan had acted as a statuary underwriter for the Terra sister token Luna, which was an unregistered security.

Tai Mo Shan agreed to the fine, and to a prohibition on future violations of securities laws.

For example, a "Vault of Gems" NFT project falsely claimed to be the "first NFT pegged to a hard asset, like jewelry", which would have its own exchange. A "Faceless" NFT project promised to produce comic books, a movie, and a clothing company. None of the promises ever materialized, and Hay and Mayo abandoned the projects soon after launching them.

Hay and Mayo worked to hide their involvement with their scams, and have been charged with harassment for attempting to threaten those who connected them. In one case, after a person revealed Hay and Mayo to be the ones behind the Faceless NFT project, the duo sent threatening emails and text messages to the man and his parents. In an email to his parents, they impersonated a law firm, and even threatened to make false sexual abuse claims against the man.

The more than 1,100 customers lost more than US$5 million. While some of the customers were likely sophisticated investors, Kraken made no effort to limit the product to such a group. Around 81% of the customers who used Kraken's margin product lost money.

This is far from Kraken's first run-in with regulators. The company has settled with US regulators over sanctions violations and failure to comply with securities regulations pertaining to its staking product. They also have an open lawsuit from the US SEC over alleged unregistered securities offerings and commingling corporate and customer funds.

Some blamed the theft on an apparent malicious Ethereum transaction the user had signed nearly three years prior. However, while a malicious transaction signature on Ethereum could explain the NFT thefts, it should not alone enable the theft of assets on the separate bitcoin blockchain.

Despite this, Ledger blamed its customer, telling a media outlet that "As we know, the user got phished when it comes to the ETH wallet, we can assume user error on the BTC side too".

Despite his promises, Pinillo had created no trading platform whatsoever, was doing no crypto trading, and simply pocketed all the money. Any payments made to his customers during the fraud were taken from newer investors, in classic Ponzi fashion.

Clober has offered a 20% "bug bounty" to the exploiter vi on-chain message, though they have not yet received any public reply.

Then, when a new token called THENA was listed on Binance and experienced major volatility as trading opened, Alpaca's issues came to a head. As the token price surged, the slow oracle failed to reflect price changes, allowing people to withdraw far more THENA than they had posted as collateral. THENA lenders have lost an estimated $2.8 million.

On December 10, Alpaca Finance proposed distributing $50,000 "saved" by their liquidation bot to the lenders who had lost funds. Alpaca Finance also banned users complaining about their losses in the project Discord, dismissing them as a "group bot/FUD attack".

Police were unable to recover his money, although they did seize around 40 websites that were spoofing various real NFT marketplaces.

The token followed the typical pattern of quickly pumping, then crashing spectacularly, losing around 90% of its "value". This is often an indicator of a pump-and-dump scheme by insiders, but Welch vehemently denied such wrongdoing, blaming the crash on "snipers".

"I really lost $43k apeing in 'hawk tuah' coin," wrote one buyer on Twitter. Other Twitter users marveled at a wallet that swapped $1.4 million worth of MOODENG (a memecoin based on the tiny hippo of the same name) only to lose it all on the $HAWK token.

However, the "metaverse" trend failed to take off, and Nike is only the latest company to abandon its multi-million dollar investment in the space.

Malicious versions of the library allowed exploiters to steal private keys and drain funds from dApps like various Solana bots.

Around $184,000 was stolen as a result of the compromise. Although it was caught fairly quickly, and the malicious code was removed from package managers, developers will need to update projects that used the malicious version of the library, and refresh any potentially exposed secrets.

Although the $450,000 theft is relatively small compared to some other crypto hacks, it represented around 6% of the total value locked on Clipper. Clipper stated they were working to trace and attempt to recover funds, and asked the hacker to contact them to potentially negotiate a return of some funds.

DEXX did not disclose how much was taken in the breach, but hundreds of victims have reported around $21 million in combined losses so far.

The creator of the platform stated that they had filed a police report with Singaporean authorities. They also attempted to contact the hacker via on-chain message to negotiate the return of funds, but have not received a response.