The SEC also found that Tai Mo Shan had acted as a statuary underwriter for the Terra sister token Luna, which was an unregistered security.
Tai Mo Shan agreed to the fine, and to a prohibition on future violations of securities laws.
SEC fines Jump Crypto subsidiary $123 million
The SEC has levied a $123 million fine against Jump Crypto subsidiary Tai Mo Shan, which was part of a secret deal with Terraform Labs to help prop up the floundering Terra stablecoin in May 2021. Jump spent $20 million to help the supposedly “self-healing” stablecoin regain its $1 peg, earning about $1.28 billion in the process, and Terraform Labs CEO Do Kwon would later claim that the restoration to a $1 price was thanks to an automatic feature of the Terra project and not some backroom deal. This lie by Terraform Labs and Jump Crypto helped build confidence in the sustainability of the Terra token, which collapsed horrendously a year later.
- “Tai Mo Shan to Pay $123 Million for Negligently Misleading Investors About Stability of Terra USD”, U.S. Securities and Exchange Commission [archive]
Two NFT fraudsters charged for rug pulls amounting to over $22 million
Gabriel Hay and Gavin Mayo, two LA-based NFT creators, have been charged for defrauding investors of more than $22.4 million through a series of NFT rug pulls and other crypto scams. The duo launched various projects with detailed and false roadmaps to lure NFT buyers, then abandoned the projects without following through.
For example, a "Vault of Gems" NFT project falsely claimed to be the "first NFT pegged to a hard asset, like jewelry", which would have its own exchange. A "Faceless" NFT project promised to produce comic books, a movie, and a clothing company. None of the promises ever materialized, and Hay and Mayo abandoned the projects soon after launching them.
Hay and Mayo worked to hide their involvement with their scams, and have been charged with harassment for attempting to threaten those who connected them. In one case, after a person revealed Hay and Mayo to be the ones behind the Faceless NFT project, the duo sent threatening emails and text messages to the man and his parents. In an email to his parents, they impersonated a law firm, and even threatened to make false sexual abuse claims against the man.
- Indictment of Gabriel Hay and Gavin Mayo [archive]
Kraken fined $5.1 million by Australian securities regulator
The US-based cryptocurrency exchange Kraken has been fined AU$8 million (US$5.1 million) for illegally offering margin trading to Australian customers. The firm had offered the margin product to more than 1,100 Australians without first undergoing the process to determine if the products were appropriate for retail customers.
The more than 1,100 customers lost more than US$5 million. While some of the customers were likely sophisticated investors, Kraken made no effort to limit the product to such a group. Around 81% of the customers who used Kraken's margin product lost money.
This is far from Kraken's first run-in with regulators. The company has settled with US regulators over sanctions violations and failure to comply with securities regulations pertaining to its staking product. They also have an open lawsuit from the US SEC over alleged unregistered securities offerings and commingling corporate and customer funds.
- "Kraken crypto exchange operator to pay $8 million following ASIC enforcement action", Australian Securities and Investments Commission press release
Crypto holder loses assets priced at $2.5 million
A crypto holder tweeted at the Ledger hardware wallet manufacturer to report that 10 BTC (~$1 million) and "~1.5m of NFTs" had been stolen from them. "The ledger was purchased directly from you. The seed phrase was stored in a secure location, never entered anywhere online. I never signed any malicious transactions. Everything is in my physical possession.I haven’t touched this ledger in 2 months," they wrote.
Some blamed the theft on an apparent malicious Ethereum transaction the user had signed nearly three years prior. However, while a malicious transaction signature on Ethereum could explain the NFT thefts, it should not alone enable the theft of assets on the separate bitcoin blockchain.
Despite this, Ledger blamed its customer, telling a media outlet that "As we know, the user got phished when it comes to the ETH wallet, we can assume user error on the BTC side too".
Former pastor charged with crypto scheme in which he stole $5.9 million from his former congregants
The CFTC has filed suit against Francier Obando Pinillo, an American former pastor who targeted his former congregants and other unsophisticated investors with a crypto pyramid scheme called "Solanofi". He promised victims that his supposed automated trading system was "risk free", and that they would earn guaranteed profits as high as almost 35% compounded monthly — which he "proved" to them with an online dashboard showing faked balances. They were also encouraged to recruit friends and family, and incentivized with referral fees.
Despite his promises, Pinillo had created no trading platform whatsoever, was doing no crypto trading, and simply pocketed all the money. Any payments made to his customers during the fraud were taken from newer investors, in classic Ponzi fashion.
- "CFTC Charges Washington State Pastor with Fraud, Misappropriation in Multilevel Marketing Scheme Targeting Hispanic Americans", US Commodity Futures Trading Commission [archive]
Clober gets clobbered
Clober, a DEX built on Coinbase's Base Ethereum layer-2, suffered an exploit only about a week after its launch. A re-entrancy bug in the project allowed an attacker to siphon 133.7 ETH (~$501,000) from the project. Although the project boasted of audits, Clober had made changes to a contract after the audits that introduced the vulnerability.
Clober has offered a 20% "bug bounty" to the exploiter vi on-chain message, though they have not yet received any public reply.
- "Clober Dex Incident Analysis", CertiK
Alpaca Finance proposes $50,000 restitution for $2.8 million in losses
Users of the Alpaca Finance lending protocol suffered losses when the protocol's sloppy oracle implementation finally resulted in consequences. Although many had warned the project about their glacial oracle setup, and the vulnerabilities they were opening themselves up to, the project repeatedly denied any issues and even banned those voicing concerns.
Then, when a new token called THENA was listed on Binance and experienced major volatility as trading opened, Alpaca's issues came to a head. As the token price surged, the slow oracle failed to reflect price changes, allowing people to withdraw far more THENA than they had posted as collateral. THENA lenders have lost an estimated $2.8 million.
On December 10, Alpaca Finance proposed distributing $50,000 "saved" by their liquidation bot to the lenders who had lost funds. Alpaca Finance also banned users complaining about their losses in the project Discord, dismissing them as a "group bot/FUD attack".
85-year-old painter loses life savings to NFT art dealer scam
An 85-year-old painter from Brooklyn was convinced to send scammers $135,000 after they promised they would sell his artwork as NFTs on OpenSea. After agreeing to have a supposed "art dealer" list and sell his artwork, the man was told he'd earned $300,000. But there was a catch: he would have to pay nearly half that amount in "fees" to get access to his windfall. The man liquidated his retirement, made credit card payments, and took out a personal loan to acquire cryptocurrency for the supposed fees, only to later realize he'd been duped.
Police were unable to recover his money, although they did seize around 40 websites that were spoofing various real NFT marketplaces.
- "Brooklyn District Attorney Shuts Down 40 Domains Associated With NFT Crypto Scam Targeting Artists, After Brooklyn Painter Lost Over $135,00", "Kings County District Attorney's Office" [archive]
"Hawk tuah" memecoin immediately crashes
Who could have guessed that buying up a token based around the long-past-its-expiration-date hawk tuah meme might turn out to be an unwise investment? Haliey Welch, the originator of the raunchy catchphrase, launched a memecoin that she insisted was not a cash grab but a "good way to interact with her fans". (The "interaction" in question here was limited to " fans give money", because she had no other specific plans for the token).
The token followed the typical pattern of quickly pumping, then crashing spectacularly, losing around 90% of its "value". This is often an indicator of a pump-and-dump scheme by insiders, but Welch vehemently denied such wrongdoing, blaming the crash on "snipers".
"I really lost $43k apeing in 'hawk tuah' coin," wrote one buyer on Twitter. Other Twitter users marveled at a wallet that swapped $1.4 million worth of MOODENG (a memecoin based on the tiny hippo of the same name) only to lose it all on the $HAWK token.
Official Solana JavaScript library compromised in supply chain attack, at least $184,000 taken
An attacker was able to compromise an account that had publish access for the official Solana web3.js library, which is widely used by dApps to read and write from the Solana blockchain. The library gets over 350,000 downloads per week from the popular JavaScript package manager npm.
Malicious versions of the library allowed exploiters to steal private keys and drain funds from dApps like various Solana bots.
Around $184,000 was stolen as a result of the compromise. Although it was caught fairly quickly, and the malicious code was removed from package managers, developers will need to update projects that used the malicious version of the library, and refresh any potentially exposed secrets.
- "Solana Web3.js library backdoored to steal secret, private keys", Bleeping Computer [archive]
Clipper DEX suffers $450,000 hack
The Clipper decentralized exchange suffered a $450,000 exploit across two Ethereum layer-2 chains. Although some speculated that the issue may have been a private key leak, Clipper denied this, and instead said that an attacker had exploited a feature allowing people to make withdrawals denominated in a single token by performing swaps along with the withdrawal.
Although the $450,000 theft is relatively small compared to some other crypto hacks, it represented around 6% of the total value locked on Clipper. Clipper stated they were working to trace and attempt to recover funds, and asked the hacker to contact them to potentially negotiate a return of some funds.
Crypto exchange XT.com suffers $1.7 million hack
On November 28, cryptocurrency exchange XT.com abruptly suspended withdrawals, citing a "wallet upgrade and maintenance". However, after a blockchain security firm identified $1.7 million in suspicious transfers, XT.com acknowledged that they had "detected an abnormal transfer from our platform wallet". According to an announcement, the stolen funds were company assets, rather than cryptocurrencies belonging to users.