Crypto exchange XT.com suffers $1.7 million hack
13-year-old rug pulls crypto token, then faces retaliation
Around $21 million in losses reported by users of DEXX
DEXX did not disclose how much was taken in the breach, but hundreds of victims have reported around $21 million in combined losses so far.
Polter Finance exploited for $12 million
The creator of the platform stated that they had filed a police report with Singaporean authorities. They also attempted to contact the hacker via on-chain message to negotiate the return of funds, but have not received a response.
Thala Labs loses, then recovers, $25.5 million
DeltaPrime loses $4.8 million in second hack
DeltaPrime paused the protocol on both Arbitrum and Avalanche, stopping the attacker from being able to steal more funds than they already had.
DeltaPrime was hacked previously on September 16, losing $6 million after a leaked private key enabled an attacker to mint a huge number of the platform's stablecoin deposit receipts.
Trader reveals he lost $28 million to bad copy-paste
Short of finding a vulnerability in Renzo, the trader's only real choice is to plead with Renzo to change their smart contract in such a way as to release the funds. While this is technically possible, Renzo has told the trader they could not grant his request due to "regulatory limitations".
CoinPoker exploited for $2 million
The platform sent a message to the exploiter attempting to negotiate a return of some of the funds.
MetaWin casino hacked for $4 million
- "Online Casino MetaWin hacked for $4 million — ZackXBT", CoinTelegraph
Supply chain attack stemming from JavaScript animation library results in losses for users of 1inch and other platforms
Other crypto platforms affected included TEN Finance and Movement. Because the animations library is widely used, other non-crypto-related websites also showed the prompt.
M2 cryptocurrency exchange hacked for $13.7 million
Shortly after the theft, M2 acknowledged the hack and announced that "the situation has been fully resolved". This apparently involved M2 restoring customer funds from their own assets, rather than recovering the stolen assets.
Sunray Finance hacked for $2.7 million
In the process of selling off tokens, an arbitrage bot was able to take advantage of the price difference by selling the rapidly crashing SUN token into a second liquidity pool that apparently went unnoticed by the hacker, and the bot operator also profited around $560,000.
$20 million moved from US government wallet in possible theft
The government has not made any statements regarding the movement of assets.
The following day, $19.3 million in tokens were returned to the original wallet.
Sharpei memecoin rug pulls for $3.4 million
As the token price stuttered along with these revelations, insiders apparently decided to quit while they were ahead, and cashed out in a quick and coordinated sale.
Blockchain company Forte acquires games studios, demands secrecy, shuts them down
Both studios had several games in progress, and two of Phoenix Labs' games were explicitly designed for younger players. Developers reportedly voiced discomfort with incorporating blockchains into the games, selling digital items to children.
Later, Forte pulled the plug on several in-development games at both studios. Then, Forte shut down Rumble in 2024, laying off all employees. Forte also laid off over 100 people from Phoenix Labs that year.
Tapioca DAO exploited for most of its assets — over $4 million
Various security researchers have observed that the attack appears to be linked to a slew of social engineering attacks perpetrated by cybercriminals out of North Korea.
Radiant Capital exploited again, this time for at least $50 million
This is the second Radiant Capital exploit this year, after a $4.5 million theft in January that was enabled by an unaddressed vulnerability in the underlying Compound Finance code.
Cosmos founder reveals a portion of the protocol was created by North Korean developers
Kwon urged the Cosmos governance team to perform a full audit of the code written by these developers, and develop more protocols to prevent issues like this going forward. He also called for the governance team to blacklist Zaki Manian.
- "On the LSM Module", All In Bits
Permit phisher steals almost $1.4 million in frog tokens
The attacker stole around $1.1 million of the cartoon frog-themed PEPE tokens, and another roughly $50,000 of the also cartoon frog-themed APU token.
$3.1 million in EIGEN tokens stolen and sold
After the incident, some questioned why the tokens had been sent to an investor without a vesting contract, given they were supposed to be locked for a period of time to prevent sale.
Victim loses over $32 million to wallet drainer
The victim wallet sent a message to the thief, offering "a peaceful resolution to this situation" in which the thief could keep 20% of the total amount taken (around $6.5 million).
Bedrock staking platform loses $2 million after bug that allowed users to trade Bitcoin and Ethereum 1:1
A security firm working with Bedrock had tried to warn Bedrock of the vulnerability several hours before the attack, but the team was asleep. The vulnerable contracts had been deployed a day and a half prior to the attack, and had not been audited.
Fortunately for Bedrock, security groups were able to pause third-party projects surrounding Bedrock, which helped to limit the losses — which ultimately could have been as high as the entire value of funds on the protocol.
Onyx hacked for $3.8 million via the same exploit used against them less than a year ago
Onyx apparently didn't learn their lesson the first time around, when they were exploited for $2 million in November 2023 by an attacker taking advantage of a known vulnerability affecting empty markets on the protocol. This same bug seems to have contributed to this exploit, although Onyx has claimed the hack was due to a separate vulnerability in an NFT liquidation contract.
Truflation hacked for around $5 million
Truflation is a blockchain-based project that provides economic data including inflation rates and asset valuations. The platform has been backed by Coinbase Ventures, Chainlink, and others.
OpenAI Twitter account once again hacked and used to promote scam token
This latest hack is only the latest in a slew of Twitter account compromises "announcing" a scam token. Over a year, OpenAI CTO Mira Murati had her account hacked to promote an "$OPENAI" token. Three months ago, accounts belonging to chief scientist Jakub Pachocki and researcher Jason Wei were hacked and used to post the same scam as today.
Shezmu hacked for almost $5 million, negotiates bounty
Shortly after the attack, Shezmu offered a 10% "bounty" for the return of the funds. The attacker responded that they would only consider a 20% bounty. Shezmu agreed to the terms, and announced to their followers that they had achieved a recovery from the "white hat" hacker.
BingX hacked for $52 million
Some accused the exchange of trying to cover up the theft by announcing "temporary wallet maintenance" without disclosing that a theft had occurred. The team later announced that "there has been minor asset loss", and stated that the lost funds would be restored out of the company's capital.
Around $10 million of the stolen assets were frozen during recovery efforts after the theft.
Germany seizes 47 cryptocurrency exchanges reportedly used by ransomware groups
Websites for these exchanges now show notices announcing a law enforcement operation called "Operation Final Exchange". The page announces to visitors "This was your final exchange!", and in a letter addressed to "ransomware affiliates, botnet operators and darknet vendors", warns that authorities are now working to trace the illicit users of the exchange.
- "Germany seizes 47 crypto exchanges used by ransomware gangs", BleepingComputer
Almost $2 million taken from users of Telegram "Banana Gun" crypto trading bot
Banana Gun acknowledged the attack on Twitter and shut down the bot. They posted that they did not believe their backend was compromised, and stated that they believed the attack occurred via a "front-end vulnerability" — though it was not clear what this might have referred to.
- "Telegram bot Banana Gun’s users drained of over $1.9M", CoinTelegraph [archive]
Arrests made after $243 million stolen from one individual in Gemini phishing attack
The FBI raided a luxury home in Miami in connection to the theft, and arrested two men in their early twenties. Authorities worked with crypto investigators including zachxbt to trace the stolen funds.
Rari Capital settles with the SEC
The company and co-founders will pay fines, and the individuals will agree to five-year bans from serving as officers or directors.
The regional SEC director stated, "We will not be deterred by someone labeling a product as 'decentralized' and 'autonomous'," alluding to crypto firms' tendencies to try to skirt securities regulations by claiming to be "decentralized".
Rari has featured on Web3 is Going Just Great before, when they were exploited for around $80 million in April 2022 and when they were exploited for around $15 million in May 2021. The project effectively wound down soon after the second theft.
- "SEC Charges DeFi Platform Rari Capital and its Founders With Misleading Investors and Acting as Unregistered Brokers", U.S. Securities and Exchange Commission [archive]
Ethena website compromised
They later were able to deactivate the website and regain control of the domain. "Remember scammers are always chasing you," they wrote on Twitter.
$6 million taken from Delta Prime defi protocol
DeltaPrime acknowledged the attack on Twitter, and announced that "the risk is contained". They also stated that they were "looking into other ways to reduce user losses to a minimum", including by pulling from the protocol's insurance pool.
Flappy Bird creator disavows crypto spin-off
Nguyen famously removed the game from app stores shortly after it surged to popularity, stating that he felt guilty that people were becoming addicted to the game. This makes the game's reappearance — complete with loot boxes and other addictive features — feel somewhat dark.
On September 15, Nguyen returned from a seven-year Twitter hiatus to post: "No, I have no related with their game. I did not sell anything. I also don't support crypto."
Although Nguyen held the Flappy Bird trademark, he did not sell it to this group. Instead, they registered the trademark themselves after arguing he had abandoned it.
Eve Online developer angers fans with announcement that their new game will be blockchain-based
"There is still time. You can still roll it back and pretend it never happened. Please. None of us want this crypto slop, this desperate cash grab, this attempt at 'creating something great,' this game where buzzwords seem more important than gameplay," wrote one player on the game's subreddit.
A tweet announcing the game was celebrated by some crypto advocates, but attracted some critical responses from players. One wrote, "releasing a blockchain game a year after the weird hype about that technology died so now you got a shitty concept and don't even get a pay-off for it. let's see how this is going to turn out :)"
eToro settles with SEC for $1.5 million, shuts down most crypto trading
- “eToro Reaches Settlement with SEC and Will Cease Trading Activity in Nearly All Crypto Assets”, United States Securities and Exchange Commission [archive]
Adam Neumann's Flowcarbon refunds customers after failing to launch "Goddess Nature Token"
Now, Flowcarbon has reportedly been issuing refunds after the tokens have failed to materialize more than two years later. Flowcarbon has reportedly been blaming "market conditions and resistance from carbon registries" for the failure to launch, according to a report from Forbes. Flowcarbon claimed they have been offering refunds "due to industry delays" since 2023.
CryptoPunk sells for a fraction of its likely market price due to zombie smart contract
The platform's smart contracts remain operational, however, and so despite the lack of a frontend website for the platform, the backend still remains. A trader was able to use these smart contracts to trigger a feature that allows a buyout of the fractional shard holders which, if not countered by someone else, automatically goes through in 14 days. The bidder proposed a purchase of 0.001 ETH per share, and without an operational Niftex frontend, no one noticed. The bid went through, and the trader successfully purchased all 10,000 shares — and thus, the NFT — for 10 ETH.
Since then, several people have offered to purchase the NFT for amounts ranging from 100 to 605 ETH. If the new owner were to accept the 605 ETH bid, they would 60x their purchase price.
One owner of a fractionalized share said he thought he had managed to successfully block the sale, but miscalculated. "GG to the new owner", he wrote. He wrote on Twitter, "I don’t consider this a heist. It’s an arb. The smart contract worked as intended. If you want decentralized systems you have to take the good with the bad. It’s part of the game. It’s why we’re here. If you don’t like those rules, you probably shouldn’t be playing."
Hacker steals $1.45 million from CUT token liquidity pool
Indodax crypto exchange apparently hacked for at least $22 million
Indodax's Instagram account also appeared to be compromised, promoting a suspicious "giveaway".
State securities regulators settle with GS Partners over pyramid schemes including "tokenized skyscraper"
Terms of the settlement include 100% repayment of investments made by victims in the five states that settled: Texas, Alabama, Arizona, Arkansas, and Georgia.
GS Partners has also faced regulatory scrutiny in other US states, as well as in Canada, Australia, and South Africa.
AssangeDAO accused of rug pull after transferring treasury to German foundation
This $10 million was later sent to a German non-profit foundation called the Wau Holland Foundation, which has also been fundraising and managing funds relating to Assange's legal defense. However, this transfer raised serious concerns among some members of the DAO who say they've effectively been cut out of decisionmaking, that the funds were transferred without their approval, and allege the treasury was mismanaged and crashed in value as a result.
Hacktivist, bitcoin core developer, and AssangeDAO organizer Amir Taaki accused fellow AssangeDAO organizer: "Harry Halpin you should be honest and direct with the people here. You believe the money should be kept in a foundation controlled by your people with Julian. You do not respect the community or believe in the DAO."
Friend.tech team abandons project
The project spiked in popularity when it launched in August 2023, but interest rapidly dwindled. A token launched in May 2024 also suffered a mostly downward trajectory. On September 7, the team reassigned ownership and admin rights to the smart contracts to the burn address, making them permanently inaccessible.
Some denounced the project as a Ponzi scheme (repeating accusations it has received since its inception, based on its incentive structure). Others accused the development team of rug pulling and not delivering on their promises — accusations that intensified as one co-founder deleted his Twitter account and the other set his to private. The team is estimated to have made around $44 to $60 million in fees.
Revelo CEO resigns after claiming he was robbed of personal and company funds at gunpoint
He went on to state that the "vast majority" of the stolen assets were his personal funds. He also alleged that "There is some evidence to suggest that someone in the Ventures syndicate is either part of the group, or passing information onto them."
The amount of funds stolen was not disclosed. Drakon resigned as CEO, and said that he had forfeited his interest in Revolo Intel "to facilitate the return of some money back to members as quickly as possible". He wrote: "To be clear, I have zero financial interest in Revelo moving forward."
He also stated that he would be "stepping away from 'public life' in this space", and warned others: "If you are someone who is known to control large sums of money, you are a target and it is not difficult at all to get to you."
Robinhood pays $3.9 million to settle commodities law violations in California
In addition to the fine, terms of the settlement require the platform to allow its customers to withdraw their crypto assets, and to update disclosures regarding asset custody.
The California DOJ also accused the platform of misleading its customers by claiming that the app "advertis[ed] it would connect to multiple trading venues, to ensure customers receive the most competitive prices between the venues, which was not always true". They also say that Robinhood lied about always holding all customer crypto assets purchased through the platform, when in reality, "there were instances in which it arranged for trading venues to hold customer assets for extended periods".
- "Attorney General Bonta Secures $3.9 Million Settlement with Cryptocurrency Company Robinhood", California Attorney General's Office [archive]
Trump family Twitter accounts compromised ahead of World Liberty Financial launch
The posts were deleted and accounts were locked down very quickly by Twitter, but not before approximately 2,000 people bought around $1.8 million of the fake token.
Penpie hacked for $27.3 million
The team behind Pendle (the platform on which Pendie is built) detected the attack and paused Pendle an hour after the attack began, which they claim prevented another $105 million from being stolen.
Members of the Penpie team filed complaints with Singaporean police and the US FBI. They also attempted to negotiate a "bug bounty" via on-chain and social media messages to the attacker, but the hacker seems uninterested and has continued to transfer funds between various crypto wallets and launder funds through Tornado Cash.
SEC charges Galois Capital, Galois settles
The SEC also charged that Galois Capital had misled some investors into believing they needed five business days of notice to redeem assets, while other investors were allowed to redeem assets more quickly.
Galois agreed to a settlement with the SEC in which they will pay a $225,000 penalty, which will go to investors who lost money.
- "SEC Charges Crypto-Focused Advisory Firm Galois Capital for Custody Failures", U.S. Securities and Exchange Commission
"Peripheral" Aave smart contract hacked for $56,000
An exploiter was able to take advantage of an arbitrary call error that allowed them to steal funds from these various contracts, amounting to around $56,000. Various people associated with Aave emphasized that there was no risk to user funds or flaw in the core Aave protocol, and one described the hack as "raiding the tip jar".
OpenSea receives SEC Wells notice
Finzer promised that the company would vigorously fight any impending lawsuit.
The lawsuit echoes previous enforcement actions by the SEC, such as a September 2023 settlement with the celebrity-backed Stoner Cats project, in which the SEC suggested that it may broadly view NFTs as securities if investors "reasonably expect to profit" from the continued efforts of those who release the NFTs.