Cryptocurrency

SEC Form 8-K

Mon, 06 Apr 2026 00:00:00 +0000

Bitcoin ATM operator Bitcoin Depot has disclosed a March 23 hack in which attackers stole 50.903 BTC (~$3.67 million) from company wallets. According to the company’s disclosure with the SEC, the exploiters gained access to the company’s IT systems and wallet credentials, allowing them to steal the assets.Bitcoin Depot is the largest operator of crypto ATMs globally and in the United States, with approximately 8,700 kiosks in the US and 9,200 worldwide.

Total loss estimated at $3,665,000.

"Drift says $280M exploit tied to 'sophisticated' admin takeover; ZachXBT criticizes Circle over USDC handling"

Wed, 01 Apr 2026 00:00:00 +0000

The Solana-based Drift defi perpetual futures exchange was exploited for $285 million. The project alerted the community on social media, writing: “Drift Protocol is experiencing an active attack. … This is not an April Fools joke.“The project later described the exploit as “a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.” Once the attacker had access to admin capabilities, they quickly eliminated risk management limits on the protocol and drained huge quantities of tokens, which they swapped to USDC and then ETH. The attack was attributed to extremely sophisticated social engineering, likely by North Korean hackers.Some have criticized USDC’s issuer, Circle, for not freezing the stolen funds during the six hours they were held in USDC. Unlike ETH, USDC is controlled by a centralized company that can, and regularly does, freeze assets determined to have been stolen or connected to illicit activity.The theft is among the largest in defi history.

Total loss estimated at $285,000,000.

"On the Future of Balancer: Shutting Down Balancer Labs, Supporting the Path Forward"

Tue, 24 Mar 2026 00:00:00 +0000

After a November 2025 exploit in which $110 million was drained from the Balancer defi protocol, the company behind the project has announced it will shut down. Besides the massive loss, the hack also caused users to flee the protocol, and Balancer’s total value locked quickly plummeted from around $775 million to around $300 million. It has continued to decline since, now hovering around $150 million.Balancer co-founder Fernando Martinelli has said he strongly considered shutting down the protocol entirely, but ultimately decided to continue the project as it generates a relatively small amount of revenue. Instead, the project will move to being operated by a DAO and operating company, which Martinelli hopes will allow them to dodge “real and ongoing legal exposure” and “the liability of past security incidents”.Although another Balancer co-founder has optimistically presented this as “the start of a better chapter” for Balancer, it remains to be seen whether a skeleton crew will be able to revive the project.

"Venus Protocol left with roughly $2M in bad debt after exploit manipulates Thena's THE token price"

Tue, 17 Mar 2026 00:00:00 +0000

The BNB Chain’s Venus Protocol lending protocol accumulated $2.15 million in bad debt after an exploiter manipulated the price of the Thena protocol’s THE token. THE had very low liquidity, and the exploiter took advantage of it to manipulate the THE price oracle by borrowing against THE, using the borrowed funds to buy more THE, and repeating — causing the price oracle to reflect higher and higher prices. The attacker was able to avoid a supply cap on Venus by “donating” the funds rather than depositing them in the standard way.While the exploit left the Venus Protocol with over $2 million in bad debt, it’s not clear if the attacker even made money from the exploit. The exploiter’s position was ultimately liquidated, collapsing the increase in THE price. However, it’s possible the exploiter took advantage of the price discrepancy elsewhere to profit.The Venus Protocol has had a number of issues in the past — notably in June 2023, when the team developing the BNB Chain had to intervene when the a thief borrowed $150 million on Venus against stolen tokens and then faced liquidation.

Total loss estimated at $2,150,000.

Tweet by Solv Protocol

Thu, 05 Mar 2026 00:00:00 +0000

The Solv Protocol bitcoin defi lending and staking platform disclosed an exploit that they said affected fewer than ten users, but nevertheless netted the attacker 38 SolvBTC (a wrapped bitcoin token priced at $2.7 million). Although Solv has not disclosed specifics of the attack, some researchers have suggested it was a bug in the protocol’s burn and mint functionality.

Total loss estimated at $2,700,000.

Tweet by Step Finance

Mon, 23 Feb 2026 00:00:00 +0000

Step Finance announced that, following a $30 million theft in late January, the project would be shutting down. Along with it, they will shut down SolanaFloor — a Solana-focused media project — and Remora Markets — a Solana-based tokenized stocks platform.According to Step Finance, “we explored every possible path forward, including financing and acquisition opportunities. Unfortunately, we were unable to secure a viable outcome and have made the difficult decision to end all operations effective immediately.“In reply to Step Finance’s announcement, crypto investor Mike Dudas claimed that the project had contacted him about bridge financing, but that Step had never responded to his request for more information about the hack. “i responded: ‘would need to see the security post mortem before i could consider investing here’ ”

"IoTeX hit by private key exploit draining around $2 million from bridge contracts, per co-founder"

Sat, 21 Feb 2026 00:00:00 +0000

IoTeX, a platform to connect IoT devices to blockchain networks, lost around $2 million after a private key compromise enabled an attacker to drain funds from the project’s token safe. Initial loss estimates were as high as $8.8 million, although IoTeX CEO Raullen Chai stated that the actual loss was closer to $2 million.Blockchain security researcher Specter has suggested there may be links between this attack and a $50 million theft from the Infini “stablecoin neobank” a year ago.

Total loss estimated at $2,000,000.

"Prosecutors recover $22 million worth of lost Bitcoin"

Thu, 19 Feb 2026 00:00:00 +0000

Staff members working for South Korean prosecutors, for some reason, decided to use a “wallet checking tool” during an August 2025 audit of seized crypto assets. The tool they selected turned out to be a phishing tool, and five wallets were drained of 320 BTC.On February 19, the office announced they had recovered the stolen assets and identified the thief.

Total loss estimated at $22,000,000.

"South Korean crypto firm accidentally sends $44 billion in bitcoins to users"

Sat, 07 Feb 2026 00:00:00 +0000

The South Korean cryptocurrency exchange Bithumb disclosed that it had accidentally given its customers more than 620,000 BTC (~~$44 billion) in a promotional event gone wrong. Intending to reward each customer with at least ₩2,000 (~~$1.40), the exchange accidentally rewarded each customer at least 2,000 BTC (almost $140 million).The exchange announced that they had recovered 99.7% of the erroneously awarded tokens, leaving around 1,860 BTC (~$130 million) unaccounted for.The incident has drawn further scrutiny from Korean regulators, who said that the error “has exposed the vulnerabilities and risks of virtual assets.” Regulatory agencies in the country had already been cracking down on crypto firms following a $30 million hack of the Upbit crypto exchange in November 2025.

Total loss estimated at $132,000,000.

"CrossCurve Threatens Legal Action After $3M Cross-Chain Bridge Exploit"

Sun, 01 Feb 2026 00:00:00 +0000

Hackers exploited a bug in smart contracts deployed by the defi protocol CrossCurve to steal an estimated $3 million across multiple blockchains. The thief was able to spoof cross-chain messages, causing the CrossCurve bridge to release assets not belonging to them.CrossCurve took a conciliatory tone in on-chain messages sent to the thief, writing, “These tokens were wrongfully taken from users due to a smart contract exploit. We do not believe this was intentional on your part, and there is no indication of malicious intent.” (Who among us hasn’t accidentally stolen millions of dollars?) However, they warned, they planned to escalate to working with law enforcement and blockchain security firms to investigate and prosecute the theft if the funds were not returned within 72 hours.

Total loss estimated at $3,000,000.

Tweet by CertiK

Sat, 31 Jan 2026 00:00:00 +0000

The Solana-based defi portfolio tracker Step Finance lost 261,854 SOL (~$28.7 million) when a thief gained access to treasury and fee wallets. It’s not yet clear how the attacker was able to steal the funds, although Step Finance posted to Twitter that the theft occurred via a “well known attack vector”. Step wrote that they were working with cybersecurity firms and law enforcement to address the incident.

Total loss estimated at $28,700,000.

"SwapNet Incident Post Mortem"

Sun, 25 Jan 2026 00:00:00 +0000

Some users of Matcha Meta, a decentralized exchange aggregator on the Base blockchain, suffered losses after a thief exploited a vulnerability in its SwapNet integration. SwapNet is another DEX aggregator that integrates with Matcha Meta, and Matcha blamed a vulnerability in their smart contracts that enabled a thief to steal assets transferred via the integration.Most of the lost funds came from a single user, who lost $13.34 million in assets. Other users lost a combined $90,000.

Total loss estimated at $13,430,000.

Tweet thread by Aperture Finance

Sun, 25 Jan 2026 00:00:00 +0000

An attacker exploited a bug in an Aperture Finance smart contract to steal at least $3.4 million from users who had enabled “instant liquidity management” features. Aperture Finance is a defi platform that aims to allow users to trade by telling large language models their “intents”.Aperture has said they disabled portions of their web app impacted by the bug, and are working to try to trace and recover stolen funds.

Total loss estimated at $3,400,000.

Tweet by Saga

Wed, 21 Jan 2026 00:00:00 +0000

The Saga project halted its blockchain after acknowledging that $7 million had been stolen. An attacker was evidently able to mint a large quantity of Saga Dollar tokens, though it’s not yet clear whether it was because of a smart contract vulnerability, private key compromise, or some other issue. The attacker was quick to swap most of the assets to ETH to thwart asset freezes or blockchain halts.The Saga Dollar token lost its peg and fell to around $0.75 after the attack.

Total loss estimated at $7,000,000.

Tweet by RuneCrypto_

Mon, 12 Jan 2026 00:00:00 +0000

Shortly after losing his campaign for re-election as mayor of New York City, Eric Adams announced he would be launching “NYC Token”. He’s pitched the project as a fundraising tool to fight “antisemitism” and “anti-Americanism”, and as a project to “teach our children how to embrace the blockchain technology.“He launched the project on January 12, and buyers piled in in hopes of being early to a high-profile crypto token endorsed by a public figure. However, within hours, the team began pulling liquidity as the price peaked, extracting around $2.5 million. As the price began to fall, the team added back around $1.5 million, leaving around $1 million unaccounted for.Additionally, on-chain researchers observed at least one wallet that spent almost $750,000 to purchase around 1.5 million $NYC around 10 minutes before the token was publicly announced, leading to speculation around insider trading. However, because of the token price crash after the team began pulling liquidity, the apparent insider ultimately lost around $500,000.People were quick to accuse Adams, or his unidentified crypto team, of rug-pulling buyers. Adams and the project’s social media account have claimed that the team was simply moving or “rebalanc[ing]” liquidity, though they have not yet offered any explanation as to where the missing $1 million went.

Total loss estimated at $1,000,000.

Tweet by zachxbt

Sat, 10 Jan 2026 00:00:00 +0000

A crypto holder has lost $282 million in bitcoin and litecoin after a scammer impersonating a customer support employee for the Trezor hardware wallet manufacturer successfully convinced them into revealing their seed phrase. After gaining access to the assets, they quickly swapped them to the Monero privacycoin. The volume of assets was so large that the Monero price spiked as the scammer laundered the finds. The scammer also swapped assets using the THORChain project, which boasted on social media about the “World record speedrun. ⚡️” (presumably without realizing they were bragging about a thief using their project to launder money).Around $700,000 of the stolen assets were frozen thanks to intervention by a security firm called ZeroShadow, although this represents only 0.2% of the total loss.

Total loss estimated at $281,300,000.

Tweet by Truebit

Thu, 08 Jan 2026 00:00:00 +0000

A bug in a smart contract belonging to the Ethereum-based Truebit project allowed an attacker to steal 8,535 ETH (~$26.4 million). The thief targeted one of the project’s older contracts — deployed in 2021 — which contained a bug in which the price calculation to mint sufficiently large quantities of the protocol’s TRU token would overflow, erroneously allowing people to mint large amounts of TRU for next to nothing. The exploiter took advantage of this by minting TRU and swapping it for ETH, ultimately causing the TRU token price to crash 99.9%. Another subsequent attack saw around $300,000 more drained from the project.Truebit acknowledged the hack and urged users not to interact with the vulnerable smart contract.

Total loss estimated at $26,600,000.

"Flow blockchain probes security incident as FLOW token plunges over 40%"

Sat, 27 Dec 2025 00:00:00 +0000

The Flow blockchain suffered an exploit in which an attacker was able to mint a large number of wrapped FLOW tokens, which they then swapped to tokens on other blockchains. Ultimately around $3.9 million was stolen, and the FLOW token dramatically plunged in price.Some crypto exchanges, such as Upbit and Bithumb, halted withdrawals and deposits for FLOW after the exploit was discovered. Flow later confirmed the exploit, and said that validators “executed a coordinated halt” of the network to shut down the attack.

Total loss estimated at $3,900,000.

Tweet by PeckShield

Tue, 16 Dec 2025 00:00:00 +0000

Only weeks after losing $6.6 million to an infinite mint exploit, a Yearn Finance smart contract has again been exploited, allowing an attacker to make off with around 103 ETH (~$300,000). The affected contract is a legacy contract that was part of the Yearn v1 project (once known as iearn). The attacker used a flash loan to manipulate the price of tokens in the vault, allowing them to withdraw the iearn assets, which they then swapped for ETH.This is Yearn’s fourth hack, following the $6.6 million theft in November, an $11 million exploit in 2023, and an $11 million exploit in 2021. Yearn also lost around $1.4 million in 2023 in connection to the Euler Finance attack.

Total loss estimated at $304,400.

Tweet by Aevo (fka Ribbon Finance)

Fri, 12 Dec 2025 00:00:00 +0000

Ribbon Finance, which has partially rebranded to Aevo, has lost $2.7 million after attackers exploited a vulnerability in the smart contract for legacy Ribbon vaults that enabled them to manipulate oracle prices and withdraw a large amount of ETH and USDC.Ribbon has announced it will cover $400,000 of the lost funds with its own assets. However, Ribbon is also offering users a lower-than-expected haircut on their assets by assuming that some of the largest affected accounts will not withdraw their assets, having been dormant for several years. While this plan may benefit active users, it seems like it could get very messy if those dormant users do wish to withdraw their assets and discover they’ve been used to pay others.

Total loss estimated at $2,700,000.

"Binance post confirming insider trading sends 'year of the yellow fruit' meme token even higher"

Mon, 08 Dec 2025 00:00:00 +0000

Binance has announced that the company has suspended an employee who used the platform’s official Twitter accounts to promote a memecoin they had launched. The token, called “year of the yellow fruit”, pumped in price after official Binance accounts coaxed followers to “harvest abundantly”.Binance publicly acknowledged that an employee had been suspended for misconduct over the incident. “These actions constitute abuse of their position for personal gain and violate our policies and code of professional conduct,” Binance tweeted from its BinanceFutures account. After this announcement, the memecoin token price spiked even further.Earlier this year, Binance fired another employee after discovering they had used inside information to profit from a token sale event.

"Fusaka Mainnet Prysm Incident"

Thu, 04 Dec 2025 00:00:00 +0000

Ethereum validators running the Prysm consensus client lost around 382 ETH ($1.18 million) after a bug resulted in delays that caused validators to miss blocks and attestations. Though the bug had been introduced around a month prior, it did not affect validators until Ethereum completed its “Fusaka” network update on December 3. Around 19% of Ethereum validators use the Prysm consensus client, which is developed by Offchain Labs.

Total loss estimated at $1,180,000.

"yETH Pool Exploit: Technical Incident Report and Math Reconstruction"

Sun, 30 Nov 2025 00:00:00 +0000

Yearn Finance, a defi yield protocol, has suffered another hack. The exploiter took advantage of bugs in the project’s smart contract to drain assets from several of its pools by minting a huge number of yETH tokens and then withdrawing the corresponding asset in the pools.$2.4 million of the stolen assets, which were denominated in pxETH, a liquid staking token issued by Redacted Cartel, were recovered after the issuer burned the stolen tokens and reissued them to the team’s wallet — essentially, removing the tokens from the hacker’s wallet. However, the hacker routed the remaining funds through the Tornado Cash cryptocurrency mixer, which makes recovery substantially more challenging.This is the third time Yearn Finance has been hacked, following an $11 million exploit in 2023 and another $11 million exploit in 2021. Yearn also suffered around $1.4 million in losses in 2023 in connection to the Euler Finance attack.

Total loss estimated at $6,600,000.

"Upbit Reveals 5.9B-Won Corporate Loss in Latest Hack, Fully Reimburses Users"

Thu, 27 Nov 2025 00:00:00 +0000

The Korean cryptocurrency exchange Upbit suffered a loss of around $30 million in various Solana-based assets due to a hack. Some entities have suggested that Lazarus, a North Korean state-sponsored cybercrime group, was behind the hack.Upbit reimbursed users who had lost funds from company reserves. The exchange was able to freeze around $1.77 million of the stolen assets.This theft occurred exactly six years after Upbit suffered a theft of 342,000 ETH (priced at around $50 million at the time).

Total loss estimated at $28,430,000.

"Top DEXs Aerodrome, Velodrome hit with front-end compromise, urge users to avoid main domains"

Sat, 22 Nov 2025 00:00:00 +0000

Attackers redirected users intending to visit the websites for the decentralized exchanges Aerodrome and Velodrome to their own fraudulent versions using DNS hijacking, after taking control of the websites’ domains. The platforms urged users not to visit the websites as they worked to regain control.This is the second time such an attack has happened to these same platforms, with another DNS hijacking incident occurring almost exactly two years ago. In that instance, users lost around $100,000 when submitting transactions via the scam websites.

Tweet thread by Homer J

Fri, 21 Nov 2025 00:00:00 +0000

On November 21, the Cardano blockchain suffered a major chainsplit after someone created a transaction that exploited an old bug in Cardano node software, causing the chain to split. The person who submitted the transaction fessed up on Twitter, writing, “It started off as a ’let’s see if I can reproduce the bad transaction’ personal challenge and then I was dumb enough to rely on AI’s instructions on how to block all traffic in/out of my Linux server without properly testing it on testnet first, and then watched in horror as the last block time on explorers froze.“Charles Hoskinson, the founder of Cardano, responded with a tweet boasting about how quickly the chain recovered from the catastrophic split, then accused the person of acting maliciously. “It was absolutely personal”, Hoskinson wrote, adding that the person’s public version of events was merely him “trying to walk it back because he knows the FBI is already involved”. Hoskinson added, “There was a premeditated attack from a disgruntled [single pool operator] who spent months in the Fake Fred discord actively looking at ways to harm the brand and reputation of IOG. He targeted my personal pool and it resulted in disruption of the entire cardano network.“Hoskinson’s decision to involve the FBI horrified some onlookers, including one other engineer at the company who publicly quit after the incident. They wrote, “I’ve fucked up pen testing in a major way once. I’ve seen my colleagues do the same. I didn’t realize there was a risk of getting raided by the authorities because of that + saying mean things on the Internet.”

Telegram post by zachxbt

Thu, 20 Nov 2025 00:00:00 +0000

An attacker stole approximately $3.1 million from the BNB chain-based GANA Payment project. The thief laundered about $1 million of the stolen funds through Tornado Cash shortly after. The attacker was able transfer ownership of the GANA contract to themselves, possibly after a private key leak.The theft was first observed by crypto sleuth zachxbt. Not long after, the project acknowledged on its Twitter account that “GANA’s interaction contract has been targeted by an external attack, resulting in unauthorized asset theft.”

Total loss estimated at $3,100,000.

"'Fat-Finger' Fail? Cardano Whale Torches $6M After Hitting Illiquid USDA Pool"

Sun, 16 Nov 2025 00:00:00 +0000

A holder of around 14.4 million ADA (~$6.9 million), the token for the Cardano network, made an expensive error when attempting to swap the tokens for a stablecoin. Because the stablecoin they were looking to buy is lightly used and has only around $10.6 million tokens in circulation, an attempt to purchase millions of the tokens on the market caused the dollar-pegged stablecoin’s price to spike to around $1.26. The resulting slippage meant that the trader spent their roughly $6.9 million in tokens to receive a little less than $850,000 in the USDA stablecoin, meaning the trader essentially threw away $6 million.Observers have questioned what happened. It’s possible that the holder, who had not been active on-chain since 2020, was simply unaware of the slippage risk. It’s also possible that it was a “fat-finger” trade — that the trader accidentally selected the wrong stablecoin from a list of similarly named options, some of which could have more easily absorbed a trade of that size.

Total loss estimated at $6,000,000.

Tweet thread by Elixir

Thu, 06 Nov 2025 00:00:00 +0000

After the defi yield platform Stream Finance announced a $93 million loss, Elixir announced it would be discontinuing its deUSD synthetic stablecoin. Stream Finance owes $68 million to Elixir, and holds around $75 million deUSD.Elixir has announced that they plan to allow deUSD holders to redeem their tokens for USDC through a process that will also eliminate the risk of Stream Finance cashing out their deUSD without repaying their loan. According to Elixir, “Stream comprised of 99%+ of the lending positions (and has decided to not repay or close positions)”.

wrsETH Oracle Malfunction 11/4/25

Tue, 04 Nov 2025 00:00:00 +0000

The Moonwell lending protocol, built on the Base Ethereum L2, wound up with $3.7 million in bad debt after an attacker took advantage of an oracle malfunction that caused the price of wrsETH to be massively inflated. The Chainlink oracle used by the project erroneously reported that a single wrsETH token (Kelp DAO’s wrapped restaked ETH) was priced at around 1.65 million ETH ($5.8 billion). Within 30 seconds of the oracle reporting bad data, an attacker took advantage of the error to borrow huge amounts of tokens, which they then swapped to other tokens to cash out.Ultimately the attacker profited around 295 ETH ($1 million), but the protocol was saddled with significantly more bad debt that the team will now have to grapple with.

Total loss estimated at $3,680,000.

"Balancer Hit by Apparent Exploit as $110M in Crypto Moves to New Wallets"

Mon, 03 Nov 2025 00:00:00 +0000

The defi protocol Balancer suffered a major exploit that drained over $110 million across several blockchains, including Ethereum, Polygon, Base, and Sonic. Attackers exploited faulty access control in the manageUserBalance function of Balancer’s v2 smart contract, enabling unauthorized internal withdrawals. The stolen tokens included 6,850 osETH, 6,590 wETH, and 4,260 wstETH, later consolidated into new wallets likely for laundering.The exploit also impacted forked protocols like Beets Finance, which lost around $3 million. Balancer’s BAL token dropped over 10% following the theft.This was Balancer’s third major security incident since 2020, despite prior audits by OpenZeppelin and Trail of Bits.

Total loss estimated at $110,000,000.

"DeFi karma: Garden hacked for $11M after bridging Lazarus’ loot "

Thu, 30 Oct 2025 00:00:00 +0000

The Garden bitcoin bridge suffered a roughly $11 million loss after one of its solvers was compromised. These solvers essentially act as market makers for the protocol. Some blockchain sleuths have questioned whether the affected solver, which Garden described as a separate entity, may actually be operated by the same team as Garden.There wasn’t much sympathy to be had for Garden after this exploit. The protocol had recently announced hitting a milestone of bridging more than $2 billion in assets, but the celebration was criticized after zachxbt pointed out that a substantial portion of the bridged funds were proceeds of crimes being laundered to evade detection and recovery.

Total loss estimated at $11,000,000.

Tweet by Whale Alert

Wed, 15 Oct 2025 00:00:00 +0000

Paxos, the issuer of PayPal’s PYUSD stablecoin, accidentally minted 300 trillion of the supposedly dollar-pegged token. For context, this is approximately 2.5x the global GDP, and around 125x the total number of US dollars actually in circulation.Paxos later announced that the mint was an “internal technical error”, and that they had burned the excess tokens.While PayPal promises its customers that “Reserves are held 100% in US dollar deposits, US treasuries and cash equivalents – meaning that customer funds are available for 1:1 redemption with Paxos,” there clearly isn’t much in the way of safeguards to ensure that is always the case. As with most stablecoin issuers, Paxos merely issues self-reported and unreviewed portfolio reports, and monthly third-party attestations (not audits) of reserves.

"Hyperliquid User Loses $21 Million Due to Private Key Compromise, Experts Say"

Fri, 10 Oct 2025 00:00:00 +0000

An attacker apparently obtained access to a victim’s private key, enabling them to drain $21 million in various crypto assets. The attacker quickly bridged the stolen funds to ETH, then bounced through various addresses in hopes of disguising their origin and making the funds more challenging to recover.Some originally feared that the theft was enabled by an exploit on Hyperliquid itself, shortly after another Hyperliquid-based project was compromised, but the theft appears to have been a key leak rather than an exploit on the protocol.

Total loss estimated at $21,000,000.

"Abracadabra loses $1.8 million in protocol's third major DeFi hack since 2024"

Sat, 04 Oct 2025 00:00:00 +0000

In their third major hack in two years, the Abracadabra defi lending project lost $1.8 million of their Magic Internet Money stablecoin. An attacker took advantage of a bug in the project smart contracts to borrow more than their provided collateral would normally allow. The attack was funded via Tornado Cash, and the exploiter then swapped the stolen tokens for ETH and laundered them back through Tornado.The project disclosed the theft, describing the exploit as affecting “some deprecated contracts”. They downplayed the theft, saying they’d bought back the stolen assets using treasury funds.Abracadabra previously suffered a $13 million theft in March 2025, and a $6.5 million theft in January 2024.

Total loss estimated at $1,800,000.

"Hyperliquid-based Hyperdrive loses $782,000 after smart contract exploit"

Sat, 27 Sep 2025 00:00:00 +0000

Exploiters drained $782,000 in crypto assets from two markets on the Hyperdrive lending protocol, which is built on the Hyperliquid layer-1 blockchain. The attacker apparently took advantage of a security flaw in one of the project’s smart contracts to drain the funds.Hyperdrive paused all markets while investigating the vulnerability, and patched the bug. They also compensated those who had lost money in the exploit.

Total loss estimated at $782,000.

"$3.6M Drained From Hyperliquid DeFi Platform Hypervault in ‘Abnormal Withdrawal’"

Fri, 26 Sep 2025 00:00:00 +0000

Only days after the Hypervault yield farming platform announced on Twitter that they’d surpassed $5 million in total value locked, the platform suddenly shut down its website and social media accounts. Simultaneously, the crypto security firm PeckShield observed an “abnormal withdrawal” of a large quantity of various crypto assets priced at around $3.6 million, which were swapped to 752 ETH (~$3.1 million) and laundered through Tornado Cash.The project had attracted customers by advertising yields of 76–95%.

Total loss estimated at $3,600,000.

Tweet by Meta Alchemist

Tue, 23 Sep 2025 00:00:00 +0000

An attacker exploited bridges for SFUND, the token issued by the Seedify launchpad and incubator. It appears the exploiter has profited around $1.7 million from the theft. Seedify issued a statement announcing the theft, and said the bridge contracts that were exploited had been deployed for three years. The SFUND token crashed in price by around 80% before recovering somewhat.Seedify has been a launchpad for blockchain games, NFT projects, and other web3 products. The team recently has embraced “vibe coding” — a practice in which people rely heavily on AI to generate code.

Total loss estimated at $1,700,000.

Tweet by Yala

Sun, 14 Sep 2025 00:00:00 +0000

The YU bitcoin-backed stablecoin lost its intended dollar peg after what they described as “an attempted attack”, later writing that there was an “unauthorized transfer of funds”. Although they initially wrote that “All funds are safe”, they later stated that they “identified the stolen assets on-chain and are actively working with law enforcement to pursue recovery.” Research firm Lookonchain observed a large mint of the YU token that may have been related — if so, the attacker successfully stole at least 1,501 ETH ($6.75 million), and holds a substantial quantity of YU they still haven’t sold.Despite the project’s attempted reassurances, the YU stablecoin lost its $1 peg, plummeting as low as around $0.20. As of writing, about a day later, the stablecoin is still well below its peg, at around $0.94.

Total loss estimated at $7,600,000.

"SwissBorg hacked for $41M SOL after third-party API compromise"

Tue, 09 Sep 2025 00:00:00 +0000

Thieves stole 192,600 SOL (~$41.5 million) from a wallet belonging to the Swiss cryptocurrency exchange SwissBorg. The attack is being blamed on a vulnerability in the API of Kiln, a staking partner used for SwissBorg’s “Earn” program.SwissBorg announced that they would be reimbursing impacted customers using treasury funds, and working with security firms and law enforcement to try to recover the stolen assets.

Total loss estimated at $41,500,000.

"Sui-based Nemo Protocol exploited for $2.4 million"

Sun, 07 Sep 2025 00:00:00 +0000

The Nemo Protocol on the Sui blockchain suffered a $2.4 million exploit. The defi yield infrastructure protocol acknowledged the theft shortly after, explaining they had paused the protocol smart contracts as they investigated the theft. It appears the thief was able to manipulate a price oracle, siphoning $2.4 million in USDC from the project. They then bridged the funds from Arbitrum to Ethereum.

Total loss estimated at $2,400,000.

"Decentralized exchange Bunni loses an estimated $8.4 million in smart contract exploit"

Tue, 02 Sep 2025 00:00:00 +0000

The Bunni decentralized exchange was exploited for approximately $8.4 million across the Unichain Ethereum layer 2 network and the Ethereum mainnet. Bunni acknowledged the theft and paused the protocol shortly after the attack.

Total loss estimated at $8,400,000.

"Venus Protocol pauses after user loses funds in suspected phishing attack"

Tue, 02 Sep 2025 00:00:00 +0000

A user of the Venus Protocol borrowing and lending platform was successfully phished by an attacker who gained access to their account and drained $13.5 million in stablecoins and wBETH. The user signed a malicious transaction, approving the attacker’s address for token withdrawals.Venus paused the protocol as they investigated the theft. The project then proposed a vote to force liquidation of the attacker’s wallet and recover the stolen funds.

Total loss estimated at $2,100,000.

"Closing up (the) Shop"

Thu, 28 Aug 2025 00:00:00 +0000

Three years after launching “Collectible Avatars”, the NFT project they didn’t want to call “NFTs” because they were already becoming kind of cringe, Reddit has decided to pull the plug. “Well, this is one of those posts. The kind that we hoped we would never have to write,” they wrote.Reddit has ended submissions for new avatars, and will shut down its avatar shop, collection display on profiles, and NFT wallet feature.The feature is apparently so unused that the shutdown announcement garnered zero comments in the r/CollectibleAvatars subreddit. Besides posts relating to the shutdown, the most recent post in the subreddit was a year old.This is the second blockchain-based feature Reddit has sunset, following the October 2023 decision to end their “Community Points” feature.

Tweet by zachxbt

Tue, 19 Aug 2025 00:00:00 +0000

A bitcoin holder reportedly fell for a social engineering attack after receiving communications from scammers posing as customer support for a crypto exchange and hardware wallet provider, according to crypto sleuth zachxbt. The thieves stole 783 BTC (~$91 million), which they then transferred through the Wasabi mixer to complicate tracing.

Total loss estimated at $91,000,000.

"Qubic Claims Majority Control of Monero Hashrate, Raising 51% Attack Fears"

Tue, 12 Aug 2025 00:00:00 +0000

Monero, a privacy-focused blockchain network, has been undergoing an attempted 51% attack — an existential threat to any blockchain. In the case of a successful 51% attack, where a single entity becomes responsible for 51% or more of a blockchain’s mining power, the controlling entity could reorganize blocks, attempt to double-spend, or censor transactions.A company called Qubic has been waging the 51% attack by offering economic rewards for miners who join the Qubic mining pool. They claim to be “stress testing” Monero, though many in the Monero community have condemned Qubic for what they see as a malicious attack on the network or a marketing stunt.Though Qubic has claimed to have achieved 51% of the Monero hashrate, these claims have been disputed. However, they do appear to be very close if not there already, and there have been multiple chain reorganizations — including a 6-block reorganization — suggesting that Qubic has established significant control over Monero mining.

Tweet by BobBodily

Tue, 12 Aug 2025 00:00:00 +0000

Odin.fun, a bitcoin-based memecoin launchpad sort of like the popular pump.fun, was exploited for 58.2 BTC (~$7 million). The attacker had apparently manipulated the price of various tokens, then withdrew bitcoin based on the inflated prices.A team member suggested they were unsure of the total amount stolen, “but as of right now, our company treasury isn’t big enough to cover the losses”.

Total loss estimated at $7,000,000.

"Solana lender Credix pledges full reimbursement after $4.5 million DeFi exploit"

Mon, 04 Aug 2025 00:00:00 +0000

The defi lending protocol Credix lost $4.5 million to an exploit after a hacker gained control of an admin wallet and used it to mint tokens and drain liquidity pools.Credix subsequently announced they had negotiated with the thief, who they said agreed to return the funds “in return for money fully paid by the credix treasury”. They did not disclose how much they paid to the hacker.However, shortly after this announcement, the company deleted its social media accounts and disappeared, leading some to wonder if the “hack” may have in fact been a rug pull by insiders. The promised reimbursements have not yet materialized.

Total loss estimated at $4,500,000.

Tweet by CyversAlerts

Mon, 28 Jul 2025 00:00:00 +0000

A hacker stole RARE tokens priced at around $731,000 after exploiting a vulnerability in a staking contract for the SuperRare NFT platform. The attacker funded the exploiter wallet around six months ago with assets transferred via the Tornado Cash cryptocurrency mixer.

Total loss estimated at $731,000.

Tweet thread by CertiK

Tue, 15 Jul 2025 00:00:00 +0000

The Arcadia Finance defi margin protocol was exploited for $3.5 million after an attacker found a vulnerability in a project smart contract. The attacker quickly swapped the stolen tokens and bridged them from Base to the Ethereum mainnet. The attacker stole the funds in two separate transactions that were more than four hours apart.Arcadia is backed by Coinbase Ventures. The project acknowledged the hack, encouraging users to revoke permissions.

Total loss estimated at $3,500,000.

Tweet by Ramon | Kinto

Thu, 10 Jul 2025 00:00:00 +0000

The price of Kinto’s $K token suddenly crashed 90%, sparking accusations of a rug pull. A tranche of investor tokens had just been unlocked recently, leading some to speculate that investors dumped their tokens on retail buyers.However, Kinto blamed the token crash on the exploit that was recently disclosed by VennBuild, claiming on Twitter that “we got hacked by a state actor”. Venn seemed to corroborate Kinto’s explanation that the crash was related to the exploit, tweeting that although they had tried to warn all vulnerable projects before publicly disclosing the bug, “Sadly the Kinto token was not found despite being vulnerable, and exploited without time to mitigate.“Kinto has announced a plan to try to fundraise to cover a $1.4 million loss in liquidity, then create a new $K token based on a snapshot of previous token holdings.

Tweet by PeckShield

Wed, 09 Jul 2025 00:00:00 +0000

The decentralized perpetual exchange GMX has been exploited for $42 million. The exploit involved a vulnerability in one version of the exchange’s price calculation smart contract. GMX paused some trading while they investigated the hack, and placed other temporary restrictions on the platform.GMX offered a 10% “bug bounty” to the hacker if they returned the funds. The attacker later returned $40.5 million in stolen assets; unusually, this is more than the 90% return requested by GMX.

Total loss estimated at $42,000,000.

Tweet by Texture

Wed, 09 Jul 2025 00:00:00 +0000

An attacker exploited the Solana-based lending protocol Texture, stealing $2.2 million in user funds from one of the project’s vaults.Shortly after the attack, Texture sent a message to the thief: “We are offering a 10% bounty of any funds stolen, which are yours to keep if you return the remaining 90%. You made an opsec mistake, but it’s not too late to avoid escalating the situation.“The threat and “bounty” offer apparently worked, and the hacker returned $1.98 million, keeping $220,000 as a so-called “greyhat bounty”. “As the hacker has fulfilled their side of the agreement, we will not pursue the matter further,” wrote Texture.

Total loss estimated at $2,200,000.

Tweet thread by deeberiroz

Wed, 09 Jul 2025 00:00:00 +0000

On July 9, security researchers at VennBuild and other firms disclosed a “critical backdoor” affecting thousands of smart contracts, which one of the researchers said left “over $10,000,000 at risk for months”. The researchers suggested that the backdoor was likely created by Lazarus, a North Korean state-sponsored hacking group.According to the researchers, they found thousands of contracts affected by the exploit, and worked with multiple protocols to upgrade contracts or withdraw vulnerable funds. The researchers theorized that the attackers were “likely a sophisticated group waiting for a bigger target, not small wins.”

"Meta Pool, a Liquid Staking Protocol, Suffers $27M Exploit"

Tue, 17 Jun 2025 00:00:00 +0000

An attacker exploited a vulnerability in the staking contract for Meta Pool, which is a liquid staking project. This allowed them to mint 9,700 mpETH, the project’s liquid staking token, which is notionally worth $27 million. However, very low liquidity for the token meant that the attacker was only able to swap 10 ETH (~$25,000) of tokens.Meta Pool acknowledged the theft in a post shortly after the exploit was noticed by a blockchain security firm, and announced that the team had paused the project’s smart contract.

Total loss estimated at $25,000.

"DeFi Platform Cork Protocol Suffers $12M Smart Contract Exploit"

Wed, 28 May 2025 00:00:00 +0000

Cork Protocol, a defi project aimed at “tokenizing the risk of depeg events for stablecoins and liquid (re)staking tokens”, suffered a $12 million loss after an attacker exploited a bug in how the project’s smart contract calculated exchange rates. The attacker stole around 3,762 wrapped staked ETH (wstETH), which they exchanged for ETH. The project announced that they were investigating the theft and had paused markets.Cork had been audited in whole or in part by four different security firms. The project’s funders include Andreessen Horowitz, OrangeDAO, and Steakhouse Financial, and Cork is a part of Andreessen Horowitz’s Crypto Startup Accelerator.

Total loss estimated at $12,000,000.

Tweet by Cetus

Thu, 22 May 2025 00:00:00 +0000

An attacker stole $223 million from the Sui-based Cetus Protocol. The project announced shortly after that $163 million of the funds had been frozen, leaving around $60 million unaccounted for.This led some to question how decentralized the project truly is if the funds can be frozen in such a way.Sui validators later voted to return the frozen assets to the Cetus project. Cetus also announced that users would be fully compensated, and that they would cover the $60 million gap with project treasury funds and a loan from the Sui Foundation.

Total loss estimated at $60,000,000.

Tweet by zachxbt

Sun, 27 Apr 2025 00:00:00 +0000

3,250 BTC (~$330 million) were apparently stolen from a bitcoin holder and then quickly moved through multiple exchanges and swapped for the Monero privacycoin. Such a massive swap into Monero was apparently enough to cause the Monero price to spike from around $230 to as high as around $330, before retracting somewhat.

Total loss estimated at $330,700,000.

"Solana DeFi protocol Loopscale hit with $5.8 million exploit two weeks after launch"

Sat, 26 Apr 2025 00:00:00 +0000

A new Solana-based defi protocol called Loopscale, backed by Coinbase Ventures and Solana Labs, suffered a $5.8 million exploit only two weeks after its launch. The stolen funds represented 12% of the protocol’s TVL. The project blamed the exploit on a bug in the protocol’s pricing calculations. Although the project had been audited in February by OShield, the audit evidently did not detect the flaw.

Total loss estimated at $5,800,000.

Tweet by Term Labs

Sat, 26 Apr 2025 00:00:00 +0000

The Ethereum-based lending project Term Finance lost $1.6 million when an oracle misconfiguration resulted in unintended liquidations. The team later announced that they had “successfully negotiated [the] return” of 333 ETH (~~$600,000) that had been lost, and that another roughly 223 ETH (~~$400,000) had been “captured internally”, leaving the final loss at around 362 ETH (~$650,000).

Total loss estimated at $600,000.

"ZKsync discloses $5 million attack from compromised airdrop admin account, triggering 20% price drop"

Tue, 15 Apr 2025 00:00:00 +0000

An attacker compromised an admin account belonging to the ZKsync Ethereum layer-2 project, which is built by Matter Labs. By doing so, they were able to steal approximately $5 million worth of the ZK token, which the project said were “the remaining unclaimed tokens from the ZKsync airdrop”.ZK Sync offered a 10% “bug bounty” to the thief, who accepted and returned 90% of the stolen funds.

Total loss estimated at $500,000.

Tweet by KiloEx

Mon, 14 Apr 2025 00:00:00 +0000

KiloEx, a decentralized perpetual futures exchange, was exploited for $7.5 million. An attacker executed an oracle manipulation attack on KiloEx’s pricing smart contracts to steal funds across the Base Ethereum layer-2 chain, BNB Chain, and Taiko.KiloEx halted trading on the platform while investigating the exploit, and contacted the hacker to try to negotiate a 90% return of funds.KiloEx later announced that the recovery had been successful, and that they would pay out the 10% “bounty”.

Total loss estimated at $750,000.

On-chain messages

Mon, 31 Mar 2025 00:00:00 +0000

The zkLend lending platform was hoping they could secure the return of stolen funds from the attacker who stole 3,667 ETH (~$9.5 million at the time) from the platform in mid-February. They offered a 10% “bounty” for the return of the funds, but received no reply — that is, until now.On March 31, the attacker sent an on-chain message to the platform, writing: “Hello I tried to move funds to tornado but I used a phishing website and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused. All the 2930 eth have been taken by that site owners. I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money. I am sorry.“The zkLend project instructed the thief to return any remaining funds to their wallets, though no such transfer has happened yet.There has been substantial conversation over whether the hacker had truly been in turn scammed out of the stolen funds, had made up a fake phishing site to try to obscure the path of stolen money, or perhaps whether the whole event had been an April Fools’ joke. However, zkLend noted on Twitter that the phishing website, which imitates the Tornado Cash platform, has been operational for five years and is likely not connected to the hacker.

"ICERAID: Report Immigrants, Get Paid In Crypto"

Sun, 30 Mar 2025 00:00:00 +0000

A project called “ICERAID” has emerged, promising to reward “intelligence gathering” on “suspicious activities” by photographing supposedly criminal behavior by undocumented immigrants to law enforcement. The project has been advertised by right wing personalities including Laura Loomer and Matt Gaetz, the latter of whom promised ICERAID lets people “ping the cops faster than you can say ‘sanctuary city’.“An instructional video posted to social media by the platform encourages people to “do [their] patriotic duty” by going to a District Court in a blue state, then “Secretly snap a photo of the judge. Don’t let the bailiff see you.” The video shows a person uploading a photograph of Judge James Boasberg, who is presiding over the Trump administration deportation flights case, and reporting him for “terrorism”.The project has been likened to Stasi programs in which citizens were paid to spy and report on their neighbors.The founder of ICERAID, Jason Meyers, claims that he had had conversations with the White House about the project, although the website for the tool states it is not affiliated with any government agency and is not a website of the US government. Meyers has faced several enforcement actions resulting in disciplinary penalties over his involvement in security sales, and in 2014 was permanently banned by FINRA from broker-dealer activities after misappropriating investor funds. Meanwhile, multiple users have complained about not receiving their promised ICERAID tokens, and the project reportedly changed its terms after the token presale to reduce the amount of money buyers would earn for participating.

Telegram post

Fri, 28 Mar 2025 00:00:00 +0000

A Coinbase customer reportedly lost 400 BTC (~$35 million) in a scam identified by blockchain sleuth zachxbt. While investigating the massive theft from the single customer, he also observed at least $11 million in thefts from various other Coinbase customers throughout March.zachxbt has previously accused Coinbase of not doing enough to protect customers from hundreds of millions of dollars in scams, and he noted that in these cases, Coinbase had not marked the thief wallets as malicious in various cryptocurrency compliance tools.

Total loss estimated at $46,000,000.

"Hyperliquid delists JELLYJELLY memecoin amid whale manipulation fiasco"

Thu, 27 Mar 2025 00:00:00 +0000

HyperLiquid’s Hyperliquidity Provider market making vault suffered a $13.5 million loss after an alleged market manipulation incident involving a memecoin called JELLYJELLY. A trader holding nearly $5 million (notional) of the token used a combination of shorts and spot purchases to force HyperLiquid to take on the short position. By forcing the token price up with large spot purchases, HLP suffered an unrealized loss of $13.5 million.HyperLiquid validators voted to delist the JELLY token. They also evidently overrode the JELLY price provided by the market oracle in an attempt to reduce their losses, leading an unrelated crypto executive to question “Is that even legal?”

Total loss estimated at $13,500,000.

"Hacker steals $13 million in Abracadabra's 'Magic Internet Money' seemingly using a flash loan attack"

Tue, 25 Mar 2025 00:00:00 +0000

An attacker using a flash loan attack stole $13 million in the Magic Internet Money token from the Abracadabra project. The attack was enabled by a bug in the platform’s smart contracts, and the hacker ultimately made off with around 6,262 ETH.This is the second time Abracadabra has been exploited, after suffering a $6.5 million theft in January 2024.

Total loss estimated at $13,000,000.

"Binance memecoin platform Four Meme exploited again — this time for $130K"

Tue, 18 Mar 2025 00:00:00 +0000

After suffering an $183,000 loss to an attack in February, the BNB-based Four.Meme memecoin launchpad has been hacked again, this time for around $130,000. Four.Meme aims to be BNB’s version of pump.fun, the popular Solana-based memecoin platform.Four.Meme acknowledged the latest theft on Twitter, writing that they intended to reimburse users who lost money.

Total loss estimated at $130,000.

Tweet by 1inch

Wed, 05 Mar 2025 00:00:00 +0000

An attacker exploited a smart contract belonging to the 1inch DEX aggregator, stealing $5 million in the USDC stablecoin and wETH. According to the platform, the vulnerability existed in “smart contracts using the obsolete Fusion v1 implementation”, and the stolen funds belonged to resolvers (that is, entities that fulfill 1inch orders) rather than users.

Total loss estimated at $5,000,000.

Complaint

Thu, 27 Feb 2025 00:00:00 +0000

A plaintiff named Mandar Mirashi has filed a lawsuit against an unknown defendant accused of stealing around $40 million in bitcoin through a sophisticated phishing attack and/or device compromise. After receiving suspicious emails from or appearing to be from Google, the Ledger hardware wallet manufacturer, and Apple, and after observing an apparent device compromise allowing an attacker to delete his Reddit account without his involvement, Mirashi moved 300 BTC from a Ledger hardware wallet, believing it to be compromised. An attacker then attempted to steal the funds from the hot wallet where he’d moved them, but Mirashi was able to intervene in time to cancel the transaction. Mirashi moved the funds back to the Ledger, only to discover the next day that around 522 BTC had been stolen from two of his Ledger wallets.

Total loss estimated at $40,000,000.

Tweet by Suji Yan

Thu, 27 Feb 2025 00:00:00 +0000

Suji Yan, the founder of the Mask Network, suffered the loss of more than $4 million in various cryptocurrency assets to an apparent wallet hack. According to Yan, the theft happened on his birthday while he was at a party. “[E]ither the private key was leaked same day as my birthday and hacker manual[ly transferred assets] out or it might be an offline attack. I was in a private gathering with dozen friends and my phone was away for some minutes when I using the restroom etc.”

Total loss estimated at $4,000,000.

"0xInfini Incident Analysis"

Mon, 24 Feb 2025 00:00:00 +0000

Around $49.5 million in the USDC stablecoin was stolen from the Infini crypto-focused “stablecoin neobank”, a fintech company that promises “financial freedom” by “democratizing banking” and “redefining the future of digital finance”.Infini experienced a different form of “financial freedom” when attackers liberated almost $50 million from the company after a thief with access to a wallet with admin rights drained tokens, then swapped them for the DAI stablecoin, which unlike USDC cannot be frozen by its issuer.The attack came only a day after a celebratory tweet from the company in which it had announced that they had achieved $50 million in total value locked, suggesting that the theft affected substantially all of the assets on the platform. Despite this, they have claimed that transactions on the platform are unaffected, and when someone asked how that was possible, they simply replied: “We’ve got solid runway to operate. No worries.“Infini attempted to contact the thief via on-chain message, threatening that they had “gathered critical IP and device information” about them, and asking them to return 80% of the funds in exchange for a promise that Infini “will cease further tracking or analysis, and you will not face accountability”. However, Infini’s 48-hour deadline has come and gone without any reply.

Total loss estimated at $49,500,000.

Tweet by Ben Zhou

Fri, 21 Feb 2025 00:00:00 +0000

In what is looking like largest ever theft from a cryptocurrency exchange, attackers took control of a hot wallet belonging to the Bybit cryptocurrency exchange and moved a massive amount of ETH-based tokens amounting to approximately $1.5 billion in notional value (though it should be noted that that quantity of stolen tokens could not be quickly cashed out for that many dollars without affecting the ETH price).Bybit CEO Ben Zhou confirmed the attack on Twitter, writing that an attacker used an advanced phishing technique to take control of the hot wallet. Zhou also promised “Bybit is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss.”

Total loss estimated at $1,457,110,000.

Tweet by 0xCygaar

Tue, 18 Feb 2025 00:00:00 +0000

Around $400,000 in ETH was stolen from around 9,000 wallets on the Abstract layer-2 network, which is built by the same company that makes the Pudgy Penguins NFTs. It appears that the affected wallets had all been used to play Cardex, a fantasy trading card game that had launched only a week prior.Attackers compromised a private key belonging to the game’s creators, which allowed them to drain wallets that still had an active session with the game.

Total loss estimated at $400,000.

Tweet by Lookonchain

Fri, 14 Feb 2025 00:00:00 +0000

A tweet from Argentina’s president Javier Milei promoted a memecoin called Libra, which he described as a “private project [that] will [be] dedicated to encouraging the growth of the Argentine economy by funding small Argentine businesses and startups”. The token quickly soared in price as traders poured in.However, within hours of the launch, insiders began selling off their holdings of the token. The token had been highly concentrated among insiders, with around 82% of the token held in a small cluster of apparently insider addresses. Those insiders cashed out around $107 million, crashing the token price by around 95%.After the crash, Milei deleted his tweet promoting the project. He later claimed he was “not aware of the details of the project and after having become aware of it I decided not to continue spreading the word (that is why I deleted the tweet).”

Total loss estimated at $107,000,000.

Tweet by Four.Meme

Tue, 11 Feb 2025 00:00:00 +0000

A BNB Chain memecoin platform, Four.Meme, announced on Twitter that they were “currently experiencing a malicious attack”. The team briefly paused a portion of the service while deploying a fix, but brought it back online later that day. Around $183,000 was lost to the attack.

Total loss estimated at $183,000.

"AlleyCat - The Gambling Deployer!"

Sat, 01 Feb 2025 00:00:00 +0000

The creator of the AlleyCat Solana-based cryptocurrency project has reportedly taken about 600 SOL ($130,000) raised during the project’s presale and transferred it to gambling platforms including Sportsbet.io and Bitcasino. Although the project raised hundreds of thousands of dollars in presale funds, stating it was needed for token liquidity on launch, only 18 SOL ($11,000) was ever used for liquidity.Altogether, around $827,000 has passed through the AlleyCat creator’s Sportsbet.io account in seven months. Crypto scam-spotting account Rug Pull Finder has alleged that the AlleyCat creator is also behind other rugpulls.The AlleyCat cryptocurrency project is based on the 1983 Atari game of the same name, though the crypto project does not appear to have any affiliation with (or approval from) the game’s creators.

Total loss estimated at $130,000.

"Poetic Justice"

Fri, 31 Jan 2025 00:00:00 +0000

A suite of software tools called DogWifTools was popular among memecoin creators looking to rug pull unsuspecting traders. By helping token creators mask supply control and fake trading activity, the tool was used to convince outside traders that a token had potential — at least, up until the token creator pulled the rug out from under them.However, poor security by the software developers allowed attackers to ship a remote access trojan (RAT) along with the DogWifTools release. Once the package was downloaded, the trojan began scanning infected devices for crypto private keys, login information, and other sensitive data. Attackers even used scans of identification documents taken from their targets’ computers to create Binance accounts.Ultimately, around $10 million was stolen from would-be scammers. Along with the virus, the people who compromised DogWifTools left an angry note on infected machines: “Solana is a fucking joke and a scam from the beginning, it was designed for criminals by criminals! As a result, we have confiscated all your crypto, because you deserved it! You people who use automated tools to run these scam tokens are fucking disgusting to us. It’s about time you got fucked over for once. Solana is nothing more than a shitty platform that enables scammers and rug pullers to steal from innocent users.“They also launched an onion website containing a message: “We specifically targeted scammers in the crypto market who were using tools to gain an unfair advantage over innocent, day-to-day traders. … We believe it was morally correct to confiscate money that was not rightfully theirs.” They added that they would soon be publishing the user data they stole on the scammers.

Total loss estimated at $10,000,000.

"Solana Meme Coin Dogwifhat Has No Deal With Las Vegas Sphere, Venue Says"

Fri, 31 Jan 2025 00:00:00 +0000

In late January, the creator of the “dogwifhat” memecoin announced “Officially confirmed. Viva hat vegas.” in a tweet accompanied by a photo overlaying the dog meme with the Las Vegas Sphere. Project organizers had raised around $700,000 in March 2024 to fund the project, hoping that the attention-grabbing stunt would spike the memecoin price. The announcement alone had somewhat of a similar effect, causing the $WIF price to spike by more than 30% shortly after.However, crypto media firm Decrypt reached out to a spokesperson for the Las Vegas Sphere and discovered that no such deal had been reached.Dogwifhat creators have since backtracked, replacing the tweet with a version omitting the “officially confirmed” portion, but still claiming that they “have been in ongoing negotiations with various parties to collaborate on the Sphere ad placement”. They promised to return the funds “if, by any chance, the plan is not executed”.

Tweet by Ether Strategy

Thu, 30 Jan 2025 00:00:00 +0000

A Ethereum-based project promising to duplicate the bitcoin leveraged investment strategy used by MicroStrategy has announced that, prior to even launching, 165 ETH (~$535,850) was lost when a misconfiguration in the project interface resulted in tokens being sent to the wrong address. The project appears to have determined that those tokens are irrecoverably lost, because they announced that they had contributed 165 ETH of their own to reimburse users for their costly mistake.

Total loss estimated at $535,850.

Tweet thread by Arkham

Thu, 30 Jan 2025 00:00:00 +0000

Ross Ulbricht, the founder of the Silk Road darknet market place, earned a presidential pardon on January 21 as an apparent thank you by President Trump to the Libertarian Party. When fans created a token called $ROSS to celebrate his release, they sent a substantial number of the tokens — 50% of the supply — to donation wallets that his family have operated for years, used to raise money to campaign for his release.It’s not clear whether Ulbricht has taken over control of these wallets, or if they are still being operated on his behalf. Either way, whoever does control the wallets made a big mistake when they tried to cash out on their memecoin stash by adding single-sided liquidity on Meteora. They accidentally initialized the liquidity pool at too low a price, allowing a MEV bot to snap up 5% of the token supply (notionally ~$1.5 million) at a discount and resell them.The wallet operator then made the same error again with a larger quantity of tokens, selling off another 35% of the supply and losing out on around $10.5 million in notional value.

Tweet by SlowMist

Tue, 21 Jan 2025 00:00:00 +0000

A Twitter account called @TrumpDailyPosts has more than 1.3 million followers on Twitter. While the account does automatically crosspost to Twitter any posts Donald Trump makes on his Truth Social account, it also posts Trump-related news and other tweets.After the Trump family actually did launch the $TRUMP and $MELANIA memecoins, several more tweets by the @TrumpDailyPosts account appeared to crosspost additional announcements by Donald Trump on Truth Social of memecoins with names like $POTUS, $WIN, $POWER, and $MAGA. The tweets contained the date and timestamps that normally establish that a post on the account is a repost of Trump’s genuine Truth Social posts.It’s not clear if the @TrumpDailyPosts Twitter account was hacked or if those running it decided to scam their followers. However, by sharing the now-deleted posts to their large following, they made around $1.25 million from people who were hoping to hop on the trend and buy in early to new Trump-backed memecoins.

Total loss estimated at $1,250,000.

"‘Forgive him Satoshi’ — Trump’s pastor ripped for memecoin that crashed 93% after launch"

Mon, 20 Jan 2025 00:00:00 +0000

Reverand Lorenzo Sewell, a pastor and vocal Trump supporter who delivered the benediction at Donald Trump’s inauguration, followed in his hero’s footsteps by trying to shill a memecoin to his followers. In a video posted to Twitter hours after his speech, in which he seemed to still be wearing the same outfit, Sewell urged: “I need you to do me a favor right now. I need you to go buy the official Lorenzo Sewell coin.“The reaction to his post was not exactly warm, with lawyer Ari Cohn tweeting: “🎶Look at this grift, isn’t it neat? Wouldn’t you say God’s debasement’s complete? 🎶“After a very brief spike in token price, the memecoin collapsed.

Tweet by Melania Trump

Sun, 19 Jan 2025 00:00:00 +0000

Before people had a chance to process the fact that the incoming president of the United States had just launched his own transparent crypto cash-grab, the soon-to-be First Lady did the same. Whoever is calling the Trump family’s crypto shots seemed to think they could just follow the same playbook a second time and enjoy the same results, but the launch of the new token brought a sudden crash in the $TRUMP token value.This is not Melania Trump’s first foray into the crypto world. In December 2021, she launched her own line of NFTs — only to apparently wash trade them after a tepid response.Meanwhile, some in the crypto world are reacting with horror at Trump’s decisionmaking. While they hoped that Trump’s administration would be crypto-friendly, they did not seem to anticipate that the Trump family would openly embrace some of the ecosystem’s worst parts to enrich themselves at everyone else’s expense.

Tweet by Donald Trump

Fri, 17 Jan 2025 00:00:00 +0000

In what is likely a preview of the levels of grift about to come — levels previously not thought possible — Trump has launched a Solana memecoin two days before his inauguration. The move was so unexpected that many believed the president-elect’s Twitter account had been compromised to promote a fake scam token, but half a day later, it appears this scam token is of the genuinely Trump-backed variety.

"The Idols NFT"

Tue, 14 Jan 2025 00:00:00 +0000

An attacker noticed a vulnerability in a smart contract for The Idols, an NFT project that also incorporates ETH staking functionality. They discovered that a function used to distribute rewards had a bug when the sender and recipient addresses were the same, allowing a holder to repeatedly claim rewards. By taking advantage of this bug, they were able to siphon 97 stETH (~$324,000) from the project.Although The Idols boasts of two audits from several years ago, the contract containing the vulnerability may not have been audited.

Total loss estimated at $324,000.

"Traders seethe after Sony freezes memecoins on its new blockchain"

Tue, 14 Jan 2025 00:00:00 +0000

Only hours after Sony launched its “Soneium” layer-2 Ethereum blockchain, the company was accused of “rugging” people who had purchased various memecoins launched on Soneium when it began prohibiting their trading. The two tokens, now listed as “forbidden” for trading, were based on Sony products. One, “Aibo”, was themed around a series of robotic dog toys. The other, “Toro”, was based on Sony’s unofficial Toro Inoue mascot.Sony’s crackdown on these tokens perhaps should not have come as a huge surprise, given that the announcement of Soneium’s launch touted “protecting content rights and creating fair profit-sharing mechanisms” among its goals.Nevertheless, members of the Soneium Discord widely accused Sony of “rugging” or “honeypotting” them by prohibiting trading on the memecoins they had purchased.

"Almost 10,000 images of tennis balls plunge up to 90% in value as Australian Open appears to ditch NFTs"

Mon, 13 Jan 2025 00:00:00 +0000

Holders of any of the several thousand “AO ArtBall” NFTs may be disappointed as the Australian Open appears to have abandoned the project aimed at tennis fans. The first NFTs originally sold for 0.067 ETH (~~$275 at the time), and another round were minted for 0.23 ETH (~~$450 at the time). However, the sale prices of the NFTs have steadily dwindled since early 2023, and recent sales have been for 0.003 to 0.0075 ETH (~$10–$25).Buyers were told they could use the NFTs as a sort of fan pass, receiving access to a Discord, and earning ground passes and behind-the-scenes access for finals weeks. There was also a scheme in which NFT holders could redeem access to passes to matches.However, the Australian Open seems to have let the project — launched at the peak of NFT hype — peter out, with no mention of redeeming passes, and project websites still promising a 2024 update. The Discord has been shut down.

Tweet by SlowMist

Sun, 12 Jan 2025 00:00:00 +0000

The UniLend project, which advertises itself as a “unified platform for all things AI and defi”, was exploited for almost $200,000. An attacker was able to take advantage of a bug in a smart contract that handled token redemption.UniLend acknowledged the hack, downplaying it as affecting “only” 4% of the platform’s $4.7 million TVL. They offered a bounty to the attacker.

Total loss estimated at $197,600.

"Moby Post-Mortem Report / Growth Plan"

Wed, 08 Jan 2025 00:00:00 +0000

The Moby Trade defi options protocol suffered a $1 million loss, narrowly avoiding the loss of another nearly $1.5 million. The project team stated that a hacker had “identified and exploited a vulnerability in the key management system” that was supposed to protect a private key used by the project. Using the private key, they were able to perform contract upgrades that then allowed them to drain about almost $1.1 million in wBTC, wETH, and USDC.Another $1.47 million in assets were vulnerable as a result, but the whitehat blockchain security firm Seal911 successfully drained those funds to later be returned to the protocol once it was secured.

Total loss estimated at $1,088,500.

Tweet by Orange Finance

Wed, 08 Jan 2025 00:00:00 +0000

The Arbitrum-based liquidity management project Orange Finance suffered at least $840,000 in losses after hackers compromised the project’s admin address, then used it to upgrade the project’s smart contracts and transfer funds.“The team is not sure what happened,” wrote Orange Finance in a tweet announcing the hack, encouraging people to revoke contract approvals for the compromised addresses.Orange Finance attempted to negotiate with the attacker via on-chain message, writing, “If you respond positively to our offer within 24 hours, we guarantee that no law enforcement agencies will be involved, and the matter will be treated as a white-hat hack.”

Total loss estimated at $840,000.

Telegram post

Wed, 01 Jan 2025 00:00:00 +0000

After crypto sleuth zachxbt noticed an apparent theft from the NoOnes peer-to-peer crypto trading platform on January 1, CEO Ray Youssef was forced to acknowledge the theft. He claimed that the project’s Solana bridge had suffered a compromised, and explained that it had been taken offline for “exhaustive pen testing”.Youssef emphasized that user funds were safe, which led to questioning from others on how that could be possible when nearly $8 million had been stolen. Youssef claimed he had reimbursed the stolen assets himself.

Total loss estimated at $7,900,000.

"FEG token holders in despair after third hack causes 99% dump"

Sun, 29 Dec 2024 00:00:00 +0000

The “Feed Every Gorilla” project has once again been hacked, after suffering a pair of flash loan attacks in May 2022 amounting to $1.9 million in losses. The protocol also suffered losses later in 2022, thanks to an issue with a token locking service that cost FEG $2 million (though around $1.9 million was ultimately returned by the exploiter).This time, the FEG project team blamed an issue with the project’s bridge, which is a tool used to deposit and withdraw tokens from the project. An attacker was able to maliciously withdraw a large amount of FEG tokens via the flaw in the bridge, which they then sold off for around $1.07 million, tanking the FEG token price by 99% in the process. The bridge had been audited by the PeckShield blockchain security firm.

Total loss estimated at $1,070,000.

“Tai Mo Shan to Pay $123 Million for Negligently Misleading Investors About Stability of Terra USD”

Fri, 20 Dec 2024 00:00:00 +0000

The SEC has levied a $123 million fine against Jump Crypto subsidiary Tai Mo Shan, which was part of a secret deal with Terraform Labs to help prop up the floundering Terra stablecoin in May 2021. Jump spent $20 million to help the supposedly “self-healing” stablecoin regain its $1 peg, earning about $1.28 billion in the process, and Terraform Labs CEO Do Kwon would later claim that the restoration to a $1 price was thanks to an automatic feature of the Terra project and not some backroom deal. This lie by Terraform Labs and Jump Crypto helped build confidence in the sustainability of the Terra token, which collapsed horrendously a year later.The SEC also found that Tai Mo Shan had acted as a statuary underwriter for the Terra sister token Luna, which was an unregistered security.Tai Mo Shan agreed to the fine, and to a prohibition on future violations of securities laws.

Indictment

Wed, 18 Dec 2024 00:00:00 +0000

Gabriel Hay and Gavin Mayo, two LA-based NFT creators, have been charged for defrauding investors of more than $22.4 million through a series of NFT rug pulls and other crypto scams. The duo launched various projects with detailed and false roadmaps to lure NFT buyers, then abandoned the projects without following through.For example, a “Vault of Gems” NFT project falsely claimed to be the “first NFT pegged to a hard asset, like jewelry”, which would have its own exchange. A “Faceless” NFT project promised to produce comic books, a movie, and a clothing company. None of the promises ever materialized, and Hay and Mayo abandoned the projects soon after launching them.Hay and Mayo worked to hide their involvement with their scams, and have been charged with harassment for attempting to threaten those who connected them. In one case, after a person revealed Hay and Mayo to be the ones behind the Faceless NFT project, the duo sent threatening emails and text messages to the man and his parents. In an email to his parents, they impersonated a law firm, and even threatened to make false sexual abuse claims against the man.

Total loss estimated at $22,400,000.

Tweet by Anchor Drops

Thu, 12 Dec 2024 00:00:00 +0000

A crypto holder tweeted at the Ledger hardware wallet manufacturer to report that 10 BTC (~$1 million) and “~1.5m of NFTs” had been stolen from a Ledger wallet they were using. “The ledger was purchased directly from you. The seed phrase was stored in a secure location, never entered anywhere online. I never signed any malicious transactions. Everything is in my physical possession.I haven’t touched this ledger in 2 months,” they wrote.Some blamed the theft on an apparent malicious Ethereum transaction the user had signed nearly three years prior. However, while a malicious transaction signature on Ethereum could explain the NFT thefts, it should not alone enable the theft of assets on the separate bitcoin blockchain.Despite this, Ledger blamed its customer, telling a media outlet that “As we know, the user got phished when it comes to the ETH wallet, we can assume user error on the BTC side too”.

Total loss estimated at $2,500,000.

"Clober Dex Incident Analysis"

Wed, 11 Dec 2024 00:00:00 +0000

Clober, a DEX built on Coinbase’s Base Ethereum layer-2, suffered an exploit only about a week after its launch. A re-entrancy bug in the project allowed an attacker to siphon 133.7 ETH (~$501,000) from the project. Although the project boasted of audits, Clober had made changes to a contract after the audits that introduced the vulnerability.Clober has offered a 20% “bug bounty” to the exploiter vi on-chain message, though they have not yet received any public reply.

Total loss estimated at $501,000.

"False prophet"

Tue, 10 Dec 2024 00:00:00 +0000

Users of the Alpaca Finance lending protocol suffered losses when the protocol’s sloppy oracle implementation finally resulted in consequences. Although many had warned the project about their glacial oracle setup, and the vulnerabilities they were opening themselves up to, the project repeatedly denied any issues and even banned those voicing concerns.Then, when a new token called THENA was listed on Binance and experienced major volatility as trading opened, Alpaca’s issues came to a head. As the token price surged, the slow oracle failed to reflect price changes, allowing people to withdraw far more THENA than they had posted as collateral. THENA lenders have lost an estimated $2.8 million.On December 10, Alpaca Finance proposed distributing $50,000 “saved” by their liquidation bot to the lenders who had lost funds. Alpaca Finance also banned users complaining about their losses in the project Discord, dismissing them as a “group bot/FUD attack”.

Total loss estimated at $2,670,000.

"Hawk Tuah memecoin dumps 90% amid backlash over controversial launch"

Thu, 05 Dec 2024 00:00:00 +0000

Who could have guessed that buying up a token based around the long-past-its-expiration-date hawk tuah meme might turn out to be an unwise investment? Haliey Welch, the originator of the raunchy catchphrase, launched a memecoin that she insisted was not a cash grab but a “good way to interact with her fans”. (The “interaction” in question here was limited to " fans give money", because she had no other specific plans for the token).The token followed the typical pattern of quickly pumping, then crashing spectacularly, losing around 90% of its “value”. This is often an indicator of a pump-and-dump scheme by insiders, but Welch vehemently denied such wrongdoing, blaming the crash on “snipers”.“I really lost $43k apeing in ‘hawk tuah’ coin,” wrote one buyer on Twitter. Other Twitter users marveled at a wallet that swapped $1.4 million worth of MOODENG (a memecoin based on the tiny hippo of the same name) only to lose it all on the $HAWK token.

"Solana Web3.js library backdoored to steal secret, private keys"

Mon, 02 Dec 2024 00:00:00 +0000

An attacker was able to compromise an account that had publish access for the official Solana web3.js library, which is widely used by dApps to read and write from the Solana blockchain. The library gets over 350,000 downloads per week from the popular JavaScript package manager npm.Malicious versions of the library allowed exploiters to steal private keys and drain funds from dApps like various Solana bots.Around $184,000 was stolen as a result of the compromise. Although it was caught fairly quickly, and the malicious code was removed from package managers, developers will need to update projects that used the malicious version of the library, and refresh any potentially exposed secrets.

Tweet by Clipper DEX

Sun, 01 Dec 2024 00:00:00 +0000

The Clipper decentralized exchange suffered a $450,000 exploit across two Ethereum layer-2 chains. Although some speculated that the issue may have been a private key leak, Clipper denied this, and instead said that an attacker had exploited a feature allowing people to make withdrawals denominated in a single token by performing swaps along with the withdrawal.Although the $450,000 theft is relatively small compared to some other crypto hacks, it represented around 6% of the total value locked on Clipper. Clipper stated they were working to trace and attempt to recover funds, and asked the hacker to contact them to potentially negotiate a return of some funds.

Total loss estimated at $450,000.

"This Child Made $30K Rugging a Solana Meme Coin—Then Crypto Degens Got Revenge"

Wed, 20 Nov 2024 00:00:00 +0000

A 13-year-old known as the “Gen Z Quant kid,” created a token called QUANT and executed a rug pull, making $30,000. In retaliation, various people in the cryptocurrency world executed a “revenge pump” — pumping up the price of the token after the kid cashed out, causing him to miss out on potential gains. Worse, they then found the child’s identity, and published his address and the school he attended. They also identified his mother, and began leaving hateful comments on her Instagram account. Rumors also emerged that a member of the cryptocurrency community dognapped the child’s dog, then launched a memecoin based on the animal.

Total loss estimated at $30,000.

"Crypto lender Polter Finance halts operations after $12M hack"

Sat, 16 Nov 2024 00:00:00 +0000

The Fantom-based Polter Finance defi project was exploited for $7 million when an attacker was able to perform an oracle manipulation attack. By artificially increasing the price of the $BOO token, which is a governance token used by the SpookySwap project, they were then able to use that token to drain Polter’s liquidity pools using a flash loan. The attacker successfully drained the entire $12 million worth of tokens on the platform.The creator of the platform stated that they had filed a police report with Singaporean authorities. They also attempted to contact the hacker via on-chain message to negotiate the return of funds, but have not received a response.

Total loss estimated at $12,000,000.

Tweet by DeltaPrime

Mon, 11 Nov 2024 00:00:00 +0000

The DeltaPrime defi protocol was hacked for the second time in two months, losing $4.8 million in Arbitrum and Avalanche tokens. The attacker appeared to have exploited a flaw in one of the platform’s smart contracts that enabled them to borrow more than they put up in collateral.DeltaPrime paused the protocol on both Arbitrum and Avalanche, stopping the attacker from being able to steal more funds than they already had.DeltaPrime was hacked previously on September 16, losing $6 million after a leaked private key enabled an attacker to mint a huge number of the platform’s stablecoin deposit receipts.

Total loss estimated at $4,800,000.

"Trader who lost $26M to copy-paste error says it’s been ‘max pain’"

Sun, 10 Nov 2024 00:00:00 +0000

After apparently exhausting all his other options, a trader has put out a call to “all skilled hackers and white hats out there” to help him recover 7,912 Renzo staked ETH (ezETH) he inadvertently sent to an inaccessible address back in June. The tokens were priced at a little over $28 million at the time, and are currently priced at a little less than $26 million. According to the trader, he copied the wrong address to his clipboard before making the trade, which rendered his funds permanently inaccessible.Short of finding a vulnerability in Renzo, the trader’s only real choice is to plead with Renzo to change their smart contract in such a way as to release the funds. While this is technically possible, Renzo has told the trader they could not grant his request due to “regulatory limitations”.

Total loss estimated at $28,127,000.

Tweet by CyversAlerts

Fri, 08 Nov 2024 00:00:00 +0000

Crypto-powered poker website CoinPoker was apparently exploited for around $2 million when an attacker was able to compromise a hot wallet controlled by the platform. The attacker then laundered most of the funds through the Tornado Cash mixer.The platform sent a message to the exploiter attempting to negotiate a return of some of the funds.

"Security Update"

Thu, 31 Oct 2024 00:00:00 +0000

The UAE-based M2 cryptocurrency exchange was hacked for $13.7 million in bitcoin, ether, and Solana tokens. The exploiter compromised several of the exchange’s hot wallets to take the funds.Shortly after the theft, M2 acknowledged the hack and announced that “the situation has been fully resolved”. This apparently involved M2 restoring customer funds from their own assets, rather than recovering the stolen assets.

Total loss estimated at $13,700,000.

"Bitcoin scammers impersonate police, Sunray Finance $2.7M drain: Crypto-Sec"

Wed, 30 Oct 2024 00:00:00 +0000

A perpetuals trading platform called Sunray Finance was hacked on October 30 by an attacker who was able to upgrade a smart contract used by the protocol. They then were able to mint a massive number of the protocol’s SUN token — 200 sextillion, to be precise. Then, they cashed out what they were able to, crashing the SUN token price in the process. Ultimately, the attacker made off with about $2.1 million of the Tether stablecoin.In the process of selling off tokens, an arbitrage bot was able to take advantage of the price difference by selling the rapidly crashing SUN token into a second liquidity pool that apparently went unnoticed by the hacker, and the bot operator also profited around $560,000.

Total loss estimated at $3,260,000.

"US Government Crypto Wallet Drained of $20 Million in Suspicious Transfers"

Thu, 24 Oct 2024 00:00:00 +0000

More than $20 million in stablecoins and Ethereum were transferred from a wallet identified as belonging to the US government, and holding funds connected to the 2016 hack of the Bitfinex cryptocurrency exchange. While the government does occasionally shuffle cryptocurrency around, these funds were moved to a brand new wallet and then began to be shuffled through cryptocurrency exchanges — something that crypto sleuth zachxbt noted “looks nefarious”.The government has not made any statements regarding the movement of assets.The following day, $19.3 million in tokens were returned to the original wallet.

Total loss estimated at $1,200,000.

"Solana Meme Coin Sharpei Plunges 96% in Seconds in Epic Rug Pull"

Wed, 23 Oct 2024 00:00:00 +0000

A dog-themed memecoin project called Sharpei abruptly cashed out $3.4 million, tanking the token price by more than 96% in seconds. The project had been promoted by crypto influencers, but hit a snag when a pitch deck for the project leaked. The deck contained multiple lies, including claims to have hired multiple “KOLs” who later denied involvement, and false claims of partnerships with various platforms and projects.As the token price stuttered along with these revelations, insiders apparently decided to quit while they were ahead, and cashed out in a quick and coordinated sale.

Total loss estimated at $3,400,000.

Tweet by Tapioca DAO

Fri, 18 Oct 2024 00:00:00 +0000

The defi lending protocol Tapioca DAO was exploited after an attacker reportedly socially engineered the DAO’s co-founder and gain access to their private key. The attacker then used their access to sell off TAP tokens, and to drain a stablecoin liquidity pool on the platform, netting around $4.4 million in USDC and ETH. The TAP token price subsequently crashed by around 96%.Various security researchers have observed that the attack appears to be linked to a slew of social engineering attacks perpetrated by cybercriminals out of North Korea.

Total loss estimated at $4,400,000.

"Radiant Capital Loses $50M to Second Blockchain Exploit This Year"

Wed, 16 Oct 2024 00:00:00 +0000

The cryptocurrency lending project Radiant Capital was hacked for the second time in under a year, this time for more than $50 million in the USDC stablecoin, wBNB, ETH, and other tokens. An attacker successfully gained access to three of eleven private keys controlling a multisignature wallet, which enabled them to upgrade the project’s smart contracts in such a way as to drain funds.This is the second Radiant Capital exploit this year, after a $4.5 million theft in January that was enabled by an unaddressed vulnerability in the underlying Compound Finance code.The US and South Korean governments later attributed this attack on Radiant to North Korean state-sponsored attackers.

Total loss estimated at $50,000,000.

"On the LSM Module"

Tue, 15 Oct 2024 00:00:00 +0000

Cosmos creator Jae Kwon has raised concerns about a portion of the Cosmos protocol called the “Liquid Staking Module” after learning it was developed by North Korean agents. Although a contributor to the protocol, Zaki Manian, learned of the developers’ links to North Korea after contact from the FBI in March 2023, Kwon claims that Manian ignored known flaws in their code, failed to fully audit their code, and did not report the issue to the project team or the Cosmos community. According to Kwon, the code contained a vulnerability that would allow stakers to avoid having their stakes slashed, which “contradicts the fundamental principles of staking security.“Kwon urged the Cosmos governance team to perform a full audit of the code written by these developers, and develop more protocols to prevent issues like this going forward. He also called for the governance team to blacklist Zaki Manian.

Tweet by Scam Sniffer

Sun, 13 Oct 2024 00:00:00 +0000

An attacker using the permit phishing technique stole $1.39 million in tokens from an unsuspecting holder. The victim unknowingly signed a “Permit2” signature — a function intended to make crypto transactions smoother and less expensive, but one that also makes it possible for malicious actors to completely drain crypto wallets.The attacker stole around $1.1 million of the cartoon frog-themed PEPE tokens, and another roughly $50,000 of the also cartoon frog-themed APU token.

Total loss estimated at $1,390,000.

"EigenLayer Says Unauthorized Selling Was an 'Isolated Incident', But Critics Still Have Concerns"

Fri, 04 Oct 2024 00:00:00 +0000

Around 1.67 million EIGEN tokens belonging to an investor in the popular Ethereum-based EigenLayer project were stolen after the investor was tricked into transferring the tokens into the attacker’s wallet. The thief then sold the tokens for around $3.1 million, although the tokens were notionally worth around $5.5 million. Some of the stolen funds were later frozen by centralized exchanges.After the incident, some questioned why the tokens had been sent to an investor without a vesting contract, given they were supposed to be locked for a period of time to prevent sale.

Total loss estimated at $3,100,000.

"Staking Protocol Bug Let Users Swap One Bitcoin for One Ethereum"

Fri, 27 Sep 2024 00:00:00 +0000

A staking platform called Bedrock lost around $2 million after exploiters discovered a bug that allowed them to swap 1 ETH for 1 BTC despite the more than $63,000 difference in prices for the two assets.A security firm working with Bedrock had tried to warn Bedrock of the vulnerability several hours before the attack, but the team was asleep. The vulnerable contracts had been deployed a day and a half prior to the attack, and had not been audited.Fortunately for Bedrock, security groups were able to pause third-party projects surrounding Bedrock, which helped to limit the losses — which ultimately could have been as high as the entire value of funds on the protocol.

Total loss estimated at $2,000,000.

"Onyx protocol exploited a second time for $3.8M via known bug"

Thu, 26 Sep 2024 00:00:00 +0000

The Onyx protocol was hacked for a second time by attackers taking advantage of known bugs in forks of the Compound Finance project. Projects regularly fail to patch these bugs, despite many instances of multi-million dollar hacks affecting Compound forks in the past.Onyx apparently didn’t learn their lesson the first time around, when they were exploited for $2 million in November 2023 by an attacker taking advantage of a known vulnerability affecting empty markets on the protocol. This same bug seems to have contributed to this exploit, although Onyx has claimed the hack was due to a separate vulnerability in an NFT liquidation contract.

Total loss estimated at $3,800,000.

"Police Arrest Two People Related to $243M Crypto Heist Targeting Genesis Creditor"

Thu, 19 Sep 2024 00:00:00 +0000

Two people have been arrested in relation to a phishing scam that successfully stole more than 4,000 BTC priced at around $243 million from a single individual. The victim was targeted with a phishing scam in which the attackers posed as Google support employees and convinced the victim to reset their two-factor authentication for their account on the Gemini cryptocurrency exchange.The FBI raided a luxury home in Miami in connection to the theft, and arrested two men in their early twenties. Authorities worked with crypto investigators including zachxbt to trace the stolen funds.

Total loss estimated at $243,000,000.

"Telegram bot Banana Gun’s users drained of over $1.9M"

Thu, 19 Sep 2024 00:00:00 +0000

Some people use a Telegram-based crypto trading bot called “Banana Gun” to “snipe” crypto trades, copytrade, and perform other activities. On September 19, at least 11 victims lost around $3 million after their accounts were apparently compromised and drained.Banana Gun acknowledged the attack on Twitter and shut down the bot. They posted that they did not believe their backend was compromised, and stated that they believed the attack occurred via a “front-end vulnerability” — though it was not clear what this might have referred to.

Total loss estimated at $3,000,000.

"Ethena domain registrar hacked, Ethena Labs warns users to stay away"

Wed, 18 Sep 2024 00:00:00 +0000

The website for the Ethena protocol was compromised by attackers who gained control of the project’s domain registration. The protocol issued warnings to their users to urge them not to interact with the website, which could compromise their crypto holdings.They later were able to deactivate the website and regain control of the domain. “Remember scammers are always chasing you,” they wrote on Twitter.

"Delta Prime attacker stole $6M by minting massive number of tokens"

Mon, 16 Sep 2024 00:00:00 +0000

The DeltaPrime defi protocol suffered a $6 million loss after a private key was leaked. Access to the private key allowed the attacker to mint 1.1×1069 DPUSDC, which are tokens that allow holders to redeem the USDC stablecoin at a 1:1 ratio. They repeated the mint with several other deposit receipt tokens for bitcoin, ether, and other cryptocurrencies. Altogether, they redeemed a small fraction of these enormous quantities of deposit receipts, amounting to around $6 million in assets.DeltaPrime acknowledged the attack on Twitter, and announced that “the risk is contained”. They also stated that they were “looking into other ways to reduce user losses to a minimum”, including by pulling from the protocol’s insurance pool.

Total loss estimated at $6,000,000.

"CryptoPunks NFT Worth $1.5 Million Just Sold for $23,000—Here's How"

Wed, 11 Sep 2024 00:00:00 +0000

A rare CryptoPunk NFT recently sold for only 10 ETH (~~$25,300), despite a market value that’s likely around 600 ETH (~~$1.5 million). The sale went through thanks to lingering smart contracts from a defunct NFT fractionalization platform called Niftex, which allowed people to buy and sell “shards” of various NFTs. Niftex launched in November 2020, and is now defunct, with its domain redirecting to the Kraken cryptocurrency exchange.The platform’s smart contracts remain operational, however, and so despite the lack of a frontend website for the platform, the backend still remains. A trader was able to use these smart contracts to trigger a feature that allows a buyout of the fractional shard holders which, if not countered by someone else, automatically goes through in 14 days. The bidder proposed a purchase of 0.001 ETH per share, and without an operational Niftex frontend, no one noticed. The bid went through, and the trader successfully purchased all 10,000 shares — and thus, the NFT — for 10 ETH.Since then, several people have offered to purchase the NFT for amounts ranging from 100 to 605 ETH. If the new owner were to accept the 605 ETH bid, they would 60x their purchase price.One owner of a fractionalized share said he thought he had managed to successfully block the sale, but miscalculated. “GG to the new owner”, he wrote. He wrote on Twitter, “I don’t consider this a heist. It’s an arb. The smart contract worked as intended. If you want decentralized systems you have to take the good with the bad. It’s part of the game. It’s why we’re here. If you don’t like those rules, you probably shouldn’t be playing.”

Total loss estimated at $1,400,000.

Tweet thread by CertiK

Tue, 10 Sep 2024 00:00:00 +0000

An attacker exploited a bug in the smart contract for a BSC-based token called CUT, draining a PancakeSwap liquidity pool of almost $1.45 million in the BSC-USD stablecoin.

Total loss estimated at $1,448,974.

"Friend.tech creators walk off with $44m as project shuts down"

Sat, 07 Sep 2024 00:00:00 +0000

The development team behind friend.tech has officially ditched the crypto-based social media project, which was (very) briefly hailed as a potential platform for influencers to earn money from their followers. It attracted crypto influencers, OnlyFans models, and a handful of more mainstream notables. Friend.tech received undisclosed seed funding from the crypto venture capital firm Paradigm.The project spiked in popularity when it launched in August 2023, but interest rapidly dwindled. A token launched in May 2024 also suffered a mostly downward trajectory. On September 7, the team reassigned ownership and admin rights to the smart contracts to the burn address, making them permanently inaccessible.Some denounced the project as a Ponzi scheme (repeating accusations it has received since its inception, based on its incentive structure). Others accused the development team of rug pulling and not delivering on their promises — accusations that intensified as one co-founder deleted his Twitter account and the other set his to private. The team is estimated to have made around $44 to $60 million in fees.

"Hackers breach social media accounts of Lara and Tiffany Trump"

Tue, 03 Sep 2024 00:00:00 +0000

The Twitter accounts belonging to Lara and Tiffany Trump were compromised and used to announce a fake launch of the (unfortunately real) World Liberty Financial project that their family has been promoting. Donald Trump’s son Eric tried to warn people of the scam, but in doing so retweeted the scam tweet containing the malicious token address.The posts were deleted and accounts were locked down very quickly by Twitter, but not before approximately 2,000 people bought around $1.8 million of the fake token.

Total loss estimated at $1,800,000.

"Lacoste Quietly Shuts Down NFT Project UNDW3, Community Alleges 'Soft Rug Pull'"

Tue, 03 Sep 2024 00:00:00 +0000

Lacoste abruptly shutdown the website, Discord, and Twitter account belonging to “UNDW3”, its NFT project. Lacoste launched its original collection of NFTs in June 2022, selling 11,212 of the tokens for 0.08 ETH ($93 at the time). Lacoste made around $1 million off the mint, plus earnings from fees on secondary sales. Later announcements promised holders of the NFTs that they could participate in raffles to earn real-life merchandise and “digital twins”. They were also promised a say in the future direction of the brand.However, that’s vanished as the project was closed without any acknowledgement. People still have their NFTs, but can no longer earn benefits from Lacoste. Meanwhile, resale prices have dwindled to around 0.004 ETH ($13). Angry token holders have accused Lacoste of a “soft rug pull”.Perhaps naming your crypto project “underwater” was an ill omen.

"Penpie Post-Mortem Report"

Tue, 03 Sep 2024 00:00:00 +0000

The defi protocol Penpie was exploited for 11,113.6 ETH (~$27.3 million) by an attacker who exploited a flaw allowing them to withdraw unearned “rewards”. Although the protocol claimed to have been audited by two blockchain security firms, they later disclosed that the smart contracts containing the bugs had not been fully audited.The team behind Pendle (the platform on which Pendie is built) detected the attack and paused Pendle an hour after the attack began, which they claim prevented another $105 million from being stolen.Members of the Penpie team filed complaints with Singaporean police and the US FBI. They also attempted to negotiate a “bug bounty” via on-chain and social media messages to the attacker, but the hacker seems uninterested and has continued to transfer funds between various crypto wallets and launder funds through Tornado Cash.

Total loss estimated at $27,348,259.

"Aave hacked via periphery contract — $56K stolen from 'tip jar'"

Wed, 28 Aug 2024 00:00:00 +0000

The popular defi lending platform, Aave, suffered a smart contract exploit that allowed an attacker to steal around $56,000. A smart contract outside of the core Aave protocol, which is used to allow people to use existing collateral to repay their loans, had gradually accrued a balance of tokens leftover from slippage. These small leftover token amounts are sometimes called “dust”. Altogether, these tokens amounted to around $70,000 across several blockchain networks.An exploiter was able to take advantage of an arbitrary call error that allowed them to steal funds from these various contracts, amounting to around $56,000. Various people associated with Aave emphasized that there was no risk to user funds or flaw in the core Aave protocol, and one described the hack as “raiding the tip jar”.

Total loss estimated at $56,000.

"Bitcoin miner Rhodium files for bankruptcy in Texas court"

Mon, 26 Aug 2024 00:00:00 +0000

The Texas-based Rhodium Enterprises bitcoin mining company has filed for bankruptcy, disclosing debts between $50 and $100 million and total assets between $100 and $500 million. The company had tried to begin restructuring, but was not able to reach agreement among shareholders, and so decided to enter bankruptcy.Bitcoin mining has been an extremely challenging business in recent times, partly due to volatile crypto prices over the last few years, and due to diminishing miner rewards following the April halving event.Rhodium Enterprises had been showing signs of trouble, including failing to make scheduled loan payments earlier this month. In December 2023, a dispute between them and a subsidiary of the Riot Platforms bitcoin mining group culminated in armed security removing Rhodium employees from a bitcoin mining facility in Rockdale, Texas, where Rhodium was leasing bitcoin miners. The case was later sent to arbitration.

Tweet by ValidatorK

Sat, 24 Aug 2024 00:00:00 +0000

Some fans of the Polygon blockchain, or those looking for help with using it, suffered losses after hackers successfully compromised the project’s Discord server. Discord hacks have become a major issue in the cryptocurrency world, and although Polygon is one of the largest projects to suffer a Discord compromise, it’s far from the only project to do so.One member of the Discord described losing more than $140,000 in tokens after clicking a link shared by a person appearing to be a member of the Polygon team, which advertised a token distribution to serve as a “pre-migration celebration”.

Total loss estimated at $140,000.

"McRugged: Hackers Take Over McDonald’s Instagram, Make $700K on Fake Grimace Token"

Wed, 21 Aug 2024 00:00:00 +0000

McDonald’s Instagram account, as well as the Twitter account of a McDonald’s marketing director, began promoting a memecoin called $GRIMACE (named for the restaurant chain’s blobby purple mascot). The posts to McDonald’s 5.1 million followers caused the token price to spike. Then, the attacker sold off their holdings, profiting around $700,000 and plunging the token price.They then boasted about their haul on the compromised Instagram account, changing the bio to say: “Sorry mah nigga you have just been rug pulled by India_X_Kr3w thank you for the $700,000 in Solana 🇮🇳".The token stunt by the massive company was perhaps made more believable by McDonald’s previous forays into crypto, including when they launched a McRib-themed NFT project in December 2021. The company had also joked about a “Grimacecoin” back in January 2022, in a reply to a tweet from Elon Musk.

Total loss estimated at $700,000.

Tweet by Lookonchain

Tue, 20 Aug 2024 00:00:00 +0000

Someone holding almost $55.5 million in the DAI stablecoin was apparently phished, signing a transaction to reassign ownership of their DAI stash to a phishing address. The victim appeared to realize their error several hours later, attempting to withdraw the tokens only to have the transaction fail since they were no longer the owner of the assets.The attacker later moved the stablecoins to a new wallet, and exchanged about half of them for 10,625 ETH.

Total loss estimated at $55,473,618.

"Judge Fines Ripple $125M, Bans Future Securities Law Violations in Long-Running SEC Case"

Wed, 07 Aug 2024 00:00:00 +0000

A judgment has been issued in the long-running case against Ripple by the SEC, and the company has been fined $125 million for violations of securities laws in its institutional sales of its XRP token. The SEC has also obtained an injunction against the company, with the judge in the case opining that there was a “likelihood that [Ripple] will eventually (if it has not already) cross the line” again with respect to securities laws.Ripple and others in the crypto world have been celebrating the judgment as a victory, in part because it is a substantially smaller penalty than the $1 billion in disgorgement and $900 million in penalties sought by the agency.The SEC has already signaled throughout the case that they were likely to appeal an eventual outcome, after objecting to the judge’s decision that several other types of token sales were not unlawful securities offerings.

"New Ronin Bridge hack down to dodgy upgrade, team banks on 'white hat' op"

Tue, 06 Aug 2024 00:00:00 +0000

The Ronin bridge, which bridges crypto assets to the Ronin Network used by Axie Infinity and other gaming projects, has once again suffered a breach — though a considerably smaller one than the recordbreaking $625 million theft in March 2022. An update to the bridge code introduced a flaw with respect to how transactions were confirmed.Fortunately for the Ronin team, it seems that most of the losses actually went to whitehats and MEV bots that were frontrunning transactions by would-be exploiters. ETH and USDC priced at around $12 million were taken — the maximum amount before triggering a safety feature in the code. Later that day, Ronin announced that the ETH (worth around $10 million) had been returned, and that the USDC was in the process of being returned. They also announced that they would reward the whitehats with a $500,000 bug bounty reward.The Ronin bridge was taken offline shortly after the flaw was detected, and the team announced it would undergo an audit before being brought back online.

Total loss estimated at $12,000,000.

"No one surprised as DJT token has finally rugged"

Tue, 06 Aug 2024 00:00:00 +0000

Surprising just about no one, a wallet holding around 20% of the supply of the $DJT Trump-themed memecoin suddenly dumped its holdings, crashing the token price by around 90%. The token price had briefly spiked in June, when it was falsely reported that the token was “an official Trump token”. However, the token’s price had already dwindled since that time, and before the sudden dump.People were quick to blame those behind the project, primarily “Pharma Bro” Martin Shkreli (who has been accused of dumping his own token before). Shkreli was quick to shift the blame to Donald Trump’s youngest son, Barron, who he has also claimed is behind the token (although this has not been independently confirmed). However, the owner of the wallet that dumped its tokens is not definitively known.

Total loss estimated at $2,000,000.

"Kujira Foundation's Tokens Stung by Its Own Leveraged Positions as Bets Backfire"

Thu, 01 Aug 2024 00:00:00 +0000

The team behind the Kujira project wound up with around $2 million in bad debt after taking some of their operational funds and using it to make leveraged bets on their own platform. They blamed “a series of events over the last few months, including exploits, socially engineered attacks and fallouts within the ecosystem” for causing the positions to be liquidated. The $KUJI token price crashed by more than 60% as a result of the team’s poor risk management.The Kujira team apologized for the fiasco, and announced a plan to create a DAO to take over the project treasury.

"Community Update on the Future of Reignmakers"

Tue, 30 Jul 2024 00:00:00 +0000

American sports gambling behemoth DraftKings announced the shutdown of its Reignmakers NFT game and NFT marketplace, effective immediately. Reignmakers was a fantasy sports game that allowed players to purchase digital trading cards used for digital fantasy leagues.In an announcement in the project Discord and on their website, DraftKings wrote that the shutdown was “due to recent developments”. They offered holders the ability to cash out their Reignmakers cards “based on factors that include, but are not limited to, the relative size and quality of your digital game piece collection”. Holders were also invited to transfer their NFTs to their own cryptocurrency wallets, although the DraftKings-run “contests” in which people used their NFTs to try to earn rewards and win prizes will no longer exist. It’s also unclear whether some NFTs, built to not be transferrable off-marketplace, will be able to be retained by their holders.Members of the DraftKings Discord reacted with chagrin to the news, and doubt that the vague promises of cash payments would amount to much. “What kind of compensation u think we get coming to us? Pennies?” wrote one. “Yeah I’m out like $20k,” said another. Some blamed the shutdown on a recent lawsuit from a holder of the Reignmakers NFTs who lost $14,000 — a lawsuit which recently survived the motion to dismiss stage.

"Compound DAO asleep at the wheel as $25M governance 'attack' passes"

Sun, 28 Jul 2024 00:00:00 +0000

A controversial proposal in front of the Compound Finance DAO has narrowly passed, granting 499,000 COMP (~$24 million, and amounting to 5% of the project’s treasury) to an outside group. A Compound Finance whale, “Humpy”, proposed the vote to allocate the tokens to a protocol created by a group called the “Golden Boys”, which Humpy also leads. The vote was the third attempt to allocate tokens to the Golden Boys’ group, after two unsuccessful votes in May and earlier in July.Humpy has previously been accused of governance attacks on other protocols, including Balancer and SushiSwap.Prior to the proposal’s passage, some Compound Finance DAO members raised objections. “In my personal opinion, the actions of Humpy and the Golden Boys can be considered a governance attack if they persist in their attempts to take funds from the protocol in clear opposition to the will of all other Compound DAO delegates,” stated Compound Finance security adviser Michael Lewellen, who also described the proposal as “a malicious attempt to steal funds from the protocol”.Afterwards, Lewellen wrote that “OpenZeppelin is working with all active delegates and Compound contributors to assess our options for protecting the protocol. We see serious risks to the future decentralization of the DAO as a result of Proposal 289 passing and so we are exploring options to mitigate or reverse this outcome.”

ETHTrustFund

Sat, 20 Jul 2024 00:00:00 +0000

The operators of a project called ETHTrustFund on Coinbase’s Base layer-2 Ethereum blockchain have apparently rug-pulled the project. The ETHTrustFund project was a fork of the Olympus DAO project on Base, but there was months of inactivity on the project following its March launch. Then, on July 20, the developer deleted his Telegram and Twitter accounts and the project’s website, and suddenly moved the project treasury to a new wallet. The funds were then laundered through Railgun and Tornado Cash.

Total loss estimated at $2,200,000.

Tweet by zachxbt

Fri, 19 Jul 2024 00:00:00 +0000

An apparent misconfiguration by the RHO Markets lending protocol allowed operators of an MEV bot to take $7.6 million from the project’s users across multiple chains.In a stroke of luck for the RHO team, the MEV bot operator sent RHO an on-chain message indicating they were willing to return all of the funds, although they first demanded that RHO “admit that it was not an exploit or a hack, but a misconfiguration on your end. Also, please provide what you are going to do to prevent it from happening again.“RHO is built on the Scroll Ethereum layer-2 network. Scroll temporarily paused the chain as RHO investigated the loss.

"India’s WazirX confirms security breach following a $230M ‘suspicious transfer’"

Thu, 18 Jul 2024 00:00:00 +0000

After a $230 million “suspicious transfer”, Indian cryptocurrency exchange WazirX has paused withdrawals and acknowledged that one of their multisignature wallets was compromised. The attacker began selling off the tokens, causing the price of tokens like Shiba Inu to drop around 10%.WazirX is the largest cryptocurrency exchange in India. The company was acquired by Binance in 2019, but the two companies re-separated in 2023 after a bizarre public dispute.WazirX’s June 2024 proof-of-reserves reported around $500 million in total holdings, making the $235 million theft a substantial portion of the assets held at the exchange.Blockchain sleuth zachxbt observed that the theft had some of the hallmarks of the Lazarus Group, a North Korean hacking group that has perpetrated other 9-figure heists including the $625 million Axie Infinity theft in March 2022, and the theft of more than $100 million from Atomic Wallet users. The US and South Korea both officially pinned the attack on North Korea later on.

Total loss estimated at $235,000,000.

Tweet by Trekki

Wed, 17 Jul 2024 00:00:00 +0000

Travel company Trip.com has some perturbed crypto holders on its hands, after shutting down the “Trekki” NFT project it launched in June 2023. The company’s dolphin-themed NFTs had come with a roadmap that promised eventual staking features, “travel to grow” and “travel to earn” mechanisms, and other developments, which have been cancelled. However, Trip.com promised that its discount coupon functionality would remain.“Can’t believe @Trip a multibillion company is also a rugged project,” wrote one person in response to the shutdown announcement.

Tweet by LI.FI

Tue, 16 Jul 2024 00:00:00 +0000

Users of the cross-chain swapping API LI.FI Protocol, and of projects that build on top of it, suffered wallet drains amounting to at least $10 million (and counting). An attacker was able to exploit the users who had set infinite approvals. The protocol urged those who had interacted with several affected smart contracts to revoke permission, and warned: “Please do not interact with any LI.FI powered applications for now!”

Total loss estimated at $10,000,000.

Tweet by Chaofan Shou

Sun, 14 Jul 2024 00:00:00 +0000

An attacker stole $1.4 million from the defi lending project Minterest. Using a flash loan attack, they manipulated the exchange rate calculated by the project, allowing them to withdraw more tokens than they originally loaned.Minterest paused the supply and borrow portions of their protocol after the attack, and attempted to contact the attacker to negotiate a return of some of the funds.

Total loss estimated at $1,400,000.

"Dough Finance loses $1.8M in flash loan attack"

Fri, 12 Jul 2024 00:00:00 +0000

Defi platform Dough Finance was hacked for 608 ETH ($1.8 million) by a hacker using a flash loan attack funded through the Railgun privacy service.Dough Finance sent an on-chain message to the attacker, asking them to return the “misappropriated funds”, threatening that they would “pursue all criminal, legal, and administrative avenues available” in the event that the attacker did not do so.

Total loss estimated at $1,800,000.

"American rapper Doja Cat’s X account was hacked to promote a now-collapsed token"

Mon, 08 Jul 2024 00:00:00 +0000

The Twitter account belonging to rapper Doja Cat was compromised on July 8, tweeting to her 5.6 million followers that they should “buy $DOJA or else”, and various other messages to that effect. Doja Cat quickly posted on her Instagram account to say that the Twitter account had been compromised.The attacker appeared to have only marginal success, as the token reached a market cap of around $500,000 before collapsing by 96%.Hackers have compromised a string of celebrity Twitter accounts to promote memecoins recently, including those of Hulk Hogan and Metallica.

"SEC Charges Consensys Software for Unregistered Offers and Sales of Securities Through Its MetaMask Staking Service"

Fri, 28 Jun 2024 00:00:00 +0000

As expected, the SEC has filed a lawsuit against Consensys, the maker of the popular MetaMask cryptocurrency wallet. Although Consensys had recently gloated about the SEC completing an investigation into the company’s offering of ETH, and determining not to pursue action over it, a Wells notice sent to the firm in April suggested that some legal action was impending. Shortly afterwards, Consensys filed a lawsuit against the SEC, alleging regulatory overreach.The SEC’s lawsuit claims that Consensys violated securities laws by acting as an unregistered securities broker, and by offering staking services that constituted unregistered securities offerings. The SEC has previously cracked down on staking offerings by other firms, including Coinbase and Kraken.

Tweet by CertiKAlert

Sun, 23 Jun 2024 00:00:00 +0000

The token for the Farcana blockchain shooting game plummeted in value by around 60%. First, the project team announced that one of the project wallets had been compromised. However, they later deleted that tweet, then claimed that one of their market makers had been compromised. They emphasized that their wallets had not been hacked, and that their smart contracts had not been exploited.23.8 million FAR were taken from a wallet, and the majority were sold for around $164,000 in USDT. The exploiter still holds 3.4 million FAR, which are notionally worth $83,250 but not likely to be sellable for that amount.Farcana raised $10 million in seed funding in November 2023 from investors including Animoca and Polygon Ventures.

Total loss estimated at $164,000.

Tweet thread by Scam Sniffer

Sun, 23 Jun 2024 00:00:00 +0000

A victim lost $11 million in Aave Ethereum (aEthMK) and Pendle USDe tokens after signing several permit phishing signatures. Permit phishing is a technique in which scammers convince a victim to sign a transaction that grants broad permissions, allowing the scammer to then drain assets from the wallets.

Total loss estimated at $11,000,000.

Instagram post by 50 Cent

Sat, 22 Jun 2024 00:00:00 +0000

50 Cent has claimed his Twitter account and website were hacked to promote a memecoin called $GUNIT. “I have no association with this crypto,” the rapper wrote on Instagram.50 Cent also claimed in the post that “Who ever did this made $300,000,000 in 30 minutes.” It’s not clear where 50 Cent got this number, because the token has only done $19.8 million in volume. One wallet made around $722,000 off the token, and three others also made over $100,000.

Total loss estimated at $1,000,000.

Telegram message

Sat, 22 Jun 2024 00:00:00 +0000

It appears that the online crypto sports betting platform Sportsbet.io suffered a theft of around $3.5 million in USDT and Tron’s TRX tokens. The theft was observed by crypto sleuth zachxbt, who noted that the theft seems to have been perpetrated by the same attacker who stole at least $55 million from the BtcTurk cryptocurrency exchange only hours earlier.SportsBet has not yet disclosed any theft.

Total loss estimated at $3,500,000.

Twitter thread by CertiK

Wed, 19 Jun 2024 00:00:00 +0000

Prominent blockchain security firm CertiK has accused American cryptocurrency exchange Kraken of threatening them after they reported a bug. According to CertiK, they discovered a bug in the exchange software, which they tested with multiple transactions over several days. Some of these were large transactions, which CertiK said they performed to test whether Kraken had alerting in place to detect higher-value transfers. When they reported the vulnerability to the exchange, they say the exchange patched the bug, but then threatened CertiK employees and demanded they repay a “mismatched” amount of crypto allegedly taken during the testing period.However, others have noted that the number of transactions and amount of cryptocurrency taken by CertiK while “investigating” the bug seems to far exceed the norm for whitehat security researchers, and that they took cryptocurrency amounting to millions of dollars — making their “testing” look a lot more like a blackhat theft. Furthermore, CertiK made several transfers to Tornado Cash as part of their “testing” — an entity that is sanctioned by the United States.Kraken alleged that CertiK did not disclose the full extent of their employees’ transactions, and refused to return the $3 million they had taken. They also alleged that CertiK had attempted to extort them. Kraken said they had been in contact with law enforcement, and were “treating this as a criminal case”.Ultimately, CertiK returned the funds. However, it’s not clear if criminal action may be ongoing.

Total loss estimated at $3,000,000.

"Pharma Bro's Trump Card"

Tue, 18 Jun 2024 00:00:00 +0000

After Arkham Intelligence announced a $150,000 bounty for anyone who could prove the identity of the person behind a Donald Trump memecoin called $DJT, blockchain sleuth zachxbt quickly rose to the occasion. He submitted evidence that Martin Shkreli, the “pharma bro” who spent years in federal prison for financial fraud and who was previously known for hiking the price of an anti-malaria drug 56×, was behind the token. This wouldn’t have been Shkreli’s first foray into the blockchain world, after he launched a “web3 drug discovery platform”, and then later dubiously claimed to have been hacked for over $450,000 after his computer was infected by a trojan after he torrented a porn video.Shkreli attempted to frontrun the news in a Twitter space, and came out with his own claims that he had collaborated with Barron Trump to create the token, and with Andrew Tate to pump its price. However, fellow felon and memecoin pumper Roger Stone subsequently crawled out of the woodwork to claim that neither Barron nor Donald Trump was involved with $DJT.Shkreli has yet to provide solid proof that he created the memecoin, though zachxbt’s research tends to be very strong. If true, Shkreli faces potential legal repercussions, as he is still on parole after his release in 2022. The terms of his parole require him to “refrain from engaging in self-employment which involves access to client’s assets, investments, or money, or solicitation of assets, investments, or money”, and to make financial disclosures to the courts. Shkreli was also banned from the securities industry in 2018, as part of a settlement with the SEC.

"HLG Down Over 60% as Exploiter Mints 1 Billion New Tokens"

Thu, 13 Jun 2024 00:00:00 +0000

The Holograph tokenization project was exploited on June 13 after they took advantage of a flaw in a smart contract that allowed them to mint 1 billion HLG tokens. Notionally worth $14.4 million at the time the tokens were minted, relatively low liquidity meant that the introduction of a billion additional tokens crashed the token price by 80%. The attacker ultimately was able to cash out around 348 ETH (~$1.2 million).One of the addresses involved in the exploit appears to have contributed to the Holograph protocol, though it’s not clear if they took advantage of insider knowledge to pull off the heist.

Total loss estimated at $1,200,000.

Tweet by Cyvers

Thu, 13 Jun 2024 00:00:00 +0000

After suffering a $20 million loss in a June 10 hack, the UwU Lend defi lending protocol has now seen another $3.7 million in suspicious outflows only days later. Although UwU Lend paused the protocol after the attack, they re-enabled it on June 12, claiming to have identified and resolved the vulnerability. This apparently wasn’t the case, given the same attacker quickly repeated their exploit.UwU Lend was created by Michael Patryn, aka Omar Dhanani, aka “0xSifu”, who has been behind several cryptocurrency projects that have suffered major exploits. This is not exactly helping concerns among some observers that perhaps Sifu is the common denominator in these suspicious losses.

Total loss estimated at $3,700,000.

"Do Kwon's Crypto Firm Agrees to Pay $4.5 Billion Penalty to SEC"

Wed, 12 Jun 2024 00:00:00 +0000

Terraform Labs and its former CEO Do Kwon have agreed to settle the SEC’s civil action against them with a $4.5 billion payment of disgorgement, interest, and penalties. Kwon and the company were behind the collapsed Terra/Luna stablecoin project, which imploded in May 2022. It was among the first dominoes in what ended up being an industry-wide collapse.If the settlement is approved by the judge, Kwon will personally be responsible for around $200 million of the settlement payment, with Terraform Labs shouldering the rest. Although the settlement is among the largest the SEC has received in a securities fraud lawsuit, it’s unlikely the company will ever pay anything close to the total amount, as it is in bankruptcy and claims to have only around $150 million in assets remaining. Both the company and Kwon will be banned from trading crypto asset securities.The substantial fine is among the lesser of Kwon’s worries at the moment, as he is still in jail in Montenegro pending extradition to either South Korea or the United States to face serious criminal charges for his role in the fraud.

Tweet by UwU Lend

Mon, 10 Jun 2024 00:00:00 +0000

The defi lending protocol UwU Lend was hacked for around $20 million. After various blockchain security firms observed suspicious outflows of funds, the protocol acknowledged there had been a “situation” on their Twitter account, and wrote that they had paused the protocol while they were investigating.UwU Lend was founded by Michael Patryn, aka Omar Dhanani, aka “0xSifu” — a co-founder of the ill-fated QuadrigaCX exchange and ex-con. He also pseudonymously ran the defi cryptocurrency project Wonderland until his identity was revealed after the protocol suffered a meltdown.

Total loss estimated at $20,000,000.

"Loopring suffers $5 million hack after 'Guardian' two-factor authentication service is compromised"

Sun, 09 Jun 2024 00:00:00 +0000

Although Loopring markets its wallet application as “Ethereum’s most secure wallet”, that’s evidently a pretty low bar. They disclosed that they had suffered a breach in their wallet recovery service, which allows individuals to designate trusted entities to recover assets or freeze compromised accounts. An attacker was able to “recover” assets from wallets that had only designated a single Loopring guardian, pilfering at least $5 million.Loopring announced that they had suspended their account recovery operations, and were working with law enforcement to trace the attackers.

Total loss estimated at $5,000,000.

Tweet by br1an.eth

Wed, 05 Jun 2024 00:00:00 +0000

A blockchain developer posted on Twitter that he had lost almost $50,000 after his cryptocurrency wallet was drained. He explained that he had been working on a software project on Github in a private repository that contained his wallet’s private key. In order to apply for a funding grant from the Optimism project, he had to make the repository public. However, he forgot that the secret key was in the repository.Generally, it is very bad practice to store sensitive secrets in Github, even when projects are set to private.“Got drained of everything,” he wrote on Twitter. A commenter asked how long it took for the attacker to steal the money after the private key became publicly visible. “2 min”, he replied.

Total loss estimated at $48,630.

"Velocore Incident Post-Mortem"

Sun, 02 Jun 2024 00:00:00 +0000

The Velocore DEX, built on the Linea Ethereum layer-2 blockchain, was exploited for around $6.8 million in ETH. The hacker was able to take advantage of a bug in the project’s smart contract in the logic to calculate swap fees. Using a flash loan attack funded through Tornado Cash, the attacker drained most of the tokens from the pool, bridged the tokens back to the Ethereum mainnet, and then tumbled the stolen funds back through Tornado.In an unusual move, the operators of the Linea layer-2 blockchain chose to unilaterally halt the chain in order to stop the outflow of stolen assets. Because Linea — like many layer-2 chains — is highly centralized, it was possible for the Linea team to unilaterally stop the production of blocks.This was very controversial, as a single operator being able to unilaterally control the operation of a blockchain goes against much of the cryptocurrency ethos. Following their action, they tried to explain that “Linea’s goal is to decentralize our network - including the sequencer. When our network matures to a decentralized, censorship-resistant environment, Linea’s team will no longer have the ability to halt block production and censor addresses - this is a primary goal of our network”.

Total loss estimated at $6,800,000.

"Japan's DMM Bitcoin says over $300 mln of cryptocurrency lost"

Fri, 31 May 2024 00:00:00 +0000

A Japanese cryptocurrency exchange called DMM Bitcoin has announced that they suffered an “unauthorized leak” of 4,502.9 bitcoin (~$308 million) from a company wallet. They’ve provided very little in additional details around how the loss occurred, or who may have been involved. They have taken some of their services offline as they investigate the incident.The company claims it will replace the lost funds with help from other companies in their group.This is one of the largest cryptocurrency thefts in recent history, rivaling the roughly $320 million theft from the Wormhole bridge in February 2022 and the $477 million theft from FTX in November 2022.The DMM hack was later attributed to a North Korean state-sponsored cybercrime group.

Total loss estimated at $308,000,000.

Tweet thread by zachxbt

Mon, 27 May 2024 00:00:00 +0000

According to crypto sleuth zachxbt, the team behind the Solana-based $CAT memecoin hacked the Twitter account of “Gigantic-Cassocked-Rebirth” (@GCRClassic) crypto influencer.First, the team sniped their own $CAT token launch to obtain 63% of the token supply, ultimately selling a portion of it for around $5 million. Then, they took out $2.3 million and $1 million long positions on the ORDI and ETHFI tokens, respectively. Finally, they posted from the compromised influencer account to shill the ORDI and ETHFI tokens to his massive following. Ultimately, their gambit doesn’t appear to have been incredibly successful: they made around $34,000 on the ORDI position, but lost $3,500 on the ETHFI position. However, as zachxbt noted, it’s possible they also opened positions on centralized exchanges where the outcomes aren’t publicly visible.

Total loss estimated at $30,500.

"Caitlyn Jenner Meme Coin Sows Confusion as Observers Question Its Provenance"

Sun, 26 May 2024 00:00:00 +0000

Olympic athlete-turned-Trumpworld media personality Caitlyn Jenner has confused many by apparently launching a memecoin on pump.fun and heavily promoting it on her Twitter account with more than 3 million followers. Her original post featured a photo of her grasping hands with Donald Trump, with the text “make america great again!!! 🇺🇸 and we love crypto!".At first, people widely believed her account had been hacked, given how frequently celebrity token promotions turn out to be compromised Twitter accounts. Then, she began joining Twitter spaces and posting videos about the token, but with the emergence of more and more convincing deepfakes, even those didn’t convince people that it was truly Jenner behind the token.Despite the confusion — or perhaps because of it — the token has been popular.The token launch was linked to Sahil Arora, a person allegedly connected to multiple celebrity rug pulls and pump-and-dumps. However, Jenner quickly turned on Arora shortly after the token’s launch, posting on Twitter “FUCK SAHIL! He scammed us! BIG TIME!” and that “Sahil appears to be fully out”.Jenner is not the first in her family to get mixed up with crypto. In October 2023, her stepdaughter Kim Kardashian was fined over $1 million for unlawful touting of a crypto security.

"Normie Incident Analysis"

Sun, 26 May 2024 00:00:00 +0000

An attacker perpetrated a flash loan attack on the “Normie” memecoin on the Base layer-2 blockchain to drain millions of NORMIE tokens. The vulnerability was evidently discovered in March, but never patched.Although the token claimed to have a market cap of $42 million, the attacker was only able to cash out around 224 wETH (~$882,000). However, the losses to some holders of the token were much more substantial. One individual had put around $1.16 million into $NORMIE, and those holdings are now priced at around $150.The attacker has been negotiating the possible return of funds to the project team, who has expressed interest in relaunching the token.

Total loss estimated at $882,000.

Thief wallet

Mon, 20 May 2024 00:00:00 +0000

Someone was able to mint 5 billion $GALA tokens, the native token of the Gala Games blockchain gaming project. The tokens would be notionally worth around $200 million based on their paper value, although such a massive amount wouldn’t be sellable without impacting the token price. Furthermore, the Gala Games team was able to add the attacker’s address to a blocklist shortly after the theft a few hours after the attack began, preventing them from swapping more of the tokens.Altogether, the attacker was able to swap around $21 million of the GALA tokens into ETH before the address was frozen.The attacker was able to perform the exploit because they had access to a wallet with admin access to the Gala Games smart contract. It’s not clear if the attacker is a rogue employee, or if an admin wallet was compromised.As of writing, Gala Games has not publicly acknowledged the attack.

Total loss estimated at $21,451,000.

"Pump.fun Attacker Says He Wanted to 'Kill' Solana Meme Coin Launcher"

Thu, 16 May 2024 00:00:00 +0000

Pump.fun is a Solana-based memecoin generator that soared to popularity recently amid a resurgence in memecoin trading. On May 16, the project suffered a $2 million exploit by an attacker who then began airdropping the money to somewhat random wallets.A former employee — whose real identity is known — brazenly took credit for the theft on Twitter. They wrote: “everybody be cool, this is a r o b b e r y. … I’m about to change the course of history. n then rot in jail. am I sane? nah. am I well? v much not. do I want for anything? my mom raised from the dead n barring that: life without parole.“In a Twitter Spaces chat, the attacker stated that he had worked for the company briefly, and that he had grievances against its management. “I just kind of wanted to kill Pump.fun because it’s something to do… It’s inadvertently hurt people for a long time,” he said.Pump.fun paused trading shortly after the attack, and stated that they were “cooperating with relevant parties, including law enforcement, to minimize the damage.” The attacker responded to the post: “Neener neener neener”.

"Two Brothers Arrested for Attacking Ethereum Blockchain and Stealing $25M in Cryptocurrency"

Wed, 15 May 2024 00:00:00 +0000

Two brothers, Anton and James Peraire-Bueno, were indicted for a theft involving MEV — maximal extractable value. MEV involves previewing upcoming transactions on a blockchain and taking actions to extract additional profits — which can sometimes be substantial — based on that information.According to the Justice Department, the Peraire-Buenos exploited a flaw in popular MEV software called “MEV-boost”, which is used by most Ethereum validators. By creating their own validators and “bait transactions”, they were able to trick MEV bots into proposing transactions involving illiquid cryptocurrencies, which the brothers then frontran. They were able to create false signatures that tricked a MEV-boost relay into releasing information about upcoming blocks that they were able to tamper with.The brothers were charged with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering, and face up to 20 years in prison for each charge.The Justice Department is describing the case as a “first-of-its-kind manipulation of the Ethereum blockchain”. The case is an interesting one, as some believe the practice of MEV itself exploits Ethereum users. Others believe anything you can do with code should be allowed — “code is law”. However, by signing false transactions and tricking the relay into releasing private information, the brothers’ actions do seem to go beyond simply making profits in a “code is law” Wild West, and into the realm of actual fraud.

Total loss estimated at $25,000,000.

"Alex Bridge Incident Anlaysis"

Tue, 14 May 2024 00:00:00 +0000

An attacker tried to pull off what could have been a $12 million heist from ALEX Lab’s XLink bridge after a private key was compromised. However, the sloppy work by the attacker enabled an apparent whitehat hacker to step in.The attacker was successfully able to transfer around 13.8 million STX ($2 million) on the Stack BTC layer-2 chain. However, their attempts to steal assets notionally worth around $4.3 million from the project’s BNB Chain implementation failed when they upgraded the project contract to a malicious version, but failed to prevent other people from calling the withdraw function. The attacker’s first transactions to withdraw the funds themself failed, and an apparent whitehat hacker was able to step in and complete the withdrawal ahead of the exploiter. They later negotiated a deal for the funds’ return, after offering a 10% “bounty”.The exploiter had also tried, and failed, to steal assets notionally worth around $5 million on the Ethereum blockchain, but failed to do so. ALEX Lab later announced they were able to recover or secure around $4.5 million of those assets. ALEX also later announced that they believed the attackers were part of the North Korean Lazarus Group.

Total loss estimated at $6,300,000.

Tweet by CyversAlert

Tue, 14 May 2024 00:00:00 +0000

The Sonne Finance lending protocol was exploited for at least $20 million as an attacker was able to exploit a vulnerability in some of their smart contracts. Sonne is a fork of the Compound Finance project, which has known vulnerabilities that are sometimes not properly addressed by people who reuse the code — as has happened with Radiant Capital and Rari.After being alerted to the theft by several security companies, Sonne announced they had paused the contract on the Optimism Ethereum layer-2 chain.

Total loss estimated at $20,000,000.

"Public statement"

Mon, 13 May 2024 00:00:00 +0000

After the founder of the Solana-based Cypher futures trading protocol publicly accused a core contributor of stealing funds, the contributor — publicly known only as “hoak” — has confessed to the thefts.Cypher was hacked for $1 million in August 2023, but was able to recover around $600,000 of the stolen funds, which they promised to distribute to impact users via a redemption fund. However, over a period of months and unbeknownst to the rest of the team, hoak had been dipping into the recovered funds — taking around half of what was in the fund for himself.After he was accused, hoak fessed up in a public statement where he wrote that his actions were a “culmination of what snowballed into a crippling gambling addiction and probably multiple other psychological factors that went by unchecked for too long.” He continued: “I know likely nothing I say or do will make things better - perhaps other than rotting in jail. To address the elephant in the room, the allegations are true, I took the funds and gambled them away. I didn’t run away with it, nor did anyone else.”

Total loss estimated at $316,294.

Tweet by Cyvers Alerts

Sun, 05 May 2024 00:00:00 +0000

An exploiter was able to create a fake version of the $GNUS token on the Fantom blockchain, then bridge the tokens to Ethereum and Polygon where they were then sold as though they were authentic. They were able to drain $1.27 million from the project’s liquidity pools.GNUS.ai (short for “Genius”, not a reference to the animal) is one of many AI-related blockchain projects that has sprung out of the recent AI hype. This particular one promises to allow people to “utiliz[e] unused cycles” on various computing devices for computation-intensive AI systems, using cryptocurrency for payments.

Total loss estimated at $1,270,000.

Tweet by Cyvers Alerts

Fri, 03 May 2024 00:00:00 +0000

An Ethereum wallet was apparently drained of 1,155 wrapped bitcoin (~$72.7 million) when they transferred it to a malicious address that had been operating an address poisoning scheme.Address poisoning is a scam tactic that takes advantage of crypto traders’ tendencies to copy and paste wallet addresses from their transaction histories, since the addresses are long strings of characters that are not practical to type from memory. By creating a new wallet address with identical start and/or ending character strings to addresses used by the victim, and spamming the victim with transactions from that similar address, scammers are sometimes able to get victims to erroneously copy the spoofed address for future transfers.That’s what appears to have happened in this case, when a victim transferred 1,155 wrapped bitcoin — tokens pegged to the bitcoin price meant for use on the Ethereum blockchain — to the malicious address.The victim and the exploiter later reached an agreement for the return of most of the funds, with the exploiter keeping $7.2 million as a “bounty”.

Total loss estimated at $7,200,000.

"Early Bitcoin Investor Charged with Tax Fraud"

Tue, 30 Apr 2024 00:00:00 +0000

Roger Ver, an early bitcoin investor who later became an outspoken evangelist for the fork Bitcoin Cash, has been arrested on tax fraud charges. According to the Department of Justice, Ver evaded almost $50 million in owed taxes by concealing income and lying to tax preparers about his bitcoin assets as he attempted to renounce his US citizenship and become a citizen of the tax haven St. Kitts and Nevis.Ver was arrested in Spain, and the United States will seek his extradition.Besides his tax woes, Ver has also been caught up in accusations by CoinFLEX that he owed the platform around $84 million after failing to meet a margin call. Ver has in turn claimed that CoinFLEX owed him money. CoinFLEX filed for restructuring in August 2022.

"Post-Mortem Report: Pike USDC Withdrawal Vulnerability"

Tue, 30 Apr 2024 00:00:00 +0000

Pike Finance, a cross-chain lending protocol, was exploited twice in four days as attackers discovered vulnerabilities in the project’s smart contracts.The first attack, on April 26, was enabled by a flaw in the security measures related to transfers of the USDC stablecoin. An attacker was able to change the recipient address and amount, ultimately making off with almost $300,000 in the stablecoin. Pike released a postmortem two days later, acknowledging that the bug had been identified by a third-party auditor but had not been rectified by their team.When the Pike team went to patch the smart contracts to thwart this attack, they introduced new, even worse vulnerabilities. As a result, on April 30, an attacker was able to upgrade the project’s smart contracts to malicious ones, then withdraw $1.68 million in ETH, ARB, and OP tokens.Pike Finance has offered a 20% reward for the return of the funds or information pertaining to the attacker, and has promised “a plan to make users whole”. Pike, which launched in early 2024, is backed by Circle and Wormhole.

Total loss estimated at $2,000,000.

Telegram post by zachxbt

Mon, 29 Apr 2024 00:00:00 +0000

Bahrain-based cryptocurrency exchange Rain was exploited for around $16.13 million dollars on April 29. The exchange did not publicly disclose the hack until the suspicious outflows across wallets on multiple blockchains were noticed by blockchain investigator zachxbt.After zachxbt sounded the alarm on May 13, Rain admitted that they had had a “security incident”, but stressed that customer funds were safe, and stated that the Rain Group had “covered any potential losses resulting from this incident”.The attack was later attributed to North Korean state-sponsored attackers.

Total loss estimated at $14,800,000.

"Founders And CEO Of Cryptocurrency Mixing Service Arrested And Charged With Money Laundering And Unlicensed Money Transmitting Offenses"

Wed, 24 Apr 2024 00:00:00 +0000

Keonne Rodriguez and William Lonergan Hill, founders of the Samourai Wallet, were arrested and charged with conspiracy to commit money laundering and conspiracy to operate an unlicensed money transmitting business. The charges relate to their operation of a cryptocurrency mixer that the DOJ says helped to launder over $2 billion in unlawful transactions. $100 million of that, they say, was connected to dark web markets including Silk Road and Hydra Market. Indeed, Samourai had actively marketed its products to “Dark/Grey Market participants”.Rodriguez was arrested in the United States; the United States will seek extradition for Hill, who was arrested in Portugal.Samourai Wallet advertised itself as “a bitcoin wallet made for the streets”, which would “keep your transactions private, your identity masked, and your funds secure”. It touted features including “remote self-destruct”, and would hide itself from a phone’s applications list. As charges were filed in the United States, the wallet’s website began displaying a seizure notice that informed visitors of a coordinated law enforcement action by the US Attorney’s Office in the Southern District of New York, FBI, IRS, Europol, and Portuguese and Icelandic police. The app was also removed from the Google Play Store.

"ZKasino Users Plead for Refunds as $33M of Bridged Ether Sent to Lido"

Sat, 20 Apr 2024 00:00:00 +0000

A project promising to build a decentralized casino managed to raise $33 million, despite an anonymous team that had exhibited several instances of shady behavior throughout ZKasino’s development. The project promised that everyone who bridged ETH to their layer-2 chain would be able to receive their ETH back 1:1 in thirty days.Instead, the project’s creators transferred those more than 10,500 ETH ($33 million) to Lido, an Ethereum staking service. As for the “return” of funds, the project team indeed followed through with their promises to return the crypto… except instead of ETH, depositors received the project’s native token, ZKAS, which would vest over a period of 15 months. The project announced that they had calculated the ZKAS distribution based on a discounted rate, “as a favour to our users who have bridged to participate in the ecosystem”. Gee, thanks!One investor in the project wrote, “We made a mistake investing in Zkasino early. … [I]t sounds like a scam, but 95% of crypto consists of such crap. With memecoins pumping every day, people believe this could be the next one.“It seems that ZKasino’s creators have links to other crypto scams, including a failed “ZigZagExchange”, which raised around $15 million that was allegedly misallocated to work on the ZKasino project. Crypto sleuth zachxbt had also described the team as “proven bad actors” in December, listing multiple instances in which they had avoided making promised payments.After the rug pull, the project’s planned IDO on Ape Terminal and AIT Launchpad were canceled, and MEXC (which had invested in the project’s seed round) canceled the token listing.

Total loss estimated at $33,000,000.

Tweet by Hedgey Finance

Fri, 19 Apr 2024 00:00:00 +0000

Hedgey Finance, a platform used to manage token claims, lockups, and vesting, was hit with a flash loan attack that drained $44.7 million of customer funds from the platform.The majority of assets were stolen from Hedgey on the Arbitrum layer-2 network, although around $2.1 million of them were stolen from the version deployed on the Ethereum mainnet.Hedgey Finance confirmed the exploit, and sent an optimistic and congratulatory message on-chain: “Well done for finding it! We’re assuming you executed this exploit as a white hat, so we’d like to get in touch with you to discuss next steps.” No on-chain response thus far.

Total loss estimated at $44,700,000.

Tweet thread by CertikAlert

Mon, 15 Apr 2024 00:00:00 +0000

Grand Base, a real world assets platform built on the Base layer-2 blockchain, has seen $2 million exit the platform in a hack or rug pull.The team behind the project claimed that the deployer wallet had been compromised, allowing an attacker to drain the project’s liquidity pool. Altogether, 615 ETH (~$2 million) was taken from the project.Grand Base is a platform where users can trade “gAssets”, which are crypto tokens that represent stocks in tech companies including Amazon, Apple, Google, Meta, and Microsoft.

Total loss estimated at $1,972,305.

"$26 million in 'unnecessary liquidations' hit Blast-based lender Pac Finance"

Fri, 12 Apr 2024 00:00:00 +0000

Pac Finance, a fork of the Aave lending protocol deployed on the Blast blockchain, surprised some of its users as an unannounced and unexpected code change lowered the liquidation threshold. Pac Finance said that they had asked an engineer to make changes to the smart contract, and that that person had unexpectedly decreased the threshold at which positions could be forcibly liquidated. This change resulted in $26 million being liquidated across the project.Pac Finance has said they are “actively developing a plan with [impacted users] to mitigate the issue.”

"Former Security Engineer Sentenced To Three Years In Prison For Hacking Two Decentralized Cryptocurrency Exchanges"

Fri, 12 Apr 2024 00:00:00 +0000

Shakeeb Ahmed, the hacker who stole a combined $12 million from Crema Finance and Nirvana Finance in July 2022, has been sentenced to three years in prison. Ahmed had previously worked for Amazon, where he led a bug bounty program focused on paying whitehat hackers to discover flaws in Amazon’s software.US Attorney Damian Williams described this as the first ever conviction for a smart contract hack.Ahmed forfeited around $12.3 million in stolen funds, and will pay more than $5 million in restitution.

"Solana Project Marginfi Withdrawals Top $214 Million After CEO's Resignation"

Wed, 10 Apr 2024 00:00:00 +0000

The MarginFi decentralized lending project on Solana has been at the epicenter of some major drama recently, amid concerns around oracle problems, withdrawal failures, and accusations that the project has not been paying out its promised rewards. Much of this came from a Solana staking pool, SolBlaze; MarginFi responded by describing their allegations as a “hit piece” and “misinformation”.On April 10, CEO Edgar Pavlovsky tweeted that he had resigned from MarginFi, publicly calling that he “d[idn’t] agree with the way things have been done internally or externally”. Pavlovsky had been criticized for his response to the controversy around MarginFi, in which he had been argumentative and insulting, tweeting things like “take your money out, go fuck yourself” to those who accused him and MarginFi of malfeasance.Amid the chaos, more than $210 million in TVL has exited the protocol.

"Decrypting MuskSwap: A web of Scams and Tracking Funds Through Tornado Cash"

Mon, 08 Apr 2024 00:00:00 +0000

A person or group have raised funds for various crypto projects only to abandon them, empty the project wallets, and launder the funds through Tornado Cash. The largest of the projects was called “MuskSwap”, which proclaimed: “$MUSK & MuskSwap was born to show admiration to elon musk’s super projects like solarcity, tesla, space x and his constant influence on the world finance & the crypto market.“The project described itself as a DEX with a native $MUSK token, and launched in July 2021. However, the token tanked on December 25, 2021. Although the project team tried to blame the crash on “liquidity issues” and promised paths forward, they locked the project Telegram chat on March 11, 2022. On April 5, 2022, the team withdrew remaining funds and deleted the website.Crypto analysis firm CertiK linked the MuskSwap project to several other scam tokens and projects: RocketDoge, InfinityGame, SpaceX, MUFC (themed after Manchester United), and Elona Musk. Altogether, the rug pulls have drawn in $5.1 million.

Total loss estimated at $5,100,000.

Tweet by Long Beach County

Sun, 07 Apr 2024 00:00:00 +0000

It’s hard to believe that the hamburger joint themed around the owner’s Bored Ape NFT failed to take off. Although there was novelty value in the themed restaurant, which for a time boasted that it accepted cryptocurrency payments, the excitement seemed to wear off quickly after a few early news articles. After a while, the restaurant’s crypto payments became spotty, with employees saying the system was unwieldy and unpopular among customers.Some more recent Yelp reviews described fairly mediocre food, which “[t]he NFTs don’t make up for”.The restaurant opened in April 2022, a month after owner Andy Nguyen purchased Bored Ape #6184 for $268,000, along with three Mutant Apes for an additional combined $187,000. #6184 became the restaurant’s logo, and the others were incorporated into the restaurant’s branding. The NFTs haven’t been resold since, although it’s unlikely they could recoup close to their original purchase prices — Bored Apes have been averaging a little under $50,000 in recent sales, and Mutants around $8,500 each.

"Terraform Labs and founder Do Kwon found liable in US civil fraud trial"

Fri, 05 Apr 2024 00:00:00 +0000

After hearing arguments that Terraform Labs was “built on lies” during a two-week-long trial, the jury in the civil case against the company and its founder Do Kwon found that both were liable for fraud.Kwon and his company were behind the algorithmic stablecoin, Terra, which dramatically collapsed in May 2022, sending huge ripple effects throughout the ecosystem. He and his company had lied about the stability of the token, ultimately causing massive financial damage to the tune of around $40 billion.Kwon is in custody in Montenegro after attempting to flee criminal cases in both the United States and South Korea. The civil case in the US proceeded without him.

Web3 Is Going Great

Wed, 03 Apr 2024 00:00:00 +0000

A project describing itself as “The world’s first memecoin pre-announced as a rugpull” was explicit in its marketing: “do not buy this coin, as it will go to zero.“Despite that, people sent the creator over 8.8 ETH (almost $29,000) for the project’s “pre-sale”, even as they repeated on Twitter that the project was a scam and that no one should buy it.

Total loss estimated at $28,878.

Tweet by FixedFloat

Mon, 01 Apr 2024 00:00:00 +0000

The FixedFloat cryptocurrency exchange was exploited again, this time for around $2.8 million. This follows shortly after a February 18 hack in which attackers made off with $26 million.FixedFloat acknowledged the theft in a Twitter post, and blamed the same thieves. They claimed that this theft was enabled by a vulnerability in a third-party service.

Tweet by Solareum Project

Sat, 30 Mar 2024 00:00:00 +0000

The Solana ecosystem is grappling with a spate of drained wallets. A cause has yet to be definitively determined, but some of the thefts were linked to the use of trading bots like Solareum. Solareum speculated that the exploits may have been linked to compromised Telegram bot tokens, which could have allowed the attackers to obtain private keys from message history.Solareum later wrote that they would be closing the project, and deleted their website. This drew some criticism from users who accused them of doing nothing to investigate the hack, or even being responsible themselves. The project wrote on Twitter, “We at #SOLAREUM team can clarify that we DO NOT steal money.” Ah, well, in that case.Other bots may have been involved in the theft, though it’s not clear at this point. Though there was some speculation that a trading bot called BonkBot was to blame, that seems to have been unfounded.The total theft amount is not clear, but exceeds $500,000.

Total loss estimated at $500,000.

On-chain messages

Thu, 28 Mar 2024 00:00:00 +0000

The defi protocol Prisma Finance was hacked for 3,257 ETH ($11.5 million). An attacker was able to take advantage of a flaw in the project’s smart contracts, allowing them to manipulate users’ positions and steal some of their collateral. Two other watchful attackers observed the attack strategy and replicated it, stealing a combined additional 173 ETH (~$610,000).Plasma paused the protocol after detecting the attack.The first attacker, who stole the bulk of the assets, sent an on-chain message to Prisma claiming that they had performed a “whitehat rescue”, and inquired about returning the funds. In later messages, however, they asked the project to answer questions about their security practices and projects’ responsibilities to users to prevent attacks. The attacker then transferred the stolen funds to Tornado Cash — indicating their return is unlikely.In another message, the attacker was angry that Prisma had not expressed gratitude to them or remorse to their users, and was angry they had used terms like “exploit” and “attack” in their description of the incident. They demanded that the team reveal their identities, apologize, and thank the attacker in an online press conference.

Total loss estimated at $12,000,000.

"Crypto game ‘Munchables’ on Blast exploited for $63M"

Tue, 26 Mar 2024 00:00:00 +0000

The “Munchables” crypto game explains: “Schnibbles grow on every realm across the Munchable’s world. Each realm has their own unique and distinctive schniblet, and the Munchables react differently based on their compatibility to the schniblets fed to them. When creating an account for the Munchables, you must choose the location of your snuggery.” Right then.Things went awry in the land of the schnibbles and snuggeries when an attacker siphoned around 17,400 ETH ($62.5 million). Various descriptions of the attack circulated, with blockchain sleuth zachxbt attributing it to a recently hired developer, and crypto developer 0xQuit claiming the theft appeared to have been “planned since deploy”.Some began discussing the possibility that the Blast layer-2 blockchain might forcibly roll back the chain to “undo” the hack. Some have argued this is contra to the crypto ethos or would set a bad precedent, while others have argued that as a blockchain focused more on gaming and experimentation and less on decentralization and other facets of crypto ideology, it would be a reasonable step.Some hours after the attack, the exploiter was convinced to return the funds.

"Unexplained transfers on LENX protocol spark rug pull concerns"

Tue, 26 Mar 2024 00:00:00 +0000

The LENX cross-chain bitcoin liquidity protocol has recently been accused of a $10 million rug pull after community members observed massive withdrawals of treasury funds which were then sent to Binance accounts.One of the co-founders, known only as “Paul”, claimed on Discord that he was “trying to investigate” the movement of funds, which have been blamed on the project’s other co-founder, John Kim.Conversations on Discord suggest that a remaining $3 million in treasury funds were protected, and that the remaining LENX team may have been able to convince Binance to freeze the account that received stolen funds. However, little has been verifiably confirmed to date.LENX is backed by the Frax Finance lending protocol.

Total loss estimated at $10,000,000.

"Hacker mints 1B tokens in $16M Curio smart contract exploit"

Mon, 25 Mar 2024 00:00:00 +0000

Curio, a crypto project that creates tokens based on “real-world assets” (RWAs) like cars, watches, wine, and other goods, has suffered an attack that saw around $16 million drained from the project’s funds.A bug in the project’s Ethereum smart contract enabled an attacker to mint 1 billion of the project’s CGT governance token. Although the tokens were notionally priced at around $40 million, the loss to the project was estimated at closer to $16 million.Curio DAO announced that they intended to compensate users affected by the theft over a year-long period.

Total loss estimated at $16,000,000.

Tweet by CertiK

Fri, 22 Mar 2024 00:00:00 +0000

The astrology-based Lucky Star Currency project rug-pulled for $1.1 million in October 2023. You’d think that might be the end of it, but on March 22, 2024, ownership of the project was transferred to a malicious smart contract that then drained tokens priced at almost $300,000 from those who still held them.You almost have to admire the tenacity.

Total loss estimated at $297,000.

Web3 Is Going Great

Fri, 22 Mar 2024 00:00:00 +0000

Solana memecoin trading has been booming lately, with people making money by speculating on tokens themed around various memes and jokes. Amid an explosion in trading innocuously-named meme tokens like dogwifhat has also been a rise in blatantly racist tokens, named after racial slurs, featuring racist caricatures, or named after antisemitic conspiracy theories.The tokens became so popular that projects showing newly-released tokens, like DEXScreener, became full of such tokens. DEXScreener released a statement on Twitter to say that “We’ll be reviewing our token profile moderation policy in the coming days. We won’t be the gatekeepers of what happens on-chain, but we’re definitely not here to spread hate.” The replies to the tweet were, predictably, full of people accusing DEXScreener of “censorship” and “going woke”.

On-chain message

Thu, 21 Mar 2024 00:00:00 +0000

Super Sushi Samurai, a new blockchain game on the Blast layer-2 blockchain was exploited for $4.6 million when an attacker discovered a vulnerability in its smart contract. A bug in the mint functionality caused users who transferred their $SSS balance to themselves to receive twice as many tokens. An attacker took advantage of this to drain $4.6 million from the project, causing the $SSS token to plummet by 99%.The attacker contacted the project shortly after the theft, claiming to be a whitehat. They wrote, “Hi team, this is a whitehat rescue hack. Let’s work on reimbursing the users.” Super Sushi Samurai later confirmed that the funds had been returned, minus a 5% “bounty”. The team also gave the whitehat an additional 2.5% in SSS tokens and land, and brought them on to the project team as a tech adviser.

Total loss estimated at $345,000.

Tweet thread by zachxbt

Thu, 21 Mar 2024 00:00:00 +0000

A developer brought on to run a presale for the $TICKER token stole $900,000 from the project. 15% of the token supply was sent to the developer to distribute via an airdrop, but instead of doing so, the developer sold the majority of the tokens for around $900,000.After the thief was identified by blockchain sleuth zachxbt, they posted a long message on Twitter, writing, “im not sorry for any of you, tbh. you are all morons if you believe all it needs to make it here is to send your money to a custodial address and get rich”. The thief later spent some of the money on Milady NFTs and memecoins.zachxbt stated that he had identified the developer, including his full name, location, and other details. He encouraged those who were scammed to contact him if they were interested in pursuing legal action.

Total loss estimated at $900,000.

"Old Dolomite exchange contract suffers $1.8M loss from approval exploit"

Wed, 20 Mar 2024 00:00:00 +0000

The Dolomite DEX suffered a $1.8 million theft as an exploiter was able to take advantage of a vulnerability in a smart contract that had been deployed in 2019. Although most contemporary users of the exchange use a version deployed on the Arbitrum layer-2 network, the old contracts were still usable on Ethereum.An attacker apparently discovered a reentrancy bug allowing them to drain user funds from those who had approved the old contract. Altogether, around $1.8 million was taken before the team disabled the contract. The attacker quickly tumbled the stolen funds through Tornado Cash.

Total loss estimated at $1,800,000.

"SEC probing crypto companies in Ethereum investigation as hopes for ETF dim"

Wed, 20 Mar 2024 00:00:00 +0000

Fortune reported that the U.S. Securities and Exchange Commission has targeted the Swiss-based Ethereum Foundation for investigation, apparently in an effort to classify its ETH token a security. The report came out shortly after CoinDesk reported that a warrant canary had been removed from the Ethereum Foundation’s website.Although the SEC has agreed that bitcoin is a commodity and not a security, it has been hesitant to make similar explicit statements about ETH. Designation as a security could be devastating to the Ethereum project and to ETH, which is the second most popular cryptocurrency to bitcoin.

"Exchange Investigates Flash Crash That Sent Bitcoin to $8,900"

Tue, 19 Mar 2024 00:00:00 +0000

A “very small number of accounts” were able to crash the bitcoin price on the BitMEX exchange from its roughly $66,000 price to as low as $8,900. BitMEX attributed the incident to “aggressive selling behavior” by that small group.The incident underscores the thinness of the bitcoin markets on some cryptocurrency exchanges, and the ease with which a few whales can manipulate token prices.BitMEX used to be among the largest cryptocurrency trading platforms, though its popularity diminished after its founders were hit with criminal charges in 2020 for violations of the Bank Secrecy Act.

Tweet thread by Slerf

Mon, 18 Mar 2024 00:00:00 +0000

People have gotten really into memecoin trading on Solana recently. Like really into it. Someone decided they’d hop on the bandwagon with “Slerf”, a sloth-themed memecoin they said would launch with a 50% presale.Thanks to the aforementioned frenzy, the project managed to raise $10 million in the presale. However, things went sideways when the developer accidentally burned the $10 million by sending them to an address where they would be permanently inaccessible. “oh fuck”, the developer wrote ominously on Twitter, before explaining their mistake.Some speculated that the screwup may have been a marketing ploy, in which case it was very successful, because the token went on to post more than $2.7 billion in trading volume over a 24-hour period — more than the entire ETH trading volume in that period. The monumental error by the developers seemed to have no damper on the overall frenzy around memecoins, or even produced the opposite effect.Surely this trend won’t end badly.

Total loss estimated at $10,000,000.