According to a recent Financial Times article, the amount of crypto sent to addresses with known criminal associations shot to a record $14 billion in 2021, more than doubling from 2020. In the first six months of 2022, Web3 projects have lost more than $2 billion to hacks and exploits, according to research from data company Chainalysis. Scams, ransomware and theft rose 79% in dollar terms last year.
July 29, 2022 - Solana DeFi Protocol Nirvana Drained of $3.5 million Liquidity After Flash Loan Exploit
Nirvana Finance, a Solana-based yield protocol, suffered a $3.5 million exploit utilizing flash loans to manipulate and drain its liquidity pools, blockchain data shows. CoinDesk reports: The price of the protocol’s native ANA token fell over 80% in the past few hours, while its NIRV stablecoin lost its peg to the U.S. dollar and dropped to 8 cents at writing time, CoinGecko data shows. Nirvana allowed users to earn annual yields of over 100% on their locked assets by creating and destroying tokens based on user demand as the ANA tokens were bought from and sold to the protocol. Over $3.5 million worth of ANA was locked on the protocol before the attack on Thursday. Data from blockchain explorers shows the attack used over 10 million USDC sourced from lending tool Solend in a flash loan. At that point over $10 million worth of ANA was minted, or created, and the entire amount swapped to receive $3.5 million worth of tether (USDT) from Nirvana’s treasury wallet. This was possible because the treasury considered the 10 million USDC infusion to be genuine. However, it wasn’t, and the protocol was hence tricked into releasing its treasury’s liquidity. The total value locked (TVL) on Nirvana fell to 7 cents in European morning hours following the attack. Its entire liquidity pool was effectively drained, data from DeFi Llama shows. The 10 million USDC was returned to Solend after the exploit. The stolen funds were transferred to the Ethereum network using Wormhole, a blockchain tool that connects Solana to other networks, and converted to DAI, an Ethereum-based stablecoin, blockchain data shows. The attacker address — 0xB9AE2624Ab08661F010185d72Dd506E199E67C09 — currently holds over $3.5 million worth of DAI, blockchain data shows. Nirvana’s trading functions were suspended by developers following the attack, as per messages by admins on the protocol’s Telegram channel. Source
July 29, 2022 - 244 victims had collectively lost $42.7 million through such fake iOS & Android apps
Earlier this month, the FBI issued a formal warning to the public, noting that at least 244 victims had collectively lost $42.7 million through such fake apps.
Cyber Criminals Create Fraudulent Cryptocurrency Investment Applications to Defraud US Investors
The FBI is warning financial institutions and investors about cyber criminals creating fraudulent cryptocurrency investment applications (apps) to defraud cryptocurrency investors. The FBI has observed cyber criminals contacting US investors, fraudulently claiming to offer legitimate cryptocurrency investment services, and convincing investors to download fraudulent mobile apps, which the cyber criminals have used with increasing success over time to defraud the investors of their cryptocurrency. The FBI has identified 244 victims and estimates the approximate loss associated with this activity to be $42.7 million. The FBI encourages financial institutions and their customers who suspect they have been defrauded through fake cryptocurrency investment apps to contact the FBI via the Internet Crime Complaint Center or their local FBI field office.
Less than two months after someone compromised the official Bored Ape Yacht Club Instagram account to steal $2.4 million worth of NFTs, BAYC creator Yuga Labs is again facing questions about its security measures. Source
May 23, 2022 - ICO-Funded Project Sparkster Converts $22M in Ether to USDC After 3 Years, No Product
Sparkster promised investors a “no-code” software-creation platform using $30 million in funds raised from investors in 2018. Source
“On Saturday, attackers stole hundreds of NFTs from OpenSea users, causing a late-night panic among the site’s broad user base,”
“A spreadsheet compiled by the blockchain security service PeckShield counted 254 tokens stolen over the course of the attack, including tokens from Decentraland and Bored Ape Yacht Club.” The bulk of the attacks took place between 5PM and 8PM ET, targeting 32 users in total. Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million.
The attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea. One explanation (linked by CEO Devin Finzer on Twitter) described the attack in two parts: first, targets signed a partial contract, with a general authorization and large portions left blank. With the signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In essence, targets of the attack had signed a blank check — and once it was signed, attackers filled in the rest of the check to take their holdings.
“I checked every transaction,” said the user, who goes by Neso. “They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong….”
Writing on Twitter shortly before 3AM ET, OpenSea CEO Devin Finzer said the attacks had not originated from OpenSea’s website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests some common vector of attack, but so far no link has been discovered.
An update to OpenSea’s smart contract was scheduled the day before (to remove old and inactive listings from the platform), and the scammer mimicked a genuine OpenSea email, according to The Street. A user who posted the text of the phishing email online explains that the scammer “then got a number of people to sign permissions with WyvernExchange. No exploit, just people not reading sign permissions as normal.”
CEO Finzer told Bloomberg that some of the stolen NFTs have actually been returned, with no further malicious activity seen from the attacker’s account. “He also dispelled rumors of a $200 million hack, saying the attacker has $1.7 million of Ethereum in his wallet from selling some of the stolen NFTs.”
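The "blank check" described above is an order whose settlement fields were left for the counterparty to fill in. The following is an added example, not OpenSea's or Wyvern's code, of a wallet-side check that refuses to sign such an order; the field names (target, calldata, basePrice, expirationTime) are assumptions modelled loosely on an exchange order and the sample orders are constructed.

```javascript
// Added example: inspect an exchange order before signing it and refuse
// to sign when security-relevant fields are still blank.
// Field names are assumptions; they are not Wyvern's actual schema.
const ZERO_ADDR = "0x0000000000000000000000000000000000000000";

function inspectOrderBeforeSigning(order, now = Math.floor(Date.now() / 1000)) {
  const problems = [];
  // Which contract is called at settlement? Blank means the filler decides.
  if (!order.target || order.target === ZERO_ADDR) {
    problems.push("target contract is blank");
  }
  // What calldata is sent to it? Empty means the filler supplies it later.
  if (!order.calldata || order.calldata === "0x") {
    problems.push("calldata is empty; the counterparty can supply it");
  }
  // What does the signer receive? Zero price moves assets for nothing.
  if (!order.basePrice || BigInt(order.basePrice) === 0n) {
    problems.push("basePrice is zero; assets would move without payment");
  }
  // No expiry keeps the signature usable indefinitely.
  if (!order.expirationTime || Number(order.expirationTime) === 0) {
    problems.push("no expirationTime; signature never expires");
  } else if (Number(order.expirationTime) < now) {
    problems.push("order already expired");
  }
  return { safeToSign: problems.length === 0, problems };
}

// Constructed sample orders (placeholder addresses, not real ones).
const blankCheque = {
  maker: "0xMAKER_PLACEHOLDER", target: ZERO_ADDR, calldata: "0x",
  basePrice: "0", expirationTime: 0,
};
const completeOrder = {
  maker: "0xMAKER_PLACEHOLDER", target: "0xEXCHANGE_PLACEHOLDER",
  calldata: "0xa9059cbb", basePrice: "1000000000000000000",
  expirationTime: 4102444800,
};
```

A wallet or front-end would call `inspectOrderBeforeSigning` and show the returned `problems` to the user instead of presenting an opaque signature prompt.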
The attack seems to have resulted from a recent update to the project’s GitHub repository, which revealed a fix to a bug that had not yet been deployed to the project itself.
The attack took place on February 2nd and was noticed when a post from the Wormhole Twitter account announced that the network was being taken “down for maintenance” while a potential exploit was investigated. A later post from Wormhole confirmed the hack and the amount stolen.
120,000 Ethereum (ETH) worth around $325 million were stolen
The total value of the unauthorized withdrawals was 4,836.26 ETH and 443.93 BTC — equivalent to roughly $15.2 million and $18.6 million respectively, at current exchange rates — as well as $66,200 worth of other currencies. According to the post, 483 Crypto.com users had their accounts compromised.
“On Monday, 17 January 2022 at approximately 12:46 AM UTC Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user,” the post reads. “This triggered an immediate response from multiple teams to assess the impact. All withdrawals on the platform were suspended for the duration of the investigation. Any accounts found to be impacted were fully restored.”
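The anomaly Crypto.com's monitoring caught was withdrawals approved with no 2FA step. As an added example, not Crypto.com's code, the following correlates withdrawal approvals with the 2FA verification that should precede them and flags any approval that has none within a window; the event format, field names, the 300-second window and the sample events are all constructed for this illustration.

```javascript
// Added example: detect withdrawal approvals that were not preceded by a
// successful 2FA verification for the same account within a time window.
// Event shape and the window are assumptions for this illustration.
const WINDOW_SECONDS = 300;

function findWithdrawalsWithout2fa(events, windowSeconds = WINDOW_SECONDS) {
  // Process in time order so each approval sees the verifications before it.
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  const lastVerified = new Map(); // account -> ts of most recent 2FA success
  const alerts = [];
  for (const ev of sorted) {
    if (ev.type === "2fa_verified") {
      lastVerified.set(ev.account, ev.ts);
    } else if (ev.type === "withdrawal_approved") {
      const t = lastVerified.get(ev.account);
      // Alert when there was no 2FA at all, or it is older than the window.
      if (t === undefined || ev.ts - t > windowSeconds) {
        alerts.push({
          account: ev.account, ts: ev.ts, amount: ev.amount, asset: ev.asset,
          reason: t === undefined ? "no 2FA verification" : "2FA verification stale",
        });
      }
    }
  }
  return alerts;
}

// Constructed sample events (UNIX seconds). u1 is normal, u2 never
// verified 2FA, u3 verified too long before the approval.
const sampleEvents = [
  { ts: 1000, type: "2fa_verified", account: "u1" },
  { ts: 1020, type: "withdrawal_approved", account: "u1", amount: "0.5", asset: "ETH" },
  { ts: 1050, type: "withdrawal_approved", account: "u2", amount: "12", asset: "ETH" },
  { ts: 2000, type: "2fa_verified", account: "u3" },
  { ts: 2400, type: "withdrawal_approved", account: "u3", amount: "1", asset: "BTC" },
];
```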
Romance scammers made off with a total of $139 million in cryptocurrency last year, five times more than the amount stolen in 2020, according to a new report from the Federal Trade Commission (FTC). Cryptocurrency payments made up the largest fraction of the $547 million lost to scammers in 2021, with victims losing $9,770 in crypto on average.
Vulcan Forged is a game studio, non-fungible token (NFT) marketplace and decentralised application (dApps) incubator built on Ethereum, Polygon and Binance Smart Chain (BSC).
Hackers accessed 96 different wallets by stealing their private keys, then drained 4.5 million PYR tokens from them, 23.7 percent of the project's circulating supply.
Jaime Thomson, the CEO of Vulcan Forged posted a video message on Twitter, acknowledging the breach and calling December 13 the “darkest day in Vulcan Forged history”.
Bitmart’s hot wallet was compromised. $100 million was initially identified as having been stolen over the Ethereum blockchain, but further investigation revealed another $96 million had been stolen over the Binance Smart Chain. More than 20 types of tokens were stolen, including altcoins like BSC-USD, Binance Coin (BNB), BNBBPay (BPay), and Safemoon, while large amounts of Moonshot, Floki, and BabyDoge were also compromised. Official and Source