According to a recent Financial Times article, the amount of crypto sent to addresses with known criminal associations shot to a record $14 billion in 2021, more than doubling from 2020. This is according to research from data company Chainalysis. Scams, ransomware and theft rose 79% in dollar terms last year.
“On Saturday, attackers stole hundreds of NFTs from OpenSea users, causing a late-night panic among the site’s broad user base,”
“A spreadsheet compiled by the blockchain security service PeckShield counted 254 tokens stolen over the course of the attack, including tokens from Decentraland and Bored Ape Yacht Club.”The bulk of the attacks took place between 5PM and 8PM ET, targeting 32 users in total. Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million.
The attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea. One explanation (linked by CEO Devin Finzer on Twitter) described the attack in two parts: first, targets signed a partial contract, with a general authorization and large portions left blank. With the signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In essence, targets of the attack had signed a blank check — and once it was signed, attackers filled in the rest of the check to take their holdings.
“I checked every transaction,” said the user, who goes by Neso. “They all have valid signatures from the people who lost NFTs so anyone claiming they didn’t get phished but lost NFTs is sadly wrong….”
Writing on Twitter shortly before 3AM ET, OpenSea CEO Devin Finzer said the attacks had not originated from OpenSea’s website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests some common vector of attack, but so far no link has been discovered.
An update to OpenSea’s smart contract was scheduled the day before (to remove old and inactive listings from the platform), and the scammer mimicked a genuine OpenSea email, according to The Street. A user who posted the text of the phishing email online explains that the scammer “then got a number of people to sign permissions with WyvernExchange. No exploit, just people not reading sign permissions as normal.”
CEO Finzer told Bloomberg that some of the stolen NFTs have actually been returned, with no further malicious activity seen from the attacker’s account. “He also dispelled rumors of a $200 million hack, saying the attacker has $1.7 million of Ethereum in his wallet from selling some of the stolen NFTs.”
The total value of the unauthorized withdrawals was 4,836.26 ETH and 443.93 BTC — equivalent to roughly $15.2 million and $18.6 million respectively, at current exchange rates — as well as $66,200 worth of other currencies. According to the post, 483 Crypto.com users had their accounts compromised.
“On Monday, 17 January 2022 at approximately 12:46 AM UTC Crypto.com’s risk monitoring systems detected unauthorized activity on a small number of user accounts where transactions were being approved without the 2FA authentication control being inputted by the user,” the post reads. “This triggered an immediate response from multiple teams to assess the impact. All withdrawals on the platform were suspended for the duration of the investigation. Any accounts found to be impacted were fully restored.”
Romance scammers made off with a total of $139 million in cryptocurrency last year, five times more than the amount stolen in 2020, according to a new report from the Federal Trade Commission (FTC). Cryptocurrency payments made up the largest fraction of the $547 million lost to scammers in 2021, with victims losing $9,770 in crypto on average.
Vulcan Forged is a game studio, non-fungible token (NFT) marketplace and decentralised application (dApps) incubator built on Ethereum, Polygon and Binance Smart Chain (BSC)
Hackers accessed 96 different wallets by stealing private keys, before draining 4.5 million PYR tokens from them. Stealing 23.7 percent of the project’s circulating supply of tokens.
Jaime Thomson, the CEO of Vulcan Forged posted a video message on Twitter, acknowledging the breach and calling December 13 the “darkest day in Vulcan Forged history”.
Bitmart’s hot wallet was compromised. $100 million was identified as having been stolen over the Ethereum blockchain, but additional investigation revealed another $96 million had been stolen over the Binance Smart Chain blockchains. More than 20 type of tokens were stolen, including altcoins like BSC-USD, Binance Coin (BNB), BNBBPay (BPay), and Safemoon, while large amounts of Moonshot, Floki, and BabyDoge were also compromised. Official and Source
A hacker managed to drain funds from across various cryptocurrency wallets on the DeFi platform, BadgerDAO. The platform confirmed that hackers had used a “maliciously injected snippet” via Cloudfare which allowed them to drain $130 million in funds, around $9 million of which was recovered as it hadn’t been withdrawn. Source and Source
A money-laundering trial in Germany shone a light on the purchase of a luxury London penthouse by cryptocurrency scammer Dr Ruja Ignatova. Charges were brought in connection to the siphoning of millions of Euros from Dr Ruja’s €4 billion scam – which consisted of selling a fake cryptocurrency called OneCoin.
Boy X Highspeed (BXH), a decentralised cross-chain exchange, was hacked in October in a hack that drained $139 million of funds. This was probably the result of a leaked administrator key, and possibly an inside job. With the private key, the attacker was able to digitally sign a transaction transferring $139 million in tokens from BXH’s account on BSC to their own account.
BXH’s CEO stated that an investigation was underway to identify the hacker. If the hacker is not found, BXH has said that it will devise a user repayment plan and is offering $1 million to teams able to help retrieve the funds.
A CryptoPunk NFT appeared to sell for $530 million after an on-chain transaction in this scam. While CryptoPunks have sold for as much as 4,200 ETH in the past, the fake sale would have been the largest by orders of magnitude. As reported above, it appears that the owner used a flash loan to make the fake purchase of the Punk, borrowing and repaying 124,000 ETH. The move was likely a marketing stunt.
In February, hackers stole $37 million and in August, $29 million. The 3rd attack saw hackers exploiting what was thought to be a vulnerability in the DeFi platform’s flash loan system. They were able to steal all of Cream Finance’s tokens and assets on the Ethereum blockchain, which amounted to $130 million. Source
The stolen crypto assets