Unciphered worked with various wallet providers to contact people whose wallets may be vulnerable, though ultimately it is up to those wallet holders to secure their funds by creating new wallets and transferring their tokens. Unciphered also noted that some Dogecoin, Litecoin, and Zcash wallets may be vulnerable due to shared code.
Up to $1 billion stored in early Bitcoin wallets may be at risk due to "Randstorm" vulnerability
While trying to help a Bitcoin holder who lost their password, researchers at Unciphered discovered a major flaw in the way early Bitcoin wallets had been created. Thanks to a flaw in an open source software library called BitcoinJS, which was later incorporated into many wallet software projects to generate Bitcoin wallets with random keys, wallets created prior to 2016 may be vulnerable to cracking. Wallets created before March 2012 are at particular risk, as the roughly 6% of those that are vulnerable (and which hold a combined ~55,000 BTC, or ~$100 million) could be cracked without requiring major computing resources.
Poloniex hacked for more than $120 million
Assets including Bitcoin, Ethereum, and Tron's TRX token, priced at more than $126 million, were stolen from Justin Sun's Poloniex cryptocurrency exchange. Researchers are still homing in on the exact amount of funds that were stolen from the company's hot wallets across multiple blockchains, but suffice to say it's a lot.
Poloniex was initially tight-lipped, posting on Twitter that they had "disabled for maintenance" an exchange wallet. Justin Sun later updated that they were investigating the "hack incident", and promised to "fully reimburse" the massive theft... somehow. He later tweeted that they would offer a 5% "bounty" to the hacker if they returned the funds within a week, threatening to "engage law enforcement" otherwise.
MEV bot exploited for almost $2 million
An MEV bot was exploited after an attacker discovered a vulnerability in its code that allowed anyone to call one of its functions that sold wBTC for wETH. Using a flash loan to imbalance a wETH/wBTC pool on Curve, the attacker then caused the bot to purchase wBTC at its inflated price. They then sold the wBTC for a profit. Altogether, the exploiter made off with 1,047 ETH ($1.975 million).
- Tweet thread by CertiK Alert [archive]
- Transaction on Etherscan [archive]
Almost $100 million liquidated over false news of Bitcoin ETF approval
A post falsely announcing that the SEC had approved a spot Bitcoin ETF caused $100 million in liquidations as the market briefly surged on the news. $81 million in short positions were liquidated as Bitcoin shot up to $30,000 from just under $28,000, and another $31 million in long positions were liquidated as the news turned out to be false.
The post by crypto media outlet CoinTelegraph was based on a faked screenshot of what appeared to be the Bloomberg Terminal. The post quickly propagated through the crypto world before people began to question its veracity. CoinTelegraph later issued an apology, blaming the incident on a failure by employees to follow the normal editorial approval process.
This adds to the list of incidents that illustrate the extent to which false reporting by traditional or crypto media, or by influential personalities, can move crypto markets. Past incidents have included a crypto Twitter personality tweeting the false rumor that Interpol had issued a red notice for Binance CEO Changpeng Zhao, and two instances of token price spikes based on false press releases claiming major corporations would accept the tokens as payment.
- "Clarification on sharing false spot Bitcoin ETF news", CoinTelegraph [archive]
Bitcoin mining hardware manufacturer Bitmain stops paying employees
Bitmain, the manufacturer of popular Bitcoin mining equipment (known as ASICs), is apparently in such dire financial straits that it can no longer pay employee salaries. Local media reported that all "bonuses and incentives" were nixed by the Beijing-based company, and the firm is considering cutting all wages by 50%. They also wrote a letter to employees, informing them that they would not be paying out September salaries until a review later in the month.
Paxos pays $500,000 fee to send $1,865
A wallet on the Bitcoin blockchain paid a 19.82 BTC ($499,171) fee to transfer 0.074 BTC ($1,865). Put another way, they spent 270x the transaction value to pay the fee. Bitcoin transaction fees are required to make any action on the Bitcoin blockchain, and people can opt to pay higher fees to incentivize their transactions being processed sooner. 19.82 BTC is far outside the realm of someone just hoping to get a speedy transaction, however — the next-highest transaction fee in that block was 0.006 BTC ($159.20).
Bitcoiner Jameson Lopp speculated that the transaction "looks like an exchange or payment processor with buggy software" based on its transaction history. "The address in question that made the fee calculation error has the characteristics of a withdraw-only hot wallet from an enterprise," he wrote.
His observations were well-founded, as it later came out that the wallet belonged to the Paxos blockchain company, who attributed the overpayment to a bug. Luckily for Paxos, the miner who snapped up the outsized fee agreed to refund it.
- Bitcoin transaction on Blockchain.com explorer [archive]
- Tweet thread by Jameson Lopp [archive]
Founder of the Thodex crypto exchange sentenced to 11,196 years in prison
As of writing, the April 2021 $2 billion Thodex exit scam is the second largest exit scam recorded in the Web3 is Going Great leaderboard. Thodex was one of the largest crypto exchanges in Turkey, until its CEO, Faruk Fatih Özer, disappeared along with $2 billion in customer funds.
He was arrested in August 2022 after a year on the run. Now, he and his brother and sister have all been sentenced to 11,196 years in prison – sentences so over the top that one has to wonder if perhaps Turkish prosecutors are worried the Özers are some kind of crypto-focused vampire crime family. They will also pay a 135 million lira fine (~$5 million).
CoinsPaid hacked for $37.3 million
The CoinsPaid crypto payment platform, which provides payment services to various online casinos, reportedly suspended withdrawals under mysterious circumstances. The company later deleted a handful of tweets pertaining to the incident, which they ascribed to a "technical issue".
After prominent Bitcoiner Jameson Lopp tweeted that the issue "look[s] more like a hack", CoinsPaid replied "Our team is aware of the issue... Please wait for the official announcement on this topic." Crypto researcher zachxbt responded, "The issue is you got hacked by North Korea that's what lol", referencing the increasing suspicion that the Lazarus group may be behind the disruption. Sure enough, CoinsPaid later confirmed that they had been hacked for $37.3 million, and announced that they suspected the Lazarus Group was behind it.
Some have been speculating that there are connections between this incident and the $60 million hack of the Alphapo crypto payments processor on July 22. Alphapo also provided services to various online casinos. Indeed, there seem to be connections between Alphapo and CoinsPaid, and they may in fact be operated by the same people.
Alphapo hacked for more than $60 million
The crypto payment processor Alphapo suffered a hot wallet hack on July 22 in which at least $60 million in Ethereum, Tron, and Bitcoin was stolen. Alphapo processes payments for several gambling platforms including HypeDrop, Bovada, and Ignition.
HypeDrop disabled withdrawals on their platform, and wrote on Twitter that they were experiencing "ongoing deposit and withdrawal issues" due to "an issue on the cryptocurrency provider's side."
Eco-travel company We Are Bamboo loses millions of customer funds gambling on crypto
New Zealand-based We Are Bamboo may have been an ethical travel company, but they certainly weren't an ethical handler of customer funds. In late October 2022, the company abruptly announced it would be closing up its eco-travel business — without refunding customer funds due to the force majeure clause of the contract.
Now, a report from the New Zealand Herald suggests that the company's director Colin Salisbury took more than NZ$3.24 million (~US$2 million) in customer funds, put it into multiple cryptocurrency platforms over a period of almost two years, and lost it all. Another ~US$800,000 was lost in at least four fraudulent crypto platforms which just "ceased to exist".
We Are Bamboo tried to blame the collapse of their business on the COVID-19 pandemic and on a group of customers whose "actions and online influence have broken us". "Our intentions here are not to play the victim but simply share with you the levels to which this group has gone to ensure our downfall, and made it their sole purpose to attack us, our families, our staff, and our customers with the intent to destroy Bamboo," they wrote. However, a liquidator in the We Are Bamboo bankruptcy says they discovered the cryptocurrency transactions, which explained the true demise of the company.
Salisbury reportedly engaged in the crypto trading because he was concerned that the US dollar might lose value. Guess he found out the hard way what crypto could do for the value of his customers' funds.