An hour and a half after users began to report missing NFTs, OpenSea finally acknowledged the issue. They tweeted that they were "actively investigating rumors of an exploit associated with OpenSea related smart contracts", and wrote that they believed it was a phishing attack coming from outside of OpenSea, rather than an issue with their contract. It was later determined that an attacker had successfully phished 17 OpenSea users into signing a malicious contract, which allowed the attacker to take the NFTs and then flip them. Bizarrely, the hacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH ($130,000) from the attacker as well as some of his stolen NFTs back. The attacker later transferred 1,115 ETH obtained from the attack to a cryptocurrency tumbler, worth around $2.9 million.
Seventeen OpenSea users have their NFTs stolen and flipped for a total of $2.9 million by a phishing scammer
Panic erupted on February 19 as a few users saw their wallets emptied of valuable NFTs without knowing why, and many others feared the same could happen to them. Early explanations blamed a new contract that OpenSea had rolled out, or an airdrop from a new NFT marketplace called X2Y2. People urged NFT owners to revoke permissions for both the OpenSea contract and for X2Y2 until more was known, although one of the most popular websites helping people do so went down shortly after from the high traffic.
Authorities raid Generación Zoe, an Argentine pyramid scheme propped up by cryptocurrencies
Authorities performed nine separate raids targeting Generación Zoe, a holding company raising money from thousands of Argentines. The company promised 7.5% monthly returns at the lowest level, but more if investors recruited others to the scheme. They said these returns came from cryptocurrency trading, sales of "coaching" courses, and other investment strategies. The group even had their own cryptocurrency, Zoe Cash, and had begun other ventures — including a church. The accountant from the firm and several others were arrested in the February 18 raid, but the head of the scheme was on the lam.
- "Detuvieron al contador de Generación Zoe", Página 12 (in Spanish)
- "Pierri será el abogado de Leonardo Cositorto, CEO de Generación Zoe", Infobae (in Spanish)
- "Estafas: qué es Generación Zoe y quién es Leonardo Cositorto", Clarín (in Spanish)
- "A bitcoiner against a powerful cryptocurrency pyramid from Argentina", Money Training Club
BuildFinance DAO project treasury drained after "hostile takeover"
A person managed to submit a proposal to the DAO that governs BuildFinance, a "decentralized venture builder", that would allow them to take over the project contract. The attacker succeeded in obtaining enough votes for the proposal to pass, primarily because they held an outsized number of governance tokens, and because they were able to disable community Discord features that would have alerted more of the community to the proposal. After the proposal passed and they were granted control over the project, they began minting and selling the project's native $BUILD token, draining the project treasury of about $470,000. According to BuildFinance, "As things stand, the attacker has full control of the governance contract, minting keys and treasury. The DAO no longer has control over any part of the key infrastructure." Some have questioned whether the incident can properly be described as an "attack" or "hostile takeover": everything worked exactly as it was supposed to in a "code is law" sort of way, even though it was against the intentions of the project founders and presumably most of its community.
Founder of an air taxi DAO writes of narrowly avoiding an elaborate scam attempt
thomasg.eth is the founder of Arrow, a DAO that is working to create "open-source VTOL [vertical take-off and landing] aircraft and air taxi protocol". In a long Twitter thread, he wrote about a pair of scammers, one of whom posed as a 3D artist from Ubisoft and one of whom impersonated a team member of an existing metaverse project called SpaceFalcon. After weeks of interaction, during which the supposed 3D artist supplied thomasg.eth with high-quality renderings and the supposed metaverse project team member invited him to tour the facilities of a different VTOL project, one of them invites him to test their NFT staking app. thomasg.eth was, fortunately, cautious about interacting with unfamiliar NFTs from his main wallets, at which point the scammers began to act a bit cagey. When thomasg.eth inspected the smart contracts, he realized they would enable the scammers to transfer any amount of aWETH (wETH on the Aave protocol) tokens from his wallet.
While many web3 scammers are fairly primitive in their tactics, these appeared to be running a sophisticated and highly-targeted scam. The pair worked to impersonate an existing web3 project, even buying a similar domain. They apparently hired a 3D artist to produce renderings to help ingratiate one of the scammers into the target's web3 project. And when thomasg.eth inspected the scammers' addresses, he found that they were working with at least 100 ETH in funding (currently equivalent to around $300,000). thomasg.eth is currently holding over $100 million in his wallet with the same name, so it's not hard to see why the scammers might have picked him as a target worth some extra effort.
Hackers take more than $10 million from defi project Dego Finance
Hackers drained more than $10 million from the project Dego Finance. This also plunged the value of the project's $DEGO token by about 78%. Dego claims that the hackers compromised the keys to the address providing liquidity on UniSwap and PancakeSwap. Dego, which is a decentralized finance project, asked the various major exchanges to step in and prevent trading of the token, a type of intervention by centralized exchanges that is precisely what defi is supposed to prevent from happening.
$36 million taken from retirement accounts of IRA Financial customers investing in crypto
IRA Financial, a platform for managing retirement investments, boasts of being "the first self-directed IRA company to allow their clients to invest in cryptocurrencies, such as Bitcoin, directly via a cryptocurrency exchange". Unfortunately, they were probably also the first to have that feature exploited, when an administrator account was apparently compromised and users' funds were transferred out of their connected Gemini accounts. Two days later, IRA Financial publicly acknowledged "suspicious activity that has affected a limited subset of our customers with accounts on the Gemini cryptocurrency exchange". The stolen funds, taken in a mix of Ethereum and Bitcoin, amounted to around $36 million.
Exploit of Superfluid vesting contract nets attacker $8.7 million
A vulnerability in the Superfluid crypto streaming protocol allowed an attacker to drain $8.7 million, affecting projects including Mai Finance, Stacker Ventures, Stake DAO, and the Museum of Crypto Art.
U.S. Department of Justice arrests duo for trying to launder billions stolen from Bitfinex in 2016
The U.S. Department of Justice announced that they had arrested a New York couple and seized more than $3.6 billion in Bitcoin that they were allegedly trying to launder. The fortune was a portion of what was stolen in the 2016 Bitfinex breach, which saw the exchange lose around 120,000 BTC — then valued at around $71 million but worth around $4.5 billion at today's BTC prices. The husband and wife pair, Ilya Lichtenstein and Heather Morgan, both describe themselves as tech entrepreneurs; Morgan also describes herself as a "surrealist rapper", and her work sure is surreal.
News of the arrest came only a week after 20,000 BTC from the Bitfinex hack was observed being moved. Although the DOJ didn't explicitly say that this movement led to the arrest, it seems like a safe bet.
Contracted developer makes off with all the funds for the Ratz Club NFT project
Mexican VTuber Zilverk created an NFT project called Ratz Club, built on the Solana blockchain. On February 6, the project announced that a developer they had contracted drained all of the funds from the project wallet. The project lost about 1,300 SOL, or around $140,000. The project announced that Zilverk and another developer would be putting their own money back into the project, and that "you are going to be able to replace your Ratz with a new series of Ratz, all holders will receive the same amount of Ratz they had minted for free. (Since the Ratz you already minted are kinda are useless)."
- Tweet by Zilverk (in Spanish)
- Medium post by Ratz Club
Meter Passport, another blockchain bridge, is exploited for $4.3 million
A bug in the Meter Passport smart contract allowed an attacker to pull 1400 ETH (~$4.2 million) and 2 wrapped Bitcoin (~$83,000) from the Meter Passport blockchain bridge. This was the second hack of a blockchain bridge in three days, following the enormous Wormhole Network exploit. Meter urged its users not to trade any meterBNB, which are currently unbacked, and wrote that they were "working on compensating funds to all affected users."