DeezNutz_404 hacked for $170,000

I might otherwise skip over news of a $170,000 hack, given how commonly thefts of that scale happen in the crypto world, but with a name like this... come on.

One thing that keeps me from ever trying my hand as a crypto project hacker is that if I made $170,000 from exploiting a project called "DeezNutz_404", I would immediately be caught because I wouldn't be able to resist telling everyone I know that I'd just made enough money to not have to work for a couple years by exploiting deez nuts.

Anyway, there was a bug in their code that allowed an attacker to mint infinite tokens and steal around 58.65 ETH (~$170,000).

Axie Infinity co-founder suffers $9.5 million loss after wallet compromise

Jeff "Jihoz" Zirlin, a co-founder of the Axie Infinity blockchain game, lost around $9.5 million as two of his crypto wallets were compromised. The thief stole 3,248 ETH ($9.5 million), which they quickly laundered with the Tornado Cash cryptocurrency mixer.

Some were briefly concerned that Axie Infinity's Ronin Bridge had been hacked (again), since the funds moved out of the bridge. Jihoz and others were quick to emphasize that the bridge had not been affected, and it was simply a personal wallet compromise.

Influencer "Crypto Rover" accused of pump-and-dump and other shady behavior

Influencer "Crypto Rover" taking a selfie with an exaggerated concerned expression, and the bitcoin logo next to himCrypto Rover (attribution)
A popular cryptocurrency influencer known as "Crypto Rover" has been accused by blockchain sleuth zachxbt of shady behavior, including accepting promotional payments from crypto projects and then not following through on his end of the deal, dumping tokens after promising followers he would hold, and secretly purchasing tokens for memecoin projects before pumping the price by posting about them.

Zachxbt outlined various incidents, including how Crypto Rover purchased "Stoned Pepe" tokens before posting to his hundreds of thousands of followers that he thought the token would "do at least a 10x", and claiming that he had inside info on the project. He also detailed how Rover had taken a $10,000 payment and 1% of the supply of a new token that he promised to promote, then never promoted — despite promising the team that he could "pump projects from 1/2m to 10m easy".

After zachxbt published his research, Rover deleted his Telegram channel.

Over $55 million taken from defunct AAX crypto exchange

The Hong Kong-based AAX cryptocurrency exchange suspended withdrawals in November 2022, only days after the FTX collapse and related chaos in the cryptocurrency world. They claimed that user funds were safe, but the exchange never restored service. A month later, police arrested two of the company's executives.

Now, over a year later, the Cyvers blockchain security firm has observed more than 24,000 ETH (~$55.6 million) has been moved from wallets used by the platform. Although there could be innocuous explanations for money moving off a defunct platform, whoever was moving the funds used various decentralized services to launder the money, appearing to be trying to make it more difficult to trace.

Airdrop hunters spam Github projects

A Github issue titled "github" with the text "i'm a scroll contributor"Airdrop farming Github issue (attribution)
After projects like Celestia and Starknet distributed airdrops of crypto tokens to people who had contributed to their open source Github repositories, airdrop hunters have begun spamming other projects in hope that they might one day receive tokens for their "contributions". In the recent Starknet airdrop, one individual received 1,800 STRK (~$3,200 at current estimates, though the token isn't actively trading yet) for an unmerged pull request fixing a typo in project documentation, so the hope that relatively trivial contributions could result in a windfall isn't completely unjustified.

Several repositories for crypto projects that have not launched tokens were inundated with hundreds of trivial Github issues apparently written in the hopes that in the event of an airdrop, they would be considered contributions.

"Please don't submit a GitHub issue just for farming purposes," wrote one employee of a crypto project receiving such spammy contributions. "The [project] core team is stretched thin enough as it is, please don't make our lives harder." Several projects had to limit who was allowed to open new issues in their repositories to try to tackle the spam.

FixedFloat exchange hacked for $26 million

The FixedFloat cryptocurrency exchange was exploited for around 409 BTC (~$21.17 million) and 1,728 ETH (~$4.85 million) for a total loss of just over $26 million. FixedFloat is a decentralized cryptocurrency exchange that doesn't require user registration or Know Your Customer, making it popular for hackers looking to launder stolen funds.

FixedFloat first wrote that they had "encountered some minor technical problems", then acknowledged that there had been a hack. FixedFloat is non-custodial, so no user funds were impacted, however some have reported frozen transactions and missing funds from using the service on social media.

Yuga Labs acquires Moonbirds amid speculation of insider trading

Pixel art of a white owl with one squinting eye, wearing a forest ranger hat, on a light green backgroundMoonbirds #768 (attribution)
On February 16, the NFT giant Yuga Labs announced it would be acquiring the Moonbirds NFT project. This adds to list of blue-chip NFT collections controlled by Yuga Labs, which already included their original Bored Ape Yacht Club and spin-off NFT collections, and the CryptoPunks and Meebits collections they acquired in March 2022. Decentralized!

Anyway, after the acquisition was announced, prices for Moonbirds spiked, as was to be expected.

What wasn't expected was a notable spike in trading in the days leading up to the acquisition announcement, in which some wallets began accumulating large amounts of Moonbirds and related NFTs. One such wallet purchased 80 Moonbirds, 71 Moonbird Mythics, 28 Oddities, and 13 Mythic eggs in the week leading up to the announcement, and enjoyed several hundred thousand dollars in profits after the acquisition was announced.

Trader loses $4.5 million in phishing attack

A trader known as kirilm.eth fell victim to a phishing attack, losing over 180 million BEAM tokens to a scammer. BEAM is a token belonging to the Beam blockchain gaming network, built by the Merit Circle DAO.

The stolen tokens were notionally priced at around $5.14 million, although the sale of the stolen tokens resulted in a price drop that meant the attacker ultimately was only able to trade them for 1,629 ETH (~$4.5 million). The BEAM price dropped around 10%.

YouTuber KSI accused of pump-and-dump

Crypto sleuths Coffeezilla and zachxbt teamed up on an investigation into YouTuber and crypto promoter KSI, accusing him of pumping up interest into the XCAD project and then dumping tokens priced at $850,000 shortly after, when some of his millions of followers had likely bought in and pumped the price.

Although the token dumping occurred in March 2022, zachxbt waited until now — when KSI returned to his dormant Twitter account — to release the evidence he'd collected.

KSI had previously claimed to followers that he was "holding his bags", meaning not selling the XCAD tokens he'd purchased or been given. zachxbt determined this to have been a lie. The XCAD founder later came to KSI's defense, claiming he had bought more tokens than he sold, as though that somehow justifies the behavior.

"Decentralized" social network Farcaster criticized after confiscating channel name to be used by influential crypto podcasters

Conversation with Dan Romero
Romero
hey there
/bankless wants their channel :)
can I refund you $25 worth of USDC on Base

Sender
Dan with all due respect, bankless is a brand using a common word that has been in our space for a decad
If I was using their logo and perpetrating like I was them, that would be different
This sets a really poor precedent.

Romero
Do you have examples of where you are using Bankless?
happy to be convinced otherwiseConversation between the accused squatter and Farcaster co-founder Dan Romero (attribution)
One of the promises made by proponents of crypto-focused decentralized social networks like Farcaster is that you can't be de-platformed by centralized companies, and you maintain control over your own presence on these platforms.

This made it a bit of a shock when the co-founder of the a16z-backed Farcaster blockchain-based social network messaged a user to inform them that he would be taking away the channel name he had registered, whether he agreed to it or not. According to the co-founder, Dan Romero, the popular Bankless crypto podcast had requested the bankless channel name, which the user he was messaging had already registered.

After the user argued back against Romero's offer of $25 in USDC to reimburse him for the channel name, and said it set a poor precedent, Romero stated: "ok this isn't productive. do you want USDC for the refund or warps" (referring to the non-crypto points used by the Warpcast client for Farcaster).

On one hand, some criticized the user who had registered the name for allegedly squatting on the channel name and trying to resell it. Romero defended his decision by arguing, "I never said channels were decentralized yet" (though the platform does generally claim to be "sufficiently decentralized"). Others argued the action set a bad precedent, and flew in the face of the ethos supposedly motivating these types of web3 social networks.

Romero has promised on Twitter that Farcaster channels "will be onchain later this year and like [user identifiers] won't be able to be touched." When pushed on the precedent this sets, he replied, "So let the squatter extort money?" Romero clearly needs to grapple with the fact that, like it or not, squatting is a feature of systems that take a hands-off approach to managing access to identifiers. This should not be news to anyone remotely familiar with the web, where "domaining" emerged out of the relatively laissez-faire structure of DNS — though unlike with fully decentralized identifiers, there can be some intervention when domain name speculation enters the realm of cybersquatting.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.