Hackers swipe pricey NFTs after compromising Gutter Cat Gang Twitter profile

A leopard-spotted cat with half-lidded eyes, wearing a black doo-rag and white shirt with "HODL" printed on it, on a purple backgroundGutter Cat #707 (attribution)
An attacker successfully compromised the Twitter account belonging to the popular Gutter Cat Gang NFT project, as well as the one belonging to the project co-founder, and used them to post links to phishing sites claiming to be a new NFT airdrop. Instead of receiving the tokens they were promised, those who authorized the contract had their wallets drained.

One victim lost 36 NFTs, among them a Bored Ape NFT they'd purchased for around $130,000. Altogether, the attackers successfully stole NFTs worth between $750,000 and $900,000, depending on how resale value is estimated.

The following day, Gutter Cat Gang announced that they'd regained control over the Twitter accounts and taken down the malicious tweets. They stated that they were working with law enforcement to investigate the theft, but to the dismay of some victims, did not describe any plans to compensate those who lost assets.

"Decentralized" BarnBridge closes up shop after claiming they are under SEC investigation

A small and rather unknown project called BarnBridge aimed to build a variety of defi yield projects. BarnBridge claimed to be decentralized and governed by a DAO.

On July 6, an attorney posted in the project's Discord server to say that BarnBridge and "individuals associated with the DAO" were under investigation by the U.S. Securities and Exchange Commission. The attorney wrote: "To reduce potential further legal liability, existing liquidity pools should be closed, and no more liquidity pools should be started. All work on Barnbridge related products should stop, and individuals should no longer be compensated for any work they do related to Barnbridge until further notice." Decentralized!

It's not terribly surprising that BarnBridge chose to drop the facade of decentralization when the SEC came knocking, however. A recent case by the CFTC against the Ooki DAO suggests that the mere veil of "decentralization" will not be sufficient to avoid legal liability for the actions of a DAO. However, it is interesting to see the SEC now (at least allegedly) going after a relatively small player in the defi world.

Multichain shuts down amidst $130 million suspected hack

Blockchain watchers observed $130 million in various assets flowing out of the Multichain blockchain bridge, questioning whether there had been an exploit. Multichain tweeted, "The team is not sure what happened and is currently investigating," and recommended users stop using the service and revoke contract approvals.

Several hours later, Multichain wrote that they had stopped service, and that "all bridge transactions will be stuck on the source chains. There is no confirmed resume time."

In May, Multichain suffered a bizarre slew of issues, culminating in the project team admitting that their CEO had gone missing and could not be contacted. So far, they have not reported his return.

This is also not the first hack suffered by Multichain. In January 2022, the project, bafflingly, publicly announced a security vulnerability that was affecting their tokens, without first instructing users to safeguard their tokens. Attackers quickly followed the instruction manual provided to them by Multichain, making off with around $3 million in assets.

NFTPerp blows up

A project called NFTPerp was, as the name suggests, a perpetual futures exchange for NFTs, allowing people to take long or short positions against NFTs. It relied on a vAMM — virtual automated market maker — which essentially simulates liquidity without there being any real money in the system. Such a system can be thrown out of whack if there is imbalance in the positions people are taking — for example, if everyone tries to go short on NFTs in a brutal bear market.

So anyway, that's exactly what happened. NFTPerp announced that they would be sunsetting their popular beta project after accruing bad debt.

How they're going about it has been controversial among the successful traders on the platform: essentially, those who were in profit will lose their unrealized gains, while those who had lost money in their trades will have their losses waived. "Nftperp stealing profits from winner [unrealized profit and loss] to backstop losers UPNL is insane to me", wrote one commenter. Another wrote, "If anyone else is considering NFT perps, please have the 'what happens when the illiquid market goes to zero overnight' plans clearly in place from the beginning."

Not to be deterred, the team is already preparing to launch a "v2". May it go as well as their first attempt.

Trader loses $213,000 to phishing scam, blames Twitter

Twitter reply by an account called "@burntteoast", advertising a link to a supposed "Doodles 2" projectDoodles scam (attribution)
Crypto personality LoveMake.eth wrote a Twitter thread about how they fell victim to a phishing scam in which an account appearing to belong to the cofounder of the popular Doodles NFT project advertised a fake project in the replies to a thread by a real cofounder. The Twitter account appeared to be Doodles' cofounder burnttoast, but the handle was actually burntteoast. LoveMake connected their primary wallet, which was immediately drained of 61.5 ETH (~$120,000) and $93,400 in the Tether stablecoin.

LoveMake wrote on Twitter that "I am dyslexic and didn't notice that the Burnt Toast acc was scam. It was very similar to the original & Verified." They appeared to blame Twitter's new verification process, writing, "@Twittersupport can you explain the meaning of the word 'verified'? we're waiting for days every time we change pfp or display name and then I got scammed by verified account with exact the same name and pfp as Doodles founder in million views thread?"

Several days later, they posted a thread again criticizing the prevalence of crypto scammers on Twitter. "I put millions $ into web3 projects, with over 90k$ into Twitter ads. I was rugged many times and finally robbed but not broken. Thanks to twitter the most profitable web3 activity now is a scam. Shouldn't Twitter pay more attention to its own security?"

Angry over the Azuki Elementals fiasco, Azuki holders form a DAO and immediately get exploited

After paying nearly $40 million for a new set of Azuki NFTs, the Azuki community is pissed that they were "dilutive" near-copies of the original Azuki collection. To fight back against the perceived "blatant scamming" by the Azuki creators, holders claiming to have collectively spent millions on Azuki projects formed an Azuki DAO. The DAO created a governance token, $BEAN, which it distributed to Azuki NFT owners. The DAO then embarked on a vote to hire a lawyer, sue Azuki's creator, and demand a refund of the 20,000 ETH (~$38 million) collectively spent on Elementals NFTs.

However, shortly after the DAO was created, the governance token was exploited. Attackers were able to take advantage of a flaw in the smart contract, with two exploiters stealing around 35 ETH (~$69,000). The DAO paused the contract to prevent further thefts.

File this one under "adding insult to injury".

Encryption AI rug pulls for $2 million, developer allegedly blames gambling addiction

A project called "Encryption AI" promised a Telegram bot that would provide a "secure and efficient way to launch tokens". People poured in around $2 million before the developer suddenly withdrew all the funds, crashing the token price by 99%.

The developer reportedly posted a message to Telegram, apologizing for taking the funds. "I must confess that I have fallen into a severe addiction to online gambling and casinos," the developer reportedly wrote. "Despite being only 22 years old, I have struggled to overcome this addiction, and unfortunately, I have lost nearly $300,000 over the past few months, including after the launch of [Encryption AI]."

They added, "Although I cannot guarantee when or if I will be able to make amends and relaunch [Encryption AI], I promise that I will make every effort to become a better person." Oh, well, in that case.

Poly Network exploited again

The name Poly Network may ring a bell, because in August 2021 they were exploited for an (at the time) record-setting $611 million.

Now, it's happened again, and some reports are throwing around even more massive numbers like $42 billion. In reality, the exploiters were able to mint massive quantities of tokens on multiple networks, with their wallet balances showing numbers in the billions. However, complete lack of liquidity for these tokens meant their "billions" are worth substantially less.

According to crypto research firm Beosin, the attackers have so far cashed out around 5,196 ETH (~$10.1 million) in liquid assets. Poly Network suspended services shortly after the attack.

Kraken ordered to turn over user information to U.S. tax investigators

Bad news for wealthy crypto traders on Kraken, who previously might have hoped to evade paying taxes on their past crypto trades. A judge has ordered the exchange to turn over information to the U.S. Internal Revenue Service on users who engaged in at least $20,000 in trades in any year between 2016 and 2020.

Although Kraken argued against the order, describing it as an "unjustified treasure hunt", the judge determined that the IRS was justified in its request, and ordered Kraken to cough up the records. The IRS alleged that although the exchange has more than 4 million users, and has processed $140 billion in trades since its inception in 2011, only 288,330 of those users have filed tax returns.

Huobi patches massive vulnerability after researcher allegedly tries for a year to disclose it

After the Huobi crypto exchange (finally) fixed a massive vulnerability, researcher Aaron Phillips published a blog post explaining what he had found. According to Phillips, two years ago, the exchange accidentally published a file containing Amazon Web Services (AWS) credentials, which could have allowed a bad actor to modify content on their websites and in their CDN, distribute malicious versions of their Android app, access user data and "whale reports" on high-value users, access OTC trade records and user data for OTC traders, and "carry out the largest crypto theft in history". "I had full control over data from almost every aspect of Huobi's business," wrote Phillips.

According to Phillips, it took months before he was able to get in touch with Huobi and convince them to act on the leak. Phillips first notified Huobi of the leak in June 2022, and after repeated efforts to contact the company, the credentials were only revoked in June 2023.

Huobi has tried to downplay the hack, first stating that the user data leak was "on a small scale (4,960 individuals)" and "does not involve sensitive information and does not affect user accounts and fund security". They also claimed the leaked OTC data was test data. "The log shows that only [Phillips] has downloaded, and [Phillips] has also stated that he has deleted. Therefore no leakage is actually caused," they wrote.

According to CoinGecko, Huobi is the seventeenth-largest cryptocurrency exchange by volume.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.