Massive NPM supply chain attack puts crypto transactions at risk

After a JavaScript developer's NPM account was compromised in a phishing attack, attackers used it to upload malicious versions of heavily used JavaScript color and debugging libraries, as well as simple utilities that do things like strip-ansi or determine if a variable is-arrayish. Altogether, the packages get around two billion downloads per week, and the compromise is being called the "largest supply chain attack in history".

Once a malicious version is installed and loaded, the injected code intercepts network traffic and API calls, scanning for cryptocurrency transactions across numerous blockchains. When a network request is made to transfer crypto, the malicious code intercepts it and replaces the destination with wallets controlled by the attackers.

Various prominent people in crypto have warned about the attack, with Ledger CTO Charles Guillemet tweeting: "If you use a hardware wallet, pay attention to every transaction before signing and you're safe. If you don't use a hardware wallet, refrain from making any on-chain transactions for now."
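The first thing a maintainer wants to know after a compromise like this is whether their own lockfile pulled in one of the poisoned versions. The following audit script is an added example, not code from the article or from any of the affected projects: it walks the `packages` map of a `package-lock.json` (lockfile version 2 or 3) and reports every installed copy of a watched package whose version is on the list. The watchlist entries and the sample lockfile are constructed placeholders; the real affected version numbers are not given in the article and must come from the advisory for the incident.

```javascript
// Added example (not part of the original article): audit an npm lockfile
// for packages pinned to versions known to be compromised.

// Constructed watchlist: { packageName: [bad versions] }. The version
// strings are PLACEHOLDERS; replace them with the ones from the advisory.
const AFFECTED = {
  "strip-ansi": ["0.0.0-placeholder"],
  "is-arrayish": ["0.0.0-placeholder"],
};

// Constructed sample package-lock.json (v3 layout) for a hypothetical app.
// A nested copy under another dependency is included because a bad version
// can hide deep in the tree even when the top-level dependency looks fine.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/strip-ansi": { version: "0.0.0-placeholder" },
    "node_modules/ansi-regex": { version: "6.0.1" },
    "node_modules/some-cli-tool": { version: "2.3.4" },
    "node_modules/some-cli-tool/node_modules/is-arrayish": {
      version: "0.0.0-placeholder",
    },
  },
};

// Derive the package name from a lockfile path such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Return every installed package whose name and version are on the watchlist.
function findAffected(lockfile, affected = AFFECTED) {
  const hits = [];
  const packages = (lockfile && lockfile.packages) || {};
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // the root project entry, not a dependency
    const name = meta.name || packageNameFromPath(path);
    const badVersions = affected[name];
    if (badVersions && badVersions.includes(meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Convenience wrapper for a lockfile on disk (Node.js only).
function auditLockfile(file, affected = AFFECTED) {
  const fs = require("fs");
  const lockfile = JSON.parse(fs.readFileSync(file, "utf8"));
  return findAffected(lockfile, affected);
}

// Stand-alone run: audit the constructed sample and exit non-zero on a hit,
// so the script can gate a CI job.
if (typeof require !== "undefined" && require.main === module) {
  const hits = findAffected(SAMPLE_LOCK);
  for (const h of hits) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
  if (hits.length > 0) process.exitCode = 1;
}
```

Lockfile version 1 nests dependencies under a `dependencies` key instead of a flat `packages` map, so this script would need a recursive walk to cover it. Matching on the exact version string is deliberate: a semver range in `package.json` says nothing about what was actually installed.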

Nemo Protocol exploited for $2.4 million

The Nemo Protocol on the Sui blockchain suffered a $2.4 million exploit. The defi yield infrastructure protocol acknowledged the theft shortly after, explaining they had paused the protocol smart contracts as they investigated the theft. It appears the thief was able to manipulate a price oracle, siphoning $2.4 million in USDC from the project. They then bridged the funds from Arbitrum to Ethereum.

Venus Protocol user exploited for $13.5 million

A user of the Venus Protocol borrowing and lending platform was successfully phished by an attacker who gained access to their account and drained $13.5 million in stablecoins and wBETH. The user signed a malicious transaction, approving the attacker's address for token withdrawals.

Venus paused the protocol as they investigated the theft. The project then proposed a vote to force liquidation of the attacker's wallet and recover the stolen funds.

Bunni decentralized exchange exploited for $8.4 million

The Bunni decentralized exchange was exploited for approximately $8.4 million across the Unichain Ethereum layer 2 network and the Ethereum mainnet. Bunni acknowledged the theft and paused the protocol shortly after the attack.

BetterBank exploited, some funds returned

The PulseChain-based defi project BetterBank was exploited by an attacker who took advantage of a vulnerability that allowed them to mint arbitrary tokens, some of which they then swapped for ETH. The attacker later returned around $2.7 million of the stolen assets, having cashed out around $1.4 million.

The vulnerable smart contract had been audited by cybersecurity firm Zokyo, which claimed they had flagged the issue during an audit. BetterBank responded by claiming that the auditors had either not identified or failed to communicate the true severity of the flaw.

Bitcoiner socially engineered out of $91 million

A bitcoin holder reportedly fell for a social engineering attack after receiving communications from scammers posing as customer support for a crypto exchange and hardware wallet provider, according to crypto sleuth zachxbt. The thieves stole 783 BTC (~$91 million), which they then transferred through the Wasabi mixer to complicate tracing.

BtcTurk apparently hacked again, for $49 million

The Turkish cryptocurrency exchange BtcTurk has apparently been hacked again, as various blockchain security firms observed suspicious withdrawals estimated at around $49 million. BtcTurk later acknowledged it had experienced "unusual activity" in its hot wallets, and had suspended deposits and withdrawals. They did not provide any more details about the scale of the attack.

This is the second BtcTurk exploit, following an approximately $55 million theft in June 2024.

Odin.fun bitcoin memecoin launchpad exploited for more than $7 million

Odin.fun, a bitcoin-based memecoin launchpad sort of like the popular pump.fun, was exploited for 58.2 BTC (~$7 million). The attacker had apparently manipulated the price of various tokens, then withdrew bitcoin based on the inflated prices.

A team member suggested they were unsure of the total amount stolen, "but as of right now, our company treasury isn't big enough to cover the losses".

Monero faces 51% attack

Monero, a privacy-focused blockchain network, has been undergoing an attempted 51% attack — an existential threat to any blockchain. In the case of a successful 51% attack, where a single entity becomes responsible for 51% or more of a blockchain's mining power, the controlling entity could reorganize blocks, attempt to double-spend, or censor transactions.

A company called Qubic has been waging the 51% attack by offering economic rewards for miners who join the Qubic mining pool. They claim to be "stress testing" Monero, though many in the Monero community have condemned Qubic for what they see as a malicious attack on the network or a marketing stunt.

Though Qubic has claimed to have achieved 51% of the Monero hashrate, these claims have been disputed. However, they do appear to be very close if not there already, and there have been multiple chain reorganizations — including a 6-block reorganization — suggesting that Qubic has established significant control over Monero mining.
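Why a 51% share is the line between "risk" and "certainty" can be made concrete with the standard proof-of-work catch-up model from the Bitcoin whitepaper (Nakamoto, 2008), which applies to any proof-of-work chain, Monero included. The code below is an added example and is not from the article or from Monero or Qubic: it computes the probability that a miner holding a fraction q of the hashrate, starting z blocks behind, ever overtakes the honest chain and can therefore reorganize those z blocks. The confirmation-depth helper is an assumed, hypothetical convenience built on the same formula.

```javascript
// Added example, not from the original article: attacker catch-up
// probability for a proof-of-work chain, following the analysis in the
// Bitcoin whitepaper. q = attacker's share of hashrate, p = 1 - q.
function catchUpProbability(q, z) {
  if (!(q >= 0 && q <= 1) || !Number.isInteger(z) || z < 0) {
    throw new RangeError("q must be in [0,1] and z a non-negative integer");
  }
  // With half or more of the hashrate the attacker's chain grows at least as
  // fast as the honest chain, so it overtakes with certainty regardless of
  // how far behind it starts. This is what makes a 51% attack existential.
  if (q >= 0.5) return 1;
  const p = 1 - q;
  // Expected number of attacker blocks mined while the honest chain adds z.
  const lambda = z * (q / p);
  let sum = 1;
  for (let k = 0; k <= z; k++) {
    // Poisson probability that the attacker has mined exactly k blocks.
    let poisson = Math.exp(-lambda);
    for (let i = 1; i <= k; i++) poisson *= lambda / i;
    // Having mined k, the attacker still has to close a gap of z - k blocks;
    // the chance of closing a gap of n from behind is (q/p)^n.
    sum -= poisson * (1 - Math.pow(q / p, z - k));
  }
  return sum;
}

// Hypothetical helper (assumed, not from the whitepaper): smallest number of
// confirmations at which the reversal probability drops below `risk`.
// Returns Infinity when the attacker has a majority, since no depth is safe.
function confirmationsNeeded(q, risk) {
  if (q >= 0.5) return Infinity;
  for (let z = 0; z < 10000; z++) {
    if (catchUpProbability(q, z) < risk) return z;
  }
  return Infinity;
}

// Reversal probability by depth for a given attacker share.
function reorgTable(q, depths) {
  return depths.map((z) => ({ z, probability: catchUpProbability(q, z) }));
}

// Stand-alone run: contrast a 10% miner, a 30% miner and a majority miner.
if (typeof require !== "undefined" && require.main === module) {
  for (const q of [0.1, 0.3, 0.51]) {
    console.log(`q=${q}`, reorgTable(q, [0, 1, 6]));
    console.log(`  confirmations for <0.1% reversal risk:`, confirmationsNeeded(q, 0.001));
  }
}
```

At q = 0.1 the reversal probability after 6 blocks is about 0.00024, at q = 0.3 it is still around 13%, and at q = 0.51 it is exactly 1. Under this model a 6-block reorganization, like the one observed on Monero, is consistent with an entity that holds close to or above half of the network hashrate.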

Memecoin promoters allegedly responsible for throwing sex toys at WNBA games

A group of crypto enthusiasts promoting a memecoin have claimed responsibility for a string of incidents in which neon green sex toys were thrown onto professional women's basketball courts during at least six WNBA games since July 29. The group described the stunts as coordinated "pranks" intended to draw attention to the coin, in an ecosystem where memecoin prices are often heavily tied to virality.

The incidents have been widely condemned as both dangerous and misogynistic by players, coaches, and the league, which has since implemented penalties including immediate ejection, a minimum one-year ban, and possible felony charges for offenders.

"It's super disrespectful," said Chicago Sky player Elizabeth Williams. "The sexualization of women is what's used to hold women down, and this is no different," stated coach Cheryl Reeve of the Minnesota Lynx. "The intent is to sexualize and demean the women players because they are women," wrote Glamour.

"This is empowering to every fucking crypto community to start thinking outside the box. Get creative and fucking do something that makes people actually laugh," said a member of the memecoin community, cheering the incidents for their virality and the subsequent impact on the coin price. The meme was even amplified by Donald Trump Jr., who posted to Instagram a photoshopped image of President Trump dropping one of the green sex toys off the roof of the White House and onto a group of women playing basketball below.
