Researchers at Sentinel Labs have estimated that more than $1 million has been drained from various wallets via these malicious contracts.
Traders lose $1 million to malicious "trading bot" software
Scammers using AI-generated YouTube videos to promote supposedly profitable crypto bot software have convinced crypto users to deploy what is, in reality, malicious code that allows scammers to siphon funds from their wallets. The free software supposedly allows anyone to run MEV bots to profit from arbitrage strategy, but the obfuscated code people are encouraged to download and deploy is actually malicious.
Credix vanishes after $4.5 million exploit
The defi lending protocol Credix lost $4.5 million to an exploit after a hacker gained control of an admin wallet and used it to mint tokens and drain liquidity pools.
Credix subsequently announced they had negotiated with the thief, who they said agreed to return the funds "in return for money fully paid by the credix treasury". They did not disclose how much they paid to the hacker.
However, shortly after this announcement, the company deleted its social media accounts and disappeared, leading some to wonder if the "hack" may have in fact been a rug pull by insiders. The promised reimbursements have not yet materialized.
Crypto lender Abra pauses withdrawals for international customers
The Abra cryptocurrency lender sent an email to customers announcing that "Abra Earn international services are currently paused, effective immediately", attributing the decision to "broader risk management efforts" and saying it was "influenced by external circumstances outside of our control". This has raised concern among Abra customers, and carries troubling echoes of the wave of crypto lenders pausing withdrawals before they collapsed during the 2022 "crypto winter".
This isn't the first sign of shakiness at Abra, which was alleged to be insolvent by the Texas state securities regulator in 2023. The company wound down its US operations in mid-2023 and refunded $82 million to US customers, after reaching a settlement with 25 state regulators. Abra also faced a lawsuit from the US federal securities regulator in 2024, which they settled in August of that year.
$731,000 stolen in SuperRare hack
Customers of WOO X lose $14 million after exchange compromise
Attackers who compromised devices belonging to a WOO X employee stole $14 million from users of the Taiwanese WOO X cryptocurrency exchange. The phishing attack on the employee gave the hackers access to a development environment, according to statements from WOO X, and the hackers were then able to make withdrawals from customer accounts.
WOO X temporarily froze withdrawals, before reopening accounts after a security review. They offered a 10% "bounty" to the thief.
CoinDCX hacked for $44 million
The Indian cryptocurrency exchange CoinDCX was hacked, with attackers stealing around $44 million. The company announced the breach the following day, attributing it to a "sophisticated server breach" and claiming that only company funds were impacted.
BigONE hacked for over $27 million
The BigONE cryptocurrency exchange was hacked for more than $27 million, which the hacker quickly swapped for various other tokens. The attacker compromised one of the exchange's hot wallets after gaining access to the company's production network. BigONE stated they would fully cover the loss.
Blockchain security researcher zachxbt responded to the hack by saying, "I do not feel bad for the team as this CEX processed a good bit of volume from pig butchering, romance, investment scams." Elsewhere he suggested that hacks of "sketchy offshore exchanges" would be a positive for the crypto industry, serving as a "natural cleanse".
Arcadia Finance exploited for $3.5 million
The Arcadia Finance defi margin protocol was exploited for $3.5 million after an attacker found a vulnerability in a project smart contract. The attacker quickly swapped the stolen tokens and bridged them from Base to the Ethereum mainnet. The attacker stole the funds in two separate transactions that were more than four hours apart.
Arcadia is backed by Coinbase Ventures. The project acknowledged the hack, encouraging users to revoke permissions.
MoonPay apparently gets scammed out of a $250,000 donation to Trump inaugural fund
In a seizure request filed by the DC Attorney General, the Justice Department outlined how a Nigerian scammer used the classic "lowercase Ls look like uppercase Is" trick to steal $250,000 — apparently from the MoonPay crypto exchange. Using the email address steve_witkoff@t47lnaugural.com, the scammer directed "Ivan & Mouna" to deposit $250,000 in Tether to a specified wallet address. Mouna then replies to confirm the transaction, providing a link to a blockchain explorer. The FBI was only able to recover around 16% of the stolen funds, issuing seizure requests to Tether and Binance that regained control of $40,353.
As it happens, "Ivan & Mouna" match the names of MoonPay CEO Ivan Soto-Wright and CFO Mouna Siala. The crypto address used to send the transaction also appears to be one of MoonPay's company crypto wallets.
MoonPay had told Fox Business shortly before the transaction that they intended to contribute an undisclosed amount to the Trump inaugural fund.
Only weeks after the botched donation, MoonPay was selected as a payment processor for Trump's $TRUMP memecoin.
- "The DOJ Seemingly Outed Top Crypto Executives as Falling for a Nigerian Crypto Scam", NOTUS [archive]
- Complaint in US v. Approximately 40,353 USDT.ETH Cryptocurrency [archive]
Kinto token crashes; community claims rug pull, Kinto claims hack
The price of Kinto's $K token suddenly crashed 90%, sparking accusations of a rug pull. A tranche of investor tokens had just been unlocked recently, leading some to speculate that investors dumped their tokens on retail buyers.
However, Kinto blamed the token crash on the exploit that was recently disclosed by VennBuild, claiming on Twitter that "we got hacked by a state actor". Venn seemed to corroborate Kinto's explanation that the crash was related to the exploit, tweeting that although they had tried to warn all vulnerable projects before publicly disclosing the bug, "Sadly the Kinto token was not found despite being vulnerable, and exploited without time to mitigate."
Kinto has announced a plan to try to fundraise to cover a $1.4 million loss in liquidity, then create a new $K token based on a snapshot of previous token holdings.