Skip to timeline

Web3 is Going Just Great

...and is definitely not an enormous grift that's pouring lighter fluid on our already smoldering planet.

Created by Molly White. Subscribe to her newsletter for weekly recaps.

Start from the top

$440,000 stolen as MicroStrategy's Twitter account is hacked

Michael Saylor sitting in front of a large model shipMichael Saylor (attribution)
MicroStrategy, the company founded and chaired by Bitcoin maximalist Michael Saylor, suffered a Twitter account compromise on February 26. Although MicroStrategy ostensibly develops software, it's better known for its massive Bitcoin holdings, driven by Saylor.

Although Saylor has been publicly critical of Ethereum, that didn't seem to raise flags among those eager to receive an airdrop of the Ethereum-based "MSTR" token that the company's Twitter account claimed they had just launched. Those who fell for the phishing link were redirected to a website that spoofed the real MicroStrategy website, with malicious code that drained funds.

Around $440,000 was stolen thanks to the fake announcement, with the majority of it coming from one wallet that was drained of a variety of tokens notionally worth around $425,000.

Theme tags: Hack or scam
Blockchain tags: Blockchain: Ethereum

Dechat announces its token launch with a link to the wrong token

The user experience in crypto is apparently so bad that platforms can't even keep their own tokens straight. A web3 messaging project, Dechat, announced with some fanfare that the Dechat token would begin trading. In their social media post, however, they erroneously linked to the wrong token on the PancakeSwap cryptocurrency exchange. Instead of linking to the token they had developed, they included a link to a honeypot: that is, a malicious smart contract that aims to entice people to deposit funds that can then be stolen.

"You clowns literally linked a honeypot for your own token launch," wrote crypto sleuth zachxbt. Some users replied that they had lost money to the erroneous link.

Dechat quickly removed the post and created a new one with a corrected link. They also promised to reimburse users who had lost money to the honeypot.

Theme tags: Hack or scam
Blockchain tags: Blockchain: BNB Chain

BitForex shuts off website after $57 million withdrawal

The Hong Kong-based BitForex cryptocurrency exchange has shut down access to its platform after a suspicious outflow of around $57 million on several blockchains. Users who have tried to log in see a CloudFlare page explaining that they are blocked from accessing the website by CloudFlare's DDoS protection service.

The withdrawals were first noticed by blockchain detective zachxbt, who also noted that the exchange has stopped processing withdrawals and has not been replying to customer support inquiries.

It seems likely that the outflows were an exit scam rather than an outside attack, particularly given the lack of communication and somewhat shady status of the exchange. The firm faced regulatory scrutiny in Japan in mid-2023 for operating without a license, and has been accused of inflating its trading volume. Its CEO resigned in January, but promised a new team would be taking over.

Theme tags: Hmm, Rug pull, Shady business

"Fully private" Aleo blockchain accidentally sends out copies of users' identification documents

Aleo, a blockchain project that advertises it's a place for "fully private applications" with "built-in privacy" has just emailed private identification documents — including selfies and photographs of government identification cards — to the wrong users.

A user posted on Twitter that they had received an email with someone else's identification. "That makes me wonder, if I have someone else's KYC document, who else have you sent mine to?" Another person replied to the thread that they had experienced the same thing.

Aleo acknowledged their screw-up on social media, claiming that only ten individuals were impacted, and that it had happened thanks to a "copy/paste error in email metadata".

Theme tags: Hmm

Crypto tumbler Tornado Cash suffers code exploit, putting funds at risk

A community member of the Tornado Cash cryptocurrency tumbler project has reported that malicious code was added to the Tornado Cash project on January 1, which has put at risk funds deposited into the service. According to the community member, a successful governance proposal two months ago resulted in a code change, but malicious JavaScript included in the change went unnoticed.

The code leaks private notes associated with deposits to a "private malicious server" owned by the person who initiated the code change. Private notes on Tornado Cash are the keys that allow a person to later withdraw the funds they have deposited into the mixing service.

This is not the first time DAO governance has gone wrong for Tornado — in May 2023, the project underwent a hostile takeover via malicious code that went unnoticed.

Theme tags: Hack or scam
Tech tags: DAO, DeFi

Myanmar-based romance scam operation pulls in $100 million in less than two years

A pig-butchering operation in Myanmar has scammed victims of more than $100 million in Tether in less than two years, according to a report from Chainalysis and the anti-human trafficking organization International Justice Mission.

Many of the workers for the romance scam group are themselves victims of human trafficking. The operation is based in a "compound" near Myanmar's border with Thailand, and researchers estimate that thousands of trafficked workers operate the scam from the "self-contained city".

The scam may put more pressure on Tether, whose role in human trafficking and high-volume romance scam operations has been scrutinized more heavily in recent months and years. Tether has frozen some assets belonging to romance scammers in the past, but remains the token of choice for many of these groups.

Theme tags: Hack or scam
Blockchain tags: Blockchain: Tron

RiskOnBlast gambling platform rug pulls for $1.3 million

RiskOnBlast, a gambling and trading platform on the new ethereum layer-2 Blast blockchain, appears to have performed the blockchain's first major rug pull — before the blockchain has even officially launched. Blast was created by the developers of the Blur NFT platform, and received funding from the Paradigm crypto VC.

The team behind Blast had even helped to promote the RiskOnBlast platform, tweeting from its official account that Blast was "a new challenger" in the ecosystem with "undeniable" potential.

On February 25, the platform drained more than 420 ETH (~$1.3 million) from more than 750 user wallets on their platform. The project's anonymous team then laundered the funds through various services and exchanges. All social media accounts for the project were taken offline.

Theme tags: Rug pull
Blockchain tags: Blockchain: Ethereum
Tech tags: blockchain gaming

Australian disappears with more than US$585,000 erroneously transferred to his cryptocurrency account by OTCPro

When businessman Kow Seng Chai transferred AU$99,500 (~US$65,000) to a cryptocurrency account on the Australian OTCPro cryptocurrency trading platform on January 25, he received an unexpected windfall thanks to an extra 0 erroneously added to the amount. When he saw the AU$995,000 ($650,000) in his account, he set to work, cashing out the excess funds through multiple withdrawals of the maximum amount.

OTCPro didn't notice their error until February 4, by which point Chai had already disappeared. They were able to recoup some funds that Chai had left in the OTCPro account, putting their total loss at around AU$490,000 (US$320,000).

A judge issued an injunction to try to prevent Chai from leaving the country, and issued a freeze on his assets. However, a freeze may be ineffective depending on if and how Chai has laundered the funds.

Theme tags: Hmm

Blueberry Protocol narrowly avoids $1.3 million hack

The Blueberry defi leverage project had a bug in their lending contract, where improper decimal handling allowed for an exploit. An attacker tried to exploit the vulnerability, but was front-run by c0ffeebabe.eth, a well-known MEV bot operator and whitehat who has in the past been able to front-run other exploits and return the funds to the projects.

About 457.7 ETH ($1.35 million) was drained from the project, but 366.6 ETH ($1.08 million) of that was able to be returned. The remaining ~91 ETH (~$265,000) was lost to validator payments.

Blueberry paused their protocol as they investigated the hack, and stated that they "aim for a full repayment to users as the goal".

Theme tags: Good news, Hack or scam
Blockchain tags: Blockchain: Ethereum
Tech tags: DeFi

DeezNutz_404 hacked for $170,000

I might otherwise skip over news of a $170,000 hack, given how commonly thefts of that scale happen in the crypto world, but with a name like this... come on.

One thing that keeps me from ever trying my hand as a crypto project hacker is that if I made $170,000 from exploiting a project called "DeezNutz_404", I would immediately be caught because I wouldn't be able to resist telling everyone I know that I'd just made enough money to not have to work for a couple years by exploiting deez nuts.

Anyway, there was a bug in their code that allowed an attacker to mint infinite tokens and steal around 58.65 ETH (~$170,000).

Theme tags: Bug, Hack or scam

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.