SwissBorg announced that they would be reimbursing impacted customers using treasury funds, and working with security firms and law enforcement to try to recover the stolen assets.
$41.5 million stolen from SwissBorg in Kiln API exploit
Thieves stole 192,600 SOL (~$41.5 million) from a wallet belonging to the Swiss cryptocurrency exchange SwissBorg. The attack is being blamed on a vulnerability in the API of Kiln, a staking partner used for SwissBorg's "Earn" program.
Massive NPM supply chain attack puts crypto transactions at risk
After a JavaScript developer's NPM account was compromised in a phishing attack, attackers used it to upload malicious versions of heavily used JavaScript color and debugging libraries, as well as simple utilities that do things like
strip-ansi or determine if a variable is-arrayish. Altogether, the packages get around two billion downloads per week, and the compromise is being called the "largest supply chain attack in history".Once the malicious code is injected, it then intercepts network traffic and API calls, scanning for cryptocurrency transactions across numerous blockchains. When a network request is made to transfer crypto, the malicious code intercepts it and replaces the destination with wallets controlled by the attackers.
Various prominent people in crypto have warned about the attack, with Ledger CTO Charles Guillemet tweeting: "If you use a hardware wallet, pay attention to every transaction before signing and you're safe. If you don't use a hardware wallet, refrain from making any on-chain transactions for now."
Ultimately, the exploit was not very financially successful, with reports that less than $1,000 was stolen.
Nemo Protocol exploited for $2.4 million
The Nemo Protocol on the Sui blockchain suffered a $2.4 million exploit. The defi yield infrastructure protocol acknowledged the theft shortly after, explaining they had paused the protocol smart contracts as they investigated the theft. It appears the thief was able to manipulate a price oracle, siphoning $2.4 million in USDC from the project. They then bridged the funds from Arbitrum to Ethereum.
Venus Protocol user exploited for $13.5 million; most funds later recovered
A user of the Venus Protocol borrowing and lending platform was successfully phished by an attacker who gained access to their account and drained $13.5 million in stablecoins and wBETH. The user signed a malicious transaction, approving the attacker's address for token withdrawals.
Venus paused the protocol as they investigated the theft. The project then proposed a vote to force liquidation of the attacker's wallet and recover the stolen funds.
Bunni decentralized exchange exploited for $8.4 million
The Bunni decentralized exchange was exploited for approximately $8.4 million across the Unichain Ethereum layer 2 network and the Ethereum mainnet. Bunni acknowledged the theft and paused the protocol shortly after the attack.
Reddit shuts down its NFT avatars project
Three years after launching "Collectible Avatars", the NFT project they didn't want to call "NFTs" because they were already becoming kind of cringe, Reddit has decided to pull the plug. "Well, this is one of those posts. The kind that we hoped we would never have to write," they wrote.
Reddit has ended submissions for new avatars, and will shut down its avatar shop, collection display on profiles, and NFT wallet feature.
The feature is apparently so unused that the shutdown announcement garnered zero comments in the r/CollectibleAvatars subreddit. Besides posts relating to the shutdown, the most recent post in the subreddit was a year old.
This is the second blockchain-based feature Reddit has sunset, following the October 2023 decision to end their "Community Points" feature.
- "Closing up (the) Shop", post on r/CollectibleAvatars [archive]
BetterBank exploited, some funds returned
The PulseChain-based defi project BetterBank was exploited by an attacker who took advantage of a vulnerability that allowed them to mint arbitrary tokens, some of which they then swapped for ETH. The attacker later returned around $2.7 million of the stolen assets, having cashed out around $1.4 million.
The vulnerable smart contract had been audited by cybersecurity firm Zokyo, which claimed they had flagged the issue during an audit. BetterBank responded by claiming that the auditors had either not identified or failed to communicate the true severity of the flaw.
Bitcoiner socially engineered out of $91 million
A bitcoin holder reportedly fell for a social engineering attack after receiving communications from scammers posing as customer support for a crypto exchange and hardware wallet provider, according to crypto sleuth zachxbt. The thieves stole 783 BTC (~$91 million), which they then transferred through the Wasabi mixer to complicate tracing.
BtcTurk apparently hacked again, for $49 million
The Turkish cryptocurrency exchange BtcTurk has apparently been hacked again, as various blockchain security firms observed suspicious withdrawals estimated at around $49 million. BtcTurk later acknowledged it had experienced "unusual activity" in its hot wallets, and had suspended deposits and withdrawals. They did not provide any more details about the scale of the attack.
This is the second BtcTurk exploit, following an approximately $55 million theft in June 2024.
Odin.fun bitcoin memecoin launchpad exploited for more than $7 million
Odin.fun, a bitcoin-based memecoin launchpad sort of like the popular pump.fun, was exploited for 58.2 BTC (~$7 million). The attacker had apparently manipulated the price of various tokens, then withdrew bitcoin based on the inflated prices.
A team member suggested they were unsure of the total amount stolen, "but as of right now, our company treasury isn't big enough to cover the losses".