UniLend acknowledged the hack, downplaying it as affecting "only" 4% of the platform's $4.7 million TVL. They offered a bounty to the attacker.
UniLend exploited for almost $200,000
The UniLend project, which advertises itself as a "unified platform for all things AI and defi", was exploited for almost $200,000. An attacker was able to take advantage of a bug in a smart contract that handled token redemption.
Bankless hosts slammed for dumping tokens
The hosts of the Bankless crypto podcast have landed in hot water after selling off some of the substantial quantities of $AICC tokens they were allocated as investors in the project. The $AICC project was launched by ejaaz, a co-host on an affiliated Bankless podcast, and had been promoted on Bankless shows. Each co-host received 9 million $AICC tokens in exchange for their 5 SOL (~$950) investments. The brand's venture capital arm, Bankless VC, also invested 2 SOL (~$380) and received a 3.64 million token allocation.
Shortly after the token's public launch, Bankless VC dumped 300,000 AICC (8% of their allocation) for 344 SOL ($65,300). By immediately dumping tokens on retail when the token opened for public trading, they were able to sell the tokens for an average of $0.22 — considerably higher than the $0.05 to $0.11 the token has been trading at over the last 24 hours.
When questioned about the trades, Bankless host David Hoffmann wrote: "Agree that Bankless Ventures should not be selling tokens - that was an impulsive mistake." He announced that they had repurchased the tokens they had sold, and were "discussing a self-imposed vesting schedule" for selling tokens that they themselves had promoted.
They later posted a long apology in their Discord, blaming the sales on Ben Lakoff, a general partner of Bankless VC. "Ben did not have context for this, and was in the mindset of trading a local high as you might trade a meme coin you're bullish on - or there's no way he would have done this - huge mistake, first time something like this has happened - he's devastated", explained Bankless co-host Ryan Sean Adams. He also placed some blame on AICC for not imposing any token lockups or vesting schedule that would prohibit early investors from dumping tokens on retail.
- Tweet by David Hoffman [archive]
- Tweet by David Hoffman, with Discord post by Ryan Sean Adams [archive]
- AICC investor token sales [archive]
$2.2 million stolen by fake job scammers
New York Attorney General Letitia James announced a lawsuit against a group of scammers operating a scheme in which they promised fake job opportunities to victims, convincing them they needed to first deposit cryptocurrency. Victims were told they would be generating review data for online products, but that they needed to maintain account balances equivalent or greater to the value of the products they were reviewing. They were then tricked into sending the cryptocurrency into digital wallets where they could be taken by the scammers. Those who tried to withdraw the assets were then scammed again, told they needed to pay a "blockchain verification fee" or "escrow fee".
One single victim was defrauded out of more than $100,000.
The NYAG has seized $2.2 million in Tether, and is pursuing legal action against the as-yet-unidentified scammers. Because of the unknown identities of the defendants, the NYAG will serve notice of the lawsuit via NFT — something they describe as a first by government regulators.
Moby Trade loses over $1 million to private key leak
The Moby Trade defi options protocol suffered a $1 million loss, narrowly avoiding the loss of another nearly $1.5 million. The project team stated that a hacker had "identified and exploited a vulnerability in the key management system" that was supposed to protect a private key used by the project. Using the private key, they were able to perform contract upgrades that then allowed them to drain about almost $1.1 million in wBTC, wETH, and USDC.
Another $1.47 million in assets were vulnerable as a result, but the whitehat blockchain security firm Seal911 successfully drained those funds to later be returned to the protocol once it was secured.
- "Moby Post-Mortem Report / Growth Plan", Moby Trade blog [archive]
- Moby Trade, Rekt [archive]
Orange Finance hacked
The Arbitrum-based liquidity management project Orange Finance suffered at least $840,000 in losses after hackers compromised the project's admin address, then used it to upgrade the project's smart contracts and transfer funds.
"The team is not sure what happened," wrote Orange Finance in a tweet announcing the hack, encouraging people to revoke contract approvals for the compromised addresses.
Orange Finance attempted to negotiate with the attacker via on-chain message, writing, "If you respond positively to our offer within 24 hours, we guarantee that no law enforcement agencies will be involved, and the matter will be treated as a white-hat hack."
Hengelo man arrested in alleged crypto pyramid scheme
A self-described crypto banker from Hengelo, Netherlands was arrested in connection to an alleged crypto pyramid scheme he'd been running. He'd originally told police that he was being harassed by investors after he told them he had lost the invested funds, and police helped him move to a safe location. However, after a group of investors amassed evidence that he was scamming the friends, associates, and others he'd lured into the scam, he's been arrested.
Victims estimate that between €1.5 million and €4.5 million (~$1.54 million – $4.64 million) was stolen.
Man reports losing $100,000 to website spoofing a crypto exchange
A man who received an inheritance in 2021 and decided to put it into crypto lost his entire $100,000 balance when he fell victim to a spoofing site in 2023. When he decided to withdraw the tokens, he Googled to find the Kraken crypto exchange where he had purchased them, and clicked on a result. However, despite the fact that it "was the first one to come up and it was branded with the same colours", the man clicked on a phishing website designed to mimic the Kraken exchange. Minutes after entering his credentials, his real Kraken account was drained. "This is money we don't have to spare," said the man. "I have three kids to put through college and this has been quite disruptive in the family."
The man contacted Canadian police, who told him the assets had been transferred out of the country and that they were unable to trace it.
NoOnes hacked for almost $8 million
After crypto sleuth zachxbt noticed an apparent theft from the NoOnes peer-to-peer crypto trading platform on January 1, CEO Ray Youssef was forced to acknowledge the theft. He claimed that the project's Solana bridge had suffered a compromised, and explained that it had been taken offline for "exhaustive pen testing".
Youssef emphasized that user funds were safe, which led to questioning from others on how that could be possible when nearly $8 million had been stolen. Youssef claimed he had reimbursed the stolen assets himself.
- Telegram post by zachxbt [archive]
- Tweet by Ray Youssef [archive]
Feed Every Gorilla hacked again for over $1 million
The "Feed Every Gorilla" project has once again been hacked, after suffering a pair of flash loan attacks in May 2022 amounting to $1.9 million in losses. The protocol also suffered losses later in 2022, thanks to an issue with a token locking service that cost FEG $2 million (though around $1.9 million was ultimately returned by the exploiter).
This time, the FEG project team blamed an issue with the project's bridge, which is a tool used to deposit and withdraw tokens from the project. An attacker was able to maliciously withdraw a large amount of FEG tokens via the flaw in the bridge, which they then sold off for around $1.07 million, tanking the FEG token price by 99% in the process. The bridge had been audited by the PeckShield blockchain security firm.
SEC fines Jump Crypto subsidiary $123 million
The SEC has levied a $123 million fine against Jump Crypto subsidiary Tai Mo Shan, which was part of a secret deal with Terraform Labs to help prop up the floundering Terra stablecoin in May 2021. Jump spent $20 million to help the supposedly “self-healing” stablecoin regain its $1 peg, earning about $1.28 billion in the process, and Terraform Labs CEO Do Kwon would later claim that the restoration to a $1 price was thanks to an automatic feature of the Terra project and not some backroom deal. This lie by Terraform Labs and Jump Crypto helped build confidence in the sustainability of the Terra token, which collapsed horrendously a year later.
The SEC also found that Tai Mo Shan had acted as a statuary underwriter for the Terra sister token Luna, which was an unregistered security.
Tai Mo Shan agreed to the fine, and to a prohibition on future violations of securities laws.
- “Tai Mo Shan to Pay $123 Million for Negligently Misleading Investors About Stability of Terra USD”, U.S. Securities and Exchange Commission [archive]