The Idols NFT loses $324,000 to exploit

Image: Idol #1295 (an illustration of a young-looking human wearing silver armor and a blue toga, with a silver tiara, long brown hair, and blue markings on their face)

An attacker noticed a vulnerability in a smart contract for The Idols, an NFT project that also incorporates ETH staking functionality. They discovered that a function used to distribute rewards had a bug when the sender and recipient addresses were the same, allowing a holder to repeatedly claim rewards. By taking advantage of this bug, they were able to siphon 97 stETH (~$324,000) from the project.

Although The Idols boasts of two audits from several years ago, the contract containing the vulnerability may not have been audited.

UniLend exploited for almost $200,000

The UniLend project, which advertises itself as a "unified platform for all things AI and defi", was exploited for almost $200,000. An attacker was able to take advantage of a bug in a smart contract that handled token redemption.

UniLend acknowledged the hack, downplaying it as affecting "only" 4% of the platform's $4.7 million TVL. They offered a bounty to the attacker.

$2.2 million stolen by fake job scammers

Wish Online Support

I understand so if no other option then I have no solution to resolve. I only have until Monday to find the money and resolve the account or I will lose the money on my account?
My trainer was giving me false hope saying the most he ever had to deposit was $7k. I was not aware of such high money needed
Bad information leads to me losing money I guess
Please send me 7k usdt and I will cut my losses on the rest. I have no way to resolve the account. I need the money back to live on and buy my family food

Reply: Firstly, I want to make it clear to you that your funds will remain in your account until the transaction is completed. They will not be lost or disappear, and this is something I can assure you of. 

How long will they remain in the account?

Reply: Your funds and current negative balance will remain on your account until you have completed them.
Reply: However, what I currently need to know is how long it will take for you to complete your account, so that I can better assist you in negotiating with the merchant. 
Reply: Because in the above information you have already mentioned to me that you need time to

Image: Text messages between victim and scammer

New York Attorney General Letitia James announced a lawsuit against a group of scammers operating a scheme in which they promised fake job opportunities to victims, convincing them they needed to first deposit cryptocurrency. Victims were told they would be generating review data for online products, but that they needed to maintain account balances equal to or greater than the value of the products they were reviewing. They were then tricked into sending the cryptocurrency into digital wallets where it could be taken by the scammers. Those who tried to withdraw the assets were then scammed again, told they needed to pay a "blockchain verification fee" or "escrow fee".

One single victim was defrauded out of more than $100,000.

The NYAG has seized $2.2 million in Tether, and is pursuing legal action against the as-yet-unidentified scammers. Because of the unknown identities of the defendants, the NYAG will serve notice of the lawsuit via NFT — something they describe as a first by government regulators.

Moby Trade loses over $1 million to private key leak

The Moby Trade defi options protocol suffered a $1 million loss, narrowly avoiding the loss of another nearly $1.5 million. The project team stated that a hacker had "identified and exploited a vulnerability in the key management system" that was supposed to protect a private key used by the project. Using the private key, they were able to perform contract upgrades that then allowed them to drain almost $1.1 million in wBTC, wETH, and USDC.

Another $1.47 million in assets were vulnerable as a result, but the whitehat blockchain security firm Seal911 successfully drained those funds to later be returned to the protocol once it was secured.

Orange Finance hacked

The Arbitrum-based liquidity management project Orange Finance suffered at least $840,000 in losses after hackers compromised the project's admin address, then used it to upgrade the project's smart contracts and transfer funds.

"The team is not sure what happened," wrote Orange Finance in a tweet announcing the hack, encouraging people to revoke contract approvals for the compromised addresses.

Orange Finance attempted to negotiate with the attacker via on-chain message, writing, "If you respond positively to our offer within 24 hours, we guarantee that no law enforcement agencies will be involved, and the matter will be treated as a white-hat hack."

Hengelo man arrested in alleged crypto pyramid scheme

A self-described crypto banker from Hengelo, Netherlands was arrested in connection with an alleged crypto pyramid scheme he'd been running. He'd originally told police that he was being harassed by investors after he told them he had lost the invested funds, and police helped him move to a safe location. However, after a group of investors amassed evidence that he was scamming the friends, associates, and others he'd lured into the scheme, he was arrested.

Victims estimate that between €1.5 million and €4.5 million (~$1.54 million – $4.64 million) was stolen.

Man reports losing $100,000 to website spoofing a crypto exchange

A man who received an inheritance in 2021 and decided to put it into crypto lost his entire $100,000 balance when he fell victim to a spoofing site in 2023. When he decided to withdraw the tokens, he Googled to find the Kraken crypto exchange where he had purchased them, and clicked on a result. However, although the result "was the first one to come up and it was branded with the same colours", it was a phishing website designed to mimic the Kraken exchange. Minutes after he entered his credentials, his real Kraken account was drained. "This is money we don't have to spare," said the man. "I have three kids to put through college and this has been quite disruptive in the family."

The man contacted Canadian police, who told him the assets had been transferred out of the country and that they were unable to trace them.

Feed Every Gorilla hacked again for over $1 million

The "Feed Every Gorilla" project has once again been hacked, after suffering a pair of flash loan attacks in May 2022 amounting to $1.9 million in losses. The protocol also suffered losses later in 2022, thanks to an issue with a token locking service that cost FEG $2 million (though around $1.9 million was ultimately returned by the exploiter).

This time, the FEG project team blamed an issue with the project's bridge, which is a tool used to deposit and withdraw tokens from the project. An attacker was able to maliciously withdraw a large amount of FEG tokens via the flaw in the bridge, which they then sold off for around $1.07 million, tanking the FEG token price by 99% in the process. The bridge had been audited by the PeckShield blockchain security firm.

Crypto holder loses assets priced at $2.5 million

A crypto holder tweeted at the Ledger hardware wallet manufacturer to report that 10 BTC (~$1 million) and "~1.5m of NFTs" had been stolen from a Ledger wallet they were using. "The ledger was purchased directly from you. The seed phrase was stored in a secure location, never entered anywhere online. I never signed any malicious transactions. Everything is in my physical possession. I haven’t touched this ledger in 2 months," they wrote.

Some blamed the theft on an apparent malicious Ethereum transaction the user had signed nearly three years prior. However, while a malicious transaction signature on Ethereum could explain the NFT thefts, it should not alone enable the theft of assets on the separate bitcoin blockchain.

Despite this, Ledger blamed its customer, telling a media outlet that "As we know, the user got phished when it comes to the ETH wallet, we can assume user error on the BTC side too".

Former pastor charged with crypto scheme in which he stole $5.9 million from his former congregants

The CFTC has filed suit against Francier Obando Pinillo, an American former pastor who targeted his former congregants and other unsophisticated investors with a crypto pyramid scheme called "Solanofi". He promised victims that his supposed automated trading system was "risk free", and that they would earn guaranteed profits as high as almost 35% compounded monthly — which he "proved" to them with an online dashboard showing faked balances. They were also encouraged to recruit friends and family, and incentivized with referral fees.

Despite his promises, Pinillo had created no trading platform whatsoever, was doing no crypto trading, and simply pocketed all the money. Any payments made to his customers during the fraud were taken from newer investors, in classic Ponzi fashion.
