$29 million stolen from from Step Finance treasury wallets
The Solana-based defi portfolio tracker Step Finance lost 261,854 SOL (~$28.7 million) when a thief gained access to treasury and fee wallets. It's not yet clear how the attacker was able to steal the funds, although Step Finance posted to Twitter that the theft occurred via a "well known attack vector". Step wrote that they were working with cybersecurity firms and law enforcement to address the incident.
Aperture Finance users lose at least $3.4 million
An attacker exploited a bug in an Aperture Finance smart contract to steal at least $3.4 million from users who had enabled "instant liquidity management" features. Aperture Finance is a defi platform that aims to allow users to trade by telling large language models their "intents".
Aperture has said they disabled portions of their web app impacted by the bug, and are working to try to trace and recover stolen funds.
$13.43 million stolen from Matcha Meta users in SwapNet exploit
Some users of Matcha Meta, a decentralized exchange aggregator on the Base blockchain, suffered losses after a thief exploited a vulnerability in its SwapNet integration. SwapNet is another DEX aggregator that integrates with Matcha Meta, and Matcha blamed a vulnerability in their smart contracts that enabled a thief to steal assets transferred via the integration.
Most of the lost funds came from a single user, who lost $13.34 million in assets. Other users lost a combined $90,000.
- "SwapNet Incident Post Mortem", Matcha Meta
Saga halts blockchain after $7 million theft
The Saga project halted its blockchain after acknowledging that $7 million had been stolen. An attacker was evidently able to mint a large quantity of Saga Dollar tokens, though it's not yet clear whether it was because of a smart contract vulnerability, private key compromise, or some other issue. The attacker was quick to swap most of the assets to ETH to thwart asset freezes or blockchain halts.
The Saga Dollar token lost its peg and fell to around $0.75 after the attack.
Crypto holder loses $283 million to scammer impersonating wallet support
A crypto holder has lost $282 million in bitcoin and litecoin after a scammer impersonating a customer support employee for the Trezor hardware wallet manufacturer successfully convinced them into revealing their seed phrase. After gaining access to the assets, they quickly swapped them to the Monero privacycoin. The volume of assets was so large that the Monero price spiked as the scammer laundered the finds. The scammer also swapped assets using the THORChain project, which boasted on social media about the "World record speedrun. ⚡️" (presumably without realizing they were bragging about a thief using their project to launder money).
Around $700,000 of the stolen assets were frozen thanks to intervention by a security firm called ZeroShadow, although this represents only 0.2% of the total loss.
Truebit exploited for over $26 million
A bug in a smart contract belonging to the Ethereum-based Truebit project allowed an attacker to steal 8,535 ETH (~$26.4 million). The thief targeted one of the project's older contracts — deployed in 2021 — which contained a bug in which the price calculation to mint sufficiently large quantities of the protocol's TRU token would overflow, erroneously allowing people to mint large amounts of TRU for next to nothing. The exploiter took advantage of this by minting TRU and swapping it for ETH, ultimately causing the TRU token price to crash 99.9%. Another subsequent attack saw around $300,000 more drained from the project.
Truebit acknowledged the hack and urged users not to interact with the vulnerable smart contract.
Unleash Protocol exploited for $3.9 million
Unleash Protocol, a project promising to allow creators to register their intellectual property on the blockchain, has been exploited for around $3.9 million. An attacker was able to gain administrative access, despite the project's governance system ostensibly being protected by a multisignature wallet. They then deployed a new smart contract, which allowed them to siphon assets from the project. The attacker then bridged the funds to ETH and laundered them via the Tornado Cash cryptocurrency mixer.
Flow blockchain exploited for $3.9 million
The Flow blockchain suffered an exploit in which an attacker was able to mint a large number of wrapped FLOW tokens, which they then swapped to tokens on other blockchains. Ultimately around $3.9 million was stolen, and the FLOW token dramatically plunged in price.
Some crypto exchanges, such as Upbit and Bithumb, halted withdrawals and deposits for FLOW after the exploit was discovered. Flow later confirmed the exploit, and said that validators "executed a coordinated halt" of the network to shut down the attack.
Binance's Trust Wallet extension hacked; users lose $7 million
The Trust Wallet Chrome extension was compromised in an apparent supply chain attack. People who used the non-custodial wallet extension after it updated to version 2.68 lost funds after malicious code was introduced to exfiltrate wallet seed phrases so that the attackers could then drain the wallets. Victims have lost a combined $7 million due to the compromise.
Binance founder Changpeng Zhao — who supposedly has no managerial role at Binance after he and the company were criminally charged in the US — announced that Binance would reimburse users who lost funds.
Crypto trader loses $50 million to address poisoning attack
A crypto trader lost almost $50 million in the Tether stablecoin after falling victim to an address poisoning attack. Because blockchain wallet addresses are long, random alphanumeric strings, traders often use the first and/or last several characters to quickly recognize wallets, and copy and paste regularly used wallet addresses from their transaction history. This has given rise to a type of scam known as "address poisoning", where scammers generate wallet addresses that share similar beginning and end characters, and use them to send transactions to wealthy victims. If they're lucky, as they were in this case, the victim will accidentally copy the similar looking scammer's wallet address when making a transfer of significant size.
After the theft, the victim sent an on-chain message to the scammer, offering a $1 million "bounty" for the return of the remaining funds. They threatened, "We have officially filed a criminal case. With the assistance of law enforcement, cybersecurity agencies, and multiple blockchain protocols, we have already gathered substantial and actionable intelligence regarding your activities." However, there's been no activity from the wallet since the message, and the thief had long since begun laundering the funds via Tornado Cash.
- Thief wallet, Etherscan [archive]
- On-chain message, Etherscan