WazirX exchange hacked for $235 million

After a $230 million "suspicious transfer", Indian cryptocurrency exchange WazirX has paused withdrawals and acknowledged that one of their multisignature wallets was compromised. The attacker began selling off the tokens, causing the price of tokens like Shiba Inu to drop around 10%.

WazirX is the largest cryptocurrency exchange in India. The company was acquired by Binance in 2019, but the two companies re-separated in 2023 after a bizarre public dispute.

WazirX's June 2024 proof-of-reserves reported around $500 million in total holdings, making the $235 million theft a substantial portion of the assets held at the exchange.

Blockchain sleuth zachxbt observed that the theft had some of the hallmarks of the Lazarus Group, a North Korean hacking group that has perpetrated other 9-figure heists including the $625 million Axie Infinity theft in March 2022, and the theft of more than $100 million from Atomic Wallet users.

Users of LI.FI protocol suffer losses of at least $10 million

Users of the cross-chain swapping API LI.FI Protocol, and of projects that build on top of it, suffered wallet drains amounting to at least $10 million (and counting). An attacker was able to exploit the users who had set infinite approvals. The protocol urged those who had interacted with several affected smart contracts to revoke permission, and warned: "Please do not interact with any LI.FI powered applications for now!"

Minterest hacked for $1.4 million

An attacker stole $1.4 million from the defi lending project Minterest. Using a flash loan attack, they manipulated the exchange rate calculated by the project, allowing them to withdraw more tokens than they originally loaned.

Minterest paused the supply and borrow portions of their protocol after the attack, and attempted to contact the attacker to negotiate a return of some of the funds.

Dough Finance hacked for $1.9 million

Defi platform Dough Finance was hacked for 608 ETH ($1.8 million) by a hacker using a flash loan attack funded through the Railgun privacy service.

Dough Finance sent an on-chain message to the attacker, asking them to return the "misappropriated funds", threatening that they would "pursue all criminal, legal, and administrative avenues available" in the event that the attacker did not do so.

Popular defi protocol websites replaced with wallet drainers amid mass Squarespace domain hijacking

Websites providing the frontends for some popular defi services, including Compound Finance, were compromised and replaced with wallet drainers: websites resembling the usual frontend, but which drain unsuspecting users' wallets when used.

Somewhat ironically, the "Unstoppable Domains" web3 domain service was also impacted, and their site was offline for a while before they regained control.

The hijacking appears to be thanks to an attack on Squarespace's domain registry. Crypto founder Bobby Ong has suggested that the attack is affecting domains acquired through Google Domains, which sold its business to Squarespace several months ago. "Tthe forced migration of domains to Squarespace removed 2FA causing all these domains to be vulnerable and several have been hijacked," he wrote. "Best thing to do is to not interact with crypto and rest for the next couple of days until everything is resolved."

Web2 is going just great!

Doja Cat's Twitter account hacked to promote meme token

Tweet by Doja Cat: "buy $DOJA or else" followed by a Solana address. There's a photo of her brandishing a toy scimitar and she's wearing a chainmail hood.Tweet from Doja Cat's hacked account (attribution)
The Twitter account belonging to rapper Doja Cat was compromised on July 8, tweeting to her 5.6 million followers that they should "buy $DOJA or else", and various other messages to that effect. Doja Cat quickly posted on her Instagram account to say that the Twitter account had been compromised.

The attacker appeared to have only marginal success, as the token reached a market cap of around $500,000 before collapsing by 96%.

Hackers have compromised a string of celebrity Twitter accounts to promote memecoins recently, including those of Hulk Hogan and Metallica.

Bittensor wallets drained

Some users of the Bittensor wallet software suffered wallet drains as thieves emptied their cryptocurrency wallets of the project’s TAO token. Around 32,000 TAO, notionally worth around $8 million, was siphoned. Although blockchain sleuth zachxbt hypothesized that the attack may have been thanks to a private key leak, Bittensor later claimed that affected users had in fact been compromised by a malicious Bittensor package that had been uploaded to Python's PyPi package manager. It's not yet clear how the malicious package made it onto the package manager.

Bittensor is among the artificial intelligence-focused cryptocurrency projects that have become popular recently amid the AI hype. Although the project website boasts that "Bittensor is creating a new future for humanity, where new economies and new commodities are decentralized by design and where no single entity is a sole authority," the group unilaterally halted the chain in the wake of the attack.

Farcana token plummets 60% amid murky explanations

The token for the Farcana blockchain shooting game plummeted in value by around 60%. First, the project team announced that one of the project wallets had been compromised. However, they later deleted that tweet, then claimed that one of their market makers had been compromised. They emphasized that their wallets had not been hacked, and that their smart contracts had not been exploited.

23.8 million FAR were taken from a wallet, and the majority were sold for around $164,000 in USDT. The exploiter still holds 3.4 million FAR, which are notionally worth $83,250 but not likely to be sellable for that amount.

Farcana raised $10 million in seed funding in November 2023 from investors including Animoca and Polygon Ventures.

Victim loses $11 million to permit phishing

A victim lost $11 million in Aave Ethereum (aEthMK) and Pendle USDe tokens after signing several permit phishing signatures. Permit phishing is a technique in which scammers convince a victim to sign a transaction that grants broad permissions, allowing the scammer to then drain assets from the wallets.

Sportsbet.io likely hacked for $3.5 million

It appears that the online crypto sports betting platform Sportsbet.io suffered a theft of around $3.5 million in USDT and Tron's TRX tokens. The theft was observed by crypto sleuth zachxbt, who noted that the theft seems to have been perpetrated by the same attacker who stole at least $55 million from the BtcTurk cryptocurrency exchange only hours earlier.

SportsBet has not yet disclosed any theft.

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.