$1.7 million rendered inaccessible for weeks in broken bridge to new Shibarium network

People were very excited when the Shiba Inu-focused "Shibarium" layer-2 Ethereum blockchain went live on August 16. The dog-themed network is part of a push to make Shiba Inu a "serious blockchain project" — though the network will use $BONE, $TREAT, $SHIB, and $LEASH tokens, and is still fundamentally based around a dog meme.

A bridge between Ethereum and the Shibarium network was released as the network went live, and eager users quickly transferred a combined 954 ETH (~$1.7 million) to the bridge contract so they could access it on the new chain. However, users started reporting that transactions were stalled, and they weren't able to access their tokens on the Shibarium side.

The team quickly shut down conversation on Discord as more issues were raised, and claimed in a blog post that the issues were caused by nothing more than the network being overwhelmed with traffic. The team denied the authenticity of screenshots of a Telegram chat appearing to show the lead developer writing that the funds were unrecoverable, insisting they were safe.

Finally, weeks after the botched launch, Shibarium re-enabled the bridge and told users they could once again access their funds. Though there have been some delays in transactions, the "stuck" funds appear to be retrievable.

SwirlLend rug pulls for around $460,000

Despite the fact that Coinbase's Base blockchain was only officially launched a week ago, and a relatively small amount of funds are locked on the chain, it's already racking up its own tally of scams and hacks.

SwirlLend was a lending protocol operating on both Base and the similarly newborn Linea chain. Shortly after its launch, the project drained a combined $460,000 from the two chains, then deleted its social media accounts.

Prime Trust files for bankruptcy

After the Nevada Financial Institutions Division issued a cease and desist describing Prime Trust as insolvent in June, then successfully requested the company be placed into receivership days later, it's no huge surprise that Prime Trust has filed for bankruptcy.

Prime Trust is a crypto custodian that previously served companies including Binance US, Swan Bitcoin, and BitGo. Just a year ago, the company announced they had raised $100 million in a Series B funding round, and planned to add crypto retirement accounts to its list of products. It's probably a good thing that didn't pan out.

According to bankruptcy documents, Prime Trust has between $50 million and $100 million in assets, but between $100 million and $500 million in liabilities. They report having between 25,000 and 50,000 creditors.

RocketSwap exploited after key compromise

Exploiters stole around 471 ETH (~$857,000) from the RocketSwap project on the Base Ethereum layer-2 blockchain. According to RocketSwap, the project had stored private keys on a server which was then hacked via brute force. "We are very sorry for your loss," they wrote on Twitter.

RocketSwap later announced a plan to airdrop tokens to "compensate" users for the theft. They also tried to reassure projects that were migrating away from RocketSwap that there was "no need to run away, your funds are safe".

Zunami Protocol exploited for more than $2.1 million

The Zunami Protocol stablecoin-focused yield farming aggregator was exploited for more than $2.1 million when an attacker was able to perform a price manipulation attack on the project's primary pool. Zunami attracted users by promising "the highest APY on the market": around 14%. The project had been audited by Ackee and HashEx.

The attack was a "classic price manipulation" exploit, according to the Ironblocks security firm. The attacker was able to steal 1,152 ETH ($2.13 million) from the protocol. They then tumbled the stolen funds through Tornado Cash.

Uniswap developer fired over FrensTech rug pull

After pulling off a rug pull that only netted 14 ETH (~$25,900), Allen Lin (known as AzFlin) lost his day job for the company that maintains the Uniswap DEX. Hope it was worth it.

Lin had created a project called "FrensTech", which aimed to capitalize on the popularity of a product called "friends.tech", and which ultimately accumulated the 14 ETH in fees before he decided to drain liquidity. Lin had not tried to conceal his identity. After the rug pull, Uniswap founder Hayden Adams wrote on Twitter: "Wanted to let people know this person is no longer with the company. Not behavior we support or condone."

Lin was unapologetic, tweeting: "got fired from uniswap, but gained 600 new followers and [crypto Twitter] villain status. net neutral tbh".

Bittrex settles with SEC for $24 million

The Bittrex crypto exchange was charged in April by the SEC for operating an unregistered exchange, broker, and clearing agency. In May, Bittrex filed for bankruptcy. Now, Bittrex has agreed to a $24 million fine to settle the charges from the SEC. If approved, Bittrex will have sixty days after filing a liquidation plan to pay the amount to the SEC — $18.4 million of which is disgorgement, plus a $5.6 million fine.

SpiritSwap to shut down after Multichain collapse

SpiritSwap announced on its Discord that the project will be shutting down on September 1 unless they can find a new team to take over the project by that time. SpiritSwap lost their entire project treasury in the collapse of Multichain, and announced that they have "run out of funds to cover the necessary operational costs." The project plans to remain operational until September 1 to remove their liquidity.

SpiritSwap was previously one of the most popular DEXes on Fantom, boasting an all-time-high of $374 million in January. It now has less than $3 million TVL, thanks in part to the Multichain collapse and to the broader cryptocurrency bear market.

SpiritSwap is only the most recent project to announce its closure as a result of the Multichain fiasco. In July, Geist Finance and Hector Network also announced they would be shutting down due to Multichain contagion.

Multiple wallets compromised due to irresponsible encryption in Libbitcoin project

A team of researchers led by the Distrust security research firm have disclosed a vulnerability they've called "Milksad". The popular Libbitcoin project was used by multiple cryptocurrency wallets to generate private keys, but it turns out it was irresponsibly implemented, producing flawed output. The team used a pseudo-random number generator seeded with only 32 bits of system time to produce private keys, meaning that private keys could be brute-forced in "a few days of computation on the average gaming PC, at most".

Nevertheless, when Distrust disclosed this to Libbitcoin, the team replied first that they were too busy, then twice that "they do not feel this is a bug".

The research team has not yet disclosed which wallets were affected by the vulnerability, but they have estimated that around $900,000 were stolen as a result.

Hundred Finance shuts down after hacks

Hundred Finance is a lending protocol that was exploited in April 2023 for around $7 million, and in March for over $6 million. Since then, they've worked with law enforcement and security contractors to recover the funds, but "imminent return of the stolen assets does not appear to be forthcoming."

The project undertook a vote to shut down the lending service, and use remaining funds in the project treasury to try to compensate those who lost funds in the attack. The project also aims to distribute to victims of the hack claims on any funds that might be returned or otherwise recovered in the future.

The vote passed with 99% of votes in support, effectively sunsetting the project.

Disney exits the metaverse

Disney has shut off the last light in its metaverse division, parting ways with "metaverse chief" Michael White. In February 2022, Disney's then-CEO described the metaverse as "the next great storytelling frontier". That sentiment appears to have been short-lived, because in March 2023, Disney cut its 50-person metaverse team, leaving only White.

Scammers target victims via web3 job search boards

Job listing website called cryptojobs.com, with a highlighted "Premium Job" reading "Beta Testers Needed for... Eco Land"Scam job listing (attribution)
Scammers are constantly coming up with creative new ways to pull off their scams, and the latest seems to be targeting web3-interested individuals via dedicated web3 jobs portals. One Twitter user described an experience in which he applied for a beta testing job for a play-to-earn crypto game, only to have his wallet drained when he downloaded what was supposed to be the game file, but was actually malware. He lost 875 ARB ($1,032), 60 OP ($140), and various other tokens.

"Jobless and a bit poorer, thanks guys!" he wrote. "You're passionate about its technology, you wanna be part of it. You DCA. You hodl. You do everything you can to do things right... you're passionate, love the space, the tech. The people. Your willingness to get a job in Web3 is enormous! I stand for on-chain values, and I wanna be a part of the wave!" he wrote in frustration, trying to explain how he'd gotten scammed. "The apparent legitimacy of these [web3 job listing] sites made me remove the 'watch out filter', and boom."

Bitsonic CEO arrested for allegedly stealing $7.5 million

Jinwook Shin, CEO of the Bitsonic crypto exchange, was arrested in South Korea for allegedly stealing funds from users of his exchange. According to the prosecutors, he allegedly manipulated prices and trading volumes on the exchange in order to profit around ₩10 billion (~$7.5 million) the beginning of 2019 and mid-2021.

Bitsonic halted its services in August 2021, claiming "internal and external issues". However, even after halting withdrawals, Shin continued to offer cryptocurrency to new clients.

Cypher protocol exploited for around $1 million

An NFT message, contained in an orange frame with "New Message" at the top. Text: "give it back you shitlord"NFT message to the attacker (attribution)
The Solana-based Cypher protocol, a decentralized futures exchange, froze its smart contract after an attacker stole a little more than $1 million in Solana tokens and the USDC stablecoin.

The project attempted to contact the hacker to negotiate the return of some of the funds. Meanwhile, various community members sent NFTs to the attacker wallet, requesting the return of the funds. One of them tried to convince the hacker, writing that they believed the attacker's identity could be discovered because they used centralized exchanges with KYC to try to withdraw funds. Another simply said "give it back you shitlord".

Steadefi exploited for over $1 million

"NOTICE: Steadefi has been exploited and all funds are currently at risk," wrote Steadefi on Twitter after an attacker was able to change the contract owner to their own address — likely indicating a private key leak. So far, 624 ETH (~$1.14 million) have been siphoned from the project.

Rumors swirl that Huobi executives have been arrested, exchange is insolvent

Hong Kong crypto news outlet Techub cited two insiders when reporting on August 5 that "at least three executives" at Huobi had been detained by Chinese police for investigation. The report sparked panic, and the exchange has seen net outflows of more than $73 million in the past week. Huobi's stablecoin balances are down 33% over the same period. Investor and crypto analyst Adam Cochran tweeted of "likely Huobi insolvency", citing Binance's bulk Tether sales, paused "audit" reports, and "weird balance shifts" at the exchange.

Huobi and related people have been busy refuting the rumors, with Huobi's social media head dismissing them as "baseless malicious attacks". Huobi "advisor" Justin Sun tweeted "4".

Worldcoin warehouse in Nairobi raided by authorities

After Kenya shut down Worldcoin's operations in the country over data privacy concerns, police have raided a warehouse in Nairobi. Authorities reportedly took "machines they believe stores data gathered by the firm" as well as various documents, according to Kenyan newspaper Kahawa Tungu.

Kenya's Office of the Data Protection Commissioner has said that Worldcoin failed to accurately disclose its intentions with the project when corresponding with regulators.

Copytrader asks for "stolen" funds back after someone tricks their bot

An Azuki NFT: an anime-style side portrait of a person with short brown hair, a beige headband tied around their head, wearing a puffy coat and holding a fanAzuki #9745, one of the NFTs purchased at an inflated price (attribution)
After noticing someone set up a bot to copy his bids, NFT trader Hanwe Chang tricked the bot into purchasing multiple NFTs at hugely inflated prices. Chang purchased a large number of Azuki NFTs using an anonymous wallet, then placed an inflated 50 ETH (~$90,700) bid on one. The bot then came along and offered the same amount on the other NFTs, and Chang accepted the overpriced bids. Altogether, Chang made 800 ETH (~$1.45 million) from the scheme, draining the bot of its available funds. Azukis have been trading with a floor price of around 5 ETH (~$9,000).

The apparent operator of the bot tweeted at Chang, accusing him of theft: "We would like to discuss a bounty with you. We are offering a 10% bounty of any funds stolen from our bot, which are yours to keep if you return the remaining 90%." In other tweets they suggested they might try to take legal action against Chang for the "theft".

Revolut shuts down crypto business in the US

Revolut, a British fintech firm, has announced it will no longer offer cryptocurrency services to its US-based customer. As is becoming typical, they blamed US regulations and "crypto market uncertainty" for the decision.

Revolut had previously been one of the crypto platforms to limit US trading in Solana, Cardano, and Polygon tokens after the SEC identified those tokens as securities in lawsuits against Binance and Coinbase.

Web3 platform Nifty's shuts down

Nifty's was a web3 business backed by the likes of Mark Cuban, Joey Lubin, Coinbase, and Dapper Labs. In 2021, they raised a $10 million seed round, and launched as an NFT-focused company in July 2021 with a collection of Space Jam NFTs to accompany the widely panned box office disappointment, Space Jam: A New Legacy.

The platform later partnered with other companies to produce NFT collections for franchises including The Matrix and Game of Thrones, the latter of which featured hilariously bad artwork. The company then pivoted to a broader web3 focus as the NFT bubble collapse led the broader crypto downturn.

However, their promised web3 platform never materialized, and now the project has reached "the end of [its] runway".

Nifty's is not to be confused with Nifty Gateway, a separate NFT platform run by the embattled Gemini crypto platform.

Uwerx crypto-based freelancer platform exploited

Uwerx is a nascent project intending to build a blockchain-based freelancer marketplace, because what better concepts to combine than blockchains and the gig economy? Sadly for them, just after completing their token presale, it was hit with a flash loan exploit that enabled an attacker to siphon 176 ETH (~$324,000) from the platform.

The project was audited by SolidProof and InterFi. The project announced that they intended to relaunch the token, and asked the exploiter to consider returning 80% of the funds, keeping 20% as a "bug bounty".

LeetSwap exploited on Base

Although Coinbase's Base blockchain is at this stage intended for testing only, people have begun bridging substantial assets to the platform and using various services in anticipation of its official launch.

One such service is LeetSwap, which describes itself as the "The #1 DEX ecosystem for elite degens built on the leetest blockchains", and which recently launched its service on Base. On August 1, LeetSwap was exploited after an attacker discovered a function that allowed them to manipulate token prices on the project for a profit of around 342 ETH (~$624,000).

LeetSwap attempted to contact the hacker via social media, asking them to return all but 50 ETH (~$92,000, or around 15% of the stolen funds).

Phisher briefly snags $20 million before it's frozen by Tether

A zero-transfer attack, also called an address poisoning attack, occurs when a phisher creates a blockchain address very similar to that of a target victim's wallet, and sends zero-value token transactions to the victim's addresses from the phishing wallet in hopes that the victim will later mistake the phishing address for the real one and send funds to it. It sounds unlikely to work, but users often fail to verify every character of the destination address they're using, opting instead to copy it from their transaction histories, and this can profit scammers substantially.

Someone intending to transfer Tether stablecoins amounting to $20 million apparently didn't think it was important to double-check the address, and fell for such an attack.

However, only 51 minutes after the theft, the victim had managed to get Tether to add the thief's address to its blacklist, freezing the assets and thwarting the attack. The rapidity of the freeze led various people to question who the victim might be who could get Tether to intervene so quickly.

BALD memecoin plunges after $25.6 million rug pull

A memecoin called $BALD, built on the Coinbase Base test network, appears to have rug pulled for at least $25.6 million. Although the Base network is meant to be used for developer testing, some people have tried to trade on the network before its official launch.

A pseudonymous crypto user called "Bald" announced that they would be selling $BALD tokens on the Base network, and the token — apparently named after the hairless Coinbase CEO Brian Armstrong — quickly skyrocketed in price. However, the token deployer emptied tokens priced at around $25.6 million from the liquidity pool two days after launch in apparent rug pull. The token price quickly plunged by around 90%.

Conspiracy theories emerged that the Bald account was in fact operated by Sam Bankman-Fried, the former CEO of FTX who is on house arrest under strict supervision and without access to most websites as he awaits trial later this year.

SEC goes after Richard Heart and his projects Hex, PulseChain, and PulseX

Richard Heart, wearing a top hatRichard Heart (attribution)
The SEC filed charges against Richard Heart, the operator of Hex, PulseChain, and PulseX. Despite Heart's best attempts at evading securities laws — including by asking people to "sacrifice" tokens in exchange for PLS and PLSX to avoid using the term "invest" — the SEC says he's been conducting unregistered securities offerings amounting to more than $1 billion.

In addition to the unregistered offerings charge, the SEC alleges Heart and PulseChain misappropriated $12.1 million to fund Heart's lavish lifestyle. Among other things, he purchased a McLaren sports car, five luxury watches, and a $4.3 million 555-carat black diamond called "Enigma", allegedly using funds from the sale.

Bug in Vyper smart contract language enables multiple exploits on Curve and related projects

Some types of Curve factory pools, including one operated by AlchemixFi and one by JPEG'd, were exploited. The attack stemmed from an issue in the Vyper language, a smart contract programming language that is similar to Solidity. Early investigations suggested that versions of the Vyper compiler had improperly implemented a re-entrancy guard, leaving some projects vulnerable to that type of attack. Vyper tweeted an announcement that the versions were vulnerable, and urged "projects relying on these versions [to] immediately reach out to us".

Curve itself lost $61 million to the exploit. AlchemixFi was exploited for around $13 million in assets, and JPEG'd suffered a $11 million loss. MetronomeDAO suffered a $1.6 million loss, Ellipsis Finance lost $68,600, and Debridge Finance lost around $24,600.

Altogether, somewhere between $88 million and $100 million was taken, though some exploits appeared to be whitehat actions intended to preserve funds. The primary exploiter also later returned some of the stolen funds, refunding the entire amount to AlchemixFi and 90% of funds to JPEG'd in exchange for a 10% "bug bounty".

Kannagi Finance rug pulls for over $2 million

The defi yield aggregator project Kannagi Finance rug pulled on July 29 as its creators drained the $2.13 million total value locked. Kannagi Finance deleted its website and social media accounts following the exit scam.

Blockchain security firm SolidProof had audited Kannagi in June.

Memecoin launch by Pauly0x costs traders at least $2.2 million

Traders hoping to get in on the next big memecoin eagerly snapped up a token called Pond0x, a Pepe the Frog-branded memecoin launched by Pauly0x. Pauly0x is Jeremy Cahen, a crypto personality best known for his creation of CryptoPhunks, NotLarvaLabs, and involvement in the Ryder Ripps lawsuit.

However, serious flaws in the Pond0x contract resulted in traders losing at least $2.2 million as people discovered that anyone could transfer coins belonging to other people. People quickly began rushing to steal coins from one another.

Pauly0x responded by blaming the traders who bought and sold the tokens, and spent the following day variously posting on Twitter that he was teaching people a lesson, that it wasn't his fault that people lost money, and suggesting that the flaw was part of a bigger plan for the project. "No one stole your tokens lol. The contract is literally designed as such," he wrote to angry traders accusing him of a rug pull. He added to the website a message reading, "GREED KILLS".

DeFiLabs rug pulls for $1.6 million

A defi project called DeFiLabs was able to rug pull for $1.6 million thanks to a backdoor written into the smart contract. After traders bought into the project, its creator was able to call the withdrawFunds function to make off with the project's assets.

DeFiLabs claimed on Twitter that the platform "encountered an unexpected issue" while "undergoing maintenance and updates".

DeFiLabs had been audited by blockchain security firm CertiK.

CoinsPaid hacked for $37.3 million

The CoinsPaid crypto payment platform, which provides payment services to various online casinos, reportedly suspended withdrawals under mysterious circumstances. The company later deleted a handful of tweets pertaining to the incident, which they ascribed to a "technical issue".

After prominent Bitcoiner Jameson Lopp tweeted that the issue "look[s] more like a hack", CoinsPaid replied "Our team is aware of the issue... Please wait for the official announcement on this topic." Crypto researcher zachxbt responded, "The issue is you got hacked by North Korea that's what lol", referencing the increasing suspicion that the Lazarus group may be behind the disruption. Sure enough, CoinsPaid later confirmed that they had been hacked for $37.3 million, and announced that they suspected the Lazarus Group was behind it.

Some have been speculating that there are connections between this incident and the $60 million hack of the Alphapo crypto payments processor on July 22. Alphapo also provided services to various online casinos. Indeed, there seem to be connections between Alphapo and CoinsPaid, and they may in fact be operated by the same people.

EraLend exploited for $3.4 million

The EraLend crypto lending platform was exploited for around $3.4 million after an attacker took advantage of a re-entrancy vulnerability to manipulate token prices and drain funds from the project. The thief then quickly distributed the stolen funds across various wallets and blockchains.

EraLend paused various functions of their protocol while they investigated the attack, and said they were working with various security research organizations and law enforcement to investigate the theft.

The BlockSec security research firm warned other projects that re-used a portion of code to be cautious if they re-used a portion of code from SyncSwap, because they could also be vulnerable.

IEGT token rug pulls for $1.14 million

The IEGT token was created on Binance Smart Chain on July 13. However, its creators "covertly minted a large amount of tokens, primed for a rug pull", as blockchain security firm SlowMist described it. Although the project reportedly had only 5 million tokens in supply, this allowed the team to sell 1 billion tokens, cashing out approximately $1.14 million in the USDT stablecoin.

Alphapo hacked for more than $60 million

The crypto payment processor Alphapo suffered a hot wallet hack on July 22 in which at least $60 million in Ethereum, Tron, and Bitcoin was stolen. Alphapo processes payments for several gambling platforms including HypeDrop, Bovada, and Ignition.

HypeDrop disabled withdrawals on their platform, and wrote on Twitter that they were experiencing "ongoing deposit and withdrawal issues" due to "an issue on the cryptocurrency provider's side."

Conic Finance exploited again, hours after first hack

Hours after suffering a $3.2 million exploit on their ETH pools, Conic Finance was hacked for a second time. Although Conic had assured the public that the incident was limited to the ETH pool and other pools were not at risk, an attacker successfully exploited their crvUSD pool. The attacker stole around $934,000, though ultimately only was able to realize around $300,000 in profit.

Party Parrot team prepares to "vote" to allocate themselves 80% of initial offering funds, around $60 million

You almost have to hand it to the Party Parrot team, they really figured out how to take advantage of ostensibly "decentralized" governance to line their own pockets. After raising $80 million in an "IDO" — initial DEX offering — in September 2021, the project is now embarking on a governance "vote" that would cash out the project treasury and distribute it to PRT token holders. However, the project team also unilaterally decided to unlock tokens held by the team in November 2022, meaning that the project now has access to 80% of the token supply — the same tokens that will decide the outcome of the vote.

If the vote passes, and it likely will given the massive supply of tokens available to the team, the team will have just decided to distribute around $60 million in remaining funds to themselves, leaving $12 million to the token holders.

One commenter on the proposal described the move as "a pure financial crime". Another wrote, "The community has already explained in painstaking detail why we're not interested in this. The pro-rata value is an extreme lowball and fails to account for many of the team's misuses of the treasury without the community's consent. The team also prematurely unlocked the team and VCs' vesting tokens, so they are the majority token holders, making this vote meaningless and a total farce."

Conic Finance exploited for $3.2 million

A re-entrancy vulnerability in the Conic Finance defi project enabled an attacker to steal 1,700 ETH (~$3.22 million) from the project's ETH pool.

Conic Finance announced that they had disabled deposits on the front-end of their project, and were working to patch the vulnerable smart contract. The team also attempted to contact the exploiter via blockchain message, asking if they "would be open to discussing any potential next steps".

Melania Trump's space NFTs likely violate NASA policy

A photo of Buzz Aldrin in a space suit on the surface of the moon, superimposed on an iPod Nano-esque object where the screen would beMan on the Moon NFT (attribution)
Melania Trump doesn't seem willing to let the flop of her first NFT project, which ended with her allegedly buying the NFT herself, slow her down. She's just announced a line of Apollo 11-themed NFTs, because apparently our former first lady is a big space buff. The Man on the Moon NFTs sell for $75 each, and feature a 1969 photo of Buzz Aldrin on the moon surface, bizarrely superimposed on what appears to be a 2007-era iPod Nano.

As a photo produced by a federal agency, NASA's image is not copyrighted. However, NASA policy outlines "strict laws and regulations", including that "NASA is not approving any merchandising applications involving Non-Fungible Tokens (NFTs), as they are not consistent with the categories of products the agency is approved to merchandise... NASA does not wish for its images to be used in connection with NFTs."

The NFTs don't seem to be exactly flying off the shelves. The collection contains 500 copies, and according to the website, only 55 have been sold in the week following the project's release, garnering Mrs. Trump $4,125.

GMETA rug pulls for $3.6 million

The GMETA project on BNB Chain saw its price plummet to near zero as the project creators drained the funds from the project. The contract creator was able to transfer large amounts of the token and swap them for the Tether stablecoin, cashing out a total of around $3.6 million.

Feds seize tens of millions from Deltec Bank in connection to fake crypto investment schemes

Documents unsealed on July 17 reveal that the U.S. Secret Service performed multiple asset seizures on U.S. bank accounts controlled by Deltec Bank, a Bahamian bank with close ties to the crypto industry. Deltec is known for its ties to the Tether stablecoin, and it has also done business with FTX/Alameda.

According to the court filing, the Secret Service was authorized to seize up to $58.5 million after establishing there was probable cause for wire fraud, bank fraud, or money laundering. The affidavit describes "organized, international criminal money laundering syndicates operating cryptocurrency investment and other wire fraud scams" which allegedly fraudulently induced victims to "transfer money into shell companies, at which point the money underwent a series of transfers, generally ending overseas, designed to conceal the source, nature, ownership, and control of the funds".

The scheme reportedly involved fake crypto sites that tricked victims into depositing money under the belief that they were investing it. Like many such scams, the sites appeared to show victims' investments increasing in value, inducing them to deposit more funds. However, when they tried to withdraw, they found they could not.

Neopets shuts down its Neopets Metaverse project

An "Acara" Neopet with a plushie body, sad expression, and squid hat and scarfNeopet #1315 (attribution)
After announcing a Neopets Metaverse project — complete with NFT collections and two different crypto tokens — in 2021, Neopets has announced they will be "transition[ing] away from the Neopets Metaverse game and redistribut[ing] those resources to the development of a game that we feel can better reflect our values and vision." The announcement came along with an announcement that the company had raised $4 million, and undergone a major change in leadership. They reassured their community that its new project, "World of Neopets", will not have any NFTs and "is NOT built on a crypto model".

The announcement referred to wanting to "design a game that's more in line with what the community has been asking for", a nod to the backlash from the Neopets community when the company decided to go web3. In September 2021, one of the most popular Neopets fan communities tweeted, "The Neopets community overwhelmingly rejects the new NFT cashgrab project. We're hard pressed finding someone outside of the NFT community that wants this."

Holders of Neopets NFTs seemed somewhat split on the announcement that the NFTs would remain tradable on secondary markets, but would not be incorporated into any game. Some described the project as a "rug", and were disappointed that the NFTs they'd purchased would never be useful in-game. "Once an NFT has no use, the price tends to tank", one person (accurately) remarked. Another commented that they'd always viewed the NFTs as little more than a collectible, and were satisfied with it never going beyond that.

Five men, including inspector in bankruptcy proceeding, charged with kidnapping "Crypto King" alleged scammer

Aidan Pleterski and a woman with her face blurred stand in front of a lime green Lamborghini in what appears to be an upscale suburbPleterski, in better days (attribution)
Five men are facing charges for allegedly kidnapping, confining, and beating Aiden Pleterski, the young, self-proclaimed "Crypto King" accused of losing $35 million in investor funds. One of the men, Akil Heywood, reportedly lost $740,000 to Pleterski's scam, and had been named by other investors to be an inspector in the bankruptcy proceeding, a role where he was intended to represent the interests of other investors. Perhaps that's what he was trying to do when he allegedly helped the group of other men kidnap Pleterski, beat him, and force him to record a video explaining what happened to the funds.

As an inspector in the bankruptcy, Heywood would have had access to details from the investigation by the bankruptcy trustee. Heywood is, incidentally, also charged with threatening the trustee in an attempt to get him to pay out $2 million in crypto. Shortly before the alleged kidnapping, Pleterski stated in an interview for the bankruptcy proceedings that Heywood had been "still, by the way, uttering threats, and very dangerous, violent threats, to me over Instagram comment sections and text messages".

Heywood has told reporters he is innocent.

Hector Network begins shutdown after Multichain collapse

Hector DAO, the governing body behind the Hector Network, voted to liquidate the project's $16 million treasury and distribute it to tokenholders, effectively putting an end to the project.

On July 14, a community manager wrote on Discord that "Hector Network ha[d] suffered significant damage to its ability to operate" after the Multichain collapse, and that the project faced a choice between liquidating the treasury and winding down or migrating to a new blockchain and trying to rebuild. The community chose the former.

According to a post on Discord, the winding-down process will likely take 6 to 12 months as the project appoints a liquidator, legal counsel, and auditor.

Scammer "Soup" makes more than $1 million through Discord hacks

A Mutant Ape wearing a leather aviator hat with teeth on the brim, with Xs for eyes, with a beer can wrapped in a serpentine tongue, and with leopard print furMutant Ape #21080, stolen by Soup (attribution)
A Canadian named Dan, who goes by "Soup" online, made more than $1 million through various phishing scams targeting Discord projects including those belonging to the Pika Protocol and Orbiter Finance. In one scam, he impersonated crypto journalist Luke Hamilton, trying to convince victims to join a fake Decrypt Discord server so he could steal their credentials.

Soup was exposed by crypto sleuth zachxbt, who also described how the scammer had spent some of his ill-gotten funds on exclusive Roblox items that sell for "high 5 figs".

Geist Finance shuts down after Multichain-related losses

Defi lending project Geist Finance announced they would be shutting down after more than $200 million was drained from the Multichain project in two separate events in early July. Geist Finance had previously allowed people to borrow against assets bridged via Multichain, and had over $29 million TVL. However, price oracles are no longer reporting accurate prices of the bridged equivalents of tokens, which are now largely unbacked thanks to the missing assets, and trading at a massive discount to the original tokens.

Geist paused their smart contracts on July 6, then reenabled the withdraw and repay functions on July 9, while waiting for news from Multichain. Now that Multichain has confirmed that the missing hundreds of millions will not be recovered, Geist has announced they will not reopen. If they were to do so, the platform would almost immediately take on bad debt as people exploited the price discrepancies.

Multichain added, "Just to be clear this is in no way an attempt to blame Chainlink oracles which worked as they should. There are no oracles for the Multichain assets themselves because there was the expectation to exchange them 1:1. Nobody is to blame except Multichain here."

Multichain finally confirms their CEO was arrested in China

After a months-long saga involving "stuck" transactions, Multichain announcing they couldn't get in contact with their CEO, rumors that the whole team was arrested, and several suspicious transactions of more than $100 million each, Multichain has finally announced that their CEO — known only as Zhaojun — was arrested on May 21. According to the project, all of his devices, hardware wallets, and mnemonic phrases were taken by Chinese police during the arrest. "Since the inception of the project, all operational funds and investments from investors have been under Zhaojun's control. This also means that all the team's funds and access to the servers are with Zhaojun and the police," they wrote.

The Multichain project claimed in a lengthy Twitter thread that the team attempted to keep the project running by using stored credentials on Zhaojun's home computer, thanks to access provided by his sister. However, they say that the July 6–7 movement of $130 million out of the project was an "abnormal" transfer by an unknown party. They claim that the July 9–10 transfer of around $107 million was his sister attempting to preserve assets by moving them into wallets she controlled. According to the team, his sister also was arrested on July 13, and "the status of the assets she has preserved is uncertain".

"Due to the lack of alternative sources of information and corresponding operational funds, the team is forced to cease operations," they wrote. They also claimed that they don't have control over the domain pointing to the frontend of the project, and so are unable to take the project offline, and resorted to pleading with GoDaddy for help in doing so.

"Honestly he deserves jail for this level of cryptography incompetence alone," wrote crypto personality 0xfoobar on Twitter.

SEC, CFTC, and FTC sue Celsius; CEO Alex Mashinsky arrested

Alex Mashinsky sitting onstage, wearing a Madonna microphone and a t-shirt reading "Banks are not your friends." with the Celsius logoAlex Mashinsky (attribution)
A multi-agency hammer came down on the bankrupt cryptocurrency lender and alleged Ponzi scheme that was Celsius. The co-founder and former CEO of the company, Alex Mashinsky, was arrested and charged with seven counts including securities and commodities fraud, wire fraud, and conspiracy to manipulate the price of Celsius' CEL token. The indictment also named Roni Cohen-Pavon, Celsius' former Chief Revenue Officer.

Alongside the indictment from the DOJ, the Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), and Federal Trade Commission (FTC) each filed their own separate lawsuits against Mashinsky and Celsius.

These latest lawsuits join an existing lawsuit, filed in January 2023, against Mashinsky by the New York Attorney General.

Digitex Futures CEO to pay $15 million over commodities violations

Adam Todd, the CEO of the Digitex Futures exchange, has been ordered to pay $3.9 million in disgorgement and $11.7 million in penalties. The Commodity Futures Trading Commission won a default judgment against him in their lawsuit alleging violations of the Commodity Exchange Act, including failing to register as a derivatives exchange, attempting to manipulate the price of the DGTX token, and failing to implement proper KYC and anti-money laundering programs.

According to Todd in a YouTube video, "We do not need to do KYC. [...] You should not have to give them because the U.S. government or whatever other [expletive] government in the world says that you need to. You do not need to. You just do not." Well, in that case.

Todd was also accused of trying to artificially inflate the price of the DGTX token by buying it on third-party exchanges, writing out his plans in excruciating detail with a customer who provided him funds to use on pumping the token.

OptyFi shuts down, citing regulatory threats and failed fundraising attempt

OptyFi, a so-called "AI-powered defi" project, announced it would be shutting down for a variety of reasons. First, they blamed their recent failed token sale, in which they had hoped to raise $600,000. They blamed this failed sale on their Discord project being hacked, and on various community members falling victim to a fake token sale link.

However, they stated that the main reason they decided to shut down the project was the "significant and mounting regulatory challenges", pointing to the recent claim by the BarnBridge defi project that they were under SEC investigation. According to OptyFi, they are concerned that the $OPTY token or OptyFi vault tokens could be deemed securities, or that the OptyFi vaults themselves could be determined to be a "Mutual Fund type vehicle".

OptyFi promised to refund any tokens purchased during the most recent token sale, but many community members still accused the project team of rug pulling. OptyFi had previously raised $2.4 million in a seed funding round in January 2022.

Platypus Finance hacked for the second time

Platypus Finance paused their pools after they were alerted to what they described as "suspicious activities". Security firm PeckShield was apparently the first to notice the activity, sending them a dreaded "hi, you might want to take a look" tweet that has become their signature way of alerting protocols that something bad has just happened. The CertiK security project also tweeted that they'd observed multiple suspicious flash loans involving the project.

This is the second apparent hack of Platypus Finance, following an $8.5 million hack only ten days after it launched in February 2023. The first hack also involved flash loans.

New Rodeo Finance project exploited for the second time in one week

An attacker manipulated a price oracle to drain 472 ETH (~$884,000) from Rodeo Finance, a new Arbitrum-based leveraged yield protocol. The thief then used Tornado Cash to tumble the funds, some of which they placed into staking programs. According to Rodeo Finance, the attacker initially exploited the protocol for closer to $1.7 million, but $810,000 was recovered. Small victories. Anyway, Rodeo paused the protocol, and stated that they are working on recovery plans.

This was actually the second attack to impact Rodeo Finance in a single week. On July 5, the same day as their public token launch, the project was exploited for around $90,000 thanks to a bug in a smart contract.