Web3 is Going Just Great

This is the second BtcTurk exploit, following an approximately $55 million theft in June 2024.

A team member suggested they were unsure of the total amount stolen, "but as of right now, our company treasury isn't big enough to cover the losses".

A company called Qubic has been waging the 51% attack by offering economic rewards for miners who join the Qubic mining pool. They claim to be "stress testing" Monero, though many in the Monero community have condemned Qubic for what they see as a malicious attack on the network or a marketing stunt.

Though Qubic has claimed to have achieved 51% of the Monero hashrate, these claims have been disputed. However, they do appear to be very close if not there already, and there have been multiple chain reorganizations — including a 6-block reorganization — suggesting that Qubic has established significant control over Monero mining.

The incidents have been widely condemned as both dangerous and misogynistic by players, coaches, and the league, which has since implemented penalties including immediate ejection, a minimum one-year ban, and possible felony charges for offenders.

"It's super disrespectful," said Chicago Sky player Elizabeth Williams. "The sexualization of women is what's used to hold women down, and this is no different," stated coach Cheryl Reeve of the Minnesota Lynx. "The intent is to sexualize and demean the women players because they are women," wrote Glamour.

"This is empowering to every fucking crypto community to start thinking outside the box. Get creative and fucking do something that makes people actually laugh," said a member of the memecoin community, cheering the incidents for their virality and the subsequent impact on the coin price. The meme was even amplified by Donald Trump Jr., who posted to Instagram a photoshopped image of President Trump dropping one of the green sex toys off the roof of the White House and onto a group of women playing basketball below.

Researchers at Sentinel Labs have estimated that more than $1 million has been drained from various wallets via these malicious contracts.

Credix subsequently announced they had negotiated with the thief, who they said agreed to return the funds "in return for money fully paid by the credix treasury". They did not disclose how much they paid to the hacker.

However, shortly after this announcement, the company deleted its social media accounts and disappeared, leading some to wonder if the "hack" may have in fact been a rug pull by insiders. The promised reimbursements have not yet materialized.

This isn't the first sign of shakiness at Abra, which was alleged to be insolvent by the Texas state securities regulator in 2023. The company wound down its US operations in mid-2023 and refunded $82 million to US customers, after reaching a settlement with 25 state regulators. Abra also faced a lawsuit from the US federal securities regulator in 2024, which they settled in August of that year.

WOO X temporarily froze withdrawals, before reopening accounts after a security review. They offered a 10% "bounty" to the thief.

Blockchain security researcher zachxbt responded to the hack by saying, "I do not feel bad for the team as this CEX processed a good bit of volume from pig butchering, romance, investment scams." Elsewhere he suggested that hacks of "sketchy offshore exchanges" would be a positive for the crypto industry, serving as a "natural cleanse".

Arcadia is backed by Coinbase Ventures. The project acknowledged the hack, encouraging users to revoke permissions.

As it happens, "Ivan & Mouna" match the names of MoonPay CEO Ivan Soto-Wright and CFO Mouna Siala. The crypto address used to send the transaction also appears to be one of MoonPay's company crypto wallets.

MoonPay had told Fox Business shortly before the transaction that they intended to contribute an undisclosed amount to the Trump inaugural fund.

Only weeks after the botched donation, MoonPay was selected as a payment processor for Trump's $TRUMP memecoin.

However, Kinto blamed the token crash on the exploit that was recently disclosed by VennBuild, claiming on Twitter that "we got hacked by a state actor". Venn seemed to corroborate Kinto's explanation that the crash was related to the exploit, tweeting that although they had tried to warn all vulnerable projects before publicly disclosing the bug, "Sadly the Kinto token was not found despite being vulnerable, and exploited without time to mitigate."

Kinto has announced a plan to try to fundraise to cover a $1.4 million loss in liquidity, then create a new $K token based on a snapshot of previous token holdings.

Shortly after the attack, Texture sent a message to the thief: "We are offering a 10% bounty of any funds stolen, which are yours to keep if you return the remaining 90%. You made an opsec mistake, but it’s not too late to avoid escalating the situation."

The threat and "bounty" offer apparently worked, and the hacker returned $1.98 million, keeping $220,000 as a so-called "greyhat bounty". "As the hacker has fulfilled their side of the agreement, we will not pursue the matter further," wrote Texture.

According to the researchers, they found thousands of contracts affected by the exploit, and worked with multiple protocols to upgrade contracts or withdraw vulnerable funds. The researchers theorized that the attackers were "likely a sophisticated group waiting for a bigger target, not small wins."

GMX offered a 10% "bug bounty" to the hacker if they returned the funds. The attacker later returned $40.5 million in stolen assets; unusually, this is more than the 90% return requested by GMX.

Resupply announced the theft shortly afterwards, and stated that they had paused the vulnerable contract.

Resupply is a fairly new project, having officially launched on March 20 — about three months before the exploit.

Aza Ventures was initially hesitant to name the scammer, hoping they could pressure the scammer to return the stolen funds, but later reports quickly named Self Chain founder Ravindra Kumar as the alleged culprit. Kumar posted on June 19, "I've been accused of serious wrongdoing, which is completely false."

On June 23, Self Chain announced that they had terminated Kumar as CEO "due to recent developments that diverge from the founding vision".

zachxbt noted that Nieves seems to have a gambling problem, depositing much of the stolen funds into crypto gambling websites. "You’ll see onchain how casino deposits get smaller as he loses funds," wrote zachxbt. "Recently this escalated to the point where he started stealing cuts from accomplices." He also appears to have used some of the stolen funds on luxury goods, including a Corvette and expensive watches.

Gonjeshke Darande (also "Predatory Sparrow"), a hacking group with links to Israel, claimed responsibility for the theft, accusing the platform of serving as a "key regime tool" to finance terror and violate sanctions. The cyberattack comes shortly after Israel launched air strikes on Iran.

Meta Pool acknowledged the theft in a post shortly after the exploit was noticed by a blockchain security firm, and announced that the team had paused the project's smart contract.

ALEX announced they would reimburse stolen user funds.

This is the second exploit affecting ALEX Labs, after a thief stole around $2 million in May 2024.

The theft was originally noticed by crypto sleuth zachxbt, who observed a suspicious transfer of around $11.5 million in crypto assets on May 8. The funds sold on decentralized exchanges and then laundered through various cryptocurrency mixing services.

BitoPro originally only told customers that the platform was offline for "maintenance", but disclosed the theft on June 2 after zachxbt published his findings.

Cork had been audited in whole or in part by four different security firms. The project's funders include Andreessen Horowitz, OrangeDAO, and Steakhouse Financial, and Cork is a part of Andreessen Horowitz's Crypto Startup Accelerator.

This led some to question how decentralized the project truly is if the funds can be frozen in such a way.

Sui validators later voted to return the frozen assets to the Cetus project. Cetus also announced that users would be fully compensated, and that they would cover the $60 million gap with project treasury funds and a loan from the Sui Foundation.

Then, on May 12, the project posted a warning that the website for the Curve frontend was "hijacked" in an apparent domain takeover.

This is not the first such compromise for Curve, which suffered a frontend compromise in August 2022 that resulted in $620,000 in losses (later recovered with the help of some exchanges).