Despite the project's attempted reassurances, the YU stablecoin lost its $1 peg, plummeting as low as around $0.20. As of writing, about a day later, the stablecoin is still well below its peg, at around $0.94.
Yala stablecoin depegs after theft
The YU bitcoin-backed stablecoin list its intended dollar peg after what they described as "an attempted attack", later writing that there was an "unauthorized transfer of funds". Although they initially wrote that "All funds are safe", they later stated that they "identified the stolen assets on-chain and are actively working with law enforcement to pursue recovery." Research firm Lookonchain observed a large mint of the YU token that may have been related — if so, the attacker successfully stole at least 1,501 ETH ($6.75 million), and holds a substantial quantity of YU they still haven't sold.
Shibarium bridge hit with $2.4 million flash loan attack
A bridge for Shibarium, the layer-2 network for the Shiba Inu project, was exploited for approximately $2.4 million in funds. The attacker bought 4.6 million BONE tokens (the governance token for Shibarium) using a flash loan, then used compromised validator signing keys to take control of the majority of validator power. Then, they used that control to drain around 225 ETH and 92.6 billion SHIB, together priced at around $2.4 million at the time of the theft.
The project has paused staking on the network, freezing the BONE tokens borrowed by the attacker, which may limit the attacker's profits.
Thorchain founder exploited for $1.35 million
John-Paul Thorbjornsen, the founder of Thorchain and Vultisig, suffered a wallet drain, reportedly after experiencing a video meeting scam from an attacker who had exploited the Telegram account belonging to one of his friends. According to JP, the scammer used a malicious video call link to place malware on his computer, which then exfiltrated private keys for one of his crypto wallets. Some questioned whether he had made up the story, as he immediately began using the story to promote his Vultisig product.
Later that week, Thorbjornsen apparently suffered another loss — this one confirmed on-chain to be around $1.35 million.
According to crypto sleuth zachxbt, the attackers appeared to be a part of North Korean crypto hacking operations. "JP is one of the people whose has greatly benefited financially from the laundering of DPRK hacks/exploits. So it’s a bit poetic he got rekt here by DPRK," he wrote.
$41.5 million stolen from SwissBorg in Kiln API exploit
Thieves stole 192,600 SOL (~$41.5 million) from a wallet belonging to the Swiss cryptocurrency exchange SwissBorg. The attack is being blamed on a vulnerability in the API of Kiln, a staking partner used for SwissBorg's "Earn" program.
SwissBorg announced that they would be reimbursing impacted customers using treasury funds, and working with security firms and law enforcement to try to recover the stolen assets.
Massive NPM supply chain attack puts crypto transactions at risk
After a JavaScript developer's NPM account was compromised in a phishing attack, attackers used it to upload malicious versions of heavily used JavaScript color and debugging libraries, as well as simple utilities that do things like
strip-ansi or determine if a variable is-arrayish. Altogether, the packages get around two billion downloads per week, and the compromise is being called the "largest supply chain attack in history".Once the malicious code is injected, it then intercepts network traffic and API calls, scanning for cryptocurrency transactions across numerous blockchains. When a network request is made to transfer crypto, the malicious code intercepts it and replaces the destination with wallets controlled by the attackers.
Various prominent people in crypto have warned about the attack, with Ledger CTO Charles Guillemet tweeting: "If you use a hardware wallet, pay attention to every transaction before signing and you're safe. If you don't use a hardware wallet, refrain from making any on-chain transactions for now."
Ultimately, the exploit was not very financially successful, with reports that less than $1,000 was stolen.
Nemo Protocol exploited for $2.4 million
The Nemo Protocol on the Sui blockchain suffered a $2.4 million exploit. The defi yield infrastructure protocol acknowledged the theft shortly after, explaining they had paused the protocol smart contracts as they investigated the theft. It appears the thief was able to manipulate a price oracle, siphoning $2.4 million in USDC from the project. They then bridged the funds from Arbitrum to Ethereum.