The Saga Dollar token lost its peg and fell to around $0.75 after the attack.
Saga halts blockchain after $7 million theft
The Saga project halted its blockchain after acknowledging that $7 million had been stolen. An attacker was evidently able to mint a large quantity of Saga Dollar tokens, though it's not yet clear whether it was because of a smart contract vulnerability, private key compromise, or some other issue. The attacker was quick to swap most of the assets to ETH to thwart asset freezes or blockchain halts.
Former NYC Mayor Eric Adams accused of rug pull as NYC Token crashes
Shortly after losing his campaign for re-election as mayor of New York City, Eric Adams announced he would be launching "NYC Token". He's pitched the project as a fundraising tool to fight "antisemitism" and "anti-Americanism", and as a project to "teach our children how to embrace the blockchain technology."
He launched the project on January 12, and buyers piled in in hopes of being early to a high-profile crypto token endorsed by a public figure. However, within hours, the team began pulling liquidity as the price peaked, extracting around $2.5 million. As the price began to fall, the team added back around $1.5 million, leaving around $1 million unaccounted for.
Additionally, on-chain researchers observed at least one wallet that spent almost $750,000 to purchase around 1.5 million $NYC around 10 minutes before the token was publicly announced, leading to speculation around insider trading. However, because of the token price crash after the team began pulling liquidity, the apparent insider ultimately lost around $500,000.
People were quick to accuse Adams, or his unidentified crypto team, of rug-pulling buyers. Adams and the project's social media account have claimed that the team was simply moving or "rebalanc[ing]" liquidity, though they have not yet offered any explanation as to where the missing $1 million went.
- Tweet by RuneCrypto_ [archive]
- Tweet thread by Bubblemaps [archive]
- Tweet by NYC Token [archive]
- Tweet thread by Bubblemaps [archive]
- Wallet on Solscan [archive]
- "Pitching Crypto and Needling Mamdani: Adams’s Post-Mayoralty Takes Shape", New York Times [archive]
- "Former 'bitcoin mayor' Eric Adams faces $3 million rugpull allegation after issuing NYC Token", CoinDesk [archive]
Crypto holder loses $283 million to scammer impersonating wallet support
A crypto holder has lost $282 million in bitcoin and litecoin after a scammer impersonating a customer support employee for the Trezor hardware wallet manufacturer successfully convinced them into revealing their seed phrase. After gaining access to the assets, they quickly swapped them to the Monero privacycoin. The volume of assets was so large that the Monero price spiked as the scammer laundered the finds. The scammer also swapped assets using the THORChain project, which boasted on social media about the "World record speedrun. ⚡️" (presumably without realizing they were bragging about a thief using their project to launder money).
Around $700,000 of the stolen assets were frozen thanks to intervention by a security firm called ZeroShadow, although this represents only 0.2% of the total loss.
Truebit exploited for over $26 million
A bug in a smart contract belonging to the Ethereum-based Truebit project allowed an attacker to steal 8,535 ETH (~$26.4 million). The thief targeted one of the project's older contracts — deployed in 2021 — which contained a bug in which the price calculation to mint sufficiently large quantities of the protocol's TRU token would overflow, erroneously allowing people to mint large amounts of TRU for next to nothing. The exploiter took advantage of this by minting TRU and swapping it for ETH, ultimately causing the TRU token price to crash 99.9%. Another subsequent attack saw around $300,000 more drained from the project.
Truebit acknowledged the hack and urged users not to interact with the vulnerable smart contract.
Unleash Protocol exploited for $3.9 million
Unleash Protocol, a project promising to allow creators to register their intellectual property on the blockchain, has been exploited for around $3.9 million. An attacker was able to gain administrative access, despite the project's governance system ostensibly being protected by a multisignature wallet. They then deployed a new smart contract, which allowed them to siphon assets from the project. The attacker then bridged the funds to ETH and laundered them via the Tornado Cash cryptocurrency mixer.
Flow blockchain exploited for $3.9 million
The Flow blockchain suffered an exploit in which an attacker was able to mint a large number of wrapped FLOW tokens, which they then swapped to tokens on other blockchains. Ultimately around $3.9 million was stolen, and the FLOW token dramatically plunged in price.
Some crypto exchanges, such as Upbit and Bithumb, halted withdrawals and deposits for FLOW after the exploit was discovered. Flow later confirmed the exploit, and said that validators "executed a coordinated halt" of the network to shut down the attack.
Binance's Trust Wallet extension hacked; users lose $7 million
The Trust Wallet Chrome extension was compromised in an apparent supply chain attack. People who used the non-custodial wallet extension after it updated to version 2.68 lost funds after malicious code was introduced to exfiltrate wallet seed phrases so that the attackers could then drain the wallets. Victims have lost a combined $7 million due to the compromise.
Binance founder Changpeng Zhao — who supposedly has no managerial role at Binance after he and the company were criminally charged in the US — announced that Binance would reimburse users who lost funds.
Crypto trader loses $50 million to address poisoning attack
A crypto trader lost almost $50 million in the Tether stablecoin after falling victim to an address poisoning attack. Because blockchain wallet addresses are long, random alphanumeric strings, traders often use the first and/or last several characters to quickly recognize wallets, and copy and paste regularly used wallet addresses from their transaction history. This has given rise to a type of scam known as "address poisoning", where scammers generate wallet addresses that share similar beginning and end characters, and use them to send transactions to wealthy victims. If they're lucky, as they were in this case, the victim will accidentally copy the similar looking scammer's wallet address when making a transfer of significant size.
After the theft, the victim sent an on-chain message to the scammer, offering a $1 million "bounty" for the return of the remaining funds. They threatened, "We have officially filed a criminal case. With the assistance of law enforcement, cybersecurity agencies, and multiple blockchain protocols, we have already gathered substantial and actionable intelligence regarding your activities." However, there's been no activity from the wallet since the message, and the thief had long since begun laundering the funds via Tornado Cash.
- Thief wallet, Etherscan [archive]
- On-chain message, Etherscan
Yearn Finance suffers fourth exploit only weeks after third
Only weeks after losing $6.6 million to an infinite mint exploit, a Yearn Finance smart contract has again been exploited, allowing an attacker to make off with around 103 ETH (~$300,000). The affected contract is a legacy contract that was part of the Yearn v1 project (once known as iearn). The attacker used a flash loan to manipulate the price of tokens in the vault, allowing them to withdraw the iearn assets, which they then swapped for ETH.
This is Yearn's fourth hack, following the $6.6 million theft in November, an $11 million exploit in 2023, and an $11 million exploit in 2021. Yearn also lost around $1.4 million in 2023 in connection to the Euler Finance attack.
Ribbon Finance suffers $2.7 million exploit, plans to use "dormant" users' funds to repay active users
Ribbon Finance, which has partially rebranded to Aevo, has lost $2.7 million after attackers exploited a vulnerability in the smart contract for legacy Ribbon vaults that enabled them to manipulate oracle prices and withdraw a large amount of ETH and USDC.
Ribbon has announced it will cover $400,000 of the lost funds with its own assets. However, Ribbon is also offering users a lower-than-expected haircut on their assets by assuming that some of the largest affected accounts will not withdraw their assets, having been dormant for several years. While this plan may benefit active users, it seems like it could get very messy if those dormant users do wish to withdraw their assets and discover they've been used to pay others.
Binance employee suspended after launching a token and promoting it with company accounts
Binance has announced that the company has suspended an employee who used the platform's official Twitter accounts to promote a memecoin they had launched. The token, called "year of the yellow fruit", pumped in price after official Binance accounts coaxed followers to "harvest abundantly".
Binance publicly acknowledged that an employee had been suspended for misconduct over the incident. "These actions constitute abuse of their position for personal gain and violate our policies and code of professional conduct," Binance tweeted from its BinanceFutures account. After this announcement, the memecoin token price spiked even further.
Earlier this year, Binance fired another employee after discovering they had used inside information to profit from a token sale event.
Prysm consensus client bug causes Ethereum validators to lose over $1 million
Ethereum validators running the Prysm consensus client lost around 382 ETH ($1.18 million) after a bug resulted in delays that caused validators to miss blocks and attestations. Though the bug had been introduced around a month prior, it did not affect validators until Ethereum completed its "Fusaka" network update on December 3. Around 19% of Ethereum validators use the Prysm consensus client, which is developed by Offchain Labs.
- "Fusaka Mainnet Prysm Incident", Prysm
- Client Distribution, Clientdiversity.org
Yearn Finance hacked for the third time
Yearn Finance, a defi yield protocol, has suffered another hack. The exploiter took advantage of bugs in the project's smart contract to drain assets from several of its pools by minting a huge number of yETH tokens and then withdrawing the corresponding asset in the pools.
$2.4 million of the stolen assets, which were denominated in pxETH, a liquid staking token issued by Redacted Cartel, were recovered after the issuer burned the stolen tokens and reissued them to the team's wallet — essentially, removing the tokens from the hacker's wallet. However, the hacker routed the remaining funds through the Tornado Cash cryptocurrency mixer, which makes recovery substantially more challenging.
This is the third time Yearn Finance has been hacked, following an $11 million exploit in 2023 and another $11 million exploit in 2021. Yearn also suffered around $1.4 million in losses in 2023 in connection to the Euler Finance attack.
Upbit hacked for $30 million
The Korean cryptocurrency exchange Upbit suffered a loss of around $30 million in various Solana-based assets due to a hack. Some entities have suggested that Lazarus, a North Korean state-sponsored cybercrime group, was behind the hack.
Upbit reimbursed users who had lost funds from company reserves. The exchange was able to freeze around $1.77 million of the stolen assets.
This theft occurred exactly six years after Upbit suffered a theft of 342,000 ETH (priced at around $50 million at the time).
Aerodrome and Velodrome suffer website takeovers, again
Attackers redirected users intending to visit the websites for the decentralized exchanges Aerodrome and Velodrome to their own fraudulent versions using DNS hijacking, after taking control of the websites' domains. The platforms urged users not to visit the websites as they worked to regain control.
This is the second time such an attack has happened to these same platforms, with another DNS hijacking incident occurring almost exactly two years ago. In that instance, users lost around $100,000 when submitting transactions via the scam websites.
Cardano founder calls the FBI on a user who says his AI mistake caused a chainsplit
On November 21, the Cardano blockchain suffered a major chainsplit after someone created a transaction that exploited an old bug in Cardano node software, causing the chain to split. The person who submitted the transaction fessed up on Twitter, writing, "It started off as a 'let's see if I can reproduce the bad transaction' personal challenge and then I was dumb enough to rely on AI's instructions on how to block all traffic in/out of my Linux server without properly testing it on testnet first, and then watched in horror as the last block time on explorers froze."
Charles Hoskinson, the founder of Cardano, responded with a tweet boasting about how quickly the chain recovered from the catastrophic split, then accused the person of acting maliciously. "It was absolutely personal", Hoskinson wrote, adding that the person's public version of events was merely him "trying to walk it back because he knows the FBI is already involved". Hoskinson added, "There was a premeditated attack from a disgruntled [single pool operator] who spent months in the Fake Fred discord actively looking at ways to harm the brand and reputation of IOG. He targeted my personal pool and it resulted in disruption of the entire cardano network."
Hoskinson's decision to involve the FBI horrified some onlookers, including one other engineer at the company who publicly quit after the incident. They wrote, "I've fucked up pen testing in a major way once. I've seen my colleagues do the same. I didn't realize there was a risk of getting raided by the authorities because of that + saying mean things on the Internet."
GANA Payment hacked for $3.1 million
An attacker stole approximately $3.1 million from the BNB chain-based GANA Payment project. The thief laundered about $1 million of the stolen funds through Tornado Cash shortly after. The attacker was able transfer ownership of the GANA contract to themselves, possibly after a private key leak.
The theft was first observed by crypto sleuth zachxbt. Not long after, the project acknowledged on its Twitter account that "GANA's interaction contract has been targeted by an external attack, resulting in unauthorized asset theft."
Crypto tracking platform DappRadar shuts down, citing financial woes
Amid a month of falling crypto prices, the crypto tracking platform DappRadar has announced it will be shutting down after seven years of operation. "Running a platform of this scale became financially unsustainable in the current environment," the company announced on Twitter.
The company had previously raised several rounds of financing, with a $2.3 million seed round in 2019 and a $5 million Series A in 2021.