1519 hack event(s)
Description of the event: The venture capital DAO organization Build Finance tweeted that the project suffered a malicious governance takeover. The malicious actors successfully controlled the Build token contract by getting enough votes, minting 1,107,600 BUILD tokens in three transactions, and spent With most of the funds in Balancer and Uniswap liquidity pools exhausted, attackers continue to take control of the balancer pools via governance contracts and drain the remaining funds including 130,000 METRIC tokens, METRIC liquidity on Uniswap and Fantom Both pools subsequently came under intense selling pressure. As it stands, attackers have full control over governance contracts, minting keys, and treasuries, and the DAO no longer controls any part of critical infrastructure.
Amount of loss: 168 ETH Attack method: Governance Attack
Description of the event: On February 14, the Titano Finance project on the BSC chain was attacked. The attackers made a total of 4,828.7 BNB, or about $190w. According to the official Titano Finance investigation, “The problem arose when we trusted a contractor to deploy the PLAY contract. Although ownership was transferred back to us after deployment, it was the same deployer wallet that allowed two days ago from our PLAY Hacking that steals all Titano in the protocol.”
Amount of loss: 4,828.7 BNB Attack method: Insider Manipulation
Description of the event: IRA Financial Trust, South Dakota’s self-directed retirement account provider, has filed a lawsuit against crypto trading platform Gemini Trust Company (Gemini), alleging huge losses to the IRA as a result of Gemini’s security glitch. In February 2022, $36 million in crypto assets held by Gemini and belonging to customer retirement accounts was stolen. The lawsuit also claims that Gemini did not have adequate safeguards to protect customers’ crypto assets, failed to freeze accounts immediately after the incident, and instead allowed criminals to continue to transfer funds from customer accounts on Gemini’s trading platform after the IRA notified Gemini Middle-to-outward transfer.
Amount of loss: $ 36,000,000 Attack method: Wallet Stolen
Description of the event: Decentralized derivatives trading platform FutureSwap tweeted that an account with around 300,000 FST reward reserves (0.3% of supply) was compromised yesterday. The credentials for this account were compromised by human error, and the attacker was able to gain access on Arbitrum and transfer the available reward FST to himself.
Amount of loss: 300,000 FST Attack method: Private Key Leakage
Description of the event: BabyMuskCoin plummeted 99%, 1,571 BNB (~$660,000) was dumped, and funds were moved to Tornado. The project team claimed to have been scammed through Telegram, but Twitter and the website were down, suspected of Rugpull.
Amount of loss: 1,571 BNB Attack method: Rug Pull
Description of the event: Dego Finance, an NFT and DeFi aggregator, announced that it was hacked, and now the DEGO liquidity on UniSwap and PancakeSwap has been exhausted.
Amount of loss: $ 10,000,000 Attack method: Private Key Leakage
Description of the event: On February 8, the LockBit ransomware group claimed to have stolen substantial customer data from cryptocurrency exchange PayBito. PayBito is a cryptocurrency exchange operated by HashCash, a global blockchain, and IT services company. Some of the stolen data is published on the group's Tor leak site. In this cyberattack, the ransomware group successfully stole a database containing personal data information from more than 100,000 customers worldwide. In addition, the group also stole some email data and password hashes, some of which can easily be decrypted. To make matters worse, the gang also managed to steal the administrator's personal data, claiming that the stolen data would be released on February 21, 2022, if the ransom is not paid.
Amount of loss: - Attack method: Ransomware
Description of the event: The QI Vesting contract on the streaming digital asset protocol Superfluid has been exploited by an attacker by passing in incorrect call data. This vulnerability allows the attacker to transfer funds from Superfluid user wallets to Polygon and exchange them for ETH.
Amount of loss: $ 13,000,000 Attack method: Contract Vulnerability
Description of the event: Meter.io's cross-chain bridge was hacked, resulting in a loss of around $4.3 million ( 1391.24945169 ETH and 2.74068396 BTC). The hacker was able to exploit a vulnerability in the deposit function, which allowed them to fake BNB or ETH transfers. Meter.io announced that Meter Passport (a cross-chain bridge extension) automatically wraps and unwraps Gas Tokens (such as ETH and BNB) for user convenience. However, the contract did not prohibit the wrapped ERC20 Token from interacting directly with the native Gas Token, nor did it properly transfer and verify the correct amount of WETH transferred from the caller address.
Amount of loss: $ 4,300,000 Attack method: Contract Vulnerability
Description of the event: A South Korean DeFi project, KLAYswap stated it was hacked and lost over 2.2 billion won, or about $1.83 million, in the incident. The hacker modified the third-party JavaScript link on the front end of KLAYswap, causing the user to download malicious malware when accessing the KLAYswap page. This enabled funds to be transferred to the hacker's wallet address when conducting token-related transactions . During this time, 407 suspicious transactions were found in 325 wallets linked to this incident.
Amount of loss: $ 1,830,000 Attack method: Malicious Code Injection Attack
Description of the event: The official Discord server of the NFT project The Heart Project was hacked. Scammers deleted most of The Heart Project's Discord channels and posted scam links. According to The Heart Project, some users clicked on fraudulent links and said they lost assets. The Heart Project says it will reimburse users for lost ether.
Amount of loss: - Attack method: Discord was hacked
Description of the event: Attackers exploited a signature verification vulnerability in the Wormhole network to mint 120k Ether on Solana, worth over $326 million. The hack was made possible by a series of signature verification authorizations, where the developers used a deprecated function to enable unverified forged signature passes.
Amount of loss: 120,000 ETH Attack method: Contract Vulnerability
Description of the event: On March 1, ZachXBT, an on-chain data analyst, tweeted: "Indian cryptocurrency exchange Bitbns concealed a $7.5 million hack from its users on February 1, 2022, and informed users that it was system maintenance." According to CryptoSlate, Bitbns CEO Gaurav Dahake admitted in an AMA session that the exchange had indeed been hacked. But Dahake claims the system was taken offline to analyze anomalies, not to hide hacking. He also said that exchanges improve their security systems after such incidents, and that Bitbns has been operating "seamlessly" since the attack. Still, Dahake would not confirm the amount of assets stolen from the exchange in the attack.
Amount of loss: $ 7,500,000 Attack method: Wallet Stolen
Description of the event: Qubit, the lending product of QBridge, a BSC ecological decentralized lending project, is suspected to have been hacked. The hackers minted a large amount of xETH collateral and consumed about $80 million in assets in the capital pool. According to SlowMist's analysis, the main reason for this attack is that when the recharge of ordinary tokens and native tokens are implemented separately, when transferring the tokens in the whitelist, it is not checked again whether they are 0 addresses, resulting in The operation that should be recharged through the native recharge function can successfully go through the recharge logic of ordinary tokens.
Amount of loss: $ 80,000,000 Attack method: Contract Vulnerability
Description of the event: The project Wegrocoin (WEGRO) on BSC suffered a Rug Pull and lost more than 1000 BNB.
Amount of loss: 1,000 BNB Attack method: Rug Pull
Description of the event: Rug Pull occurred in the BSC ecological InfinityToken (INF), which lost more than 1390 WBNB.
Amount of loss: 1390 WBNB Attack method: Rug Pull
Description of the event: The social media accounts of NFT project Mercenary have been deleted. Deployers spent over $760,000.
Amount of loss: $ 760,000 Attack method: Rug Pull
Description of the event: An OpenSea user exploited a vulnerability in the non-fungible token (NFT) market to steal hundreds of ether (ETH) from the owners of well-known collectibles such as the Bored Ape Yacht Club (BAYC) and Cyber Kongs of several items. The vulnerability appears to be related to the listing mechanism exploited by the platform and allows users to earn around 347 ETH by purchasing some NFTs at the previous listing price on different markets.
Amount of loss: 347 ETH Attack method: Listing mechanism loopholes
Description of the event: Blockverse is a Minecraft-based NFT game. Through OpenSea, investors can buy Blockverse characters and a cryptocurrency called $Diamond. Unfortunately, investors withdrew all real money invested in Blockverse, shutting down and deleting the project’s official website, Discord, and Twitter. After three days of silence, the Blockverse founders resurfaced on Twitter, apologizing and explaining their actions. More than three weeks later, the Blockverse team's promise to "get back on track" has not materialized. The Blockverse Twitter account has not been updated further, its website remains offline, and the Medium account hosting the Blockverse white paper has disappeared.
Amount of loss: 1,294 ETH Attack method: Rug Pull
Description of the event: The SolFire Finance project owner stole all investor funds and moved them to the ETH chain via a cross-chain bridge. The project's GitHub account and Twitter account have been deleted and the site is no longer accessible.
Amount of loss: $ 10,000,000 Attack method: Rug Pull