1755 hack event(s)
Description of the event: Mobile phone operator T-Mobile filed a lawsuit for failing to prevent the SIM exchange scam, which cost a customer $55,000 in Bitcoin. The plaintiff Richard Harris accused T-Mobile of improper behavior, including failing to adequately protect customer information, hiring appropriate support personnel, and violating federal and state laws that caused him to lose 1.63 bitcoins.
Amount of loss: $ 55,000 Attack method: SIM Card Attack
Description of the event: ApeRocket, the DeFi revenue mining aggregator and optimizer, released the lightning loan attack details and compensation plan. ApeRocket's BSC version and Polygon version encountered lightning loan attacks at 4:30 AM and 8:00 AM (UTC), respectively, and lost 260,000 US dollars and 1,000,000.
Amount of loss: $ 1,260,000 Attack method: flash loan attack
Description of the event: The digital collectibles market platform Bondly Finance released an analysis report on the previous attack. Bondly Finance believes that the attacker obtained access to the password account belonging to Bondly CEO Brandon Smith through a carefully planned strategy. The password account contains the assistance of his hardware wallet. Recalling the phrase to restore the phrase, after copying, allowed the attacker to access the BONDLY smart contract, and the company wallet that was also leaked, resulting in the minting of 373 million BONDLY tokens.
Amount of loss: 373,000,000 BONDLY Attack method: Private Key Leakage
Description of the event: Medium user Anonymous Dev published an article stating that there are a large number of loopholes in the BSC ecological Rabbit Finance code, which may be suspected of running away. The vulnerabilities include: 1. The total supply of tokens RABBIT is not the hard cap of 203,000,000 as the team claims; 2. The owner of Rabbit's FairLaunch can issue unlimited RABBIT tokens at any time; 3. 100% of the positions can be liquidated at any time and funds It can be stolen at any time, and there is no maximum limit on the configurable protocol parameters; 4. All funds on the platform may be stolen, and Rabbit’s EOA account can be upgraded to execute the contract at any time. The official did not respond to this matter. Although the Rabbit team did not explain why the vulnerabilities existed, or outright pleaded guilty, the Rabbit team was forced to at least add some restrictions to these security risks through a 24-hour Timelock.
Amount of loss: - Attack method: Rug Pull
Description of the event: The Polygon Space Token (pSPACE) of the Polygon platform suffered a lightning loan attack. It is reported that this is a profit-inflation bug.
Amount of loss: - Attack method: Flash loan attack
Description of the event: DeFiPie (PIE), the lending protocol on the Ethereum and Binance smart chains, was hacked. It is recommended that all liquidity providers extract all liquidity from the application. PIE tokens fell by more than 66% in 24 hours. The attacker used a re-entry attack to over-borrow and lent a portion of valuable assets. Later, the counterfeit currency was used for liquidation operations and took away the mortgaged valuable assets, which led to the DeFiPie agreement not only lent assets, but also lost all mortgage assets, and liquidity was lost.
Amount of loss: 124,999 BUSD Attack method: Reentrancy Attack
Description of the event: The NFT project Axie Infinity tweeted that its market platform was attacked by DDoS and that someone was sending spam to its server in an attempt to make it unusable. Officials say the funds are currently safe.
Amount of loss: - Attack method: DDoS Attack
Description of the event: DeFi project helios on Polygon rug pull. (0x8eb6ead701b7d378cf62c898a0a7b72639a89201)
Amount of loss: $ 1,446,704 Attack method: Rug Pull
Description of the event: The cross-chain bridge Chainswap announced the details of the stolen incident on its official blog. A total of 20 project assets were stolen, with a total value of approximately US$4 million. At present, the ChainSwap team has reached a consensus with the affected projects and initially formulated and implemented a compensation plan. According to the project investigation, due to the error in the token cross-chain quota code, the on-chain swap bridge quota is automatically increased by the signature node, the purpose of which is to be more decentralized without manual control. However, due to a logical flaw in the code, this led to a vulnerability that automatically increases the number of invalid addresses that are not whitelisted.
Amount of loss: $ 4,000,000 Attack method: Contract Vulnerability
Description of the event: The cross-chain bridge project Multichain issued an announcement stating that the newly launched V3 cross-chain liquidity pool was hacked in the early hours of yesterday, with a total loss of 2.39 million USDC and 5.5 million MIM. According to Etherscan, the hacker has sold all MIMs and obtained 548 Million DAI, which means that Multichain's total loss is more than 7.87 million U.S. dollars. According to the explanation of the reason for the theft in the Multichain announcement, two v3 router transactions were detected under the V3 router MPC account on the BSC. These two transactions have the same R value signature, and the hacker reversed the private key of this MPC account. At present, the team has fixed the code to avoid using the same R signature. Multi-chain router V3 will restart in about 48 hours. There is no security risk for v1 and v2. Multichain stated that it has taken remedial measures to provide full compensation. Multichain will refill the stolen liquidity within 48 hours, and the liquidity provider will be able to withdraw assets from the fund pool again without any loss.
Amount of loss: $ 7,870,000 Attack method: Contract Vulnerability
Description of the event: According to official news, Polkadot's ecological oracle and prediction protocol OptionRoom stated that it was affected by the "cross-chain asset bridge ChainSwap attack", and many projects including OptionRoom were affected by the hacker attack. Hackers can obtain 2.3 million ROOM tokens on Ethereum and 10 million ROOM tokens on BSC. OptionRoom noticed the hacking before the hackers sold any tokens and decided to remove liquidity from Uniswap and Pancakeswap to protect token holders and liquidity providers from being sold to the liquidity pool by hackers. By selling the deployer's tokens to the Uniswap pool, OptionRoom was able to recover $342,117. In this way, OptionRoom successfully extracted liquidity on behalf of the liquidity provider of the project. The recovered amount will be allocated according to the share of the liquidity provider.
Amount of loss: 12,300,000 ROOM Attack method: Contract Vulnerability
Description of the event: According to official sources, DAFI Protocol, an on-chain incentive protocol, stated that DAFI worth 200,000 US dollars was sold due to the “cross-chain asset bridge ChainSwap attack”. DAFI Protocol requests the community to withdraw liquidity from Uniswap and LP plans until further notice. DAFI Protocol added that the DAFI token contract and Super Staking are safe.
Amount of loss: $ 200,000 Attack method: Contract Vulnerability
Description of the event: According to official sources, the DeFi asset management platform DAO ventures was stolen 300,000 DVG tokens due to a loophole in the ChainSwap contract of the cross-chain asset bridge. DAOventures stated that it has taken snapshots of DVG holders and LPs before the attack, and stated that it will compensate the affected token holders. The DAOventures team stated that the user's assets in DAOventures are safe. Before the compensation plan is announced, DAOventures reminds users not to purchase the DVG of the transaction for the time being and pay attention to the latest developments of the team.
Amount of loss: 300,000 DVG Attack method: Contract Vulnerability
Description of the event: According to official sources, the DeFi oracle Umbrella Network was stolen over 3 million UMB tokens due to a loophole in the ChainSwap contract of the cross-chain asset bridge.
Amount of loss: 3,000,000 UMB Attack method: Contract Vulnerability
Description of the event: According to official sources, Dora Factory, a multi-chain service infrastructure based on Polkadot, suffered a contract vulnerability in the cross-chain asset bridge ChainSwap. The 7,872 DORA locked in the ChainSwap cross-chain bridge contract was taken out by hackers and sold through Uniswap.
Amount of loss: $ 42,373 Attack method: Contract Vulnerability
Description of the event: Circle Internet Financial, the issuer of the US dollar stable currency USDC, reported in a regulatory filing with the US Securities and Exchange Commission (SEC) that Circle Internet Financial lost US$2 million in email fraud last month. Circle stated that the email fraud incident did not affect customer funds and accounts, Circle's information system is still safe, and the US$2 million is the company's own funds.
Amount of loss: $ 2,000,000 Attack method: Scam
Description of the event: Lookout Threat Lab security researchers exposed more than 170 Android applications, and the number of deceived users exceeded 93,000. Among them, 25 applications managed to evade the Google Play Store detection and successfully launched, but this is mainly because they do not involve any malicious operations, and may even be purely to fool users. Lookout security researchers pointed out that these counterfeit applications belong to the BitScam and CouldScam series respectively, claiming to provide cloud-based cryptocurrency mining services that can aggregate the computing power of users' mobile devices and share mining revenue. These apps are not free, and various additional payment excuses such as subscriptions and upgrades will be made. Prices range from 12.99 to 259.99 US dollars, and cryptocurrencies such as BTC or ETH are accepted as payment methods. LookoutThreatLab estimates that these malware creators defrauded 300,000 U.S. dollars through illegal sales and 50,000 U.S. dollars in cryptocurrency through fake payments and upgrade services.
Amount of loss: $ 350,000 Attack method: Scam
Description of the event: Cobra, the anonymous creator and principal of Bitcoin.org, tweeted that the Bitcoin.org website is being subjected to an "absolutely large-scale" distributed denial of service (DDoS) attack, as well as a Bitcoin ransom demand. Currently Bitcoin.org is accessible.
Amount of loss: - Attack method: DDoS Attack
Description of the event: RAI Finance, a cross-chain transaction protocol based on the Polkadot blockchain, issued a post stating that due to the vulnerability of the ChainSwap smart contract, the RAI access and payment permission addresses connected to it were also hacked and stolen. The total amount of stolen RAI in the account reached 2.9 million. On July 5, Rai Finance tweeted that after investigation by the team, hackers had returned 2.2 million RAIs to ChainSwap Deployer. The total loss caused by this incident was reduced to 670,000 RAI.
Amount of loss: $ 414,013 Attack method: Affected by ChainSwap Attack
Description of the event: A blackmailer with an ID of ZeroX is suspected of using a 0day vulnerability attack to steal 1TB of Saudi Aramco's corporate data resources. According to the ID's post on the dark web forum, the data leaked this time involves the complete information of 14,254 employees, internal analysis reports, pricing tables, refinery locations, enterprise-related system project specifications, and the most important customer data, etc. Sensitive information, the earliest data range can be traced back to 1993, spanning 28 years. The blackmailer gave Saudi Aramco a validity period of 662 hours (approximately 28 days) and demanded to pay 50 million U.S. dollars in Monero or sell it for 5 million U.S. dollars. This has also become a large-scale data breach after Saudi Aramco was hacked in 2012, 35,000 computers were affected, and 75% of the company’s computer data was deleted.
Amount of loss: - Attack method: Information Leakage