78 hack event(s)
Description of the event: According to news, the NFT series "Archive of PEACEMINUSONE" released by Korean singer Quan Zhilong has the previously disclosed CVE-2022-38217 general vulnerability, and the possibility of being used by hackers cannot be ruled out.
Amount of loss: - Attack method: CVE-2022-38217 general vulnerability
Description of the event: ParaSpace is suspected of being attacked, and it seems that 2,906 WETH have been transferred out. Many people claim that the data such as the number of borrowings, health factors, and the number of cAPEs are inconsistent. However, a security company said on Twitter that it has prevented the attack on ParaSpace and saved 2900 ETH assets.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: When PeopleDAO’s community treasury multi-signature wallet on the digital asset management platform Safe (formerly Gnosis Safe) distributed monthly contributor rewards on March 6, 76 ETH (approximately $120,000) were stolen by hackers through social engineering attacks. This event has nothing to do with the PEOPLE token contract. PeopleDAO collects monthly contributor reward information through Google Form. The person in charge of accounting mistakenly shared a link with editing permissions in the Discord public channel. Payments to your own address and set them to be invisible. Due to the malicious concealment, the team leader did not find it during the review. After downloading the csv file with insertef data, it was submitted to Safe's CSV Airdrop tool for reward distribution. With the assistance of SlowMist and ZachXBT, the team found that the attacked funds had been deposited in two exchanges, HitBTC and Binance, and contacted the two exchanges.
Amount of loss: 76 ETH Attack method: Malicious access to permissions
Description of the event: According to the official blog, The Sandbox issued a security incident notice on February 26 that an unauthorized third party gained access to the computer of an employee of the team and used its permissions to send a false email claiming to be from The Sandbox . Titled "The Sandbox Game (PURELAND) Access," the email contained hyperlinks to malware that could remotely install malware on a user's computer, granting it control of the computer and access to the user's personal information right. The Sandbox said that after the unauthorized access was discovered, the recipient was notified and the employee's account and access to The Sandbox were disabled, and no further impact has been identified.
Amount of loss: - Attack method: Phishing Attack
Description of the event: According to official news, the NFT project Azuki confirmed that its Twitter account was hacked, and the team has regained control of the account. Hackers posted two tweets on Azuki's Twitter account, prompting users to claim the virtual land, one of which was pinned to the top. Azuki officials remind users to be alert to this scam and not to click on any links.
Amount of loss: $ 1,740,000 Attack method: Twitter was hacked
Description of the event: The official Twitter account of Chimpers, the NFT project, was hacked and embezzled, and multiple links to fake websites were published to lure users to forge NFT through the links.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The official Twitter account of CyberKongz in the NFT project was attacked by hackers, who replaced the homepage links, etc. with phishing links and released false Mint information. At present, the account has been renamed and is under freezing protection.
Amount of loss: - Attack method: Twitter was hacked
Description of the event: Aurelien Michel, developer of MAYC's Mutant Ape Planet NFT series, has pleaded guilty after being arrested on charges of defrauding $2.9 million. Aurelien Michel and the other defendants marketed the Mutant Ape Planet NFT to potential buyers with promises including “rewards, sweepstakes, exclusive access to other crypto assets, and community-controlled wallets to fund the marketing of the NFT collection.” The project developer also implicitly promises that NFT holders can obtain "metaverse land". However, none of Michel's promises were kept. When all the NFTs were sold, Michel and the other defendants allegedly transferred the proceeds of $2.9 million to other wallets, including wallets under Michel’s control.
Amount of loss: $ 2,900,000 Attack method: Scam
Description of the event: For several weeks last year, Webaverse was targeted by a skilled scam gang posing as investors, Webaverse reported. The Webaverse team and the crooks met in Rome at the end of November 2022, and approximately $4 million was stolen. They reported the theft to the local Rome police station the same day, and then to the FBI a few days later on Form IC3.
Amount of loss: $ 4,000,050 Attack method: Scam
Description of the event: Browser security plug-in Pocket Universe tweeted that a new vulnerability was discovered in Opensea’s old contracts that could be used to steal users’ NFTs, potentially emptying wallets once the transaction was signed. It can steal any NFT users listed on Opensea before May 2022 (i.e. before Seaport upgrades), mainly involving the Wyvern protocol, which grants proxy contracts the right to withdraw user NFTs, and this new exploit will Trick the user into signing a transaction, giving the attacker ownership of the user's proxy contract. Cosine, the founder of SlowMist, tweeted that it is necessary to be vigilant about the new use of this old problem, which is related to the old OpenSea protocol, but many users of the old protocol have not cancelled the relevant authorization, and this use is invalid for the new OpenSea protocol (Seaport).
Amount of loss: - Attack method: Contract vulnerabilities
Description of the event: NFT platform Blur tweeted that it noticed a phishing account with the ID @Blur_DAO and reminded users not to click on fake links. The fake account tweeted that the BLUR token query was now open, and posted a phishing URL.
Amount of loss: - Attack method: Phishing attack
Description of the event: The Discord server of NFT project Vivity was attacked.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The official wallet of NFT platform LiveArtX was stolen, and several reserved NFTs were sold. According to MistTrack analysis, the LiveArtX attacker (0x5f78...A920) has transferred 7.3 ETH and 22.39 WETH to Bitkeep, then exchanged it for USDT and transferred it to a new address (0x871e...A575).
Amount of loss: $ 39,000 Attack method: Private Key Leaked
Description of the event: The Web3 social platform Sex DAO is suspected to have been Rug. The original white paper has been deleted. Over 220,000 USDT and 4.17 billion SED (SEXDAO Token) have been transferred on the chain. Currently, the Sex DAO official website and official Twitter account are inaccessible.
Amount of loss: 220,000 USDT Attack method: Rug Pull
Description of the event: Pokémon piracy project PokémonFi has RugPull, the project and token first launched in April, the project recently deleted its Twitter account, but its website still exists.
Amount of loss: $ 708,000 Attack method: Rug Pull
Description of the event: Web3 music streaming service platform Audius community treasury was hacked, losing 18.5 million AUDIO Tokens. The hackers exchanged the funds for about 705 ETH on Uniswap. Audius officially stated that the problem has been found and is currently being repaired. All Audius smart contracts on Ethereum must be stopped, including tokens. The team believes that there is no further capital risk. Before the repair is completed, token balances, transfers, etc. will be temporarily unavailable. use.
Amount of loss: $ 1,100,000 Attack method: Contract vulnerabilities
Description of the event: The permissions of the relevant administrators of the Discord of the Tableland project party were stolen. It is understood that after joining an external Discord server, Tableland members clicked the verification steps of a bot named "Dyno" and clicked a bookmark button with malicious javascript, and were then prompted to interact with the bookmark, triggering the malicious script to run. The attacker got hold of the admin account and posted a link on the announcement channel containing a fake website, anyone who clicked on the link and followed the wallet instructions would grant the attacker access to any NFTs held in their account.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The NFT access list tool PREMINT issued an alert through its official Twitter, because some users reminded that the tool's website was hacked, and the collections of NFT collectors have been stolen. Subsequently, the blockchain security company SlowMist confirmed that the PREMINT website was attacked by hackers. Hackers carried out phishing attacks by implanting malicious JS (JavaScript) files in the website, deceiving users to sign the transaction of "set approvals for all", thereby stealing users. of NFT assets. The attack lost about 280 ETH in total, amounting to $381,818, making it one of the biggest NFT hacks of the year.
Amount of loss: 280 ETH Attack method: Front-end Attack
Description of the event: Multi-chain NFT protocol Citizen Finance claims to have been attacked by an outside party that gained access to the private keys of BNB and the Polygon chain. The attackers used their access to transfer 244 BNB (~$55,000), 57,637 MATIC (~$32,300), and 7,000 USDC, for a total of about $94,300.
Amount of loss: $ 94,300 Attack method: Private key leak
Description of the event: Decentralized NFT financialization protocol Omni X has been attacked and stolen funds have been transferred to Tornado.cash. The main reason for this attack is that the burn function will call the callback function externally to cause the reentrancy problem, and the liquidation function uses the old vars value for judgment, resulting in the user's status identification even after reentrancy and then borrowing. Being set as unborrowed results in no repayments.
Amount of loss: 1,300 ETH Attack method: Reentry attack