81 hack event(s)
Description of the event: The NFT access list tool PREMINT issued an alert through its official Twitter, because some users reminded that the tool's website was hacked, and the collections of NFT collectors have been stolen. Subsequently, the blockchain security company SlowMist confirmed that the PREMINT website was attacked by hackers. Hackers carried out phishing attacks by implanting malicious JS (JavaScript) files in the website, deceiving users to sign the transaction of "set approvals for all", thereby stealing users. of NFT assets. The attack lost about 280 ETH in total, amounting to $381,818, making it one of the biggest NFT hacks of the year.
Amount of loss: 280 ETH Attack method: Front-end Attack
Description of the event: Multi-chain NFT protocol Citizen Finance claims to have been attacked by an outside party that gained access to the private keys of BNB and the Polygon chain. The attackers used their access to transfer 244 BNB (~$55,000), 57,637 MATIC (~$32,300), and 7,000 USDC, for a total of about $94,300.
Amount of loss: $ 94,300 Attack method: Private key leak
Description of the event: Decentralized NFT financialization protocol Omni X has been attacked and stolen funds have been transferred to Tornado.cash. The main reason for this attack is that the burn function will call the callback function externally to cause the reentrancy problem, and the liquidation function uses the old vars value for judgment, resulting in the user's status identification even after reentrancy and then borrowing. Being set as unborrowed results in no repayments.
Amount of loss: 1,300 ETH Attack method: Reentry attack
Description of the event: Quiuixotic, the largest NFT platform in the Optimism ecosystem, has a serious vulnerability, and a large number of user assets have been stolen. Users who have traded on this market should cancel their authorization as soon as possible. According to SlowMist analysis, only the sell order is checked in the fillSellOrder function of the market contract, and the buyer's buy order is not checked. Therefore, the attacker first creates an arbitrary NFT contract, calls the fillSellOrder function to generate a sell order, and passes the buyer parameter as the victim's address and the paymentERC20 parameter as the token address to be stolen, then the user who is authorized to the market contract can be transferred. Tokens are transferred for profit.
Amount of loss: 220,000 OP Attack method: Contract Vulnerability
Description of the event: Metaverse project Quint was hacked and lost $130,000. The root cause of the attack is that when the reStake function executes the reStake reward reStake, the reward amount of the LP token is not updated, so that the attacker can claim the issued reward multiple times.
Amount of loss: $ 130,000 Attack method: Contract Vulnerability
Description of the event: The NFT liquidity solver XCarnival was attacked, the hacker made a profit of 3,087 ETH (about 3.8 million US dollars), and the hacker has returned 1,467 ETH after the negotiation. The core of this vulnerability is that when borrowing, there is no judgment on whether the NFT in the order has been withdrawn.
Amount of loss: 1,620 ETH Attack method: Contract vulnerabilities
Description of the event: Clothing brand LACOSTE's Discord was hacked, and scammers posted phishing links on the announcement channel. Recently, the Discords of several projects have been attacked, including Clyde, Good Skellas, Duppies, Oak Paradise, Tasties, Yuko Clan, Mono Apes, ApeX Club, Anata, GREED, CITADEL, DegenIslands, Sphynx Underground Society, FUD Bois, and Uncanny Club etc.
Amount of loss: - Attack method: Discord was hacked
Description of the event: KnownOrigin officially tweeted that its discord had been attacked, and reminded users not to click on any links. Other servers hacked in recent days include those of Curiosity, Meta Hunters, Parallel, Goat Society, RFTP and Gooniez.
Amount of loss: - Attack method: Discord was hacked
Description of the event: Discord servers for Yuga Lab projects Bored Ape Yacht Club (BAYC) and Otherside appear to have been affected by phishing attacks. The attackers allegedly stole more than 145 ethereum ($256,000) worth of tokens. It appears that the community administrator's account was compromised, which gave attackers access to the administrator account on the server. They then went on to post a link to a phishing site that encouraged users to link their wallets to access "exclusive giveaways." Subsequently, the NFT project BAYC stated on its official Twitter that its Discord server was briefly attacked today, and the team quickly resolved the problem, but some NFTs were still affected.
Amount of loss: 145 ETH Attack method: Discord was hacked
Description of the event: The Discord of Homeless Friends NFT was attacked, homelessfriends[.]net is a phishing website.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The work of Animoon with 9999 NFTs is taken from Pokémon. They claim to have signed a non-disclosure agreement (NDA) with Pokémon partner TopDeck. But with no evidence of an actual P2E game being developed, the Animoon team disappeared, deleting their Twitter account and website.
Amount of loss: $ 6,300,000 Attack method: Rug Pull
Description of the event: A Rug Pull occurred in the NFT metaverse game project Pokemoney on BNBChian, its Token PMY has dropped by 99.98%%, and about 11,800 BNB (about 3.5 million US dollars) have been withdrawn and transferred.
Amount of loss: $ 3,500,000 Attack method: Rug Pull
Description of the event: The project behind the Llamaverse, the Llamascape NFT series, was hacked. Hackers targeted their Discord server and scammers took around 30-40 ETH.
Amount of loss: 30-40 ETH Attack method: Discord was hacked
Description of the event: Axie Infinity says the Mee6 bot on its main server was hacked. Hackers use Mee6 bot to add permissions to fake Jiho account to post fake announcements about mint. MEE6 is a Discord bot that allows admins to automatically assign and remove roles and send messages. The fake announcement has now been removed.
Amount of loss: - Attack method: Discord was hacked
Description of the event: Discord for NFT series Lazy Lions was hacked. Notably, this attack appears to infiltrate many other large NFT projects throughout the day, seemingly due to MEE6 staff being able to use MEE6 remotely to give themselves roles in any server.
Amount of loss: - Attack method: Discord was hacked
Description of the event: NFT project Alien Frens tweeted that Discord had been attacked. Users are asked not to click on any MINT links.
Amount of loss: - Attack method: Discord was hacked
Description of the event: There was an abnormality on the Tianqiong Digital Collection platform. The price of its collections on the secondary market skyrocketed thousands of times, and collections with a price of nearly 10 million yuan were sold in seconds. The Tianqiongshuzang announcement stated that the platform was maliciously attacked by hackers and used false balances to purchase and steal player collections.
Amount of loss: - Attack method: Fake balance
Description of the event: The ownlyio project's NFTStaking contract was attacked, with a total of 115 BNB stolen and a loss of about $36,418. The reason for this attack is that the unstake function of the pledge contract of the ownio project does not check the user's claim status, so the attacker can use the unstake function to receive the own tokens in the contract infinitely, thereby extracting all the own tokens in the pledge contract, and finally the attacker The acquired owned tokens are exchanged for 115 BNB through the pair transaction.
Amount of loss: 115 BNB Attack method: Contract Vulnerability
Description of the event: The Fury of the Fur NFT project was a collection of 3D models that sort of resembled bears. However, the NFT rollout has not been smooth - out of a total supply of 9,671 NFTs, less than 2,800 NFTs have been minted. The project attempted to relaunch but failed to generate more interest, so the creators decided to pull it out — while preserving funding, of course. The project founders have left a long message to the community that they will close the project.
Amount of loss: $ 300,000 Attack method: Rug Pull
Description of the event: Day of Defeat has rug pull, value has suddenly dropped by over 96%, and over $1.35 million in assets has been moved from BSC-based projects to external wallets. After the funds ran out, the project claimed they had been hacked by outside actors and had “reported to Binance and local authorities.”
Amount of loss: $ 1,350,000 Attack method: Rug Pull