116 hack event(s)
Description of the event: The developer of Klaytn-based NFT project Metaconz tweeted that a malicious bot was installed on the administrator account of Metaconz’s overseas Discord team on Saturday, causing 79 users to lose 11.9 ETH (about $36,000). The team promised to compensate all losses, and 53 users have been compensated so far. The developer also warned that any user who executed the setApprovalForAll function on Etherscan should move their assets out of that wallet unconditionally, because in this attack the hacker used this function to strip victims of control over their wallets.
Amount of loss: 11.9 ETH Attack method: Discord was hacked
Description of the event: According to official announcements from each project, the NFT projects whose Discord servers are currently under attack include BAYC, Doodles, Nyoki, Shamanz, Zooverse, Dreadfuls, Freaky Labs, and Kaijukingz. In addition, the source code of the verification bot Captcha has been leaked, and the private-message tool Ticket Tool has been attacked.
Amount of loss: - Attack method: Discord was hacked
Description of the event: According to reports, someone impersonating a Cryptovoxels official carried out a phishing attack, induced users to grant authorization, stole multiple NFTs (including Cryptovoxels Parcel Token, Art Blocks: BLOCKS Token, Mutant Ape Yacht Club: MAYC Token, etc.), and then sold them on OpenSea. Anonymous attackers reportedly exploited a vulnerability in a Discord bot to direct community users to phishing sites from the official Cryptovoxels Discord channel. The attacker's address is 0x794ca38bc1e15e528a7991ce25707a25ad71b675.
Amount of loss: 50 ETH Attack method: Phishing Attack
Description of the event: Maison Ghost’s Discord was hacked and the hacker posted a fake minting link. Within minutes about 300 NFTs were stolen, including Sandbox and 3landers NFTs, which were then sold for 128 ETH. The proceeds were eventually sent to Tornado.
Amount of loss: 128 ETH Attack method: Discord was hacked
Description of the event: NFT project MekaVerse tweeted that its official Discord had been hacked. In addition, according to other users in the community, the wallets of hundreds of thousands of bots are suspected to have been stolen, and it seems that no users have been affected.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The NFT project VEVE officially tweeted that the system was exploited, resulting in a large number of gems being illegally obtained.
Amount of loss: - Attack method: Contract Vulnerability
Description of the event: The NFT project REALSWAK carried out a rug pull, and its official social account (@REALSWAK) has been cancelled. The scammers have transferred 1,300 BNB to the Tornado Cash mixer.
Amount of loss: 1330 BNB Attack method: Rug Pull
Description of the event: According to a report by Twitter user Will Sheehan, an arbitrage bot took out more than 60,000 APE Coins (worth $8 each) using flash loans. Analysis showed that this was related to a loophole in the APE Coin airdrop mechanism. Specifically, eligibility for the APE Coin airdrop depends on whether a user holds a BAYC NFT at a given instant, and an attacker can manipulate this instantaneous state by borrowing through a flash loan and then redeeming to obtain BAYC NFTs. The attacker first borrows BAYC Token through a flash loan and redeems it to obtain BAYC NFTs, then uses these NFTs to claim the airdropped APE, and finally mints BAYC Token from the BAYC NFTs to repay the flash loan.
Amount of loss: $ 500,000 Attack method: Airdrop Mechanism Vulnerability
Description of the event: Several NFT players posted on social media that a project called "NFTflow" carried out a rug pull: it ran away without completing the pre-sale and transferred the 92 ETH from the sale to the Tornado mixer. According to its official website, NFTflow calls itself "a platform for creating liquid markets for illiquid NFTs on StarkNet".
Amount of loss: 92 ETH Attack method: Rug Pull
Description of the event: The pledge contract (0x6912B19401913F1bd5020b3f59EE986c5792DA54) of the NFT adventure game Pirate X was attacked. When users deposit their PXP tokens into this contract, their tokens will be transferred to an EOA account (0x3b74a9cb5f1399b4a5a02559e67da37d450067b7). When the user withdraws the tokens, the contract will call "Transferfrom" to transfer these funds back. The attackers put these tokens on the market and made a profit of about 212 BNB.
Amount of loss: 212 BNB Attack method: Private Key Leakage
Description of the event: The Arbitrum-based TreasureDAO NFT trading market was found to have a vulnerability. According to SlowMist analysis, the core of this vulnerability is the lack of a check that the incoming _quantity parameter is not 0 before an ERC-721 standard NFT is transferred. As a result, an ERC-721 standard NFT can be transferred directly while the cost of purchasing it is calculated as 0. Hours after the theft, developers confirmed that hackers had begun returning stolen “Smol Brains” and other NFTs.
Amount of loss: - Attack method: Unchecked Input Data
Description of the event: According to OpenSea's official tweet, hackers sent phishing emails to all users' mailboxes at the same time as the OpenSea contract was upgraded. Many users mistakenly thought it was an official email and authorized the wallet, which resulted in the wallet being stolen. OpenSea co-founder and CEO Devin Finzer confirmed the phishing attack in a tweet.
Amount of loss: $ 3,400,000 Attack method: Phishing Attack
Description of the event: Hot wallets operated by TopGoal were attacked and compromised. In this hack, only the hot wallet operated by TopGoal, which manages the distribution of TopPrize rewards, was affected. All user assets including NFTs and TMTs are safe. The hackers transferred a total of 4,809,984 TMT from the TopGoal-operated hot wallet to the address 0x7F0D082D08874A57110c73a8853967e7C19D1a6e. The hackers then exchanged all of that TMT on PancakeSwap for over 2,600 BNB and used Tornado to transfer the BNB out of the address.
Amount of loss: 4,809,984 TMT Attack method: Wallet Stolen
Description of the event: Dego Finance, an NFT and DeFi aggregator, announced that it was hacked, and now the DEGO liquidity on UniSwap and PancakeSwap has been exhausted.
Amount of loss: $ 10,000,000 Attack method: Private Key Leakage
Description of the event: The official Discord server of the NFT project The Heart Project was hacked. Scammers deleted most of The Heart Project's Discord channels and posted scam links. According to The Heart Project, some users clicked on fraudulent links and said they lost assets. The Heart Project says it will reimburse users for lost ether.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The social media accounts of NFT project Mercenary have been deleted. Deployers spent over $760,000.
Amount of loss: $ 760,000 Attack method: Rug Pull
Description of the event: An OpenSea user exploited a vulnerability in the non-fungible token (NFT) market to steal hundreds of ether (ETH) from the owners of several items in well-known collections such as the Bored Ape Yacht Club (BAYC) and Cyber Kongs. The vulnerability appears to be related to the listing mechanism used by the platform and allowed the user to earn around 347 ETH by purchasing some NFTs at the previous listing price on different markets.
Amount of loss: 347 ETH Attack method: Listing mechanism loopholes
Description of the event: Blockverse is a Minecraft-based NFT game. Through OpenSea, investors can buy Blockverse characters and a cryptocurrency called $Diamond. Unfortunately, investors withdrew all real money invested in Blockverse, shutting down and deleting the project’s official website, Discord, and Twitter. After three days of silence, the Blockverse founders resurfaced on Twitter, apologizing and explaining their actions. More than three weeks later, the Blockverse team's promise to "get back on track" has not materialized. The Blockverse Twitter account has not been updated further, its website remains offline, and the Medium account hosting the Blockverse white paper has disappeared.
Amount of loss: 1,294 ETH Attack method: Rug Pull
Description of the event: There is a vulnerability in the Crypto Burger project, an NFT project on the BSC chain. "The attacker discovered a vulnerability related to the $BURG token contract, which managed to burn most of the tokens in the liquidity pool, while immediately liquidating the tokens it had previously acquired, from liquidity," the project said in a statement. "$770,000 was stolen from the pool."
Amount of loss: $ 770,000 Attack method: Contract Vulnerability
Description of the event: The creator of the NFT project Frosties absconded with the money, causing investors to lose more than $1 million. According to available information, there are 8,888 NFTs in the series with a floor price of 0.04 ETH, roughly over $120. Within an hour, all NFTs were sold, but instead of getting their assets, investors found out that the project developers closed all communication with community members. Etherscan data shows that developers have moved most of the funds from the OpenSea account to another wallet.
Amount of loss: $ 1,000,000 Attack method: Rug Pull