122 hack event(s)
Description of the event: According to Cointelegraph, Skyward Finance, the NEAR on-chain asset issuance platform, suffered a vulnerability exploit and has lost 110 NEAR tokens (about $3 million). The Ref Finance and Skyward teams have been informed of the existence of the vulnerability. The attackers reportedly purchased large amounts of Skyward Tokens on Ref Finance, then redeemed them through the Treasury on Skyward Finance, and then earned more than the value of the Skyward Tokens originally invested.
Amount of loss: $ 3,000,000 Attack method: Contract vulnerabilities
Description of the event: The ownership of the MEV infrastructure Eden Network deployer address was hacked and took control of the EDEN token contract. The attacker claims that a new token contract will be deployed, and Eden Network can redeem ownership after purchasing 200 ETH of NEDEN.
Amount of loss: - Attack method: Private key leak
Description of the event: The project Layer2DAO on Optimism was attacked by hackers. The hackers stole 49.95 million L2DAO tokens and sold some tokens by obtaining the multi-signature permission of Layer2DAO. Layer2DAO said it has repurchased more than 30 million tokens remaining in the hands of hackers through treasury funds. The L2DAO price fell by about 90% at one point.
Amount of loss: 49,950,000 L2DAO Attack method: Get multi-signature permission
Description of the event: Crypto investment platform Freeway announced on Sunday that it was halting all withdrawals from the platform, The Block reported. Terra researcher FatMan said that the names of all team members of the platform have been removed from the website, and a Rug pull is suspected to have occurred, involving an amount of $100 million.
Amount of loss: $ 100,000,000 Attack method: Scam
Description of the event: Several FTX users were hacked and stolen coins, which 3Commas said was due to phishing websites. In a collaborative investigation conducted by 3Commas and FTX, it was discovered that some API keys were associated with new 3Commas accounts, but the API keys were not obtained from 3Commas, but from outside the 3Commas platform. At the same time, FTX will provide a total of approximately $6 million in compensation to FTX accounts affected by the phishing incident.
Amount of loss: $ 6,000,000 Attack method: Phishing attack
Description of the event: Aptos ecological wallet Petra tweeted that the Aptos Labs team discovered a vulnerability on Petra on October 20. The mnemonic is related to account creation in existing wallets, and the mnemonic displayed on the page may be inaccurate. To access the exact 12 mnemonic phrases, set up, manage your account, enter your password, and click Show Key Recovery Phrase. Currently, Petra has fixed the vulnerability.
Amount of loss: - Attack method: Mnemonic Vulnerability
Description of the event: On October 19, the Moola protocol on Celo was attacked, and the hackers made a profit of about $9 million. This attack is a price manipulation attack. The attackers returned about 93.1% of the proceeds to the Moola Market project, donating 500,000 CELO to the impact market. Left a total of 650,000 CELO as a bounty.
Amount of loss: $ 9,000,000 Attack method: Manipulate the price
Description of the event: Metaverse data platform Dataverse tweeted that it has detected hackers attacking the GEO BSC contract, and reminded users not to buy GEO in BSC, any code purchased on BNB Chian from October 19th to 22nd UTC Coins are invalid. It may be caused by the "allow unlimited minting" vulnerability in the minting function of BGEO (Binance GeoDB Coin).
Amount of loss: - Attack method: Contract vulnerabilities
Description of the event: As reported by Cointelegraph, the BitBTC team has now fixed the bug after Twitter user @PlasmaPower0 disclosed a “fake minting” bug that existed in the cross-chain bridge between BitBTC and Optimism. It is reported that the vulnerability allows an attacker to fake tokens on one side of the bridge and exchange them for real tokens on the other side. Attackers have tried to extract 200 billion BitBTC tokens from Optimism through this vulnerability, but it is only a test.
Amount of loss: - Attack method: Fake mint
Description of the event: A bot named 0xbadc0de made a windfall when traders tried to sell 1.8 million cUSDC (USDC on the Compound protocol) ($1.85 million in nominal value), but only got $500 of the asset due to low liquidity in return. However, the MEV bot made a profit of 800 ETH (~$1 million) from the sold carry trade. An hour later, a hacker exploited a bug in 0xbadc0de's badc code to withdraw all 1,101 ETH (~$1.5 million) in the contract.
Amount of loss: $ 1,500,000 Attack method: Contract vulnerabilities
Description of the event: AVAX/USDC Joe LP NXUSD was attacked by flash loan, hackers made 371,000 USDC.
Amount of loss: 371,000 USDC Attack method: Flash loan attack
Description of the event: Celer said that cBridge's front-end interface suffered from DNS cache poisoning attacks. This attack targeted third-party DNS providers. Celer's own contract was not affected, and users who suffered losses in this incident, Celer, will be fully compensated.
Amount of loss: 128.4 ETH Attack method: BGP Hijacking
Description of the event: A hacker compromised the wallet belonging to Steven Galanis, the CEO of Cameo, an app that allows people to pay various celebrities to record short messages for them. The hacker took 9,457 ApeCoin (~$69,000), 2.3 ETH (~$3,900), a Bored Ape NFT, three Otherside land plots, and other various NFTs. The hacker then flipped the Bored Ape for 77 ETH (~$131,000), and the other NFTs for a combined 16 ETH (~$27,000).
Amount of loss: $ 231,000 Attack method: Apple ID hacked
Description of the event: On August 4, the team behind the Velodrome exchange and liquidity marketplace noticed that $350,000 had been taken from a team-operated wallet that was normally used for operational funds. They announced they were beginning an investigation into the theft, which they initially believed was due to a compromised wallet. Their team member Gabagool tweeted more details, underscoring that no user funds were lost. On August 13, Gabagool posted a long confession to his Twitter account, writing that he had stolen the $350,000, and had previously taken $56,000 over the course of two months, to try to "revenge trade" the money he had lost in the crypto crash. Explaining why he took the $350,000, he wrote, "I thought I could make the 56k back and return all of the funds, which was delusional". He also wrote that "the majority of the funds have been returned to the Velodrome team. The rest will be." Velodrome later confirmed they had recovered all of the stolen money.
Amount of loss: - Attack method: Internal evil
Description of the event: CEO Michael Stollery of Titanium Blockchain Infrastructure Services (TBIS) pled guilty to securities fraud in connection to a $21 million cryptocurrency scam. The company promoted its BAR token during 2017–2018, and did not register with the SEC for its ICO. TBIS made false claims including that they had ties to companies including Apple, Boeing, and IBM, and offered various services that did not actually exist. At least 75 people participated in the ICO, giving TBIS a combined $21 million, some of which went directly to Stollery's bank account and personal expenses like a condo in Hawaii.
Amount of loss: $ 21,000,000 Attack method: Scam
Description of the event: The online game Neopets said it encountered a hack and is currently investigating a customer data breach. The Neopets hack may affect 69 million users, and a hacker named TarTarX sold the source of the Neopets website for 4 bitcoins code and database. Neopets recently launched NFTs for its online virtual world games.
Amount of loss: - Attack method: Data leak
Description of the event: My Big Coin founder Crater has been found guilty of a cryptocurrency fraud scheme. Crater founded My Big Coin in 2013 to provide virtual payment services through the fraudulent digital currency "My Big Coins," which he marketed to investors between 2014 and 2017 by misrepresenting the nature and value of Coins . Crater and his colleagues falsely claimed that Coins was a fully functional cryptocurrency backed by $300 million in gold, oil and other valuable assets. In reality, the coins are not backed by gold or other valuable assets, have no partnership with Mastercard, and are not easily transferable. Over the course of the scheme, Crater misappropriated more than $6 million in investor funds for personal gain and merchandise spending, including spending on antiques, art and jewelry worth hundreds of thousands of dollars.
Amount of loss: $ 6,000,000 Attack method: Scam
Description of the event: On July 16, hackers compromised the Twitter account of well-known NFT artist DeeKay. The 180,000 followers of DeeKay's hacked Twitter account saw it post a link announcing a limited number of new airdrops, which directed them to a phishing site that mimicked DeeKay's real site. One victim lost 4 Cool Cat NFTs and 3 Azuki NFTs with reserve prices around 4 ETH (~$5,350) and 12 ETH (~$16,200) respectively. The total value of the stolen NFTs was approximately $150,000. DeeKay said he wasn't sure how his Twitter account was stolen, but "guessed that 2FA was shut down at a specific time."
Amount of loss: $ 150,000 Attack method: Twitter account hacked
Description of the event: According to Forbes, the official Twitter and YouTube accounts of the British Army were hacked and posted about cryptocurrencies and NFTs. The Twitter account retweeted posts promoting NFTs, and the YouTube account uploaded a video about Elon Musk and cryptocurrencies. Currently, all NFTs and encrypted content have been removed from both accounts.
Amount of loss: - Attack method: Media account hacked
Description of the event: Osmosis, the decentralized exchange (DEX) built on the Cosmos network, was shut down just before 3 a.m. ET on Wednesday after attackers exploited a liquidity provider (LP) vulnerability to steal around 5 million Dollar. About an hour after Osmosis tweeted about the attack, 4 hackers accounted for 95% of the total, according to a tweet from Osmosis, Cosmos ecosystem validator FireStake admitted on Twitter, A "momentary error of judgement" led to two members of their team who exploited the vulnerability for roughly $2 million, and they decided to voluntarily return the funds and "fix the problem."
Amount of loss: $ 3,000,000 Attack method: LP vulnerability