108 hack event(s)
Description of the event: A hacker compromised the wallet belonging to Steven Galanis, the CEO of Cameo, an app that allows people to pay various celebrities to record short messages for them. The hacker took 9,457 ApeCoin (~$69,000), 2.3 ETH (~$3,900), a Bored Ape NFT, three Otherside land plots, and other various NFTs. The hacker then flipped the Bored Ape for 77 ETH (~$131,000), and the other NFTs for a combined 16 ETH (~$27,000).
Amount of loss: $ 231,000 Attack method: Apple ID hacked
Description of the event: CEO Michael Stollery of Titanium Blockchain Infrastructure Services (TBIS) pled guilty to securities fraud in connection to a $21 million cryptocurrency scam. The company promoted its BAR token during 2017–2018, and did not register with the SEC for its ICO. TBIS made false claims including that they had ties to companies including Apple, Boeing, and IBM, and offered various services that did not actually exist. At least 75 people participated in the ICO, giving TBIS a combined $21 million, some of which went directly to Stollery's bank account and personal expenses like a condo in Hawaii.
Amount of loss: $ 21,000,000 Attack method: Scam
Description of the event: The online game Neopets said it encountered a hack and is currently investigating a customer data breach. The Neopets hack may affect 69 million users, and a hacker named TarTarX sold the source of the Neopets website for 4 bitcoins code and database. Neopets recently launched NFTs for its online virtual world games.
Amount of loss: - Attack method: Data leak
Description of the event: My Big Coin founder Crater has been found guilty of a cryptocurrency fraud scheme. Crater founded My Big Coin in 2013 to provide virtual payment services through the fraudulent digital currency "My Big Coins," which he marketed to investors between 2014 and 2017 by misrepresenting the nature and value of Coins . Crater and his colleagues falsely claimed that Coins was a fully functional cryptocurrency backed by $300 million in gold, oil and other valuable assets. In reality, the coins are not backed by gold or other valuable assets, have no partnership with Mastercard, and are not easily transferable. Over the course of the scheme, Crater misappropriated more than $6 million in investor funds for personal gain and merchandise spending, including spending on antiques, art and jewelry worth hundreds of thousands of dollars.
Amount of loss: $ 6,000,000 Attack method: Scam
Description of the event: On July 16, hackers compromised the Twitter account of well-known NFT artist DeeKay. The 180,000 followers of DeeKay's hacked Twitter account saw it post a link announcing a limited number of new airdrops, which directed them to a phishing site that mimicked DeeKay's real site. One victim lost 4 Cool Cat NFTs and 3 Azuki NFTs with reserve prices around 4 ETH (~$5,350) and 12 ETH (~$16,200) respectively. The total value of the stolen NFTs was approximately $150,000. DeeKay said he wasn't sure how his Twitter account was stolen, but "guessed that 2FA was shut down at a specific time."
Amount of loss: $ 150,000 Attack method: Twitter account hacked
Description of the event: According to Forbes, the official Twitter and YouTube accounts of the British Army were hacked and posted about cryptocurrencies and NFTs. The Twitter account retweeted posts promoting NFTs, and the YouTube account uploaded a video about Elon Musk and cryptocurrencies. Currently, all NFTs and encrypted content have been removed from both accounts.
Amount of loss: - Attack method: Media account hacked
Description of the event: Osmosis, the decentralized exchange (DEX) built on the Cosmos network, was shut down just before 3 a.m. ET on Wednesday after attackers exploited a liquidity provider (LP) vulnerability to steal around 5 million Dollar. About an hour after Osmosis tweeted about the attack, 4 hackers accounted for 95% of the total, according to a tweet from Osmosis, Cosmos ecosystem validator FireStake admitted on Twitter, A "momentary error of judgement" led to two members of their team who exploited the vulnerability for roughly $2 million, and they decided to voluntarily return the funds and "fix the problem."
Amount of loss: $ 3,000,000 Attack method: LP vulnerability
Description of the event: Cosmos ecosystem developer @TheJunonaut tweeted that a critical bug was discovered on Osmosis that could drain all liquidity pools. Anyone can add liquidity to any pool and get an additional 50% when removing it. Responding to community discussions about the attack, Osmosis tweeted that the liquidity pool was not "completely drained" and that developers were fixing bugs, determining the size of the loss (likely around $5 million), and working on recovery.
Amount of loss: $ 5,000,000 Attack method: Liquidity Pool Vulnerability
Description of the event: According to The Block, Mirror Protocol, a synthetic asset protocol developed by Terraform Labs, was attacked again, with more than $2 million in capital losses. The capital pools of Bitcoin, Ethereum and Polkadot have been exhausted, and the remaining capital pools are linked to stocks. If the vulnerability is not fixed before the market opens at 4:00 EST (16:00 GMT), all of its token asset pools will be at risk.
Amount of loss: $ 2,000,000 Attack method: Oracle Price Vulnerability
Description of the event: On May 30, after the launch of the new Terra chain, the price of the oracle machine of LUNC (Luna Classic) reached $5, while the actual price was much lower than $5. An Anchor platform user noticed the vulnerability and deposited about 20 million tokens. Lido Bonded Luna Token, and successfully lent 40 million UST, eventually withdrawing and making a profit of about $800,000.
Amount of loss: $ 800,000 Attack method: Oracle Price Vulnerability
Description of the event: Terra research forum member FatMan tweeted that the Mirror Protocol, a synthetic asset protocol developed by Terraform Labs, has a longstanding vulnerability. Since October 2021, attackers have exploited this vulnerability for multiple attacks within a period of 7 months, and the highest single profit exceeded $4 million ($4.3 million using $10,000), none of which was recovered by Terraform Labs Or the Mirror team found out. By the time the bug was fixed, the attacker's total profit from exploiting the bug could have exceeded $30 million. FatMan said the bug was discovered and questioned by Mirror forum members 11 days ago and has since been fixed, but the Mirror team has not made any statement on the matter.
Amount of loss: $ 90,000,000 Attack method: Contract vulnerabilities
Description of the event: According to Pinpoint News, Klaytn-based DeFi project Kronos DAO misappropriated users’ DAI pledged in its vaults to invest in Kairos Cash and lost 6 million DAI. The 6 million DAI staked by users turned into 6 million Kairos Cash in the Kronos Dao Vault, which Kronos Dao explained was “used as a strategic investment.” Investors, however, questioned that the explanation was insufficient and that no advance notice was given. At present, Kronos Dao has closed Kakao Talk and Telegram communication channels, leaving only Discord as a communication channel.
Amount of loss: 6,000,000 DAI Attack method: Misappropriation of funds
Description of the event: The American actor SethGreen suffered from a phishing attack resulting in the loss of 4 NFTs. This includes 1 BAYC, 2 MAYC and 1 Doodle. The scammer sold all 4 NFTs for nearly 160 ETH (about $330,000).
Amount of loss: 160 ETH Attack method: Phishing attack
Description of the event: Popular cryptocurrency websites including Etherscan, CoinGecko, and DeFi Pulse have reported incidents of malicious pop-ups prompting users to connect their MetaMask wallets. CoinGecko founder Bobby Ong said he believes the culprit is a malicious ad script from a crypto ad network called Coinzilla. The ad appears to be from a website parodying the popular Bored Apes Yacht Club NFT project, which was taken down after the scam was discovered.
Amount of loss: - Attack method: Phishing attack
Description of the event: The Justice Department released an indictment on May 5 showing that Mining Capital Coin CEO and founder Luiz Capuci Jr. was charged with orchestrating a $62 million investment fraud. Capuci allegedly misled investors about MCC’s plan, which he said would use investors’ funds to mine new cryptocurrencies with guaranteed returns. Instead, Capuci deposited funds into his own crypto wallet and used them to fund his own Lamborghini lifestyle, real estate and yachts. Capuci also allegedly ran a pyramid scheme of promoters, promising them lavish gifts including iPads and luxury cars.
Amount of loss: $ 62,000,000 Attack method: Scam
Description of the event: According to the official release, the MM.finance website was hit by a DNS attack, and the attacker managed to inject malicious contract addresses into the front-end code. The attacker exploited the DNS vulnerability to modify the router contract address in the escrow file, and digital assets worth more than $2,000,000 were stolen, bridged to the Ethereum network through multi-chain, and then laundered through Tornado Cash.
Amount of loss: $ 2,000,000 Attack method: DNS Hijacking Attack
Description of the event: The SlowMist security team found that funds from about 52 addresses were maliciously transferred to terra1fz57nt6t3nnxel6q77wsmxxdesn7rgy0h27x30 from April 12 to April 21, with a total loss of about $4.31 million. The SlowMist security team stated that this attack was a phishing attack on batches of Google keyword advertisements. When a user searches for the well-known Terra project on Google, the first advertisement link (the domain name may be the same) on the Google search result page is actually a phishing website. When a user visits this phishing website and connects to the wallet, the phishing website will remind you to directly enter the mnemonic phrase. Once the user enters and clicks submit, the assets will be stolen by the attacker.
Amount of loss: $ 4,310,000 Attack method: Scam
Description of the event: The Education Grants Council (UGC) of India was hacked, the hackers used the Twitter account to post a fake Azuki NFT airdrop link and changed the profile to the Azuki NFT co-creator, replacing the avatar with an Azuki-related image. The agency recovered the account after it was held hostage for six hours.
Amount of loss: - Attack method: Twitter account hacked
Description of the event: Agora was attacked and lost over $4 million.
Amount of loss: $ 4,000,000 Attack method: Contract vulnerabilities
Description of the event: In response to the hacking of multiple NFT project Discord accounts, the Discord robot Ticket Tool tweeted that a recent update to the add command had a vulnerability that allowed some type of privilege attack. Has rolled back to a previously uncompromised secure version and will investigate in detail how this happened. Furthermore, the robot itself was not compromised.
Amount of loss: - Attack method: add command to update vulnerabilities