1980 hack event(s)
Description of the event: Hedera tweeted to disclose the details of the attack. The attacker attacked the smart contract service code of the Hedera main network and transferred the Hedera Token Service tokens held by some user accounts to their own accounts. The attackers targeted accounts used as liquidity pools on multiple DEXs migrated to use the Hedera Token Service using Uniswap V2-derived contract generations, including Pangolin Hedera, SaucerSwap, and HeliSwap. When attackers moved tokens obtained through the attack to a Hashport Network bridge, bridge operators detected the activity and acted quickly to disable it. To prevent attackers from stealing more tokens, Hedera shut down the mainnet proxy, which removes user access to the mainnet.
Amount of loss: $ 570,000 Attack method: Contract Vulnerability
Description of the event: Tender.fi is suspected of being attacked by white hat hackers and lost $1.59 million. Hackers used Tender.fi’s misconfigured oracles to borrow $1.59 million worth of crypto assets with just $70 worth of GMX tokens as collateral. On March 8, on-chain data showed that the hackers who attacked the Arbitrum ecological lending protocol Tender.fi had returned their funds, and the Tender.fi team agreed to pay the hackers 62 ETH ($96,500) as a bounty.
Amount of loss: $ 1,590,000 Attack method: Oracle Attack
Description of the event: When PeopleDAO’s community treasury multi-signature wallet on the digital asset management platform Safe (formerly Gnosis Safe) distributed monthly contributor rewards on March 6, 76 ETH (approximately $120,000) were stolen by hackers through social engineering attacks. This event has nothing to do with the PEOPLE token contract. PeopleDAO collects monthly contributor reward information through Google Form. The person in charge of accounting mistakenly shared a link with editing permissions in the Discord public channel. Payments to your own address and set them to be invisible. Due to the malicious concealment, the team leader did not find it during the review. After downloading the csv file with insertef data, it was submitted to Safe's CSV Airdrop tool for reward distribution. With the assistance of SlowMist and ZachXBT, the team found that the attacked funds had been deposited in two exchanges, HitBTC and Binance, and contacted the two exchanges.
Amount of loss: 76 ETH Attack method: Permission Stolen
Description of the event: Arbitrum ecological DEX ArbiSwap is suspected of Rug Pull. ArbiSwap deployers minted 1 trillion ARBI before Rug Pull, and then converted ARBI into USDC, which caused a sharp drop in ARBI in the USDC/ARBI transaction pair. In the next block, the robot passed USDC to ARBI then traded ETH for spatial arbitrage, making a profit of 68.47 ETH. ArbiSwap has transferred 84 ETH to the Ethereum mainnet and sent it to TornadoCash.
Amount of loss: 84 ETH Attack method: Rug Pull
Description of the event: According to the official WeChat account of Ping An Xuhui, employees Zhang, Dong, and Liu from Company A decided in early March 2023 to insert a backdoor program into a certain cryptocurrency wallet software to obtain users' private keys. The three individuals illegally obtained over 27,000 mnemonic phrases and more than 10,000 private keys, successfully converting over 19,000 digital wallet addresses. In April 2024, the Xuhui District People's Court sentenced Liu, Zhang, and Dong to three years in prison for the crime of illegally obtaining data from a computer information system and fined each of them 30,000 RMB. It is worth noting that Company A is suspected to be the former Huobi company. In an exclusive report by WuShuo in 2023, it was revealed that due to the installation of trojans by former employees, some users' mnemonic phrases or private keys of iToken (formerly Huobi Wallet) were leaked. HTX responded that the trojan installation was the personal act of former Huobi employees before the acquisition, leading to the theft of others' mnemonic phrases and private keys.
Amount of loss: - Attack method: Insider Manipulation
Description of the event: Algorand ecological wallet MyAlgo issued a reminder on Twitter that the hack occurred more than a week ago, and no other actions have taken place since then. The attacked users all had large amounts of funds on their accounts and used mnemonic wallets with keys stored in the browser. ZachXBT, an on-chain data analyst, tweeted: “Due to the attack on MyAlgo, Algorand’s ecological wallet, from February 19th to 21st, more than $9.2 million in assets (19.5 million ALGOs, 3.5 million USDCs, etc.) may have been stolen on Algorand. ChangeNow shared that they were able to freeze $1.5 million.”
Amount of loss: $ 9,200,000 Attack method: Mnemonic Vulnerability
Description of the event: 80% of the funds in the liquidity pool of the DeFi project LaunchZone were suddenly drained, the price of LZ tokens fell by more than 80% from the previous value of around US$0.15 to US$0.026, and the stolen funds were about US$700,000.
Amount of loss: $ 700,000 Attack method: Contract Vulnerability
Description of the event: The DeFi project DND Token (DungeonSwap Token) on BSC has been utilized. The initial funds came from TornadoCash, and the attackers stole over 2,400 BNB (approximately $728,000) from Dungeonswap.
Amount of loss: $ 728,000 Attack method: Contract Vulnerability
Description of the event: @HideYoApes previously owned several expensive NFTs from Yuga Labs, including a Bored Ape, Mutant Ape, three Bored Ape Kennel Club NFTs, a SewerPass, and two Otherdeeds. The attacker sold all the NFTs for a profit of 127.3 wETH (~$208,000). HideYoApes explained on Twitter that he had downloaded and installed the MetaMask wallet extension from MetaMask’s official website.
Amount of loss: $ 208,000 Attack method: Phishing Attack
Description of the event: According to the official blog, The Sandbox issued a security incident notice on February 26 that an unauthorized third party gained access to the computer of an employee of the team and used its permissions to send a false email claiming to be from The Sandbox . Titled "The Sandbox Game (PURELAND) Access," the email contained hyperlinks to malware that could remotely install malware on a user's computer, granting it control of the computer and access to the user's personal information right. The Sandbox said that after the unauthorized access was discovered, the recipient was notified and the employee's account and access to The Sandbox were disabled, and no further impact has been identified.
Amount of loss: - Attack method: Phishing Attack
Description of the event: As Coindesk reported, the Solana network experienced a fork event that limited users’ ability to execute transactions. According to Solana Explorer, the network was processing about 93 transactions per second at around 2AM ET today, well below the previous network rate of nearly 5000 TPS about 15 minutes ago. Such low throughput has prohibited users from performing activities such as on-chain transactions and transfers on Solana.
Amount of loss: - Attack method: Fork
Description of the event: On February 24, 2023, Earning.farm’s USDC vault was exploited and lost about 5.15 million USDC.
Amount of loss: $ 5,150,000 Attack method: Flash Loan Attack
Description of the event: The AMM liquidity management protocol Revert Finance disclosed on Twitter that its v3utils contract was attacked, and 90% of the funds were stolen from a single account. The stolen assets included: 22983.235188 USDC, 4106.316699 USDT, 485.5786287699002 OP, 0.18217977664322793 WETH, 36.59093198260223 DAI, 211.21463945524238 WMATIC and 22 Premia. At current prices, that's about $29,000.
Amount of loss: $ 29,000 Attack method: Contract Vulnerability
Description of the event: The Baby Doll (BABYDOLL) project was hit by a flash loan attack, losing 25 BNB (~$7,900). BSC contract address is 0x449cfecbc8e8469eeda869fca6cccd326ece0c04a1cdd96b23d21f3b599adee2
Amount of loss: $ 7,900 Attack method: Flash Loan Attack
Description of the event: Hackers exploited a vulnerability in the Dexible smart contract code to withdraw funds from crypto wallets using funds approved for spending. The team added that "a small number of whales" lost 85% of the funds stolen in the attack. Data on the chain shows that Block Tower Capital, a digital asset investment company, was one of the victims. The address labeled Block Tower Capital had $1.5 million worth of TRU tokens stolen in this incident. The attackers transferred TRU tokens to SushiSwap for ether (ETH) and then to TornadoCash.
Amount of loss: $ 1,500,000 Attack method: Affected by Dexible events
Description of the event: The stablecoin trading project Platypus encountered a flash loan attack on AAVE, resulting in a total asset loss of approximately $9 million. According to the analysis, the vulnerability seems to lie in the verification of the MasterPlatypusV4 contract by the emergencyWithdraw function, which will only fail when the borrowed assets exceed the borrowing limit. The function then proceeds to transfer all of the user's deposit assets regardless of the value of the user's borrowed assets. On Feb. 18, The Block reported that at least $2.4 million has been recovered with the help of security firms after the Platypus hack.
Amount of loss: $ 9,000,000 Attack method: Flash Loan Attack
Description of the event: The DEX tool Dexible was suspected of being attacked and lost about $2 million. According to the analysis, there is a logical loophole in the selfSwap function of the Dexible contract, which will call the fill function. This function has a call to the attacker's custom data, and the attacker constructs a transferfrom function in this data, and transfers other users (0x58f5f0684c381fcfc203d77b2bba468ebb29b098) address and its own attack address (0x684083f312ac50f538cc4b634d85a2feafaab77a), causing the tokens authorized by the user to the contract to be transferred by the attacker.
Amount of loss: $ 2,000,000 Attack method: Contract Vulnerability
Description of the event: Multichain's AnyswapV4Router contract suffered a rush attack, and the attacker made a profit of about 87 Ethereum, about $130,000. After analysis, the attacker used the MEV contract (0xd050) to pre-emptively call the anySwapOutUnderlyingWithPermit function of the AnyswapV4Router contract before the normal transaction was executed (the user authorized WETH but has not yet performed the transfer), although the function uses the permit signature of the token verification, but the stolen WETH this time does not have a relevant signature verification function, and only triggers a deposit function in a fallback. In subsequent function calls, the attacker can directly use the safeTransferFrom function to transfer the WETH authorized by the _underlying address to the attacked contract to the attack contract without signature verification.
Amount of loss: $ 130,000 Attack method: Rush Attack
Description of the event: The email account of domain name registrar Namecheap has been hacked and hackers are using the account to send phishing emails. According to a report by BleepingComputer, the phishing campaign originated from SendGrid, an email platform used by Namecheap to send marketing emails and renewal notifications. The phishing emails pretended to be from logistics provider DHL and cryptocurrency wallet MetaMask. The email posing as MetaMask stated that the recipient's account had been suspended and would need to complete a KYC verification process before it could be reactivated. The email also contained a Namecheap marketing link that redirected users to a fake MetaMask page that asked users to enter their seed phrase or private key, seeking to steal the recipient's personal information and cryptocurrency wallet assets. The official MetaMask response stated that MetaMask will not collect KYC information, nor will it send emails to users about their accounts.
Amount of loss: - Attack method: Phishing Attack
Description of the event: Cybersecurity startup Unciphered has carried out an attack on encrypted hardware wallets made by OneKey. In a video on YouTube, Unciphered demonstrates a so-called "man-in-the-middle" wallet attack method that exploits a vulnerability to extract a mnemonic seed phrase, or private key, from a OneKey Mini hardware wallet. OneKey acknowledged the vulnerability in a statement and said that no one was affected as it had updated the security patch. OneKey said it has paid a bounty to Unciphered.
Amount of loss: - Attack method: "Man-in-the-middle" attack