1939 hack event(s)
Description of the event: According to SlowMist Intelligence, Nirvana, a stablecoin project on the Solana chain, was attacked by a flash loan. The attacker used a flash loan to borrow 10,250,000 USDC from Solend by deploying a malicious contract, and then called the Nirvana contract buy3 method to buy a large amount of ANA tokens. Nirvana contract swap method to sell part of ANA, get USDT and USDC, after repaying the flash loan, a total profit of 3,490,563.69 USDT, 21,902.48 USDC and 393,230.32 ANA tokens, then the hacker sold ANA tokens and passed all the dirty money through the cross-chain bridge transfer.
Amount of loss: $ 3,500,000 Attack method: Flash Loan Attack
Description of the event: CEO Michael Stollery of Titanium Blockchain Infrastructure Services (TBIS) pled guilty to securities fraud in connection to a $21 million cryptocurrency scam. The company promoted its BAR token during 2017–2018, and did not register with the SEC for its ICO. TBIS made false claims including that they had ties to companies including Apple, Boeing, and IBM, and offered various services that did not actually exist. At least 75 people participated in the ICO, giving TBIS a combined $21 million, some of which went directly to Stollery's bank account and personal expenses like a condo in Hawaii.
Amount of loss: $ 21,000,000 Attack method: Scam
Description of the event: DeFi project DRAC Network appeared Rug Pull, with the price of the token $TEDDY dropping 99.4%. 10,000 $BNB and 2 million $BUSD have been slowly transferred to Binance. It is said that the deployer deployed the contract and transferred a large quantity of $TEDDY to 0xdbe8ef79a1a7b57fbb73048192edf6427e8a5552, then pump and dump the price of $TEDDY.
Amount of loss: $ 4,500,000 Attack method: Rug Pull
Description of the event: Web3 music streaming service platform Audius community treasury was hacked, losing 18.5 million AUDIO Tokens. The hackers exchanged the funds for about 705 ETH on Uniswap. Audius officially stated that the problem has been found and is currently being repaired. All Audius smart contracts on Ethereum must be stopped, including tokens. The team believes that there is no further capital risk. Before the repair is completed, token balances, transfers, etc. will be temporarily unavailable. use.
Amount of loss: $ 1,100,000 Attack method: Contract Vulnerability
Description of the event: The online game Neopets said it encountered a hack and is currently investigating a customer data breach. The Neopets hack may affect 69 million users, and a hacker named TarTarX sold the source of the Neopets website for 4 bitcoins code and database. Neopets recently launched NFTs for its online virtual world games.
Amount of loss: - Attack method: Information Leakage
Description of the event: The Tableland Discord server was compromised by malicious actors, successfully impersonating moderators on the channel and leading community members to a fake Tableland domain that funneled targeted assets from member ETH wallets. The perpetrators utilized a fakemint scheme, which lured community members using a pretense of an exclusive, limited mint. Instead, target victims were taken to a malicious website that tricked some of them into granting specific wallet permissions. Once granted, the perpetrators were able to siphon away Tableland Rigs and other NFTs
Amount of loss: $ 45,819 Attack method: Discord was hacked
Description of the event: My Big Coin founder Crater has been found guilty of a cryptocurrency fraud scheme. Crater founded My Big Coin in 2013 to provide virtual payment services through the fraudulent digital currency "My Big Coins," which he marketed to investors between 2014 and 2017 by misrepresenting the nature and value of Coins . Crater and his colleagues falsely claimed that Coins was a fully functional cryptocurrency backed by $300 million in gold, oil and other valuable assets. In reality, the coins are not backed by gold or other valuable assets, have no partnership with Mastercard, and are not easily transferable. Over the course of the scheme, Crater misappropriated more than $6 million in investor funds for personal gain and merchandise spending, including spending on antiques, art and jewelry worth hundreds of thousands of dollars.
Amount of loss: $ 6,000,000 Attack method: Scam
Description of the event: Raccoon Network and Freedom Protocol are scam projects, scammers have transferred 20 million BUSD (IDO) to address 0xf800...469336.
Amount of loss: $ 20,000,000 Attack method: Scam
Description of the event: The permissions of the relevant administrators of the Discord of the Tableland project party were stolen. It is understood that after joining an external Discord server, Tableland members clicked the verification steps of a bot named "Dyno" and clicked a bookmark button with malicious javascript, and were then prompted to interact with the bookmark, triggering the malicious script to run. The attacker got hold of the admin account and posted a link on the announcement channel containing a fake website, anyone who clicked on the link and followed the wallet instructions would grant the attacker access to any NFTs held in their account.
Amount of loss: - Attack method: Discord was hacked
Description of the event: The NFT access list tool PREMINT issued an alert through its official Twitter, because some users reminded that the tool's website was hacked, and the collections of NFT collectors have been stolen. Subsequently, the blockchain security company SlowMist confirmed that the PREMINT website was attacked by hackers. Hackers carried out phishing attacks by implanting malicious JS (JavaScript) files in the website, deceiving users to sign the transaction of "set approvals for all", thereby stealing users. of NFT assets. The attack lost about 280 ETH in total, amounting to $381,818, making it one of the biggest NFT hacks of the year.
Amount of loss: 280 ETH Attack method: Malicious Code Injection Attack
Description of the event: On July 16, hackers compromised the Twitter account of well-known NFT artist DeeKay. The 180,000 followers of DeeKay's hacked Twitter account saw it post a link announcing a limited number of new airdrops, which directed them to a phishing site that mimicked DeeKay's real site. One victim lost 4 Cool Cat NFTs and 3 Azuki NFTs with reserve prices around 4 ETH (~$5,350) and 12 ETH (~$16,200) respectively. The total value of the stolen NFTs was approximately $150,000. DeeKay said he wasn't sure how his Twitter account was stolen, but "guessed that 2FA was shut down at a specific time."
Amount of loss: $ 150,000 Attack method: Account Compromise
Description of the event: An official incident report from Impermax Finance stated that a hacker was able to steal approximately 9M IMX from several wallets controlled by the team. The IMX was not sold immediately after the hackers stole the funds. So the official team decided to get a head start by dumping a lot of tokens on the market before the hackers did anything. The Impermax lending protocol is completely immune to this, as the attack is caused by stolen private keys, not a bug in the smart contract.
Amount of loss: 9,000,000 IMX Attack method: Private Key Leakage
Description of the event: SpaceGodzilla was attacked by price manipulation and lost approximately 25,000 USDT.
Amount of loss: $ 25000 Attack method: Price Manipulation
Description of the event: The pledge platform Freeway tweeted, “The price of its token FWT fluctuated violently on July 13 and is currently under investigation. Freeway’s blockchain bridging service provider Coffe was attacked, and a large number of FWT tokens were bridged from Coffe. The Freeway platform was not compromised in any way, nor was Supercharger. However, Freeway has temporarily disabled FWT withdrawals, deposits, and purchases on the platform,” crypto influencer FatManTerra claimed on Twitter. Projects are running a "Ponzi scheme" because large withdrawals are "delayed" even before they stop. He refers to stopping withdrawals as income of more than $100 million. FatManTerra states that the project has removed its team biographies. In an October 22 Twitter post, FatManTerra said Freeway's chief executive had made false statements about his background, which were removed from the site after FatManTerra confronted him.
Amount of loss: - Attack method: Rug Pull
Description of the event: SpaceGodzilla, a project on the BSC chain, was attacked by hackers with a flash loan. Hackers used flash loans to borrow large amounts of money, manipulated the price of SpaceGodzilla in the trading pool on PancakeSwap, and exploited vulnerabilities in the project for arbitrage. At present, the hacker has exchanged the 25,378.78 BUSD profited from this attack to BNB and transferred it through Tornado.Cash.
Amount of loss: 25,378.78 BUSD Attack method: Flash Loan Attack
Description of the event: Multi-chain NFT protocol Citizen Finance claims to have been attacked by an outside party that gained access to the private keys of BNB and the Polygon chain. The attackers used their access to transfer 244 BNB (~$55,000), 57,637 MATIC (~$32,300), and 7,000 USDC, for a total of about $94,300.
Amount of loss: $ 94,300 Attack method: Private Key Leakage
Description of the event: More than 70,000 addresses connected to Uniswap were airdropped tokens that tricked users into approving transactions that would allow attackers to control their wallets. The airdrop links users to a phishing site that resembles the real Uniswap site. Users are tricked into signing contracts, and cryptocurrencies and NFTs are stolen from wallets. One of the wallets lost more than $6.5 million worth of ether and bitcoin, and the other lost about $1.68 million worth of cryptocurrency.
Amount of loss: $ 12,900,000 Attack method: Phishing attack
Description of the event: Decentralized NFT financialization protocol Omni X has been attacked and stolen funds have been transferred to Tornado.cash. The main reason for this attack is that the burn function will call the callback function externally to cause the reentrancy problem, and the liquidation function uses the old vars value for judgment, resulting in the user's status identification even after reentrancy and then borrowing. Being set as unborrowed results in no repayments.
Amount of loss: 1,300 ETH Attack method: Reentrancy Attack
Description of the event: BIFROST officially released a report saying that the BTC address registration server of the BiFi service was attacked. According to the analysis, the attack was limited to the BTC address registration server, and neither the smart contract nor the BiFi protocol detected the vulnerability. BiFi issues and uses an address for each user who deposits BTC. The deposit addresses are signed and delivered to the address issuing server and the addresses are reflected on BiFi only in the case when the signature is verified. In the attack, the server key of the address issuing server was exposed and the attacker was able to self-sign their own deposit address. Since the attacker could generate a valid signature on the deposit address, BiFi mistakenly recognized the attacker’s BTC transfer as a BTC deposit into BiFi. As a result, the attacker was able to borrow 1,852 ETH with fake deposit.
Amount of loss: 1,852 ETH Attack method: Private Key Leakage
Description of the event: A fake Shade Inu Token project deployer removed approximately $101,000 (424 BNB) of liquidity from the liquidity pool. After investigation, this Shade Inu Token was identified as a scam, the project launched a fake Shade Inu Token, created a WBNB/SadeIT pool with the initial 200 BNB and provided liquidity to it, so the deployer made a total profit of about $53,000 ( 224 BNB).
Amount of loss: 224 BNB Attack method: Scam