67 hack event(s)
Description of the event: The Bitcoin.org website displayed a "giving back to the community" promotion, and the site is suspected to have been hacked. The homepage showed a Bitcoin address and stated that the first 10,000 users to pay to this address would receive double the amount in return. Cobra, the co-owner of the Bitcoin.org website, tweeted that Bitcoin.org had been hacked and that he was investigating how the hackers set up the scam on the website. Operations are expected to be suspended for a few days.
Amount of loss: - Attack method: Phishing attack
Description of the event: According to official sources, the lending protocol Vee.Finance released an explanation of the attack. The content is as follows: On September 20, the Vee.Finance team noticed multiple abnormal transfers. After further monitoring, a total of 8804.7 ETH and 213.93 BTC were found to have been stolen (worth more than 35 million U.S. dollars in total). The attacked Vee.Finance transaction contract address is: 0xd1F855ceF146D36CC5851E2139c54524420797f2. The attacker's address is: 0xeeeE458C3a5eaAfcFd68681D405FB55Ef80595BA. After investigation, the suspected attacker launched the attack through the above address and has obtained the stolen assets from this address. To protect more users' assets, the team has suspended the platform contract and the deposit and withdrawal functions. The stablecoin part is not affected by this attack.
Amount of loss: $ 35,000,000 Attack method: Utilizes cToken forgery issues and precision processing issues
Description of the event: The DONA token auction of the Jay Pegs Auto Mart project on MISO, the SushiSwap Launchpad platform, was attacked. The attacker inserted malicious code into the MISO front end and changed the auction wallet address to his own wallet address. The loss reached 865 ETH (approximately 3.07 million US dollars). Joseph Delong, CTO of SushiSwap, said on Twitter that the vulnerability has been fixed and that FTX and Binance have been asked to provide the attacker's KYC information, but both exchanges refused to cooperate. Joseph Delong also stated that he has reported the case to the FBI through his lawyer, and reminded other project teams to check whether they have similar front-end vulnerabilities. According to the Ethereum block explorer Etherscan, the attacker returned all the ETH to SushiSwap. The operation was divided into two transactions, the first returning 100 ETH, the second returning 700 ETH, and the third returning 65 ETH.
Amount of loss: - Attack method: Insert malicious code at the front end
Description of the event: Arbitrum One, an Ethereum scaling network, released a report on a network outage. Beginning at 10:14 on September 14th, EST, Arbitrum One was out of service for 45 minutes, during which time the Arbitrum Sequencer was offline; funds were never at risk. The root cause of the downtime was a bug that caused the Sequencer to get stuck when receiving a large number of transactions in a short period of time. The Arbitrum team has located the problem and deployed a fix. The team also stated that even if the Sequencer fails, the network continues to operate: users can bypass the Sequencer and submit transactions directly to Ethereum.
Amount of loss: - Attack method: Unknown
Description of the event: Klondike Finance was attacked by hackers, with a total loss of approximately 35,281.71 KXUSD (6.5629 WETH).
Amount of loss: 35,281.71 KXUSD Attack method: Flash loan attack
Description of the event: According to the Zabu Finance team on the Avalanche chain, the attackers withdrew 4.5 billion ZABU tokens from the Zabu Farm Contract, bringing the supply to 5 billion, and dumped them all into ZABU's Pangolin LPs and Trader Joe LPs, stealing about 600,000 U.S. dollars. Single-asset staking is safe; ZABU-related pools are affected. The team will take a pre-attack snapshot and distribute it in Zabu V2, restart the V2 Farm and attach the Zabu V1 Staking Pool. In addition, Zabu Finance stated that it will transfer all income from AutoFarm and IDO Launchpad back to Zabu holders. As reported earlier, the Zabu Finance project on the Avalanche chain suffered a flash loan attack.
Amount of loss: 4,525,726,903 ZABU Attack method: Mortgage model is not compatible with tokens
Description of the event: A user claimed on Twitter that he had fallen for an NFT auction scam and had 336,000 US dollars' worth of Ethereum taken through an art website. The story then took an unexpected turn, because the other party returned the 100 ETH in full. The victim reported that he learned about the NFT auction on Monday from a group on Discord, then believed he had been lucky enough to win the bid for the first NFT on the website and paid 100 ETH (about 336,000 US dollars) for it. However, according to a BBC report on Tuesday, a hacker had exploited a security hole in the artist Banksy's website and set up a web page (banksy.co.uk/NFT) to sell so-called non-fungible tokens (NFT). In the end, although the hacker returned the money, the user still lost $5,000 in transaction fees.
Amount of loss: $ 5,000 Attack method: Scam
Description of the event: TOMB, the token of Tomb Finance, an algorithmic stablecoin project in the Fantom ecosystem that is pegged to FTM, dropped by as much as 77% yesterday, and the community suspected that it had been attacked. In response, Tomb Finance stated that Gatekeeper, the mechanism it used to collect service fees on TOMB sales, was used by a third party, which led to panic selling, but that the project was not attacked and no funds were stolen. Tomb Finance explained that the team has disabled the Gatekeeper mechanism and is currently discussing future development plans. The developers have not given up on the project.
Amount of loss: - Attack method: Service fee collection mechanism
Description of the event: Dot.Finance, a DeFi yield aggregator in the Polkadot ecosystem, suffered a flash loan attack. Dot.Finance's token PINK plummeted 35% in a short time, from 0.77 USD to approximately 0.5 USD. The attacker made a profit of 900.89 BNB (approximately $429,724 in total).
Amount of loss: $429,724 Attack method: Flash loan attack
Description of the event: In May of this year, the SEC filed a lawsuit against five people suspected of promoting BitConnect. The SEC considers BitConnect an unregistered digital asset securities offering, and the program raised more than $2 billion from retail investors through its promoter network. BitConnect is a cryptocurrency investment plan with the characteristics of a Ponzi scheme, launched in 2017. Its token BCC was one of the 20 most valuable cryptocurrencies at the time, with a market value of more than 2.6 billion U.S. dollars. This month, the US Securities and Exchange Commission (SEC) obtained a ruling in the BitConnect Ponzi scheme case. The defendants Joshua Jeppesen and Laura Mascola must pay a total of 3.5 million U.S. dollars and 190 Bitcoins, and the specific amount for Michael Noble will be confirmed later.
Amount of loss: $ 2,000,000,000 Attack method: Ponzi
Description of the event: Sentinel, a dVPN project in the Cosmos ecosystem, stated on Twitter that $40 million worth of DVPN tokens were stolen due to the leak of a mnemonic phrase on the HitBTC exchange. Sentinel stated that users' own DVPN was safe and that the problem was on HitBTC's side. They reported the hacking incident to Sentinel one hour after the incident. Sentinel therefore hopes that HitBTC will take action to return DVPN to users.
Amount of loss: $ 40,000,000 Attack method: Mnemonic leaked
Description of the event: The founder of one of Russia's largest cryptocurrency scams has been jailed for allegedly defrauding investors of US$100 million. Finiko was established in Kazan in 2019 and posed as a legitimate BTC investment company. In December 2020, Finiko released its native digital currency FNK. According to local reports, the founders would take BTC from investors and reward them with FNK tokens.
Amount of loss: $ 100,000,000 Attack method: Scam
Description of the event: Solend, a lending protocol in the Solana ecosystem, tweeted that the protocol was hacked at 20:40 on August 19th, Beijing time. The attacker exploited the insecure identity check in the UpdateReserveConfig function, which allowed the attacker to liquidate all accounts. The hacker also set the APY of borrowed funds to 250%. During this period, the funds of 5 users were mistakenly liquidated, and the liquidator is currently refunding the losses of these 5 users, totaling USD 16,000. Solend said that this attack did not result in the theft of funds, that the bug bounty will be increased, and that a better monitoring and alerting system will be established.
Amount of loss: $ 16,000 Attack method: The insecure identity check in the UpdateReserveConfig function is cracked
Description of the event: According to Reuters, a judge of the London High Court granted a request from the artificial intelligence company Fetch.ai, ordering Binance to track down the hackers who stole $2.6 million in assets from Fetch.ai's Binance account and to freeze the stolen assets. A Binance spokesperson stated that, to protect the safety of users' property, Binance periodically freezes accounts that are deemed to show suspicious activity. Binance is currently helping Fetch.ai recover the assets.
Amount of loss: $ 2,600,000 Attack method: Unknown
Description of the event: BachOnChain, a core member of Duet Protocol, a multi-chain synthetic asset protocol, tweeted that the Duet Protocol pioneer network Zerogoki experienced an oracle attack a few hours ago, and the wrong price led to unrecognized transactions. BachOnChain said that the oracle has been suspended, that zUSD has experienced some fluctuation, and that the price is expected to recover through market trading and arbitrage after a period of time.
Amount of loss: $ 670,000 Attack method: Oracle attack
Description of the event: Some Twitter users reported receiving an airdrop of a token from a project named VERA (The Vera), but the tokens in their wallets were stolen after they granted authorization on the official website. After inquiry, the project was found to be a suspected airdrop trap. The method was to airdrop 80,000 tokens (worth approximately US$9,600) from a single address to attract users' attention, and to set up a mechanism that made users' transactions on PancakeSwap fail, which in turn led users to the official website, where they were tricked into granting the authorization used to carry out the theft.
Amount of loss: - Attack method: Scam
Description of the event: A scammer named "cryptopunksbot" posted on the CryptoPunks Discord server, offering NFT investors the chance to win ten elusive NFT avatars. Stazie, the co-founder of the NFT game project Hedgie, accepted the fake offer, and this eventually cost him 16 CryptoPunks, which may be worth at least $1 million. Stazie inadvertently sent his wallet seed phrase to the scammer, which also resulted in the loss of some ETH. The scammer sold 5 CryptoPunks for 149 ETH ($385,000).
Amount of loss: $ 1,000,000 Attack method: Phishing attack
Description of the event: Mobile phone operator T-Mobile was sued for failing to prevent a SIM swap scam that cost a customer $55,000 in Bitcoin. The plaintiff, Richard Harris, accused T-Mobile of improper conduct, including failing to adequately protect customer information, failing to hire appropriate support personnel, and violating federal and state laws, which caused him to lose 1.63 bitcoins.
Amount of loss: $ 55,000 Attack method: SIM swap scam
Description of the event: The digital collectibles marketplace Bondly Finance released an analysis report on the earlier attack. Bondly Finance believes that the attacker gained access to a password account belonging to Bondly CEO Brandon Smith through a carefully planned strategy. The password account contained the mnemonic recovery phrase for his hardware wallet. Once copied, the phrase allowed the attacker to access the BONDLY smart contract and a company wallet that was also compromised, resulting in the minting of 373 million BONDLY tokens.
Amount of loss: 373,000,000 BONDLY Attack method: Control access to password accounts
Description of the event: According to official news, OptionRoom, an oracle and prediction protocol in the Polkadot ecosystem, stated that it was affected by the attack on the cross-chain asset bridge ChainSwap, which hit many projects including OptionRoom. The hackers were able to obtain 2.3 million ROOM tokens on Ethereum and 10 million ROOM tokens on BSC. OptionRoom noticed the hack before the hackers sold any tokens and decided to remove liquidity from Uniswap and Pancakeswap to protect token holders and liquidity providers from the hackers selling into the liquidity pools. By selling the deployer's tokens to the Uniswap pool, OptionRoom was able to recover $342,117. In this way, OptionRoom successfully extracted liquidity on behalf of the project's liquidity providers. The recovered amount will be allocated according to each liquidity provider's share.
Amount of loss: $ 647,467 Attack method: Contract vulnerability