Categories: Crypto News, Cryptocurrency Law, Illegal, NFTs, Regulation, Scams

US Senator Proposes Laws to Make Rug Pulls a Crime

Under new legislation filed in the US state of New York, lawmakers intend to establish fraudulent rug pulls as a crime, along with other crypto-specific forms of fraud.

Companion Bill Filed in Lower Chamber

According to public records, Senate Bill S8839 “establishes the offences of virtual token fraud, illegal rug pulls, private key fraud and fraudulent failure to disclose an interest in virtual tokens”. A companion bill, Assembly Bill A8820, was also filed in the New York State Legislature’s lower chamber. The bills were introduced by State Senator Kevin Thomas and Assembly member Clyde Vanel, respectively.

The legislation places particular focus on rug pulls – a term referring to the sudden exit of a developer or founding team and the resulting defrauding of investors – given how prevalent the practice is in the crypto space. The proposed New York legislation would limit the ability of founding teams to sell significant percentages of their token holdings within a period of five years.

The specific text of the proposed legislation reads:

Illegal rug pulls:

1. A developer, whether natural or otherwise, is guilty of illegal rug pulls when such developer develops a class of virtual token and sells more than ten percent of such tokens within five years from the date of the last sale of such tokens.

2. This section shall not apply to non-fungible tokens (NFTs) where a developer has created less than 100 NFTs that are regarded as part of the same series or class of NFTs or where such NFTs regarded as part of the same series or class are valued at less than $20,000 at the time the rug pull occurs.

Proposed New York rug pull legislation

If the legislation is approved and signed, it will take effect 30 days after passage.

Need for Legislation Parallels the Rise of Rug Pulls

Legislation such as this is becoming all the more necessary given the rising incidence of rug pulls and crypto scams. Last year Crypto News Australia reported on a Solana NFT project that was accused of a rug pull of the coin Eternal Beings. And in December, Bent Finance confirmed that its pool had been exploited for US$1.6 million in a rug pull incident.

Categories: Crypto News, Hackers, Illegal, Scams

Hacker Exploits DeFi Protocol ‘Zeed’ for $1 Million But Fails to Take the Funds

After the decentralised finance (DeFi) protocol ‘Zeed’ was exploited for US$1 million this week, the hacker destroyed the attack contract but left all of the tokens inside it, rendering them immobile.

Zeed is a lesser-known DeFi protocol, an “autonomous decentralised integrated ecosystem” that runs on BNB Chain. The attacker minted extra reward tokens and sold them on the market, crashing the token’s price to zero.

After the attack, the hacker destroyed the contract used in the exploit, meaning that any tokens held by the contract could no longer be moved, according to PeckShield, who put it in a nutshell: “The hacker kills the contract, but forgets to transfer the profit.”

Another blockchain security firm, BlockSec, added: “Interestingly, the attacker does not transfer the obtained tokens out before self-destructing the attack contract. Probably, he/she was too excited.”

Yet Another DeFi Hack

Hacks are becoming an increasingly common occurrence in the DeFi space. Last year, DeFi project Cream Finance lost US$19 million in a flash loan attack – its second breach in six months. Earlier this week, Crypto News Australia reported that the Beanstalk stablecoin lost about US$182 million in yet another flash loan exploit.

Categories: DeFi, Illegal, Privacy, Scams, Tornado Cash

ETH Privacy Tool Tornado Cash Starts Blocking Sanctioned Addresses

Tornado Cash is apparently using Chainalysis oracles to block access from US Office of Foreign Assets Control (OFAC) addresses. The blockade only applies to the Tornado front-end, not the underlying smart contract.

As a fully decentralised protocol for private transactions of Ethereum, Tornado Cash last year announced it would be integrating with Arbitrum, the layer-2 solution that leverages optimistic rollups for Ethereum dApps.

Maintaining financial privacy is essential to preserving our freedom, [though] it should not come at the cost of non-compliance.

Tornado Cash

Tornado Cash works by “breaking the on-chain link between source and destination addresses”. Deposits go into a smart contract, where they are mixed around with others, and can then be withdrawn by a new address, making it more private.

The Chainalysis oracle is a smart contract that works on Ethereum and several other networks, including Avalanche, BNB Smart Chain, and sidechain and layer-two networks such as Polygon and Optimism. Simply put, the oracle is a piece of code that checks whether a given crypto address is subject to sanctions from the US or other governments; if it is, the Tornado Cash front-end blocks that wallet.

Tornado Cash Facilitates Hackers

Earlier this month, Inverse Finance, a decentralised lending protocol built on Ethereum, lost over US$15 million in a DeFi hack. Hackers were able to take out massive loans and then launder the proceeds through Tornado Cash.

Categories: Hackers, Illegal, NFTs, Rarible, Scams

2 Million Users’ NFTs at Risk After Security Firm Identifies Flaw in Rarible

Cyber security software firm Check Point Research (CPR) has identified a vulnerability in NFT marketplace Rarible that could have seen any of its 2 million monthly users lose their NFTs in a single transaction.

Attackers Could Have Gained Full Access

CPR has previously identified exploits, among them the infamous hack of OpenSea in October 2021. According to CPR:

CPR identified a security flaw in Rarible, the NFT marketplace with over two million active users. If exploited, the vulnerability would have enabled a threat actor to steal a user’s NFTs and crypto tokens in a single transaction. CPR immediately disclosed findings to Rarible, who acknowledged the security flaw. CPR’s revelations mark the second time that their researchers discovered security flaws in an NFT marketplace. In October 2021, CPR found security issues in OpenSea, the world’s largest NFT marketplace.

Check Point Research

According to CPR, the exploit would have taken place within Rarible’s marketplace itself, where users are less suspicious and more familiar with submitting transactions. It would have begun with the victim receiving a link to a malicious NFT and clicking on it.

Attack Methodology

CPR has provided outlines of the attack methodology:

  • Victims receive a link to the malicious NFT or browse the marketplace and click on it.
  • The malicious NFT executes JavaScript code and attempts to send a setApprovalForAll request to the victim.
  • The victim submits the request and grants full access to the NFTs/crypto tokens to the attacker.
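The defensive counterpart of the three steps above, as an added example that is not code from the article or from Check Point Research: a wallet- or dApp-side check that decodes a pending transaction’s calldata before it is shown for signing and flags a setApprovalForAll(address,bool) call that would hand an untrusted operator control over every token in a collection, which is exactly the request the malicious NFT tries to get the victim to submit. The function selectors are the standard ERC-721/ERC-1155/ERC-20 ones; the operator allowlist, the sample addresses and the sample transactions are constructed for the example.

```javascript
// Added example, not from the article or Check Point Research: a pre-signing
// check for the request the malicious NFT tries to get the victim to submit.
// Selectors are the standard ones; the allowlist and sample data are constructed.

const SELECTORS = {
  "0xa22cb465": "setApprovalForAll(address,bool)", // ERC-721 and ERC-1155
  "0x095ea7b3": "approve(address,uint256)",        // ERC-20 amount / ERC-721 tokenId
};

// Hypothetical allowlist of operator contracts this wallet user has chosen to trust.
const TRUSTED_OPERATORS = new Set([
  "0x1111111111111111111111111111111111111111", // constructed "known marketplace" address
]);

// Encode one 32-byte ABI word from an address string or a bigint.
function abiWord(value) {
  const hex = typeof value === "bigint" ? value.toString(16) : value.toLowerCase().replace(/^0x/, "");
  return hex.padStart(64, "0");
}

// Build calldata for setApprovalForAll(operator, approved); used here to construct samples.
function encodeSetApprovalForAll(operator, approved) {
  return "0xa22cb465" + abiWord(operator) + abiWord(approved ? 1n : 0n);
}

// Return the i-th 32-byte word after the 4-byte selector ("0x" + 8 hex chars).
function word(data, i) {
  const start = 10 + i * 64;
  const w = data.slice(start, start + 64);
  if (w.length !== 64) throw new Error("calldata too short for argument " + i);
  return w;
}

// Decode the approval calls a wallet should care about; null for anything else.
function decodeApproval(data) {
  const name = SELECTORS[data.slice(0, 10).toLowerCase()];
  if (!name) return null;
  const operator = "0x" + word(data, 0).slice(24).toLowerCase(); // address is right-aligned in its word
  if (name.startsWith("setApprovalForAll")) {
    return { kind: "setApprovalForAll", operator, approved: BigInt("0x" + word(data, 1)) === 1n };
  }
  return { kind: "approve", operator, amountOrTokenId: BigInt("0x" + word(data, 1)) };
}

// Risk verdict for a pending transaction { to, data } before it is shown for signing.
function assessTransaction(tx) {
  const call = decodeApproval(tx.data || "0x");
  if (!call) return { level: "info", reason: "not an approval call" };
  if (call.kind === "setApprovalForAll") {
    if (!call.approved) return { level: "info", reason: `revokes operator ${call.operator}` };
    if (!TRUSTED_OPERATORS.has(call.operator)) {
      return { level: "block", reason: `grants every token in ${tx.to} to untrusted operator ${call.operator}` };
    }
    return { level: "warn", reason: `grants every token in ${tx.to} to trusted operator ${call.operator}` };
  }
  return { level: "warn", reason: `approves ${call.amountOrTokenId} of ${tx.to} for ${call.operator}` };
}

// Constructed sample: the victim's NFT contract and an attacker-controlled operator.
const NFT_CONTRACT = "0x2222222222222222222222222222222222222222";
const UNKNOWN_OPERATOR = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef";

const samples = [
  { to: NFT_CONTRACT, data: encodeSetApprovalForAll(UNKNOWN_OPERATOR, true) },  // the phishing request
  { to: NFT_CONTRACT, data: encodeSetApprovalForAll("0x1111111111111111111111111111111111111111", true) },
  { to: NFT_CONTRACT, data: encodeSetApprovalForAll(UNKNOWN_OPERATOR, false) }, // a revocation
  { to: NFT_CONTRACT, data: "0x" },                                              // plain ETH transfer
];
for (const tx of samples) console.log(assessTransaction(tx));
```

The check deliberately treats any blanket approval to an operator outside the allowlist as a hard stop rather than a warning, because a single signed setApprovalForAll is enough for the attacker to move every token in that collection later; a per-token approve is downgraded to a warning since its blast radius is one token or one allowance.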

CPR immediately disclosed the findings to Rarible, which has since acknowledged the security flaw and taken action against the attack.

NFT Thefts Rampant

Earlier this year, Crypto News Australia reported a flaw in multibillion-dollar GameFi company Illuvium that led the company to drain its own liquidity pools. Had it not done so, the flaw could have cost billions of dollars.

Categories: DeFi, Hackers, Illegal, Scams, Stablecoins

Beanstalk Stablecoin Loses $182 Million in Flash Loan Exploit

An attacker has drained US$182 million from Beanstalk stablecoin protocol in a flash loan attack, the second nine-figure DeFi exploit in just a month. Beanstalk joins a growing list of Ethereum DeFi protocols to suffer multimillion-dollar breaches.

The attack on Beanstalk, a credit-based stablecoin built on Ethereum, mirrors an incident last year in which PancakeBunny’s DeFi protocol suffered a US$45 million loss. In the Beanstalk case, an attacker used a flash loan exploit to drain the protocol’s funds, and Etherscan data shows Aave’s flash loan feature was leveraged to withdraw liquidity from the protocol. The hacker then used Uniswap to trade DAI, USDC and USDT for Ethereum.

The market for Beanstalk’s BEAN stablecoin collapsed as a result of the attack and the token was down 86 percent at the time of writing.

Native Tokens Used to Drain Funds

Beanstalk has since reported that the flash loan on Aave enabled the attacker to amass a large amount of Beanstalk’s native governance token, Stalk. Through the voting powers granted by the tokens, the attacker was then able to pass a malicious governance proposal that drained all protocol funds into a private Ethereum wallet.

Some Stolen Funds Diverted to a Ukrainian Relief Wallet

Beanstalk’s smart contracts were audited, but the audit was completed before the introduction of the flash loan vulnerability. No information has yet been forthcoming on whether funds would be reimbursed to users. According to PeckShield, the attacker appears to have donated US$250,000 of the stolen funds to a Ukrainian relief wallet.

Categories: Bored Ape Yacht Club, Hackers, Illegal, NFTs, Scams, Tokens

$APE Drops 20% Following Bored Ape Yacht Club Discord Hack

ApeCoin has dropped 8 percent after the Bored Ape Yacht Club (BAYC) Discord servers suffered a phishing scam. The governance token behind the world’s largest NFT collection has plunged after news of the phishing attack was confirmed.

APE Witnesses Massive Fluctuations

APE fell from roughly US$14 on March 31 and at some point reached US$12.8, according to CoinMarketCap. The tokens were airdropped to Bored Ape and Mutant Ape NFT holders on March 16 and will serve as the governance token for the project’s newly launched decentralised autonomous organisation (DAO). APE will allow its holders to vote on the project’s roadmap and upcoming proposals.

Since the token launched, the price action has been rather volatile, with APE going as high as US$39.4 before settling in a range between US$14 and US$16.

An unknown hacker gained access to the official Discord meant to host members of BAYC, Mutant Ape Yacht Club, and Mutant Ape Kennel Club, three NFT collections from Yuga Labs. The attackers posted a phishing link in the Mutant Ape Kennel channel disguised as a “stealth NFT mint”, which was used to steal Mutant Ape Yacht Club #8662 from one user.

No ‘April Fools Stealth Mints’

The team at BAYC indicated in a tweet that it had “caught” the issue immediately but cautioned users not to mint any NFT using a link posted on its Discord, and told users that it had no April Fools stealth mints. According to several reports, clicking on the link would result in the respective holders losing their NFTs. It has been reported that the hacker may have carried out the attack via Ticket Tool, a popular Discord bot that automatically generates support tickets.

Twitter users have also warned of a similar exploit on the Discord server of Doodles, another NFT collection, but at the time of writing this had not yet been confirmed.

Categories: DeFi, Illegal, NFTs, Scams, Tokens

Crypto Venture Capitalist Loses $1.7 Million in NFT Hot Wallet Phishing Attack

Arthur Cheong, founder of DeFi and Web3-focused crypto venture capitalist firm Defiance Capital, tweeted this week that a hacker had stolen over US$1.7 million worth of NFTs from his crypto wallet.

Pieces stolen include five CloneXs, 17 Azukis, 33 Second Selfs, two Hedgies and two Tsubasa NFTs, according to security firm PeckShield. A total of 59 NFTs were stolen.

Cheong said the unknown hacker compromised his device using a technique known as ‘spear phishing’.

Earlier this month, an unknown hacker began draining NFTs from an Ethereum wallet owned by Cheong, which he later confirmed on Twitter. The hacker then proceeded to sell the stolen NFTs on OpenSea and also transferred other tokens such as wETH, Lido DAO, LooksRare and DYDX to their wallet.

As it stands, the perpetrator’s wallet currently contains about 585 ETH, or around US$1.7 million, that can all be traced back to Cheong’s wallet. This figure may increase as the hacker appears to be still moving funds out of Cheong’s account.

Spear Phishing Email Likely Suspect

Cheong said the hacker used what is called a ‘spear phishing’ email to deploy malware on his device, which then proceeded to extract the seed phrase to his crypto wallet.

Phishing Attacks on the Rise

This is sadly not a unique incident, with the incidence of phishing scams rising dramatically this year. In January, OpenSea lost US$3 million in stolen NFTs. In a similar fashion, US$790,000 worth of Rare Bear NFTs were stolen in a brazen phishing attack just last week.

Categories: Bitcoin, Crime, Crypto News, Illegal

Darknet Ecstasy Kingpin Forfeits $2.3 Million in Bitcoin

A 25-year-old man from Massachusetts in the US has been sentenced to eight years’ imprisonment for selling illicit drugs for cryptocurrencies on the dark web. In addition, he also had to forfeit US$2.3 million worth of bitcoin after starting “EastSideHigh” on the darknet.

At the age of 22, Binh Thanh Le set up “EastSideHigh”, a storefront on the Wall Street Market illegal marketplace on the darknet, selling illicit drugs such as Xanax, ecstasy (MDMA), and ketamine. Le’s illegal business netted him a profit of 59 bitcoin, which was originally seized in March 2019. At the time the funds were worth US$200,000, but now amount to a whopping US$2.3 million.

Le and Two Associates Arrested with 20+ kg of Ecstasy

Along with his bitcoin, Le also held over US$114,000 in cash and another US$42,000 generated from a sale of a car. He was indicted in June 2019 with two other people for conspiracy to manufacture and distribute drugs. At the time of his arrest and seizure, law enforcement officials found over 20 kilograms of ecstasy, approximately 6.8 kilograms of ketamine, and more than 10,000 Xanax pills in Le’s possession.

After serving his prison sentence, Le will be supervised on release for a further three years. US District Attorney for Massachusetts Rachel Rollins said: “This sentence sends a clear message to dark web criminals – the federal government is entering this space. We will find you and we will hold you accountable.” She added:

Thanks to the incredible work of our law enforcement colleagues, there is one less cybercriminal hiding in the shadows.

Rachel Rollins, US District Attorney for Massachusetts

Crypto Seizures Add Up to Massive Numbers

Recently, the US Justice Department impounded US$3.6 billion in bitcoin and arrested a wannabe rapper and her husband for conspiring to launder the funds. A January report also revealed that US$33 billion had been laundered via crypto by cybercriminals over the past five years.

Categories: Algorand, DeFi, Ethereum, Hackers, Illegal, Polygon, Scams

Fantasm Finance DeFi Project Exploited for $2.6 Million

This week’s attack on Fantom Network-based synthetic asset protocol Fantasm Finance saw the loss of US$2.6 million worth of Ethereum. The stolen funds, totalling 1,007 ETH, were run through the Tornado Cash mixing service.

According to the protocol’s Medium page, the team will conduct a postmortem and consider all compensation options for victims.

Another Day, Another DeFi Hack

The address of the attacker shows the extent of the theft, with 1.8 million FTM remaining in the pool for redemption.

Since the March 9 exploit, the attacker has been using Tornado Cash to mask transactions. Tornado Cash is a service that breaks the link between source and destination addresses, thereby obscuring the transaction history.

Attacks on DeFi Remain Rife

The crypto space, and DeFi in particular, has been under attack by hackers seeking to exploit protocols. The frequency with which new projects launch without undergoing a security audit makes them very vulnerable to attackers. In January, Algorand-based DeFi platform ‘Tinyman’ was exploited for US$3 million. The team at Algorand quickly tweeted that it had been compromised and pulled the remaining liquidity from the project.

The most recent DeFi attack prior to Fantasm targeted Polygon DeFi protocol QiDao’s Superfluid vesting contract, draining US$13 million. User funds on QiDao however remained safe, as the exploit was “solely on Superfluid”, according to the Polygon-based DeFi protocol.

Categories: Crypto News, DeFi, Illegal, NFTs, Scams

Suspicious Code Detected in ETH Smart Contract Putting NFT Projects at Risk

According to the well-known DeFi detective who goes by “Zachxbt” on Twitter, 31 NFT projects may be at risk due to what he calls “suspicious code”. He posted a lengthy thread on Twitter and raised the issue of NFT project Thestarlab, which he alleges was compromised for 197.175 Ether (ETH), worth about US$580,325.

Zachxbt quoted his fellow blockchain investigator “MouseDev” who came to the following conclusion after reviewing the code behind Thestarlab:

What this means is that the contract can never truly be renounced or transferred! Only an additional owner. The original deployer will always be considered the owner! You can also check the relinquish and transfer ownership functions to see they never overwrite _creator.

MouseDev

MouseDev supposes that when the developer of the project deployed the contract, they stored two variables as the owner. “Then they later changed one of them to the null address to appear as though they relinquished but kept another unchanged variable,” MouseDev claims.
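MouseDev’s advice above amounts to reading the relinquish and transfer functions and confirming that every owner-like variable is actually overwritten. As an added example that is not from the article or from MouseDev, here is a small heuristic that automates that reading over Solidity source text: it finds address-typed state variables that are compared against msg.sender (so they gate privileged calls), are set in the constructor, and are never written by any renounce-, relinquish- or transfer-ownership function. It is regex-based triage rather than a Solidity parser, and the two contracts it scans are constructed for the example; the _creator/_owner names mirror the pattern described above.

```javascript
// Added example, not from the article or MouseDev: a regex-based triage check
// for the "second owner that never gets cleared" pattern. Heuristic, not a parser.

// Return the contents of the first `{ ... }` block starting at or after `from`.
function blockAfter(src, from) {
  const open = src.indexOf("{", from);
  if (open < 0) return "";
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}" && --depth === 0) return src.slice(open + 1, i);
  }
  return "";
}

// Names of address-typed state variables declared at contract level.
function addressStateVars(src) {
  const names = [];
  const re = /^\s*address\s+(?:public|private|internal)?\s*(?:immutable\s+)?(\w+)\s*;/gm;
  let m;
  while ((m = re.exec(src)) !== null) names.push(m[1]);
  return names;
}

// Subset of `names` that is assigned (`name = ...`, not `==`) somewhere inside `body`.
function assignedIn(body, names) {
  return names.filter((n) => new RegExp(`(^|[^\\w.])${n}\\s*=[^=]`).test(body));
}

// Bodies of functions whose names look like an ownership handover.
function handoverBodies(src) {
  const bodies = [];
  const re = /function\s+\w*(?:renounce|relinquish|transfer)\w*[Oo]wner\w*\s*\(/g;
  let m;
  while ((m = re.exec(src)) !== null) bodies.push(blockAfter(src, m.index));
  return bodies;
}

// Privileged address variables set in the constructor that no handover function ever writes.
function findShadowOwners(src) {
  const privileged = addressStateVars(src).filter((n) =>
    new RegExp(`msg\\.sender\\s*==\\s*${n}\\b|\\b${n}\\s*==\\s*msg\\.sender`).test(src));
  const ctor = src.search(/constructor\s*\(/);
  const setInCtor = ctor < 0 ? [] : assignedIn(blockAfter(src, ctor), privileged);
  const handedOver = new Set();
  for (const body of handoverBodies(src)) for (const n of assignedIn(body, privileged)) handedOver.add(n);
  return setInCtor.filter((n) => !handedOver.has(n));
}

// Constructed sample in the shape described above: two owner variables, only one ever cleared.
const SUSPICIOUS = `
contract Suspicious {
    address private _creator;
    address public _owner;

    constructor() {
        _creator = msg.sender;
        _owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == _owner || msg.sender == _creator, "not owner");
        _;
    }

    function renounceOwnership() external onlyOwner { _owner = address(0); }
    function transferOwnership(address newOwner) external onlyOwner { _owner = newOwner; }
    function withdraw() external onlyOwner { payable(msg.sender).transfer(address(this).balance); }
}`;

// Constructed sample with a single owner plus an unprivileged address that is fine to leave alone.
const CLEAN = `
contract Clean {
    address public _owner;
    address public treasury;

    constructor(address treasury_) {
        _owner = msg.sender;
        treasury = treasury_;
    }

    modifier onlyOwner() {
        require(msg.sender == _owner, "not owner");
        _;
    }

    function renounceOwnership() external onlyOwner { _owner = address(0); }
    function transferOwnership(address newOwner) external onlyOwner { _owner = newOwner; }
    function withdraw() external onlyOwner { payable(treasury).transfer(address(this).balance); }
}`;

console.log("Suspicious:", findShadowOwners(SUSPICIOUS)); // [ '_creator' ]
console.log("Clean:", findShadowOwners(CLEAN));           // []
```

Because the check keys on comparisons with msg.sender, it ignores addresses such as a treasury that are stored in the constructor but never gate anything, and it would miss an owner check written through a helper function or a mapping; treat a hit as a prompt to read the functions by hand, which is what MouseDev recommends in any case.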

According to this information, Zachxbt claims to have uncovered 31 NFT projects that all contracted the same Fiverr developer to launch the problematic smart contract. Zachxbt also remarked: “Please do proper due diligence. Always review the contract beforehand, especially if outsourced. Luckily, since then a few of the projects were able to migrate contracts and confront the Fiverr dev. After reviewing internally, a few found other red flags as well.”

Thank Goodness for DeFi Detectives

DeFi detectives have been many a project’s saviour. “Void-of-Silence” posted on Twitter: “Some old info I’ve posted along with some new info out today 💚 a readdressing of the situation would be awesome or a new post about it all 🔥”

Another fellow detective who goes by “Thats AOK” replied to MouseDev’s Tweet by saying: “RUG RUG RUG RUG RUG RUG RUG.”

Last month, an infamous “internet detective” who goes by “Coffeezilla” confronted YouTuber “Ice Poseidon” and got him to admit to stealing US$500,000 in a blatant crypto scam. Coffeezilla later in February managed to expose an NFT scam that would have cost its users US$20 million, had it actually come to pass.