NFT owners have been urged to remain vigilant after 29 Moonbird NFTs, worth about US$1.5 million, were stolen from a Proof Collective member in a phishing attack in which the victim clicked a malicious link.
Moonbirds’ Massive Launch Success Makes it a Target
Dollar, a popular Twitter personality and NFT holder, has claimed that the culprit is already “half doxxed” by the crypto exchange and that Proof Collective and its members are currently working on a full report in collaboration with the Federal Bureau of Investigation (FBI).
It is still unclear how many people in total have fallen victim to the scam, but it serves as a harsh reminder that even the savviest NFT investors need to be on their toes when it comes to scammers.
Recent crypto scams also serve as a harsh wake-up call for NFT owners to exercise caution when dealing with a third-party platform and to double-check anything shared by others.
Digital artist and NFT creator Mike Winkelmann, better known as Beeple, has been targeted in a serial phishing expedition that netted scammers a total of US$438,000.
Hackers Railroad Louis Vuitton Raffle
In a series of tweets over the weekend, purportedly from Beeple, scammers posted links to a fake Louis Vuitton NFT raffle, capitalising on a recent real collaboration between Beeple and the luxury fashion brand.
Earlier this month, Beeple designed 30 NFTs for LV’s ‘Louis The Game’ mobile game, embedded as rewards to players. Scammers posted phishing links from Beeple’s Twitter account to fake Beeple collections that seduced unsuspecting users with the promise of a free mint for unique NFTs.
The phishing links were up on Beeple’s Twitter for several hours, with the first netting the scammers 36 ETH, or roughly US$73,000 at the time. The second link snared US$365,000 worth of ETH and NFTs, bumping the total value of the scam to about US$438,000.
Beeple later tweeted that he had regained control of his account and reminded his followers that “anything too good to be true IS A F*CKING SCAM”.
Beeple Makes Himself a Scam Magnet
Having created three of the top 10 most expensive NFTs released to date, including one that sold for US$69 million, Beeple has made himself a prime target for hacks. Last November, his installation artwork Human One, paired with an NFT, sold for almost US$29 million at auction. That same month, an admin account on the artist’s Discord channel was hacked, with users losing 38 ETH to a fake NFT drop remarkably similar to the latest exploit.
Earlier this month, Beeple made the news for an entirely different reason, partnering with pop icon Madonna on an explicit NFT collection that possibly raised more eyebrows than it did money.
Multiple DeFi protocols have been compromised after an attack on the world’s biggest domain registrar, GoDaddy. Unconfirmed reports suggest the hacker(s) may have used GoDaddy’s account recovery method to target crypto domains.
SpiritSwap, one of Fantom’s biggest DeFi exchanges, has been left vulnerable as a result.
SpiritSwap Manages to Mitigate Disaster
SpiritSwap managed to take action quickly after the attacker(s) manipulated the swap parameters and made off with an amount not exceeding US$18,000. SpiritSwap provided updates stating it had disabled swapping in order to prevent the hackers from stealing further funds and assured users that their contracts and funds were safe, even though the domain spiritswap.finance had been compromised. Since the attack, SpiritSwap has suspended all transactions.
Swapped Funds Redirected Across DeFi Protocols
Several crypto projects use GoDaddy to host their domains, and at the time of writing the full extent of the damage was not yet clear. That said, this attack differs from the recent ‘Coinzilla Ad’ hack in which an ad caused a pop-up on sites such as CoinGecko that, when clicked, could drain a user’s wallet. In the case of GoDaddy, the attacker used the hosting platform to redirect swapped funds on DEXes such as QuickSwap and SpiritSwap.
DeFi Scams on the Rise in 2022
DeFi scams are nothing new but are becoming ever more brazen. Here is a recent list of the scams that happened in DeFi this year:
Several popular crypto websites, including those of data aggregator CoinGecko and Ethereum block explorer Etherscan, were targeted by a large-scale phishing scam last weekend that displayed malicious pop-ups prompting users to connect their MetaMask wallets.
The scam was linked to the now deactivated domain nftapes.win, which displayed the Bored Apes Yacht Club logo in an attempt to appear legitimate. At the time of writing, it was unclear how many users were affected and how much they lost.
How the Scam Worked
According to CoinGecko, the scammers hijacked the advertising platform Coinzilla, which displays ads across a wide network of crypto-related sites, injecting malicious code that triggered the fraudulent pop-ups.
From there it was a relatively straightforward phishing scam leveraging the trust of the websites they exploited. The pop-ups would prompt users to connect their MetaMask wallets, and of course once they did their digital assets were immediately transferred to the scammers.
When the advertising code was identified as the root cause of the fraudulent pop-ups, it was deactivated on the CoinGecko website.
Advertising Code a Serious Vulnerability
Twitter user and blockchain researcher @CryptoShrine explained that this type of attack is quite common and suggests that Web3 site owners should look to move away from advertising as a primary source of revenue:
Ideally, the web3 related site owners should generate revenue through other means than just advertising.
Malvertising is a well-known tactic used by attackers in the web2 space and can be extended to the web3 space as well.
Scams of this nature can cause significant losses for two reasons: by piggybacking on the advertising code they can affect many websites at the same time, and because the malicious pop-ups appear on trustworthy websites, users are more likely to fall victim.
Azuki NFTs have plunged 63 percent in price after the project’s pseudonymous founder Zagabond revealed his previous involvement in three failed NFT projects – some of them considered rugpulls.
Azukies are currently the sixth-highest-selling collection, but now both the project and its founder face a massive backlash from the crypto Twitter community, shortly after Zagabond published a blog post talking about his previous experience building NFT projects.
In the blog post, Zagabond revealed he was behind three NFT projects before Azukies – CryptoPhunks, Tendies and CryptoZunks – all abandoned by their founders after they failed to gain traction.
Zagabond’s approach was to share his previous work and experience in the digital art field, but the publication of his post backfired within hours as several users pointed out his previous projects were scams. After the blog’s publication, Azukies went from trading at an average of 20 ETH, or approximately US$49,900, to barely 9 ETH (US$21,380).
Zagabond Dismisses Accusations
Zagabond quickly dismissed the accusations, saying he and the other creators delivered everything that was promised and the fact that they had no PMF, or product-market fit (the degree to which a product satisfies a market demand), didn’t mean the projects were rugs.
One Zagabond defender noted that if these projects had delivered their users what was promised, then the creators had no need to continue to work on them:
It seems that consumers still have an expectation that the team and the developers will continue to work on the project in perpetuity. And as a creative, are you indebted to these community members and this project forever?
Zagabond blog post
However, the majority remained unconvinced. “No PMF yet you profited millions while buyers were left holding the bag?” one user commented.
Another Twitter user shared on-chain data about the CryptoPhunks creator performing a flashloan transaction of 5,000 ETH on the NFT marketplace LooksRare.
OpenSea has suffered a security breach on its main Discord channel, allowing hackers to promote a fake YouTube partnership with the NFT platform. OpenSea Support warned the community not to click on any links in its Discord channel, and said that it would investigate the situation.
The scam was first pointed out by a Twitter user called Serpent, who shared a screenshot of the marketplace’s hacked Discord, showing the scammers promoting an NFT mint pass as part of a fake partnership with YouTube and a link to a phishing site.
Webhooks Used for Phishing
Apparently, the hacker(s) used webhooks – automated HTTP callbacks that let an external service post messages into a Discord channel – to gain access to server controls.
The hacker(s) were able to stay on the server for a considerable amount of time before OpenSea staff regained control. It appears that at least 13 wallets fell victim to the scam, as per on-chain data on Etherscan.
Another Discord Channel Hacked
Compromised Discord servers aren’t that uncommon, and more users are demanding better security protocols from the messaging platform.
It seems NFT channels are the biggest target for scammers. A month ago, Crypto News Australia reported how $APE dropped over 20 percent after the Bored Ape Yacht Club (BAYC) Discord channel got hacked.
Five months ago, blockchain gaming company Animoca had to repay users 265 ETH, or US$1.1 million, after several victims fell for fake NFTs, draining a considerable amount of money out of investors’ pockets.
An IT professional from Germany has warned fellow Reddit users after discovering that his mobile phone’s predictive text feature enabled it to correctly predict his entire recovery seed phrase after typing in the first word.
Guessing Seed Phrases: Impossible?
Seed phrases, made up of words randomly selected from the 2048-word list defined in Bitcoin Improvement Proposal (BIP) 39, enable users to back up or recover access to their crypto holdings. Correctly guessing a 12- or 24-word seed phrase is virtually impossible, even with quantum computing. To give a sense of how low the probability is, one Reddit user ran the numbers.
Imagine then the surprise of Andre, also known as u/Divinux on Reddit, when he noticed that his phone accurately guessed the 12–24 word seed phrase, in the right order. “First, I was stunned. The first couple of words could be a coincidence, right?” he said, adding:
This makes it simple to attack: get your hands on a phone, open any chat app, start typing words off the BIP39 list, and see what the phone suggests.
u/Divinux on Reddit
However, being IT literate and recognising the risk, he decided it would be best to put word out to the community.
Different Keyboards, Different Results
To properly assess the risk, Andre decided to evaluate how a range of different keyboards performed. His findings revealed that Google’s GBoard was the least vulnerable, since it did not predict every word in the correct order. However, both Microsoft and Samsung’s keyboards were able to predict the seed phrase word-for-word by default.
He then proceeded to issue a warning to fellow crypto enthusiasts:
Not your keys not your coins, do your own research, don’t FOMO, never invest more than you are willing to lose, always double-check the address you are sending to, always send a small amount beforehand and disable your PMs in settings.
u/Divinux on Reddit
Perhaps more pertinently, he concluded that users should “do [themselves] a solid [favour] and prevent that [predictive text guessing the seed phrase] from happening by clearing [their] predictive type cache”. Others however, such as u/babaossa77, thought even that didn’t go far enough: “If you typed your seed phrase into your mobile phone I’d already consider that seed as unsafe and wouldn’t use it for any bigger funds, even after clearing the cache.”
Just two weeks ago, MetaMask issued a phishing attack notice to its users, suggesting that when it comes to security, it’s ultimately a matter of degree since one can never be truly immune to the risk of a breach.
Australia-founded crypto NFT project Sportemon Go has ceased trading on its native token SGOX, leaving investors disgruntled, to say the least.
The news has spread across all major UK news media as Sportemon Go was sponsoring Scottish football clubs Rangers and Hibs. The brand removed all presence from social media on Monday night and locked up its website before resurfacing with a notice:
The SGOX Token has ceased trading. The community voted unanimously to redeem SGOX for L1TF token. This was [a] great result for Token holders, with 1 x SGOX Token being redeemable for 1 x Liberty One Treasury Fund Token. This was overwhelmingly voted in favour by over 90% of holders, with more than 95% of tokens. Also note the Team, Athletes and other IP are currently being removed or deleted, as we finalise amicable termination agreements. These will all be removed once finalised. For further partner and token information or information on how to redeem tokens, please email: [email protected]
Rangers signed a two-year deal with Sportemon Go in October 2021 and the club has since featured the Sportemon Go logo on its player strip and TV ads for the brand.
The Edinburgh Evening News reported that Hibernian FC, aka Hibs, began to distance itself from Sportemon Go after it showed signs of financial difficulty some months ago, with commercial director Greg McEwan telling the paper: “Knowing Sportemon Go’s difficulties, we had been planning for a mutual termination of the partnership and have a new partner in place for the upcoming season, which will be announced soon.”
What Now For Sportemon Go?
Sportemon Go co-founder Ricky Jackson has taken to Twitter and Telegram to try to calm the FUD caused by the SGOX token collapse.
At the time of writing, there was no information about the new “Liberty One Treasury Fund Token” referred to in Sportemon Go’s website notice and there are reports that SGOX token holders were not adequately notified about any voting poll. With the brand’s Telegram channel history deleted, there is nothing in the discussions.
Investors took to Twitter to voice their frustrations, with some writing off their DeFi investment in the project:
The fact that the Jacksons didn’t take any responsibility for the failure of a broken business model and blamed it all on FUD is unbelievable. They never built income streams for SGO; that’s why it failed. No app, no VR, nothing…
The “FANTASTIC OFFER” of swapping SGOX for whatever the hell L1TF is/will be seems dependent upon bagholders keeping their mouths shut & not complaining.
There are a few folk saying that the new one will be a stablecoin but guess we’ll have to wait & see whether that really turns out to be the case. Five years is rather a long time though, and an eternity in crypto.
Crypto News Australia reported last August that Sportemon Go was to create NFTs for Australian cricket legend Adam Gilchrist. Since then we have followed the project, and it has promised more and more platforms, features and tokens, including (but not limited to):
an SGO NFT marketplace
Australian ‘Home Town Heroes’ sports NFTs
SGO Bot NFTs
NFTs for NRL team the South Sydney Rabbitohs
NFTs for Scottish football team Rangers
Metarace virtual dog racing NFTs
Virtual Metaverses Play-to-Earn
eSports Integration for Personalisation
Rewards for gaming
Physical and Virtual Fan Experiences
SGO token launch on ETH
SGOX token launch on BSC
SGO/SGOX Staking Pool
Stablecoin Liberty Project
Delivering on all of these features would be quite a task, and it may simply be that Sportemon Go has bitten off more than it could chew.
Crypto News has contacted Sportemon Go for comment and will update this story once a response or further information is received.
It’s official: Elon Musk has bought Twitter for US$44 billion and will be taking the social media giant private. Despite various blue check Twitter accounts decrying the move as “dangerous for democracy”, Musk himself has signalled that freedom of speech will reign supreme in the online town square.
An Offer Too Good to Refuse
Under the agreement, shareholders will receive US$54.20 per share, a 38 percent premium on the company’s closing share price as of April 1, which was the last trading day before Musk disclosed his approximately 9 percent stake in Twitter.
The transaction, expected to close later this year, was financed with both debt (US$25.5 billion) and equity (US$21 billion). After Twitter’s board initially elected to invoke a “poison pill”, which would have diluted his holdings, Musk responded with a new filing with the Securities and Exchange Commission (SEC).
At the time, Musk said:
I invested in Twitter as I believe in its potential to be the platform for free speech around the globe, and I believe free speech is a societal imperative for a functioning democracy. However, since making my investment I now realise the company will neither thrive nor serve this societal imperative in its current form. Twitter needs to be transformed as a private company.
Elon Musk
Recognising their responsibility to shareholders, the board of directors was ultimately left with little choice but to accept the offer. Bret Taylor, Twitter’s independent board chair, said:
The Twitter Board conducted a thoughtful and comprehensive process to assess Elon’s proposal with a deliberate focus on value, certainty, and financing. The proposed transaction will deliver a substantial cash premium, and we believe it is the best path forward for Twitter’s stockholders.
Bret Taylor, independent board chair, Twitter
Musk’s Priorities
While some users will be pleased to hear that Musk intends to introduce a much-needed edit button, much of the focus was on freedom of speech: “Free speech is the bedrock of a functioning democracy, and Twitter is the digital town square where matters vital to the future of humanity are debated,” Musk said.
He added: “I also want to make Twitter better than ever by enhancing the product with new features, making the algorithms open source to increase trust, defeating the spam bots, and authenticating all humans. Twitter has tremendous potential – I look forward to working with the company and the community of users to unlock it.”
Musk provided some additional context at TED 2022, highlighting that it was a priority to eliminate the spam bots, which are particularly rife in the crypto industry.
One potential avenue for doing so could be to implement Michael Saylor’s suggestion of integrating the Lightning Network to make the cost of spam and scams economically unfeasible.
In order to engage, users would require an “orange tick”, which they could obtain by posting satoshis as collateral. Any breach of the rules would then result in a ban and loss of the collateral. Saylor outlined this in a recent interview, saying it could put an end to cyber attacks.
The Twitter user experience has undoubtedly been negatively impacted through censorship and the proliferation of spam bots. Hopefully, Musk will be a better custodian of the digital town square than his Silicon Valley predecessors. Initial signs are good.
Bored Ape Yacht Club’s (BAYC) Instagram account has been hacked in a phishing scam resulting in the theft of US$2.8 million worth of NFTs.
Yuga Labs, the creator of BAYC, is investigating the attack and has tweeted to followers not to click on links or mint new tokens. The attacker stole 133 NFTs after using BAYC’s Instagram account to promote a fake “airdrop”. The scam promised people free tokens if they connected their MetaMask wallets to the site linked through the post.
No Compensation As Yet
It is not yet known how the hacker accessed the Instagram account, and Yuga Labs has yet to announce whether it will compensate those affected by the scam.
According to Yuga Labs, “At the time of the hack, two-factor authentication was enabled and security surrounding the Instagram (IG) account followed best practices.” It added: “We’ve regained control of the account, and are investigating how the hacker gained access with IG’s team.”
According to blockchain data, the hacker’s wallet, which has been identified in connection with the attack, holds 91 NFTs and is said to be worth US$2.8 million based on the floor prices of the respective collections. The attack has seen 24 Bored Apes and 30 Mutant Apes stolen.