Categories
Crypto News Cryptocurrency Law Illegal NFTs Regulation Scams

US Senator Proposes Laws to Make Rug Pulls a Crime

Under new legislation filed in the US state of New York, lawmakers intend to confirm fraudulent rug pulls as a crime along with other crypto-specific forms of duplicity.

Companion Bill Filed in Lower Chamber

According to public records, Senate Bill S8839 “establishes the offences of virtual token fraud, illegal rug pulls, private key fraud and fraudulent failure to disclose an interest in virtual tokens”. A companion bill, Assembly Bill A8820, was also filed in the New York State Legislature’s lower chamber. The bills were introduced by State Senator Kevin Thomas and Assembly member Clyde Vanel, respectively.

The legislation places particular focus on rug pulls – a term referring to the sudden exit of a developer or founding team and the resultant defrauding of investors – given how prevalent the practice is in the crypto space. The proposed New York legislation would limit the ability of founding teams to sell significant percentages of their token holdings within a period of five years.

The specific text of the proposed legislation reads:

Illegal rug pulls:

1. A developer, whether natural or otherwise, is guilty of illegal rug pulls when such developer develops a class of virtual token and sells more than ten percent of such tokens within five years from the date of the last sale of such tokens.

2. This section shall not apply to non-fungible tokens (NFTs) where a developer has created less than 100 NFTs that are regarded as part of the same series or class of NFTs or where such NFTs regarded as part of the same series or class are valued at less than $20,000 at the time the rug pull occurs.

Proposed New York rug pull legislation

If the legislation is approved and signed, it will take effect 30 days after passage.

Need for Legislation Parallels the Rise of Rug Pulls

Legislation such as this is becoming all the more necessary given the rising incidence of rug pulls and crypto scams. Last year Crypto News Australia reported on a Solana NFT project that was accused of a rug pull of the coin Eternal Beings. And in December, Bent Finance confirmed that its pool had been exploited for US$1.6 million in a rug pull incident.

Categories
Crypto News Ethereum Illegal NFTs Scams

$34 Million ‘AkuDreams’ NFT Project Locked Permanently by Smart Contract Error

An error in a smart contract has led to NFT project AkuDreams locking up US$34 million worth of Ethereum. The project was hit by an exploit through its refundable Dutch auction on April 22 in which the hacker did not profit but managed to lock up the funds:

Cryptocurrency developer Foobar tweeted coding (see above) showing that “$34 million, or 11,539 ETH, is permanently locked into the AkuDreams contract … It cannot be retrieved by individual users or by the dev team.”

‘No Malice Intended’

The AkuDreams Twitter account confirmed the exploit and said: “We are locked down and consulting with some of the best on the next steps. We will mint your NFTs, and reveal them as soon as humanly possible. We will also be working to issue funds for those passholders who bid with the intention of securing a price .5 ETH below the final price.”

Refunds and Withdrawals Blocked

The auction opened at 3.5 ETH on the premise that the lowest bid would set the final price, and anyone who placed a higher bid would receive a refund. AkuDreams passholders were also promised a 0.5 ETH discount on each NFT they minted. But due to a bug in the contract, an exploiter was able to halt refunds and withdrawals from the contract, which meant that auction participants who bid above the final NFT price could not receive the ETH they were owed. As a result, neither refunds nor withdrawals from the contract could be processed.

AkuDreams acknowledged the issue, saying that the exploit “was not done out of malice” and that it was looking into the incident. The announcement that followed contained the admission, “To be clear, this is our fault.”

The project has promised to return funds to the community and later confirmed that the NFTs would be airdropped to bidders, and that it would honour refunds for the passholders who are owed a 0.5 ETH discount.

Exploits, Exploits, and More Exploits

The crypto space has of late been rife with exploits taking place in every sector. In October 2021, a bug in the DeFi protocol Compound saw its users mistakenly rewarded with US$80 million in COMP tokens. Qubit Finance earlier this year lost US$80 million after its protocol was hacked, making it one of the biggest exploits so far this year.

Categories
Crypto News Hackers Illegal Scams

Hacker Exploits DeFi Protocol ‘Zeed’ for $1 Million But Fails to Take the Funds

After the decentralised finance (DeFi) protocol ‘Zeed’ was exploited for US$1 million this week, the hacker destroyed the contract used but left all tokens, rendering them immobile:

Zeed is a lesser-known DeFi protocol, an “autonomous decentralised integrated ecosystem” that runs on the BNB Chain. The protocol was attacked by minting extra rewards that were sold on the market, thereby crashing the token’s price to zero:

After the attack, the hacker destroyed the contract used in the exploit, meaning that any tokens held by the contract could no longer be moved, according to PeckShield, who put it in a nutshell: “The hacker kills the contract, but forgets to transfer the profit.”

Another blockchain security firm, BlockSec, added: “Interestingly, the attacker does not transfer the obtained tokens out before self-destructing the attack contract. Probably, he/she was too excited.”

Yet Another DeFi Hack

Hacks are becoming an increasingly common occurrence in the DeFi space. Last year, DeFi project Cream Finance lost US$19 million in a flash loan attack – its second breach in six months. Earlier this week, Crypto News Australia reported that the Beanstalk stablecoin lost about US$182 million in yet another flash loan exploit.

Categories
Australia Banking Crypto News Cryptocurrency Law Regulation Scams

AUSTRAC Releases Guide to Detect and Prevent Illicit Crypto Activity

The Australian Transaction Reports and Analysis Centre (AUSTRAC) published two guides this week with hopes of helping Aussies detect and prevent illicit crypto activity.  

Focus on Ransomware, Debanking

AUSTRAC is helping companies identify when their customers are being forced to take part in paying ransomware creators or illicitly engaging with crypto. This assistance comes in the form of two guides and a warning that debanking customers without evidence is a harmful practice.

In what can be considered another positive step the government is taking to embrace cryptocurrency, the financial watchdog has been prompted to act after a recent increase in ransomware-related attacks and cases of debanking.


Open dialogue, pro-active guidance, and strong relationships between government and industry are necessary to ensure businesses can identify and report behaviour that puts Australians at risk of harm.

Steve Vallas, Blockchain Australia CEO

The release of these documents follows guides from the Australian Securities and Investments Commission (ASIC) and AUSTRAC’s critical infrastructure bill.

ASIC and AUSTRAC Go After Scammers and ‘Finfluencers’

AUSTRAC and ASIC began investigating scammers deceiving crypto investors in March 2021. The investigation discovered that British scammers were stealing millions of dollars of crypto from Aussies.

The latest AUSTRAC guides come only weeks after ASIC released its guide warning Australian ‘Finfluencers’ of impending tighter regulations.

Categories
Australia Banking Scams Social media

Commonwealth Bank Issues Scam Alert Over False Crypto Platform Partnership Report

The Commonwealth Bank of Australia (CBA) issued a scam alert this week to notify the public about a false article circulating on social media sites such as Facebook that claims the bank has partnered with a crypto trading platform. 

CBA emphasises that the claims made in the story are “totally false and untrue”.

The fake story purports to be from the Australian Broadcasting Corporation (ABC) and is designed to exploit people’s trust in, and familiarity with, CBA’s brand and convince them to click through to the scammer’s website. Once on the scammer’s website, users are asked to enter personal information and transfer money.

CBA encourages anyone who receives the scam article through any channel – be it social media, email or text message – not to respond or click on any associated links.

In addition to warning its customers directly, the CBA has reported the scam to all relevant authorities and has asked social media sites to remove the story from their platforms.

CBA’s Genuine Interest in Crypto May Confuse Readers

The scammers may have chosen to use the CBA brand in their fake news story partly because the bank has been particularly enthusiastic about crypto of late.

Last month, CBA said it intended to invest heavily in crypto-related services and just weeks ago its crypto trading app, the first offered by an Australian bank, was delayed due to regulatory hurdles following a successful beta.

Categories
Crypto Wallets MetaMask Scams

MetaMask Issues Phishing Attack Security Alert for iPhone Users

Software-based crypto wallet MetaMask has warned its users on Apple devices that their assets may be at risk from an iCloud-related phishing scam. 

MetaMask tweeted out the alert on April 18, stating that users of Apple devices should ensure their Apple ID password is “strong enough” and providing instructions for disabling iCloud backups:

The alert comes after a Twitter user known as revive_dom reported losing US$650,000 of digital assets to the scam.

iCloud Stores MetaMask Seed Phrase 

The crucial vulnerability the scammers exploited is that, by default, iCloud backs up the MetaMask seed phrase and stores it digitally online. 

This means that if a MetaMask user on an Apple device hasn’t specifically turned off iCloud backups and a scammer can gain access to the user’s iCloud account, the scammer has full access to the digital assets stored in that user’s MetaMask wallet.

Classic Phishing Scam with a Twist

The details of how the scam was carried out against revive_dom were tweeted by Twitter user Serpent, who is also the founder of the NFT project DAPE: 

Essentially, the scammers raised the user’s suspicions by triggering numerous iCloud password reset attempts, which made it appear as though someone was trying to maliciously access the user’s iCloud account. 

The scammers then called the user from a spoofed number, which made them appear to be from Apple support. After the scammers established trust, the user mistakenly told them the two-factor authentication code to reset their iCloud password. The scammers then had full control of the user’s iCloud account and MetaMask wallet and stole all the user’s assets.

Scam Highlights Hot Wallet Security Risks

Most Twitter users have been supportive of revive_dom and other victims of this scam, but many have also emphasised the inherent risks of storing your assets on a hot wallet such as MetaMask and have suggested victims should have been using cold wallets such as Ledger and Trezor:

MetaMask is a popular software wallet in the Ethereum ecosystem. It has made news recently for adding a feature that allows iOS users to purchase crypto directly through the MetaMask mobile app using a debit or credit card, and for blocking users from some countries, such as Iran and Venezuela, from accessing their wallets.

Categories
DeFi Illegal Privacy Scams Tornado Cash

ETH Privacy Tool Tornado Cash Starts Blocking Sanctioned Addresses

Tornado Cash is apparently using Chainalysis oracles to block access from US Office of Foreign Assets Control (OFAC) addresses. The blockade only applies to the Tornado front-end, not the underlying smart contract:

As a fully decentralised protocol for private transactions of Ethereum, Tornado Cash last year announced it would be integrating with Arbitrum, the layer-2 solution that leverages optimistic rollups for Ethereum dApps.

Maintaining financial privacy is essential to preserving our freedom, [though] it should not come at the cost of non-compliance.

Tornado Cash

Tornado Cash works by “breaking the on-chain link between source and destination addresses”. Deposits go into a smart contract, where they are mixed around with others, and can then be withdrawn by a new address, making it more private.

The Chainalysis oracle is a smart contract that works on Ethereum and several other networks, including Avalanche, BNB Smart Chain, and sidechain and layer-two networks such as Polygon and Optimism. Simply put, the oracle is a piece of code that checks crypto addresses and determines whether they are subject to sanctions from the US or other governments; if so, the Tornado Cash front-end blocks the wallet.

Tornado Cash Facilitates Hackers

Earlier this month, Inverse Finance, a decentralised lending protocol built on Ethereum, lost over US$15 million in a DeFi hack. Hackers were able to take out massive loans and get away with it through Tornado Cash.

Categories
Hackers Illegal NFTs Rarible Scams

2 Million Users’ NFTs at Risk After Security Firm Identifies Flaw in Rarible

Cyber security software firm Check Point Research (CPR) has identified a vulnerability in NFT marketplace Rarible that could have seen any of its 2 million monthly users lose their NFTs in a single transaction.

Attackers Could Have Gained Full Access

CPR has previously identified exploits, among them the infamous hack of OpenSea in October 2021. According to CPR:

CPR identified a security flaw in Rarible, the NFT marketplace with over two million active users. If exploited, the vulnerability would have enabled a threat actor to steal a user’s NFTs and crypto tokens in a single transaction. CPR immediately disclosed findings to Rarible, who acknowledged the security flaw. CPR’s revelations mark the second time that their researchers discovered security flaws in an NFT marketplace. In October 2021, CPR found security issues in OpenSea, the world’s largest NFT marketplace.

Check Point Research

According to CPR, the attack would have taken place within Rarible’s marketplace itself, where users are less suspicious and more familiar with submitting transactions. It would have begun with the victim receiving a link to a malicious NFT and clicking on it.

Attack Methodology

CPR has provided outlines of the attack methodology:

  • Victims receive a link to the malicious NFT or browse the marketplace and click on it.
  • The malicious NFT executes JavaScript code and attempts to send a setApprovalForAll request to the victim.
  • The victim submits the request and grants full access to the NFTs/crypto tokens to the attacker.
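The attack chain above hinges on the victim signing a setApprovalForAll transaction, which hands an operator control over every token in a collection. The following is an added example, not Rarible’s or Check Point Research’s code, of the kind of pre-signing check a wallet or browser extension could run over raw transaction calldata: it decodes the call, rejects malformed ABI words, and flags a grant to an operator the user has not explicitly trusted. The function selector is the real ERC-721/ERC-1155 one; the operator addresses and the trusted list are constructed placeholders.

```javascript
// Added example (not Rarible's or Check Point Research's code): a wallet-side
// pre-signing check that decodes raw calldata and flags setApprovalForAll grants
// to operators outside an allowlist. Addresses below are constructed placeholders.
const SET_APPROVAL_FOR_ALL_SELECTOR = "0xa22cb465"; // first 4 bytes of keccak256("setApprovalForAll(address,bool)")

// ABI-encode setApprovalForAll(operator, approved) so sample inputs can be built offline.
function encodeSetApprovalForAll(operator, approved) {
  const addrWord = operator.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const boolWord = (approved ? "1" : "0").padStart(64, "0");
  return SET_APPROVAL_FOR_ALL_SELECTOR + addrWord + boolWord;
}

// Returns { operator, approved } for a well-formed setApprovalForAll call, otherwise null.
function decodeSetApprovalForAll(calldata) {
  const data = String(calldata).toLowerCase();
  if (!data.startsWith(SET_APPROVAL_FOR_ALL_SELECTOR)) return null;
  const args = data.slice(10); // drop "0x" and the 4-byte selector
  if (args.length !== 128) return null; // exactly two 32-byte ABI words
  const operatorWord = args.slice(0, 64);
  const approvedWord = args.slice(64);
  // An address is right-aligned in its word, so the 12 leading bytes must be zero,
  // and a bool must be 0 or 1 in the last byte. Anything else is malformed, not "approved".
  if (!/^0{24}[0-9a-f]{40}$/.test(operatorWord)) return null;
  if (!/^0{63}[01]$/.test(approvedWord)) return null;
  return { operator: "0x" + operatorWord.slice(24), approved: approvedWord.endsWith("1") };
}

// Risk verdict a wallet could display before the user confirms the transaction.
function assessApproval(calldata, trustedOperators) {
  const decoded = decodeSetApprovalForAll(calldata);
  if (!decoded) return { risk: "none", reason: "not a setApprovalForAll call" };
  if (!decoded.approved) return { risk: "none", reason: `revokes operator ${decoded.operator}` };
  const trusted = trustedOperators.map((a) => a.toLowerCase()).includes(decoded.operator);
  if (trusted) return { risk: "low", reason: `grants collection-wide access to known operator ${decoded.operator}` };
  return { risk: "high", reason: `grants collection-wide access to unknown operator ${decoded.operator}` };
}

// Constructed sample: one marketplace operator the user trusts, one unknown address.
const KNOWN_MARKETPLACE = "0x1111111111111111111111111111111111111111"; // placeholder
const UNKNOWN_OPERATOR = "0x2222222222222222222222222222222222222222"; // placeholder

console.log(assessApproval(encodeSetApprovalForAll(KNOWN_MARKETPLACE, true), [KNOWN_MARKETPLACE]));
console.log(assessApproval(encodeSetApprovalForAll(UNKNOWN_OPERATOR, true), [KNOWN_MARKETPLACE]));
```

The check deliberately treats a malformed encoding as “not an approval” rather than guessing, and it only looks at the calldata, so it catches the grant whatever page or script produced the request; an allowlist keyed on operator address is what distinguishes a legitimate marketplace contract from an attacker-controlled one.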

CPR immediately disclosed the findings to Rarible, which has since acknowledged the security flaw and taken action against the attack.

NFT Thefts Rampant

Earlier this year, Crypto News Australia reported a flaw at multibillion-dollar GameFi company Illuvium that led it to drain its own liquidity pools. Had it not done so, the flaw could have cost billions of dollars.

Categories
DeFi Hackers Illegal Scams Stablecoins

Beanstalk Stablecoin Loses $182 Million in Flash Loan Exploit

An attacker has drained US$182 million from Beanstalk stablecoin protocol in a flash loan attack, the second nine-figure DeFi exploit in just a month. Beanstalk joins a growing list of Ethereum DeFi protocols to suffer multimillion-dollar breaches:

The attack on Beanstalk, a credit-based stablecoin built on Ethereum, mirrors an incident last year in which PancakeBunny’s DeFi protocol suffered a US$45 million loss. In the Beanstalk case, an attacker used a flash loan exploit to drain the protocol’s funds, and Etherscan data shows Aave’s flash loan feature was leveraged to withdraw liquidity from the protocol. The hacker then used Uniswap to trade DAI, USDC and USDT for Ethereum.

The market for Beanstalk’s BEAN stablecoin collapsed as a result of the attack and the token was down 86 percent at the time of writing.

Native Tokens Used to Drain Funds

Beanstalk has since reported that the flash loan on Aave enabled the attacker to amass a large amount of Beanstalk’s native governance token, Stalk. Through the voting powers granted by the tokens, the attacker was then able to pass a malicious governance proposal that drained all protocol funds into a private Ethereum wallet:

Some Stolen Funds Diverted to a Ukrainian Relief Wallet

Beanstalk’s smart contracts were audited, but the audit was completed before the introduction of the flash loan vulnerability. No information has yet been forthcoming on whether funds will be reimbursed to users. According to PeckShield, the attacker appears to have donated US$250,000 of the stolen funds to a Ukrainian relief wallet.
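The governance step described under “Native Tokens Used to Drain Funds” (borrow voting tokens, pass a proposal, execute it, repay the loan, all inside one block) only works if votes are weighed by the voter’s balance at the moment of voting and execution is immediate. The following is an added, constructed model and not Beanstalk’s contracts: a toy governance module that can weigh votes either by current balance or by a snapshot of the balance at the block before the proposal was created, with an optional execution delay. Its `simulateFlashLoanGovernance` function, the quorum figure and all balances are assumptions made for the illustration.

```javascript
// Added illustration (constructed model, not Beanstalk's code): compares a
// governance design that weighs votes by current balance against one that
// weighs them by a snapshot taken before the proposal existed.
class ToyGovernance {
  constructor({ snapshotVotes, executionDelayBlocks, quorum }) {
    this.snapshotVotes = snapshotVotes;            // weigh votes at proposal.snapshotBlock instead of "now"
    this.executionDelayBlocks = executionDelayBlocks; // blocks that must pass before a proposal can execute
    this.quorum = quorum;
    this.checkpoints = new Map(); // address -> [{ block, balance }] in ascending block order
    this.proposals = [];
  }

  // Record a balance change at a block (a simplified token transfer hook).
  setBalance(addr, block, balance) {
    const list = this.checkpoints.get(addr) || [];
    list.push({ block, balance });
    this.checkpoints.set(addr, list);
  }

  // Balance as of the end of `block`: the last checkpoint at or before it.
  balanceAt(addr, block) {
    let result = 0;
    for (const cp of this.checkpoints.get(addr) || []) if (cp.block <= block) result = cp.balance;
    return result;
  }

  propose(block) {
    this.proposals.push({ createdBlock: block, snapshotBlock: block - 1, votes: 0, executed: false });
    return this.proposals.length - 1;
  }

  vote(id, voter, block) {
    const p = this.proposals[id];
    const weight = this.snapshotVotes ? this.balanceAt(voter, p.snapshotBlock) : this.balanceAt(voter, block);
    p.votes += weight;
  }

  // Returns true if the proposal executed, false if it is still delayed or lacks quorum.
  execute(id, block) {
    const p = this.proposals[id];
    if (p.executed) return true;
    if (block < p.createdBlock + this.executionDelayBlocks) return false;
    if (p.votes < this.quorum) return false;
    p.executed = true;
    return true;
  }
}

// Scenario (constructed numbers): honest holders own 1,000 tokens in total; the
// attacker borrows 10,000 in a flash loan at block 100, proposes, votes and tries
// to execute in that block, then repays. If a delay blocks same-block execution,
// the attacker retries once it has elapsed, long after the loan was repaid.
function simulateFlashLoanGovernance(config) {
  const gov = new ToyGovernance({ quorum: 5000, ...config });
  gov.setBalance("holderA", 1, 600);
  gov.setBalance("holderB", 1, 400);
  const attacker = "attacker";
  const loanBlock = 100;
  gov.setBalance(attacker, loanBlock, 10000); // flash loan received
  const id = gov.propose(loanBlock);
  gov.vote(id, attacker, loanBlock);
  let executed = gov.execute(id, loanBlock);
  gov.setBalance(attacker, loanBlock, 0);     // flash loan repaid within the same block
  if (!executed) executed = gov.execute(id, loanBlock + config.executionDelayBlocks);
  return executed;
}

console.log("current-balance votes, no delay:", simulateFlashLoanGovernance({ snapshotVotes: false, executionDelayBlocks: 0 }));
console.log("snapshot votes, no delay:       ", simulateFlashLoanGovernance({ snapshotVotes: true, executionDelayBlocks: 0 }));
console.log("current-balance votes, delay 10:", simulateFlashLoanGovernance({ snapshotVotes: false, executionDelayBlocks: 10 }));
```

The third run is the instructive one: a delay alone stops same-block execution, but because the borrowed weight was already recorded when the vote was cast, the proposal still passes after the delay. The snapshot is what removes flash-loaned tokens from the count, since a loan taken and repaid in one block never shows up at the snapshot block; the delay then adds time for token holders to notice and respond.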

Categories
Coinbase Crypto News Ethereum Scams Tokens

Suspicions Raised as ETH Trader Buys $400,000 in Tokens Before Coinbase Listing

An Ethereum trader bought US$400,000 worth of tokens before they were listed on Coinbase, raising suspicions of possible insider trading.

The ETH address, flagged by renowned crypto trader Cobie, was able to buy tokens due to be listed on Coinbase 24 hours before the Coinbase listing announcement. The wallet was created on April 11 and the tokens were transferred to different exchanges:

It seems the trader focused on six tokens – NDX, KROM, RADAR, RAC, DFX, and PAPER – which were under consideration for listing on the exchange, suggesting (s)he had prior knowledge before the list was made public.

After the list was published, the tokens increased dramatically in price, as usually happens with tokens listed on Coinbase. The address now has a balance of more than US$500,000, a return of over 40 percent in less than 24 hours.

Coinbase is yet to respond to any of the insider trading accusations.

Not the First Frontrunning Scandal on Coinbase

This is not the first time that Coinbase has been accused of frontrunning. In February, a trader created a fresh wallet and bought millions worth of $UPI and $AVT before Coinbase announced the listing:

Sometimes you have to take these events with a grain of humour, and that’s exactly what the crypto community has done:

Frontrunning is not uncommon in crypto companies. We’ve heard before of unethical employees buying digital assets shortly after being listed. Such was the case with Nate Chastain, a former employee at NFT marketplace OpenSea who got caught snapping some NFTs for himself in September last year:

In response to OpenSea’s centralised model and NFT frontrunning, renowned DeFi developer Andre Cronje created Artion, a decentralised and open-source marketplace built on Fantom Network.