Category: Scams

Categories
Bored Ape Yacht Club Hackers Illegal NFTs Scams Tokens

$APE Drops 20% Following Bored Ape Yacht Club Discord Hack

ApeCoin has dropped 8 percent after the Bored Ape Yacht Club (BAYC) Discord servers suffered a phishing scam. The governance token behind the world’s largest NFT collection has plunged after news of the phishing attack was confirmed.

APE Witnesses Massive Fluctuations

APE fell from roughly US$14 on March 31 and at some point reached US$12.8, according to CoinMarketCap. The tokens were airdropped to Bored Ape and Mutant Ape NFT holders on March 16 and will serve as the governance token for the project’s newly launched decentralised autonomous organisation (DAO). APE will allow its holders to vote on the project’s roadmap and upcoming proposals.

Since the token launched, the price action has been rather volatile with APE going as high as US$39.4, before settling at a range between US$14 and $16.  

An unknown hacker gained access to the official Discord meant to host members of BAYC, Mutant Ape Yacht Club, and Mutant Ape Kennel Club, three NFTs from Yuga Labs. The attackers posted a phishing link in the Mutant Ape Kennel channel disguised as a “stealth NFT mint”, which was used to steal Mutant Ape Yacht Club #8662 from one user:

No ‘April Fools Stealth Mints’

The team at BAYC indicated in a tweet that it had “caught” the issue immediately but cautioned users not to mint any NFT using a link posted on its Discord, and indicated to users that it had no April Fools stealth mints. According to several reports, clicking on the link would result in losing the respective holders’ NFTs. It has been reported that the hacker may have carried out the attacker via Ticket Tool, a popular Discord bot that automatically generates support tickets:

Twitter users have also warned of a similar exploit on the Discord server of Doodles, another NFT collection, but at the time of writing this had not yet been confirmed:

Categories
Crypto News DeFi Hackers Scams

DeFi Lender ‘Inverse Finance’ Exploited for $15.6 Million

Inverse Finance, a decentralised lending protocol built on Ethereum, has lost over US$15 million in the latest multimillion-dollar DeFi hack of the year. Hackers were able to lean on an exploit and take out massive loans and get away through Tornado Cash.

As spotted by blockchain analytics firm PeckShield, the lending protocol had 4300 ETH stolen:

The hackers targeted Inverse’s Anchor (ANC) money market by artificially manipulating token prices to borrow loans against extremely low collateral:

The hackers were funded with 901 ETH (US$3 million) from Tornado Cash in order to pull off the exploit. By tricking the price oracle into thinking the native INV token was at a much higher price, massive loans were then taken out on Anchor using INV as collateral.

List of stolen crypto. Source: EtherScan

This was done by injecting the funds into several trading pairs on SushiSwap, inflating the price of INV. A representative from PeckShield told CoinDesk that “the attack was high-risk, since the $3 million worth of crypto used to trick the price oracle would have been completely lost if the price of INV [had fallen] back to normal levels before the attacker took out the loans”.

Inverse’s Plan of Action

Inverse has since paused all borrowing and stated in a thread that a plan would be sent to governance to “ensure all wallets impacted by the price manipulation are repaid 100 percent”, adding that it would not mint new INV to repay affected users, which might affect its already falling price.

A bounty has been made available to the hacker but no further updates have been issued. To minimise the risk of future problems like this one, a representative for the protocol added that it is working with Chainlink to build a new INV oracle.

This event only adds to the list of DeFi hacks to have occurred this year. In March, Deus Finance was exploited for US$3 million in a flash loan attack, while in February QiDao also suffered a multimillion-dollar exploit.

Categories
Bored Ape Yacht Club NFTs Scams

35 NFTs Stolen in Twitter Phishing Attacks Last Week

A Mutant Ape and a Bored Ape were among 35 NFTs stolen last week via a handful of hacked verified Twitter accounts. The combined value of the phishing attack is assumed to exceed US$900,000.

The phishing incident disguised itself off the back of a Bored Ape Yacht Club (BAYC) airdrop that happened earlier this month. BAYC had airdropped ApeCoins to Mutant Ape and Bored Ape holders, which allowed for a copycat attack by scammers who hacked verified Twitter accounts and spread fake URLs impersonating a BAYC link:

Victims of the link who were prepared to pay 0.33 ETH to take part instead encountered code that allowed the hackers access to their wallets. Some victims claimed that, although the links appeared strange, they would nonetheless be safe as they were shared by trusted public figures.

Twitter is yet to comment on the incident, despite many users feeling the social media giant is partly to blame.

Other Recent Phishing Attacks

This isn’t the first large-scale phishing attack this year. Earlier in March, US$790,000 worth of Rare Bears were stolen. The phishing scam behind the NFT theft utilised the weakened security of Discord groups to share around a ‘corrupt’ link.

More recently, a crypto venture capitalist lost US$1.7 million worth of NFTs. Arthur Cheong, the founder of Web3 and DeFi venture capital firm Defiance Capital, had his hot wallet account hacked and 59 NFTs taken.

Categories
Crime Crypto Wallets Hackers Scams

Cybersecurity Uncovers 13 Malicious Wallets that Could Steal Your Crypto

A criminal plot to steal users’ digital assets via apps impersonating popular cryptocurrency wallets has been uncovered in new research by global cybersecurity firm ESET.

ESET believes it’s likely that a single criminal group is behind the coordinated scheme to steal users’ crypto funds – via more than 40 copycat websites of popular crypto wallets used to promote downloads of malicious apps.

While the malicious apps were not available on Apple’s App Store (instead requiring download and installation using a configuration profile), 13 apps impersonating the Jaxx Liberty wallet were found on the Google Play store and have subsequently been removed by Google.

Counterfeit Wallets Target Chinese Users

Primarily targeting Chinese users, across both Android and iOS devices, the malicious apps closely mimicked the appearance and functionality of legitimate wallets including MetaMask, Coinbase and Trust Wallet.  

ESET researcher Lukáš Štefanko said the malicious code used in the Trojan wallets enables users’ funds to be stolen and opened users to other risks:

These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection. This means that victims’ funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network.

Lukáš Štefanko, ESET researcher

Beware Before You Download

ESET found the Trojan apps and fake websites were sophisticated, and also promoted using ads on legitimate sites and via groups on Telegram and Facebook.

The firm said the source code of the threat it uncovered has now been leaked online, which could encourage and enable other criminals to spread the threat even further. 

In light of the findings, Keystone Wallet tweeted a warning to its users to be wary of what they download:

Fake wallet scams are a key risk for crypto investors. Last year it was revealed that over US$500,000 had been lost due to Google Ads directing users to fake wallets, while Apple was served a US$5 million lawsuit over a phishing app disguised as a wallet that was available in the tech giant’s App Store.

Categories
Crypto News DeFi Hackers NFTs Scams

Suspicions Raised as $350,000 Bored Ape NFT Sells for Just $115

The owner of a Bored Ape NFT worth US$350,000 sold it for only 115 DAI (US$115) in what appears to be either a costly mistake or some kind of hack of the owner’s OpenSea account.

We’re accustomed to seeing NFTs – especially those from the Bored Ape Yacht Club (BAYC) – being sold for hundreds of thousands or even millions of dollars. Mistakes abound in this space, however. Three months ago, the owner of a Bored Ape mistakenly sold his NFT for US$3,000 instead of its market value price of $300,000.

In this latest case, however, bells started ringing in the NFT community as it’s unusual to see an owner of a valuable Bored Ape accepting such a low offer.

Second Undervalued Transaction, Same Buyer, Same Day

The owner of Bored Ape #835, who goes by the moniker “cchan“, accepted a bid of only 115 DAI – an Ethereum-based stablecoin – for his NFT. But what’s striking is that cchan also sold his Mutant Ape (from the Mutant Ape Yacht Club) #11670 for 25 DAI to the same buyer on the same day.

Bored Ape #835 is now owned by a user with the handle “6315EF”.

Currency Confusion or Tax Dodge?

People on crypto Twitter started conjecturing possible explanations for this event, such as cchan confusing ETH with DAI. Another possibility is tax-loss harvesting, which is selling certain assets at a loss to offset capital gains made via the sale of other assets or stocks, thus minimising the amount of taxes owing.

However, one user on Twitter said cchan was not aware of the situation, which suggests he had his account hacked:

This is quite a significant loss for cchan, having acquired his Bored Ape #835 in August last year for 15 ETH (US$51,000 today).

The NFT space is chock-full of horror stories like this. As Crypto News Australia reported a week ago, a trader with the online handle Dino Dealer sold his US$1.2 million clipart rock for less than a cent after erroneously listing the NFT for 444 wei, the smallest denomination of ETH, instead of 444 ETH.

Categories
Glitch Scams Solana

Cashio Token Plummets to Zero Amid $28 Million ‘Infinite Mint Glitch’

Cashio, a Solana-based algorithmic stablecoin project, has been exploited for US$52.8 million in an “infinite mint glitch”. Following the attack, the project’s total locked value (TVL) dropped from over US$28 million to US$579,701, and the project’s stablecoin CASH took a nosedive from US$1 to zero.

Cashio developer oxGhostChain took to Twitter to warn people “not to mint any CASH” and added that the team “are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP”:

$28m Loss Just the Beginning

The attack was initially believed to have only siphoned off US$28 million from Cashio’s protocol, but after investigations the results were bleak, as was the reaction on Twitter:

CASH price drop following the attack. Source: DeFi Llama

Ongoing Tale of Woe for Solana

Anyone can mint tokens on the platform by depositing liquidity tokens for the two stablecoins USDC and USDT from the Saber platform. Thereafter, users can redeem the stablecoin for the underlying liquidity tokens.

Solana seems to be experiencing ever more difficulties. Along with this latest exploit, the Solana network was down temporarily in January after experiencing a DDoS attack.

Categories
DeFi Illegal NFTs Scams Tokens

Crypto Venture Capitalist Loses $1.7 Million in NFT Hot Wallet Phishing Attack

Arthur Cheong, founder of DeFi and Web3-focused crypto venture capitalist firm Defiance Capital, tweeted this week that a hacker had stolen over US$1.7 million worth of NFTs from his crypto wallet.

Pieces stolen include five CloneXs, 17 Azukis, 33 Second Selfs, two Hedgies and two Tsubasa NFTs, according to security firm PeckShield. A total of 59 NFTs were stolen.

Cheong said the unknown hacker compromised his device using a technique known as ‘spear phishing’:

Earlier this month, an unknown hacker began draining NFTs from an Ethereum wallet owned by Cheong, which he later confirmed on Twitter. The hacker then proceeded to sell the stolen NFTs on OpenSea and also transferred other tokens such as wETH, Lido DAO, LooksRare and DYDX to their wallet.

As it stands, the perpetrator’s wallet currently contains about 585 ETH, or around US$1.7 million, that can all be traced back to Cheong’s wallet. This figure may increase as the hacker appears to be still moving funds out of Cheong’s account:

Spear Phishing Email Likely Suspect

Cheong said the hacker used what is called a ‘spear phishing’ email to deploy malware on his device, which then proceeded to extract the seed phrase to his crypto wallet:

Phishing Attacks on the Rise

This is sadly not a unique incident, with the incidence of phishing scams rising dramatically this year. In January, OpenSea lost US$3 million in stolen NFTs. In a similar fashion, US$790,000 worth of Rare Bear NFTs were stolen in a brazen phishing attack just last week.

Categories
Crypto News Scams Tokens

New York State Attorney Convicts ‘Saint Clair’ for Promoting ‘IGObit’ Crypto Scam

In the world of cryptocurrency, we’ve come to expect a fair degree of chicanery, ranging from modernised romance scams to blatant social media celebrity pump-n-dump schemes. The ‘IGObit’ scam, however, stands alone for sheer creativity and audaciousness.

IGObit promotional material. Source: Innercitypress

‘Guaranteed Returns’

According to a US Department of Justice report, the president of a fictitious United Nations (UN) affiliate has been convicted of defrauding investors in a cryptocurrency public offering.

After a week-long trial, Asa Saint Clair, a resident of Washington, DC, was convicted of wire fraud for devising an investment scheme that scammed more than 60 victims into providing loans to a fictitious organisation known as the “World Sports Alliance”.

Saint Clair claimed he was an affiliate of the UN and sought to “promote the values of sport” through its digital coin, IGObit, which provided a “guaranteed return on investment”.

The scheme was said to run from late 2017 until September 2019, after which Saint Clair’s yarns starting unravelling. It then became obvious that “World Sports Alliance” had absolutely no affiliation with the UN, despite him posing with the former UN secretary general, Khofi Annan.

Asa Saint Clair (left) with former UN secretary general Khofi Annan. Source: Presswire

According to the Attorney for the Southern District of New York, Saint Clair was “in reality promoting only the balance of his bank accounts”. It turns that Saint Clair managed to defraud more than 60 victims of “hundreds of thousands of dollars”. Wire fraud carries a maximum sentence of 20 years in prison and the sentencing hearing is scheduled for July 19.

At face value, one might be tempted to suggest that prospective investors were naïve for failing to conduct a basic due diligence. However, it seems as if Saint Clair was quite the promoter, given that his press release is still available online:

Screenshot of WSA press release. Source: PR Newswire

Lessons Learnt

Before investing in any cryptocurrency project, it may be prudent for any prospective investor to consider the following:

  • Who is behind it?
  • Is the person or group credible?
  • Can you verify any associations with credible third parties?
  • Does it promise “guaranteed returns”?
  • Do you have to “act now to avoid missing out”?

Remember that in the world of crypto, it is wise not to be blinded by buzzwords and, of course, it is vital to DYOR (do your own research) to avoid getting REKT (no need to explain that one).

Categories
Australia Crime Cryptocurrency Law Facebook Scams Social media

Australian Consumer Watchdog Sues Meta Over Crypto Scam Ads

The Australian Competition and Consumer Commission (ACCC) has announced it will be suing Meta over the company’s failure to block crypto scam advertisements involving Australian public figures that are in breach of Australian consumer law.

person holding silver iphone 6 https://unsplash.com/photos/iurEAyYyU_c
ACCC takes action against Meta, the owner of Facebook and Instagram. Source: ABC

False Endorsements of Crypto Investments

Dick Smith, David Koch and Andrew Forrest are some of the prominent Australian personalities unwittingly involved in a series of crypto scam ads circulating on Facebook. The ads claim that the featured celebrities have hugely benefited from cryptocurrency investments, then direct users to scam websites on the strength of these false endorsements.

The consumer watchdog believes that Meta is not doing enough to prevent the circulation of these ads on both Facebook and Instagram. The personalities in the ads have not given any permission for their names and faces to be used in the money-making schemes, and users who have engaged with this material have reportedly been the victims of intense pressure tactics, including phone calls asking for funds.

Rod Sims, the ACCC’s chair, outlined his disappointment with Meta’s lack of action and solutions in a March 18 media release:

https://www.accc.gov.au/media/image-library

Meta should have been doing more to detect and then remove false or misleading ads on Facebook, to prevent consumers from falling victim to ruthless scammers.

ACCC chair Rod Sims

Sims stated that in one circumstance an individual consumer lost A$650,000 to one of these scams. The ACCC will be seeking injunctions, penalties, declarations, costs, and other orders from Meta to ensure the practice does not continue.

Australia Cracks Down on Crypto Scams

News of the ACCC’s legal action against Meta follows an investigation into how Australians lost over A$70 million in 2021 through investment scams alone.

Scamwatch reported in July last year that investment scams involving cryptocurrency and other digital assets were on the rise. Other prominent fraud-related practices have included romance scams, personal identity theft and illegal crypto mining.

Categories
Algorand DeFi Ethereum Hackers Illegal Polygon Scams

Fantasm Finance DeFi Project Exploited for $2.6 Million

This week’s attack on Fantom Network-based synthetic asset protocol Fantasm Finance saw the loss of US$2.6 million worth of Ethereum. The stolen funds were run through the Tornado cash mixing service and totalled 1,007 ETH.

According to the protocol’s Medium page, the team will conduct a postmortem and consider all compensation options for victims.

Another Day, Another DeFi Hack

The address of the attacker shows the extent of the theft, with 1.8 million FTM remaining in the pool for redemption:

Since the March 9 exploit, the attacker has been using Tornado cash to mask transactions. Tornado Cash is a service that breaks the link between source and destination addresses, thereby obscuring the transaction history.

Attacks on DeFi Remain Rife

The crypto space and DeFi, in particular, have been under attack by hackers seeking to exploit protocols. The reason for the frequency with which new projects launch without undergoing a security audit makes them very vulnerable to attackers. In January, Algorand-based DeFi platform ‘Tinyman’ was exploited for US$3 million. The team at Algorand quickly tweeted it it had been compromised and pulled the remaining liquidity from the project.

The most recent DeFi attack prior to Fantasm targeted Polygon DeFi protocol QiDao’s Superfluid vesting contract, draining US$13 million. User funds on QiDao however remained safe, as the exploit was “solely on Superfluid”, according to the Polygon-based DeFi protocol.