Share

Crypto Hacks 2023: Full List of Scams and Exploits as Millions Go Missing

By The Bitcoin Community Newsletter October 31, 2023
Crypto Hacks 2023: Full List of Scams and Exploits as Millions Go Missing

“Read more related articles, follow on the anti-censorship long content platform yakihonne.com.

KEY TAKEAWAYS

  • Vulnerabilities and user errors expose wallets and contracts to exploits. It is important to protect measures by updating security measures, carrying out regular auditing, and having secure solutions.
  • Exchanges and DeFi platforms hold vast assets, making them prime hacking targets. Users should choose wisely who they operate with, choosing well-reputed platforms and investing diligently.
  • Scammers often impersonate legitimate social media accounts. It is important not fall victim to phishing attacks that may arise from scammy giveaways
  • Poor cybersecurity can lead to loss and breaches. Users should maintain strong passwords, employ reputable security software, and remain vigilant.

Hacks Targeting Decentralized Finance (DeFi)

The significance of ongoing vigilance is highlighted by attacks on platforms including Euler Finance, Angle Protocol, Platypus Finance, Safemoon, LendHub, and Balancer. To respond quickly, locate stolen assets, and prosecute offenders, platforms, security professionals, and law enforcement must work together. In the constantly changing crypto market, creating a safer workplace requires education, regular audits, and open communication.

To reduce risks, cryptocurrency platforms and users must place a high priority on security mechanisms, frequent audits, and the implementation of best practices. Education on social engineering, phishing, and other types of scams is essential, stressing the significance of confirming legitimacy prior to taking any action, particularly when it involves sending money or exchanging personal data.

This article will explain DeFi hacks that have happened in the past, how they occurred, the amount of funds lost, and how to mitigate against risk.

1. Euler Finance ($197 Million)

Background

On March 13, 2023, Euler Finance, a permissionless borrowing and lending protocol built on the Ethereum blockchain, fell victim to a substantial flash loan attack, which marked one of the largest in the DeFi sector. Euler Finance had a significant loss, amounting to nearly $200 million.

How Euler Finance Hack Happened

The attack was specifically enabled by a liquidity issue in the DonateToReserve function of Euler Finance’s eToken. The function was properly burning eTokens but not corresponding dTokens, causing incorrect conversion between borrowed and collateralized assets. This inconsistency was exploited by the hacker to project a false impression of the platform having fewer deposited eTokens and fake debt, as the dTokens were not being burned.

The hacker received initial funding from Tornado Cash for gas fees and to create the exploit contracts, then borrowed around $30 million in DAI from Aave via a flash loan. The hacker deposited $20 million of the borrowed DAI into Euler’s platform and exploited Euler’s borrowing capabilities to borrow 10 times the original amount deposited.

The remaining $10 million in DAI from the original loan was used to repay part of the acquired debt and borrow again until the flash loan was closed. The funds acquired were primarily in USDC, wrapped Bitcoin (wBTC), staked Ether (stETH), and DAI.

Funds Lost

Euler Finance incurred a loss of approximately $197 million worth of cryptocurrency, with its native token, EUL, experiencing a sharp decline of more than 45%.

Recovery Of Funds

Several weeks post the flash loan attack, the attacker, identifying as Jacob, returned the stolen funds via a series of encrypted messages and transactions, totaling 54,000 ETH and $10 million in DAI, marking one of the most substantial recoveries in the DeFi sector. Euler Finance subsequently acknowledged the receipt of the funds and concluded its community investigation, developing a plan to restore user assets.

How To Mitigate Against Risk

To mitigate the risks of such flash loan attacks, it is recommended to introduce circuit breakers that can temporarily halt protocols when detecting unusually large price movements or outflows, potentially stopping hacks in the early stages. Continuous monitoring of the DeFi platform vulnerabilities and ensuring accurate and consistent functions in the protocol’s mechanisms are also critical in preventing such exploits.

Final Resolution

By April 6, 2023, the issue saw a resolution with the complete return of the stolen funds by the hacker. Euler Finance declared the completion of the community investigation and is in the process of developing a plan to restore the assets to the users.

The possibility of North Korean hacking syndicate Lazarus Group’s involvement remains inconclusive, and any relationship between the Euler Finance hack and the Axie Infinity Ronin Bridge hack needs further investigation. The return of the funds and the ongoing developments to secure DeFi platforms symbolize a crucial step in the evolution and resilience of DeFi protocols.

2. Angle Protocol ($17.6 Million)

Background

Angle Protocol, a pivotal entity in the DeFi ecosystem, known for its agEUR stablecoin and various yield strategies, was indirectly affected by a hack on the Euler Protocol on March 13th, 2023. Angle Protocol has substantial holdings in Euler as part of its investment strategy to maximize yields on its USDC and DAI reserves. The hack didn’t directly breach Angle Protocol, but the interdependencies within the system led to significant collateral impacts, provoking discussions about the resilience, security, and risk management of Angle Protocol and similar platforms.

How Angle Protocol Hack Happened

The breach of Euler Protocol occurred at 9:56 am CET on March 13th, 2023. Angle Labs detected the irregularities by 10:20 am CET and promptly initiated emergency protocols to mitigate repercussions on Angle Protocol, including pausing functionalities and initiating withdrawal transactions from various platforms.

Funds Loss

The incident led to indirect losses for Angle Protocol due to its 17.6 million USDC investment in Euler, affecting its Total Value Locked (TVL) and necessitating emergency maneuvers to prevent extensive losses.

Recovery Of Funds

The stolen funds started being repaid to the Euler DAO on March 25th, 2023, and by April 4th, 2023, all funds had been returned. Discussions for redistributing the recovered funds to affected users are ongoing, with Angle Protocol expecting adequate restitution.

How To Mitigate Against Risk

The incident underscored the necessity for enhanced risk management strategies, including diversification of investments, improved transparency, enhanced emergency response protocols, and prepared payloads for immediate actions in emergencies.

Final Resolution

While Angle Protocol remained secure, the indirect impacts from the Euler breach have fostered insights and discussions on improving protocol resilience and risk management. The return and ongoing redistribution of the stolen funds mark steps towards resolving the impacts of the incident, with focus shifting towards building a more resilient and transparent system in the DeFi ecosystem.

3. Platypus Finance ($9.2 Million)

Background

Platypus finance, a DeFi protocol focusing on stablecoins and operating on the Avalanche network, experienced a significant security exploit, revealed in a blog post on February 23, 2023. It also suffered a third attack on October 12, 2023. This incident is another instance highlighting the persistent issues of security breaches in the crypto sector.

How It Happened

The protocol was exploited due to a vulnerability in its solvency check mechanism, resulting in three consecutive attacks. The attackers exploited this bug to drain $9.2 million in digital assets from the protocol, causing its native stablecoin, USP, to lose its dollar peg. The first attack was the most detrimental, draining $8.5 million in various stablecoins from the protocol’s main pool. The second attack inadvertently transferred $380,000 of stablecoins to another lending protocol, Aave. The third attack resulted in a loss of $287,000 worth of assets.

Platypus Finance suffered a third attack on October 12, 2023, which resulted in losses exceeding $2 million for the company, impacting both wrapped AVAX and liquid staked AVAX holdings.

Funds Lost

The cumulative loss from this security breach amounted to $9.2 million, consisting of a variety of stablecoins such as USDC, USDT, DAI, and Binance USD. These funds were extracted from the protocol’s main pool through a series of attacks exploiting the platform’s vulnerabilities.

Recovery Of funds

Post-exploit, Platypus finance managed to recover $2.4 million of the stolen USDC stablecoins with assistance from blockchain security firm BlockSec. Moreover, Tether intervened to freeze $1.5 million of the stolen USDT. Platypus Finance is also in the process of negotiating the release of $380,000 inadvertently transferred to Aave. However, the $287,000 stolen in the third attack is considered unrecoverable as the exploiter utilized crypto mixer Tornado Cash and encryption service Aztec Network to obscure the trail of the stolen assets.

How To Mitigate Against Risk

The series of attacks on Platypus finance underscores the importance of robust security protocols and regular audits to identify and rectify vulnerabilities in DeFi platforms. Users are advised to exercise caution and due diligence when interacting with DeFi protocols and should stay informed about the security measures employed by these platforms to safeguard their assets.

Final Resolution

Platypus finance has committed to repaying at least 63% of the user funds and is working towards potentially compensating a larger percentage if more assets are recovered. The protocol is liaising with Binance to confirm the exploiter’s identity and has filed a complaint with law enforcement in France.

The protocol is also deliberating on using its $1.4 million treasury to compensate the victims if additional recoveries are not possible. It is projected that if negotiations with Tether and Aave are successful, up to 78% of user funds could be recovered. Platypus finance plans to restart its stablecoin swap protocol in the subsequent week, excluding its depegged stablecoin, USP.

4. Safemoon ($9 Million)

Background

Safemoon, a DeFi protocol, experienced a significant security exploit last month. A hacker manipulated a flaw in the smart contracts of Safemoon and drained its liquidity pool, stealing nearly $9 million worth of SFM tokens. The exploit and the subsequent deal with the hacker became public around April 18, 2023.

How Safemoon Hack Happened

The attacker exploited a vulnerability in the smart contracts of Safemoon to drain its liquidity pool. The specific details of the flaw and the mechanics of the exploit are not provided, but it resulted in a substantial loss of SFM tokens, impacting the protocol and its users significantly.

Funds Lost

Approximately $9 million worth of SFM tokens were stolen from Safemoon’s liquidity pool during the exploit. The exact amount of lost funds was determined through on-chain data, revealing the depth of the financial impact on the protocol.

Recovery Of Funds

In a somewhat unconventional resolution, the exploiter agreed to return 80% of the stolen funds, valued at $7.1 million. This agreement was reached between the Safemoon developers and the hacker, with on-chain transactions confirming the return of the stolen assets. The transactions and the details of the agreement are visible on the Binance Smart Chain block explorer.

How To Mitigate Against Risk

The instance, once again, underscores the importance of rigorous smart contract auditing and robust security protocols to identify and rectify vulnerabilities before they can be exploited. Developers and users should remain vigilant about the security of DeFi protocols and the integrity of smart contracts to mitigate the risk of exploits and losses. Regular audits, security assessments, and community vigilance are crucial in identifying potential vulnerabilities and ensuring the security of assets within the DeFi space.

Final Resolution

The final resolution in this case is rather unusual. The hacker struck a deal with Safemoon developers to return $7.1 million of the stolen funds while retaining 20% as a bug bounty. Additionally, the Safemoon developers confirmed that no charges would be filed against the hacker, suggesting an amicable resolution that prioritizes the recovery of lost assets over punitive actions. Safemoon’s SFM token has witnessed a 2.8% rise in value over the past 24 hours since the resolution, indicating a positive market response to the development.

5. LendHub ($6 Million)

Background

LendHub, a cross-chain DeFi lending platform, experienced a significant security breach in January 2023, where an attacker exploited the platform’s protocol to unlawfully gain approximately $6 million.

How LendHub Breach Happened

The incident was facilitated by a failure to accurately remove a deprecated token from the market during an update. LendHub introduced a new version of the IBSV token with its own Comptroller contracts but did not eliminate the old token. Consequently, both tokens remained active in the market at the same price.

This redundancy allowed the attacker to manipulate the mint and redeem functionality in the old market and secure loans in the new one, creating discrepancies in liability calculations between the two markets and enabling the extraction of around $6 million in value from the new token.

Funds Lost

The hacker managed to siphon approximately $6 million by exploiting discrepancies between the old and new token contracts.

Recovery Of Funds

This information is uncertain and more information is required.

How To Mitigate Against Risk

The incident underscores the imperative of having robust and comprehensive processes in place for updating smart contracts on blockchain platforms. It highlights the potential ramifications of having competing versions of the same token available on the market due to inaccuracies or oversights during updates.

Final Resolution

The lesson from this attack emphasizes the importance of meticulous procedures for updating and removing deprecated tokens and contracts to prevent such vulnerabilities and exploits. The information provided does not state whether there were any repercussions for the attacker or what actions LendHub took post-incident to rectify the situation and enhance security.

6. Balancer ($238K)

Background

Balancer, a DeFi protocol operating on the Ethereum blockchain, experienced a security compromise on its website, with the initial warnings to the users issued on September 19, 2023. This is the second time Balancer has come under attack in less than a month, with a prior warning about a critical vulnerability being issued on August 22, which subsequently led to an estimated $2 million exploit just days later.

How Balancer Hack Happened

The details of the attack are still under investigation. However, reports suggest that users interacting with Balancer’s user interface were prompted to approve a malicious contract, which, once approved, drained the users’ wallets. It appears that when users opened the website, they were asked to change the blockchain network (chain) where they held the most amount of money, leading to a scam transaction that, once confirmed, resulted in the loss of funds.

Funds Lost

While Balancer has not officially confirmed any loss of user funds, and a contributor assured that Balancer’s vault remains secure, blockchain security firms, including PeckShield and blockchain analyst ZachXBT, have estimated that at least (238,000 in crypto had been stolen at the time of the reporting.

Recovery Of funds

Currently, there is no information provided regarding the recovery of funds. Balancer has advised users not to interact with its user interface until further notice and is likely undertaking measures to investigate and rectify the situation.

How To Mitigate Against Risk

Users are cautioned to be extremely vigilant when interacting with DeFi platforms, particularly when being prompted to approve contracts or change blockchain networks. It is crucial to verify the authenticity of such requests through official communications from the platforms and to refrain from interacting with platforms that are under investigation or have issued warnings about potential compromises.

Final Resolution

The final resolution is pending as the details of the attack are still under investigation. Balancer has warned its user community to avoid interacting with its website until it is safe to do so. In the interim, to prevent further exploits related to the previously identified vulnerability, users were advised to withdraw from the affected liquidity pools.

7. Philippines-based crypto exchange Coins.ph () 6 million)

Background

On October 17, 2023, Philippines-based crypto exchange Coins.ph fell victim to an exploit.

How The Coins.ph Hack Happened

The hacker swiftly exchanged 999,999.999 XRP lots 13 times within half an hour, accompanied by an additional lot of 200,000 XRP, as per the blockchain explorer XRP scan. Interestingly, one transaction failed to be processed. With a haul of nearly 12.2 million XRP, the hacker transferred the assets through various platforms, including OKX, WhiteBIT, OrbitBridge, SimpleSwap, ChangeNOW, Fixed Float, and other destinations.

Funds Lost

The hack resulted in the loss of over 12 million XRP tokens valued at $6 million.

Recovery Of Funds

Coins.ph took prompt action, blocking 445,000 XRP after identifying the compromised address. WhiteBIT collaborated with blockchain analytics firms Cristal and Chainalysis to trace the stolen XRP addresses, demonstrating the industry’s collective efforts to mitigate the impact of such breaches.

Hacks Targeted Via Social Media

1. The Crypto Whale Mystery ($10 Million)

Background

A mysterious hack occurred, as reported by a MetaMask developer known as Tay on Twitter, targeting numerous crypto whales and early crypto investors. The illicit activity was detected and shared by Tay, with no specific date mentioned, indicating that the affected wallets were created between 2014 and 2022.

How The Crypto Whale Mystery Happened

The only commonality among the victims is that their wallets were created between 2014 and 2022. This hack was not exclusive to MetaMask users and has affected users of all wallets, including those generated for the Ethereum presale and those created on a hardware wallet. The hackers then converted the stolen funds to Bitcoin and used a coin mixer to conceal traces.

Funds Lost

Over $10 million worth of ETH and other tokens, including more than 5,000 ETH (valued close to $10 million by the current exchange rate), and an undisclosed number of other tokens and NFTs across different EVM-compatible blockchains, were been drained from numerous victims.

Recovery Of Funds

There is no information provided on any recovery of funds or any ongoing efforts to trace or retrieve the stolen assets.

How To Mitigate Against Risk

The MetaMask developer, Tay, advised crypto users to spread their assets across different wallets to reduce the risk of losing all of their assets. The emphasis was placed on not keeping all assets in a single key or secret phrase for extended periods.

Final Resolution

The hack remains a concern, and details of how it was perpetrated are still unknown. The community and possibly the relevant authorities may be still investigating the incident.

2. Kucoin’s Twitter Scandal ($23K USDT)

Background

KuCoin, a prominent cryptocurrency exchange, experienced a security breach on April 24, 2023. The incident involved the compromise of the platform’s official Twitter account, leading to a loss of assets for its users.

How Kucoin’s Twitter Scandal Happened

Hackers gained unauthorized access to KuCoin’s Twitter account and had control over it for approximately 45 minutes. During this time, they promoted fraudulent activities, leveraging the account’s influence to deceive the platform’s users. The hackers posted about fake giveaways and other deceptive schemes, causing users to send funds to malicious addresses.

Funds Lost

The illicit activities led to 22 transactions being carried out in relation to the fraudulent promotions, including transactions involving ETH and BTC. The cumulative loss as a result of this incident amounted to over 22,628 USDT.

Recovery Of Funds

Post the security incident, KuCoin was able to promptly recover control over its compromised Twitter account. The platform has announced its commitment to reimburse the affected users for the losses incurred during the incident. KuCoin is currently conducting thorough investigations and has initiated measures to block the suspicious addresses involved in receiving the stolen funds.

How To Mitigate Against Risk

The incident underlines the imperative for users to exercise caution and due diligence, particularly concerning interactions with promotional content on social media. Crypto holders should be wary of sending tokens to entities promising inflated returns and should avoid engaging with suspicious links that attempt to impersonate legitimate ones. Users are advised to validate the authenticity of promotional content before participating in any such activities to avoid falling prey to fraudulent schemes.

Final Resolution

In response to the breach, KuCoin is intensifying its security protocols to fortify its platforms against similar breaches in the future. The platform has emphasized that the breach was isolated to the Twitter account and that its website and other social media accounts remain secure. KuCoin remains vigilant and proactive in its efforts to safeguard its users and their assets from potential threats.

Hacks Targeting Smart Contracts

1. Bonq DAO (Smart Contract) ($120 Million)

Background

February 2023, BonqDAO, a small decentralized autonomous organization (DAO), suffered a significant smart contract exploit due to an oracle hack, leading to an estimated loss of $120 million from its protocol.

How Bonq DAO hack Happened

The incident occurred, when the exploiter manipulated an oracle in one of BonqDAO’s smart contracts, allowing the alteration of the update price function. This enabled them to manipulate the price of the AllianceBlock (ALBT) token and mint large amounts of BEUR. The BEUR was subsequently swapped for other tokens on Uniswap, and the price was dropped to almost zero, triggering the liquidation of ALBT troves.

Funds Lost

The estimated loss from the hack was around $120 million, which included $108 million from 98.65 million BEUR tokens and $11 million from 113.8 million wrapped-ALBT (wALBT) tokens. The largest transaction involved in this exploit was $82.19 million.

Recovery Of Funds

BonqDAO paused the protocol and worked on a recovery solution. AllianceBlock, the issuer of ALBT tokens, is in the process of removing all liquidity on Bonq andhalted exchange trading intending to mint new ALBT tokens to those affected by the exploit up until the time of the announcement.

How To Mitigate Against Risk

Securing oracles can be done by auditing smart contracts, implementing multi-signature wallets, maintaining up-to-date software, and following best security practices can help in mitigating such risks.

Final Resolution

The Bonq protocol has been paused, and both BonqDAO and AllianceBlock are working on solutions to address the impact of the exploit, including releasing a recovery solution and minting new ALBT tokens for affected users.

2. Deus Finance ($6 Million)

Background

May 2023, Deus Finance, a Decentralized Finance (DeFi) protocol, suffered a security breach leading to a loss of over $6 million in its stablecoin DEI.

How The Deus Finance Happened

The attacker exploited a vulnerability in the BNB Smart Chain (BSC), causing a loss of more than $1.3 million. A bot initiated the hack on BSC, and subsequently, the Arbitrum network was targeted, leading to ARB/ETH deployments losing over $5 million. It was reported that the token contract had a basic implementation error as the root cause.

Funds Lost

The total funds lost amounted to over $6 million, with more than $1.3 million lost due to the BNB Smart Chain vulnerability and over $5 million lost from ARB/ETH deployments on the Arbitrum network.

Recovery Of Funds

After the attack, Deus Finance paused all contracts and burned DEI tokens to prevent further damage. The team confirmed they are in the process of comprehending the actual backing of DEI tokens and are working on a “comprehensive recovery and redemption plan” after a full analysis of the balances and snapshots.

How To Mitigate Against Risk

Auditing smart contracts and ensuring the latest security developments by adhering to best security practices can help in mitigating such risks. Additionally, implementing multi-signature wallets, maintaining up-to-date software, and using hardware wallets can also significantly reduce risk.

Final Resolution

The protocol has been paused, and DEI tokens have been burned to prevent further losses. The team is analyzing the situation and will create a comprehensive recovery and redemption plan.

Hacks Targeting Wallets

1. The LastPass Wallet Hack ($39 Million)

Background

LastPass, a widely-used password storage software, suffered a significant breach in 2022, which had severe implications for its users, especially those in the crypto community.

How The LastPass Hack Happened

An attacker leveraged information from a breach that occurred in August 2022 to target a LastPass employee. This allowed them to snag the employee’s credentials and decrypt stored customer information. The attacker also managed to steal a backup of encrypted customer vault data. This data, if subjected to a brute force attack on the account’s master password, could be decrypted.

Funds Loss

The breach led to substantial financial losses for crypto users. Initially, over $35 million in crypto was stolen from victims. A recent event added to this toll, with $4.4 million in crypto drained from 25 individuals across 80 wallets. In total, around 150 victims were affected.

Recovery Of Funds

There is no knowledge as to how victims of the hack will be compensated against their losses.

How To Mitigate Against Risk

Experts, including ZachXBT, have advised users who stored any crypto-related information in LastPass to transfer their assets immediately to avoid further losses.

Final Resolution

In the aftermath of the breach, LastPass faced legal consequences. A class-action lawsuit was filed against them in January, where individuals claimed losses of around $53,000 in Bitcoin due to the August 2022 breach. The situation underscores the vulnerabilities present even in reputed password management tools.

2. The Bitrue Exchange Heist ($23 Million)

Background

Bitrue Exchange experienced a security breach on April 14, 2023. The cryptocurrency exchange quickly identified and rectified a vulnerability that had been exploited, allowing unauthorized access and fund breaches.

How It Happened

The details regarding the exact mechanism or method utilized to exploit the vulnerability are not provided. However, the security flaw was promptly discovered by Bitrue, which enabled the exchange to rapidly respond, fix the vulnerability, and avoid further unauthorized access and fund breaches.

Funds Lost

The attackers succeeded in extracting approximately $23 million worth of digital assets. The stolen assets included a variety of cryptocurrencies such as Ether (ETH), Quant (QNT), Gala (GALA), Shiba Inu (SHIB), Holo (HOT), and Polygon (MATIC).

Recovery Of Funds

Bitrue’s immediate response was to halt all withdrawals as a precaution, with plans to resume them on April 18. The compromised wallet contained less than 5% of Bitrue’s total reserves. The company confirmed that no other wallets on the site were affected by this incident, mitigating the overall impact of the breach.

How To Mitigate Against Risk

The incident underscores the intrinsic risks of digital assets and highlights the crucial need for robust security measures within the cryptocurrency sector. To safeguard user assets and maintain investor trust, exchanges are urged to prioritize platform security, especially as the industry continues to expand.

Final Resolution

The breach was contained, and security measures were implemented to prevent further unauthorized access. While the event emphasized the vulnerability of digital assets, it also highlighted the importance of rapid response and the implementation of stringent security protocols. The exchange has resumed its normal operations, emphasizing the urgency and importance of robust security frameworks in preserving the integrity and trust in the digital asset sector.

3. Social Engineering Hack On Trust ($4 Million)

Background

Trust Wallet has recently been involved in a significant social engineering attempt wherein $4 million was deceitfully taken from Webaverse, a company operating in the realm of Web 3. This incident involved a sophisticated method involving face-to-face interaction and took place in Rome, Italy, executed by an organized criminal entity.

How Social Engineering Hack On Trust Happened

The criminal organization employed social engineering tactics to manipulate Webaverse into transferring $4 million worth of USDC from their multi-signature Trust Wallet to a single-signature one. In a multi-sig wallet, a transaction necessitates more than one private key to be signed. The criminal convinced the victim through providing counterfeit KYC and a malicious electronic version of a non-disclosure agreement, seemingly designed to pilfer funds. The individual then confirmed the transfer by photographing the victim’s wallet post-transaction, after which he disappeared.

Funds Lost

Webaverse lost $4 million in this social engineering attack, with the funds being initially in USDC. The criminal later spread the stolen money to various locations, exchanged it for ETH, wrapped the Bitcoin and USDT, and subsequently transferred them to fourteen different addresses, with one holding 83% of the stolen cryptocurrency.

Recovery Of Funds

It is still uncertain whether the recovery of funds will be received.

How To Mitigate Against Risk

To prevent such incidents, Trust Wallet recommends against entering login credentials through insecure HTTP connections, particularly those offered by public WiFi hotspots during international travel. It’s important for users to be wary of phishing attempts and to verify the authenticity of the requests, especially when they involve transferring funds or sharing sensitive information.

Final Resolution

Subsequent to this incident, Trust Wallet and the co-founder of Webaverse, Ahad Shams, are still in the process of comprehending how the perpetrator managed to carry out the theft without access to the wallet’s private key.

4. MyAlgo (Customer Information)

​​Background

Cryptocurrency wallet provider, MyAlgo, experienced a security breach, and the team has released preliminary findings of their investigation. The hack impacted several users, compromising private keys and passwords.

How MyAlgo Hack Happened

Per the initial findings, attackers deployed a Man-In-The-Middle (MITM) attack, by creating a malicious proxy, they managed to inject malicious code between MyAlgo’s wallet web app and the users. This modified MyAlgo code was set up to harvest user passwords and secret phrases and relay them to the attacker’s servers.

Funds Lost

The detailed amount of lost funds isn’t explicitly mentioned, but the attackers currently possess maliciously obtained private keys, granting them access to the associated funds. Hundreds of victims have been identified, including MyAlgo team members.

Recovery Of Funds

MyAlgo is conducting an extensive investigation to locate all compromised accounts and is cooperating with relevant authorities to apprehend the attackers. Efforts are being made to prevent the transfer of stolen funds through cryptocurrency exchanges.

How To Mitigate Against Risk

The team at MyAlgo recommended users change their MyAlgo passwords immediately and advocates the use of Ledger hardware wallets as the safest means for handling private keys or seeds, to avoid falling victim to such breaches.

Final Resolution

While the investigation is still underway, MyAlgo is working to find all compromised accounts, halt further illicit accesses, and work with law enforcement to bring the situation under control.

5. Stars Arena Hack ($3 million)

Background

Avalanche’s Stars Arena platform, which became well-liked among the Avalanche community. By acquiring “keys” or “shares” of well-known X users, users could access closed chat rooms and trade AVAX tokens. This strategy mirrored Friend.Tech, a popular social program built on Ethereum that gained a sizable user base right away.

How Did The Hack Happened

A smart contract protecting AVAX tokens on the platform was the target of an exploit that cost Stars Arena millions in funds on 7th October, 2023. Due to the exploit, hackers were able to steal almost all the locked funds, losing $3 million worth of AVAX tokens in the process.

Funds Lost

Avalanche’s AVAX tokens valued at $3 million were lost in the attack, leaving Stars Arena with just under $1 after the incident. This significant financial loss had a negative influence on both the platform and its users.

Recovery Of Funds

Following the security incident, on October 11th, Stars Arena published a message on X stating that roughly 90% of the 266,000 AVAX tokens that had been taken, or about $3 million, had been recovered.

The protocol was able to come to an agreement with the hacker and pay out a reward of 27,610 AVAX, or roughly $257,000. This amount included reimbursement for 1000 AVAX tokens worth $9,000 that the hacker had misplaced on a bridge.

How To Mitigate The Risk

Platforms must conduct extensive security assessments of their smart contracts and entire infrastructure to reduce the danger of such vulnerabilities. Regular vulnerability assessments, code reviews, and consultations with cybersecurity professionals can all help find possible holes and fix them before they are used against you.

Conclusion

The interplay between social media and cryptocurrencies has created avenues for scams and fraudulent schemes. Vulnerabilities in smart contracts and the vast assets in crypto exchanges further heighten the risks of unauthorized access and losses. It’s important for users to be vigilant, employ enhanced security measures like using hardware wallets and enabling two-factor authentication, and cautiously assess DeFi platforms and investments to safeguard against potential threats and ensure a secure crypto environment.

FAQs

How are social media platforms used for crypto-related fraudulent activities?

Social media platforms are often exploited by scammers impersonating legitimate crypto entities or influencers to promote fraudulent schemes, phishing attacks, or spread misinformation, intending to deceive users into revealing sensitive information or transferring assets.

How can vulnerabilities in smart contracts lead to crypto hacks?

Smart contracts, if poorly coded or unaudited, may contain vulnerabilities or bugs that hackers can exploit to manipulate contract functionalities, leading to unauthorized access or alterations, potentially causing loss of funds stored within the contract.

What risks are associated with crypto exchanges in relation to hacks and fraudulent activities?

Crypto exchanges can be targeted for hacks due to the vast amounts of assets they hold, vulnerabilities, inadequate security measures, or internal malpractices which may lead to unauthorized withdrawals, data breaches, or other exploitations.

How can users protect their crypto wallets from fraudulent activities and hacks?

Users can secure crypto wallets by using hardware wallets for significant amounts, employing strong, unique passwords, enabling two-factor authentication, and being vigilant against phishing attempts and malicious software.

In what ways can DeFi platforms be susceptible to fraudulent behavior and hacks?

DeFi platforms can be susceptible to various attacks like flash loan attacks, front-running, and exploits due to smart contract vulnerabilities, which can be orchestrated to drain funds or manipulate market conditions, highlighting the need for thorough platform assessment and cautious investment.

By:Andrew Kamsky Link:https://www.ccn.com/education/crypto-hacks-2023-full-list-of-scams-and-exploits-as-millions-go-missing/

#security #defi
Write a comment
No comments yet.

Related articles

by Geevis

May 4 2026

200,000 MCP servers expose a command execution flaw that Anthropic calls a feature

# 200,000 MCP servers expose a command execution flaw that Anthropic calls a feature ## Overview Geevis reads this as an execution-surface problem, not a headline about one vendor. OX Security describes MCP STDIO as a command-injection family where user-controlled command and argument values can be passed directly to server-side subprocess execution. The reported blast radius is 150M+ package downloads, roughly 7,000 publicly reachable servers, and an estimated 200,000 vulnerable deployments.

by z3t9…4962

May 2 2026 · Edited May 2, 2026
Cover image for New Paper: Agents of Chaos

New Paper: Agents of Chaos

An LLM agent was asked to delete an email. It wiped the entire mail server, posted "Nuclear options work" on a public board, and got flagged for credential theft by another agent. That's case 1 of 11 in "Agents of Chaos," a two-week red-team of autonomous AI agents. The failures are social, not technical. Static benchmarks can't catch them.

by Alien Investor

May 1 2026
Cover image for Vanadium: The Most Secure Mobile Browser — Built Into the OS

Vanadium: The Most Secure Mobile Browser — Built Into the OS

Most browsers are layered on top of an operating system that doesn't trust them. Vanadium is different. It is the OS. It is the system WebView that every app runs through. JIT-less by default. MTE-hardened. Fully de-Googled. And the best settings are the ones you don't touch.