Cryptocurrencies haven’t been doing so hot lately. The last three or four months have seen prices plummet, and the general outlook for crypto bros (and gals) has been grim. But crypto’s cruel summer and the instability that’s come with it haven’t changed the fact that fraud, theft, and financial mayhem are still going strong in the web3 world!
Approximately four months ago, we did a roundup of the biggest crypto heists of the year. At that point, in early May, a little over a billion dollars had already been stolen in various hacking incidents. We said then that we might do another slideshow four months later or “every billion stolen dollars.”
We were joking, of course, but, alas, here we are — four months later — and things haven’t much improved. That’s why we’ve decided to stick to our word. The scams and heists listed below involve some $US2 ($AU2.92) billion in stolen crypto, but some of them are the result of years of pilfering that only recently came to a head. Here’s a quick look at some of the biggest and weirdest crypto thefts of the summer.
Horizon Bridge ($AU146 Million)
On June 23rd, the crypto bridge Horizon announced that it had been the target of cybercriminals. Bridges are the platforms that facilitate the transfer of crypto assets between different blockchains. They’re a critical part of web3 infrastructure, but they also have a nasty habit of getting hacked. In Horizon’s case, hackers appear to have exploited a vulnerability in the platform to steal approximately $US100 ($AU146) million in crypto. It turns out that the culprits behind this incident — a North Korean hacker gang known as “Lazarus” — are the same ones who pulled off a similar attack on Axie Infinity, the ETH-fuelled NFT game, when they cleared a whopping $US625 ($AU912) million earlier this year.
Mirror Trading International ($AU2.48 Billion)
In June, the U.S. Commodity Futures Trading Commission filed a civil enforcement action against Mirror Trading International and its CEO, Cornelius Johannes Steynberg, for allegedly running a $US1.7 ($AU2.28) billion fraud scheme involving bitcoin. According to authorities, Steynberg created a global foreign currency commodity pool that could only be bought into using bitcoin. Steynberg brought in large amounts of money into the pool, despite not being registered as a commodity pool operator. According to federal officials, Steynberg misrepresented how the funds were being invested and “misappropriated” large amounts of the funds. When authorities went after him, Steynberg left South Africa, but he was arrested in Brazil in June on an Interpol warrant.
EmpiresX ($AU58 Million)
On June 30, the Securities and Exchange Commission announced charges against a company called Empires Consulting Corp., or EmpiresX. According to the government, this company claimed to have a crypto trading bot that would bring in “one per cent daily profits” to investors. But officials say that the crypto bot was actually fake and, instead of make large amounts of money for investors, the people behind EmpiresX allegedly misappropriated large amounts of their funds, using the money to lease a Lamborghini and make a payment on a second home, among other things. As the scheme collapsed, federal officials say that the EmpiresX founders halted investors’ withdrawals and relocated to Brazil. However, the company’s head trader, pleaded guilty to conspiracy to commit securities fraud in connection to the scheme.
Rug Pulls Galore (Assorted)
Ah, the rug pull. Such scams have become very popular as of late; they occur when the developers behind a particular crypto project pump up their asset and then suddenly pull out, absconding with investors’ money. This summer, there have been plenty of them. You can take your pick from the numerous DeFi projects that have been accused of taking the money and running: there’s the allegations against yield aggregator Blur Finance (which closed up shop after the anonymous developers made off with $US600k), the $US4.5 ($6) million allegedly yanked from investors in something called TEDDY tokens, and, just a week ago, a brand new project, SudoRare, collapsed in what investors allege was a rug pull. A recent estimate found that some $US2.8 billion vanished as a result of the scams last year alone. Not great.
Nomad Gets Hacked ($AU277 Million)
The number of crypto platforms to get hacked and robbed blind continues to rise. In August, the crypto startup Nomad joined those unfortunate ranks, announcing that it had been hacked and that some $US200 ($AU292) million in crypto had been stolen from the company’s coffers. The company subsequently attempted to negotiate with the cybercriminals and get them to return the money, though those efforts have not yet succeeded.
8,000 Solana Wallets Get Emptied ($AU8-ish Million)
In early August, developers involved with the Solana blockchain warned users about a vulnerability affecting a number of crypto hot wallets — including Slope, Phantom, and TrustWallet. The bug was being used to steal assets, developers warned. A “hot” wallet is essentially an internet-connected app that lets you to manage your crypto holdings (this, as opposed to “cold” storage — a piece of hardware with similar functionality that can be disconnected from the web). Some 8,000 of the Solana-compatible wallets appear to have been affected by this mysterious software bug, which allowed unknown cybercriminals to pilfer their contents. About $US6 ($AU8) million is thought to have been stolen.
BlueBenx ($AU46 Million)
On August 14, the Brazilian crypto exchange BlueBenx claimed that it had been the victim of a “very aggressive hack” and that cybercriminals had stolen $US32 ($AU46) million from the platform. At the time, the company froze all withdrawals from investors and reportedly fired a majority of its staff. The lack of details released by the company resulted in suspicion from some users, with some expressing the belief that they had been scammed by the exchange. Weeks later, BlueBenx changed its story, claiming that it had been scammed by fraudsters who touted a phony business deal and then used the “deal” to steal the exchange’s money.
Acala Stablecoin (1.27 Billion tokens)
Out of all of the weird web3 nonsense to invest in, stablecoins are supposed to be the safest bet. Typically, their price is pegged to something, well, stable — like the U.S. dollar or another asset whose value stays relatively consistent over time. However, in the case of a project called Acala, a cybersecurity debacle ended up destabilizing the coin and sending its value plummeting. In August, Acala’s stablecoin, aUSD, depegged and lost 99 per cent of its value. The depegging occurred as a result of a cyberattack carried out by an unknown crypto thief who exploited a bug in a related liquidity pool; the bug allowed users to mint an unlimited amount of tokens, allowing the attacker to mint close to 1.8 billion aUSD.