20 of the Biggest Cryptocurrency Scams of the Past Year

Just like they love promoting anything else, influencers also love promoting cryptocurrencies, though many such promotions end up being pump-and-dump schemes. Still, one influencer-involved scheme stood out in the past year, and it had to do with influencers from the popular esports and content organization FaZe Clan. Several group members, notably FaZe Kay, started in June 2021 promoting a charity-based cryptocurrency called SaveTheKids, promising a good return on investment while also helping raise money for children’s charities.

Except, this was an extreme case of pump and dump or perhaps a rug pull – a scheme where the creators of a coin intend to run away with investors’ money. Within hours of launching the SaveTheKids token, the altcoin jumped in price only to immediately tank, and basically become worthless. The allegation was that pre-sale investors, including some of the other promoters and FaZe Kay, dumped their tokens as soon as the price shot up. Though it is unclear the extent of his involvement, FaZe Kay was kicked out of the group. FaZe Clan itself denied involvement in its members’ activities. It is also not fully clear how much money was lost by investors or how much was gained by those who sold at the height or the token creators.

Just like cryptos, there have been numerous scams and hacks exploiting systems that facilitate trading in NFTs. In December 2021, about 615 ETH (about $2.3 million) worth of NFTs, primarily Bored Apes and Mutant Apes were stolen. Another infamous scam this January involved scammers leveraging a flaw in NFT marketplace OpenSea to purchase valuable NFTs at a much lower price than their current listing. Cryptocurrency analysis firm Elliptic estimates that NFTs with a market value of $1.1 million have been purchased in this way in January and sold for much more.

NFT collector larrylawliet claims he lost his apes and mutant JPEGs (the NFTs) to hackers. According to cybersecurity experts, the scammers tricked larrylawliet into approving interactions with what he may have thought was a dAPP, or distributed app, only it was an actual wallet. The hacker then proceeded to drain larrylawliet’s wallet of NFTs, according to Vice, and sell them – including the Bored Ape – for nearly $700,000. Larrylawliet claims the stolen NFTs could have been sold for 1,000 ETH, or $2.7 million.

If someone missed on the phenomenon that was the hit series “Squid Game” they fortunately likely also missed on the phenom that was Squid Game token. And just as the series was a smash, so was the unauthorized crypto … well, until it wasn’t.

First, the series never gave permission to use its name. And similar to other such schemes (see SaveTheKids token at No. 20), the creators and promoters likely got rich before the token lost its worth, while retail investors got duped of course. The scam was discovered in late October, when buyers of the token noticed they could not resell them. Then the over $3.3 million that was invested in the tokens got pulled by the creators, according to Wired. Before the classic rug pull scheme was revealed, major news outlets reported on the meteoric rise of the token, which reached over $2,800, without mentioning it was not affiliated with the series, thus giving it an air of legitimacy.

Indexed Finance, a decentralized finance platform, or DeFi, built on ethereum that produces tokens that track market indexes, was hacked for $16 million in October. Unlike most cases where the hackers remain anonymous, this time the hacker was identified as 19-year-old Andean “Andy” Medjedovic of Canada, a math prodigy who refuses to return the funds, “potentially setting the stage for a groundbreaking legal confrontation,” according to CoinDesk. Many in the self-regulating DeFi world see him as a champion of the “code is law” ethos as he claims he should be allowed to keep the funds.

Law enforcement has rarely been involved in hacks and attacks, and being self-regulated, it is often up to the goodwill of hackers to return the funds. That has also led to the mindset, “code is law.”

At 19, Medjedovic has apparently already earned a master’s degree in mathematics and has written mathematical research papers. He wrote complex code for the hack but did not cover his tracks well and was identified. After failing to appear at court, a judge issued an arrest warrant against Medjedovic. As of late March, Medjedovic has not been found. “The civil case will be heard in Toronto if he can be located,” according to The Record.

As noted, computing power for the mining process consumes a great deal of electricity. Gas fees are the amount of ether (ETH) — the native cryptocurrency of ethereum — required to interact with the network. These fees are used to compensate ethereum miners for the energy required to verify a transaction and for providing a layer of security. But gas fees are calculated using a variable formula and can be expensive when the network is congested, according to CoinDesk.

While gas fees can be expensive, crypto exchange Bitfinex paid a ridiculously large sum to complete a transaction. On Sept. 27, 2021, Bitfinex sent $100,000 of the stablecoin tether (USDT) to the the non-custodial exchange DeversiFi. For that, Bitfinex paid 7,626 ETH, equivalent to $23.7 million, possibly the largest gas fee ever recorded on the ethereum blockchain. This was even more erroneous considering that DeversiFi promotes access to DeFi protocols “without paying gas fees” and that the average transaction fee on the ethereum blockchain stood at 0.013 ETH, or $39.96, at the time, according to Cointelegraph.

DeversiFi said it was investigating the cause to determine how this occurred. The miner returned the funds to the exchange, however.

MonoX Finance, a blockchain startup, also fell victim to a hack. The company uses a decentralized finance, or DeFi, protocol, MonoX, that lets users trade digital currency tokens with fewer requirements than traditional exchanges. The attacker exploited a bug in the software used to draft smart contracts, stealing $31 million.

“The exploit was caused by a smart contract bug that allows the sold and bought token to be the same,” MonoX Finance explained. The attacker made transactions with the mono token, basically swapping the same tokens but also inflating the price as the system allowed the transactions and calculated a new price after each transaction. The hacker then used the funds to cash out all the other deposited tokens, including on the ethereum and polygon blockchains. Security experts told ars Technica that these kinds of attacks are common in smart contracts. Developers do not always define security properties for their code, or use older security approaches, the expert noted.

Uranium Finance, a binance smart chain-based DeFi project, lost $50 million in tokens in April 2021 in an exploit. Following the exchange’s upgrade, there was a vulnerability in its v2 contracts the hacker exploited. According to CoinDesk, “a misplaced zero in the contract’s balance field … created the opening for the attack vector.”

But the exploit may have been an inside job, according to a member of Uranium Finance’s developer team, Cointelegraph reported. The crypto community noted on several boards they question Uranium’s narrative.

Hackers stole $80 million from Qubit Finance, a decentralized finance (DeFi) platform, on Jan. 27, according to the company’s statement, which also explains how the hacker exploited the protocol. Qubit offers its QBridge protocol for investors, a bridge to convert or swap tokens between two blockchains — ethereum and the binance smart chain network.

The attackers exploited the protocol and stole 206,809 binance coins (BNB) from Qubit’s QBridge protocol, worth more than $80 million, according to PeckShield. Qubit asked the hackers to return the stolen digital assets, offering the hackers a maximum bug bounty worth $250,000.

Imagine your bank added money to your account — by accident — would you pay it back? Well, something similar happened to users of Compound, a decentralized finance, or DeFi, platform that enables users to earn interest or borrow assets against collateral. But on Thursday, 31 Sept. 2021, the ethereum-based money market protocol had a major blunder following an upgrade of its system and accidentally paid out $90 million among its users.

Shortly after the mistake, Compound’s founder began urging users (CNBC called it “begging”) to return the money they received in error. The transaction history shows where all the ethereum tokens went. According to BleepingComputer, the founder incentivized users, saying they may keep 10% as a reward. Though the founder said about $30 million have been by Sunday, other users have realized they can exploit the glitch, leaving $160 million at risk, according to Business Insider.

Japanese cryptocurrency exchange Liquid was hit by a cyberattack in August, about a week after the Poly Network hack (see No. 3). The hackers made off with a reported $97 million worth of digital coins, according to blockchain analytics company Elliptic. “This includes $45 million in Ethereum tokens, which are being converted into Ether using decentralised exchanges (DEXs) such as Uniswap and SushiSwap,” Elliptic noted, adding, “This enables the hacker to avoid having these assets frozen — as is possible with many Ethereum tokens.”

Unlike many other exchanges, Liquid is reportedly regulated by Japan’s Financial Services Agency. Liquid ranks among the top 20 crypto exchanges globally by daily trading volumes, according to CNBC.

BadgerDAO, a decentralized finance, or DeFi, protocol that allows users to use bitcoin as collateral to secure loans has fallen victim to a large hack, with $120.3 million stolen from users of the protocol, according to security researchers PeckShield. One user had around 900 bitcoin ($50.8 million) worth of tokens stolen in a single transaction, and another lost $5 million worth of tokens, TheBlock reported.

It seems hackers were able to use a stolen API key to BadgerDAO’s account on Cloudflare, the project’s content delivery network, and managed to exploit the older “web 2.0” technology. Badger CEO has implored for the funds to be returned, though it was not reported whether the money was returned. Meanwhile, Badger began a recovery and restitution phase.

Ethereum-based lending DeFi platform Cream Finance allows users to loan and speculate on cryptocurrency price variations. It is known for drawing in billions of dollars in investor funds. StealthLab explained that “Hackers used flash loans, a type of uncollateralized lending, to exploit poorly protected protocols.” The hackers likely stole all of the company’s assets and tokens running on the ethereum blockchain.

Blockchain security firms PeckShield and SlowMist first detected the hack, and Cream Finance confirmed that its “ethereum C.R.E.A.M. v1 lending markets were exploited,” with the attacker removing a total of $130 million worth of tokens from these markets.

This was the third time Cream Finance was hacked in 2021, with $38 million worth of tokens stolen in February and $19 million to $29 million in August, depending on reports. All these attacks were flash loan exploits.

Decentralized cross-chain exchange Boy X Highspeed was hacked in November 2021, with the hackers making off with $139 million in November 2021. CEO Neo Wang said the hack was probably the result of a leaked administrator key and possibly an inside job. He further told CoinDesk that the hacker either “broke into the keyholder’s computer or might have been one of BXH’s technical staff.” The “inside job” theory is supported by findings from security firm PeckShield.

The company set up a total reward of $10 million to those who help identify the hackers and retrieve the funds and offered the hackers a reward if they return the money. BXH also plans to return all stolen funds to users if the money is returned.

Play-to-earn (P2E) games platform Vulcan Forged Hackers was hacked in December, with the hackers stealing 4.5 million PYR, the platform’s native token, worth $140 million at the time, according to the company’s announcement and reports. The platform, which also runs a decentralized exchange and a non-fungible token marketplace, said the attacker gained access to the private keys (which function like digital signatures) of 96 wallets and proceeded to empty them.

While the platform offered a $500,000 bounty on information that would help identify the attacker, it proceeded meanwhile to reimburse nearly all affected wallets using Vulcan Forged’s treasury, a fund that crypto projects use to save money for crises.

Bitmart, a crypto trading platform, claimed to be hacked on Dec.4, 2021, with the hackers withdrawing $150 million worth of altcoins. According to CNBC, however, blockchain security and data analytics firm Peckshield estimates the loss at closer to $200 million in 20 different tokens, including binance coin, safemoon, and shiba inu.

The security breach was mainly caused by a stolen private key, the exchange said, affecting its ethereum and binance smart chain “hot wallets” — a wallet connected to the internet that allows owners relatively easy access to their coins at the expense of potential exposure.

Though BitMart said it will “use our own funding to cover the incident and compensate affected users,” as of January, many victims say they have yet to see the funds returned. Some have questioned why BitMart is not using its insurance to reimburse the stolen funds.

Wormhole Portal is a decentralized finance, or DeFi, cryptocurrency platform that allows users to move digital coins from one blockchain to the next. Exploiting the bridge that allows tokens to move from the solana to the ethereum blockchain, the attacker stole more than $323 million in cryptocurrency. However, Wormhole announced the next day that all funds had been restored when digital assets firm Jump Crypto replaced the equivalent amount of tokens, essentially bailing out Wormhole Portal.

What is interesting in the Wormhole hack is that the attacker had been able “to ‘mint’ 120,000 ETH out of thin air,” blockchain analysis firm Elliptic explained. Specifically, the attacker was able to mint wrapped ethereum, wETH, which is the tradable version of ethereum currency, so the attacker could convert the wETH to real ETH. The attack was also interesting because it affected the price of the solana currency.

What do you do if you want to drive up the price of art you own? Well, one owner came up with a plan – buying the art for themselves at an inflated price. Well, up until CryptoPunk, the most expensive NFT evers sold was “Beeple’s Everydays — a collage of digital art that sold at Christie’s auction for $69 million,” according to Cnet. So when CryptoPunk sold for $532 million (or 124,457 ethereum) in October, everybody paid attention.

CryptoPunk is part of a set of 10,000 NFTs that are some of the first to ever be created and usually sell for between $350,000 and $500,000, though some fetch millions. By creating several digital wallets, the owner transferred the NFT to another wallet. Then, creating a third wallet, the owner bought the NFT for $532 million using a flash loan contract and immediately transferred it back to the original wallet. Though initially raising eyebrows, the racket was immediately discovered.

Cryptocurrency platform Poly Network said in early August 2021 it was hacked, with the attacker stealing more than $600 million worth of crypto-tokens. In a bizarre twist, however, the company said the hacker began returning the tokens the following day and then announced on Aug. 23 the hacker returned almost all of the funds. The hacker/s claimed they did the attack to expose a flaw in Poly Network’s digital contracts, though some skeptics believe the hackers found it hard to launder that much money.

Poly Network is a decentralized finance platform, or DeFi, a term for financial applications based on blockchain technology that allows people to transact across blockchains or complete other transactions without relying on intermediaries, such as brokerages and exchanges. The attacker managed to exploit a vulnerability in Poly Network’s code, which allowed them to transfer crypto-tokens to their own crypto wallets, therefore stealing the funds.

They call themselves the Lazarus Group, a hacking group believed to be controlled by North Korea’s primary intelligence bureau. The U.S. has linked the group to a massive cryptocurrency heist worth $615 million from players of the popular online NFT game Axie Infinity, conducted via an attack on Ronin Network last month.

“Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29,” the FBI said in a statement. And the Treasury Department’s Office of Foreign Assets Control announced new sanctions against an ethereum wallet belonging to Lazarus.

The Lazarus Group is reportedly behind hacks worth $400 million in digital assets in at least seven attacks on cryptocurrency platforms in 2021, according to blockchain analysis company Chainalysis. North Korea is likely attempting to use crypto to evade U.S. sanctions.

In what is possibly the biggest cryptocurrency scam to date, brothers Raees Cajee, 21, and Ameer, 18, may have swindled investors out of $3.6 billion. The two have launched Africrypt in 2019, setting it up as a fund that invested in cryptocurrency and blockchain technology. In April, 2021, however, Africyrpt said its systems were hacked and tokens were stolen.

While investors claim $3.6 billion were stolen, the brothers told The Wall Street Journal that at the height of the fund they were managing $200 million and insist no more than $5 million are missing. The brothers have since fled South Africa and their whereabouts is unknown. They deny any involvement in a heist and claim they are hiding from organized crime. Their disappearance came as bitcoin’s value hit a record high last April.

In yet another twist, a mystery investor has offered to bail out the company on the condition that all charges against the Cajee brothers would be dropped. Many investors have accepted the terms of the payout, though some are still pushing for the brothers to be charged, according to different reports.