This report was updated with newly uncovered information, and re-published in December 2024.
This month’s report highlights a significant surge in rug pulls among major incidents, alongside, and perhaps due to, a concerning rise in social engineering and phishing attacks targeting individual users. These developments underscore the growing sophistication of cyber threats in the crypto ecosystem, particularly as malicious actors increasingly exploit the high potential yields in decentralized finance (DeFi) and major crypto projects.
With an alarming increase in rug pulls, hackers have adopted new tactics to attract and deceive investors, often using fake social proof and manipulated metrics to create a false sense of legitimacy. This trend signals the need for more comprehensive due diligence and user education to help investors identify and avoid these scams before they escalate.
On an individual level, phishing attacks have become more prevalent and sophisticated, often involving social engineering tactics where attackers impersonate trusted entities to deceive users into revealing sensitive information or approving harmful transactions. Unlike traditional phishing aimed at credential theft, these scams trick users into approving unauthorized wallet transactions, enabling attackers to drain funds in a single interaction.
Smart contract exploits continue to be a major attack vector, driven by flaws in contract logic, poor code quality, and unverified third-party protocols. Hackers easily exploit these weaknesses, especially with open-source contracts that allow attacks to be replicated across projects. The prevalence of attacks on base chains further amplifies the risk, as vulnerabilities in foundational layers can have widespread impacts. This highlights the urgent need for stronger security audits, rigorous testing, and better smart contract development to protect DeFi platforms and investor assets.
Key Incidents Overview
($FIRE) token [ETH] - October 1, 2024
Type: Contract Vulnerability
Description: ($FIRE), a token available for purchase on the Ethereum blockchain, appeared to suffer a security breach which led to the loss of $24,000. It appears that a particular smart contract was exploited and drained of 9 ETH within 24 seconds of the contract’s launch.
Impact: $24,000
Lending Oracle, anonymous project - October 3, 2024
Type: Oracle Issue
Description: An unknown lending project on the Arbitrum network suffered an enormous loss due to a price oracle manipulation attack involving the WETH-USDC liquidity pool. In blockchain, oracles are third-party services that feed external data into smart contracts, enabling them to interact with real-world data. A price oracle manipulation attack may involve attackers artificially manipulating the price data provided by these oracles in order to gain a financial advantage. In this case, altering the price data may have allowed the malicious actors to liquidate loans, trigger trades, or drain funds from DeFi protocols.
Impact: $131,587.72
EigenLayer - October 5, 2024
Type: Account Compromise
Description: EigenLayer, a protocol in the Ethereum ecosystem, was reportedly drained of 1.674M $EIGEN, worth almost $6 million. The attacker swapped the stolen $EIGEN for $USDC. Most of the stolen funds had been transferred to HitBTC, but approximately 5,000 $USDC was sent to Kraken. A malicious actor compromised an email thread related to an investor's token custody transfer, resulting in the unauthorized transfer of 1,673,645 EIGEN tokens. The attacker sold these tokens via decentralized platforms and moved the proceeds to centralized exchanges.
Impact: $5,870,000
Aave sDAI Ethereum - October 10, 2024
Type: Phishing attack
Description: A user of Aave, a liquidity protocol on which you can borrow, swap and stake, fell for a phishing link, unknowingly giving a malicious actor permission to take control of their sDAI tokens. The scam involved temporary addresses pre-computed using the CREATE2 function, commonly used in phishing schemes to deceive victims into granting access to their assets.
These types of attacks serve as a reminder to users to learn how to spot and report phishing attacks rather than fall for them, given the disastrous consequences of this example.
Impact: $2,047,000
HYDT Protocol attack - October 10, 2024
Type: Price Manipulation
Description: A ‘suspicious attack’ involving price manipulation of HYDT tokens on BSC was identified. There doesn’t appear to be a huge amount of information available; however, we know that the attack resulted in a sizable loss of $58 thousand.
Impact: $58,000
Type: Contract vulnerability
Description: Over a quarter of a million dollars were stolen when an attacker took advantage of a vulnerability in the #P719 token transfer mechanism, using a custom trading pair to discreetly extract profits without being detected by bots.
Impact: $344,000
Morpho Blue - October 14, 2024
Type: Oracle Issue
Description: Morpho is a decentralized lending platform that enables users to set up customizable lending pools. It fell victim to an attacker when a large amount of funds was siphoned from an asset pool following the exploitation of an oracle configuration vulnerability. This incident impacted the PAXG/USDC asset pool, with losses of a quarter of a million dollars due to a miscalculated price. The pool’s creator misconfigured the oracle settings, which inflated the PAXG price, and the attacker was able to capitalize on the discrepancy.
Impact: $250,000
Kalax - October 14, 2024
Type: Rugpull
Description: Kalax, a non-custodial yield aggregator in the Blast ecosystem, was known for its accessible, user-friendly interface. The project’s founders suddenly executed a rugpull with no warning, and deleted the website and Twitter account of Kalax.
Impact: $350,000
Ancilia & Radiant Capital - October 16, 2024
Type: Contract vulnerability and phishing attack
Description: Ancilia, a security firm, shared a tweet from ‘Radiarnt Capital’, directing users to ‘follow the link from this official message’, without realizing that the reshared tweet came from an impersonating account pretending to be the DeFi lender. Users who interacted with the link visited a malicious website ‘designed to drain users’ assets via approval phishing’. Radiant Capital’s smart contracts had originally been compromised, allowing attackers to drain over 50 million dollars in crypto assets, and Ancilia was one of the first to report this exploit. Malicious actors then took advantage of this and, unfortunately, while trying to help, Ancilia accidentally encouraged more users to fall victim to the attackers as they searched for recommended methods to secure their assets.
Impact: $58,000,000
Ambient - October 17, 2024
Type: Social engineering attack
Description: Ambient Finance, a decentralized trading protocol, suffered a front-end compromise when the website domain was hacked. Attackers appeared to use Inferno Drainer, a malware suite designed to steal digital assets. Users were warned not to interact with the site, connect wallets or sign any transactions until the administrators gave the ‘all clear’.
Impact: No losses reported
BullcoinBSC - October 17, 2024
Type: Contract vulnerability
Description: A drain of funds was detected on the project BullcoinBSC, a meme cryptocurrency. Their contract was updated to an unverified smart contract by the attacker, which contained a backdoor, allowing them to drain funds. Users were encouraged to revoke token approvals from both the original contract address and the new, unverified smart contract’s address.
Impact: Unconfirmed
IBXtrade - October 18, 2024
Type: Rugpull
Description: IBX, a relatively young exchange platform, appears to have performed a rugpull, after raising $24 million in the ARCTIC token’s pre-sale. While the team claims to have processed refunds, it appears that in actuality, they transferred funds exclusively to addresses that they control.
Impact: $24,000,000
TapiocaDAO - October 19, 2024
Type: Social engineering
Description: TapiocaDAO suffered a social engineering attack, which allowed the attacker to take control of the TAP token vesting contract. This breach enabled them to claim and sell 30 million vested TAP tokens, affecting the TAP/ETH liquidity pool owned by the DAO. The attacker also compromised ownership of the USDO stablecoin contract, adding an unlimited mint function to drain the USDO/USDC liquidity pair. Tapioca announced the attack on X, to warn users to be careful of Tapioca contracts or tokens.
Impact: $4,700,000
Indexed Finance - October 21, 2024
Type: Security breach
Description: Indexed Finance experienced a significant security breach that resulted in the loss of just under $5 million in digital assets. The attackers used Tornado Cash, a decentralized service known for its privacy features, to transfer the stolen funds. The attacker’s Ethereum wallet still contained over $5 million in digital assets, distributed across several wallets.
Impact: $4,500,000
Sharpei memecoin - October 23, 2024
Type: Rugpull
Description: A Solana-based meme coin, often promoted by crypto-influencers and with a market cap of $54 million within an hour of its launch, was involved in a rug pull. Its value instantly crashed when a small cluster of wallets sold off $3 million worth of tokens almost simultaneously. According to Bubblemaps, ‘60% of the total token supply was bought at launch and spread across 100+ addresses’ who then ‘sent its supply to a central wallet which sold everything for $3.4 million’.
The X Account of Sharpei meme coin announced that due to the uncertainty they are no longer able to continue operations.
Impact: $3,400,000
US Government controlled Wallet - October 24, 2024
Type: Potential security breach
Description: A suspicious outgoing transaction was flagged from a US government-controlled wallet. $20 million was transferred to a single address. The assets were transferred in a number of different tokens, but most were swapped into Ethereum. Within a day of the incident, $19.3 million was transferred back into the government-controlled wallet, and the lack of public communication about the incident may suggest that the incident was a result of compromised private keys.
Impact: $20 million - but $19.3 million returned
Ramses exchange - October 24, 2024
Type: Contract vulnerability
Description: On October 24, 2024, Ramses Exchange (@RamsesExchange) on Arbitrum lost nearly $93,000 due to a reward distribution flaw. The attacker exploited the smart contract by repeatedly claiming rewards across multiple tokenIds without reducing the total rewards pool, targeting accumulated incentives and fees while leaving liquidity provider funds intact.
Impact: $93,000
HyperCycle Token (HyPC) - October 25, 2024
Type: Contract vulnerability
Description: A price manipulation attack on Base Chain was identified, affecting unverified lending contracts.
Impact: $125,000
Price manipulation on unverified contracts - October 25, 2024
Type: Price manipulation
Description: Base chain detected a price manipulation attack targeting unverified lending contracts, where the attacker gained around $1 million in tokens through excessive borrowing.
Impact: $1,000,000
Aark Digital - October 25, 2024
Type: Social engineering and impersonation scam
Description: Aark is a decentralized exchange on Arbitrum, which suffered a theft of 1,499,841 USDC and 159.09 ETH. The attack initially began in September with the impersonation of an administrator of Aark, who asked a particular user for sensitive information, ultimately giving the impersonator access to the user’s funds. Unfortunately, the fake moderator managed to drain the user’s account and transfer the funds before they were banned. This month, the Aark LP Pool was drained, with funds initially transferred to the particular user mentioned earlier and then moved to various other wallets. The fake moderator who targeted the particular user was assumed to be controlling both wallets, but it appears as though this is not the case: transaction rewards recorded from the initial incident until the pool drain demonstrate that the wallet had been steadily collecting $AARK rewards in small amounts at a time. Neither the particular targeted user nor the fake moderator has withdrawn the entire staked $AARK, indicating that perhaps there are other players involved. Aark is now offering a 15% bounty to the individual responsible, contingent on the safe and complete return of the missing funds.
Impact: $1,429,542.90
Essence Finance - October 26, 2024
Type: Rugpull
Description: Essence Finance, a stablecoin project within the Scroll ecosystem, is suspected of a rugpull incident after a sharp 89% drop in the price of its coin, CHI. The drastic decrease fueled investor skepticism about CHI’s stability and cast doubt over the project’s reputation, especially after Asia-based crypto source Wu Blockchain reported a $20 million collateral withdrawal from the project just before the price collapse. The social media accounts of Essence Finance have been mostly inactive since mid-September, heightening fears of a rugpull.
Impact: $20,000,000
Supply Chain Attack - Lottie Web Player, 1inch, TEN Finance and more - October 31, 2024
Type: Security breach
Description: Lottie Player, a popular JavaScript animation library, was involved in a large supply chain attack when malicious code was embedded into its npm package, infecting some versions of the library. Hackers placed malicious code in JSON files responsible for displaying animations on websites. As a result, at least one user lost 10 BTC - approximately $723,000 - after unknowingly signing a phishing transaction linked to the breach. It is assumed that attackers used a fake wallet connection prompt, tricking users with Ace drainer malware. The tool mimicked legitimate wallet connections to deceive users into authorizing fraudulent transactions. Animations displayed on websites became phishing entry points, displaying fake pop-ups that prompted users to connect their digital wallets, ultimately allowing the attackers to gain access to user funds.
Later, it was discovered that other sites were compromised as a result of the Lottie Web Player attack. The sites included 1inch and TEN Finance, among other victims. Users were advised to ‘avoid connecting wallets or interacting with platforms’ until the issues were resolved.
Impact: Extent remains unknown - at least $700,000+
Sunray Finance - October 31, 2024
Type: Contract Vulnerability
Description: Sunray, an emerging DEX on Arbitrum, suffered a supply chain attack in which a malicious actor upgraded a smart contract, allowing the minting of trillions of SUN tokens. The attack exploited a recent upgrade to Sunray’s contract, minting these additional tokens and swapping them for USDT and WETH, causing SUN’s value to plummet. This plummet eliminated almost all liquidity, which was mostly held in a single wallet associated with the SunRay DEX liquidity pool.
Impact: $2,855,000
M2 Exchange - October 31, 2024
Type: Security breach
Description: UAE-based M2 crypto exchange reported a significant security breach that led to $13.7 million in lost digital assets. The attack targeted M2’s hot wallets across various blockchain networks. Despite the exchange’s relatively fast response, the attackers siphoned a large portion of the funds before the breach was contained. The stolen assets were traced back to a single wallet, which converted the majority of them into ETH. The impacted assets have been reimbursed and the exchange has since strengthened its security protocols.
Impact: $13,700,000
Major Crypto Incidents - October 2024 - Types
Major Crypto Incidents - October 2024
Individual use cases:
In addition to the major breaches, on-chain data analysis revealed several smaller incidents, including additional phishing attacks, address poisoning, and unauthorized transfers, with a combined total loss of over $76,219,408. Of the eleven main incidents we analyzed, 9 were the result of signing malicious phishing signatures. Therefore, a large majority of these individual cases can be very easily mitigated.
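The approval phishing described in this report can be caught by decoding a transaction's calldata before it is signed and checking who is being granted what. The following Python is an added example, not code from this report or from any wallet; the addresses, allowlist and sample calldata are constructed, and the three selectors are the standard ERC-20/ERC-721/ERC-1155 approval functions.

```python
# Added example: flag token-approval calls in calldata before it is signed.
# Selectors are the standard ERC-20/ERC-721/ERC-1155 ones; the addresses,
# allowlist and sample calldata are constructed for illustration.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
UNLIMITED = 2**255  # allowances at or above this are effectively unlimited


def _word(data, index):
    """Return the index-th 32-byte ABI word that follows the 4-byte selector."""
    word = data[4 + 32 * index: 36 + 32 * index]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def triage_calldata(calldata_hex, trusted_spenders):
    """Classify calldata as none / low / review / high approval risk."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    signature = APPROVAL_SELECTORS.get(data[:4].hex())
    if signature is None:
        return {"kind": "not-an-approval", "risk": None, "reasons": []}
    spender = "0x" + _word(data, 0)[12:].hex()
    value = int.from_bytes(_word(data, 1), "big")
    result = {"kind": signature, "spender": spender, "reasons": []}
    if value == 0:  # approve(x, 0) or setApprovalForAll(x, false) grants nothing
        result["risk"] = "none"
        return result
    trusted = spender in {s.lower() for s in trusted_spenders}
    broad = signature.startswith("setApprovalForAll") or value >= UNLIMITED
    if not trusted:
        result["reasons"].append("spender is not on the allowlist")
    if broad:
        result["reasons"].append("grant covers the whole balance or collection")
    if not trusted and broad:
        result["risk"] = "high"
    elif not trusted or broad:
        result["risk"] = "review"
    else:
        result["risk"] = "low"
    return result


# Constructed samples: 4-byte selector + padded address + 32-byte value.
KNOWN_ROUTER = "0x" + "22" * 20  # hypothetical trusted spender
UNKNOWN = "00" * 12 + "11" * 20  # hypothetical unknown spender, ABI-padded
SAMPLE_UNLIMITED = "0x095ea7b3" + UNKNOWN + "ff" * 32
SAMPLE_REVOKE = "0x095ea7b3" + UNKNOWN + "00" * 32
SAMPLE_OPERATOR = "0xa22cb465" + "00" * 12 + "22" * 20 + "00" * 31 + "01"

if __name__ == "__main__":
    for sample in (SAMPLE_UNLIMITED, SAMPLE_REVOKE, SAMPLE_OPERATOR):
        print(triage_calldata(sample, {KNOWN_ROUTER}))
```

Signed permit messages are approved off-chain and never appear as calldata from the victim's wallet, so the same spender and amount checks have to be applied to the message being signed.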
Key takeaways:
October’s trends:
October’s trends are particularly interesting given the rise in hacks reliant on X. The incident involving Radiant Capital and Ancilia exclusively relied on the creation of a fake X/twitter account masquerading as Radiant Capital, sharing a malicious link.
Upon closer inspection, the handle and X/Twitter name expose the false nature of the account; however, this was not spotted by the team handling the official X account of the security company Ancilia. Attacks like this, which are certainly rising in prevalence, demonstrate both the ease with which malicious groups can imitate real companies and encourage users to click malicious links, and the role that unsuspecting, well-meaning groups can play in accelerating the success of a hack or scam.
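The name and handle comparison described above can be automated as a check before resharing a post. The following Python is an added example, not code from this report or from either company; only the names ‘Radiant Capital’ and ‘Radiarnt Capital’ come from the report, every handle is a constructed placeholder, and the distance threshold of 2 is an assumption.

```python
# Added example: flag X accounts whose name or handle imitates an official one.
# Only the names "Radiant Capital" and "Radiarnt Capital" come from the report;
# every handle below is a constructed placeholder.
import unicodedata

# verified handle (hypothetical) -> brand display name
OFFICIAL_ACCOUNTS = {"radiant_example_handle": "Radiant Capital"}


def normalise(text):
    """Lower-case and keep ASCII letters and digits only, so spacing, accents
    and non-Latin homoglyphs cannot hide a near match."""
    decomposed = unicodedata.normalize("NFKD", text).lower()
    return "".join(c for c in decomposed if c.isascii() and c.isalnum())


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_account(handle, display_name, max_distance=2):
    """Return ("official" | "lookalike" | "unrelated", matched brand or None)."""
    handle = handle.lstrip("@").lower()
    if handle in OFFICIAL_ACCOUNTS:
        return "official", OFFICIAL_ACCOUNTS[handle]
    for real_handle, brand in OFFICIAL_ACCOUNTS.items():
        name_gap = edit_distance(normalise(display_name), normalise(brand))
        handle_gap = edit_distance(normalise(handle), normalise(real_handle))
        # An unverified handle carrying the same or a near-identical name is
        # exactly the impersonation pattern, so distance 0 is flagged too.
        if min(name_gap, handle_gap) <= max_distance:
            return "lookalike", brand
    return "unrelated", None


if __name__ == "__main__":
    print(classify_account("@radiarnt_example_handle", "Radiarnt Capital"))
    print(classify_account("@radiant_example_handle", "Radiant Capital"))
```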
Additionally, October saw a rise in suspected rugpulls, with this report covering four incidents of suspected rugpulls. The Kalax, IBXtrade, Sharpei memecoin and Essence Finance incidents were all most likely rugpulls given the sudden withdrawal of the funds. Common signs of a fake project with intentions of a rugpull include a lack of transparency from the team, for example the team remaining anonymous. Additionally, unrealistic promises such as impressively high returns, a lack of audit, opaque code, and very few users interacting with a token or platform are very poor signs.
Summary:
The frequency of October’s attacks, of which major attacks have caused an accumulated loss of over $162,000,000 and individual cases a loss of $76,200,000, demonstrates the severity of the threat posed by malicious actors operating in the crypto-verse.
Compared to previous months, we have particularly seen a major increase in phishing attacks and social engineering attacks. Somewhat fortunately, these types of attacks are some of the easiest to mitigate - educating individuals trading with crypto can empower them to correctly identify and report suspicious links and phishing attacks, which can sharply decrease the rate of individuals falling victim and, as a result, create a safer space for those trading on or administrating trading exchanges and platforms.