Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime
Cryptohack Roundup: BingX, Truflation Exploits
Also: Reimbursements in Banana Gun Hack; Germany Shutters 47 ExchangesEvery week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, BingX, Truflation, OpenAI X account hacked; Germany shut 47 exchanges; Caroline Ellison sentenced; two got crypto theft charges; one got crypto scam fine; Banana Gun will refund victims; WazirX, Liminal in dispute; SEC settled with TrueCoin, TrustToken; CFTC may settle with Mango Markets.
See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation
BingX Hack
Singapore-based crypto exchange BingX's hot wallet was hacked, leading to a loss of approximately $43 million in cryptocurrency, said security analysts at PeckShield. BingX downplayed the severity of the incident, calling it "minor" and manageable, and asserted that most assets are safe in cold wallets. The breach, detected on Sept. 20, prompted the exchange to temporarily halt withdrawals. BingX told users that withdrawals will resume within 24 hours and promised a compensation plan for those affected.
Germany Shutters 47 Exchanges
The German government shuttered 47 cryptocurrency exchanges, accusing them of supporting an underground economy for cybercriminals. Authorities claim these platforms helped conceal the origins of illegal funds by failing to comply with anti-money laundering laws. Users allegedly include ransomware operators, botnet controllers and black market traders who launder criminal proceeds. The seized platforms now display warnings from German authorities, who have obtained transaction data and user information. One such exchange, Xchange.cash, processed 1.3 million transactions for 410,000 users since 2012.
Caroline Ellison Sentenced
Caroline Ellison, former CEO of Alameda Research, received a 24-month prison sentence for her involvement in the FTX collapse and must forfeit $11 billion. She pleaded guilty to multiple counts of fraud in December 2022 and cooperated with prosecutors. Her testimony was key in convicting FTX co-founder Sam Bankman-Fried, and prosecutors said that she gained no personal wealth from the scheme and lacked equity in FTX or Alameda. Bankman-Fried continues to be temporarily housed in the Metropolitan Detention Center in Brooklyn.
2 Charged in Cryptocurrency Theft Case
U.S. federal prosecutors charged Malone Lam, 20, and Jeandiel Serrano, 21, with stealing more than $230 million in cryptocurrency. The two were arrested in Miami and Los Angeles and are accused of conspiracy to steal and launder funds. The stolen assets were allegedly used for luxury expenses, including international travel, nightclub visits, cars, watches, jewelry and rental homes. The FBI, with the U.S. Attorney's Office and the IRS, is continuing the investigation, which may implicate others.
New Yorker Fined in Crypto Scam Case
A U.S. federal court has fined New York resident William Koo Ichioka $36 million for defrauding crypto investors. District Judge Vince Chhabria ordered Ichioka to pay $31 million in restitution and a $5 million civil penalty. The Commodity Futures Trading Commission said Ichioka ran a scheme from 2018, promising investors 10% returns every 30 business days. While some funds were invested as promised, Ichioka misused the rest for personal expenses such as luxury vehicles and jewelry. In August last year, the court banned Ichioka from trading or registering in CFTC-regulated markets.
Truflation Hack
Coinbase Ventures-backed crypto project Truflation lost over $5 million from its treasury multisig and personal wallets in a hack, said blockchain investigator ZachXBT. Truflation confirmed the breach on X, citing a malware attack as the reason. The Truflation team said it is investigating the incident and working with law enforcement while implementing measures to protect remaining funds. It disabled staking, and liquidity on its decentralized exchange is currently limited, the company said, adding that it has delegated $1 million in reimbursement funds for affected users.
Banana Gun to Reimburse Exploit Victims
Banana Gun pledged to refund 11 users affected by a $3 million exploit targeting its wallets. The company, which operates a popular Telegram-based trading bot, said that all affected users would be compensated without selling tokens from its treasury. The exploit, first reported last week, caused unauthorized wallet transfers. Although only a small number of users were hit, Banana Gun suspects a front-end vulnerability related to its Telegram message oracle to be the reason for the hack. After patching the issue, the bots went back online, and the company said it implemented new security measures, such as two-factor authentication and transfer delays, to prevent future attacks.
WazirX, Liminal Dispute Hack Responsibility
Two months after hackers stole over $230 million from WazirX, a dispute over responsibility continues between the India-based crypto exchange and its custody provider, Liminal. Each company blames the other, and no resolution is in sight. Legal battles have emerged, including a lawsuit by rival exchange CoinSwitch seeking to recover $6.2 million. Although WazirX has obtained a 30-day extension to investigate, only 441 users, or 0.02% of its monthly user base, supported the appeal. Despite recovery efforts, 43% of customer funds are reportedly lost. Independent audits on Liminal and WazirX found no compromise of their systems.
The hacker responsible for the breach moved $12 million worth of crypto to an intermediary address and later laundered the funds in increments through Tornado Cash. According to on-chain analytics platform Arkham, the hacker began transferring the stolen funds on Sept. 2, initially sending them directly to Tornado Cash and later using intermediary addresses for the transfers. To date, the attacker has laundered over $100 million through the sanctioned mixer, and $45.8 million remains in the original wallet.
TrueCoin, TrustToken Settle SEC Charges
The U.S. Securities and Exchange Commission settled a lawsuit against TrueCoin and TrustToken for fraudulent and unregistered sales of investment contracts involving TrueUSD, a stablecoin. The SEC alleged that from November 2020 to April 2023, the companies falsely claimed TUSD was fully backed by U.S. dollars. In reality, a large portion of the backing was invested in a risky offshore fund. By September this year, 99% of TUSD's reserves were in this fund. Without admitting guilt, both companies agreed to pay civil penalties and disgorgement. The settlement is subject to court approval.
Mango Markets May Settle With CFTC
Solana-based decentralized exchange Mango Markets may soon settle allegations from the U.S. Commodity Futures Trading Commission with a $500,000 fine. The CFTC is investigating Mango Markets for allegedly failing to register as a commodities exchange, offering illegal services to U.S. customers and lacking proper know-your-customer measures. In a Sept. 22 proposal to the Mango DAO, the exchange's legal representatives recommended the payment to avoid litigation. The DAO supported the settlement, following a similar $670,000 payment to the SEC in August to resolve charges related to unregistered securities. Mango Markets has faced regulator scrutiny since a $110 million exploit in 2022.
Crypto Scammers Hack OpenAI Press Account
Crypto scammers hacked OpenAI's press account on X, formerly Twitter, to advertise a nonexistent token $OPENAI and linked it to token-openai.com
, a phishing site mimicking the company's website. The phishing site prompted users to connect their cryptocurrency wallets, likely to steal login credentials. The post has since been deleted. This attack follows earlier hacks of OpenAI executive accounts, including that of former CTO Mira Murati in June 2023, which promoted the same scam. The attackers at the time reportedly used a tool to drain non-fungible tokens and tokens from victims' wallets once connected to the fake site.