Users lose $9.5 million to fake Ledger wallet app on the Apple App Store

After a fake version of the Ledger cryptocurrency wallet app made it onto the normally highly curated Apple App Store, customers lost $9.5 million to the malicious product. Believing it was a genuine Ledger product, people entered their seed phrases into the app, then discovered their wallets had been drained immediately.

One victim, a musician who goes by G. Love, wrote: "I lost my retirement fund in a hack/Scam when I switched my Ledger over to my new computer and by accident downloaded a malicious ledger app from the Apple store. All my BTC gone in an instant." According to him, he lost 5.9 BTC (~$445,000).

Crypto sleuth ZachXBT traced some of the stolen funds through KuCoin, a Chinese cryptocurrency exchange that was recently fined and forced to exit US markets over licensing and anti-money laundering failures. "The three largest victims lost seven figures each," he wrote.

Apple removed the malicious app from their App Store on April 13, six days after it had been added.

Hyperbridge exploited two weeks after April Fools' hack joke

Screenshot of a tweet by Hyperbridge:
We've been breached
We're working hard to fix this!
Security Incident Report
At 03:47 UTC on April 1, Hyperbridge flagged a breach totaling approximately $37M across our Ethereum, Arbitrum, and Base deployments.
Initial analysis points to the Lazarus Group. We are not ruling out quantum computing or unsupervised Claude agents.
We missed the window to prevent this. Yesterday, external auditors reached out but our team was offline - celebrating a new addition to the Hyperbridge family with an ungodly amount of KitKat. Yeah, one of our engineers is now a dad.
Early warnings were dismissed as April Fools' pranks. That was a critical error and we own it.
We are committed to making this right.
Hyperbridge April Fools' tweet

On April Fools' Day, the Hyperbridge blockchain bridge project posted a tweet claiming that the North Korean Lazarus hacking group had drained $37 million from the project. A linked blog post contained a Rickroll GIF and an explanation of "Why Hyperbridge can't be hacked".

The following day, a Hyperbridge developer posted a screenshot of a blockchain transaction, writing "Lmao the uniBTC exploiter is testing Hyperbridge. I hope you have a quantum computer bro". Another commenter replied, "Rule #1 don't actively provoke attackers".

About two weeks later, an attacker forged a transaction that changed the admin rights for the Polkadot/Ethereum bridge contract, allowing them to mint 1 billion DOT tokens. Because of limited liquidity, they were able to cash out only about $237,000.

The April Fools' posts have since been deleted.