Web3 is Going Just Great

...and is definitely not an enormous grift that's pouring lighter fluid on our already smoldering planet.

Created by Molly White. Subscribe to her newsletter for weekly recaps.

Hyperbridge exploited two weeks after April Fools' hack joke

Screenshot of a tweet by Hyperbridge: We've been breached We're working hard to fix this! Security Incident Report At 03:47 UTC on April 1, Hyperbridge flagged a breach totaling approximately $37M across our Ethereum, Arbitrum, and Base deployments. Initial analysis points to the Lazarus Group. We are not ruling out quantum computing or unsupervised Claude agents. We missed the window to prevent this. Yesterday, external auditors reached out but our team was offline - celebrating a new addition to the Hyperbridge family with an ungodly amount of KitKat. Yeah, one of our engineers is now a dad. Early warnings were dismissed as April Fools' pranks. That was a critical error and we own it. We are committed to making this right.Hyperbridge April Fools' tweet (attribution)
On April Fools' Day, the Hyperbridge blockchain bridge project posted a tweet claiming that the North Korean Lazarus hacking group had drained $37 million from the project. A linked blog post contained a Rickroll GIF and an explanation of "Why Hyperbridge can't be hacked".

The following day, a Hyperbridge developer posted a screenshot of a blockchain transaction, writing "Lmao the uniBTC exploiter is testing Hyperbridge. I hope you have a quantum computer bro". Another commenter replied, "Rule #1 dont actively provoke attackers".

About two weeks later, an attacker was able to forge a transaction to change the admin rights for the Polkadot/Ethereum bridge contract, allowing them to mint 1 billion DOT tokens. They were able to cash out about $237,000 due to limited liquidity.

The April Fools' posts have since been deleted.

Theme tags: Hack or scam

Bitcoin Depot hacked for $3.67 million

A yellow and black Bitcoin ATM with "Bitcoin sold here" printed on the sideA Bitcoin Depot kiosk (attribution)
Bitcoin ATM operator Bitcoin Depot has disclosed a March 23 hack in which attackers stole 50.903 BTC (~$3.67 million) from company wallets. According to the company's disclosure with the SEC, the exploiters gained access to the company's IT systems and wallet credentials, allowing them to steal the assets.

Bitcoin Depot is the largest operator of crypto ATMs globally and in the United States, with approximately 8,700 kiosks in the US and 9,200 worldwide.

Theme tags: Hack or scam
Blockchain tags: Blockchain: Bitcoin