The native token of the Holograph blockchain plummeted by 80% after a malicious actor breached the protocol operator’s smart contract, minting 1 billion HLG worth $14.4 million.
On June 14, the network team confirmed the attack and reported that the flaw had been fixed. The project also reached out to centralized exchanges and law enforcement to freeze the stolen assets.
The Holograph Operator contract has been exploited by a malicious actor, enabling the hacker to mint 1 billion additional HLG
The team has patched the initial exploit & is working with exchange partners to lock the malicious accounts
The team has launched an investigation & is…
— Holograph (@holographxyz) June 13, 2024
According to Etherscan, the hacker minted 1 billion HLG over nine transactions. The first batch was initiated on June 13 around 10:00 (Kyiv/MSK).
Ten minutes later, the token began to fall, crashing from $0.014 to $0.002. At the time of writing, the coin had recovered to $0.006.
At the current rate, 1 billion HLG is valued at approximately $6.8 million. However, the hacker began converting the minted coins into USDT four hours after the attack.
Matt Casto, an analyst at venture firm CMT Digital, believes the perpetrator was a “rogue developer” who funded the recipient address of the minted HLG 26 days before the incident.
Looks like a rogue dev who funded the address 26 days ago. That address was the the one who received the minted supply. https://t.co/30E8Bqwkwt pic.twitter.com/Pv7kztTvNK
— Matt (@mcasto_) June 13, 2024
Fake Cryptocurrency Exchange
On June 13, the Securities Division of the Washington State Department of Financial Institutions (DFI) issued a warning about the fraudulent trading platform Ethfinance.
The agency initially received a complaint from an investor who discovered the exchange’s advertisement on LinkedIn and transferred about $310,000 from his “DeFi wallet.”
After trading, the user attempted to withdraw part of his deposit and profits but was unable to do so. Ethfinance’s support advised making an additional deposit. However, the client refused and was subsequently blocked.
DFI stated that the case resembles “advance-fee fraud”—a type of scam where victims are promised money, goods, or services in exchange for a small upfront payment. However, the regulator did not confirm the allegations.
DFI’s fraud tracker shows that the platform was also mentioned in another complaint. A California resident reported losing over $165,000 after being promised online training in crypto options trading.
The investor realized the situation when the “customer support CEO” on Telegram asked him to send 25% of the profits as “taxes” to complete the withdrawal.
Bounty on the Hacker
The UwU Lend DeFi protocol team has offered $5 million for identifying the hacker.
“The deadline for returning the funds you stole has passed. A $5 million reward for the first to identify and locate you,” reads an on-chain message.
Developers promised to pay the reward in Ethereum before the stolen assets are returned and a case is filed against the hacker.
UwU Lend suffered two attacks within a week. On June 10, the platform was hacked for $19.3 million. The protocol’s operations were suspended a few hours after the incident.
On June 13, the hacker withdrew another $3.72 million in various assets. The same wallet address was involved in both breaches. Initially, UwU Lend offered the hacker to return 80% of the stolen funds, but no response was received.
The protocol’s native token UWU fell by 18% after the attacks—from $3.1 to $2.5, according to CoinGecko.
Earlier in June, the decentralized exchange Velocore was attacked. A hacker withdrew approximately $6.8 million in Ethereum from pools in the L2 networks Linea and zkSyncEra.
In May, the Japanese cryptocurrency exchange DMM Bitcoin lost $305 million in a hack. The platform intends to seek financial support to compensate users.