+132 Million Lost — November Crypto Crime Report
$132 million was lost to crypto crimes in November 2024, marking the lowest criminal bounty of the year — closely mirroring the downtrend observed since the end of summer.
Of that, $25.2 million was recovered, bringing the net effective loss to nearly $107 million. This decline has been fueled by the significant underperformance of wallet drainers in recent months, with November gains barely reaching $10 million — a stark drop to nearly one-fifth of September’s total.
Most of the loss was attributed to hacks, with private key exploits taking center stage and accounting for $41.7 million lost across six incidents. Smart contract exploits accounted for $31 million across eight incidents.
This month also saw the unexpected return of oracle exploits, primarily due to sheer negligence.
What truly made November 2024 stand out was the cluster of rather eclectic crypto crime stories.
These included, in no particular order, DeFi protocols driving themselves into the ground through neglect of their security responsibilities, an ex-Fortnite pro player turned scam kingpin, an exit scam potentially disguised as a hack, an international threat group expanding its targets, kidnappings going up as the market goes up, and so on and so forth.
We cherry-picked some of them for our monthly report. Now, let’s dive into the most impactful crypto crime stories of November 2024!
November 2024 Crypto Crime Figures
Crypto Crime Report NOVEMBER 2024 — NEFTURE
Crypto Hacks: Protocols Lost to Negligence and a Mint-and-Dump Masquerading as a Hack?
Outrageous Neglect of Security: Polter Finance and DeltaPrime Hacks
DeFi protocols that barely meet, or outright neglect, basic security standards are unfortunately widespread — and this month has been particularly rife with such examples.
Polter Finance — Copy-Paste Code, Zero Audits, and a Costly Hack
On November 17th, the Fantom-based DeFi protocol Polter Finance was exploited for $12 million through an oracle manipulation attack.
The Polter Finance team caused the issue by introducing an oracle manipulation vulnerability when they chose to use spot prices directly from decentralized exchanges, specifically the SpookySwap V2/V3 pool prices, for their newly launched BOO token oracle.
The BOO token was newly launched and obviously lacked liquidity, making the use of SpookySwap pool prices extremely vulnerable to manipulation in low-liquidity pools.
A simple flash loan is enough to turn spot prices into faulty oracles.
And that’s exactly what the attacker did. Using a flash loan, they launched their attack, draining Polter’s liquidity pools and siphoning off the entire $12 million worth of tokens on the platform.
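To make the weakness of a thin pool's spot price concrete, here is an added example (not from the original report and not Polter Finance's code) that models a constant-product pool and then applies a liquidity floor and a deviation check as one possible mitigation. The reserves, the 0.3% fee, the trade size, and the `checked_price` helper with its thresholds are all constructed assumptions.

```python
# Added illustration: simplified constant-product pool with constructed numbers.
from dataclasses import dataclass

FEE = 0.003  # assumed 0.3% swap fee


@dataclass
class Pool:
    token: float  # reserve of the token being priced
    quote: float  # reserve of the quote asset (e.g. a stablecoin)

    def spot_price(self) -> float:
        """Instantaneous price: quote units per token."""
        return self.quote / self.token

    def swap_quote_for_token(self, quote_in: float) -> float:
        """Constant-product swap (x * y = k); returns tokens paid out."""
        effective = quote_in * (1 - FEE)
        token_out = self.token * effective / (self.quote + effective)
        self.quote += quote_in
        self.token -= token_out
        return token_out


def price_move(token_reserve: float, quote_reserve: float,
               quote_in: float) -> float:
    """Factor by which a single trade multiplies the pool's spot price."""
    pool = Pool(token_reserve, quote_reserve)
    before = pool.spot_price()
    pool.swap_quote_for_token(quote_in)
    return pool.spot_price() / before


def checked_price(pool: Pool, reference: float, min_quote_liquidity: float,
                  max_deviation: float = 0.05) -> float:
    """Defensive oracle read (hypothetical helper).

    `reference` stands for an independent or time-averaged price.
    Both thresholds are policy values chosen for this example.
    """
    if pool.quote < min_quote_liquidity:
        raise ValueError("pool too thin to use as a price source")
    spot = pool.spot_price()
    if abs(spot - reference) / reference > max_deviation:
        raise ValueError("spot price deviates from reference")
    return spot


if __name__ == "__main__":
    trade = 1_000_000  # same trade size against two pools at the same price
    print("thin pool: price x%.1f" % price_move(100_000, 50_000, trade))
    print("deep pool: price x%.3f" % price_move(100_000_000, 50_000_000, trade))

    thin = Pool(100_000, 50_000)
    thin.swap_quote_for_token(trade)
    try:
        checked_price(thin, reference=0.5, min_quote_liquidity=10_000_000)
    except ValueError as err:
        print("rejected:", err)
```

The same trade that moves the deep pool by about 4% multiplies the thin pool's price several hundred times, which is why the guard refuses the thin pool outright instead of relying on the deviation bound alone.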
What made people’s eyebrows rise up to their hairlines wasn’t just the beginner-level security mistake that crashed their entire protocol. It was the fact that this rookie error perfectly aligned with the abysmal security measures the protocol was “armed” with.
Polter Finance deemed security audits unnecessary after simply copy-pasting the audited Geist code to operate their protocol.
Instead of conducting a security audit on a protocol that held the trust and millions of dollars of user funds — since there is no such thing as a perfect copy-paste of another protocol, as every protocol implements its own parameters and unique adjustments — they chose to provide Geist’s audit in lieu of their own.
Their audacity, if one chooses to call it that, was certainly well rewarded.
Polter Finance’s “Audit” Page — Source: Polter Finance
On top of that, Polter Finance has faced accusations of possibly inflating the reported funds lost in the hack. Their police report claimed higher losses, but blockchain forensics have been able to confirm that “only” around $8.7 million was actually siphoned from the protocol.
To close this edifying case, we borrow the words of Rekt.news: “When will they learn that ‘fork and pray’ isn’t a security strategy?”
DeltaPrime: More of the Same — $11 Million Lost in Just Two Months
DeltaPrime was hacked for $4.8 million due to a critical flaw in the periphery adapter contract.
The attacker, using a flash loan, exploited two smart contract vulnerabilities, specifically input validation issues according to CertiK’s investigation.
Unchecked input allowed anyone to enter an address without properly verifying whether it was valid or allowed. The attacker exploited this vulnerability to send the tokens they borrowed to any address of their choice.
The second vulnerability involved arbitrary address input, which was exploited through the claim mechanism to withdraw collateral by manipulating the address input. The attacker forced DeltaPrime to release collateral they shouldn’t have been able to access by using their own address.
The attack resulted in the theft of $753K on Arbitrum, quickly followed by another attack on Avalanche, stealing an additional $4.1M.
This multi-million-dollar hack follows DeltaPrime’s $6 million private key exploit due to admin key vulnerabilities in September 2024.
In both cases, PeckShield’s audits from 2022 and 2023 had specifically flagged the vulnerabilities that were exploited in the two attacks.
DeltaPrime chose not to update their code, leaving those glaring vulnerabilities open to attack. Literally written in black and white, sitting plainly in those audits for anyone to find and exploit — and that’s exactly what happened.
We have to ask: who wins the round? Is it worse to not have lifted a single security finger and gotten hacked, or to have paid for audits that pointed out the very causes of your downfall and still done nothing?
GIFTO: Mint-and-Dump or Hack?
On November 26th, Binance announced that it would delist the GFT/USDT trading pair on December 10th, 2024, triggering an unanticipated crisis for GFT holders.
While a little market panic was anticipated, holders did not foresee that the Gifto team, following the news, would mint 1.2 billion GFT tokens (worth over $8.6 million) within an eight-hour window and then deposit them into exchanges.
Effectively, they minted and dumped their bags onto their holders.
The mint-and-dump caused the GFT market price to plummet by 40%, resulting in over $13.5 million in gains for the minter(s), according to CertiK data.
After multiple blockchain sleuths raised alarms and the community voiced their outrage, the Gifto team took to Twitter to declare “a critical security incident involving the GFT contract.”
Gifto Announcement of a Security Incident — Source: Twitter
Now, is it true, or is it just another case of an exit scam posing as a hack, of which the crypto community has seen legions? It is a subject we broached at length in our report on the matter.
Scams Masquerading as Hacks: A Crypto Plague — The ZBexchange Case
While they claimed the GFT token contract had been compromised, a week has passed since then, and they haven’t come forward with more explanation about what really happened and what this “critical security incident” is all about.
Both the team’s attitude and the circumstances make suspicions run high.
A single tweet has yet to absolve the team of accusations that the project exploited the delisting as an exit strategy.
Meanwhile, perhaps more questions should be directed at Binance. The exchange never fully explained why it decided to delist GIFTO in the first place, offering only generic criteria about how delisting decisions are made.
This story, whether it ultimately proves that the team behind GIFTO were fraudsters at heart or that the project had severe security vulnerabilities, underscores the validity of Binance’s decision to delist it.
Only Binance knows the true motivations behind their choice to delist Gifto, and they may hold the key to understanding what really transpired on that fateful day.
Crypto Scams: Ex-Fortnite Pro Player Unveiled as Scam Kingpin, with $11 Million Lost to SIM Swapping Linked to a Worldwide Threat Group
The Ex-Fortnite Pro Player Turned Crypto Scam Ring Leader
Although Instagram and Twitter hacks have been a constant in the crypto landscape since 2022, 2024 saw a shift in who was targeted. Whereas NFTs and DeFi projects were once the primary focus, most of these hacks in 2024 target high-profile brands and individuals who have little to do with crypto to begin with.
These hacks are typically carried out by serial perpetrators who have mastered the process.
A thorough investigation by crypto sleuth ZachXBT in November 2024 revealed that one such serial scammer was behind at least nine account compromises over the past few months, accounting for $3.5 million lost by crypto users.
List of Hacks Allegedly Operated by Serpent — Source: ZachXBT’s Twitter
Among them were hacks targeting McDonald’s, Usher, SPX 6900, and Wiz Khalifa. After the hacks, posts promoting the scam coins on the Pump.fun meme coin launchpad were made.
Phishing Posts on McDonalds and Usher Social Media Pages — Source: ZachXBT’s Twitter
The token GRIMACE, from the McDonald’s hack, brought in over $690,000!
Following the blockchain tracks left by the scammer, ZachXBT was not only able to connect all of them together, but they also led him to the person allegedly behind them: Serpent, a former pro Fortnite player from Australia.
Serpent apparently has a profound issue with staying on the right side of morality, as he was dismissed from the league after investigations revealed he cheated in 2020.
Four years later, he was caught once again in amoral dealings, but with a crypto twist this time.
Overtime announcement of Serpent’s dismissal — Source: ZachXBT’s Twitter
His career as a fraudster, however, didn’t start with this slew of hacks.
ZachXBT was able to trace his tracks further back to two rug pulls. The first was a project called DAPE, launched in March 2022. The second occurred a few months before the McDonald’s hack, in March 2024, when he launched the project ERROR. He made off with 29 ETH but was banned from Twitter for this latest rug pull.
One of the reasons ZachXBT was able to connect all these dots is Serpent’s vice, which ultimately led to his downfall: gambling.
“Serpent gambles millions of dollars on Roobet, Stake, BC Game, and Shuffle each month, frequently screensharing with friends on Discord,” ZachXBT reported. Unfortunately for Serpent, the people with whom he shared his wins forwarded the recordings of him sharing multiple deposit and withdrawal addresses he used during those screenshares.
It was also revealed that Serpent didn’t operate those scams alone. ZachXBT linked a certain “DEX” from Massachusetts to the Andy Ayrey case.
According to the rather discombobulated ramblings of the accused, when he tried to explain away his involvement, Serpent used his network to leverage their CEX/Binance accounts to manipulate and gain the scam tokens he created.
He also revealed at least one other accomplice of Serpent in the Wiz Khalifa case, while presenting himself as a somewhat innocent opportunist.
Serpent’s Alleged Accomplice Declaration of Innocence — Source: ZachXBT’s Twitter
ZachXBT has sent a detailed report on the case to a victim of one of the account compromises with whom he has been working; hopefully, justice will be brought to Serpent’s victims.
Scattered Spider Entraps Dozens in Their Web of Scams
In November 2024, another major crypto crime story came to light: The Scattered Spider Case.
On November 20th, U.S. prosecutors charged five individuals in connection with an $11 million crypto theft scheme. The defendants — Noah Urban (20, Florida), Evans Osiebo (20, Dallas), Ahmed Elbadawy (23, Texas), Joel Evans (25, North Carolina), and alleged leader Tyler Buchanan (22, Scotland) — were charged with conspiracy, wire fraud, and aggravated identity theft.
The group targeted at least 29 individuals, including a victim who lost over $6.3 million in cryptocurrency. Their tactics range from sending phishing links via SMS or Telegram to more sophisticated methods, such as SIM-swapping attacks, enabling them to steal login credentials for work accounts or crypto exchanges.
In the case of the $6.3 million theft, the victim’s email was compromised; the attacker, allegedly Elbadawy, then accessed their cryptocurrency wallets.
A court document alleges a victim was hacked for over $6.3 million in crypto. Source: PACER via Cointelegraph.
SIM-swapping has caused significant damage in the crypto community. It cost them at least $13.3 million during the summer of 2023 and was also behind the $447 million hack of FTX in 2022.
We have discussed the subject at length in this article:
Enhancing Security in Web3: Exploring 2FA, its Limitations, and the Menace of SIM Swapping
The most interesting part of this case is who and what these five perpetrators are linked to.
They are accused of being active participants in the Scattered Spider group (UNC3944), whose first criminal activities date back to 2021.
The crypto crimes we discussed are, in fact, just the tip of the iceberg.
In August 2022, security researchers revealed that over 130 organizations, including Coinbase, Riot Games, and DoorDash, had been targeted by a phishing campaign through Okta, an identity provider used worldwide for remote employee access. Nearly 10,000 employees had their credentials stolen by the malicious group behind the attacks, initially dubbed “0ktapus.”
“0ktapus” Modus Operandi — Source: GROUP IB
But it quickly became apparent that “0ktapus” was no monolithic group.
Authorities and security researchers discovered that the group was involved in nearly every type of hacking activity, mastering a wide range of scamming techniques.
They appeared more as an aggregation of specialized subgroups, sometimes overlapping, with strong ties to other criminal organizations, particularly ransomware gangs. The widespread scope of their activities and their diverse membership led cybersecurity firm CrowdStrike to rebrand them with a fitting name in early 2023: “Scattered Spider.”
Their most high-profile criminal acts were the September 2023 attacks on Caesars Entertainment and MGM casinos. The MGM breach, which cost the company over $100 million, led to days of disruption after Scattered Spider, in collaboration with the Russian ransomware group ALPHV, extorted MGM in exchange for their files.
In their November 2023 cybersecurity advisory, the U.S. Cybersecurity and Infrastructure Security Agency categorized Scattered Spider as “a cybercriminal group that targets large companies and their contracted IT help desks,” which “typically engages in data theft for extortion.”
The modus operandi used is similar to the one in the crypto cases and 0ktapus.
“In most instances, Scattered Spider threat actors conduct SIM swapping attacks against users that respond to the phishing/smishing attempt. The threat actors then work to identify the personally identifiable information (PII) of the most valuable users that succumbed to the phishing/smishing, obtaining answers for those users’ security questions. After identifying usernames, passwords, PII, and conducting SIM swaps, the threat actors then use social engineering techniques to convince IT help desk personnel to reset passwords and/or MFA tokens to perform account takeovers against the users in single sign-on (SSO) environments.” — Source: CISA
In addition to their unconventional typology, Scattered Spider stands out for the unusually young age of its members, and this is no coincidence.
In a September 2023 interview with TechCrunch, Allison Nixon, Chief Research Officer at Unit 221B, revealed that Scattered Spider deliberately recruits minors, also known as “advanced persistent teenagers,” due to “the lenient legal environment these minors operate in and the fact that nothing will happen to them if the police catch a kid.”
Minor or not, it appears that U.S. authorities have finally caught up with them after a long and arduous chase.
In January 2024, 19-year-old U.S.-based Noah Michael Urban was charged with wire fraud, aggravated identity theft, and conspiring with others to use SIM-swapping to steal cryptocurrency.
Noah Michael Urban — Source: KrebsOnSecurity
One week after the five were indicted, 19-year-old Remington Ogletree from California was arrested and charged with criminal activities related to Scattered Spider, activities that netted him over $4 million. Notably, he used a money laundering service that was part of an undercover FBI operation to launder more than $125,000.
Bonus Story — Crypto Market Up, Kidnapping Up?
On November 6th, Dean Skurka, CEO of the Toronto-based crypto firm WonderFi Technologies, endured a terrifying ordeal when he was kidnapped.
WonderFi CEO Dean Skurka. Source: LinkedIn
Forced into a car in downtown Toronto during rush hour by multiple individuals, Skurka was told to pay $1 million for his release.
Left with little choice, he wired the money electronically and was later released in Centennial Park in Etobicoke, thankfully uninjured.
WonderFi CEO Dean Skurka reportedly said in an email that he is “safe” now and that no company funds and data were impacted.
After CBC broke the news, Skurka confirmed the kidnapping, assuring the public that he was safe and that no company funds or data had been stolen.
For anyone who has been following crypto news in 2024, this latest kidnapping comes as no surprise. Since the second half of the year, it seems that crimes against individuals related to crypto have been breaking news nearly every week.
In fact, it’s the 16th reported case of physical attacks against crypto holders, executives, or influencers in 2024.
One of the most tragic cases occurred on July 28th, when a 29-year-old Moroccan Bitcoiner was kidnapped from his apartment, forced to transfer 3 BTC, and then strangled to death before being buried in a forest.
A closer look at a GitHub repository that attempts to record “known attacks against Bitcoin/crypto asset-owning entities” that are publicly reported quickly reveals that the occurrence of these crimes is intrinsically linked to the state of the crypto market.
If the market is up, physical attacks are up.
This trend was confirmed by the repository’s creator, Jameson Lopp, co-founder and Chief Security Officer of Casa, a self-custody solution, in an interview with the CBC.
Based on his data, the Skurka case is the 171st instance of physical attacks in crypto theft he has recorded since December 2014.
According to him:
“The rates of these kinds of incidents tend to correlate with the exchange rate of bitcoin. […] As the price goes up, more awareness of the space permeates throughout society, and as a result, more criminally minded people decide they want to try to figure out what the ROI of executing a physical attack against a known crypto holder is.”
For Lopp, violent attacks in crypto theft are also motivated by how convenient they can be for criminals compared to robbing a bank or an armored truck.
When you think about it, “crypto kidnapping” can be considered, from a criminal perspective, as one of the most efficient forms of extortion. In this method, criminals can demand extremely large sums of money in the form of cryptocurrency, which can be transferred in a matter of minutes with just a few clicks. This makes the process faster, more discreet, and less physically demanding than traditional kidnapping.
In contrast, traditional kidnappings often involve more logistical challenges. Victims are unlikely to have millions of dollars lying around their homes, meaning family members must be mobilized to acquire the ransom from banks or other sources, adding complexity to the process. Moreover, the physical delivery of money in a traditional kidnapping creates more opportunities for law enforcement to track the ransom exchange, increasing the risk for the perpetrators.
On the other hand, with crypto kidnapping, the use of digital currencies allows criminals to bypass these obstacles.
With Bitcoin making headlines worldwide after breaking $100,000 in value, it’s highly likely that large crypto holders will face an increased threat of such crimes.
One of its latest absurd victims isn’t even human. A crypto ATM was stolen after a truck-ramming raid at a shopping center in Melbourne. Apparently, the digital nature of Bitcoin has eluded the thieves.
Source: The Bitcoin Express
Our November 2024 crypto-criminal report ends here!
Dive into our H1 2024 and Q3 2024 crypto crime reports to stay updated on what happened this year!
H1 2024 CRYPTO CRIME REPORT: $2 Billion Lost to Hacks & Scams
Almost $1 Billion Lost: Q3 2024 Crypto Crime Report
See you all next month for another crypto crime report.
Until then, stay safe!
About us
Nefture is a Web3 real-time security and risk prevention platform that detects on-chain vulnerabilities and protects digital assets, protocols and asset managers from significant losses or threats. Nefture’s core services include Real-Time Transaction Security and a Threat Monitoring Platform that provides accurate exploit detection and fully customized alerts covering hundreds of risk types, with clear expertise in DeFi. Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions.
+132 Million Lost — November Crypto Crime Report was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.