There are three major drawbacks to the crypto industry – scams, rugs and hacks. While these are common events in the Web2 space, it becomes worse when travailing in a semi-regulated industry like crypto.

An X (formerly known as Twitter) post from CertiK Alert, CertiK’s page for crypto hacks, flashloans and crypto scams alerts, revealed that $32.2 million worth of crypto assets was lost to crypto scams, hacks and exploit in October, with a YTD loss of over $1.3 billion. Crypto exploits accounted for $22 million, flashloans $1.7 million, and crypto scams $8 million.

This article covers some of the major crypto scams, hacks, attacks and exploits in October.

BigWhale.io security breach

On October 3, BigWhale experienced a security breach that led to the theft of over 7,000 $BNB (worth over $1.5 million at the time of the attack) from its smart contract. According to the team’s report, the attack was due to a private key breach. Upon discovering the breach, the team contacted its KYC auditor, Solidproof and smart contract auditor, CertiK.

BigWhale.io is a staking and lending Defi bank founded in 2020,  built on the Binance Smartchain, the protocol offers its users 2% daily returns on staked assets.

Lucky Star Currency rug

Lucky Star Currency was a project built on the narrative of astrology and NFT. Somehow, the team was able to give investors the impression that they were astrologers. These “astrologers” claimed to have built an NFT Marketplace and Award Center, and had an office in Shenzhen City, China. The project was heavily promoted to the Chinese audience via Toutiao and popular forum website, Zhihu.

On October 9, CertiK reported about an exit scam on the LSC token contracts. The token which the hacker withdrew was sold for $1.1 million.

Fantom Foundation Wallet hack

On October 17, the Fantom Foundation experienced a wallet hack, amounting to a total loss of $7 million. Crypto audit and security firm, CertiK, reported that Fantom Foundation Wallet 20 lost $470,000 on $FTM and Fantom Foundation Wallet 18 lost at least $187,000 on ETH.

The Fantom Foundation was founded in 2018 by a group of developers who worked together to build the Fantom Layer-1 network and the Fantom Virtual Machine.

“We are aware of reports indicating a small number of Fantom wallets were compromised earlier today. At this juncture, we can confirm the wallets in question were affected.” – Fantom Foundation on X

The team reassured the community that the wallets hacked were no longer utilized by the Foundation and had been reassigned to a Fantom employee.

“The significant majority of Fantom Foundation funds (more than 99%) was unaffected and remains secure. Some of these impacted wallets were labelled “Foundation Wallets”, but they were no longer being utilized by the organization and had been reassigned to a Fantom employee, making this a targeted personal attack. The funds lost by the employee are currently being tracked and investigated.”

Hope Lend exploit

On October 18, Ethereum Defi protocol, Hope Lend suffered an attack that drained the lending protocol of all its assets. According to reports from team and security experts, the hacker stole 528 ETH but had to pay a huge amount (263.91 ETH) in bribe fee to validator.

“HopeLend protocol fell victim to a hacker attack. It is important to note that the hacker did not profit from this attack. The attack resulted in a loss of approximately 528 ETH, out of which 263.91 ETH were bribed by the frontrunner to a Validator (managed by Lido). The exploit frontrunner eventually profited by 264.08 ETH.” Hope.money on X

The team also reminded the community that the hack on Hope Lend did not affect other products deployed on Hopemoney, as each product was independent.

“It is crucial to emphasize that all protocols deployed on Hope.money are independent and will not impact the various other products and protocols currently live on the platform, including HopeCard, HopeSwap and $HOPE. We are committed to ensuring the protection of the affected users’ rights and the corresponding funds remain secure.”

In another post on X, the team confirmed that the acquired asset was returned voluntrarily by a frontrunner from Armor Team. But data from Defillama shows that HopeLend holds a little amount of funds in its TVL.

Coins.ph hack

Coins.ph is a Phillipines based crypto brand launched in 2014 and regulated by the Bangko Sentral ng Pilipinas (BSP), Coins.ph offers solutions to the crypto needs of 16 million users, allowing users to buy and sell various crypto assets.

On October 20, The Block reported an exploit on Coins.ph that resulted to a loss of 12.2 million $XRP (over $6 million). A supposed hacker exchanged 999,999 $XRP lots thirteen times and another amounting to 200,000 $XRP. The $XRP tokens was sent through OKX, WhiteBIT, OrbitBridge, SimpleSwap, ChangeNOW and Fixed Float. Luckily, WhiteBIT was able to react promptly and blocked a transaction of 445,000 $XRP.

LastPass breach

LastPass is a password manager application owned by GoTo that allows users to store, secure, and autofill their passwords. With LastPass, you only need to remember one password, your Master Password, which is the key to all your account credentials.

In 2022, LastPass suffered a data breach through a compromised developer account that hackers used to access the company’s developer environment. The hackers were able to steal a portion of their source code and LastPass technical information although the team said that there was no evidence that customer data or encrypted password vaults were compromised, noting that only users knew the master password required to decrypt them.

However, a spokesperson from LastPass advised customers with weak passwords to reset their passwords.

On October 25, 2023, hackers were able to steal over $4 million in crypto assets using stolen private keys and passphrases stored in LastPass. This means hackers coud still decrypt and steal users data from LastPass, and the easiest targets were crypto users

“Just on October 25, 2023 alone another $4.4M was drained from 25+ victims as a result of the LastPass hack. Cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass migrate your crypto assets immediately.” – ZachXBT on X