Plus two 51% attacks, extortion, an exploit, and an exit scam.
As prices swell and traction begins to build in everything from Bitcoin purchases to DeFi activity, there’s also quite a bit of activity going on in the underbelly of crypto — hacks, attacks, scams. Leading the week’s news was the arrest of Graham Ivan Clark, the alleged mastermind of the Twitter hack, who turned out to be a 17-year-old self-proclaimed “full time crypto trader dropout.” There were also two 51% attacks on Ethereum Classic, an exit scam on a Korean fork of YFI and an exploit on Opyn. But there was positive news too, with Square’s Cash App more than doubling its Bitcoin sales revenue from Q1, and Ethereum launching the testnet for Ethereum 2.0. And, it seems lawmakers are looking to protect future proof-of-stake validators from massive IRS headaches.
On Unchained, CipherTrace’s Dave Jevans and X Reg Consulting’s Sian Jones discuss the most consequential global crypto regulation that will be rolled out over the next few years — the travel rule. And on Unconfirmed, Michael Sonnenshein of Grayscale talks about its filing of a Form 10 for the Grayscale Ethereum Trust, which will enable it to become an SEC-reporting company.
Graham Ivan Clark, a 17-year-old Tampa resident, was arrested last Friday for allegedly being the brains behind last month’s Twitter hack, in which the accounts of Barack Obama, Jeff Bezos, Joe Biden and other prominent people were taken over. As The New York Times put it, “His arrest raised questions about how someone so young could penetrate the defenses of what was supposedly one of Silicon Valley’s most sophisticated technology companies.”
Clark had a troubled family life and spent much of his time online, where he developed a reputation for “scamming” people out of money, photos and information, according to people who, for instance, played video games such as Minecraft with him and got swindled for $50 or $100. He later got involved in cryptocurrencies and joined an online forum called OGUsers, where he described himself as a “full time crypto trader dropout,” but was later banned by the community after failing to pay Bitcoin to a user. From OGUsers, he entered a hacker community that focused on SIM swapping people’s phone numbers to gain access to and steal their cryptocurrency. That group targeted a Seattle tech investor and drained his accounts of 164 bitcoins, then worth $856,000 — now worth $1.9 million. The extortion note was signed by “Scrim,” which is allegedly one of Clark’s online aliases. In April the Secret Service seized 100 bitcoins from Clark and the Seattle tech investor received a letter from the Secret Service saying the agency had recovered 100 of his bitcoins. Additionally, The Block reports that Clark currently has 300 BTC ($3.5 million). A friend of Clark’s said the run-in with the Secret Service frightened him, but within two weeks, according to the government affidavit, he convinced a Twitter employee that he worked in the social media company’s IT department — and from there the hack began.
In the second quarter of 2020, the Square Cash App saw revenue of $875 million, which, because it’s based on the purchase price, also reflects the runup in BTC. However, the Cash App’s gross profit has also more than doubled, from $7 million in Q1 to $17 million in Q2. Revenue is up 600% year over year and the bitcoin gross profit is up 711% year over year. And according to this chart by The Block, as a proportion of the company’s total gross profit, it shot up from 1.24% in Q1 to 2.84% in Q2.
On a related note, after the bitcoin and ether prices both rose dramatically in the last few weeks, they also both saw a brief crash within six minutes on Sunday — with bitcoin dropping by 12% and ether by 20% — as more than $1 billion in futures was liquidated. However, the prices have mostly recovered since.
Meanwhile, according to Coin Metrics, Bitcoin addresses holding at least $10 of cryptocurrency have hit a new all-time high of 16.6 million, up 14.5% from the previous peak of 14.5 million from January 2018.
The final testnet ahead of the launch of Ethereum 2.0 went live on Tuesday, with 20,000 validators staking 650,000 ETH. The testnet also features five clients: Teku, Prysm, Nimbus, Lodestar and Lighthouse.
If you’re looking for a good overview of the state of Ethereum today, Delphi Digital released the first of its monthly reports on Ethereum, going over pretty much every major issue on the network, including everything from whether Ethereum’s proof of stake system can compete with yield in DeFi to the details of Ethereum Improvement Proposal 1559. It shows how DeFi is leading Ethereum’s momentum, gives an analysis of demand for Grayscale’s Ethereum Investment Trust, and breaks down the various attractions of DeFi in areas such as decentralized exchanges, yield farming as a token distribution mechanism and what the growth of Bitcoin on Ethereum means for the security of the Bitcoin blockchain. One of the more interesting charts shows that 58% of ETH has not moved in over a year. Another shows that the DeFi protocols that introduced liquidity mining saw fast growth among users, though Uniswap, which does not have a token, still has the most users overall.
The Block reports that Bitcoin’s market cap is roughly five times that of Ethereum, but trading volumes for ether in the spot and futures markets are rising faster. Since September 2019, on the spot markets, the ETH/BTC price ratio has more than doubled, and the trading volume of ETH is about half that of BTC, whereas in September it was at 19%. The ratio of ETH futures trading volume to BTC futures trading volume has increased from 8% in September to 29% today.
After several days, what was initially thought to be an innocent mistake on Ethereum Classic turned out to be a 51% attack by a malicious miner. In the end, the attacker double-spent 807,260 ETC ($5.6 million) while spending just 17.5 BTC ($192,000) to execute it. The way this person carried it out was by sending ETC from an exchange to his or her own wallets, then back to the exchange on the ETC blockchain. The attacker then used what amounted to more than 51% of the ETC hash power to mine thousands of blocks, in which he or she sent ETC from those wallets to other wallets he or she controlled instead of back to the exchange. The attacker then broadcast those blocks, which reorganized the chain, replacing those blocks containing the transactions to the exchange with the transactions to the other wallets. It seems OKEx may have been the exchange targeted.
And if that isn’t crazy enough, on Thursday, Ethereum Classic experienced a second 51% attack with a reorganization of more than 4,000 blocks. CoinDesk reported that the majority of Ethereum Classic miners are continuing to mine the shorter version of the chain, though the reorganized blockchain is currently longer.
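The reorganization described above, seen from the side of an exchange or node operator, as an added example that is not from the original newsletter: it finds where the replaced chain and the replacement chain diverge, measures the reorg depth, and lists deposits to watched addresses that existed only in the orphaned blocks. The block layout, addresses and transactions are constructed for illustration and are not Ethereum Classic data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    height: int
    hash: str
    parent: str
    txs: tuple  # each tx: (txid, sender, recipient, amount)

def make_chain(prefix, tx_lists, parent, start):
    """Build a linked run of constructed blocks for the sample data."""
    chain = []
    for i, txs in enumerate(tx_lists):
        block_hash = f"{prefix}{start + i}"
        chain.append(Block(start + i, block_hash, parent, tuple(txs)))
        parent = block_hash
    return chain

def fork_point(old, new):
    """Height of the last block both chains share (-1 if none)."""
    common = -1
    for a, b in zip(old, new):
        if a.hash != b.hash:
            break
        common = a.height
    return common

def analyze_reorg(old, new, watched):
    """Compare the chain a node had accepted with the chain that replaced it."""
    fp = fork_point(old, new)
    orphaned = [b for b in old if b.height > fp]
    adopted = {t[0] for b in new if b.height > fp for t in b.txs}
    reversed_deposits = [
        {"txid": t[0], "amount": t[3],
         "confirmations": old[-1].height - b.height + 1}
        for b in orphaned for t in b.txs
        if t[2] in watched and t[0] not in adopted]
    return {"fork_height": fp, "depth": len(orphaned),
            "reversed": reversed_deposits}

def credited_before_reversal(result, required_confirmations):
    """Deposits that had enough confirmations to be credited, then vanished."""
    return [d for d in result["reversed"]
            if d["confirmations"] >= required_confirmations]

# Constructed sample: both chains share heights 0-2, then diverge.
SHARED = make_chain("s", [[], [], []], "genesis", 0)
DEPOSIT = ("tx-deposit", "wallet_A", "exchange_hot", 100)
CONFLICT = ("tx-conflict", "wallet_A", "wallet_B", 100)  # same coins, other recipient
OLD = SHARED + make_chain("a", [[DEPOSIT], [], []], "s2", 3)
NEW = SHARED + make_chain("b", [[CONFLICT], [], [], []], "s2", 3)
```

A deposit is only safe from a reorg of depth d if the required confirmation count is greater than d, which is why a reorganization of thousands of blocks defeats any ordinary confirmation policy.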
Four members of the Congressional Blockchain Caucus wrote a letter to the Internal Revenue Service requesting that stakers not get taxed for receiving block rewards, but only on their gains when they sell. Representatives David Schweikert of Arizona, Bill Foster of Illinois, Tom Emmer of Minnesota, and Darren Soto of Florida wrote, “It is possible the taxation of ‘staking’ rewards as income may overstate taxpayers’ actual gains from participating in this new technology. It could also result in a reporting and compliance nightmare, for taxpayers and the Service alike.” One of the concerns is that staking protocols could release new tokens every few minutes, which would create hundreds of taxable events every year. Another is that gains do not always reflect income, because an individual staker’s tokens may increase by 6% but that may be because the supply of tokens on the network has increased 5%. Coin Center advocates that block rewards not be taxed as income, but “like crops, minerals, livestock, artwork and assembly widgets: they should be taxed when they are sold, not when they are created.” The advocacy group says validating on a proof-of-stake network isn’t like being paid revenue, but instead, like creating a valuable item through labor, the way one might “[grow valuable] crops on one’s own land or [extract] minerals from one’s own mines.”
DeFi Hacks, Scams and Blunders Roundup
Some users of DeFi options issuance platform Opyn lost 371,000 USDC due to an exploit on its ETH put contracts. The attacker was able to steal the collateral of some puts by “double exercising” oTokens.
Similarly, the creator of Asuka token, a fork of YFI, allegedly exit scammed. Korean crypto news outlets reported that Jongchan Jang shut down the token’s website and social media accounts; the Asuka token plummeted from $1,600 to $19.
yVault, a new product put out by yEarn, was a bit luckier: before any exploit occurred, Trail of Bits caught a bug that could have allowed an attacker to drain most if not all of the pool’s yUSDC assets.
Meanwhile, The Block reports that the SEC is looking to buy a blockchain forensics tool to help it monitor smart contracts to detect the contract purpose, token sale specifications, permission management, and security and vulnerability management.
Dan Robinson of crypto VC firm Paradigm tweeted, upon hearing the news that the Ethereum Classic chain had been 51% attacked, “I was told that this was the immutable chain.”