Callers impersonated police in Colorado Bitcoin scam
Some residents of the state of Colorado in the United States have fallen victim to a new police impersonation scam.
According to an Oct. 31 report from local news site Summit Daily, a scammer called residents and claimed to be a representative of the local government. They told the victim that they had to pay a $10,000 fine for missing jury duty, which must be paid in Bitcoin.
In response, the victim transferred $6,000 of Bitcoin (BTC), but the real authorities stopped the victim from transferring the remaining $4,000, saving it from the attacker’s hands.
According to the report, this isn’t the only incident of BTC phone scams in the area. In another case, the attacker managed to spoof the local Sheriff’s department’s phone number.
They called several individuals claiming to be “Sergeant Schilling” and demanding money. The phony “sergeant” claimed that the individuals had missed court dates and that he had a warrant for their arrest. Unlike the previous case, none of these individuals sent any money or gave out any personal information to the attacker.
According to the report, the Sheriff’s department released a statement stating that they will never ask users to transfer BTC while on the phone.
Crypto users should be aware that blockchain transactions are irreversible. Once a user sends crypto to an address, it can’t be recovered. For this reason, users should take extra care to make sure that whoever they are sending funds to really is the person they claim to be.
Sunray Finance hit with $2.7 million attack
Perpetuals trading protocol Sunray Finance on Arbitrum was exploited for $2.7 million on Oct. 30, when an attacker managed to upgrade the protocol’s contract and mint two-hundred sextillion (200,000,000,000 trillion) of the protocol’s native SUN token, according to a report from blockchain security firm TenArmor.
The attacker subsequently swapped half of the tokens for $2.1 million worth of Tether (USDT). The attack collapsed the SUN price.
The exploiter appears to have overlooked the fact that there was a second liquidity pool for SUN. In the very next block, an arbitrage bot purchased approximately 90 sextillion SUN from the pool that the attacker had dumped the coins into, which it then sold into the second pool at a profit of approximately $560,000 worth of Ether (ETH). This collapsed the price in the second pool as well.
Sunray disclosed the attack on X, stating that there was “a sudden issuance of Sunray treasury asset tokens.” It stated that it is “working hard to recover all data” and urged users to remain patient while it investigates.
Source: Sunray Finance
Because the attacker initiated a contract upgrade, TenArmor suggested that the attack may have been caused by a leaked private key.
Crypto users should be aware that some protocols contain upgradeable contracts. These contracts consist of two parts: a proxy contract that holds balances and an implementation contract that holds code.
The developer or admin can change the implementation contract at any time by having the proxy point to a different implementation, which can result in changes to the way the protocol functions.
If a protocol contains upgradeable contracts, it usually means that admins can drain it of funds anytime they want. For this reason, users should only interact with upgradeable contracts if they have a high degree of trust in the developer.
Even if the developer is completely trustworthy, upgradeable contracts can still be exploited if an attacker steals the developer’s private key, which may be what happened in this case.
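As an added illustration (not code from the original article and not Sunray's contracts), here is a toy Python model of the proxy/implementation split just described: state lives in the proxy, behaviour in a swappable implementation object, and a single admin key is enough to repoint the proxy. A timelocked variant is shown beside it, since a mandatory delay between announcing and applying an upgrade is the common mitigation: it gives users and monitoring a window to react. Class names, the event list and the `delay_blocks` value are assumptions made for the example.

```python
"""Toy model of the proxy/implementation pattern described above (added
illustration in plain Python, not EVM code and not Sunray's contracts).
State lives in the proxy; behaviour comes from a swappable implementation
object, standing in for delegatecall. Class names, the event list and the
`delay_blocks` timelock are assumptions made for this example."""
from dataclasses import dataclass, field

@dataclass
class Storage:
    admin: str
    balances: dict = field(default_factory=dict)
    total_supply: int = 0

class TokenV1:
    """Implementation: logic only, operating on storage passed in."""

    def transfer(self, s: Storage, caller: str, to: str, amount: int) -> None:
        if s.balances.get(caller, 0) < amount:
            raise ValueError("insufficient balance")
        s.balances[caller] -= amount
        s.balances[to] = s.balances.get(to, 0) + amount

class TokenV2Mint(TokenV1):
    """Replacement implementation adding an admin-only mint. Whoever holds the
    admin key, rightful developer or key thief, can install logic like this."""

    def mint(self, s: Storage, caller: str, to: str, amount: int) -> None:
        if caller != s.admin:
            raise PermissionError("not admin")
        s.balances[to] = s.balances.get(to, 0) + amount
        s.total_supply += amount

class Proxy:
    """Holds storage and forwards every call to the current implementation."""

    def __init__(self, admin: str, impl) -> None:
        self.s = Storage(admin=admin)
        self.impl = impl
        self.events: list = []  # stands in for emitted on-chain events

    def call(self, method: str, caller: str, *args):
        fn = getattr(self.impl, method, None)
        if fn is None:
            raise AttributeError(f"implementation has no {method!r}")
        return fn(self.s, caller, *args)

    def upgrade_to(self, caller: str, new_impl, current_block: int = 0) -> None:
        # Instant upgrade: a single admin key is all it takes.
        if caller != self.s.admin:
            raise PermissionError("not admin")
        self.impl = new_impl
        self.events.append(("Upgraded", type(new_impl).__name__))

class TimelockedProxy(Proxy):
    """Same proxy, but an upgrade must be announced `delay_blocks` ahead,
    giving users and monitors a window to react before it takes effect."""

    def __init__(self, admin: str, impl, delay_blocks: int) -> None:
        super().__init__(admin, impl)
        self.delay_blocks = delay_blocks
        self.pending = None  # (new_impl, earliest block it may apply)

    def schedule_upgrade(self, caller: str, new_impl, current_block: int) -> int:
        if caller != self.s.admin:
            raise PermissionError("not admin")
        ready = current_block + self.delay_blocks
        self.pending = (new_impl, ready)
        self.events.append(("UpgradeScheduled", type(new_impl).__name__, ready))
        return ready

    def upgrade_to(self, caller: str, new_impl, current_block: int = 0) -> None:
        if self.pending is None or self.pending[0] is not new_impl:
            raise RuntimeError("upgrade was not scheduled")
        if current_block < self.pending[1]:
            raise RuntimeError("timelock has not expired")
        self.pending = None
        super().upgrade_to(caller, new_impl, current_block)

def demo_instant_upgrade():
    """Plain proxy: logic swap and new-supply creation land in one step."""
    p = Proxy(admin="0xADMIN", impl=TokenV1())
    p.s.balances["0xALICE"] = 100  # constructed sample balance
    p.upgrade_to("0xADMIN", TokenV2Mint())
    p.call("mint", "0xADMIN", "0xADMIN", 10**9)
    return p.s.total_supply, p.s.balances["0xALICE"], p.events

def demo_timelocked_upgrade():
    """Timelocked proxy: the same swap is announced before it can apply."""
    p = TimelockedProxy(admin="0xADMIN", impl=TokenV1(), delay_blocks=100)
    v2 = TokenV2Mint()
    ready = p.schedule_upgrade("0xADMIN", v2, current_block=1000)
    p.upgrade_to("0xADMIN", v2, current_block=ready)  # earlier blocks are rejected
    return ready, p.events
```

The point of the comparison is the `UpgradeScheduled` record: with a plain proxy the only on-chain signal is the `Upgraded` event, emitted in the same step as the new logic, whereas the timelocked variant publishes the change a known number of blocks before it can take effect, which is what a monitoring alert or an exit decision can be built on.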
Ramses Exchange falls victim to reward exploit
Another Arbitrum decentralized exchange, Ramses, was exploited for $93,000 on October 24, according to a report from blockchain security platform Blocksec Phalcon. In this case, a contract upgrade was not the cause of the losses. Instead, the code contained a flaw that allowed the attacker to “drain the vulnerable contract.”
According to Blocksec, the Ramses team was informed of the attack and took action to stop it.
Source: Blocksec Phalcon
Another blockchain security firm, SolidityScan, provided a post-mortem report of the exploit on Oct. 25. The attacker used a single nonfungible token to receive rewards repeatedly, without needing to wait for a new reward period to elapse. It was these excessive rewards, which were not intended to be part of the protocol’s design, which allowed the reward pool to be drained, resulting in $93,000 worth of losses.
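The accounting flaw described here, repeated payouts to one position within a single reward period, is shown below as an added Python illustration beside a corrected version and a simple monitoring rule. This is not Ramses's code and not a reproduction of the real exploit; the period length, reward amount, class and function names are assumptions made for the example.

```python
"""Reward-claim accounting: the flaw described above beside a fixed version
(added illustration in Python; not Ramses's code and not a reproduction of
the real exploit). Period length, reward amount and names are assumptions."""

PERIOD = 7 * 24 * 3600   # one reward period in seconds (assumed)
REWARD_PER_PERIOD = 50   # what one NFT position earns per period (assumed)


def period_of(timestamp: int) -> int:
    """Index of the reward period a timestamp falls in."""
    return timestamp // PERIOD


class VulnerableRewards:
    """Pays based on the current period but never records that a token has
    already been paid for it, so every repeated claim in a period succeeds."""

    def __init__(self, pool: int) -> None:
        self.pool = pool
        self.owner_of: dict = {}  # token_id -> owner address

    def claim(self, token_id: int, caller: str, now: int) -> int:
        if self.owner_of.get(token_id) != caller:
            raise PermissionError("not token owner")
        amount = min(REWARD_PER_PERIOD, self.pool)
        self.pool -= amount
        return amount


class FixedRewards(VulnerableRewards):
    """Records the last period each token was paid for; a second claim in the
    same period pays nothing, and the record is updated before any payout."""

    def __init__(self, pool: int) -> None:
        super().__init__(pool)
        self.last_paid_period: dict = {}  # token_id -> period index

    def claim(self, token_id: int, caller: str, now: int) -> int:
        if self.owner_of.get(token_id) != caller:
            raise PermissionError("not token owner")
        current = period_of(now)
        if self.last_paid_period.get(token_id) == current:
            return 0  # already paid this period
        self.last_paid_period[token_id] = current  # effects before payout
        amount = min(REWARD_PER_PERIOD, self.pool)
        self.pool -= amount
        return amount


def claim_repeatedly(contract, token_id: int, caller: str, now: int, tries: int) -> int:
    """Total paid when one token claims `tries` times in the same period;
    a unit test for the reward contract should assert this equals one reward."""
    return sum(contract.claim(token_id, caller, now) for _ in range(tries))


def flag_repeated_claims(claim_log):
    """Monitoring rule over (token_id, timestamp, amount) records: flag any
    token paid more than once within one period."""
    seen: dict = {}
    flagged = set()
    for token_id, ts, amount in claim_log:
        if amount == 0:
            continue
        key = (token_id, period_of(ts))
        seen[key] = seen.get(key, 0) + 1
        if seen[key] > 1:
            flagged.add(token_id)
    return flagged


def run_comparison(pool: int = 1000, tries: int = 30):
    """Constructed scenario: one NFT (id 1) owned by 0xUSER, 30 claims in a row."""
    vuln, fixed = VulnerableRewards(pool), FixedRewards(pool)
    vuln.owner_of[1] = fixed.owner_of[1] = "0xUSER"
    now = 10 * PERIOD + 5
    paid_vuln = claim_repeatedly(vuln, 1, "0xUSER", now, tries)
    paid_fixed = claim_repeatedly(fixed, 1, "0xUSER", now, tries)
    paid_next = fixed.claim(1, "0xUSER", now + PERIOD)  # new period: pays again
    return paid_vuln, paid_fixed, paid_next, vuln.pool, fixed.pool
```

In the constructed scenario the vulnerable contract pays out its entire pool to a single token within one period, while the fixed contract pays once and then again only after a new period has elapsed. `flag_repeated_claims` is the kind of rule a protocol team could run over its own claim events to catch this pattern before a pool is emptied.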
Ramses was audited by security firm Yearn Academy in 2023. SolidityScan did not state whether the exploit was present in the audited version or whether it was added later.
According to the report, the Ramses team has acknowledged the attack and stated that user balances will be unaffected.
Indian police say crypto scammer stole $297K
Police in Dhone, India, are investigating claims that a crypto scammer stole funds from approximately 320 people across multiple regions of the country, gaining over 23 million Indian rupees ($297,000) from victims, according to a report from Deccan Chronicle.
The alleged scammer, Ramanjaneyulu, reportedly promised an income of 10,000 rupees ($119) per month to investors who deposited crypto with him. Accusers said that he claimed to be backed by prominent exchanges such as Binance and OKX and also claimed to represent an organic herbal company.
Police are still investigating the allegations, and no formal case has been registered.