Almost $170 Million Lost in Last Week’s Web3 Exploits

In addition to massive losses stemming from cyberattacks, the previous week witnessed an exceptionally high number of exit scams resulting in over $3 million in damages.

SlowMist also warns about scammers impersonating its brand for scamming purposes.

On November 13, blockchain cybersecurity firm SlowMist reported shocking weekly incident statistics covering the period between November 5 and November 11, during which Web3 projects and their investors lost nearly $138 million. However, the latest statistics are even more unnerving — SlowMist estimates the damage caused by exploits that happened between November 11 and November 25 surpassed $168 million.

Major hacks

According to SlowMist’s experts, the attack on HTX (formerly Huobi) protocol and Heco Bridge was one of the key incidents, leading to "a substantial loss of $113.3 million." This massive exploit followed the attack on Poloniex, another exchange platform associated with TRON’s founder, Justin Sun.

This incident involved the compromise of the bridge’s operator wallet. The attacker exploited the Heco Bridge Operator to withdraw a significant amount of assets, totaling approximately $87 million. Additional losses occurred in HTX hot wallets on Ethereum and TRON.

[Figure: SlowMist rug pull weekly statistics. Source: SlowMist, X]

Kyber Network suffered another substantial theft: $54.7 million worth of cryptocurrency taken across multiple blockchain networks, including Ethereum, BSC, Arbitrum, Optimism, Polygon, BASE, Scroll, and Avalanche.

Today, SlowMist published its detailed analysis of the event that took place on November 23, claiming that the attack exploited the Reinvestment Curve feature of the KyberSwap Elastic pool. The Reinvestment Curve feature was designed to compound idle liquidity fees for liquidity providers, who use KyberSwap based on the Concentrated Liquidity Market Maker (CLMM) mechanism to allocate liquidity to custom price ranges. The attack caused the calculation of tokens needed for exchange, considering both base and reinvestment liquidity, to result in a higher-than-expected amount.

The compromise of the Kronos Research application programming interface (API) key also led to significant losses of 13,008 ETH valued at nearly $26.2 million.

Cybercriminals exploited withdrawal permissions on exchange platforms by manipulating the prices of seemingly insignificant tokens, subsequently causing the acquisition of overvalued assets. The withdrawal of these seemingly valuable assets, in reality, resulted in the payout of tokens with no substantial value.

Rug Pulls

According to SlowMist, last week witnessed a significant increase in exit scams, particularly on the Binance Smart Chain and Ethereum networks. At least fourteen incidents in which deployers withdrew liquidity led to total price collapses in various tokens, with losses surpassing $3 million within a single week.

While rug pulls are a common type of scam in the crypto space, last week saw a spike in such incidents, many involving a theft of over $200,000. The affected projects included DarkProtocol (DARK), GigaDAO (GIGS), TrustPad (TPAD), Web (WEB), Creso (CRE), IPMB, DigiFund (DFUND), PAPABEAR (PAPA), and others. Some rug pulls involved the issuance of fake tokens for legitimate projects, such as TrustPad.

One of the largest exit scams, attributed to Changpeng Zhao (CZ), exceeded $300,000.

SlowMist’s team emphasizes that there could have been other unreported incidents.

Scammers steal the brand of SlowMist

Meanwhile, some malicious actors decided to impersonate SlowMist itself. "We have recently uncovered a wave of scam websites impersonating us. These sites illegitimately use our logo and brand to run wallet and trading platform scams," the company reported two days ago. At press time, the cybersecurity team identified thirteen incidents of fraud associated with these fake SlowMist websites.

According to cybersecurity specialists, scammers use a traffic-directing URL to redirect users to the counterfeit website. This domain name had already been used for fake websites associated with other platforms, including Vitex, BitRich, and BIKOTO.

SlowMist added that the IP address related to the scam websites was found to host 124 scam websites, showing intricate connections with gambling websites.