Clipper DEX and Spectral Labs both recently faced serious hacks which exploited protocol vulnerabilities, and added to the $1.48 billion in crypto losses reported for 2024. Similarly, the DEXX trading terminal suffered a $30 million breach. DEXX is working on recovering the stolen funds alongside law enforcement. Thanks to these crimes, regulatory scrutiny also intensified. The SEC filed a lawsuit against Touzi Capital for misleading investors about its crypto mining fund. On the other hand, some industry leaders expect a potential shift in regulatory enforcement under the new Trump administration.
Clipper DEX Denies Private Key Leak
Decentralized exchange (DEX) Clipper confirmed that the recent $450,000 hack of its protocol was due to a vulnerability in its withdrawal function. The DEX also dismissed earlier claims that the breach stemmed from a private key leak. The attack took place on Dec. 1, and targeted two liquidity pools. The hack resulted in the loss of about 6% of the protocol’s total value locked. Clipper assured its users that other pools remained unaffected and that the exploit was contained.
In a statement on X, Clipper clarified that the ability to withdraw funds in a single token, a feature involving a bundled swap and deposit/withdrawal transaction, appeared to be the source of the exploit. This feature has since been disabled.
Security firm Fuzzland’s co-founder, Chaofan Shou, previously speculated on X that the hack could be linked to an API vulnerability that allows unauthorized signing of deposit and withdrawal requests. Clipper, however, held firm that its design and security architecture ruled out a private key leak.
The protocol paused swaps and deposits while keeping withdrawals open, albeit requiring a mix of assets from the pool. Clipper is actively tracing the stolen funds and reached out to the attacker to encourage them to contact the team.
Crypto losses YTD (Source: Immunefi)
The hack contributes to a year that has already seen more than $1.48 billion worth of crypto stolen by the end of November, according to a report from Immunefi. This figure is still a 15% decline compared to the same period in 2023.
$200K Hack Hits Spectral Labs’ Syntax Platform
Spectral Labs also recently reported a $200,000 exploit on its Syntax platform, a no-code environment for creating on-chain AI agents. The attack happened due to a vulnerability in its bonding curve.
The flaw allowed the attacker to remove tokens at a reduced price. In response, Spectral Labs disabled access to Syntax and paused contracts to prevent any more damage. The company assured users that it is addressing the issue, running extensive tests, and collaborating with industry partners to restore functionality as soon as possible.
Crypto hacks and exploits are still a major challenge for the industry. Immunefi’s report shows that November losses from crypto hacks and fraud totaled $71 million. Some of the most serious incidents in November included the $25.5 million exploit of decentralized finance project Thala, which was caused by a vulnerability in its v1 farming contracts.
Crypto losses from November of 2024 (Source: Immunefi)
Thala recovered the stolen funds on Nov. 18 with the help of law enforcement but has not revealed the hacker's identity. Another big breach involved the DEXX on-chain trading terminal, where a private key leak resulted in huge losses.
Over 8,620 Wallets Linked to DEXX Exploit
The recent security exploit on the meme coin trading terminal DEXX drew a lot of attention from the crypto community, with more than 8,620 Solana addresses now suspected of being linked to the hacker behind the attack. On Nov. 16, DEXX fell victim to a breach that resulted in financial losses that affected at least 900 unique users.
According to SlowMist’s blockchain intelligence arm, MistTrack, most of the victims lost less than $10,000, but one individual suffered losses of more than $1 million. The total loss from the incident was initially reported to be $21 million, which made it the second-largest hack in November after the $25.5 million Thala attack.
Unfortunately, the scale of the DEXX exploit continued to grow, and SlowMist founder Cos revealed that the total losses climbed to an estimated $30 million on Nov. 29. The fluctuating prices of meme tokens impacted the overall financial damage, according to Cos. The hacker has been converting the stolen assets into Solana. SlowMist also committed to publishing any additional wallet addresses that are suspected of being linked to the attack on other blockchains, including Ethereum, BNB Chain, and Base, in the coming week.
In response to the attack, DEXX has been actively working on recovery efforts. The platform issued a public statement confirming that it is monitoring the hacker’s wallets and collaborating with blockchain security firm SlowMist and law enforcement agencies. To incentivize the return of stolen assets, DEXX offered a bug bounty and token rewards, but the hacker did not respond to these appeals. Attempts to communicate with the attacker through on-chain messages and email have also been unsuccessful.
Bruce, the operations director at DEXX, stated that the platform is actively negotiating with stakeholders, counting the losses, and addressing security vulnerabilities to relaunch the service. The company pledged to compensate the affected users, but the specifics of the compensation plan will depend on the amount of recovered funds.
SEC Sues Touzi Capital
Recent crypto crimes were not only limited to hacks. The U.S. Securities and Exchange Commission (SEC) filed a lawsuit against Touzi Capital, accusing the investment firm of misleading investors about the liquidity and profitability of its crypto asset mining fund. According to the SEC, Touzi Capital raised almost $95 million from over 1,200 U.S. investors by promoting the fund as a stable and high-yield investment tied to cryptocurrency mining operations. However, the regulator alleges that the firm misrepresented the risks and diverted investor funds into unrelated ventures.
The SEC claims Touzi Capital made false assurances to investors, and compared the fund to high-yield money market accounts while hiding its risky and illiquid nature. Despite the alleged failures of its investments, the firm reportedly continued accepting funds from new investors. The regulator’s complaint also alleges that the promised crypto mining operations were not the primary focus of the raised capital as funds were being commingled across Touzi Capital’s subsidiaries for purposes unrelated to mining.
This case is part of a broader crackdown by the SEC on alleged crypto-related frauds, including a recent unsuccessful appeal by Kristoffer Krohn, who argued that his involvement in an $18 million crypto mining scheme did not constitute a securities offering. The federal judge decided to deny Krohn’s appeal.
Despite these legal actions, industry leaders like Consensys CEO Joe Lubin suggest that the regulatory landscape for crypto firms could change dramatically very soon. At DevCon 2024 in Thailand, Lubin speculated that the reelection of Donald Trump as U.S. president might lead to the dismissal of many SEC cases, and could potentially save the industry huge amounts of legal costs. However, he pointed out that while not all cases may be dropped, the crypto sector will certainly benefit from a more favorable regulatory environment in the future.
