Tapioca DAO stops 1,000 ETH worth $2.7 million from being stolen following exploit that drains majority of its funds
Quick Take An exploiter, possibly a Norther Korean hacker, was able to obtain the private keys in a social engineering attack that drained $4.4 million worth of cryptocurrencies, the Tapioca Foundation said. The organization worked with the emergency response team SEAL911 and others to recover assets the exploiter had missed.
The Tapioca DAO suffered a massive exploit leading to an over 95% drawdown in the TAP token price. About $4.5 million worth of cryptocurrencies were stolen, though the team says it's in the process of recovering funds with assistance from web3 security firm Fuzzland and others.
"All current Tapioca DAO Platform users are advised to revoke approvals to our Contracts until the recent Compromise has been resolved,” the Tapioca Foundation said on X. “Please reach out to website support upon any issues revoking approvals."
According to the foundation, the attacker was able to compromise the token’s vesting contract giving him access to sell its 30 million vested TAP tokens — at the time worth around $1.40, now worth less than $0.04 — as well as the USDO stablecoin contract.
In total, the attacker walked away with about $4,405,600, including $2.8 million USDC and $1,575,606 in ETH drained from the USDO/USDC liquidity pair. The stolen funds were swapped for ETH, then USDT, and then bridged from Arbitrum to BNB Chain where, at press time, they remain.
Tapioca is a decentralized money market protocol based on LayerZero for borrowing cryptocurrencies across multiple blockchains. It uses a stablecoin called USDO and Tapioca Omnichain Fungible Tokens (TOFTs) to enable users to move wrapped assets between networks.
According to Fuzzland, it seems likely the attacker obtained the private keys through social engineering. On Discord, Tapioca co-founder Matt Marino said Discord member 0xRektora was contacted about a friend being hired, which tricked him into lowering his guard enough to connect the hardware wallet that the attacker used to gain ownership of TAP.
“North Korea is always the garbage collector here,” Fuzzland said, echoing ZachXBT that the connection to the Hermit Kingdom has not yet been proven and that the situation is “complicated.”
Those attacks “were the result of fake job scams” where North Korean actors posed as interview subjects or vendors to gain inside access or information needed to steal funds, ZachXBT said. There have been a slew of anecdotes and a recent CoinDesk investigation suggesting this type of “contagious interview” scam is a widespread and growing issue across crypto.
Recovering funds?
“We have coordinated and are active in a war room with the necessary individuals and entities to proceed forward, and will be communicating on further steps when the situation is under control,” the foundation wrote.
Tony, a security engineer at Fuzzland and member of the volunteer emergency response team SEAL911, was one of the members in the war room, which worked to help them recover a portion of the funds that the hacker didn't notice, he told The Block.
According to Marino on Discord, the organization moved 1,000 ETH worth about $2.7 million from a vault to a secure location — the DAO multisig. "The 1000 ETH was DAO collateral within Big Bang Origins to mint USDO for USDO/USDC LP," he added.
"The team attempted to rescue these assets by first approving the Multicall, which anyone can take away these assets. Luckily, no one found out and they managed to still rescue these assets," Fuzzland co-founder Chaofan Shou told The Block.
However, the response team has not yet been able to recover any of the stolen assets. The DAO’s treasury currently stands at $4.2 million, Marino said.
coin_news.disclaimer
coin_news.may_like
Here’s How Much Bitcoin Trump’s VP Pick JD Vance Owns
Bitcoin ETF Inflows Pause as U.S. Election Uncertainty Rises
Tornado Cash co-founder’s money laundering trial postponed to April 2025
Share link:In this post: On November 1, Judge Katherine Polk Failla rescheduled the next Storm’s trial to April 14, 2025. Storm’s defense has challenged the court’s trial postponement, going as far as filing a mandamus petition with the U.S. Court of Appeals for the Second Circuit. Roman Storm is charged with three counts: conspiracy to commit money laundering, conspiracy to commit sanctions violations, and conspiracy to operate an unlicensed money-transmitting business.
Popular Convenience Store ‘Sheetz’ Starts Accepting Crypto