The tokenization movement suffered a setback this week as Holograph, a protocol that makes it easier for crypto projects to move assets across EVM-compatible blockchains, experienced a cyber security incident in which 1 billion HLG tokens were minted without authorization.
Data from Etherscan indicates that the attack occurred on June 13th. The attacker exploited a flaw in the protocol’s code to carry out nine transactions, allowing him to raise the token’s total supply and transfer the new HLG to a wallet he controlled.
The Holograph Operator contract has been exploited by a malicious actor, enabling the hacker to mint 1 billion additional HLG
The team has patched the initial exploit & is working with exchange partners to lock the malicious accounts
The team has launched an investigation & is…
— Holograph (@holographxyz) June 13, 2024
The price of the HLG token was impacted immediately, dropping 80% shortly after the first mint took place. The price of the asset moved from $0.014 to just $0.0029, causing the project’s market capitalization to dip from $22 million to $4.8 million.
The value of the 1 billion HLG tokens minted at the time of the attack was $14.4 million or around 65.5% of the project’s total market capitalization prior to the breach.
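As an added detection example (not Holograph’s code), the following Python models the pattern described above: ERC-20 mints appear on-chain as Transfer events from the zero address, so a monitor can sum the tokens minted in a block window against the pre-window supply and flag a jump such as nine transactions creating 1 billion HLG. The addresses, amounts, block numbers and baseline supply are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

ZERO_ADDRESS = "0x0000000000000000000000000000000000000000"

@dataclass(frozen=True)
class Transfer:
    block: int
    tx_hash: str
    sender: str      # the event's `from`; the zero address denotes a mint
    recipient: str
    amount: int      # whole tokens (constructed sample values, not wei)

# Constructed sample log: one routine bridge mint, then nine large mints to a
# single wallet in quick succession (the shape reported for the HLG incident).
ATTACKER = "0xATTACKER_PLACEHOLDER"    # placeholder, not a real address
BRIDGE_VAULT = "0xBRIDGE_PLACEHOLDER"  # placeholder, not a real address
SAMPLE_EVENTS = [Transfer(1000, "0xtx0", ZERO_ADDRESS, BRIDGE_VAULT, 50_000)] + [
    Transfer(1010 + i, f"0xtx{i + 1}", ZERO_ADDRESS, ATTACKER, 111_111_111)
    for i in range(9)
]
BASELINE_SUPPLY = 1_500_000_000  # hypothetical pre-incident supply, constructed

def mint_report(events, baseline_supply, start_block, end_block, max_ratio=0.01):
    """Summarise minting inside [start_block, end_block] and decide whether to alert.

    Alerts when newly minted tokens exceed max_ratio of the pre-window supply,
    a level that routine cross-chain bridge flow should never approach in a
    short window; also reports which recipient took the largest share.
    """
    per_recipient = defaultdict(int)
    tx_count = 0
    for e in events:
        if e.sender == ZERO_ADDRESS and start_block <= e.block <= end_block:
            per_recipient[e.recipient] += e.amount
            tx_count += 1
    minted = sum(per_recipient.values())
    ratio = minted / baseline_supply
    top = max(per_recipient.items(), key=lambda kv: kv[1], default=(None, 0))
    return {
        "minted": minted,
        "mint_txs": tx_count,
        "supply_ratio": ratio,
        "top_recipient": top[0],
        "top_share": (top[1] / minted) if minted else 0.0,
        "alert": ratio > max_ratio,
    }

if __name__ == "__main__":
    r = mint_report(SAMPLE_EVENTS, BASELINE_SUPPLY, 1000, 1020)
    print(f"{r['mint_txs']} mint txs, {r['minted']:,} tokens "
          f"({r['supply_ratio']:.1%} of supply); alert={r['alert']}")
```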
Although the token was already on a downward spiral before the hack, the incident jeopardized the future of the protocol.
Holograph’s Response and Damage Control Efforts
Shortly after the attack was identified, the Holograph development team acknowledged the breach on its official account on X (formerly Twitter) and highlighted that it was already taking steps to secure the protocol.
“The team has patched the initial exploit & is working with exchange partners to lock the malicious accounts,” the social media post reads.
“The team has launched an investigation & is in the process of contacting law enforcement.”
Meanwhile, a short while ago, the team said that it is working with “external networks” to refund the victims of the attack for at least 75% of the money they had deposited into the protocol in the first phase.
Inside Job? Crypto Researcher Points to Rogue Developer
Users on social media immediately pointed fingers at the developers and insiders of the project, who may have decided to cash out on the token. It is certainly possible that the hack was perpetrated by an outsider, but insiders (especially developers) are more likely to find these kinds of exploits.
Matt Casto, a cryptocurrency researcher at venture capital firm CMT Digital, argued that the hack may have been an inside job perpetrated by a “rogue developer.”
Casto’s suspicions come from on-chain evidence that suggests the Ethereum Name Service (ENS) wallet address acc01ade.eth was involved in the exploit. Adding further intrigue, a GitHub page lists an individual with the same handle as a contributor to the Holograph project itself.
“Looks like a rogue dev who funded the address 26 days ago,” Casto commented. “That address was the one who received the minted supply.”
An X account with a similar handle was found. The bio describes the user as a “super shadowy coder” living in Paris and adds further weight to the insider theory. If this is all true, it is a bit odd that a “super shadowy coder” wouldn’t know not to send the illicit funds to his named address, but it’s not an unusual mistake.
Holograph reportedly completed a widely-awaited airdrop in late May to early adopters of the tokenization platform. A total of 25 million HLG tokens were distributed back then to all eligible wallets.
Social Media Users Chant “Rug Pull”
Based on the comments of multiple users and token holders on X, there is speculation that this was a mere rug pull – a scam where crypto developers attract investors by making promises about the future of a specific project to raise the price of the native token to then dump a significant share of these assets onto the public for their personal gain.
These scams typically result in a precipitous drop in the value of the asset – which is exactly what happened – and they are often concealed as “a hack” to appease the community, affected investors, and law enforcement.
Users found it suspicious that the team did not work with exchanges quickly to block the crypto wallets involved in the hack to prevent the perpetrator from laundering the assets. However, it was reported that around 4 hours after the attack, the assets were moved to an exchange and converted to Tether (USD).
As a result, most of the money from the attack may have already been withdrawn and the affected parties, the investors, may not recoup their lost money unless the protocol opts to burn the minted tokens.
Founded in 2021, Holograph is one of the many companies venturing into the growing asset tokenization industry. The platform’s innovative approach allows developers to use a single contract address across various EVM-compatible blockchains to reduce the traditional friction of managing tokenized assets while providing a safe infrastructure to settle cross-chain transactions.
The protocol attracted the interest of notable venture capitalists including Mechanism Capital and Selini Capital, both of which invested a combined total of $3 million a year ago to fund the project’s vision.
Insider Attacks Emerge as the Latest Trend in the Crypto Ecosystem
Insider threats have been affecting the growth of new protocols in the crypto space. Recent incidents include the theft of 12,300 SOL tokens from the meme coin minting platform Pump.fun, which was likewise attributed to a former employee who exploited the platform’s code.
Back then, an individual whose X handle was STACCoverflow, a self-identified project developer, confessed to his crime on the social media platform and blasted the Solana project and its “horrible bosses” for a hostile work environment.
The project’s developing team ultimately confirmed that this insider was liable for the incident but stressed that the platform was safe and that this was an isolated event.
Moreover, a DeFi protocol called UwU Lend suffered two attacks that resulted in the loss of over $20 million – $19.3 million the first time and nearly $4 million the second time. The first incident took place on June 10 while the second one occurred yesterday.
Blockchain researchers emphasized that it was the same attackers who perpetrated the crime. However, they relied on different mechanisms to exploit flaws in the project’s smart contracts.
These events serve as a sobering reminder of the importance of robust security measures and strict access controls within the Web3 ecosystem to prevent its credibility from being undermined by these types of incidents.