Hackers Are Targeting Abandoned Meme Tokens in Almost-victimless Crime

The hacker has been targeting tokens with redistribution rewards


Dall-e modified by Blockworks


An opportunistic hacker has been draining the remaining liquidity from abandoned token pools in what some have called an almost-victimless exploit.

The attacker uses flash loans from DeFi protocol Balancer to borrow a significant amount of money. They then redirect those funds to drive up the volume of a chosen token’s pool. 

Once the volume of the pool increases, the attacker drains the remaining liquidity from the pool and returns the money it borrowed from the flash loan.

These attacks were first spotted by Giorgi Khazarade, the CEO of Aurox, when he was testing to find bugs and data inconsistencies in Aurox’s screener functionality.

“I noticed one token (CATOSHI) had nearly $2M in volume but $0 in liquidity, which is extremely odd,” Khazarade told Blockworks. “I thought it was a bug but when looking more into it, I found the stats our platform displayed were correct.”

In the CATOSHI exploit noted by Khazarade, the hacker borrowed an estimated $184 million in wETH through a flash loan, using approximately $1 million from that loan to purchase CATOSHI tokens.

According to a CATOSHI white paper that was published in 2022, the token had launched on Ethereum with an initial supply of 21 million. This amount was later burnt down to 11 million. 

CATOSHI’s tokenomics were a reworked version of reflect finance’s (RFI) frictionless yield generation code. It included a 6% tax, where 3% of it was redistributed to holders, 2% was burnt and 1% was directed to a charity wallet. 

This means that token holders would be given a 3% redistribution reward whenever anyone bought or sold the CATOSHI token. 

After purchasing over 166K in CATS, the attacker bridged the tokens onto the BNB chain. There they sold the tokens for roughly 10 BNB, leaving them with a total profit of $3,000-$4,000. The remaining funds were returned to pay back their flash loan.

Khazarade noted that another token, IMMORTAN, also saw a similar fate

“I noticed a second token (IMMORTAN) in our Screener with similar stats,” Khazarade said. “Large volume and just a couple hundred dollars in liquidity. A similar attack using flash loans had been launched against that token multiple times over the past week to drain the liquidity pool of about $2-3k.”

Similar to CATOSHI, IMMORTAN also had redistribution awards. According to its white paper published in 2021, a 10% tax was applied to buyers and sellers, with 8% of that tax being redistributed to holders and 2% given to the development team for operational purposes. 

“In this instance though, he executed the attack a lot. In fact, he’s still doing it even though there’s ~$100 in liquidity left. He’s basically trying to drain every penny of it,” Khazarade said. “Each attack only yielded a small amount of profit, and by my estimates, he made a combined ~$3k.”

CATOSHI and IMMORTAN are not the only tokens that have had their pools completely drained. More recently, Khazarade noted that the attacker extracted $4,000 in ETH from CATS V3. A project named ​​CRAB has also seen $2,000 in ETH cleared from its pools. 

Just yesterday, the attacker used a similar method to extract WEEB of almost $30,000 in ETH liquidity.

“I’m not 100% certain but it seems like [the attacker] routinely deployed malicious smart contracts that abuse a variety of tokens and drain their liquidities,” Khazarade said.

“Some seem to be specialized which only attack one individual token, whereas other contracts can do it for various tokens…probably because the tokens use some template code with the same bug.”

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.


Upcoming Events

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2023

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Research Report Cover Vertex.jpg


The proliferation of new perp DEXs has led to fragmented liquidity across various DEXs and chains. Vertex, known for its vertically-integrated DEX that includes spot, perpetual, and integrated money markets, is now tackling cross-chain liquidity fragmentation through horizontal integration with the launch of new Edge instances. Vertex's integrated offerings and cross-margined account structure amplify the benefits of new instances: native cross-chain spot trading, optimized cross-chain basis trading, consistent interest rates, reduced bridging friction, and more.


Partnering with EtherFi and Angle, the fully on-chain perp DEX features bespoke collateral



Gavin Wood introduced the next evolutionary step for the Polkadot network: the Join-Accumulate Machine, or JAM


The side events were the places to be at Consensus 2024, according to attendees


Also, who’s come out swinging in the spot ether ETF fee war — and who could undercut them


I know it is not in their nature, but US regulators could learn a lot by researching the digital asset frameworks that overseas regulators have already gotten right


Also, the ETF hype train can count out at least one member