In light of recent events, I’ve decided to reshare my story and compile logs about how my reputation and community were taken advantage of and damaged by the CEO of Plug Wallet and face of ICVC.
I will preface with a bit about myself. I have been involved in this ecosystem for 3+ years and have worked professionally as a developer for over 8 years. I have built and contributed to 2 of the most popular projects in the ecosystem (Windoge98, KongSwap) and left my job to work in this ecosystem full time. I had originally gained some notoriety for Windoge98 which was a 100% grassroots grown project and still to this day has yet to be duplicated. I also began working with KongSwap a little less than a year ago to improve defi in the ecosystem and take it multichain. I know there will be people that come at me for political opinions or things I say, but one thing they can’t deny is that I have always been transparent and fair. Some of you may not like me, but you know what you get.
We’re now about 8-9 months beyond the incident and as much as I don’t want to write this post, I have to. I’ve tried to remedy the issue multiple ways to no avail. This post hopefully serves as or leads to some kind of accountability because there has been none.
Luke contacted me in December 2024 trying to recruit me for some work on Plug Wallet originally and later came to me with a proof of work mining dapp to compete with bob.
These are links to screenshots since I can’t embed them all here.
At the time I thought this was a great idea. Cycles mining was the hot thing and Luke had been running one of the most popular projects on the IC at the time and he promised to handle the backend side of things.
So I said it sounds cool and agreed to do the frontend/marketing for it. I worked out a concept for the FE, sent it over to Luke, and things were relatively quiet other than some back and forth about how the mining worked and progress being made.
We hadn’t officially set a time for the launch; there had been some initial plans and ideas for a date that were subsequently delayed.
On the morning of January 2nd, Luke and his team took it upon themselves to launch the project while I was asleep without ever having let me review or even see the backend code.
Interestingly, the first person to mine a block happened to be the infamous @borovan. After launching the token, Luke ran to borovan to let him know it was live. Was this one of the reasons he came to me in the first place because he assumed I was close to Adam? For transparency’s sake, I had talked to Adam indirectly through Jordan and he helped provide some LP by matching ICP to BIL that I sent him. I had never spoken to him directly at the time.
I think it is also important to note the connections of Luke to people like @DavidFischer due to the issues raised by @borovan. It is my understanding that David is the money behind ICVC and WTN. Of which, Luke is a prominent face in ICVC. ICVC also exploited over 100,000 ICP from the community fund for their SNS that was funded primarily by 3 or 4 people and had a WHOPPING 22 total participants in the SNS sale, the lowest to date. I’d also like to point out that ICVC has only invested in 1 single project and has been running for over a year now. What is this money doing? I can’t help but wonder if there is a connection here?
Now we’re at January 2nd, and Luke has launched the token. I still have not received access to the backend code at this point and won’t for another 2 weeks. In retrospect I should have called it off here but I was stuck between a rock and a hard place. The project launched while I was asleep and people had money invested, so it wasn’t quite that easy for me to just say “hey this is cancelled now” especially given the initial hype. I felt like my only choice was to see it through and pray that it worked out.
In these 2 weeks we had many issues from stuck funds to unreceived miners. The backend also took out a subnet and was unusable for some time. Luke updated the backend to distribute mining canisters across subnets. Note that at this time I have still not received access to the backend code. Also note that the recovery features were never built so there is a bunch of lost EXE and ICP that users were never able to recover.
The excuse was that they were “busy”. But it literally takes no more than 5 minutes to do this. He could have compressed it and sent me a zip file in Telegram even but I guess he was too busy to do that too.
At this point I began to snap after having to explain the difference between an icrc1 only and icrc2 token to one of the Plug Wallet devs and still not having access to the code. He did have time to add me to a stale codebase under funded-labs that they weren’t using actively though (this is the PR I mention below).
Note: there are two separate chat channels shown here.
Now we’re sitting at roughly 2 weeks post launch and 2 weeks before the hack. Still only access is to a stale repo.
At this point I was quite demoralized and stopped communicating for a few days. This is roughly 1 week before the exploit now.
In addition to the difficulty change he mentioned, he also changed the mining token from EXE to ICP completely destroying the original purpose of the project which was to burn EXE.
At this point we’re a few days before the hack. I cannot find the information about when the actual repository was made public, but I believe it was sometime around the 20th that I finally got access to it when everyone else did.
Again, at this point I am still angry and just tired of dealing with them. Nothing of note was said in the chat logs that still remain. So we can fast forward to the exploit:
The exploit was caused by an overflow in the Rust code. The exploiter was able to mint unlimited tokens and drain the liquidity. After doing so, they swapped to ckBTC and offloaded it to a CEX.
This exploit caused untold amounts of damage to my reputation and brand. EXE lost more than 90% of its value (10+ million market cap to roughly 800k now). Many of my friends and many people in the community that trusted me lost a lot of money. A lot of them bought or mined the token before I had even known it launched. The ICP network as a whole lost.
The subnet that dogmi was running their own mining game on (also the subnet BIL was originally deployed on, coincidence?) also never recovered to my knowledge. I hate to introduce conspiracy theory to this, but I think it is important to note that Luke had told myself and PassionPlanet on a voice call that he knew “Robert” of the famous BOB token. I mention this because of the politics of the time. I have no way to prove this since it was a voice call of course, so take it for what it’s worth.
To this day, Luke has not made any attempt to fix any of the damage in the communities he caused and yet he still remains prominent in the ecosystem with Dfinity promoting Plug wallet as recently as a week ago and as a key member of ICVC. Some users have mentioned that Luke did mention some form of financial compensation, but I was unable to dig up a record of that.
There are a lot of theories about who actually benefitted from the exploit and people have tried to uncover who is responsible for the attack but to my knowledge it is still unknown. All of the sketchy behavior leads me to believe it was an inside job but there is no proof I can point to. It’s not like they were some amateurs that just showed up here yesterday. These were some of the most tenured devs in the ecosystem with a large project responsible for god only knows how much of people’s money.
I hope this serves as a warning to anyone that might have to deal with Luke or the Plug Wallet team in the future that hopefully you don’t suffer the same fate as me. I would also highly advise against using their wallet for security reasons as well.
At best it’s incompetence, at worst it’s malice.
Here are some Telegram group chat logs from January 13th to present. I had ragequit this group a long time ago, so I had to have jesse pull the logs and he didn’t join until the 13th. So, we can only go back that far but you can see what I was dealing with here.
For context, this group chat is the Plug team, passionplanet, jesse, and myself. Passion and jesse were making a dapp to make topping miners up easier which is why they were in there. Also notice towards the end of these logs how Luke is unresponsive and fails to even keep the main canisters cycles topped up.
I know there are a ton of details I probably missed but this post is already 2 miles long. If anyone has any questions, feel free to ask and I will do my best to respond.
Cheers,
Shill