The distributed, decentralized ledgers known as blockchains have been hailed as impenetrably secure by many in the cryptocurrency community. How could a blockchain be hacked, the thinking goes, when the ledger of transactions for a cryptocurrency ecosystem is publicly available and shared across a network, and when transactions themselves are verified by members of the community? Unfortunately for cryptocurrency market participants, though, some of these systems are not as impregnable as originally thought.
As the public awareness of crypto has grown and as token valuations skyrocketed in recent years, hackers and fraudsters may have had added incentive to find a way to steal digital currencies because of the potential for an even greater payday. Indeed, stealing cryptocurrencies—again, when tokens are massively popular in part because they have been marketed as highly secure ways of transacting and storing value—has become big business. In 2022 a record $3.8 billion worth of crypto tokens was stolen globally.
To be fair, a significant majority of stolen tokens (about 80% last year) were taken from decentralized finance (DeFi) protocols, and two-thirds of DeFi thefts involved cross-chain bridge protocols. These bridges allow users to exchange assets across different blockchains and typically hold large reserves of different tokens, potentially opening themselves up to increased attention from thieves and reduced security within a single blockchain ecosystem.
Nonetheless, blockchain and crypto hacks appear to be getting bolder than ever before. Below, we take a closer look at the most brazen blockchain and cryptocurrency hacks ever.
Mt. Gox Opens the Gates to Crypto Theft
The now-defunct crypto exchange Mt. Gox is notorious for being the target of the first major crypto hack and theft. In 2011, Mt. Gox handled about two-thirds of all bitcoin transactions when it suffered the theft of 25,000 BTC, worth roughly $400,000. While this sum may seem relatively minor compared with the valuation of bitcoin since that time, it was not the only such attack on Mt. Gox. In 2014 another incident resulted in 750,000 bitcoins lost, worth $473 million. At the time, this accounted for about 7% of all bitcoins in existence.
Binance Suffers a BNB-Related Hack
Binance remains one of the major crypto exchanges globally as of this writing, but in late 2022 it suffered losses of about $570 million when hackers were able to exploit a smart contract bug that left the blockchain vulnerable. The thieves made use of the cross-chain bridge BSC Token Hub to create extra Binance Coins (BNB) and withdraw about 2 million of these tokens, which are native to Binance.
FTX Implodes and Thieves Take Advantage
One of the boldest cryptocurrency thefts is also one of the most recent. In November 2022, cryptocurrency exchange and hedge fund FTX dominated the news when it filed for Chapter 11 bankruptcy, eventually collapsing entirely. On the same day, thieves stole more than $600 million from the company’s cryptocurrency wallets. The brazen attack may have capitalized on internal turmoil, leading the company to later announce to users that its own apps were hacked and that they should delete them. Unfortunately, the theft left many FTX account holders tokenless.
The Largest-Ever Hack: A Blockchain Gaming Platform
To date, the largest crypto hack occurred when $625 million in ethereum and the USDC stablecoin were stolen from the Ronin Network, an ecosystem affiliated with the Axie Infinity blockchain gaming platform. U.S. officials attributed the attack to the Lazarus Group, a North Korean state-backed hacking collective. The hackers reportedly were able to access private keys and forge transactions on the blockchain.
Major DeFi Attack on the Poly Network
One of the largest DeFi-related attacks took place in the summer of 2021. A single hacker exploited a vulnerability in the DeFi platform of the Poly Network to steal $611 million in a variety of tokens. Poly Network developers pleaded with the anonymous hacker to return the funds. Oddly, two days after the attack the hacker did, in fact, return about half of the stolen tokens, acknowledging that they had targeted Poly “for fun.”
Another DeFi Casualty: Wormhole
Last year, experimental DeFi platform Wormhole, a popular bridge service, suffered the loss of about $326 million in Wrapped Ethereum (WETH) tokens. Hackers attacked the platform’s leg on Solana, where users lock ETH tokens in order to receive WETH. Fortunately in this case, the parent company of Wormhole, Jump Trading, replaced the stolen funds and repaired the bridge, but this is nonetheless a lesson that hackers are ready and waiting to exploit new protocols the moment a weakness is found.
Nomad Hackers Inspire Copycats
In August of last year, another token bridge, Nomad, lost about $190 million when it suffered multiple attacks as a result of a smart contract weakness that left transaction inputs unvalidated. The particularly bold aspect of this incident was that an original attacker seems to have inspired several copycats who utilized the same weakness before it was corrected. Some of these copycat hackers even attempted to intercept stolen funds and return them to the Nomad protocol, while others followed the original hacker and stole additional tokens.
Thieves Exploit Governance Protocols
Some of the boldest blockchain thefts are not “hacks” exactly, but rather attacks on crypto ecosystems that take advantage of the structure of those systems to complete malicious actions. The infamous 51% attack—in which bad actors assume control over a blockchain by gathering a majority of participants in the network and falsifying or otherwise redirecting transactions—is one of the best-known examples of this type of exploitation. But there are many other approaches that clever teams of thieves have devised as well.
In 2022, the stablecoin protocol Beanstalk Farms fell victim to an attacker who stole $76 million by manipulating the system’s governance. The attacker used a flash loan to purchase governance tokens, and then used the authority from those tokens to pass proposals inserting malicious smart contracts.
Not all of the above attacks have targeted blockchains specifically. Some have identified security weaknesses for crypto exchanges that can be exploited, while many others have taken advantage of newer offerings like crypto bridges and DeFi protocols. In some cases, thieves have found unsecured wallets, while in other situations attackers find clever ways to take control of an entire ecosystem. Regardless of the means, the fact that crypto attacks occur as frequently as they do—and that even some of the largest players in the crypto space have suffered from thefts—should be a reminder to all cryptocurrency holders to be as careful as possible when it comes to keeping tokens secure.
Interestingly, trends may be shifting. The first quarter of 2023 witnessed some 40 attacks on crypto projects, resulting in about $400 million stolen. This is only about 30% of the attacks perpetrated during the first three months of 2022. The average hack size also declined by about two-thirds to just over $10 million as well. And perhaps most puzzlingly, more and more hackers seem to return the money that they steal: victims received back nearly half of all stolen token funds in the first quarter of this year. Hackers may truly be doing this “for fun,” as a way to exploit and reveal weaknesses in developing blockchain ecosystems, and to earn so-called “white hat” rewards offered by companies in exchange for returning their stolen funds.
Cheat Sheet
- Blockchains have long been touted for their security, but hackers have stolen many billions in crypto tokens in the last decade or so.
- In 2022, a record $3.8 billion in cryptocurrency was stolen as a result of targeted attacks and hacks.
- Many hackers target cryptocurrency exchanges, so-called token bridges that allow users to transfer between blockchain ecosystems and token types, and decentralized finance platforms that may have security weaknesses.
- Some of the boldest crypto exchange thefts include the Mt. Gox hacks, which set off the trend of crypto thefts overall, a major heist that drained popular exchange Binance of hundreds of millions of its native token, and an attack on FTX that stole hundreds of millions of dollars of tokens on the same day the exchange filed for bankruptcy.
- The largest-ever attack was on a network tied to a popular blockchain gaming platform, Axie Infinity. It resulted in about $625 million worth of tokens lost.
- DeFi attacks are proliferating and include hacks of the Poly Network, Wormhole, and more.
- Some attackers are exploiting governance procedures to redirect funds. One such attack, 2022’s theft from Beanstalk Farms, involved a hacker taking a loan to buy up governance tokens so that they could insert malicious smart contracts into the ecosystem.
- Early 2023 may signal a shift in the landscape of crypto thefts. Not only were thefts down about two-thirds compared with the first quarter of 2022, but an increasing number of hackers are returning the stolen tokens in order to claim a “white hat” reward—in effect a ransom that companies are willing to pay for the safe return of their lost assets.
Stay on top of crypto news, get daily updates in your inbox.
Read More: decrypt.co