Introduction
Just because crypto markets are down so far in 2022, doesn’t mean that cyber criminals are easing up their efforts to fill their wallets with as much crypto loot as possible. In fact, they’re doubling down. Hacks and scams in the crypto space are actually on the rise, with cybersecurity firm CertiK pointing to a crazy $1.3 billion lost to decentralized finance (DeFi) hacks last year – around double the amount from 2020. Meanwhile, blockchain analysis firm Chainalysis reported $14 billion in illicit crypto flows for 2021, a stunning 79% jump.
Last month’s hacking of the Ronin network for $600 million by what now appears to be the notorious North Korean hacker group Lazarus has put an alarming exclamation mark at the end of Q1 2022.
With the first quarter now in the rearview, it’s a good time to take stock of how last year’s cybercrime trends in crypto are matching up with this year’s most high-profile digital asset debacles.
2021 Crypto Crime Trends
Before getting into the latest hacks plaguing the crypto community, let’s establish a little background by taking a look at what some of the big players in cybersecurity said about what happened in the space last year.
CertiK Report
The cybersecurity analysts at CertiK released a report in January, which said that despite the figure for value lost in DeFi rising 160% last year, it represented a lesser proportion of the total value locked in DeFi projects compared to 2020, and this was due to the expansion of the sector. In other words, crypto crime is on the rise, but so is crypto, so bad actors take an even smaller percentage of the pie – to be exact, 17% less in proportion to DeFi’s market capitalization.
CertiK labeled centralization in the sector as the primary reason for lost funds, citing privileged ownership as one of the main issues, in particular when hackers get their hands on private keys. This can often be prevented through the use of multisig wallets, MPC technology, or even decentralized autonomous organizations (DAOs). The report also made mention of unlocked compiler versions, missing event emissions (for smart contracts), input validation problems with code, and the involvement of third parties.
Chainalysis Report
Chainalysis noted a similar relative decline in illicit crypto flows, pointing out that they reached a record low in 2021, with just 0.15% of the year’s total volume of transactions. At the same time in absolute terms, illicit activity in crypto jumped 79%, which was only offset by 550% growth in overall transactions.
Focusing on DeFi, the analysts stated that total scam revenue equaled $7.8 billion, with more than $2.8 billion coming from rug pulls, a style of crypto scam where developers suddenly remove the liquidity from a project and disappear. The problem is especially rampant in DeFi, though rug pulls can exist in other crypto sectors such as non-fungible tokens (NFTs). Around 90% of the 2021 rug pull losses stem from the $2 billion scam involving Thodex, a centralized exchange based in Turkey.
Chainalysis also said that billions were stolen from decentralized exchanges (DEXs) outright through hacks and other methods, as seen in the roughly half dozen hacks alone last December that amounted to $271 million in losses for users. To make matters worse, the report said that DeFi protocol usage for money laundering grew by 1,964% year-on-year.
The 5 Biggest Q1 2022 Crypto Hacks
Hackers stole indiscriminately from any party that allowed them to in Q1 2022, with centralized exchanges (CEX), DeFi protocols, cross-chain bridges, NFT marketplaces and Play-to-Earn (P2E) projects all exploited for hundreds of millions.
$30 Million Stolen from Crypto.com
Major centralized exchange Crypto.com experienced a massive security failure in January when hackers stole around $15 million of Ethereum and $18 million of Bitcoin from a total of 483 wallets. At first, the exchange downplayed the event, describing the hack as an “incident,” later revising their statements to acknowledge the extent of the damage. Having initially claimed that “all funds were safe,” they eventually pivoted to “customers were fully reimbursed.”
Crypto.com noticed the breach when the thieves began transacting without using the victims’ two-factor authentication (2FA). This led to a suspension of withdrawals on the exchange, the revocation of 2FA tokens, and the requirement that all users redo their 2FA.
The company conducted audits in the wake of the scandal, saying that they had “further harden[ed] their security posture,” though without specifics. In the end, a new program was announced that would see users insured up to $250,000 so long as they set up multi-factor authentication, avoid jailbroken devices, use what was termed “anti-phishing code,” and report losses to the police.
$80 Million Drained from Qubit
DeFi lending protocol Qubit Finance suffered a tremendous loss in January when hackers were able to siphon off over $80 million in crypto. The attackers made off with over 200,000 Binance Coins (BNB), tricking the platform’s QBridge protocol into releasing the tokens. According to CertiK, the hackers took advantage of a deposit option on QBridge to mint more than 77,000 qXETH, which is a stand-in for ETH bridged onto the protocol. Since the platform accepted the wrapped assets as legitimate, the hackers were able to redeem all of the BNB on QBridge. The attack, reportedly the seventh-largest in the history of DeFi, has yet to result in arrests.
$325 Million Hacked from Wormhole
In another DeFi attack, the Wormhole bridging protocol managed to lose $325 million to hackers through a security exploit in early February. At that time, it was the second-largest DeFi hack to date. Things got even stranger the next day, when the company announced it had replaced the entirety of the stolen assets.
The attackers were able to mint around 120,000 wrapped ETH on Solana, which they then maneuvered over to the Ethereum network. VC backer Jump Capital apparently covered the loss, which would’ve brought down many Solana projects had it gone unresolved. The VCs described Wormhole as “essential infrastructure” for the cross-chain world, adding that similar vulnerabilities exist in the protocol’s bridge to Terra. The incident also provoked Ethereum co-founder Vitalik Buterin to describe the future as multi-chain rather than cross-chain.
$1.7 Million Phishing Attack on OpenSea Users
In late February, OpenSea triggered alarms in the crypto community when it revealed an attack that while much smaller than some of the big DeFi hacks, opened up some new spaces for discussion of vulnerabilities. The leading NFT platform shared that 254 tokens valued at over $1.7 million, including some from Bored Ape Yacht Club and Decentraland, had been transferred to the wallet of a thief through a “phishing scam.”
It was eventually determined that the hackers exploited the Wyvern Protocol, which undergirds the smart contracts of many NFTs. This allowed them to take advantage of the blind signature process to turn unknowingly signed contracts into permission to transfer the NFTs. The attacker basically managed to write themselves a blank check, which was somehow approved by the victims. The details of this process are still murky, but the incident has thrust the practice of blind signatures into the crypto spotlight.
$625 Million Stolen off Axie Infinity’s Ronin Network
Sky Mavis’ play-to-earn (P2E) game Axie Infinity notched the record for largest DeFi hack in history in late March, when cybercriminals stole over $625 million in ETH and USDC through an attack on the game’s Ronin Bridge, an underlying network. The private keys of five of Ronin’s nine validator nodes were obtained, leading to the siphoning of funds through bogus withdrawals and a pause in transactions by the developers.
Ronin, which is a side chain of the Ethereum network, fell victim to what is becoming a string of attacks on cross-chain bridges. Four of the compromised nodes belonged to Sky Mavis, while another was related to the Axie DAO. According to the company, “the attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.” The developers emphasized they had found the hacker’s wallet and were working with law enforcement as well as Chainalysis to bring them to justice. Sky Mavis later announced that it raised $150 million in conjunction with the exchange Binance to help compensate users for their losses.
The Verdict
With the year still in its early stages, it’s entirely possible that crypto hacks in 2022 will take on a new direction: will it become the year of CEX hacks, or the year of hacked DAOs? Both seem unlikely at this moment. With the massive congestion currently seen on the Ethereum network, layer 2s and bridges are proliferating, and it seems like there are very often cracks in these onramps. It’s likely we’ll continue to see more hacks in these areas.
Within the DeFi space, we expect rug pulls and other varieties of trust-based exploits to remain on the scene for the foreseeable future, as human nature is not so easy to patch and upgrade.
In times like these, it’s important to store your crypto in a secure environment.
At CYBAVO, we offer a suite of tools that can be of use to institutions operating in the crypto world. From CYBAVO VAULT, to our Cashflow Manager for large-scale institutions, to CYBAVO Wallet SDK, to our secure ETH 2.0 Staking Service, we have the tools needed to keep digital assets safe and secure.