The Worst Crypto Hacks of 2023

Created 3mo ago, last updated 3mo ago

A look back at the major cryptocurrency hacks and breaches in 2023 resulting in over $2 billion in losses.

As 2023 draws to a close, it will go on record as the year Bitcoin and the crypto market staged a remarkable recovery from the brutal bear market. However, cryptocurrency hacks are still prevalent — with almost $2.4 billion stolen this year alone.

According to blockchain security and analysis company CertiK, Q3 was the quarter with the most hacks this year, with close to $700 million stolen across 184 known hacks in this period. Per the report, Q3 alone saw more losses due to hacks than Q1 and Q2 combined.

Though these figures are daunting, they are down considerably from last year’s total of more than $3.5 billion.

According to SlowMist, there were 450 confirmed hacks in 2023 so far, with decentralized protocols on Ethereum and BNB Smart Chain being the most common attack targets.

Many of these platforms are built on open-source software, which, while promoting transparency and community collaboration, also potentially exposes vulnerabilities that can be exploited by those with deleterious intent.

Faced with little to no legal repercussions in many cases and the potential for a retrospective bug bounty offer, those with the technical know-how can be enticed to put their skills to malicious use.

Unfortunately, this has painted a red target on the back of insecure cryptocurrency exchanges, platforms, protocols, and the users who have ultimately borne the brunt of these attacks. Indeed, most of the funds lost due to the hacks listed below will likely never be recovered.

Let's dive into the worst hacks of 2023.

Kyber Network: $54.7 Million

November 2023 marked the date of a security incident affecting Kyber Network, as an attacker took advantage of a vulnerability linked to liquidity and managed to steal approximately $54.7 million from KyberSwap Elastic.

The breach targeted KyberSwap's liquidity pools across multiple blockchain networks, including Arbitrum, Ethereum, Optimism, and Polygon. The hacker exploited a reentrancy vulnerability in the mint function of a new token, leading to a significant loss of funds and a 90% drop in the platform's Total Value Locked (TVL).

In an unusual turn of events, the hacker offered to return the stolen funds if a list of demands was met. Among the demands, the attacker requested full control of the Kyber Network company and a complete surrender of all on-chain and off-chain company assets.

The hacker asked for their demands to be met by December 10, or the deal would be off.

It appears the team behind Kyber did not bend the knee to the attacker and is instead moving forward with a compensation plan that involves offering treasury grants to affected users.

Curve: $73.5 Million

No stranger to hacks, Curve was once again exploited in July 2023 after an attacker took advantage of a faulty reentrancy lock in several of its stablecoin pools compiled with Vyper 0.2.15 to drain their funds.

The main protocols and pools affected by the attack were the Alchemix, JPEG'd, MetronomeDAO, deBridge, Ellipsis, and CRV/ETH pools.

In a positive turn of events, a large proportion of the stolen funds were returned to Curve Finance after the hacker accepted a 10% retroactive whitehat bounty. Meanwhile, Metronome and Alchemix recovered $6 million and $13 million respectively thanks to the efforts of multiple whitehat hackers.

Almost two weeks after the hack, Curve pledged to make whole those still affected after evaluating their losses to ensure resources are fairly distributed.

Euler Finance: $197 Million

Movement of stolen funds mapped by Chainalysis

In perhaps one of the most bizarre events this year, Euler Finance was subject to a $197 million hack back in March 2023.

The hacker used an intricate flash loan attack to exploit a faulty function in the Euler smart contracts, getting away with $197 million worth of various cryptocurrencies, including DAI, wBTC, stETH, and USDC — almost entirely draining the protocol.

However, the company behind Euler Finance was able to trace the attacker and open a line of communication. This seemingly spooked the attacker into doing the right thing, as the hacker promptly returned “all recoverable funds” to the Euler treasury.

Since then, the Euler team has opened redemptions to the public, allowing them to reclaim the funds they initially lost in the attack. The Euler Protocol has remained disabled, but the team has hinted that a new modular open lending solution is on the way.

Mixin Network: $200 Million

Mixin Network is a decentralized network designed to facilitate efficient cross-chain trading for digital assets.

In September 2023, it was hit by a catastrophic cloud service-based attack which led to around $200 million worth of customer assets being stolen. Shortly after the attack, the Mixin network was suspended.

According to the official announcement, the Mixin team plans to do its best to minimize these losses.

In a later live stream, Mixin Network founder Feng Xiaodong stated that the platform would only be able to refund up to 50% of the stolen assets and that the rest would be eventually covered by "tokenized liability claims" which Mixin will attempt to pay with its future profits.

As has become commonplace following hacks of this scale, Mixin initially offered the hacker(s) a $20 million retroactive bug bounty if they returned the remaining funds. This has, unfortunately, fallen on deaf ears, since the attacker had already swapped the stolen USDT for DAI to prevent it from being frozen on-chain.

Multichain Bridge: $126 Million

At the time one of the most popular cross-chain bridge protocols, Multichain was hacked on July 7, 2023, leading to the exfiltration of $126 million worth of various cryptocurrencies.

As one of the largest crypto hacks on record, the attack involved multiple blockchain networks including Fantom, Moonriver, and Dogechain as well as a wide variety of crypto assets.

To date, the origin of the hack still hasn’t been identified, but there is a chance that a hacker was able to gain control of Multichain’s MPC keys. There are suspicions that the hack may have been an inside job (also known as a rug pull).

This suspicion arose partly due to the disappearance of Multichain’s CEO, known as Zhaojun, in May 2023, and the subsequent inability of the team to perform necessary technical maintenance on the platform.

Surprisingly, the Multichain front end is still up and running to this day. Users can initiate a bridge transfer for their assets, but the transfer will never complete. The team behind the platform publicly noted that they are unable to take down the website or service, since they do not have access to the Multichain domain account, and warned against using the service.

Atomic Wallet: $100 Million+

In June 2023, Atomic Wallet — then one of the more popular crypto self-custody wallets — suffered a major breach which led to over $100 million in losses across approximately 0.1% of its userbase.

The attack, reportedly perpetrated by the infamous North Korean hacking group known as Lazarus, was one of the most unexpected security incidents this year — since self-custody is generally considered safer than third-party custody.

Though the exact cause of the breach remains unclear, several potential options have been suggested, including insufficient entropy in generating private keys (i.e. private keys could be brute-forced) and supply chain attacks.

In the aftermath of the hack, at least 3 lawsuits are progressing against Atomic Wallet, its development company Atomic Systems and its owner Konstantin Gladych. The company has remained tight-lipped on its plan to help affected users, and has described the investigation of the root cause as “complex”.

Stake: $41 Million

In September 2023, the prominent crypto gambling platform Stake suffered a "sophisticated breach" which led to the loss of $41 million across Ethereum, Polygon and BNB Smart Chain assets.

The funds stolen during the attack included 6,001 ETH, 3.9 million USDT, 1.1 million USDC and 900k DAI. Shortly after the hack, the attacker began moving the funds across chains, with a large chunk eventually swapped to native BTC.

The hack, again potentially perpetrated by Lazarus, is unusual in that it did not involve a breach of Stake’s hot wallet private keys. Instead, according to Stake founder Edward Craven, the hackers accessed Stake’s internal transaction approval system, allowing them to process unauthorized transactions.

Unlike many of the other attacks on this list, the Stake hack did not affect customer funds. Instead, the hacker breached a hot wallet designated for paying out large wins.

How To Stay Safe

Crypto is an alternative financial industry with no centralized entity enforcing fiscal responsibility, so its users are heavily reliant on self-custody solutions and up-to-date knowledge of crypto security practices.

Unfortunately, a startling number of cryptocurrency users, including those who are extremely technically savvy, still fall victim to hacks and scams.

With that in mind, we have prepared some resources below to help you maximize the security of your funds.

Stay safe as we head into 2024!

This article contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of CoinMarketCap, and CoinMarketCap is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. CoinMarketCap is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by CoinMarketCap of the site or any association with its operators. This article is intended to be used and must be used for informational purposes only. It is important to do your own research and analysis before making any material decisions related to any of the products or services described. This article is not intended as, and shall not be construed as, financial advice. The views and opinions expressed in this article are the author’s [company’s] own and do not necessarily reflect those of CoinMarketCap. CoinMarketCap is not responsible for the success or authenticity of any project, we aim to act as a neutral informational resource for end-users.