This year's many hacks have damaged the industry's reputation — and left big questions about the safety of cross-chain bridges needed for a multi-chain crypto ecosystem.
As of August, cryptocurrency users had been robbed of $1.6 billion. By the end of November, that number had grown past $3.5 billion.
The worst month was October — dubbed "Hacktober" — with more than 44 exploits bringing thieves more than $760 million.
Cross-chain bridges, often set up rapidly to support specific blockchains or projects, have frequently proved to have very exploitable code. But here's the problem: they are key to a multi-chain industry succeeding. Chainalysis head of research Kim Grauer was quoted by Pymnts as saying:
"The reputational risk is huge. I can't emphasize that enough. Having a hack happen every day makes it so that every trader, everyone involved in DeFi has an awareness that they could be the victim of a hack. And that's not healthy for sustainable long-term growth. That's not healthy for the industry. That is, in fact, a major reason why people are likely not getting into DeFi, not testing the waters."
Of course, that was before Sam Bankman-Fried showed how untrustworthy centralized exchanges could be by having his Alameda Research trading firm allegedly borrow and lose some $10 billion of his FTX exchange customers' funds without permission.
For all that, 2022 is notable in that far more hacked funds were recovered than were stolen. In just two cases, the Department of Justice seized almost $7 billion in Bitcoin: $3.36 billion stolen in 2012 from the Silk Road dark web marketplace, and $3.6 billion stolen in 2016 from the Bitfinex exchange. Years after these crimes, detectives are catching up.
Crypto.com, $30 million
It took four days, but Crypto.com finally admitted that the Jan. 16 "incident" it reported was actually a hack that saw 483 customers lose about $32 million in Bitcoin and Ether from their exchange wallets. CEO Kris Marszalek said in a tweet that "no customer funds were lost" — which was true in the sense that they were reimbursed.
The exchange halted withdrawals for about 14 hours while it "hardened the infrastructure in response to the incident."
What happened, it turned out, is that a hacker found an exploit that let them bypass the exchange's two-factor authentication requirements. This left accounts protected only by a password, which were apparently compromised externally.
In response, Crypto.com on Jan. 20 announced it was moving from 2FA to multi-factor authentication. It also instituted a 24-hour delay on adding new fund withdrawal addresses, and launched a Worldwide Account Protection Program that provides up to $250,000 of protection if certain security protocols have been followed and a police report has been filed.
Qubit Finance, $80 million
DeFi lending and borrowing protocol Qubit Finance was the target of the first cross-chain bridge exploit of 2022, losing $80 million in BNB to someone who figured out how to mint "unlimited" xETH tokens on its QBridge without depositing any collateral.
They then traded it for the 206,809 BNB tokens available. A "bug bounty" was offered for its return, to no avail.
The funds were reportedly run through the since-sanctioned Tornado Cash mixing service, making them untraceable.
Wormhole, $326 million
Jump Trading's Wormhole serves as a bridge between Solana and Ethereum. In this case, a flaw in the code allowed the hacker to mint 120,000 Wrapped Ether (wETH) — usable on the Solana blockchain — without depositing any Ether. Those wETH were then traded in for real ETH.
This was a comfort to the many Wormhole users who saw their life savings disappear for several days. One wrote:
"I lost $100,000 in your attack. I am a nurse. These are all my savings. I hope you can return it to me. Everyone will get sick. Think of the nurses who care for you when you are sick. I wish you always healthy and enjoy the happiness of the world. GOD BLESS YOU."
That's the thing about bridge hacks — they tend to have a huge number of victims, because the funds locked in the bridge as collateral belong to individual users. It's like robbing individual wallets on a centralized exchange instead of targeting funds belonging to the exchange itself, the main difference being that decentralized bridge programs don't use offline cold wallets the way centralized exchanges do.
IRA Financial Trust, $37 million
The least clear part of the IRA Financial Trust hack, in which $21 million of Bitcoin and $15 million in Ether were drained from Roth IRA accounts held in custody by the Gemini exchange, is who was to blame.
What is clear is that, on Feb. 8, someone using an account under the name Benjamin Chloe began withdrawing BTC, ETH and cash from other accounts that were protected by a wide range of security features including 2FA and whitelisted withdrawal addresses, CoinDesk reported.
At the time, Gemini told victims that the "transfer requests were made by utilizing properly authenticated accounts controlled by IRA Financial Group, which were used to execute asset transfers to another account."
Saying that these requests were in line with the IRA Financial approval process, Gemini said they looked legitimate, adding:
"To date, our investigation has found no indication of any unauthorized access to your account resulting from any security failure or breach of Gemini systems."
It told Bloomberg: "While IRA Financial's accounts are serviced on the Gemini platform, Gemini does not manage the security of IRA Financial's systems."
In June, IRA Financial denied it was to blame, accusing Gemini in a lawsuit of failing to protect accounts by giving the company a master account with a "master key" that allowed the user to bypass individual account security features, creating "a single point of failure." It added:
"Critically, Gemini never informed IRA about the power of this master key. To the contrary, Gemini itself handled IRA's master key as if it was a mundane piece of information, repeatedly exchanging unsecured, unencrypted emails with IRA containing the master key."
Like the Qubit hack, the IRA Financial funds were run through Tornado Cash to hide their whereabouts.
DoJ Seizes Funds Stolen in Bitfinex Hack, $3.6 billion
The arrests and seizure came after a $500 Walmart gift card allegedly bought with stolen funds was traced to purchases made via Morgan's mobile, according to reports.
Cashio, $52 million
Several months before the $48 billion collapse of the UST algorithmic stablecoin, a far smaller stablecoin crashed and burned. The Solana blockchain-native Cashio algorithmic stablecoin lost its dollar peg to fall far below one penny after faulty code allowed a hacker to exploit an "infinite mint glitch" to make off with $52 million.
Cashio worked like this: anyone could mint CASH stablecoins by depositing USDC and USDT stablecoins into a liquidity pool. The problem was that the project's smart contracts failed to verify that the user's collateral was real, allowing the thief to mint real CASH tokens against fake collateral.
While the project was killed, the hacker later claimed to have returned the funds of anyone whose account held less than $100,000.
"The intention was only to take money from those who do not need it, not from those who do," the hacker wrote, according to Vice. That said, there were a lot of "prove it"-style requirements attached ranging from proof of ownership to providing justification of why victims deserved their own money back.
"an explanation of the source of this money and why you need it back. more detail is better. money will not be refund [SIC] to rich american [SIC] and european [SIC] that don't need it."
A number of victims tried, many calling the thief "Robinhood." One such request from someone claiming to be a victim read:
"Robinhood, I have tried my luck in crypto but ended up with massive losses, debt, and PTSD. My life is in disarray. 3 ETH will put me back in a slightly better position to turn my life around. Please."
It's not clear if funds were returned.
Ronin Network, $625 million
The Ronin Network was used to turn ETH into RON tokens, enabling users to take part in the play-to-earn game Axie Infinity — and was also targeted in March.
It's difficult to know what was more shocking when the hack emerged: that a staggering $625 million worth of ETH and USDC had been stolen, or that the theft hadn't been noticed for six days.
This really is quite a long time not to notice that you're missing more than a half billion dollars.
Beanstalk, $182 million
Another algorithmic stablecoin, Beanstalk's BEAN, was chopped down by a hacker who used an enormous flash loan to briefly take control of the project's governance. With a two-thirds supermajority, they passed new rules that sent about $182 million worth of the assets backing BEAN to an address of their choosing.
In all, almost 25,000 ETH and 36 million BEAN tokens were looted — although given that BEAN depegged and lost most of its value in minutes, they weren't worth much. The attack required an Aave flash loan of almost $1 billion to buy 79% governance power for a few seconds, and in the end, the thief netted about $77 million — as well as a $250,000 "donation" sent directly to Ukraine's crypto donation address.
It started with a pair of malicious governance proposals — one draining the tokens, the other sending them — which weren't noticed in the 24-hour waiting period required by the smart contract. The supermajority allowed the hacker to pass them under an emergency no-waiting-period provision.
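A constructed toy model, written for this article rather than taken from Beanstalk's contracts, showing why the flash-loan vote described above passes when voting weight is read from live balances and fails when it is read from the previous block's snapshot (all names and amounts are made up):

```python
"""Toy model of flash-loan governance capture and the snapshot mitigation.

Constructed example: a dict of token balances stands in for on-chain state,
and an 'emergency commit' passes when one voter holds >= 2/3 of voting power.
"""
from dataclasses import dataclass, field
from typing import Dict, List

SUPERMAJORITY = 2 / 3  # share of voting power the no-waiting-period path requires


@dataclass
class ToyGovernance:
    balances: Dict[str, float]                                # live balances
    history: List[Dict[str, float]] = field(default_factory=list)  # per-block snapshots

    def end_block(self) -> None:
        """Freeze the current balance sheet as this block's snapshot."""
        self.history.append(dict(self.balances))

    def share(self, voter: str, use_snapshot: bool) -> float:
        """Voting share, read either from live balances or the last snapshot."""
        book = self.history[-1] if use_snapshot else self.balances
        total = sum(book.values())
        return book.get(voter, 0.0) / total if total else 0.0

    def emergency_commit(self, voter: str, use_snapshot: bool) -> bool:
        """True if the voter alone clears the supermajority threshold."""
        return self.share(voter, use_snapshot) >= SUPERMAJORITY


def flash_loan_vote(gov: ToyGovernance, attacker: str, borrowed: float,
                    use_snapshot: bool) -> bool:
    """Borrow, vote and repay inside one block; return whether the vote passed.

    The loan never survives to end_block(), so it never enters a snapshot.
    """
    gov.balances[attacker] = gov.balances.get(attacker, 0.0) + borrowed
    passed = gov.emergency_commit(attacker, use_snapshot)
    gov.balances[attacker] -= borrowed  # repaid before the block closes
    return passed


if __name__ == "__main__":
    gov = ToyGovernance({"alice": 60.0, "bob": 40.0})
    gov.end_block()  # honest holders are the only ones in the snapshot
    print("live balances:", flash_loan_vote(gov, "mallory", 900.0, False))  # True
    print("prior snapshot:", flash_loan_vote(gov, "mallory", 900.0, True))  # False
```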
While BEAN's value dropped to almost nothing, developer Beanstalk Farms revived it on Aug. 6. While it regained its peg, the market cap is presently only about one third of what it was before the hack.
Fei Rari, $80 million
NFT hacks, $458,000
A pair of NFT-based hacks this month displayed the risks of trusting official outlets too much.
"Stay safe out there, anything too good to be true IS A F****** SCAM. And as a side note, there will never be a SURPRISE MINT I mention one time in one place starting at 6am Sunday morning."
At least one victim — who recognized that they'd clicked without thinking — said they'd lost their life savings.
Elrond's Maiar Exchange, $113 million
The Maiar Exchange, a decentralized exchange on the Elrond Network blockchain, was hacked for $113 million worth of Elrond eGold.
Elrond developer Andrei Marinica explained that a new virtual machine function was found to have an exploitable flaw.
While the flaw was discovered and a patch was created, deploying code changes to the network is a process that takes several days. There's a good reason for that — look back at the Beanstalk hack in April — but the downside was that the patch wouldn't go live until June 8. Unfortunately, with the patch in place and waiting to go live, a bigger and more dangerous flaw was found. That's when security went off the rails. He said:
"Bafflingly, these discoveries are discussed quite nonchalantly on the public Elrond Developers channel during the weekend, without raising any security or safety concerns. Since a patch is known to come to the network in two days, there is little attention to responsible disclosure and immediate action."
The hacker moved fast. The developers took Maiar Exchange offline but the damage was done. Maiar's native token dropped 90% and Elrond's 7%.
Horizon Bridge, $100 million
The Harmony blockchain's Horizon Bridge connects it to both Ethereum and BNB Chain (then known as Binance Smart Chain) — with ETH, USDC, USDT, DAI, BNB and a number of other assets including NFTs able to be moved onto Harmony.
Nomad Bridge, $190 million
It's not entirely accurate to call the $190 million Nomad Bridge attack "a hack." Free-for-all is more like it.
The basics are pretty simple. An update on the Moonbeam-Ethereum cross-chain bridge was not sufficiently scrutinized and had a hole that allowed a small amount of Wrapped Bitcoin sent from Moonbeam to unlock a much larger amount on Ethereum.
Essentially, attackers could "bypass the message verification process and drain the tokens from the bridge contract," blockchain security firm Certik said.
"This is why the hack was so chaotic — you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it," explained Sam Sun, a researcher for Web3 investment firm Paradigm, in a Twitter thread.
Wintermute, $160 million
Wintermute, an automated market maker, had a hot wallet hacked for $160 million spread across 90 different cryptocurrencies, with no more than $2.5 million of any one token taken. The problem appeared to be a flaw in the hot wallet's security rather than in Wintermute's own systems.
While the number is large, founder and CEO Evgeny Gaevoy said that its over-the-counter (OTC) and centralized finance operations are unaffected and that the firm is "solvent with twice over that amount in equity left."
Three weeks later, the firm was able to pay off a $96 million, uncollateralized loan a day before it came due. The firm offered a bug bounty, but apparently hasn't heard from the thief.
Binance Bridge, $586 million
While "Hacktober" was the worst month in a year chock full of DeFi hacks, the vast majority of the more than $760 million stolen came from a hack of Binance's cross-chain bridge for its BNB Chain, the fourth-largest blockchain with a market cap of $57 billion.
A flaw in the chain's Binance Bridge allowed a hacker to create two million BNB tokens, worth $570 million, out of thin air. Because of that, no individual bridge user was injured.
And a lot less was lost than could have been, as Binance was able to shut down the BNB Smart Chain (BSC) before the attacker could move more than $100 million worth of stolen tokens off the chain. (CoinMarketCap is owned by Binance.)
Binance's chief communications officer Patrick Hillmann told CoinDesk on Oct. 10 that as the number of attacks on cross-chain bridges grows, "the communities that rally around these blockchains are getting much better at shutting them down quickly, updating their systems and being able to prevent a worst case scenario from happening."
But, he added, if attackers become better organized they could do more damage.
Two weeks later, Binance CEO Changpeng "CZ" Zhao told CNBC that thanks to some information from law enforcement agencies, the company is getting closer to identifying the culprit.
Mango Markets, $114 million
The second big exploit that month targeted Mango Markets, a DeFi trading platform on the Solana blockchain. Except that it wasn't really an exploit but a market manipulation — and a legal one, according to Avraham Eisenberg, a trader who outed himself as part of "a team that operated a highly profitable trading strategy."
The attack and/or trading strategy worked like this, CoinDesk explained: use $5 million in USDC stablecoins to buy up MNGO tokens and short the token, buy another $5 million worth to hedge, then use other funds to buy up the thinly traded MNGO token on the spot market, where low liquidity let the price be driven from $0.02 to $0.91 in 10 minutes. The second $5 million account was then worth $420 million, and Eisenberg cleaned out Mango's $116 million in liquidity.
Its native Mango token was down 40% on the day of the attack. Eisenberg said:
"I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are."
As this led the Mango Markets exchange into insolvency, and left its insurance fund unable to cover liquidations, he said:
"To remedy the situation, I helped negotiate a settlement agreement with the insurance fund with the goal of making all users whole as soon as possible as well as recapitalizing the exchange."
This entailed giving back $67 million (and getting a promise that the community would not pursue criminal charges or freeze tokens), which earned him little thanks in the Mango community. However, there was a great deal of gloating when an attack on Aave's CURV token failed, leaving him $17 million in the red.
Deribit, $28 million
Crypto derivatives exchange Deribit was hacked to the tune of $28 million by someone who got into its hot wallets. Chief commercial officer Luuk Strijers said that only 1% of its holdings are kept in hot wallets, and that the loss will be covered by the exchange, which temporarily halted trading.
DoJ Seizes Silk Road Hack Funds, $3.36 billion
The Department of Justice announced its second $3 billion-plus seizure of stolen Bitcoin in November. The 50,676 BTC was found in the home of James Zhong, who has pleaded guilty to robbing it from the Silk Road darknet market in 2012.
The action actually took place in Nov. 2021 — which would have been a much better time to sell it — and Zhong faces up to 20 years in prison for wire fraud, according to U.S. Attorney for the Southern District of New York Damian Williams. He said:
"Thanks to state-of-the-art cryptocurrency tracing and good old-fashioned police work, law enforcement located and recovered this impressive cache of crime proceeds. This case shows that we won't stop following the money, no matter how expertly hidden, even to a circuit board in the bottom of a popcorn tin."
FTX, $477 million
The attack, which several experts and even Bankman-Fried himself have suggested was an inside job, occurred on Friday, Nov. 11, the day FTX filed for bankruptcy.
Some $280 million had been converted to ETH, and another $74 million to BTC via the RenBridge cross-chain bridge, as of Nov. 21, Elliptic CEO Tom Robinson told CNBC.
"This is a common tactic in the laundering of crypto thefts," Robinson said, adding that RenBridge has been used to launder hundreds of millions of dollars in crypto his firm believes came from ransomware and hacking. To make matters even worse, RenBridge is owned by Alameda.