Blockchain analysis firm Chainalysis said 2022 was “the biggest year ever” in terms of the number of crypto projects hit with attacks and drained of funds—and that was in October. It certainly felt like it.
1/ After four hacks yesterday, October is now the biggest month in the biggest year ever for hacking activity, with more than half the month still to go. So far this month, $718 million has been stolen from #DeFi protocols across 11 different hacks. pic.twitter.com/emz36f6gpK
— Chainalysis (@chainalysis) October 12, 2022
Just the hacks highlighted here add up to an enormous $2.2 billion, and these hacks represent only a small portion of the total attacks observed in 2023.
The seeming lack of security this year has made an already brutal bear market even tougher for many. Chainalysis tells Decrypt that a full accounting of the year will be included in a wrap-up report next year. (Figures in this piece represent the value of the funds at the time of the incident.)
1. FTX: $650 million
It’s been the biggest crypto event—and arguably the biggest news story—of 2022: super-popular digital asset exchange FTX spectacularly collapsed, losing billions of dollars-worth of funds.
It filed for Chapter 11 bankruptcy November 12, but that wasn’t the end of its woes: the celebrity endorsed exchange was then hit by a mystery attack.
Several wallets allegedly belonging to FTX were drained of around $640 million in tokens. The funds were then moved around to other exchanges and converted into different cryptocurrencies.
And it still isn’t clear who stole the assets. At the collapsed exchange’s first court hearing, counsel to FTX’s new management James Bromley said that a “substantial amount” of the exchange’s assets are missing or have been stolen.
2. Binance (Binance Smart Chain): $566 million
Hackers hit a blockchain associated with the world’s biggest crypto exchange on October 6, making away with $566 million in BNB.
The exploit targeted the cross-chain bridge BSC Token Hub. Hackers essentially conjured tokens out of nothing using artificial withdrawal proofs. No users of Binance or its blockchain lost funds in this attack, though.
Despite the huge amount of tokens pinched, the criminals weren’t able to pocket them all—Binance CEO Changpeng Zhao said they were able to prevent around 80% to 90% of the targeted funds from being taken by the hacker.
This is because BSC chain validators froze the network following the attack—but hackers did manage to move around $100 million in funds to other chains.
3. Ronin: $552 million
Hackers hit Ronin, a sidechain for the popular NFT game Axie Infinity, in March, pinching an estimated $552 million in Ethereum and USDC. When the exploit was disclosed by Axie Infinity developer Sky Mavis one week later, the value of the funds stolen had risen to $622 million.
How’d they do it? By using “hacked private keys” to forge transactions and claim the funds.
The funds were laundered quickly—as they typically are in hacks—with around $7 million in Ethereum sent to cryptocurrency mixing service Tornado Cash (now banned by U.S. government).
The U.S. Treasury later identified wallet addresses allegedly tied to North Korea’s Lazarus hacking group in the attack.
4. Wormhole: $326 million
Decentralized finance protocols got hit hard this year. DeFi is the catch-all term for apps that automate things banks and brokerages do, and they are still new and experimental. This means security is an issue, particularly with bridges, which allow users to transfer funds between chains.
In February, the popular bridge Wormhole got hit with an exploit. Hackers targeted its leg on Solana (where users must first lock Ethereum into a smart contract to get an equivalent amount in Wrapped Ethereum, or WETH) to mint tokens. 120,000 in WETH tokens, to be exact. At the time, that was $326 million.
WETH is token pegged to the price of Ethereum on a 1:1 basis, useful in the DeFi world for moving around funds quickly.
Jump Trading, Wormhole’s parent company and a major player in the Solana ecosystem, was able to step in and save the day by replacing what was stolen and getting the bridge up and running again.
5. Nomad: $190 million
Another bridge got hit in August. Nomad, which lets users move digital assets between different blockchains, lost all its funds—held in Ethereum, USDC, DAI, FXS, and CQT—after hackers took advantage of a bug in the upgrade.
After those behind the protocol offered a 10% reward to hackers who returned the tokens—without enforcing law enforcement—funds started to trickle back in.
About $22 million was recovered but the attack prompted the FBI to warn investors about how cyber criminals were eying up vulnerable DeFi platforms like never before.