exploits

Crypto thieves steal $363M in Nov, the most ‘damaging’ month this year

The Poloniex and HTX/Heco Bridge exploits as well as the KyberSwap flash loan attack were the three largest incidents in November, according to blockchain security firm CertiK.

The cryptocurrency industry has now seen its most “damaging” month for crypto thievery, scams and exploits in 2023, with crypto criminals walking away with $363 million in November, according to a blockchain security firm.

Around $316.4 million came from exploits alone, flash loans inflicted $45.5 million in damage, and $1.1 million was lost to various exit scams, CertiK stated in a Nov.

The largest exploits in November occurred on Poloniex and HTX/Heco Bridge, with losses of $131.4 million and $113.3 million, respectively.

The third largest exploit was inflicted on a single victim who lost $27 million from a phishing attack.

Meanwhile, the $45 million KyberSwap attack accounted for nearly all damage done for flash loan attacks in the month.

The latest monthly figure has surpassed an earlier record of $329 million, set in September, caused mainly by the $200 million Mixin Network attack.

As of the end of November, about $1.7 billion has now been lost to exploits, exit scams and flash loan attacks in 2023.

7 DeFi protocol hacks in Feb see $21 million in funds stolen: DefiLlama

DeFi platforms lost over $21 million to hackers throughout February, according to data released by DeFi project aggregator DefiLlama.

Reentrancy, price oracle attacks and exploits across seven protocols caused the decentralized finance (DeFi) space to bleed at least $21 million in crypto in February. 

According to DeFi data analytics platform DefiLlama, one of the largest in the month was the flash loan reentrancy attack on Platypus Finance, which led to $8.5 million of funds lost.

DefiLlama highlighted six other noteworthy hacks in the month, the first being the price oracle attack on BonqDAO on Feb 1.

DeFi platforms suffered seven attacks throughout February. Source: DefiLlama

BonqDAO: $1.7 million

BonqDAO revealed to its followers in a Feb. 1 post that its Bonq protocol was exposed to an oracle attack that allowed the exploiter to manipulate the price of the AllianceBlock (ALBT) token.

The exploiter increased the ALBT price and minted large amounts of Bonq Euro (BEUR). The BEUR was then swapped for other tokens on Uniswap. Then, the price decreased to almost zero, which triggered the liquidation of ALBT.

Blockchain security firm PeckShield estimated the losses to be around $120 million; however, it was later revealed hackers reportedly only cashed out around $1 million due to a lack of liquidity on BonqDAO.

Orion Protocol: $3 million

Just a day later, on Feb. 2, decentralized exchange Orion Protocol suffered a loss of roughly $3 million through a reentrancy attack, where attackers used a malicious smart contract to drain funds from a target with repeated withdrawal orders.

Orion Protocol CEO Alexey Koloskov confirmed the attack at the time, assuring everyone that “All users’ funds are safe and secure.”

“We have reasons to believe that the issue was not a result of any shortcomings in our core protocol code but rather might have been caused by a vulnerability in mixing third-party libraries in one of the smart contracts used by our experimental and private brokers,” he said.

DForce Network: $3.65 million

DeFi protocol dForce network was another February victim of a reentrancy attack resulting in around $3.65 million in losses.

In a Feb. 10 post, dForce confirmed the exploit; however, in a twist, all funds were returned when the attacker came forward as a white hat hacker.

“On Feb. 13, 2023, the exploited funds were fully returned to our multisig on both Arbitrum and Optimism, a perfect ending for all,” dForce said.

Platypus Finance: $9.1 million

On Feb. 16, DeFi protocol Platypus Finance suffered a flash loan attack resulting in $8.5 million being drained from the protocol.

A post-mortem report from Platypus auditor Omniscia noted that the attack was possible because of code in the wrong order.

On Feb. 23, the team announced that they are seeking to return around 78% of the main pool funds by reminting frozen stablecoins.

The team also confirmed second and third incidents, which led to another $667,000 exploited, bringing total losses to around $9.1 million.

French police arrested two suspects related to the hack and seized around $222,000 worth of crypto assets on Feb. 25.

Hope Finance: $1.86 million

A few days later, on Feb. 20, users of Arbitrum-based algorithmic stablecoin project Hope Finance fell prey to a smart contract exploit, which saw roughly $2 million stolen from users.

Web3 security firm CertiK flagged the incident on Feb. 21, following an announcement from the Hope Finance Twitter account notifying users of the scam.

A member of the CertiK team told Cointelegraph at the time that the scammer had changed the details of the smart contract, which led to funds being drained from Hope Finance genesis protocol:

“It appears that the scammer changed the TradingHelper contract which meant that when 0x4481 calls OpenTrade on the GenesisRewardPool the funds are transferred to the scammer.”

Dexible: $2 million

Multichain exchange aggregator Dexible was hit by an exploit that targeted the app’s selfSwap function, with $2 million worth of cryptocurrency lost due to the Feb. 17 attack.

According to a Feb. 18 post from the exchange, “a hacker exploited a vulnerability in our newest smart contract. This allowed the hacker to steal funds from any wallet that had an unspent spend approval on the contract.”

After investigating, the Dexible team found the attacker had used the app’s selfSwap function to move over $2 million worth of crypto from users that had previously authorized the app to move their tokens.

After receiving the tokens into their own smart contract, the attacker withdrew the coins through Tornado Cash into unknown BNB (BNB) wallets.

LaunchZone: $700,000

BNB Chain-based DeFi protocol LaunchZone had $700,000 worth of funds drained on Feb. 27.

According to blockchain security firm Immunefi, an attacker leveraged an unverified contract to drain the funds.

“An approval had been made to the unverified contract 473 days ago by the LaunchZone deployer,” Immunefi said.

The February figures are a stark increase from January, according to DefiLlama figures.

The tracker lists only $740,000 in hacks to DeFi platforms in the month across two protocols — Midas Capital and Roe Finance.

In its 2023 Crypto Crime Report, blockchain data firm Chainalysis revealed that hackers stole $3.1 billion from DeFi protocols in 2022, accounting for more than 82% of the total amount stolen in the year.

DeFi exploits and access control hacks cost crypto investors billions in 2022: Report

Cyber criminals used a variety of methods to siphon funds through hacks and exploits in 2022, amounting to over $2.8 billion in losses.

Cyber criminals used a variety of novel ways to carry out hacks and exploits in 2022, with over $2.8 billion of cryptocurrency stolen last year.

According to a report from CoinGecko using data sourced from DeFiYield’s REKT Database, nearly half of the total crypto stolen in 2022 was fleeced using diverse methods. This includes bypassing verification processes, market manipulation, ‘crowd looting’ as well as smart contract and bridge exploits.

The biggest hack of 2022 was carried out through an access control hack. Sky Mavis, the developer behind the popular game Axie Infinity, saw its Ronin bridge hacked in March, leading to $625 million being drained from the bridge between the Ronin chain and Ethereum network.

It was later revealed that North Korean hacking group Lazarus gained access to five private keys that were used to sign transactions from five Ronin Network validator nodes. This was how the hackers drained 173,600 ETH and 25.5 million USDC from the bridge.

According to CoinGecko, an access control exploit is carried out by attackers who have gained access to wallets or accounts through compromised private keys, networks or security systems. As Cointelegraph explored last year, cross-chain bridge hacks were prevalent in 2022, with 65% of funds stolen from these types of attacks alone.

The second largest exploit of 2022 took place in February, with attackers bypassing verification with a forged signature on the Wormhole token bridge before minting $326 million worth of crypto. Wormhole’s failure to validate “guardian” accounts allowed hackers to mint tokens without needing the required collateral.

“Crowd looting” came to the fore in August, as an insecure smart contract configuration on the decentralized finance token bridge Nomad allowed users to withdraw an unlimited amount of funds. Hundreds of wallets took advantage of the exploit, with over $190 million drained.

Mango Markets suffered a market manipulation exploit in October, as a hacker purchased and artificially inflated Mango (MNGO) tokens before taking out under-collateralized loans from the project’s treasury. Some $116 million was stolen in the flash loan attack.

Reentrancy attacks, in which attackers make use of a malicious smart contract that drains funds from a target with repeated withdrawal orders, amounted to $81 million stolen last year.

Oracle issue hacks led to $54 million of funds stolen. This method sees hackers gain access to an oracle service and manipulate its price feed data service to enforce smart contract failure or carry out flash loan attacks.

Phishing attacks only amounted to $17 million of cryptocurrency stolen in 2022. This method was prevalent between 2017 and 2020, as attackers preyed on unwitting victims through social engineering methods to steal login credentials and private keys.

An oracle attack in February 2023 is the largest hacking incident to date of the new year. Hackers managed to manipulate the price of the AllianceBlock token through an oracle hack, leading to an estimated $120 million being stolen from the protocol.

Crypto exploit losses in January see nearly 93% year-on-year decline

Around $8.8 million was lost to crypto exploits in January, a massive decline from the figures this time last year.

Aside from the bullish crypto market rally in January, there’s been more positive industry news as the month saw a steep decline in losses from exploits compared to the same time last year.

According to data from blockchain security firm PeckShield on Jan. 31, there were $8.8 million in losses from crypto exploits in January.

There were 24 exploits over the month, with $2.6 million worth of crypto being sent to mixers such as Tornado Cash. The breakdown of assets sent to mixers includes 1,200 Ether (ETH) and around 2,668 BNB (BNB).

The January figures are 92.7% lower than the $121.4 million lost to exploits in January 2022.

PeckShield reported that the largest exploit from last month, representing 68% of the total, was a Jan. 12 attack against LendHub that drained $6 million from the decentralized finance lending and borrowing platform.

Other notable exploits for the month included Thoreum Finance, which lost $580,000 and Midas Capital, which was exploited for $650,000 in a flash loan attack.

January’s figure is also down 68% from December 2022, which saw almost $27.3 million in exploit losses, according to PeckShield.

Other losses not included in the data include a $2.6 million rug pull on the FCS BNB Chain token, according to DeFiYield’s Rekt database. There was a further $150,000 lost to fake BONK tokens, and a $200,000 rug pull on the Doglands Metaverse gaming platform, DeFiYield reported.

A phishing attack on the GMX decentralized trading protocol on Jan. 4 also resulted in a victim losing as much as $4 million.

Despite the relatively quiet month, blockchain security company CertiK told Cointelegraph in early January that there is unlikely to be a slowdown in attacks and exploits this year.

The firm also reported that the $62 million in crypto stolen in December was the “lowest monthly figure” in 2022.

As of the end of last year, the ten largest exploits of 2022 resulted in a whopping $2.1 billion stolen from crypto protocols.

Metaverse exploitation and abuse to rise in 2023: Kaspersky

Cybercriminals will flock to the metaverse next year to prey on unsuspecting virtual world participants, according to a report by cybersecurity firm Kaspersky.

Malware, ransomware attacks and phishing are not the only scourges of the crypto industry, as the Metaverse could become a big target next year, according to cybersecurity experts.

In its “Consumer cyberthreats: predictions for 2023” report on Nov. 28, cybersecurity firm Kaspersky forewarned that there will be greater exploitation of the metaverse due to a lack of data protection and moderation rules.

Kaspersky acknowledged there are currently only a handful of metaverse platforms, but the number of metaverses is set to expand in the coming years and the market could even top $50 billion by 2026. That expansion will entice cyber criminals to the ecosystem seeking to exploit unwitting virtual world participants:

“As the metaverse experience is universal and does not obey regional data protection laws, such as GDPR, this might create complex conflicts between the requirements of the regulations regarding data breach notification.”

Social media is already a hotbed of data breach activity, so it stands to reason that the metaverse will be an extension of this. As reported by Cointelegraph earlier this year, social media was responsible for more than $1 billion in crypto scam-related losses in 2021.

Kaspersky also predicted that virtual abuse and sexual assault will spill over into Metaverse ecosystems. It mentioned cases of “avatar rape and abuse,” adding that without protection mechanisms or moderation rules, “this scary trend is likely to follow us into 2023.”

Meta, the firm formerly known as Facebook, has already received a lot of pushback over its metaverse ambitions due to the lack of user protection and privacy concerns on its social media platform.

The report predicted that in-game virtual currencies and valuable items will be one of the “prime goals” among cybercriminals who will seek to hijack player accounts or trick them into fraudulent deals to fork over valuable virtual assets. Most modern games have introduced some form of monetization or digital currency support, which will become a honeypot for malicious actors.

Kaspersky noted that new forms of social media will also bring more risks. It specifically mentioned a shift to augmented reality-based social media, adding that cybercriminals can start “distributing fake trojanized applications” to infect devices for further malicious purposes.

Threats to new AR-based social media and metaverse platforms are primarily data and money theft, phishing and account hacking, the report concluded.

Scary stats: $3B stolen in 2022 as of ‘Hacktober,’ doubling 2021

Blockchain security firm PeckShield shared the stats on Halloween night, but also added the month saw $100 million in crypto returned.

The month of October has broken all records for crypto exploits and the amount of digital loot pilfered — living up to its new moniker of “Hacktober” — according to the latest figures.

On Oct. 31, blockchain security firm PeckShield tweeted some scary statistics for the month, reporting a total of $2.98 billion in stolen digital assets as of Oct. 31, 2022, which is nearly double the $1.55 billion lost in all of 2021.

“Hacktober” saw around 44 exploits affecting 53 protocols, it added. Malicious actors made off with a whopping $760 million in the month. However, $100 million had been returned. 

After October, March was the second-highest month for hacked funds, with just under $710 million stolen. The majority of this was from the Ronin bridge exploit, which resulted in $625 million in crypto assets being pilfered.

The top exploit for October was by far that of BNB Chain, which lost $586 million, according to PeckShield. It listed the Mango Markets DeFi protocol as second, despite it including an agreement with the exploiter to return some of the funds.

There were several other notable exploits in October, according to DeFiYield’s Rekt Database. These include the Freeway crypto yield platform, which it classified as a $60 million rug pull; Transit Swap, which lost $29 million; Team Finance, which took a $13 million hit; and Moola Market, which lost $9 million.

DeFiYield released its own report on Nov. 1, depicting the dire state of the hackfest that took place last month.

It claims that more than $1 billion was lost to crypto scams in October though it includes what it considers as rug pulls and Ponzis in addition to direct protocol exploits. DeFiYield reported 35 total incidents for the month, 15 of which were rug pulls.

On a brighter note, the report stated that almost $890 million in crypto funds had been recovered so far in 2022.

FBI issues alert over cybercriminal exploits targeting DeFi

Smart contracts governing DeFi platforms identified as a particular cause for concern for the enforcement agency.

The United States Federal Bureau of Investigation (FBI) has issued a fresh warning for investors in decentralized finance (DeFi) platforms, which have been targeted with $1.6 billion in exploits in 2022. 

In a Tuesday public service announcement on the FBI’s Internet Crime Complaint Center, the agency said the exploits have caused investors to lose money — advising investors to conduct diligent research about DeFi platforms before using them while also urging platforms to improve monitoring and conduct rigorous code testing.

The law enforcement agency warned that cybercriminals are out in force to take advantage of “investors’ increased interest in cryptocurrencies,” and “the complexity of cross-chain functionality and open source nature of Defi platforms.”

The FBI observed cybercriminals exploiting vulnerabilities in smart contracts that govern DeFi platforms in order to steal investors’ cryptocurrency. 

In a specific example, the FBI mentioned cases where hackers used a “signature verification vulnerability” to plunder $321 million from the Wormhole token bridge back in February. It also mentioned a flash loan attack that was used to trigger an exploit in the Solana DeFi protocol Nirvana in July. 

However, that’s just a drop in a vast ocean. According to an analysis from blockchain security firm CertiK, since the start of the year, over $1.6 billion has been exploited from the DeFi space, surpassing the total amount stolen in 2020 and 2021 combined.

FBI recommends due diligence, testing

While the FBI admitted that “all investment involves some risk,” the agency has recommended that investors research DeFi platforms extensively before use and, when in doubt, seek advice from a licensed financial adviser.

The agency said it was also very important that the platform’s protocols are sound and to ensure they have had one or more code audits performed by independent auditors.

Typically, a code audit involves a review of the platform’s underlying code to identify vulnerabilities or weaknesses that could be exploited.

According to the FBI, any DeFi investment pools with an “extremely limited timeframe to join” or “rapid deployment of smart contracts” should also be approached with extreme caution, especially if they have not conducted a code audit.

Crowdsourced solutions, generating ideas or content by soliciting contributions from a large group of people, were also flagged by the law enforcement agency:

“Open source code repositories allow unfettered access to all individuals, to include those with nefarious intentions.”

The FBI said DeFi platforms can also do their part to increase security by testing their code regularly to identify vulnerabilities, along with real-time analytics and monitoring.

An incident response plan and informing users about possible platform vulnerabilities, hacks, exploits or other suspicious activity are also among the recommendations.

However, failing all that, the FBI urges American investors targeted by hackers to contact them through the Internet Crime Complaint Center or their local FBI field office.

Earlier this year, U.S. Deputy Attorney General Lisa Monaco announced the FBI was stepping up its efforts to address crime in the digital asset space with the formation of the Virtual Asset Exploitation Unit.

The specialized team is dedicated to cryptocurrency and includes experts to help with blockchain analysis as part of a shift in focus toward disruption of international criminal networks, rather than just their prosecution.