hacking

Crypto exploit losses in January see nearly 93% year-on-year decline

Around $8.8 million was lost to crypto exploits in January, a massive decline from the figures this time last year.

Aside from the bullish crypto market rally in January, there’s been more positive industry news as the month saw a steep decline in losses from exploits compared to the same time last year.

According to data from blockchain security firm PeckShield on Jan. 31, there were $8.8 million in losses from crypto exploits in January.

There were 24 exploits over the month, with $2.6 million worth of crypto being sent to mixers such as Tornado Cash. The breakdown of assets sent to mixers includes 1,200 Ether (ETH) and around 2,668 BNB (BNB).

The January figures are 92.7% lower than the $121.4 million lost to exploits in January 2022.

PeckShield reported that the largest exploit from last month, representing 68% of the total, was a Jan. 12 attack against LendHub that drained $6 million from the decentralized finance lending and borrowing platform.

Other notable exploits for the month included Thoreum Finance, which lost $580,000, and Midas Capital, which was exploited for $650,000 in a flash loan attack.

January’s figure is also down 68% from December 2022, which saw almost $27.3 million in exploit losses, according to PeckShield.

Other losses not included in the data include a $2.6 million rug pull on the FCS BNB Chain token, according to DeFiYield’s Rekt database. There was a further $150,000 lost to fake BONK tokens, and a $200,000 rug pull on the Doglands Metaverse gaming platform, DeFiYield reported.

A phishing attack on the GMX decentralized trading protocol on Jan. 4 also resulted in a victim losing as much as $4 million.


Despite the relatively quiet month, blockchain security company CertiK told Cointelegraph in early January that there is unlikely to be a slowdown in attacks and exploits this year.

The firm also reported that the $62 million in crypto stolen in December was the “lowest monthly figure” in 2022.

As of the end of last year, the ten largest exploits of 2022 resulted in a whopping $2.1 billion stolen from crypto protocols.

Crypto’s recovery requires more aggressive solutions to fraud

After 2022, we need to do more to assure skeptical users that they can invest in cryptocurrency without fearing that their funds will be lost.

It’s hardly an exaggeration to say that our industry is facing tough times. We’ve been in the midst of a “crypto winter” for some time now, with the prices of mainstays, including Bitcoin (BTC) and Ether (ETH), tumbling. Likewise, monthly nonfungible token (NFT) trading volumes have fallen more than 90% since their multibillion dollar peak back in January of this year. Of course, these declines have only been exacerbated by the numerous black swan events rocking the crypto world, such as the FTX and Three Arrows Capital meltdowns. Taken together, it shouldn’t be a surprise that crypto is facing a trust deficit. 

While the destructive actions of reckless CEOs must be addressed and the individuals responsible for these events must be held accountable, our industry cannot stop there if we are to rebound. To address the trust deficit that crypto faces, better security for the end user against the threat of scams and hacks must be a priority.

Don’t think so? According to research firm Chainalysis, $3.2 billion worth of digital assets were stolen in 2021. It’s not looking better for our industry this year, with $718 million in overall hacking-related losses having been reported in October alone. When it comes to scams, the picture darkens as report after report shows that known crypto scams, such as rug pulls and wallet drainers, are on the rise. Between July 2021 and August 2022, an eye-popping $100 million in investor funds were lost through unsophisticated NFT scams. And this number is likely an under-count given that most NFT scams are micro-scams impacting individual users that never get reported.


Phishing links trick end users into emptying their wallets. Front-running schemes with videos promising “HUGE RETURNS” to convince people to download bogus software that gives con artists access to their assets. Even direct attacks that disrupt bridges like Ronin and Nomad. Look around and you’ll see that scams and hacks aren’t just costing the crypto industry billions in digital assets — they’re eroding trust in crypto in a more meaningful way than even the black swan events of 2022.

Sure, we can shun and cast out the Sam Bankman-Frieds and Do Kwons and all the other bad-actor CEOs. But if we want to convince the general public and customers that crypto is safe to interact with and invest in, we must tackle the problem of scams and hacks head-on.

How exactly can we make Web3 safe for all? The basic principles of cryptocurrency lie in decentralization, transparency and immutability. Crypto should be for everyone, and for that to be the case, we as an industry must lower users’ required effort and associated level of risk with regard to getting started with crypto, whether that’s purchasing or trading NFTs, or buying and selling Bitcoin. As it stands, crypto is too complex and difficult for everyday people to understand. With the absence of better tooling and anti-scam software, it’s simply too easy for scams and hacks to take place and spread.


The development of anti-scam tools is certainly one way our industry could turn the tide against scams and hacks. Continually increased investment in security layers, and systems to compensate users in the event of hack or scam-related losses will help. But if the cost and headache of security for end users remains higher in crypto than it is in traditional finance, robust mainstream adoption will never occur. This is perhaps our biggest barrier to rebounding as an industry and onboarding the next 100 million users.

The first step in solving a problem is recognizing one. Our industry has a trust deficit, and scams and hacks have just as much to do with it as the FTX and Three Arrows debacles. Crypto is often colloquially referred to as a “dark forest,” where transacting parties that are identified as exploitable typically end up exploited (or destroyed). I personally don’t want to live in a dark forest, and neither do users. It’s on us to create a lighted path forward. End-user security can’t be just a buzzword for our industry anymore — it must be a key pillar of our turnaround.

Riccardo Pellegrini is the co-founder and CEO of Web3 Builders. He served previously in positions including head of product for Amazon Web Services’ Data Exchange, and as CEO of Crossfield Digital. He completed his undergraduate studies and obtained an MBA, both at Harvard University.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Developers need to stop crypto hackers — or face regulation in 2023

One report indicates that more than $2.5 billion in crypto was lost to cross-chain bridge hacks over the last two years alone.

Third-party data breaches have exploded. The problem? Companies, including cryptocurrency exchanges, don’t know how to protect against them. When exchanges sign new vendors, most just innately expect that their vendors employ the same level of scrutiny as they do. Others don’t consider it at all. In today’s age, it isn’t just a good practice to test for vulnerabilities down the supply chain — it is absolutely necessary.

Many exchanges are backed by international financiers and those new to financial technologies. Many are even new to technology altogether, instead backed by venture capitalists looking to get their feet wet in a burgeoning industry. In and of itself, that isn’t necessarily a problem. However, firms that haven’t grown up in the fintech arena often don’t fully grasp the extent of the security risks inherently involved in being a custodian of hundreds of millions of dollars in digital assets.

We’ve seen what happens in the face of inadequate security, which goes beyond vendor management and stretches into cross-chain bridges. Just in October, Binance faced a bridge hack worth nine figures. Then there’s also the Wormhole bridge hack, another nine-figure breach. The Ronin bridge hack resulted in the loss of well over a half billion dollars in assets.

In fact, a new report indicates that over a two-year period, more than $2.5 billion in assets was stolen thanks to cross-chain bridge hacks, dwarfing the losses associated with breaches related to decentralized finance lending and decentralized exchanges combined.

Third-party breaches aren’t just a problem for the crypto industry, though, and they certainly aren’t confined to small players. Earlier this year, the New York City school system had a breach involving a third-party vendor that affected more than 800,000 people. Third-party breaches are the new frontier for bad actors.


This is especially true as nation-states rely more and more on hackers as a matter of foreign policy. In particular, groups out of North Korea and Russia are looking for honey pots from which they can siphon off assets. This makes the cryptocurrency industry a prime target.

The only way to stem these issues before they take down the industry is to realign how it perceives third-party security initiatives. Third parties need complete and thorough vetting before they’re allowed access to institutional data of any kind. Once they are allowed access, it is critical to limit their reach to only the data that is absolutely necessary and revoke those permissions when no longer required, as would have been beneficial to those involved in the Ronin breach. Beyond that, it is critical to review the privacy practices of each vendor.

Like with bridges, the risk of third-party vendors is in the connection with the institution’s system. Most cross-chain bridges are breached after bugs are introduced into the code or when keys are leaked. These bridge attacks can be mitigated and, in many cases, prevented. Whether the breaches result from false deposits or validator issues, human error is often a problem. After hacks make the headlines, investigations show that these errors in code could’ve been fixed with foresight.

In particular, which steps could have had an effect on the cross-bridge hacks, like Binance, that we’ve recently seen? Bridge code needs to be regularly audited and tested before and after its release. One of the most effective ways to do this is to employ bug bounties. Smart contract addresses need constant monitoring, as do false deposits. There should be a security team in place, one that utilizes artificial intelligence to flag potential risks, to oversee these risk management endeavors.


With more thought put into security on the front end, there would be fewer bad headlines. It is far less expensive to hire white hat hackers to find exploits before bad actors do than it is to wait for the bad actors to find them themselves.

Historically, the industry has had its fair share of bad headlines. It has even had its fair share of nine-figure hacks. This year, it seems they’ve become an almost accepted part of the digital assets industry. However, as politics become increasingly intertwined with cryptocurrency regulation, never before has there been a greater threat. As hackers with nation-state backing take greater advantage of these third-party connections, they will come under greater scrutiny. There is no doubt about that. It is only a question of when.

That question will likely be answered as soon as the United States Congress finalizes new legislation on the matter. It makes sense that regulation would be the logical next step — unless the industry acts with great haste.

Richard Gardner is the CEO of Modulus, which builds technology for institutions including NASA, Nasdaq, Goldman Sachs, Merrill Lynch, JPMorgan Chase, Bank of America, Barclays, Siemens, Shell, Microsoft, Cornell University and the University of Chicago.


Scary stats: $3B stolen in 2022 as of ‘Hacktober,’ doubling 2021

Blockchain security firm PeckShield shared the stats on Halloween night, but also added that the month saw $100 million in crypto returned.

The month of October has broken all records for crypto exploits and the amount of digital loot pilfered — living up to its new moniker of “Hacktober” — according to the latest figures.

On Oct. 31, blockchain security firm PeckShield tweeted some scary statistics for the month, reporting a total of $2.98 billion in stolen digital assets as of Oct. 31, 2022, which is nearly double the $1.55 billion lost in all of 2021.

“Hacktober” saw around 44 exploits affecting 53 protocols, it added. Malicious actors made off with a whopping $760 million in the month. However, $100 million had been returned. 

After October, March was the second-highest month for hacked funds, with just under $710 million stolen. The majority of this was from the Ronin bridge exploit, which resulted in $625 million in crypto assets being pilfered.

The top exploit for October was by far that of BNB Chain, which lost $586 million, according to PeckShield. It listed the Mango Markets DeFi protocol as second, despite it including an agreement with the exploiter to return some of the funds.

There were several other notable exploits in October, according to DeFiYield’s Rekt Database. These include the Freeway crypto yield platform, which it classified as a $60 million rug pull; Transit Swap, which lost $29 million; Team Finance, which took a $13 million hit; and Moola Market, which lost $9 million.


DeFiYield released its own report on Nov. 1, depicting the dire state of the hackfest that took place last month.

It claims that more than $1 billion was lost to crypto scams in October, though it includes what it considers rug pulls and Ponzis in addition to direct protocol exploits. DeFiYield reported 35 total incidents for the month, 15 of which were rug pulls.

On a brighter note, the report stated that almost $890 million in crypto funds had been recovered so far in 2022.

Blockchain security firm warns of new MetaMask phishing campaign

Blockchain security firm Halborn has warned users of the latest phishing emails doing the rounds.

A cybersecurity firm has issued warnings over a new phishing campaign targeting users of the popular crypto wallet MetaMask.

According to a Thursday post written by Halborn’s technical education specialist Luis Lubeck, the active phishing campaign used emails to target MetaMask users and trick them into giving out their passphrase.

The firm analyzed scam emails it received in late July to warn users of the new scam. Halborn noted that at an initial glance, the email looks authentic with a MetaMask header and logo and with messages that tell users to comply with Know Your Customer (KYC) regulations and how to verify their wallets.

However, Halborn also noted there are several red flags within the message. Spelling errors and a fake sender’s email address were two of the most obvious. Furthermore, a fake domain called metamaks.auction was used to send the phishing emails.

Phishing attacks are social engineering attacks using targeted emails to lure victims into revealing more personal data or clicking links to malicious websites that attempt to steal crypto.

There was also no personalization in the message, the firm noted, which is another warning sign. Hovering over the call to action button reveals the malicious link to a fake website which prompts users to enter their seed phrases before redirecting to MetaMask to empty their crypto wallets.

Halborn, which raised $90 million in a Series A round in July, was founded in 2019 by ethical hackers offering blockchain and cybersecurity services.

In June, Halborn researchers discovered a case where a user’s private keys could be found unencrypted on a disk in a compromised computer. MetaMask patched the issue in extension versions 10.11.3 and later following the discovery.

However, there was no mention of the new email phishing threat on MetaMask’s Twitter feed at the time of writing.


Last week, Celsius users were warned of a phishing threat following the leak of customer emails by a third-party vendor employee.

In late July, security researchers warned of a new malware strain called Luca Stealer appearing in the wild. The information stealer is written in the Rust programming language and targets Web3 infrastructure such as crypto wallets. Similar malware called Mars Stealer was discovered targeting MetaMask wallets in February.

‘Nobody is holding them back’ — North Korean cyber-attack threat rises

“Even though the tradecraft is not perfect right now… it’s still a fresh market for North Korea,” says former CIA analyst Soo Kim.

North Korea-backed cyberattacks on cryptocurrency and tech firms will only become more sophisticated over time as the country battles prolonged economic sanctions and resource shortages. 

Former CIA analyst Soo Kim told CNN on Sunday that the process of generating overseas crypto income for the regime has now become a “way of life” for the North Koreans:

“In light of the challenges that the regime is facing — food shortages, fewer countries willing to engage with North Korea […] this is just going to be something that they will continue to use because nobody is holding them back, essentially.”

She also added that it is likely that their crypto attacking “tradecraft” will only improve from here on.

“Even though the tradecraft is not perfect right now, in terms of their ways of approaching foreigners and preying upon their vulnerabilities, it’s still a fresh market for North Korea,” said Kim.

The RAND Corporation policy analyst made the comments almost two months after the release of a joint advisory from the United States government about the infiltration of North Korean operatives across freelance tech jobs — posing risks of intellectual property, data and funds theft that could be used to violate sanctions.

Former FBI intelligence analyst Nick Carlsen told CNN that DPRK operatives embedded in these firms would not only earn income used to skirt sanctions, but they could also potentially identify vulnerabilities in certain client systems that their hacker comrades could take advantage of.

“Any vulnerability they might identify in a client’s systems would be at grave risk,” explained Carlsen.


In a lengthy Twitter exposé about North Korean hackers, The DeFi Edge noted that these crypto attacks typically target bridges, focus on companies based in Asia and often begin by targeting unsuspecting employees.

The country has been identified as being allegedly behind some of the largest cyberattacks in recent crypto history, including the $620 million hack of Axie Infinity and the $100 million hack of the Harmony protocol.

A report from Coinclub on June 29 estimated there are as many as 7,000 full-time hackers in North Korea working to raise funds through cyberattacks, ransomware and crypto-protocol hacks.