The first cryptocurrency, Bitcoin (BTC), was developed in 2009 as a way for individuals to send money over the internet, providing them with an alternative payment system that operates outside the control of traditional finance and banks. This concept turned out to be very alluring to a large number of developers, who in the past 13 years have released thousands of different cryptoassets. While crypto was supposed to be used in peer-to-peer (P2P) transactions, a number of platforms were developed to facilitate the trading of these various assets, which eventually drew the attention of malicious actors looking to make a quick buck through scams, exploits, and hacks.
The popularity of the asset class exploded around 2017, when the price of BTC jumped from below $1,000 in January to almost $18,000 in December, drawing the attention of the general public who were eager to make good investments and increase their wealth. The sudden price increase also drew the attention of malicious actors, who in the beginning primarily targeted centralized exchanges and used scam projects to drain funds from investors. With the rise of crypto crime, exchanges were forced to prioritize the security of their platforms, but this only stimulated hackers to evolve and find new targets for their schemes.
One of these targets was decentralized finance (DeFi), which exploded in popularity in 2020 with the launch of Compound Finance’s “yield farming” program. Data from blockchain analytics firm Chainalysis shows that crypto exchanges were the main target of attacks up until 2020, but then the focus was switched to DeFi, and in 2022 around 90% of all attacks targeted DeFi protocols and platforms.
The biggest year for crypto crimes so far is 2021 — with hackers having stolen close to $3.2 billion — but 2022 is on the verge of breaking that record with two months left until the end of the year and $3 billion already stolen. Now that October has ended — which became the largest month for crypto crime even before reaching its halfway point — we have decided to take a look at the top hacks and exploits that took place in 2022.
The largest crypto hack of 2022 happened back in March, when an attacker was able to steal 173,600 Ether (ETH) and 25.5 million USDC — with a combined value of $625 million at the time — from the Ronin Network, which supported the popular Axie Infinity blockchain gaming platform. The individual used hacked private keys in order to forge fake withdrawals, draining the funds from the Ronin bridge in just two transactions.
While the Ronin sidechain had nine validators — requiring five signatures for withdrawals — meant to protect against these types of attacks, the attacker managed to gain control over five private keys, consisting of Sky Mavis’ four Ronin validators and a third-party validator run by Axie’s DAO. He was able to achieve this through a backdoor in Ronin’s gas-free RPC node, which he abused to get the signatures.
Back in February, the Wormhole token bridge — which allows users to send and receive tokens between Ethereum, Solana, BNB Chain, Polygon, Avalanche, Oasis, and Terra — lost around 120,000 Wrapped Ether (WETH) tokens, which at the time were worth roughly $325 million. The hacker was able to bypass the cross-chain bridge’s verification and fraudulently mint WETH tokens, and then redeemed roughly 94,000 of those tokens for ETH on the Ethereum network, and swapped the rest for other altcoins on Solana.
The Wormhole team quickly offered a $10 million bug bounty for the return of the funds, but their pleas were left unanswered. In order to avoid significant inflation, which would have degraded user confidence in the bridge, Wormhole’s parent company Jump Crypto decided to replenish the missing 120,000 ETH.
Another cross-chain bridge that fell victim to a security exploit was Nomad, which back in August had almost all of its funds (over $190 million) drained from the platform. Unlike other exploits, the Nomad bridge incident was not conducted by a single entity or group, but involved hundreds of addresses.
The first suspicious transaction — which is considered the genesis of the exploit — took place at 9:32 P.M. UTC on 1 August, when around 100 Wrapped BTC (WBTC) were removed from the platform. This was then followed by a free-for-all, as hundreds of transactions systematically drained all digital assets from the platform. Researchers noted there was a fatal flaw within the Replica contract on the bridge, which allowed numerous individuals to simply find a transaction that worked, replace the other person’s address with their own, and then re-broadcast it.
Ethereum-based stablecoin protocol Beanstalk Farms lost all of its $182 million total value locked (TVL) on 17 April after an exploit in the protocol’s governance system was discovered. Blockchain security firm PeckShield noted that the attacker was able to use a flash loan to accumulate a large amount of Beanstalk’s native governance token, STALK, which he then used to propose and pass his own proposals (BIP-18 and BIP-19), asking the protocol to donate funds to Ukraine.
Overall, the attacker was able to get away with roughly $80 million in various crypto assets, which caused the BEAN stablecoin to collapse from its $1 peg, wiping the protocol’s $182 million TVL. The stolen funds were then laundered through Tornado Cash to obfuscate their origin. The attacker did, however, send 250,000 USDC to the Ukraine Crypto Donation wallet before he disappeared.
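Governance that weighs votes by the balance held at the moment of voting is what lets borrowed stake count. The following is an added example, not Beanstalk's code or a fix the article describes: it compares live-balance voting with a common mitigation, reading voting power from a checkpoint taken before the proposal existed, using constructed holders and amounts.

```python
import bisect

class CheckpointedStake:
    """Governance stake ledger that keeps each holder's end-of-block balance."""

    def __init__(self):
        self.block = 0
        self._hist = {}  # holder -> ([block numbers], [balances])

    def set_balance(self, holder, amount):
        blocks, balances = self._hist.setdefault(holder, ([], []))
        if blocks and blocks[-1] == self.block:
            balances[-1] = amount  # same block: only the final value survives
        else:
            blocks.append(self.block)
            balances.append(amount)

    def balance_at(self, holder, block):
        blocks, balances = self._hist.get(holder, ([], []))
        i = bisect.bisect_right(blocks, block)
        return balances[i - 1] if i else 0

def vote_share(ledger, voter, holders, snapshot_block=None):
    """Voter's fraction of total voting power, live or as of snapshot_block."""
    at = ledger.block if snapshot_block is None else snapshot_block
    total = sum(ledger.balance_at(h, at) for h in holders)
    return ledger.balance_at(voter, at) / total if total else 0.0

def simulate():
    """Constructed scenario: stake acquired and returned inside one block."""
    ledger, holders = CheckpointedStake(), ["alice", "bob", "borrower"]
    ledger.block = 1
    ledger.set_balance("alice", 60)
    ledger.set_balance("bob", 40)
    ledger.block = 10                     # proposal is created here
    snapshot = ledger.block - 1           # voting power is fixed one block earlier
    ledger.block = 11                     # the vote is cast in this block
    ledger.set_balance("borrower", 900)   # stake bought with borrowed funds
    live = vote_share(ledger, "borrower", holders)
    snap = vote_share(ledger, "borrower", holders, snapshot)
    ledger.set_balance("borrower", 0)     # loan repaid before the block ends
    after = ledger.balance_at("borrower", 11)
    return live, snap, after

if __name__ == "__main__":
    print(simulate())
```

With live balances the borrower holds 90% of the vote for the duration of the transaction; with the snapshot the same stake carries no weight, and the end-of-block checkpoint records nothing for it either.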
Prominent United Kingdom-based crypto market maker Wintermute lost around $162 million after its DeFi operations were hacked in September, though its centralized finance and over-the-counter operations were not affected. Blockchain security firm CertiK noted the hack was not due to a smart contract vulnerability, but that a vulnerable private key was used to attack the platform, and speculated that it was either leaked or brute-forced. CertiK also suggested that a vulnerability in the popular Profanity vanity address generator was the most likely cause of the hack.
What made the incident worse was the fact that the market maker had a $200 million outstanding DeFi debt to several platforms, the largest of which was a $92 million Tether (USDT) loan issued by TrueFi. Wintermute, however, was able to repay its TrueFi loan on 14 October, only one day before it was due to mature.
Solana-based DeFi platform Mango Markets was exploited for roughly $114 million on 11 October when an attacker manipulated price oracle data, which allowed him to take out large under-collateralized crypto loans. The individual had deposited $5 million in USDC on the platform that he used to open an outsized long position in MNGO-PERP. The price of MNGO then increased substantially, inflating his account’s collateral value, which he then used to take massive debt positions on the Mango borrowing and lending platform.
The individual later made a governance proposal, requesting that Mango use its remaining funds to repay bad debt within the protocol, but that was shot down by the community. A counteroffer was then put to the vote, proposing that the exploiter return $67 million of the stolen tokens, and keep the remaining $47 million as a bug bounty. While the event is considered more a market manipulation than a hack or exploit, we still decided to include it as it resulted in a substantial loss for the platform.
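How much borrowing power a lending engine grants depends directly on the price it uses to value open positions. The following is an added example, not Mango Markets code or its actual remediation: it values the same account with the latest oracle price and with a price clamped to a band around recent observations. The position size, price series, collateral factor and band width are constructed; only the $5 million deposit comes from the article.

```python
from fractions import Fraction as F

def equity(deposit, perp_size, entry_price, valuation_price):
    """Account equity: cash deposit plus unrealized PnL on a long perp."""
    return deposit + perp_size * (valuation_price - entry_price)

def banded_price(observations, max_move=F(1, 10)):
    """Latest price, clamped to +/- max_move around the mean of earlier ones."""
    *earlier, latest = observations
    reference = sum(earlier) / len(earlier)
    low, high = reference * (1 - max_move), reference * (1 + max_move)
    return min(max(latest, low), high)

def borrow_limit(account_equity, collateral_factor=F(4, 5)):
    """Maximum debt the engine will extend against the given equity."""
    return max(account_equity, 0) * collateral_factor

DEPOSIT = 5_000_000                          # USDC deposit, from the article
PERP_SIZE = 100_000_000                      # constructed long position size
PRICES = [F(4, 100)] * 4 + [F(40, 100)]      # constructed oracle readings

def compare_limits():
    """Borrow limit valued at the raw latest price vs. the banded price."""
    entry = PRICES[0]
    raw = borrow_limit(equity(DEPOSIT, PERP_SIZE, entry, PRICES[-1]))
    banded = borrow_limit(
        equity(DEPOSIT, PERP_SIZE, entry, banded_price(PRICES)))
    return raw, banded

if __name__ == "__main__":
    raw, banded = compare_limits()
    print(f"raw oracle price:   borrow limit ${int(raw):,}")
    print(f"banded price:       borrow limit ${int(banded):,}")
```

The band does not stop the price from moving; it limits how much of a sudden move is recognised as collateral before the market has had time to confirm it.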
The blockchain created by popular cryptocurrency exchange Binance, BNB Chain, suffered from an exploit of its cross-chain bridge at the start of October, which saw extra BNB tokens being minted on the network. While the initial estimate of the exploit was close to $600 million, a BNB Chain developer revealed on Reddit that the attacker had drained somewhere between $100 million and $110 million. The individual further explained that the exploit was perpetrated on the BSC Token Hub, a bridge between the BNB Beacon Chain and the BNB Chain. The exploit was the result of a bug in the bridge’s smart contract that allowed hackers to forge transactions and send money back to their crypto wallets.