The cryptocurrency industry has continued to face problems due to hacking and protocol abuse over the years.
This trend continued into 2023, but there was good news: the amount stolen through hacks decreased by more than 50% compared to the previous year.
According to TRM Institute, the amount of cryptocurrency stolen by hackers this year was estimated at $1.7 billion, less than half of the $4 billion recorded in 2022. Even though overall losses have decreased, a lot of money has still been stolen from individual projects.
This year has seen several high-profile hacking incidents affecting major companies such as Multichain, Euler Finance, Mixin Network, and Atomic Wallet.
Then in November, three cryptocurrency projects linked to Tron founder Justin Sun – Poloniex, HTX and Heco Bridge – suffered a total loss of more than $200 million in a series of attacks.
A recurring issue in many of these incidents involves the misuse of private keys, allowing perpetrators to access user funds. The North Korean hacking group Lazarus was involved in several attacks during the year, resulting in a total loss of over $300 million.
In this article, we investigate the largest cryptocurrency thefts of the year, examining the projects affected and the factors that contributed to each attack.
Mixin Network — $200 million
Hong Kong-based cryptocurrency project Mixin Network suffered the largest cryptocurrency attack of the year.
On September 23, the company was forced to abruptly halt operations after hackers looted a whopping $200 million from users’ hot wallets.
Mixin reported that “A cloud service provider’s database has been attacked by hackers.” The company did not provide further explanation, but analysts believe the affected databases may have held the private keys of user accounts, i.e. the secret phrases that unlock their cryptocurrency holdings.
Euler Finance – $197 million
Few events have captured the boldness and vulnerability of DeFi as vividly as the March 2023 exploit against lending protocol Euler. At that time, $197 million worth of cryptocurrency disappeared through a strange sleight of hand.
The culprit? A hacker who exploited a vulnerability in the lending protocol by manipulating the exchange rate between eDAI, a stablecoin issued by Euler, and dDAI. The attacker was able to inflate the eDAI/dDAI ratio by repeatedly calling the “donateToReserves” function using DAI.
They utilized flash loans, a type of loan that is repaid within the same Ethereum transaction, to disrupt the balance of the liquidity pool holding the two tokens. This led to the liquidation of dDAI-denominated borrower positions to take funds out of the protocol.
But the story doesn’t end there. In a twist, the attackers later returned the stolen funds in what was called a “white hat” move. Almost all of the loot, apart from a small bounty, flowed back to the team to provide relief to the victims.
Multichain — $125 million
In July, $125 million in cryptocurrency was taken from various blockchains supported by Multichain, a cross-chain bridge, with Fantom reportedly accounting for the largest amount of funds. This happened shortly after the team halted the bridge, stating: “Unforeseen circumstances have created a number of challenges.”
The exact cause of the hack is still unclear as no definitive after-action report has been released yet.
One possible explanation, offered by security firm Halborn, is that the private keys of the bridge’s smart contracts were compromised by hackers exploiting a bug in the code.
The disappearance of Multichain CEO Zhaojun just before the hack also raised concerns that the team itself may be responsible for the incident.
Prior to the event, he was arrested by Chinese authorities and found to have exclusive control over protocol funds, contrary to Multichain’s initial claims of decentralization. The Multichain bridge is no longer functional.
Poloniex – $120 million
In November 2023, suspected North Korean Lazarus Group hackers accessed private keys and stole a whopping $120 million from Poloniex’s hot wallet.
The immediate results were predictable: transactions and withdrawals were halted. The exchange said it would compensate affected users. Poloniex has operated as a centralized exchange since 2014. Tron founder Justin Sun acquired the exchange in 2019.
Atomic Wallet — $100 million
In June 2023, user wallet accounts on cryptocurrency wallet app Atomic were emptied. Hackers stole $100 million worth of assets from approximately 5,500 users. The primary cause of the incident remains unclear, as Atomic has not yet provided an explanation.
The exploit is suspected to have been caused by a code vulnerability pointed out by security analysts at Least Authority a year before the incident. SlowMist analysts also identified a potential problem.
Elliptic, an on-chain analytics company that tracked more than 5,500 targeted wallets, said North Korean hacking group Lazarus Group was behind the attack.
Last August, a group of victims in Russia filed a class action lawsuit against the company behind Atomic, accusing it of failing to protect user assets. A few months later, the company responded with a motion to dismiss the lawsuit in U.S. court.
Heco Bridge, HTX – $99 million
In November, a large-scale exploit was witnessed on the main cross-chain bridge of Heco, a blockchain set up by the HTX exchange. The perpetrators gained control of the bridge’s key smart contracts or operator accounts, resulting in the theft of over $86 million in various cryptocurrencies.
Initial analysis suggests that the intruder manipulated the bridge’s smart contract code and bypassed its security protocols. This manipulation allowed the hacker to issue unauthorized tokens (via the bridge contract), which were exchanged for ether and then sent out of the bridge.
HTX (formerly Huobi) also suffered a loss of $12 million from hot wallets. HTX advisor and Tron founder Justin Sun revealed that a white hat bounty reward was offered to the attackers. The offer appeared to be accepted and the platform recovered $8 million (of the $12 million stolen).
Curve — $73 million
In July, there was an attack on Curve Finance, one of the largest DeFi decentralized exchanges. Due to a vulnerability in the Vyper programming language used, several liquidity pools on the platform were exploited, allowing hackers to steal approximately $73 million in various crypto assets.
The security flaw allowed attackers to exploit smart contract logic to maliciously exfiltrate funds. This involved a re-entrancy attack where hackers manipulated a smart contract to withdraw funds in rapid succession.
A malfunctioning re-entrancy guard within Vyper facilitated this attack. Projects built on Curve’s factory pool were affected, including JPEG, Metronome, and Alchemix.
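The guard failure described above can be modelled in a few lines as a regression check. This is an added example, not code from Curve or Vyper: the `Pool` class, its methods and the sample balances are hypothetical, and it assumes, as a simplification, that a faulty guard keeps a separate lock per function while a correct one shares a single lock across all guarded functions.

```python
class ReentrancyError(Exception):
    """A guarded function was entered while the lock was already held."""

class Pool:  # hypothetical toy pool, not Curve's contract
    def __init__(self, shared_lock):
        self.shared_lock = shared_lock  # True: one lock covers every guarded function
        self.held, self.balances, self.reserve = set(), {}, 0

    def _guard(self, fn_name):
        key = "pool" if self.shared_lock else fn_name  # assumption: faulty guard locks per function
        if key in self.held:
            raise ReentrancyError(fn_name)
        self.held.add(key)
        return key

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def transfer(self, src, dst):
        key = self._guard("transfer")
        self.balances[dst] = self.balances.get(dst, 0) + self.balances.get(src, 0)
        self.balances[src] = 0
        self.held.discard(key)

    def withdraw(self, who, on_receive):
        key = self._guard("withdraw")
        snapshot = (dict(self.balances), self.reserve)
        try:
            amount = self.balances.get(who, 0)
            self.reserve -= amount
            on_receive(amount)  # external call made before the balance is cleared
            self.balances[who] = 0
        except ReentrancyError:
            self.balances, self.reserve = snapshot  # model the transaction reverting
            raise
        finally:
            self.held.discard(key)

def audit(shared_lock):  # returns (re-entry blocked?, pool still solvent?)
    pool = Pool(shared_lock)
    pool.deposit("a", 100)       # constructed sample balances
    pool.deposit("honest", 50)
    try:
        pool.withdraw("a", lambda amount: pool.transfer("a", "b"))
        blocked = False
    except ReentrancyError:
        blocked = True
    return blocked, sum(pool.balances.values()) <= pool.reserve
```

With per-function locks the callback reaches `transfer` while `withdraw` is still running and recorded balances end up exceeding the reserve; with a shared lock the nested call is rejected and the pool's state is unchanged.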
The Curve team quickly patched the vulnerability and eventually recovered approximately $50 million (70% of the stolen funds), alleviating the concerns of many users and stakeholders. The recovered funds were either returned directly by the ethical hackers involved or stored with the help of MEV bot operators such as c0ffeebabe.eth.
CoinEx — $55 million
Last September, CoinEx, a centralized cryptocurrency exchange based in Hong Kong, reported a large-scale hacking incident. Hackers stole more than $55 million in various cryptocurrencies by infiltrating the exchange’s hot wallets designed for instant trading.
Suspicions were raised again that the North Korean group ‘Lazarus’ was involved in this incident. Investigators have identified a link between the CoinEx hack and the separate theft from betting platform Stake.com, which the Federal Bureau of Investigation said was linked to the Lazarus hacking group. Analysis revealed that the wallet address that received the stolen funds from Stake.com had direct interaction with the CoinEx hackers’ wallet.
KyberSwap — $54 million
Decentralized exchange (DEX) aggregator KyberSwap lost approximately $54 million in cryptocurrency through an attack on its Elastic platform.
The November 22 attack stemmed from a vulnerability in the tick interval boundary of Kyber’s concentrated liquidity pool, which allowed perpetrators to artificially double liquidity and deplete its value.
In an attempt to negotiate, Kyber offered the hackers a 10% white hat bounty in exchange for returning the funds. However, the hacker was not interested in collecting the bounty and made other demands through bizarre on-chain messages, including asking the team for complete control over the project.
The team separately recovered $4.7 million in funds stolen by third-party MEV bots.
Stake.com — $41 million
Cryptocurrency-based betting platform Stake.com suffered damage due to misuse of wallet private keys. On September 4, 2023, approximately $41 million worth of cryptocurrency was stolen from the platform.
The FBI attributed the attack to Lazarus following a report analyzing addresses that received stolen funds from Stake.com on Ethereum, the BNB chain, and the Polygon network.
© 2023 The Block. All rights reserved. This article is provided for informational purposes only. It is not provided or intended to be used as legal, tax, investment, financial or other advice.