Blockchains are safe, yet they have fallen prey to multiple crypto crimes. The total cost of stolen crypto started rising soon after Bitcoin’s launch and is now estimated at $19B. Crypto heists usually accelerate during bull markets.
Read: DeFi protocol founded by ‘Sifu’ hacked for $19.4 million
Crystal Platform’s research shows that the total value of crypto stolen in multiple scams or hacks amounts to $19B. Between 2011 and 2024, the size and value of thefts increased, as did the opportunities to divert coins, tokens, and NFT.
The recent report accounts for 785 incidents, with many smaller heists and personal wallet thefts left unnoticed. Crystal Platform is the most conservative in its estimates regarding crime and loss reports.
Scams and frauds proved the most efficient tools for taking crypto, raking in $8B. Centralized exchange and system hacks accounted for $6B in losses. DeFi, the latest type of hack, accrued $5B in various exploits.
The biggest raw number of attacks happened in 2023 for 286 events. The report has a narrower view of hacks, while the PeckShield count saw more than 600 major events in 2023. Chainalysis has a wider definition of crypto crime, citing more than $24B in exploits just for 2024. Liquidations and trading exploits are also included as malicious usage of crypto technology by some researchers.
There were only 56 attacks in 2024, mostly valuable system hacks. The biggest and most significant hacks usually target BTC and ETH. None have surpassed the Plus Token hack case, which took $2.9B in BTC and ETH.
In the past, hackers could attack projects with significant treasuries. Some heists also involved a human factor, relying on low wallet security. The biggest permanent threat discovered was the Lazarus group of hackers tied to the North Korean regime.
Beyond big hacks, personal scams that target specific wallets are also returning. Malware to extract crypto assets is still deployed, able to target wallets that are logged in and allow transactions.
In 2023, an estimated $3B was lost directly through rug pulls, not counting the notional value wiped out. According to the Hacken report, rug pulls account for 65% of loss events. Those types of attacks coincided with the boom in new token creation.
The most targeted networks in 2023 were Ethereum and Binance Smart Chain. Base, a relatively newer network, saw only six attacks in 2023, with four rug pulls. Scaling blockchains like Polygon, Arbitrum, Optimism and Fantom saw a relatively low number of attacks. While the underlying protocols are sound, the apps they carry can hide risks or perform deliberate rug pulls.
DeFi launches new wave of exploits
Decentralized apps, especially ones dealing with trading and value transfers, are becoming the target for crypto theft. DeFi hacks are more elaborate and use a different skillset. Among the top types of thefts, DeFi protocols are threatened by bridge draining and flash loan liquidity pool draining.
Also read: $16 Million Exploit Hits Curio Ecosystem: 1 Billion CGT Tokens Minted Illegally
So far, the Ronin bridge hack was the biggest in size, taking away more than $600M. Widely used swapping hubs like BNB Bridge and Wormhole have also suffered exploits. All three did not have an audit of the smart contract. Hackers managed to notice a vulnerability and cause bridge withdrawals. Bridges are still key infrastructure in DeFi, where cross-chain trading and movement of tokens still requires manual approval of transactions.
Even bigger projects are not immune, as in the case of Gala Games. The metaverse and gaming project suffered an exploit of its minting contract, which created unauthorized tokens.
To prevent heists, implementing centralized control over token movements is a viable solution. DeFi projects, stablecoins, and other value hubs often decide to implement this control and the ability to block wallet holders.
For that reason, hackers will often swap funds into Ethereum on its mainnet and mix the haul through Tornado Cash or another mixing service. In that case, the project has no resort to freeze the funds. Most attacks happen against unaudited smart contracts, where the project itself has made an error or inefficiency without noticing.
Cryptopolitan reporting by Hristina Vasileva