It’s a sobering fact that no one knows exactly the scale of crypto thefts in 2021, or across any timeframe for that matter.
One of crypto’s unique propositions is the absence of central authority, so there is no industry body maintaining a single database of incidents.
Various individual organisations publish estimates, arriving at different figures as to the true scale, as each has their own methodology, but there is a general consensus that over $7bn in value was stolen in 2021, across several hundred incidents.
Though this represents a diminishing percentage of overall crypto activity, our top 10 list of hacks in 2021 means that anything below $100million doesn’t even get a mention.
#1 Thodex - $2bn Turkish Exit Scam
An Exit Scam describes a Founder or Team waiting until a project has built value, then absconding with customer/investor funds.
The consensus is that 2021’s largest single crypto theft took place in Turkey where on April 22nd the 319,000 customers of the Thodex crypto exchange woke up to find that trading had been halted. Days later it emerged that CEO, Fatih Faruk Özer, had absconded with the Private Keys, pulling off a classic Exit Scam.
Despite claiming that the suspension was to enable an investigation into suspicious accounts, it soon became clear that Özer had fled to neighbouring Albanian, taking with him access to an estimated $2billion of crypto.
Among the repercussions of the crypto theft - one of two exchange exit scams in 2021 - was a bill sent to the Turkish Parliament in December, regulating crypto in country where the national currency, the Lira, has seen dramatic volatility, at one point halving in value against the US Dollar.
How to protect against an Exit Scam?
Exit Scams are hard to see coming. Some may be planned, others just a reaction to an imploding business. It is also sensible to establish the credibility of a business via its structure, size of team and professionalism. Look into the background of those behind the project and their credibility, including investors. Monitor social media and forums for signs that a project is becoming unresponsive or slow in processing withdrawals.
#2 Finiko Billion Dollar Russian Ponzi
A specific type of financial scheme named after the Italian con artist, Charles Ponzi, which attracts investors on the basis of unrealistic returns which are funded from newer investors. Ponzi schemes reach a mathematical break point where the number of new deposits required to service existing investors becomes too great and the scheme collapses.
Unless you’re based in Russia or Ukraine you may be unaware of the second biggest crypto scam of 2021. It might take years to understand the true scale of the Finiko Ponzi, but initial estimates suggest around 800,000 deposits, valued in total at around $1.5bn, were made in Bitcoin to the automated profit generation system, promising short-term returns of 30%.
The average loss was the equivalent of $10,000, though again this is hard to calculate. By their nature, those few who get into Ponzi schemes early might make money, but as numbers grow, tempted by unrealistic gains, collapse is inevitable. Finiko emerged back in December 2019 lasting until July 2021 before the Ponzi imploded.
How to protect against a Ponzi Scheme?
If the returns seem too good to be true, then they probably are. Be especially suspicious if there is real detail around how returns are generated, only vague references to things like algorithmic trading.
#3 Poly Network $600mill Reprieve From Mr.White Hat
A Smart Contract is a set of rules, defined in code, that execute specific value-based functions. Commonly used in DEFI (Decentralised Finance) and DAOs (Decentralised Autonomous Organisations). As they are written by humans Smart Contracts can be exploited because code contains errors which produce unintended consequences.
Poly Network made a name by enabling billions of dollars of value to be transferred (bridged) across multiple blockchains, but is now associated with much less welcome fame.
Subscribe To The NGRAVE Blog
Get the latest insights on crypto, security, blockchain, and more.
In August of 2021 a total of $610million of funds were stolen after a hacker exploited a vulnerability in cross-chain smart contracts. A bizarre back-and-forth between Poly and the Hacker on Twitter ensued which eventually resulted in the return of all funds, with Poly christening him ‘Mr. White Hat’ and an unofficial security advisor.
Though the funds were returned, the reputational damage to Poly was huge, as for the time-being at least, they will be stuck with the unwanted title of the largest every single DEFI hack.
#4 Cream Finance Turns Sour With Quartet of Hacks
A Rentrancy attack allows Smart Contract logic to be used against itself in unexpected ways. A Flash Loan is a sophisticated crypto service designed to take advantage of arbitrage opportunities, but without the need for collateral. Though Flash Loans provide the valuable service of improving price efficiency, they enable Flash Loan Attacks, where bad actors find economic opportunity within the increasing complexity and lack of oversight.
There’s a famous saying about learning from being deceived: “Fool me once, shame on you; Fool me twice, shame on me”. It seems that Cream Finance (part of the wider Yearn ecosystem) have created its own special category, given that they suffered a quartet of exploits in 2021 amounting to losses of $215million.
Given Cream is a DEFI protocol, each of the losses resulted from Smart Contract Exploits - including Rentrancy and Flash Loan Attacks - which might suggest that Cream really made no effort to learn from their mistakes.
The truth is that the attacks used fiendishly clever recursive logic, borrowing & redeploying assets multiple times across several DEFI platforms in a matter of seconds, to ultimately exploit the logic of Cream Finance’s governance token.
How to mitigate Smart Contract exploits?
The DEFI ecosystem is evolving at such a fast pace, with increasing complexity, that flaws in logic, like Flash Loan attacks, are considered an occupational hazard of DEFI. You can mitigate the risk by:
Only using audited services
Taking out Smart Contract insurance
Check whether projects have hastily reused code from elsewhere
Taking extra caution with highly volatile coins offering unrealistic APYs
#5 Bitmart Private Keys Hacked For $196million
A Hot Crypto Wallet is one which is online by default. Businesses, like crypto exchanges, employ Hot Wallets in order to service day-to-day withdrawal requests, but being online they are natural targets for hackers. It only takes the Private Keys to be exposed for funds to be drained.
Bitmart may rank outside of the top 100 centralised exchanges by volume, but the theft of Private Keys to two Hot Wallets still allowed $196million to be stolen by hackers in December. $100million came from the Ethereum blockchain and a similar amount from BSC.
The Cayman Islands based operation provided limited information as to how the keys were exposed leading to comparisons with the BXH insider job hack. CEO, Sheldon Xia, promised that all losses would be covered by the exchange.
How to mitigate an exchange Hot Wallet hack?
To protect yourself from losing funds in Hot Wallet hacks don’t keep your funds on exchange. Store the majority of your funds in a Cold Wallet, like the NGRAVE ZERO, and where you need funds for day-to-day activity, ensure you follow security best practice.
#6 Vulcan Forged Plans To Live Long & Prosper Hit By Hack
Play-to-earn emerged as one of the most exciting new sectors of crypto in 2021, and the increasing value building in P-to-E projects inevitably led to a hack. Vulcan Forged saw the Private Keys of 96 of its largest users exploited leading to the loss of $140million in their native PVR token.
Though the loss was covered by Vulcan Forged’s treasury, news that 9% of total PVR supply had been stolen sent price crashing by 34% spreading the pain to all token holders.
How to mitigate hacks of Play-to-Earn platforms?
The advice here is the same as when dealing with Hot Wallets in general. When not directly interacting with a platform keep your funds and NFTs in Cold Storage, and do plenty of due diligence on the provider in advance.
#7 BXH Hacked For $139million From The Inside
The inside job is one of the oldest techniques in financial crime, relying on someone within an organisation allowing criminals to gain entry. In the early days of bricks-and-mortar banks, this might mean stealing keys, or providing a point of access. The same is true with crypto, with insiders either facilitating access to Private Keys or Admin functions.
The obscurely named Decentralised Exchange, Boy X Highspeed, was looted for $139million in November after the admin key to a Binance Smart Chain address was reportedly leaked by a member of staff.
The conclusion was reached by an external security consultancy, which suggested that the other possibility was that the computer on which the key was stored could have been infected via a phishing attack. Either way Boy X Highspeed learned a harsh lesson about crypto crime.
How to mitigate against an Inside Job hack?
The only meaningful way to mitigate an inside job hack is to establish a level of trust and credibility in a service to feel comfortable that their security practices wouldn’t have a single point of failure.
#8 Badger DAO Sett Raided For $120million
Like a chain, a crypto service is only as strong as its weakest link. Third party services can be hacked to either give direct access to code, and enable a direct exploit, or indirect access through marketing services, enabling them to perpetrate a scam by fooling customers.
Phishing Attacks aren’t unique to crypto. They are sophisticated attempts to get inside computer systems by hiding viruses inside documents, links or images sent to unsuspecting staff. Once an internal user has been phished attackers work their way through internal systems to steal Private Keys or inject malicious code.
Badger DAO, a DEFI platform providing ways to earn return on Bitcoin, lost $120million after Cloudflare - a third party solution for security and content delivery - was exposed via a phishing attack, allowing malicious code snippets to be injected into the Badger front end.
The code changed the permissions wallets granted when interacting with the platform, resulting in a huge loss of funds. Losses were concentrated on the largest users as the attackers hit wallets on a top-down basis.
Badger has proposed one of the most progressive restitution schemes, which is complicated by the fact that the majority of its 32,000 users were unaffected, but will be asked to bail out the 10 super-users who took the brunt of the loss.
How to mitigate against Phishing hacks
It is impossible to know how many third party services a crypto service uses, and the level of access given, and it only takes one employee to click a dodgy link to give a hacker access. All you can do is make a judgement on the importance an organisation gives to security, and whether by growing quickly, they might be cutting corners.
#9 Liquid Sees $100million Leak Out In Hack
Liquid Global, a Japanese exchange, lost $100million in a hack in August, which shows that even the most secure systems always have a vulnerability.
The exchange protects its Private Keys using an approach called MPC - Multiparty Computation. This effectively breaks keys into chunks - shards - that are stored at separate locations, none of which have sight of the full key string, which when need are generated collectively.
Given the secure nature of MPC custody the suggestion is that the real damage was done when the service was compromised in November 2020, enabling systems to be circumvented.
How to mitigate an MPC hack
MPC and multi-signature approaches to custody are among the safest, but nothing is ever 100% safe. Humans always introduce an element of fallibility so you either trust a counterparty, or store your funds in a hardware wallet and trust yourself.
#10 Polygon Narrowly Avoids Billion Dollar Disaster
Though the Polygon exploit reported in December doesn’t warrant a mention on the basis of the comparatively small loss, but for the tip-off from a ‘White Hat’ hacker, this could easily have smashed the record for the biggest ever DEFI heist.
A vulnerability in a Polygon Smart Contract put 9 billion MATIC tokens, worth a staggering $20bn, at risk. The loss of $1.4million seems like a birthday present given what could have happened, on top of which $2.2million was paid to Leon Spacewalker, the pseudonym of the good Samaritan that raised the alarm.
The changing nature of crypto risk
One of the reasons why it is so difficult to establish the true scale of crypto crime is the difficulty of reaching a consensus on what constitutes a theft.
By most definitions DEFI accounted for the majority of what were considered exploits in 2021, but the unique nature of the Smart Contracts that power DEFI mean that one man’s hack is another man’s economic opportunity.
This is the continuation of the argument that started with the hack that split the Ethereum community back in 2015.
Given the scale of hacks, precedents are starting to emerge from the way individual platforms - through their DAOs - respond in terms of restitution, asset recovery/blacklisting and the burden that falls on the community in terms of restitution and the impact on the value of governance tokens.
The loss of confidence in a platform, how that manifests in the value of the underlying governance token and the steps taken to try and make good by adjusting tokenomics, all mean that everyone shares the burden, so everyone can be considered the victim.
Judging by the comments coming out of the SEC, the clock is really ticking on how DEFI deals with the issue of Smart Contract exploits.
“Right now, we just don’t have enough investor protection in crypto. Frankly, at this time, it’s more like the Wild West.” SEC Chairman, Gary Gensler, August 2021 in Aspen, Colorado.
“This asset class is rife with fraud, scams, and abuse in certain applications. There’s a great deal of hype and spin about how crypto assets work. In many cases, investors aren’t able to get rigorous, balanced, and complete information. If we don’t address these issues, I worry a lot of people will be hurt.”
The drum beat coming out of the SEC regarding crypto regulation got louder as at the turn of the year they announced the appointment of a special crypto advisor, Corey Frayer, suggesting that 2022 might be the year they act.
The demand for DEFI from both users and investors seems to continue in spite of the scale of Smart Contract vulnerability and it seems unlikely that the industry can self-organise to find a way to deal with the problem that doesn’t dilute the decentralised and permissionless way in which it works. Some kind of regulatory response seems inevitable.