The 10 Biggest Cryptocurrency Hacks and Exploits of 2023
Over the years, the cryptocurrency industry has been plagued by hacks and protocol exploits.
This trend continued into 2023. However, there is good news: the amount stolen in hacks dropped by more than 50% year-on-year.
According to TRM Labs, the amount of cryptocurrency stolen by hackers this year is estimated at $1.7 billion, less than half of the $4 billion recorded in 2022. Although total losses have decreased, huge sums were still stolen from individual projects.
There have been several serious hacks this year, affecting well-known entities such as Multichain, Euler Finance, Mixin Network, and Atomic Wallet.
Then, in November, three cryptocurrency projects linked to Tron founder Justin Sun (Poloniex, HTX, and Heco Bridge) collectively lost more than $200 million in a series of exploits.
A recurring issue in many of these incidents is private key compromise, which allows criminals to obtain users’ funds. Throughout the year, the North Korean hacker group Lazarus participated in multiple attacks, causing overall losses of more than $300 million.
This article will take an in-depth look at the biggest cryptocurrency heists of the year, examining the projects affected and the factors that led to each attack.
Mixin Network — $200 million
Mixin Network, a Hong Kong-based cryptocurrency project, suffered the largest cryptocurrency exploit of the year.
On September 23, the company had to abruptly shut down operations after hackers stole a staggering $200 million from users’ hot wallets.
Mixin reported: “Cloud service provider’s database hacked.” While the company did not provide further explanation, analysts believe the affected database may have held the private keys to users’ accounts, the secret phrases that unlock their cryptocurrency holdings.
Euler Finance – US$197 million
Few events illustrate the audacity and fragility of DeFi as vividly as the March 2023 exploit of the Euler lending protocol. As a result, $197 million worth of cryptocurrency disappeared in a strange way.
Hackers exploited vulnerabilities in the lending protocol by manipulating the exchange rate between eDAI and dDAI, the stablecoins issued by Euler. By repeatedly calling the “donateToReserves” function with DAI, the hacker was able to increase the eDAI/dDAI ratio.
They used flash loans (a type of loan that is repaid in the same transaction on Ethereum) to disrupt the balance of the liquidity pools holding the two aforementioned tokens. This triggered the liquidation of the borrower’s dDAI position to withdraw funds from the protocol.
But the story doesn’t end there. In a move described as “white hat”, the attacker returned the stolen funds. The victims got almost all of their money back (except for a small bonus from the loot that was transferred back to the team).
Multichain – $125 million
In July, the Multichain cross-chain bridge was said to have suffered an attack that resulted in the loss of up to $125 million in cryptocurrency on the different blockchains it supported. Among them, Fantom took the biggest hit. This happened immediately after the team paused the bridge, stating: “Many problems are caused by unforeseen circumstances.”
The exact cause of the hack is currently unclear as no reports have been released.
According to an explanation from security firm Halborn, the private keys of the smart contracts in the bridge could have been compromised as hackers exploited a bug in the code.
Since Multichain CEO Jun Zhao disappeared before the hack, many feared the team was behind the incident.
Prior to this incident, he was arrested by Chinese authorities, and it was revealed that he had exclusive control over the protocol’s funds, contradicting Multichain’s previous claims about decentralization. The Multichain bridge is no longer active.
Poloniex — $120 million
In November 2023, hackers suspected of belonging to North Korea’s Lazarus group stole a staggering $120 million from Poloniex’s hot wallets, possibly by obtaining private keys.
Subsequently, trading and withdrawal services were immediately suspended. The exchange said it would refund affected users. Poloniex has been operating as a centralized exchange since 2014. Tron founder Justin Sun acquired the exchange in 2019.
Atomic Wallet – $100 million
In June 2023, users of the cryptocurrency wallet application Atomic had their wallets drained. Hackers stole more than $100 million worth of assets from approximately 5,500 users. The main reason behind the incident is unclear as Atomic has yet to provide an explanation.
Many suspect that the exploit may have been caused by a code vulnerability flagged by security analysts at Least Authority a year before the incident. Analysts at SlowMist also noted potential problems.
On-chain analytics company Elliptic, which tracked more than 5,500 wallets targeted by the attack, said the North Korean hacking group Lazarus Group was behind the attack.
In August, a group of victims in Russia filed a class-action lawsuit against the company behind Atomic, saying it failed to protect users’ assets. The company responded months later with a motion to dismiss the U.S. court lawsuit.
Heco Bridge, HTX – $99 million
In November, the main cross-chain bridge on Heco, a blockchain built by the exchange HTX, suffered a major exploit. Criminals took control of the bridge’s main smart contract or operator account, resulting in the theft of over $86 million in various cryptocurrencies.
Preliminary analysis suggests that the intruders manipulated the bridge’s smart contract code and compromised security protocols. This allowed the hackers to create unauthorized tokens (via the bridge contract), exchange them for ETH, and transfer them out of the bridge.
HTX (formerly Huobi) also lost $12 million from its hot wallet. Justin Sun, advisor to HTX and founder of Tron, said that a white hat bounty was offered to the attackers. The offer was apparently accepted, and the platform recovered $8 million (of the $12 million stolen).
Curve – $73 million
In July, disaster struck Curve Finance, one of the largest decentralized exchanges in DeFi. Several liquidity pools on the platform were exploited due to vulnerabilities in the Vyper programming language they use. As a result, hackers stole approximately $73 million in different digital currencies.
The security hole that allowed attackers to withdraw funds lay in the smart contract logic. This method is often called a re-entrancy attack, in which the attacker manipulates the smart contract into paying out funds repeatedly in rapid succession.
A malfunctioning re-entrancy guard in Vyper contributed to the attack. Projects built on Curve pools (such as JPEG’d, Metronome, and Alchemix) were affected.
The Curve team quickly fixed the vulnerability and ultimately recovered approximately $50 million (70% of the stolen funds), alleviating the concerns of many users and stakeholders. Recovered funds were either returned directly by ethical hackers or retrieved with the help of MEV bot operators such as c0ffeebabe.eth.
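Why a malfunctioning re-entrancy guard matters can be shown with a toy Python model, added here as an example and not taken from Curve or Vyper code. It assumes, beyond what the article states, that the broken guard checks a separate lock per function instead of one lock shared by every entry point; the account names and amounts are constructed.

```python
class Reentered(Exception):
    """A guarded function was entered while its lock was already held."""

class Pool:
    def __init__(self, shared_lock):
        self.shared_lock = shared_lock  # True: one lock covers every guarded function
        self.held, self.balances, self.reserves = set(), {}, 0

    def _guarded(self, name, body):
        # Broken variant (shared_lock=False): each function checks only its own lock.
        key = "pool" if self.shared_lock else name
        if key in self.held:
            raise Reentered(name)
        self.held.add(key)
        try:
            return body()
        finally:
            self.held.discard(key)

    def deposit(self, user, amount):
        def body():
            self.balances[user] = self.balances.get(user, 0) + amount
            self.reserves += amount
        self._guarded("deposit", body)

    def transfer(self, src, dst, amount):
        def body():
            if self.balances.get(src, 0) < amount:
                raise ValueError("insufficient balance")
            self.balances[src] -= amount
            self.balances[dst] = self.balances.get(dst, 0) + amount
        self._guarded("transfer", body)

    def withdraw(self, user, on_receive):
        def body():
            amount = self.balances.get(user, 0)
            on_receive(amount)           # payout hands control to the recipient...
            self.reserves -= amount      # ...before the pool's books are updated
            self.balances[user] = 0
        self._guarded("withdraw", body)

def audit(shared_lock):
    """Return (re-entry blocked?, total user claims, reserves) after one withdraw."""
    pool = Pool(shared_lock)
    pool.deposit("lp", 100)              # constructed sample accounts
    pool.deposit("caller", 10)
    try:
        # Recipient callback re-enters a *different* guarded function mid-withdraw.
        pool.withdraw("caller", lambda amt: pool.transfer("caller", "other", amt))
        blocked = False
    except Reentered:
        blocked = True
    return blocked, sum(pool.balances.values()), pool.reserves
```

With the per-function lock the pool ends up owing more than it holds; with the shared lock the nested call is rejected and claims still equal reserves. Updating balances before making the external call closes the same gap without relying on the guard.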
CoinEx – $55 million
In September, Hong Kong-based centralized exchange CoinEx reported a major hack. Hackers broke into the exchange’s hot wallet used for instant trading and stole more than $55 million in various tokens.
North Korea’s Lazarus Group is suspected of being involved in this incident. Investigators have determined a link between the CoinEx hack and another theft from gambling platform Stake.com, which the FBI says is linked to the Lazarus hacking group. Analysis shows that the wallet address that received the stolen funds from Stake.com had direct interactions with the CoinEx hacker’s wallet.
KyberSwap — $54 million
Decentralized exchange (DEX) aggregator KyberSwap’s Elastic platform was attacked, resulting in the loss of approximately $54 million in cryptocurrency.
The November 22 exploit stemmed from a vulnerability in the tick interval boundaries of Kyber’s concentrated liquidity pools, which allowed perpetrators to artificially double liquidity and drain the pools.
To negotiate, Kyber offered the hackers a 10% white hat bounty to recover the funds. However, the hacker seemed uninterested in accepting the bounty and made other demands in a strange on-chain message, including a demand for full control of the project.
The team recovered $4.7 million in funds drained by third-party MEV bots.
Stake.com — $41 million
Cryptocurrency-based betting platform Stake.com has fallen victim to an attack that exploited its wallet private keys. On September 4, 2023, an estimated $41 million worth of cryptocurrency was stolen from the platform.
An FBI report attributed the attack to Lazarus, based on its analysis of addresses on the Ethereum, BNB Chain, and Polygon networks that received stolen funds from Stake.com.
Mingying
According to “Block”