Why Multimillion-Dollar Crypto Hacks Are Now Normal

One hack after another: The US federal police agency FBI recently said that the Lazarus Group, a team of military computer scientists apparently run by the North Korean government, was responsible for hacking the Ronin Network cryptocurrency platform in March 2022.

Attackers allegedly stole $620 million in cryptocurrency ether. That would be a surprising number in almost any context. Yet in the far west environment of the crypto scene, the Ronin hack is just one of at least eight “megaheists” in the last year, in which hackers each stole over $100 million. dollars in cryptocurrency.

“Things are moving so fast that people can’t keep up,” said Kim Grauer, research director at blockchain analytics firm Chainalysis, which tracks hacks. “People are now building into their investment strategy a kind of acceptance of the risk that they could be hacked and lose everything.”

According to Chainalysis, hackers stole around $3.2 billion in the various cryptocurrencies in 2021, six times more than in 2020. There have already been six hacks this year, stealing at least $100 million – and dozens of smaller hacks, where at least 10 million was at stake.

The crypto year 2022 is thus getting its own headline-grabbing start. It all started when Qubit Finance, a new decentralized finance protocol, lost $80 million to hackers in January. When the anonymous crypto blog “rekt.news” reported on the incident, the author summed up the feeling of helplessness that accompanies the rapid pace of these major hacks: “Will anyone remember next week ?” It was an appropriate question. Before the end of the same week, $325 million worth of cryptocurrency platform Wormhole was stolen when attackers exploited an improperly patched vulnerability.

Why does this keep happening? In the cryptocurrency industry, companies form quickly and security is often overlooked. Scams are commonplace and investors often do not really analyze the risk involved in a variety of new types of investments. “This industry is growing so rapidly,” says expert Grauer. “There are so many ways for new businesses to connect that people are investing at an unprecedented rate and pouring money into platforms that aren’t particularly well structured or managed.” It’s a common investment strategy to invest in maybe 50 different new protocols and tokens and hope that “one of them will go to the moon,” she says. “But how are you supposed to do proper due diligence on the 50 investments?”

Poorly managed teams that simply use open source software they are unfamiliar with are rampant in the crypto economy (and elsewhere). Hackers know this – and they use it to steal huge sums of money. In February’s hack of Wormhole, a decentralized financial (“DeFi”) platform that aims to “bridge” between blockchains, a hacker took action after a patch to fix a critical vulnerability failed. been applied to the main project. The necessary code appeared late on the public GitHub page. Wormhole’s software was not updated immediately – and the hacker found the problem first. The vulnerability was exploited within hours.

The biggest crypto thefts involved coins stolen from centrally stored wallets. This type of crime still amounts to around $500 million per year according to Chainalysis, but pales in comparison to the amounts stolen from DeFi platforms, which totaled nearly $2.5 billion last year. DeFi systems, which often work with so-called smart contracts, want to be transparent and open source – almost like an ideology. Unfortunately, in practice, that all too often means rickety multimillion-dollar software projects that are figuratively held together with tape and chewing gum.

“There are several reasons why DeFi projects are more vulnerable to hackers,” says Grauer. “The code is open source. Anyone can walk through it and check for errors. This is a big problem that we’ve seen many times that doesn’t happen with centralized crypto exchanges.”

Bug bounty programs, in which companies pay hackers to find and report security vulnerabilities, are a tool in this industry’s defense arsenal. There is also a small industry of crypto audit firms that step in and give a stamp of approval to a project. However, a quick review of the worst crypto hacks of all time shows that an audit is no panacea – and often neither auditors nor projects can be held accountable when attacks do occur. Wormhole had been checked by the security firm Neodyme just months before the theft.

Many of these hacks are well organized. North Korea has arguably long used hackers to steal money and fund its regime, which is largely cut off from the mainstream global economy. Cryptocurrencies in particular are a gold mine for Pyongyang. Hackers in the country have stolen billions of dollars in recent years, according to the FBI. However, most hackers targeting cryptocurrencies are not funding a rogue state. Instead, the already robust cybercriminal ecosystem simply targets weak opportunistic targets.

For budding cybercrime kingpins, the toughest challenge then is to successfully launder all the stolen cryptocurrency and turn it into something physically usable – say, cash or, in the case of Korea from the North, probably firearms. This is where law enforcement and intelligence services come in. In recent years, law enforcement around the world has invested heavily in blockchain scanning tools to track and, in some cases, even recover stolen funds.

Proof of this is the recent Ronin hack. Two weeks after the theft, the crypto wallet containing the stolen coins was placed on a US sanctions list because the FBI could link it to North Korea. This makes loot harder to use, but certainly not impossible.

More from MIT Technology Review

More from MIT Technology Review

More from MIT Technology Review

More from MIT Technology Review

While new tracing tools have begun to shed light on some of the major crypto hacks, the ability of law enforcement to recover funds and return them to investors remains limited. This is inherent in the system.

“Money laundering is often more sophisticated than the hacks themselves,” Christopher Janczewski, a former senior IRS agent who specializes in cryptocurrency cases, told MIT Technology Review. At least for now, the huge risk of losing your money is still part of the crypto game.


To the home page

Leave a Comment