Why multi-million dollar crypto hacks are now normal

One hack follows the next: The US Federal Bureau of Investigation (FBI) recently stated that the Lazarus Group, a team of military computer specialists apparently led by the North Korean government, was responsible for the March 2022 hacking of the cryptocurrency platform Ronin Network.

The attackers are believed to have stolen $620 million in the cryptocurrency ether. That would be a surprising number in almost any context. Yet in the crypto scene’s wild west environment, the Ronin hack is just one of at least eight “megaheists” in the past year, in which hackers have each stolen more than $100 million in cryptocurrency.

“Things are going so fast that people cannot keep up,” says Kim Grauer, research director at blockchain analytics firm Chainalysis, which tracks the hacks. “People are now building into their investment strategy a kind of risk acceptance that they may be hacked and lose everything.”

According to Chainalysis, criminal hackers stole about $3.2 billion in various cryptocurrencies in 2021, six times more than in 2020. There have already been six hacks this year that stole at least $100 million, along with dozens of smaller hacks in which at least $10 million was at stake.

The crypto year 2022 thus got off to a headline-grabbing start of its own. It began when Qubit Finance, a new decentralized finance protocol, lost $80 million to hackers in January. When the anonymous crypto blog “rekt.news” reported on the incident, the author summed up the feeling of powerlessness that accompanies the rapid pace of these big hacks: “Will anyone remember this next week?” That was an appropriate question. Before the end of the same week, $325 million was stolen from the cryptocurrency platform Wormhole as attackers exploited a vulnerability that had not been properly addressed.

Why does it keep happening? In the cryptocurrency industry, companies are formed quickly and security is often neglected. Fraud is widespread, and investors often do not properly analyze the risks associated with many of the new types of investments. “This industry is growing so fast,” says expert Grauer. “There are so many ways for new businesses to get online that people are investing at an unprecedented rate and pouring money into platforms that are not particularly well-structured or managed.” A common investment strategy is to invest in perhaps 50 different new protocols and tokens and hope that “one of them goes to the moon,” she says. “But how do you do proper due diligence on all 50 investments?”

Poorly managed teams that simply use open source software they do not know well are prevalent in the crypto economy (and elsewhere). Hackers know this – and they use it to steal huge sums. In the February hack of Wormhole, a decentralized finance (“DeFi”) platform that aims to “bridge” between blockchains, a hacker struck after a patch to fix a critical vulnerability had not been applied to the main project. The required code appeared late on the public GitHub page. Wormhole’s software was not updated immediately – and the hacker found the problem first. The vulnerability was exploited within hours.

The largest cryptocurrency thefts previously involved coins stolen from centrally stored wallets. This type of crime still amounts to about $500 million a year, according to Chainalysis, but pales in comparison to the amounts stolen from DeFi platforms, which totaled nearly $2.5 billion last year. DeFi systems, which often work with so-called smart contracts, want to be transparent and open source – almost as an ideology. Unfortunately, in practice, that all too often means shaky multimillion-dollar software projects that are figuratively held together with duct tape and chewing gum.

“There are a few reasons why DeFi projects are more vulnerable to hackers,” Grauer explains. “The code is open source. Anyone can go through it and check for errors. It’s a big problem that we’ve seen many times, and it does not happen with centralized crypto exchanges.”

Bug bounty programs, in which companies pay hackers to find and report security vulnerabilities, are one tool in this industry’s defense arsenal. There is also a small industry of crypto audit firms that step in and give a project their stamp of approval. However, a cursory glance at the worst cryptocurrency hacks of all time shows that an audit is not a panacea – and that often neither the auditors nor the projects can be held accountable when attacks occur. Wormhole had been screened by security firm Neodyme a few months before the theft.

Many of these hacks are well organized. North Korea has probably long used hackers to steal money and finance its regime, which is largely cut off from the traditional world economy. Cryptocurrencies in particular are a goldmine for Pyongyang. According to the FBI, the country’s hackers have stolen billions of dollars in recent years. However, most hackers targeting cryptocurrencies do not fund a rogue state. Instead, the already robust cybercrime ecosystem is simply going after weak targets opportunistically.

For the budding cybercrime kings, the more difficult challenge is to launder all the stolen cryptocurrency and turn it into something physically usable – for example, cash or, in the case of North Korea, arguably weapons. This is where law enforcement and intelligence services come in. In recent years, police around the world have invested heavily in blockchain analysis tools to track and in some cases even recover stolen funds.

Proof of this is the recent Ronin hack. Two weeks after the robbery, the crypto wallet with the stolen coins was placed on a US sanctions list because the FBI could link it to North Korea. This makes the loot harder to use, but certainly not impossible.

More from the MIT Technology Review

While new tracking tools have begun to shed light on some of the major cryptocurrency thefts, law enforcement’s ability to recover funds and return them to investors remains limited. This is inherent in the system.

“Money laundering is often more sophisticated than the hacks themselves,” Christopher Janczewski, a former senior IRS case agent specializing in cryptocurrency cases, told the MIT Technology Review. At least for now, the huge risk of losing your money is part of the crypto game.

