
Cryptocurrency Crime Statistics: A Visual Guide

Ever since the pseudonymous Satoshi Nakamoto set out the case for a decentralized, trustless blockchain where everyone held their own account and transactions were verified by anyone who wanted to take part, millions of people have embraced Bitcoin and other cryptocurrencies built on the concept.

However, a truly decentralized financial system remains elusive as long as blockchain-based platforms are vulnerable to exploits. Crypto heists have become an all too familiar occurrence in the fast-paced world of digital assets, where anonymity and decentralization can be both a blessing and a curse. Just recently DeFi platform Euler Finance was drained of nearly $200M in assets.

While not the biggest heist in history, the Euler hack once again reminds us that blockchains remain vulnerable to cybercrime. Moreover, thanks to the integrations that let DeFi protocols plug into one another (so-called Money Legos), the contagion spread quickly to additional platforms.

As the community picks up the pieces from this latest attack, it’s worth taking a step back to examine the history of crypto heists, from the infamous Mt. Gox scandal to more recent DeFi exploits. Let’s delve into the dark side of the crypto world.

Not yet mainstream, but not completely fringe either

The proliferation of blockchain-based assets continues to grow. While the tumultuous events of 2022 have hampered interest, adoption rates remain higher than in the past. Global adoption of cryptocurrency is estimated to have reached approximately 4% of the world's population in 2022, roughly 400 million people.

According to Chainalysis, growth is particularly high across emerging market regions such as the Middle East and North Africa (MENA) and Latin America (LatAm). However, countries like Vietnam, the Philippines, and Ukraine still top the charts. In general, regions plagued by rampant inflation, monetary mismanagement, and mistrust of government agencies or regimes show a higher-than-average adoption rate.

Crypto-crime continues its upward spiral

According to Chainalysis’s latest crypto-crime report, illicit cryptocurrency volumes reached an all-time high in 2022, despite the market pullback.

History of Major Crypto Thefts/Heists

There has been a consistent increase in the number of heists and thefts over the years. Hacking has become a lucrative business, where experienced hackers seek out the best return on investment. Recent hacks indicate that hackers are becoming increasingly savvy in both their targeting and their tactics. Moreover, history has shown that it is difficult to completely protect a blockchain-based platform. The only approach that has been shown to completely secure digital assets is storing them offline in a ‘truly’ cold vault – one that never connects to the internet.

Tracking crypto crime over time reveals that as the rate of heists has grown exponentially, so too has the sum of assets stolen. A big jump occurred between 2020 and 2021, and to a lesser extent between 2021 and 2022.

An examination of the largest crypto heists over time

According to data from Comparitech, there have been nearly 600 crypto heists to date, which have siphoned off almost $10B in assets; at current market valuations, that is nearly $50B.

In 40+ of those 600 heists, cybercriminals made off with over $50M each; together these account for 80% of all assets stolen.

The Ronin Bridge heist in 2022 was the biggest: hackers gained control of the network’s validator keys and stole over $620M in assets. The Poly Network heist in 2021, which looted nearly $610M in assets, comes in second.

Exchanges, DeFi protocols, and bridges are the most vulnerable

Cybercriminals are increasingly targeting points of centralization in cryptocurrency’s decentralized world. Like any business, hackers are looking to maximize their return on investment, so points of centralization make for better targets.

Of all the large heists, exchanges and DeFi protocols have been targeted most and lost the most assets (approximately 35% each of the $10B worth of assets stolen). Bridges come in third, with 15% of the assets stolen.

That said, this has changed over time. The popularity (or perhaps vulnerability is a better word) of exchanges as targets has declined over the years. Prior to 2021, the majority of large heists occurred at exchanges; this went down to 30% in 2021 and then 18% in 2022. DeFi, on the other hand, was most vulnerable in 2021, with over 58% of the stolen asset value drained from DeFi protocols. This percentage went down in 2022. Bridges became vulnerable in 2022; we have yet to see how they fare in 2023.

Cybercriminals are targeting points of centralization because these targets manage large volumes of digital assets, making the possible ROI of an attack particularly attractive.

62% of the assets are stolen via private key compromise

An examination of the biggest heists of the last decade makes clear that one of the most common inroads for hackers to steal large amounts of crypto is a private key compromise. Whether the private key belongs to a hot wallet, a cold vault, or an admin or API account doesn’t matter. All are fair game, and … all are vulnerable.

In fact, any internet-connected device, even if connected for a short period of time, is vulnerable.

This is why securing the private key is of such importance. In a cryptocurrency transaction, the private key is used to sign all transactions, providing mathematical proof of ownership. In other words, the private key enables control and access to digital assets. As a result, it is paramount for institutions to take steps to protect their private keys and keep them safe from unauthorized access.

In second place are smart contract exploits – wherein hackers are able to trick a smart contract or exploit the code to their advantage. Smart contract exploits have taken off in the past couple of years, as smart contracts (and DeFi) are increasingly adopted.

The analysis indicates that:

  • Hackers are always two steps ahead – the speed and ingenuity of attackers consistently push the boundaries of what defenders know.
  • There is a lack of security awareness and an “it won’t happen to me” mindset – until it does.
  • There is a lack of truly cold solutions and of proper private key hygiene.

History has taught us time and again that the only way to truly secure digital assets is by safeguarding the majority of assets in a ‘truly cold vault’ – one which does not require internet connectivity to create, sign or send transactions. Only then is your private key truly secure.

When paired with an MPC wallet, the institution can benefit from maximum security together with the flexibility required to enjoy market upsides.


Legal Disclosure: This document, and the information contained herein, has been provided to you by Galaxy Digital Holdings LP and its affiliates including GK8 (“Galaxy Digital”) solely for informational purposes. This document may not be reproduced or redistributed in whole or in part, in any format, without the express written approval of Galaxy Digital. Neither the information, nor any opinion contained in this document, constitutes an offer to buy or sell, or a solicitation of an offer to buy or sell, any advisory services, securities, futures, options or other financial instruments or to participate in any advisory services or trading strategy. Nothing contained in this document constitutes investment, legal or tax advice or is an endorsement of any of the digital assets or companies mentioned herein. You should make your own investigations and evaluations of the information herein. Any decisions based on information contained in this document are the sole responsibility of the reader. Certain statements in this document reflect Galaxy Digital’s views, estimates, opinions or predictions (which may be based on proprietary models and assumptions, including, in particular, Galaxy Digital’s views on the current and future market for certain digital assets), and there is no guarantee that these views, estimates, opinions or predictions are currently accurate or that they will be ultimately realized. To the extent these assumptions or models are not correct or circumstances change, the actual performance may vary substantially from, and be less than, the estimates included herein. None of Galaxy Digital nor any of its affiliates, shareholders, partners, members, directors, officers, management, employees or representatives makes any representation or warranty, express or implied, as to the accuracy or completeness of any of the information or any other information (whether communicated in written or oral form) transmitted or made available to you. 
Each of the aforementioned parties expressly disclaims any and all liability relating to or resulting from the use of this information. Certain information contained herein (including financial information) has been obtained from published and non-published sources. Such information has not been independently verified by Galaxy Digital and, Galaxy Digital, does not assume responsibility for the accuracy of such information. Affiliates of Galaxy Digital may have owned or may own investments in some of the digital assets and protocols discussed in this document. Except where otherwise indicated, the information in this document is based on matters as they exist as of the date of preparation and not as of any future date, and will not be updated or otherwise revised to reflect information that subsequently becomes available, or circumstances existing or changes occurring after the date hereof. This document provides links to other Websites that we think might be of interest to you. Please note that when you click on one of these links, you may be moving to a provider’s website that is not associated with Galaxy Digital. These linked sites and their providers are not controlled by us, and we are not responsible for the contents or the proper operation of any linked site. The inclusion of any link does not imply our endorsement or our adoption of the statements therein. We encourage you to read the terms of use and privacy statements of these linked sites as their policies may differ from ours. The foregoing does not constitute a “research report” as defined by FINRA Rule 2241 or a “debt research report” as defined by FINRA Rule 2242 and was not prepared by Galaxy Digital Partners LLC. For all inquiries, please email contact@galaxydigital.io. ©Copyright Galaxy Digital Holdings LP 2023. All rights reserved.