Ever since the pseudonymous Satoshi Nakamoto set out the case for a decentralized, trustless blockchain where everyone held their own account and transactions were verified by anyone who wanted to take part, millions of people have embraced Bitcoin and other cryptocurrencies built on the concept.
However, a truly decentralized financial system remains elusive as long as blockchain-based platforms are vulnerable to exploits. Crypto heists have become an all too familiar occurrence in the fast-paced world of digital assets, where anonymity and decentralization can be both a blessing and a curse. Just recently DeFi platform Euler Finance was drained of nearly $200M in assets.
While not the biggest heist in history, the Euler hack once again reminds us that blockchains remain vulnerable to cybercrime. Moreover, thanks to various integrations allowing various DeFi protocols to connect to one another, Money Legos, the contagion spread quickly to additional platforms.
As the community picks up the pieces from this latest attack, it’s worth taking a step back to examine the history of crypto heists, from the infamous Mt. Gox scandal to more recent DeFi exploits. Let’s delve into the dark side of the crypto world.
The proliferation of blockchain-based assets continues to grow. While the tumultuous events of 2022 have hampered interest, adoption rates remain higher than in the past. The global adoption of cryptocurrency is estimated to have reached approximately 4% of the global population in 2022, approximately 400 million people.
According to Chainalysis, growth is particularly high across emerging market regions such as the Middle East and N. Africa (MENA) and Latin America (LatAm). However, countries like Vietnam, the Philippines, and Ukraine still top the charts. In general, regions plagued by rampant inflation, monetary mismanagement, and mistrust of government agencies/regimes show a higher-than-average adoption rate.
According to Chainalysis’s latest crypto-crime report, illicit cryptocurrency volumes reached an all-time high in 2022, despite the market pullback.
There has been a consistent increase in the number of heists and thefts over the years. Hacking has become a lucrative business, where experienced hackers seek out the best return on investment. Recent hacks indicate that hackers are becoming increasingly savvy in their targeting and their tactics. Moreover, history has shown that it is difficult to completely protect blockchain-based platform. The only way that has been shown to completely secure digital assets is by storing them offline in a ‘truly’ cold vault – one that never connects to the internet.
Tracking crypto crime over time reveals that as the rate of heists has grown exponentially, so too has the sum of assets stolen. A big jump occurred between 2020 and 2021, and to a lesser extent between 2021 and 2022.
According to data from Comparitech, there have been nearly 600 crypto heists to date which have resulted in a siphoning of almost $10B, at current market valuation this is nearly $50B.
Of those 600 heists, 40+ times cybercriminals made away with over $50M each, accounting for 80% of all assets stolen.
The Ronin Bridge heist in 2022 was the biggest. Hackers then gained control of the network’s validator keys, stealing over $620M in assets. The Poly Network heist in 2021 looted nearly $610M in assets, coming in second.
Cybercriminals are increasingly targeting points of centralization in cryptocurrency’s decentralized world. Like any business, hackers are looking to maximize their return on investment, so points of centralization make for better targets.
Of all the large heists, exchanges and DeFi protocols have been targeted most and lost the most assets (approximately 35% of the $10B worth of assets stolen, each). Bridges, come in third with 15% of the assets stolen.
That said, this has changed over time. The popularity (or perhaps vulnerability is a better word) of exchanges has declined over the years. Prior to 2021, the majority of large heists occurred at exchanges, this went down to 30% in 2021 and then 18% in 2022. DeFi, on the other hand, was most vulnerable in 2021, with over 58% of the asset value being depleted from DeFi protocols. This percentage went down in 2022. Bridges became vulnerable in 2022, we have yet to see how they perform in 2023.
Cybercriminals are targeting points of centralization because these targets manage large volumes of digital assets making the possible ROI of an attack particularly attractive.
An examination of the biggest heists of the last decade makes clear that one of the most common inroads for hackers to steal large amounts of crypto is via a private key compromise. Whether the private key is to a hot wallet, a cold vault, or the admin or API key doesn’t matter. All are game, and … all are vulnerable.
In fact, any internet-connected device, even if connected for a short period of time, is vulnerable.
This is why securing the private key is of such importance. In a cryptocurrency transaction, the private key is used to sign all transactions, providing mathematical proof of ownership. In other words, the private key enables control and access to digital assets. As a result, it is paramount for institutions to take steps to protect their private keys and keep them safe from unauthorized access.
In second place are smart contract exploits – wherein hackers are able to trick a smart contract or exploit the code to their advantage. Smart contract exploits have taken off in the past couple of years, as smart contracts (and DeFi) are increasingly adopted.
The analysis indicates that:
History has taught us time and again that the only way to truly secure digital assets is by safeguarding the majority of assets in a ‘truly cold vault’ – one which does not require internet connectivity to create, sign or send transactions. Only then is your private key truly secure.
When paired with an MPC wallet the institution can benefit from maximum security and the flexibility required to enjoy market upsides.
For more information, and to learn more about the possible solutions, click here.