10 Largest Crypto Hacks, Heists and Exploits of the Past 15 Monthsby Fintech News Singapore September 10, 2021
Cryptocurrency-related hacks and scams continue to cost businesses and consumers billions in losses each year. Although overall crypto-related fraud activities have declined since at least 2019, data from blockchain analytics and crypto intelligence firm Ciphertrace suggests that criminals are now moving to decentralized finance (DeFi) applications and protocols.
Data from the Cryptocurrency Crime and Anti-Money Laundering Report, August 2021, show that by the end of July, major crypto thefts, hacks and frauds totaled US$687 million, a number that continues to dwarf.
In 2019, crypto thefts, hacks and frauds surged to US$4.5 billion. That number dipped to US$1.9 billion in 2020, and the US$687 million figure recorded between January and July 2021 suggests that this year’s level shouldn’t surpass that of previous years.
DeFi-related crime surges
Despite the overall positive outlook on crypto crime, a breakdown of the types of thefts and fraud shows that DeFi-related crimes continue to grow quarter-over-quarter (QoQ), netting criminals a total of US$471 million between January and July 2021.
DeFi is a fast-growing space within the crypto industry that seeks to provide traditional financial products like loans and trading without the need for a middlemen. DeFi products use decentralized apps (DApps) that perform financial functions on blockchain-based infrastructure leveraging smart contracts.
DeFi-related hacks totaled US$361 million between January and July 2021, or three-quarters of the total crypto-related hack volume this year — a 2.7x increase from 2020.
DeFi-related fraud continues to rise, as well, surging from just US$41 million for the whole year 2020 to US$113 million in the January-July 2021 period.
Since our last update in May 2019, a lot of major crypto-related hacks and heists have dominated headlines and thieving enterprises and consumers out of billions of dollars.
Continuing from that list we’ve compiled a list of the top 10 biggest crypto hacks, heists and exploits of the past 15 months.
November 2019: Upbit, US$48.5 million
South Korea-based cryptocurrency exchange told customers in November 2019 that hackers had led to the theft of US$48.5 million worth of ether by gaining access to the exchange’s hot wallet.
Upbit released a statement afterward telling users that it would cover all of the losses with the exchange’s assets.
September 2020: KuCoin, US$281 million
In September 2020, US$281 million in cryptocurrencies were stolen from KuCoin, a Singapore-headquartered digital asset exchange, affecting roughly US$150 million in user funds. At the time, this represented the third-largest theft ever against a crypto exchange.
A confidential report by United Nations (UN) experts released earlier this year said that the theft “strongly suggests” links to North Korea.
February 2021, Alpha Homora, US$37.5 million
On February 2021, an attacker successfully drained over US$37 million from DeFi protocol Alpha Homora.
Leveraging Cream’s Iron Bank protocol-to-protocol lending platform, the criminal was able to use Alpha Homora to borrow and lend repeatedly with Cream Finance’s Iron Bank, which allowed for leveraged lending.
March 2021: PAID Network, US$180 million
In March 2021, DeFi platform PAID Network was attacked via a vulnerability that allowed a hacker to create millions of new tokens.
While the exploit netted US$180 million in PAID tokens at the time of the attack, only a portion of the tokens were converted to wrapped ether, while the rest rapidly lost value due to inflation. Nevertheless, the hacker managed to bag a total of US$3 million.
April 2021: Africrypt, US$4 billion
In April 2021, Ameer Cajee, one of the creators of Africrypt, a South African crypto investment platform, contacted investors informing them that the protocol had been hacked. The founder requested that investors not contact lawyers or law enforcement as it would “delay the recovery process.” At the time, the company held over US$4 billion worth of bitcoin.
Since June 2021, Ameer and Raees Cajee, the two founders, have reportedly disappeared, taking US$3.6 billion worth of cryptocurrencies with them.
April 2021: EasyFi, US$80 million
In April 2021, EasyFi Network, a DeFi project on the Polygon Network, reported that a hacker stole roughly US$80 million worth of funds from its wallet. EasyFi founder and CEO Ankitt Gaur said that hackers compromised the Metamask browser extension by hacking into his computer.
Using the compromised private key, the criminal drained US$6 million from EasyFi’s stablecoin liquidity pools and stole an additional 2.98 million EASY tokens worth US$75 million at the time of the hack.
April 2021: Uranium Finance, US$50 million
In April, DeFi project Uranium Finance was drained of more than US$50 million. The attacker exploited a bug in Uranium Finance’s smart contract to swap a single token for almost all other tokens in the protocol’s liquidity pool.
May 2021: PancakeBunny, US$200 million
In May 2021, the PancakeBunny protocol suffered an exploit that allowed the attacker to drain US$200 million worth of cryptocurrencies from the platform.
The large amount of Bunny tokens acquired by the hacker was then dumped on the market, causing its price to plummet over 95%. It’s estimated that the attacker profited by close to US$3 million.
August 2021: Poly Network, US$610 million
In August 2021, DeFi platform Poly Network suffered a highly publicized cyberattack, losing US$610 million in the biggest DeFi hack in history. The hackers said that they did the attack for fun to expose a vulnerability in the platform’s smart contract.
Keeping their word, the hackers returned nearly all of the US$610 million stolen within the next two weeks following the heist.
August 2021: Liquid, US$97 million
In August 2021, nearly US$100 million worth of cryptocurrencies were stolen from Japan-based crypto exchange Liquid.
The hacker quickly sent US$20 million worth of ether to Tornadocash.com, a non-custodial mixer for ether and ERC20 tokens. The hacker also used decentralized exchange Uniswap, among others, to liquidate ERC20 tokens. An estimated US$32 million still remains in the hacker’s wallet.