The 10 biggest cryptocurrency hacks and exploits of 2023

The cryptocurrency industry has continuously faced hacks and protocol exploits over the years.

This trend continues through 2023. However, there is good news: the number of hacks is down more than 50% year-on-year.

According to TRM Labs, the amount of cryptocurrency stolen by hackers this year is estimated at about $1.7 billion, less than half the $4 billion recorded in 2022. Although total losses have decreased, that is still a large amount of money stolen from individual projects.

This year saw a number of serious hacks, affecting prominent entities such as Multichain, Euler Finance, Mixin Network and Atomic Wallet.

Then, in November, three cryptocurrency projects linked to Tron founder Justin Sun – Poloniex, HTX and Heco Bridge – lost a total of more than $200 million in a series of exploits.

A recurring problem in many of these incidents is the compromise of private keys, which allows perpetrators to access users’ funds. Throughout the year, North Korean hacking group Lazarus was involved in multiple attacks, resulting in overall losses of more than $300 million.

This article will take a deep dive into the biggest cryptocurrency heists of the year, looking at the projects affected and the factors that contributed to each attack.

Mixin Network — $200 million 

Mixin Network is a Hong Kong-based cryptocurrency project that suffered the largest cryptocurrency exploit of the year.

On September 23, the company had to abruptly shut down operations after hackers stole a staggering $200 million from users’ hot wallets.

Mixin reported that “the cloud service provider’s database has been attacked by hackers”. While the company offered no further explanation, analysts believe the affected database may have held private keys for users’ accounts, which are the secret phrases that unlock their cryptocurrency holdings.

Euler Finance — $197 million 

Few events capture the audacity and vulnerability of DeFi as vividly as the March 2023 exploit on the Euler lending protocol. As a result, $197 million worth of cryptocurrency disappeared with a strange trick.

A hacker exploited a vulnerability in the lending protocol by manipulating the exchange rate between stablecoins issued by Euler: eDAI and dDAI. By repeatedly calling the “donateToReserves” function with DAI, the hacker was able to increase the eDAI/dDAI ratio.

They used a flash loan (a type of loan that is repaid in the same transaction on Ethereum) to disrupt the balance of the liquidity pool holding the above two tokens. This triggered the liquidation of borrowers’ dDAI positions to withdraw funds from the protocol.

But the story doesn’t end there. In a twist known as a “white hat” move, the attacker returned the stolen funds. The victims got almost all their money back (except for a small bonus from the loot that was transferred back to the team).

Multichain — $125 million 

In July, the Multichain cross-chain bridge was said to have been hit by an exploit that resulted in the loss of up to $125 million in cryptocurrencies across the various blockchains it supported. Among them, the biggest damage was on Fantom. This happened right after the bridge was paused amid what the team called “many problems due to unforeseen circumstances.”

The exact cause of the hack remains unclear, as no reports have been issued.

According to security company Halborn’s explanation, it is possible that the private keys of smart contracts in the bridge were compromised, a breach due to hackers exploiting errors in the code.

Many people have raised concerns that the team is behind this incident because Multichain CEO Zhaojun disappeared right before the hack.

Prior to this event, he was arrested by Chinese authorities and it was revealed he had exclusive control over the protocol’s funds, contradicting Multichain’s previous claims of decentralization. The Multichain bridge is no longer active.

Poloniex — $120 million 

In November 2023, hackers suspected of belonging to North Korea’s Lazarus Group siphoned a staggering $120 million from Poloniex’s hot wallet, possibly by gaining access to private keys.

Immediately after that, trading and withdrawal services were suspended. The exchange said it will refund affected users. Poloniex has operated as a centralized exchange since 2014. Justin Sun, founder of Tron, acquired the exchange in 2019.

Atomic Wallet — $100 million 

In June 2023, user wallets on the cryptocurrency wallet app Atomic were wiped out. Hackers stole more than $100 million worth of assets from about 5,500 users. The main reason behind the incident remains unclear as Atomic has yet to provide an explanation.

Many suspect the exploit could be due to code vulnerabilities flagged by security analysts at Least Authority a year before the incident. Analysts at SlowMist also found potential problems.

On-chain analytics firm Elliptic tracked more than 5,500 wallets targeted in the attack, saying North Korean hacking group Lazarus was behind it.

In August, a group of victims in Russia filed a class action lawsuit against the company behind Atomic for failing to protect users’ assets. A few months later, the company responded with a motion to dismiss the lawsuit in U.S. court.

Heco Bridge, HTX — $99 million 

In November, the main cross-chain bridge on Heco – a blockchain established by the exchange HTX – was caught up in a major exploit. The perpetrator gained control of the bridge’s main smart contract or operator account, resulting in the theft of over $86 million in various cryptocurrencies.

Initial analyses show that the intruder manipulated the bridge’s smart contract code and broke security protocols. This allowed hackers to create unauthorized tokens (through a bridge contract), which were then exchanged for ETH and transferred out of the bridge.

HTX (formerly Huobi) also suffered a loss of $12 million from its hot wallet. Justin Sun, advisor to HTX and founder of Tron, said a white hat bounty was offered to the attacker. This offer was apparently accepted, so the platform recovered $8 million (out of the $12 million stolen).

Curve — $73 million 

In July, disaster struck Curve Finance, one of DeFi’s largest decentralized exchanges. Several liquidity pools on the platform were exploited due to vulnerabilities in the Vyper programming language they use. As a result, hackers stole about $73 million in different digital currencies.

The vulnerability allowed attackers to withdraw funds by exploiting smart contract logic. This method is often called a reentrancy attack, in which hackers manipulate smart contracts to withdraw funds repeatedly in quick succession.

A malfunctioning reentrancy guard in Vyper facilitated this attack. Projects built on Curve’s pool platform, such as JPEG’d, Metronome and Alchemix, were all affected.
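The failure mode described above, as an added example that is not from the original article, Curve or Vyper: a simplified Python model of a pool that pays out before updating balances, run once with a working reentrancy guard and once with a guard that never locks. The `Pool` class, the `simulate` function and all amounts are constructed for illustration.

```python
# Constructed model of a reentrancy guard; not Curve or Vyper code.
class ReentrancyError(Exception):
    pass

class Pool:
    def __init__(self, guard_works):
        self.guard_works = guard_works  # False models the malfunctioning guard
        self.locked = False
        self.balances = {}              # depositor -> credited amount
        self.reserves = 0               # funds actually held by the pool

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, on_receive):
        if self.locked:
            raise ReentrancyError("reentrant call blocked")
        if self.guard_works:
            self.locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or amount > self.reserves:
                return 0
            self.reserves -= amount
            on_receive(amount)       # external call BEFORE the state update
            self.balances[who] = 0   # too late if the callee re-entered
            return amount
        finally:
            self.locked = False

def simulate(guard_works):
    """Return (paid_to_caller, pool_reserves, reverted) for a re-entering caller."""
    pool = Pool(guard_works)
    pool.deposit("honest", 90)       # constructed sample deposits
    pool.deposit("caller", 10)
    received = []

    def on_receive(amount):          # callback that re-enters withdraw()
        received.append(amount)
        if pool.reserves >= amount:
            pool.withdraw("caller", on_receive)

    snapshot = (dict(pool.balances), pool.reserves)
    try:
        pool.withdraw("caller", on_receive)
        return sum(received), pool.reserves, False
    except ReentrancyError:          # model the whole transaction reverting
        pool.balances, pool.reserves = snapshot
        return 0, pool.reserves, True
```

With the guard disabled, a 10-unit deposit pulls out all 100 units of reserves; with the guard working, the nested call fails and the pool keeps its funds. Updating the balance before the external call would also close the gap independently of the guard.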

The Curve team quickly patched the vulnerability and ultimately recovered approximately $50 million – 70% of the stolen funds – alleviating concerns for many users and stakeholders. The recovered funds are returned directly to ethical hackers or are kept with the support of MEV program operators, such as c0ffeebabe.eth.

CoinEx — $55 million 

In September, Hong Kong-based centralized exchange CoinEx reported a major hack. Hackers broke into the exchange’s hot wallet, designed to be used for instant transactions, and made off with more than $55 million in various coins.

North Korea’s Lazarus group is suspected of being involved in this incident. Investigators have identified a link between the CoinEx hack and another theft at betting platform Stake.com that the US Federal Bureau of Investigation said was linked to the Lazarus hacking group. Analysis revealed that the wallet address that received the stolen funds from Stake.com had direct interaction with the CoinEx hacker’s wallet.

KyberSwap — $54 million 

Decentralized exchange (DEX) aggregator KyberSwap was hit by an exploit via an attack on its Elastic platform, losing approximately $54 million in cryptocurrency.

The November 22 exploit originated from a vulnerability in the tick interval boundaries of Kyber’s concentrated liquidity pools, allowing the perpetrators to artificially double liquidity and drain the pools.

In an effort to negotiate, Kyber proposed a 10% white hat bonus to the hacker to get the money back. However, the hacker appeared uninterested in receiving the bounty and made other demands in a bizarre on-chain message, including asking the team for complete control of the project.

The team recovered $4.7 million in funds drained by third-party MEV bots.

Stake.com — $41 million 

Cryptocurrency-based betting platform Stake.com has fallen victim to an attack that exploited its wallet private keys. On September 4, 2023, an estimated $41 million in cryptocurrency was stolen from the platform.

The FBI attributed the attack to Lazarus in a report, based on its analysis of the addresses receiving funds stolen from Stake.com on the Ethereum, BNB Chain and Polygon networks.
