In 2021 we saw an incremental rise in the adoption and interest in the cryptocurrency industry, leading to the increase in the development and investment of DeFi platforms.
The total value across the cryptocurrency industry reached upwards of $230bn. The booming valuation has caused hackers to target unaudited DeFi protocols with increasingly sophisticated attacks.
Some of the biggest cryptocurrency hacks faced in 2021:
Poly Network - $600m
More than $600m in assets were stolen from the multi-chain protocol, including $264m worth of assets stolen from Ethereum wallets, $250m from Binance Smart Chain wallets and $85m from Polygon.
Following the hack, the cryptocurrency industry banded together to stop the funds being used and ‘laundered’ by the hacker. They publicly warned the hacker that this much money stolen would gain the attention of law enforcement worldwide and that they should return it. Surprisingly, they returned USD 342 Million outright.
The platform also promised to grant the hacker a $500,000 bounty for identifying their system's flaws and even offered them the chief security advisor position.
BitMart - $200m
Crypto exchange Bitmart lost nearly $200 million in a hot wallet compromise hosted over the Ethereum and Binance Smart Chain blockchains in December.
The hackers made away with a mix of over 20 tokens that includes altcoins such as Binance Coin (BNB), Safemoon, BSC-USD and BNBBPay (BPay). Sizable amounts of meme coins such as BabyDoge, Floki and Moonshot were also compromised in the hack.
Upon further investigation, BitMart CEO Sheldon Xia confirmed that a “large-scale security breach” occurred and that funds were stolen. Little is still known about the cause of the exploit.
Vulcan Forged - $140m
In December, the play-to-earn NFT game Vulcan Forged had a total of $140m of PYR tokens stolen from compromised wallets.
Hackers reportedly accessed the keys of 96 wallets, stealing 23.7% of the project's circulating supply of tokens. The gaming ecosystem provides players with these crypto wallets built on Ethereum, Polygon, and VeChain blockchains and manages the key to these wallets. A majority of the assets were taken from users' wallets, which were linked to an integrated wallet service called Venly.
The team reimbursed users from its treasury.
Cream Finance - $130m
Hackers stole an estimated $130 million worth of cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations.
It’s the third time Cream Finance has been hacked last year after the company lost $37 million in February and another $29 million in August.
All attacks were flash loan exploits, a common way through which most DeFi platforms have been hacked over the past two years.
In total, the hacker managed to get away with a massive trough of assets including 2,760 ETH, 76 BTC and more than $10m in stablecoins.
Badger Finance $120m
In December when BadgerDAO faced a ‘front-end’ attack that saw more than $120m in ETH and BTC stolen from the platform. It was caused by “a maliciously injected snippet” from Cloudflare, an application platform that runs on Badger’s cloud network.
The hacker used a compromised API key that was created without the knowledge or authorization of Badger engineers to periodically inject the malicious code that affected a subset of its customers.
The hacker ultimately stole $130 million in funds, but approximately $9 million of that was recoverable since those funds were transferred by the hacker but not yet withdrawn from Badger’s vaults.
Badger has since patched the Cloudflare exploit, updated Cloudfare’s account password and deleted or freshened API keys where possible. Badger hired cybersecurity firm Mandiant and blockchain analysis firm Chainalysis to investigate the exploit, and is working with both companies, as well as authorities in the U.S. and Canada, to recover any funds possible.
In connection to this attack, the popular crypto platform Celsius was also affected, reportedly losing 896 Bitcoin ($50m) due to the exploit.
How to prevent it from happening to you?
- Double-checking the contract - If you don’t know how to read a contract, it’s a good time to start learning to.
- Spreading assets across several wallets - Don’t put your eggs in one basket.
- Do approvals cleanse - People on Twitter shared services like revoke.cash to revoke approvals you confirmed in the past
- Keeping secrets - Anonymity is your best ally. If you are not known to hold crypto, you probably will be less targeted by hackers specializing in crypto-assets theft.