Web3 is off to a rip-roaring start. The theoretical transformation of digital society via the blockchain is supposed to usher in a bold new decentralized internet powered by cryptocurrency. The revolution has begun, the crypto ads tell us! The world is changing. Get your Slurp Juice now!
Another thing the revolution doesn’t seem to have cured is crime — specifically cybercrime. Just like in web2, the blockchain is ultimately still governed by software, and, last time I checked, software can get hacked. Shockingly, that’s what’s been happening. Exchanges, NFTs, DAOs, decentralized credit-based stablecoin protocols — if you can name it, it’s been hacked. Since January, a little over a billion dollars is out the door already. Pretty good Q1 for the criminals!
The year isn’t even close to being over yet, but there have been so many crypto heists we figured we’d throw together a quick rundown. Idk, maybe we’ll do one of these every four months or every billion stolen dollars. We’ll see how things go.
The Ronin Heist [$868 Million]
March saw one of the largest cryptocurrency heists of all time target Axie Infinity, a blockchain-based online game that sees players gather and mint NFTs. Cybercriminals compromised the Ronin blockchain, upon which the Axie project is built, thieving a whopping $US625 ($868) million in tokens. The FBI has said that the North Korean hacking group “Lazarus” is responsible for the heist.
Rari Capital and the Fei Protocol Get Hacked [$111 Million]
On April 30, two decentralized finance (DeFi) platforms, Rari Capital and the Fei protocol, were robbed by a cybercriminal who used a “reentrancy vulnerability” to pilfer over $US80 ($111) million worth of cryptocurrency from Rari’s Fuse lending protocol.
Wormhole Gets Its Funds Sucked Out [$451 Million]
Wormhole is a DeFi cross-chain protocol, meaning it facilitates the secure transfer of tokens from one crypto ecosystem to another. Unfortunately, Wormhole’s “secure” asset transfers aren’t always so secure. In February, cybercriminals exploited a vulnerability in Wormhole’s smart contract code to suck out 120,000 wETH, a variant of Ethereum, which was equivalent to some $US325 ($451) million at the time of the theft.
The Qubit Protocol Gets Hacked [$111 Million]
The DeFi protocol Qubit Finance is an Ethereum-BSC (Binance Smart Chain) “bridge” designed to allow for the exchange of assets between different crypto ecosystems. Bridges are somewhat notorious for having security flaws that can get them hacked, however. At the end of January, Qubit was compromised by a cybercriminal, who stole 206,809 Binance coins, equivalent to $US80 ($111) million.
IRA Financial Trust’s Crypto Gambit Proves Not so Trustworthy [$50 Million]
IRA Financial, which is supposed to be a reputable company and not a free-wheeling Web3 startup, recently had the bright idea to partner with the crypto exchange Gemini to allow users to invest in cryptocurrency via their retirement accounts. A cybercriminal exploited a vulnerability in Gemini’s platform to pilfer $US36 ($50) million in cryptocurrency tied to clients’ funds. The two companies are now facing a proposed class action lawsuit over the incident. The heist hasn’t stopped Fidelity from allowing its 401k account holders to invest in cryptocurrency, though.
Jack Robs the Beanstalk [$253 Million]
In April, hackers descended upon crypto company Beanstalk, which describes itself as a “decentralized credit-based stablecoin protocol.” Whatever the hell that means, it sure didn’t stop a cybercriminal from conducting a “flash loan” attack that drained approximately $US182 ($253) million in crypto from its coffers. The hacker then transferred the funds into a private wallet, absconding with the digital cash. “We are fucked,” commented one of the project’s developers following the hack. Sounds about right!
Hackers Crack into Cashio [$72 Million]
Cashio is a stablecoin project from the Solana blockchain that issues the token CASH. A hacker used what’s known as an “infinite mint” exploit, which took advantage of a vulnerability inside of the project’s tech. The cybercriminal ultimately made off with $US52 ($72) million in CASH, which sent the value of the token plummeting till it reached $US0.00005. The hacker later claimed he would give the money to charity, but investors would probably have preferred to have the money back themselves.
Deus Finance Gets Hacked Twice in Two Months [$4 Million, Then $18 Million]
As the great American orator George W. Bush once said, “Fool me once, shame on you…Ya fooled me we can’t get fooled again!” Deus Finance, a DeFi infrastructure protocol, apparently never learned that lesson. The unfortunate platform was hacked twice in as many months earlier this year — first in March, when a cybercriminal used a “flashloan” attack to hijack some $US3 ($4) million in crypto, and again at the end of April, when another criminal used a practically identical attack to abscond with approximately $US13.4 ($18) million in cryptocurrencies. We’ll look for the third heist next month!
Ape Theft Via Instagram [134 NFTs]
Bored Ape Yacht Club is that ubiquitous NFT collection from Yuga Labs that involves images of unenthused monkeys wearing various ever-shifting articles of clothing. The Instagram account for BAYC was hacked in late April, allowing a cybercriminal to conduct phishing scams that netted some 134 non-fungibles from BAYC account followers worth millions — including a dozen ape assets.
Crypto.com Gets Hacked [$49 Million]
Crypto.com, the popular cryptocurrency exchange that somehow convinced Matt Damon to appear in its ads and a stadium to take its name (answer: wads of money), admitted in January that it had been hacked by cybercriminals. Hackers outsmarted the exchange’s 2-factor authentication, managing to pilfer nearly $US35 ($49) million in cryptocurrency from the platform. As Damon once said on its behalf, “How da ya like them apples?”