The Top 5 Cryptocurrency and DeFi Hacks of All Time

In the exciting yet risky world of cryptocurrencies, the quest for financial freedom has not been without its fair share of challenges. As digital currencies continue to gain prominence (and higher prices), they’ve also become a prime target for malicious actors seeking to exploit vulnerabilities for financial gain. In this exploration, we will delve into the worst crypto hacks of all time, from Mt. Gox to more recent years (until 2023).

Besides, we will also venture into the realm of DAG-based cryptocurrencies and examine instances where these innovative, Directed Acyclic Graph-based networks faced their own unique set of security challenges. Brace yourself for a journey through the highs and lows of the crypto world, where innovation meets vulnerability, and where the stakes are higher than ever before.

Mt. Gox

Strictly speaking, in theory, there have been attacks that took a higher bounty since this one in 2014. But the whole crypto world that year was, basically, just Bitcoin (BTC); and Mt. Gox was the world’s leading Bitcoin exchange. The platform was handling over 70% of total transactions globally amid very volatile prices. Then, after numerous issues and hidden hacks, serious solvency problems were revealed in February 2014.

All withdrawals were halted with feeble excuses on February 7. On February 23, the CEO, Mark Karpelès, resigned from the board of the Bitcoin Foundation and deleted all Mt. Gox tweets. The next day, the website went offline and leaked documents indicated the loss of 744.408 BTC (around $473 million at the time). That’d be over $19.1 billion in today’s prices [CMC].

As read on the leaked documents, the hackers were siphoning Bitcoin from Mt. Gox for several years, unbeknownst to the company. According to WizSec’s research, somehow, hackers managed to steal the private key from the Bitcoin hot (online) wallet of Mt. Gox, which allowed them to handle the exchange funds at their will. We must say that their security wasn’t the best, since Bitcoin as a ledger wasn’t hacked, but only the exchange.

Due to the still small size of the crypto community in those years, the hit was devastating. Bitcoin lost over 43% since February and until December. It wouldn’t show improvement signs until late 2015. The victims of the Mt. Gox hack, for their part, had to wait for years to receive some kind of hope for reimbursements. After a huge legal battle, the Mt. Gox trustee is set to finally repay the exchange’s creditors by the end of October 2023.

Coincheck

In January 2018, Coincheck, a prominent Japanese cryptocurrency exchange, fell victim to one of the largest cryptocurrency hacks in history. Hackers exploited vulnerabilities in the exchange's security systems, gaining access to Coincheck's hot wallet (online). They stole approximately 523 million NEM (XEM) tokens, valued at nearly $530 million at the time.

As reported by some sources, the breach was executed by sending malware-infected emails to Coincheck employees, allowing the attackers to gain control of internal systems. Once inside, they swiftly transferred the stolen XEM tokens to various addresses, making it challenging to trace the funds.

In the aftermath, Coincheck faced intense scrutiny from regulators, leading to improved security measures and a massive reimbursement effort. The exchange vowed to compensate affected users by returning their stolen XEM tokens at a rate of 88.549 JPY per coin, significantly below the market value at the time. They did it with their own funds.

Despite the reimbursement efforts, this hack left a significant impact on both Coincheck and the broader cryptocurrency community. It served as a stark reminder of the security risks associated with centralized cryptocurrency exchanges and the importance of robust security protocols. Coincheck's handling of the incident raised questions about the safety of funds entrusted to exchanges and prompted regulatory authorities worldwide to tighten their oversight of cryptocurrency platforms to protect investors and prevent future breaches.

BSC Token Hub

The Binance brand hasn’t been exempted from issues, either. On October 7, 2022, the BNB Smart Chain's native cross-chain bridge between BNB Beacon Chain and BNB Smart Chain fell victim to a hack. The exploit resulted in the temporary suspension of the Binance Smart Chain to contain the damage. The attacker illicitly minted 2 million BNB tokens, valued at approximately $566 million at the time. Most of it was quickly frozen by the team, but the hacker managed to move roughly $137 million to other chains.

The breach began with the attacker receiving 100 BNB from a ChangeNOW wallet on October 5, 2022. This allowed them to register as a Relayer for BSC Token Hub, which facilitates cross-chain transactions between BNB Beacon Chain (BEP2) and Binance Smart Chain (BEP20). The attacker exploited a vulnerability in the way BSC Token Hub verified proofs, forging arbitrary messages and initiating the creation and withdrawal of 2 million BNB in two transactions.

Rather than immediately off-ramping the stolen funds to exchanges, the attacker used Venus, a popular lending protocol on BNB Chain. They collateralized 900k BNB to borrow stablecoins like USDT, USDC, and BUSD in five transactions, worth over $250 million. These stablecoins were then routed to multiple chains using bridges, and various DeFi products were employed to avoid detection.

After the hack, BSC halted the chain due to irregular activity, preventing further fund movements. The attacker's balances across chains were closely monitored. BNB Chain implemented a hardfork (update) to address vulnerabilities and introduced a new on-chain governance mechanism to fight against future attacks.

Poly Network

The Poly Network, an interoperability protocol facilitating trading between different chains, was a victim of an exploit on August 10, 2021. It was orchestrated by anonymous hackers, resulting in the transfer of more than $610 million in cryptocurrencies to their control. They stole ETH, USDC, DAI, UNI, SHIB, FEI, MATIC, and several BSC tokens; all of them from general community members. Notably, this was one of the largest security incidents in the history of decentralized finance (DeFi).

The hackers moved the pilfered funds to addresses they controlled on Ethereum, Binance Smart Chain, and Polygon. Following the attack, the Poly team called upon exchanges and miners to monitor the stolen tokens' flow and urged a halt to the hacker's transactions. Tether froze $33 million worth of USDT.

In a surprising turn of events, the hackers announced on August 11, 2021, their intention to return the tokens, claiming the theft aimed to expose vulnerabilities and enhance Poly Network's security. They used embedded messages in transactions to communicate publicly.

The protocol team, in response, initiated the recovery process and referred to the hackers as "Mr. White Hat." They offered a $500,000 bug bounty and the role of "chief security advisor" to ensure the safe return of the remaining assets. The last portion of the stolen funds was returned on August 23.

The incident sparked some controversy over the use of the term "white hat" for the hackers, with concerns that it could set a precedent for criminal hackers to sanitize their actions. However, Poly Network launched a bug bounty program to improve security, inviting security agencies and white hat organizations to audit its core functions. Rewards of up to $100,000 were offered for critical vulnerabilities.

Ronin (Axie Infinity)

This is considered the largest-ever hack in the crypto world. On March 23, 2022, the Ronin Network, an Ethereum sidechain for the game Axie Infinity, fell victim to a massive attack. The hackers made off with 173,600 ETH and 25.5 million USDC, totaling over $625 million, surpassing previous record-breaking crypto heists.

The hack exploited the Ronin bridge, a crucial component for asset transfers between Ronin and other ecosystems. The attackers gained control of four Ronin validator keys hosted on Sky Mavis (the company behind Axie Infinity). It is common for blockchains that this small number of keys is enough to gain control of the network. To complete their scheme, they leveraged a backdoor through a gas-free RPC node, obtaining the signature for the Axie DAO validator. This granted them control of all necessary keys to carry out fake withdrawals.

Sky Mavis detected the breach after a user reported withdrawal issues, six days post-attack. While a significant portion of the stolen funds remained with the hackers, they attempted to withdraw smaller amounts through centralized crypto exchanges. At least, Sky Mavis compromised to reimburse its users.

The incident caused Ronin's token price to plummet by over 20%, exacerbating concerns within the DeFi space, already grappling with a string of high-profile attacks. Crypto exchanges Binance and Huobi pledged to assist in tracking and returning stolen funds to Axie Infinity users, while Sky Mavis is cooperating with government agencies to bring the hackers to justice.

Is all this possible in a DAG like Obyte?

Directed Acyclic Graph (DAG) ledgers like Obyte have their own unique structure and consensus mechanisms, which can offer certain advantages in terms of decentralization compared to blockchain systems. However, they’re not totally immune to security vulnerabilities and potential hacks.

The specific attack vectors and potential exploits may differ from those of blockchains, but DAG-based systems can still be susceptible to various types of attacks. Some possible concerns, depending on the platform involved, include:

• Sybil Attacks:Perpetrators create numerous fake identities or nodes to control a network, compromising its trust, security, and consensus mechanisms through artificial influence and manipulation. Only some naively designed DAGs are vulnerable to this issue, and they usually solve it through centralization (e.g. IOTA).
  

• Smart Contract Vulnerabilities:Exploiting coding flaws to execute unauthorized actions, siphon assets, or disrupt decentralized applications, often leading to financial losses.
  

• Double Spending:A fraudulent act where a user duplicates a cryptocurrency transaction, enabling them to spend the same digital assets multiple times, undermining the integrity of the ledger. Like in blockchains, this issue occurs only if the user accepts a payment without waiting for its finality (or without waiting long enough if there is no deterministic finality).
  

• Potential Centralization: Some DAGs have the risk of excessive control or influence by a few entities in a network (like companies, miners, or validators), eroding its decentralization, and potentially compromising its security, immutability, and trustworthiness. This isn’t the case with Order Providersin Obyte, though.
  

• Failures of External Exchanges: Vulnerabilities in external cryptocurrency exchanges can result in security breaches, hacking incidents, or exchange insolvency, causing substantial financial losses and interruptions in trading activities.

  
  

Not every DAG is susceptible to all these issues, and they have their own methods to avoid them. So, while DAGs offer their own set of advantages, they’re not immune to security concerns. The specific nature of potential attacks may differ, but the fundamental principles of securing a decentralized ledger still apply. It's essential to continuously assess and address security vulnerabilities in any blockchain or DAG-based system.

That’s why Obyte has a bug bounty program on Immunefi, where anyone can report a bug —if they found it. We’re offering up to $50,000 per critical bug. So far, Obyte has paid around 5,000 USD to white hats through Immunefi –and around 10,000 USD for bug reports before this program. Security is always essential for any kind of crypto platform!

Featured Vector Image by Freepik