An introduction to crypto hacks and exploits


Incentivised by the money inflows in crypto assets, malicious actors and groups have found ways to steal funds of blockchain ecosystem participants through hacks and exploits. Besides the loss of assets of individual users and companies, these hacks have also diminished the trust in the blockchain technology and its applications, especially DeFi.

This article covers the what, why, and how of crypto hacks and exploits.

What & Why — an introduction

Put simply, the main question that arises is: Isn’t the blockchain ecosystem built with cryptographic tools and hence secure and unhackable? The short answer is: Yes, cryptographic tools are used, but a blockchain ecosystem is still hackable. Let’s have a look at why this is the case.

First of all, it’s crucial to note that blockchain ecosystems are generally built around three value propositions, namely decentralization, scalability, and security. These three value propositions stand in conflict with each other (also known as the blockchain trilemma). Consequently, concessions have to be made, which may affect security aspects. In addition, hackers find and exploit flaws in the code of the platform itself or of third-party provider software; around 0.3 errors are made in every 1’000 lines of code. Moreover, in blockchain ecosystems various security responsibilities are placed on the ecosystem participants, leading to a set of security risks beyond the technology itself. For example, malicious actors may drain the funds of a wallet by getting access to the private key through phishing.

Also important to note is that blockchain transactions are irreversible. Hence, if hackers are able to gain access to a wallet and transfer funds, it is very unlikely that the wallet owner will regain them, unlike in the traditional financial industry where, for example, funds from a credit card exploit may get returned.

How — Examples of crypto hacks & exploits

When looking closely at how malicious actors get access to funds, available literature typically distinguishes between hacks targeting the underlying blockchain protocol and those targeting applications built on top, including wallets, marketplaces, exchanges, cross-chain bridges and other DeFi applications. Since it’s relatively difficult to attack a blockchain protocol itself, most hackers focus on the latter.

In the following paragraphs, we will have a look at some hacks as examples. Many more have occurred to date:

Blockchain protocol: One way to hack a blockchain protocol to gain access to funds is the so-called ‘51% attack’: Malicious actors undertake efforts to gain control over more than half (i.e., 51%) of a network’s hashing power, which allows them to alter the blockchain in their favour. For instance, they can then reverse transactions and spend the same coins again (called double spending). 51% attacks are, however, only lucrative on smaller-scale blockchains, because the larger a network is, the more difficult and expensive it gets to gain majority control over it.
Another way is to exploit vulnerabilities that hackers detect in the protocol’s code and tailor individual attacks to.

Exchanges: In 2011, the first major successful hack of an exchange occurred: The attackers gained access to the hot wallet of the crypto exchange Mt. Gox and drained it of 25’000 Bitcoins (worth around USD 400’000 at that time). The exchange’s hot wallet was attacked again in 2014 and another 650’000 Bitcoins of its customers and 100’000 Bitcoins of its own were stolen (worth USD 473 million). Since then, various exchanges have been hacked, including Coincheck (2018, USD 534 million), Binance (2022, USD 570 million), and Crypto.com (2022, USD 34 million).

One of the many possibilities to gain access to funds held by or on an exchange is by exploiting smart contract vulnerabilities. One example of this is the so-called ‘reentrancy attack’. During this form of attack, a smart contract’s recursive call mechanism gets exploited, allowing repeated withdrawals of funds before the contract can update balances.
Another way is through a ‘Cross-Site Scripting (XSS) attack’. During this attack, malicious scripts (code) are injected into a website or web application and then unknowingly executed by the victim. This may give the attacker access to login credentials and other sensitive data, or the ability to perform malicious actions on behalf of the victim.
A last one that we present here is social engineering: Attackers pretend to be persons authorised to access an employee’s computer. Once access is granted, they obtain the private keys of wallets held by the exchange.
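
The reentrancy flaw described above comes down to the order of two steps inside the withdrawal function. The following added example (not from the original article) models a contract in plain Python rather than a real smart-contract language; the vault classes, the account classes and `run` are hypothetical names, and all balances are constructed sample values.

```python
class VulnerableVault:
    """Pays out first and updates the balance afterwards."""
    def __init__(self):
        self.balances = {}   # account -> credited amount
        self.pool = 0        # funds actually held by the vault

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.pool += amount

    def withdraw(self, account):
        amount = self.balances.get(account, 0)
        if amount == 0 or self.pool < amount:
            return
        self.pool -= amount
        account.receive(self, amount)   # external call hands control to the recipient
        self.balances[account] = 0      # too late: the balance was stale during the call

class HardenedVault(VulnerableVault):
    """Checks-effects-interactions: update state before the external call."""
    def withdraw(self, account):
        amount = self.balances.get(account, 0)
        if amount == 0 or self.pool < amount:
            return
        self.balances[account] = 0      # effect first
        self.pool -= amount
        account.receive(self, amount)   # a nested withdraw now sees a zero balance

class HonestUser:
    def __init__(self):
        self.received = 0
    def receive(self, vault, amount):
        self.received += amount

class ReenteringContract(HonestUser):
    """Recipient whose receive hook calls back into the vault."""
    def receive(self, vault, amount):
        self.received += amount
        vault.withdraw(self)            # re-enters before the outer call has finished

def run(vault_cls):
    """Constructed scenario: one honest deposit of 90, one re-entering deposit of 10."""
    vault, honest, reenterer = vault_cls(), HonestUser(), ReenteringContract()
    vault.deposit(honest, 90)
    vault.deposit(reenterer, 10)
    vault.withdraw(reenterer)
    return reenterer.received, vault.pool

if __name__ == "__main__":
    print("vulnerable:", run(VulnerableVault))
    print("hardened:  ", run(HardenedVault))
```

With the vulnerable ordering the re-entering recipient receives the whole pool although only 10 was credited to it; with the balance update moved before the external call it receives exactly its own deposit.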

Cross-chain bridges: Cross-chain bridges are used to move digital assets from one blockchain to another. To achieve this, they are often designed to lock the asset in a contract on the origin chain and then mint an equivalent asset on the target chain. This process can be exploited by finding flaws in the code or compromising the private keys of the validators. Prominent examples of cross-chain bridge exploits are the Solana-to-Ethereum Wormhole bridge attack (2022, USD 325 million) and the Harmony bridge exploit (2022, USD 100 million).

Proceeds of crypto hacks and exploits typically get laundered through on-chain channels. Our previous articles cover money laundering risks related to cryptocurrencies as well as measures to detect and prevent money laundering involving digital assets.

Stay tuned for further articles about other financial crime schemes and illicit finance involving digital assets and cryptocurrencies.
