Web3 is off to a rip-roaring start. The theoretical transformation of digital society via the blockchain is supposed to usher in a bold new decentralized internet powered by cryptocurrency. The revolution has begun, the crypto ads tell us! The world is changing. Get your Slurp Juice now!
And yet…the world somehow remains strangely the same. Even in web3, the wealthy monopolize the resources, cops are watching your every move, and people are still dicks.
Another thing the revolution doesn’t seem to have cured is crime—specifically cybercrime. Just like in web2, the blockchain is ultimately still governed by software, and, last time I checked, software can get hacked. Shockingly, that’s what’s been happening. Exchanges, NFTs, DAOs, decentralized credit-based stablecoin protocols—if you can name it, it’s been hacked. Since January, a little over a billion dollars is out the door already. Pretty good Q1 for the criminals!
The year isn’t even close to being over yet, but there have been so many crypto heists that we figured we’d throw together a quick rundown. Idk, maybe we’ll do one of these every four months or every billion stolen dollars. We’ll see how things go.
March saw one of the largest cryptocurrency heists of all time target Axie Infinity, a blockchain-based online game in which players gather and mint NFTs. Cybercriminals compromised the Ronin blockchain, upon which the Axie project is built, thieving a whopping $625 million in tokens. The FBI has said that the North Korean hacking group “Lazarus” is responsible for the heist.
On April 30, two decentralized finance (DeFi) platforms, Rari Capital and the Fei protocol, were robbed by a cybercriminal who used a “reentrancy vulnerability” to pilfer over $80 million worth of cryptocurrency from Rari’s Fuse lending protocol.
Wormhole is a DeFi cross-chain protocol, meaning it facilitates the secure transfer of tokens from one crypto ecosystem to another. Unfortunately, Wormhole’s “secure” asset transfers aren’t always so secure. In February, cybercriminals exploited a vulnerability in Wormhole’s smart contract code to suck out 120,000 wETH (wrapped ether, a tokenized form of Ethereum’s ETH), which was equivalent to some $325 million at the time of the theft.
The DeFi protocol Qubit Finance is an Ethereum-BSC (Binance Smart Chain) “bridge” designed to allow for the exchange of assets between different crypto ecosystems. Bridges, however, are somewhat notorious for the security flaws that get them hacked. At the end of January, Qubit was compromised by a cybercriminal, who stole 206,809 Binance coins, equivalent to $80 million.
IRA Financial recently had the bright idea to partner with the crypto exchange Gemini to allow users to invest in cryptocurrency via their retirement accounts. A cybercriminal somehow managed to pilfer $36 million in cryptocurrency tied to clients’ funds from IRA Financial. The two companies are now facing a proposed class action lawsuit over the incident. The heist hasn’t stopped Fidelity from allowing its 401k account holders to invest in cryptocurrency, though.
This slide has been updated to clarify that Gemini was not the vector through which the cryptocurrency was stolen.
In April, hackers descended upon crypto company Beanstalk, which describes itself as a “decentralized credit-based stablecoin protocol.” Whatever the hell that means, it sure didn’t stop a cybercriminal from conducting a “flash loan” attack that drained approximately $182 million in crypto from its coffers. The hacker then transferred the funds into a private wallet, absconding with the digital cash. “We are fucked,” commented one of the project’s developers following the hack. Sounds about right!
Cashio is a stablecoin project on the Solana blockchain that issues the token CASH. A hacker used what’s known as an “infinite mint” exploit, which took advantage of a vulnerability in the project’s code. The cybercriminal ultimately made off with $52 million in CASH, which sent the value of the token plummeting till it reached $0.00005. The hacker later claimed he would give the money to charity, but investors would probably have preferred to have the money back themselves.
As the great American orator George W. Bush once said, “Fool me once, shame on you…Ya fooled me we can’t get fooled again!” Deus Finance, a DeFi infrastructure protocol, apparently never learned that lesson. The unfortunate platform was hacked twice in as many months earlier this year—first in March, when a cybercriminal used a “flash loan” attack to hijack some $3 million in crypto, and again at the end of April, when another criminal used a practically identical attack to abscond with approximately $13.4 million in cryptocurrencies. We’ll look for the third heist next month!
Bored Ape Yacht Club is that ubiquitous NFT collection from Yuga Labs that involves images of unenthused monkeys wearing various ever-shifting articles of clothing. The Instagram account for BAYC was hacked in late April, allowing a cybercriminal to conduct phishing scams that netted some 134 non-fungibles worth millions from BAYC account followers, including a dozen ape assets.
Crypto.com, the popular cryptocurrency exchange that somehow convinced Matt Damon to appear in its ads and a stadium to take its name (answer: wads of money), admitted in January that it had been hacked by cybercriminals. Hackers outsmarted the exchange’s two-factor authentication, managing to pilfer nearly $35 million in cryptocurrency from the platform. As Damon once said, “How da ya like them apples?”