While overall adoption into crypto and Web3 is on the up, hacks remain one of the most pressing problems that the crypto industry faces today. While hacks happen to nearly everyone who stores data in an online database — yes we’re looking at you Optus and Medibank — crypto has had a particularly rough go of it. Already this year, attackers have made off with more than US$3 billion, according to recent data from blockchain intelligence firm Chainalysis.
While blockchains are typically quite secure, advanced hackers are continually finding new ways to exploit weak links in crypto infrastructure, particularly when it comes to some of the newer technology. In fact, October of this year was officially the worst month on record for crypto hacks, with more than US$800 million dollars being looted.
These are the biggest crypto hacks of all time, with some added tips on how best to stay safe.
1. Ronin Network hack: $620 million
The worst attack on record was the Ronin Network exploit, where a group of hackers managed to steal roughly US$620 million dollars worth of Ethereum (ETH) and the US-dollar stablecoin USDC from the blockchain bridge that supported the once wildly popular play-to-earn game Axie Infinity.
US Authorities later tied the attack to the ominous-sounding ‘Lazarus Group’, a consortium of hackers sponsored by North Korea. While the team at Binance managed to recover nearly US$6 million of the stolen funds, unfortunately the hackers managed to successfully take off with all the rest.
The hackers found a vulnerability in the Ronin “bridge” which is a mechanism that sends tokens from one major blockchain network to another. These so-called ‘bridge attacks’ appear quite often on this list, and they remain one of the most critical flaws in crypto technology today.
How to avoid
To the regular crypto user, cross-chain bridges are a piece of blockchain infrastructure that are hidden beneath the surface of everyday interaction and required to send assets from one chain to another.
As developers strengthen infrastructure and do more rigorous auditing and testing, the only way to completely avoid a cross-chain bridge hack is to not transfer your assets from one chain to another. If you do need to, just be aware that you’re using at your own risk.
2. Poly Network exploit: $610 million
The decentralised exchange ‘Poly Network’ takes out the title of the second-worst crypto hack of all time after a single attacker exploited a vulnerability to the tune of an eye-watering US$610 million.
In a bizarre twist just two days later, the hacker returned approximately US$300 million of the stolen funds claiming that they conducted the exploit because it was a good “challenge”.
How to avoid
Poly Network is a decentralised exchange (DEX) — meaning that there’s no central authority to help recover funds — so always be extra cautious when trading on a DEX.
3. Coincheck hack: $534 million
Japanese crypto exchange Coincheck suffered a $534.8 million dollar exploit in January 2018. The attackers found a vulnerability in the exchange’s ‘hot wallet’ and stole $523 NEM tokens. This refers to a wallet address that is connected to the internet, as opposed to a ‘cold wallet’ which is offline.
At the time, the Coincheck hack easily topped the charts of biggest crypto hacks of all time, exceeding the amount stolen in the Mt Gox hack by more than US$120 million.
How to avoid
You should always take your assets off-chain to a cold wallet for maximum safety.
4. Mt Gox Bitcoin hack: $460 million
This is one from the archives. Back in 2014 hackers exploited the Tokyo-based Mt. Gox exchange in what was then deemed to be the largest crypto hack of all time. The hackers managed to steal a total of 740,000 Bitcoin (BTC) from the platform’s users and another 100,000 in BTC from the company itself. The total amount was worth US$460 million at the time.
How to avoid
The key takeaway from the Mt Gox and Coincheck hacks as a crypto investor is to always use a major exchange that conducts audits and stores the bulk of their funds in an offline cold wallet. Currently, the prominent exchanges that do this include Binance, Coinbase and Crypto.com.
5. Wormhole Portal attack: $320 million
In February of this year, the popular Decentralised Finance (DeFi) bridging platform Wormhole witnessed a brutal attack where hackers stole roughly US$320 million. The attack occurred because of an “upgrade” that was made to the bridge’s code, which had not yet been integrated properly with the platform.
How to avoid
When assets go from one chain to another, the original asset is locked in a vault and then represented by a duplicated copy of the asset on the other blockchain. When users redeem the original token, the duplicated or “wrapped” asset gets removed from existence. You can avoid this by not trying to transfer assets across different chains.
6. Bitmart hack: $210 million
Taking out the sixth spot on the list is formerly-popular exchange Bitmart, which suffered a US$210 million hack. Much like Coincheck the attackers exploited Bitmart’s less-secure ‘hot wallet’ with US$90 million being withdrawn on the Ethereum blockchain and another US$120 million exiting through the Binance Smart Chain.
How to avoid
Once again, always use a reputable centralised exchange, as lesser-known exchanges often do not invest in the sorts of security protocols that larger, more established exchanges do.
7. Nomad Bridge exploit: $190 million
On August 2, 2022 the Nomad Bridge suffered an attack that saw approximately US$190 million disappear. The Nomad Bridge exploit once again brought more attention to the security concerns with blockchain network infrastructure known as ‘cross-chain bridges’. It’s worth noting that white hat hackers — the good kind of hackers — helped recover nearly US$36 million of the stolen funds.
8. Beanstalk DeFi hack: $182 million
In April 2022, a DeFi protocol called Beanstalk was exploited after hackers created a “flash loan” of US$182 million from the protocol. The hacker used that loan to take a controlling position in the automated processing of the protocol and transferred US$76 million to their wallet before repaying the rest of the flash loan. Incredibly, the entire hack was completed in less than 20 seconds.
How to avoid
Messing around in the complex world of DeFi protocols can become very risky, very quickly. Unless you have a good deal of experience in DeFi and you know what to look for it might be best to use secondary ‘Earn’ services offered by major exchanges like Binance and Coinbase before delving into DeFi yourself.
9. Wintermute $160 million
In September 2022, Wintermute, a leading ‘market maker’ got hacked for a total of $160 million. The weakness was linked to an old tool used to give a wallet a name (known as a vanity address) instead of a 42-digit string of letters and numbers. There was a bug in the name generator that allowed hackers to access private keys.
How to avoid
Never use a third party service to generate a “vanity address”. Always use your original ETH address.
Honourable mention. The Binance Smart Chain hack: $110 million
On October 7 this year, world-leading crypto exchange Binance alerted the community that the Binance Smart Chain (BSC) had been temporarily paused following an attack.While this didn’t make the cut, it was worth mentioning because it’s yet another example of a bridge attack.
While the attacker initially managed to secure 2 million Binance Coin (BNB) tokens worth roughly US$560 million from the BSC Token Hub, they only managed to successfully make off with a total of US$110 million. The majority of the funds couldn’t be transferred out after Binance validators shut down the Binance Smart Chain.
Final verdict on crypto hacks
The cryptocurrency industry has matured significantly over the past few years. Exchange hacks that were frequent between 2014 and 2019 have become increasingly less common with new, world-leading exchanges like Binance and Coinbase continually updating their security protocols.
However, blockchain bridges like Ronin, Wormhole and Nomad continue to be a focal point for security concerns. Additionally, flaws in DeFi protocols have also become a growing issue, with many hackers coming up with new ways to attack them.
Coding expert Jay Freeman told The Chainsaw that blockchain developers must continue their work in upping security across the board, by implementing industry-wide code auditing standards, formal models (rigorous mathematical processes for verifying code) and code-checking software known as proof assistants.