More than $14.5 billion in crypto has been lost to hacks and scams since 2011, and DeFi (decentralized finance) is attackers’ new favorite target, says analytics firm Crystal Blockchain.
In the past 11 years, there have been 167 hacks of DeFi protocols and 123 security breaches on centralized exchanges, according to Crystal's new report. While breaching centralized platforms accounted for over $3.2 billion in crypto stolen, more than $4 billion was funneled out of exploited DeFi projects. The remaining billions were lost to scammers.
Since 2021, hackers’ attention has shifted notably toward decentralized protocols. This year, decentralized projects have been hacked 20 times more often than centralized ones, the report says, and funds stolen from the top 10 DeFi attacks exceeded $2.5 billion.
The main reason for the acceleration of attacks on DeFi projects is the sector’s growth, Nick Smart, Crystal’s director of blockchain intelligence and data, told CoinDesk. While projects are rushing to market with insufficient testing, centralized exchanges are improving their security, he said, bowing to user demand and heightened attention from regulators.
“There is a saying that nothing is unhackable – all you need is enough time, talent and creativity and you'll get there,” Smart said. “And some illegal hacking groups, like nation-state-backed ones such as North Korea's Lazarus, are very effective and very focused on exploiting such opportunities.”
“The most popular method of crypto-theft until 2021 was the infiltration of crypto-exchange security systems – currently the tendency has moved to DeFi hacks,” the report says. “CEX hacks are currently causing the least amount of financial damage.” The largest-ever hack of a CEX (centralized exchange) is the 2018 Coincheck breach in which $535 million of NEM tokens were stolen.
The largest DeFi attack was March’s Ronin network hack, when more than $650 million's worth of crypto was funneled from the popular Axie Infinity NFT (non-fungible token) game and laundered through the Tornado Cash mixer. The service received around 350,000 ether (ETH) in the first half of 2022, which is more than half of all ETH that ever went through Tornado Cash, according to Crystal.
In addition to hacks, the crypto market has seen some 74 fraudulent schemes blow up since 2011, leading to more than $7.3 billion going to scammers, according to the report.
Another surging kind of crypto crime comes in the form of so-called rug pulls, whereby a project’s founders either run away with users’ money or dump the token they created on the community. Rug pulls became the most popular kind of fraud in 2022, Crystal said. Out of 36 cases of fraud, 34 were associated with rug pulls, mostly on Binance Smart Chain (BSC), a blockchain network run by major global centralized exchange Binance. Twenty-three rug pulls out of 34 happened on BSC, Crystal said.
But in dollar terms, the most money has been stolen on the Ethereum blockchain – probably because it’s the most popular DeFi platform overall. It’s followed by Solana, Binance Smart Chain, Fantom and Polygon, Crystal said.
On Ethereum, $31 million's worth of crypto had been stolen through scams and rug pulls, along with $26 million on Binance Smart Chain, $10 million on Solana and $2 million on Fantom.