Crypto Hacks Are Down and Hackers Tend to Return Stolen Money: TRM Labs Report

The sanctions against Tornado Cash, as well as last year's arrest of the Mango Markets infiltrator, motivate hackers to return their loot, researchers believe.

May 22, 2023 at 9:41 p.m. UTC
Updated May 26, 2023 at 2:53 p.m. UTC

Hackers stole around $400 million from crypto projects during 40 attacks in the first three months of 2023, blockchain intel firm TRM Labs said in a new report.

This is a 70% decline from Q1 of 2022.

The average hack size also got smaller, according to TRM, from $30 million in 2022 to $10.5 million for the same period in 2023.

Hackers also increasingly return the money they steal, settling for a “white hat” reward from the exploited projects. Hack victims got almost half of the stolen funds back in 2023, TRM Labs estimates.

For example, an attacker who exploited the TenderFi protocol returned half of the $1.6 million he got out of the attack (TenderFi paid an $850,000 bounty in return). Similarly, the hacker behind the Euler lending protocol exploit also agreed to return all the $200 million worth of crypto he ran away with. Both hacks happened in March. In April, the hacker who drained the Safemoon protocol returned $7.1 million of crypto, keeping the rest of his $9 million loot.

A possible explanation might be increasing regulatory attention to crypto hacks and a number of high-profile enforcement cases, TRM Labs suggests. First of all, crypto exchanges are ramping up their KYC/AML policies, making it harder to cash out stolen coins. At the same time, the ETH mixing protocol Tornado Cash, which has been one of the most popular money laundering tools for Ethereum so far, has been under U.S. sanctions since August 2022, which automatically blacklisted all Tornado-related funds for any regulated exchange.

Also, the case of Avraham Eisenberg, who became the first person known to be arrested for a DeFi exploit, might be serving as a warning sign. Eisenberg exploited the Mango Markets protocol and publicly admitted it, revealing the protocol’s vulnerability. He was arrested in Puerto Rico in December.

“The ability to trace and track stolen funds has just gotten better and better – not just by investigators using blockchain intelligence like TRM, but by sleuths on Twitter using open source tools – and has created an environment where hacked funds are being tracked publicly in real time,” said TRM Labs’ head of legal and government affairs Ari Redbord.

“Malicious hackers are increasingly having difficulty off-ramping funds and are therefore settling for bug bounties. We are also seeing so-called ‘white hat’ hackers become more and more a part of the ecosystem and could be a helpful way for DeFi services to harden cyber controls,” Redbord added.

DeFi hackers have returned stolen funds before; examples include the Defrost Finance and Nomad Bridge hackers in 2022, Poly Network in 2021 and dForce in 2020.

In March, Crystal Blockchain estimated the overall hacks and scams toll at $119 million. DeFi protocols remain attackers’ favorite target, as complex smart contracts often prove prone to manipulation. According to Chainalysis, DeFi exploits accounted for 82% of all crypto stolen in 2022.

Edited by Ben Schiller.


Anna Baydakova

Anna Baydakova was CoinDesk's investigative reporter with a special focus on Eastern Europe and Russia. Anna owns BTC and an NFT.

