Almost as many cryptocurrencies have been stolen this year as in all of 2021, according to a new analysis.
According to blockchain market analysts at Chainalysis, thieves and fraudsters stole $3200 billion in various cryptocurrencies last year. But in the first four months of 2022, €2.9 billion worth of crypto was already stolen, with roughly one major theft every week.
The volume of crypto heists has not necessarily changed, but the attacks are becoming more devastating, in part due to the growing popularity of decentralized finance (DeFi) projects and the amount of money invested in these projects.
Target emerging projects
DeFi describes an ecosystem of financial applications that are based on the blockchain. They offer services similar to those available in traditional banks, but are based on peer-to-peer systems. With DeFi, people can apply for loans or earn a return on their investments.
However, since many of these projects are yet to be fully tested and approved, they are quickly becoming a playground for cybercriminals and scammers.
The latest attack hit Beanstalk, an Ethereum-based stablecoin algorithmic protocol launched in August. The scammer managed to siphon off €182 million in digital assets.
Incidents like this highlight the importance of code checking and audits. Even projects whose code has been audited by third parties can end up being abused.
Speaking to The Wall Street Journal, Max Galka, CEO of crypto-forensics firm Elementus, said the hacker was following the rules established by Beanstalk.
“Everything this guy did was up to code,” Galka said.
However, the attacker managed to find a flaw in the code. With the help of a flash loan from another DeFi service (a flash loan is similar to a "normal" loan, but the whole process happens almost instantly), he managed to buy enough native Beanstalk governance token to gain absolute voting power.
With that power, he voted to withdraw all the funds found in the protocol and, after repaying the quick loan, walked away with the difference. Whether or not affected customers will be refunded remains to be seen.
If criminals don't look for loopholes in the code, they try to trick people into revealing their passwords, secret keys, and other credentials, or install keyloggers or other malicious software. By assuming the identity of a trusted third party, they often try to trick people into thinking that they urgently need to fix the problem so as not to lose their funds.
Via The Wall Street Journal