The year 2020 changed the world. After the initial shock from the pandemic and the ensuing market crash, people adapted to a new ‘isolation reality’. One of the most significant changes in daily life was the widespread shift to remote work.
Against this backdrop, cybercrime rose significantly. Researchers forecast that the number of attacks will continue to rise.
The cryptocurrency community and companies have long been in hackers’ crosshairs. According to analysts’ data, as of October the blockchain industry had lost more than $13.6 billion to attacks since 2012.
Unfortunately, hacks of Bitcoin exchanges and wallets are far from new for the industry. According to CipherTrace estimates, by November attackers had stolen almost $100 million from DeFi protocols.
We recount the major hacks of 2020, in which users lost millions of dollars, and some firms even shut down.
- The largest hack of the year was the attack on the cryptocurrency exchange KuCoin.
- Most often in 2020, DeFi protocols faced attacks, with several subjected to flash loan exploits.
- Beyond protocol and platform hacks, cybercriminals actively traded user data.
KuCoin — one of the biggest hacks in industry history (loss — $280 million)
The September attack on the KuCoin cryptocurrency exchange was one of the biggest hacks in industry history.
Initially the loss was estimated at $150 million, but analysts later revised it to $280 million. The KuCoin hackers laundered funds through mixers and the decentralized exchange Uniswap.
By November KuCoin had returned a large portion of the stolen funds to users and restored deposits and withdrawals of assets.
The ill‑fated hacker and dForce (loss — $25 million)
In April, a hacker attacked the DeFi protocol dForce. At the time of the theft, the amount stood at almost $25 million.
It turned out he exploited a vulnerability in the imBTC token of the ERC-777 standard and a critical vulnerability in the Lendf.me smart contracts responsible for updating user balances. In addition to the damage to dForce, the hacker drained all tokens from Lendf.me (291 imBTC or $2 million at the time of the attack).
However, the attacker made a fatal (for him) mistake — carelessly exposing his identifying details by directly contacting decentralized exchanges without using IPFS.
As a result, Singaporean authorities took an interest in the hacker, and he had to return all the stolen funds.
Harvest Finance: “engineering error” costing almost $20 million (loss — $19.8 million)
In October, an attacker stole $19.8 million from Harvest Finance. It took seven minutes to move the funds. The hacker later returned $2.47 million. The developers pledged to distribute the returned funds among users and offered a $1 million reward for help recovering the rest.
The project representatives attributed the attack to an “engineering error.”
The end of Pickle Finance’s standalone life (loss — $19.7 million)
A major loss resulted from an attack on another DeFi project, Pickle Finance. Hackers stole more than $19 million. The project’s token collapsed and shortly after the hack Pickle Finance announced a merger with yEarn.Finance.
Eminence: another André Cronje project in the spotlight (loss — $15 million)
In September, a hacker withdrew $15 million from the unfinished DeFi project Eminence. Its launch was led by the well-known DeFi developer André Cronje.
Subsequently the hacker returned $8 million to Cronje.
Serial attacks on bZx (loss — $11.6 million)
The DeFi platform bZx suffered multiple hacks over the year. In February, attackers withdrew 1193 ETH. A few days later, bZx was hacked again and another 2388 ETH was stolen.
Another attack occurred in September. The total damage amounted to more than $11.6 million at the time of writing.
EXMO loses 6% of funds (loss — $10.5 million)
In late December, hackers breached the cryptocurrency exchange EXMO. Initially it was reported that about 5% of total assets were lost, but the exchange later clarified that 6% had been lost.
Estimated losses totaled $10.5 million.
Hacker-blackmailer and Nexus Mutual founder Hugh Karp (loss — $8 million)
Beyond exchanges and DeFi projects, individuals also attracted hackers’ attention. In December, an attacker drained more than $8 million in NXM tokens from the personal wallet of Nexus Mutual founder Hugh Karp.
Karp reached out to the hacker via Twitter, offering a $300 000 reward and a stop to the investigation in exchange for the return of funds. The hacker replied, but did not agree to return the funds for nothing. He said he would not sell the tokens until the price rose or until Karp transferred 4500 ETH to his address.
“Black Thursday” for MakerDAO (loss — $8 million)
Against the backdrop of the March market crash, attackers drained more than $8 million from MakerDAO.
Investors filed a class action lawsuit against Maker Foundation and several affiliated entities. The Maker Foundation published a report on the incident, but MKR holders declined to compensate losses to collateral holders in MakerDAO.
In September, the class action was forwarded to arbitration.
Origin Dollar attack (loss — $7 million)
On the night of 17 November, a hacker breached the Origin Dollar stablecoin network and moved more than $7 million.
To launder and move the funds he used the Tornado Cash mixer and renBTC.
By December, the Origin Protocol team presented a plan to compensate users for losses.
Here’s our detailed compensation plan for $OUSD holders. We appreciate everyone’s patience as we worked to develop a detailed plan for providing compensation equal to 100% of the value deposited to OUSD at the time of the exploit.
👉 https://t.co/x0NLrBduFP
— Origin Protocol (@OriginProtocol) December 12, 2020
Value DeFi and the conscientious hacker (loss — $6 million)
As a result of the attack on MultiStables storage, an unknown person withdrew $6 million in the stablecoins DAI and USDC from Value DeFi. He used a flash loan. Attacks of this kind also affected the DeFi projects Akropolis, Cheese Bank and warp.finance this year.
Developers proposed that the hacker keep $1 million and return the rest. The attacker ignored the offer, but partially reimbursed users.
For instance, the hacker returned 50,000 DAI to a nurse who said she had lost all her savings.
Hacked Eterbase (loss — $5.3 million)
In early September, hackers breached the Slovak cryptocurrency exchange Eterbase. The platform reported losses of user funds in BTC, Ethereum, Tron, XRP, Tezos and Algorand totaling more than $5.3 million.
Most of the funds were transferred to Binance, Huobi and HitBTC.
Bitcoin wallets under threat — attack on Cashaa (loss — $3.1 million)
One of Cashaa’s bitcoin wallets was hacked in July. The hacker withdrew 336 BTC. At the time of the breach the loss was estimated at $3.1 million, which by December 2020 stood at more than $7.5 million.
***
This is not a complete list of hacks that occurred in 2020.
In February, the cryptocurrency exchange Altsbit was hacked. Although the stated loss seems relatively small ($285,000), the exchange was forced to shut down.
In the summer, Balancer and Opyn were hacked. Hackers also attacked crypto platforms hosted on GoDaddy, stole 1400 BTC from an investor who was using an old version of the Electrum wallet and, according to media reports, hacked 2000 accounts of a Robinhood-friendly platform.
Attackers also actively traded user data: by year-end, data on millions of Ledger wallet users was publicly exposed. Before that, Ledger users had suffered phishing attacks.
Will cybercriminals intensify attacks on the crypto industry in 2021? Experts say yes. Yet leading crypto projects are not waiting passively for hacks — they are devoting more time to security, and researchers publish reports and recommendations on protection and countermeasures.
Ultimately, those that prioritise protecting funds and user data will capture a larger market share.
