Hackers eyeing the blockchain with a loss of more than $20 billion in ten years

Technology does not understand right and wrong, and blockchain hacking incidents have never ceased.

In the blockchain world in 2021, the bright side is thriving, and the dark side is also developing steadily.

According to incomplete statistics from SlowMist Hacked, there will be frequent security incidents in the blockchain world in 2021, far exceeding previous years in terms of quantity, danger, amount of money involved, and impact scale. Among them, there will also be rare “white hat hacking” incidents, giving people The safety alarm bell was sounded.

The so-called “white hat hacker” refers to a group of people who maintain network security by using the hacker’s usual method of sabotage and attack, as opposed to “black hat hackers”. However, the most famous “white hat hacker” in 2021 did not obtain permission before the attack, and the amount involved was as high as 600 million US dollars, but in the end, the hacker returned the stolen assets in full, and Poly Network also gave up its legal responsibility. .

Technology does not understand right and wrong, and blockchain hacking incidents have never ceased. Exchanges, wallets, public chains, various ecological DApps, DeFi projects… Which one is the core of hackers’ attention? 

$600 million in assets stolen and returned, hackers said “just want to remind”

In August 2021, an anonymous hacker attacked Poly Network (heterogeneous cross-chain protocol), adding $250 million, $270 million, and $8500 to Ethereum, BSC (Binance Smart Chain), and Polygon (Ethereum side chain). Ten thousand dollars of encrypted assets were quietly transferred, with a total amount of up to 610 million dollars, and the whole process took 34 minutes.

However, with the containment of all parties, the hackers returned most of the stolen assets within the next 12 days, claiming that they were not interested in money, and the label “white hat hacker” was born.

610 million US dollars, this is not only the largest hacking incident in the history of DeFi, but also the largest hacking incident involving the entire cryptocurrency history, surpassing the famous Mt. case (523 million XEM, about $534 million at the time).

In the face of such a large-scale security incident, the “parties” did not dare to slack off. Poly Network distributed a document at 8:38 p.m. that day, announcing its attack to the outside world, posting the specific address of the hacker on different chains, calling on miners and trading Any help to stop the transactions initiated by the hacker address.

Hackers eyeing the blockchain with a loss of more than  billion in ten years

(Image sourced from Poly Network Twitter screenshot)

Changpeng Zhao, CEO of Binance, Jay, CEO of OKex, and others have successively expressed their support. Paolo Ardoino, CTO of Tether, the issuer of stable currency USDT, also stated that Tether has frozen the hacker’s address of 33 million USDT.

Despite the siege, the hackers still used various means to quickly mix the currency (that is, a transaction included a large number of inputs and outputs, and the connection between the input and output was actually separated and difficult to trace), and on the same day, they exchanged USD 97.06 million USDC through Curve. For DAI, he used the Curve fork project Ellipsis Finance to mix nearly 120 million US dollars on BSC.

According to the situation news report, on the day of the incident, the Poly operator team worked all night. In addition to the pressure of the huge amount of assets being stolen, the endless conjectures in the encryption community also made it thorn in the back. Security researchers Mudit Gupta, founder of Primitive Ventures Partner Dovey Wan and others have successively issued articles suggesting the possibility of an “internal attack”, and some even speculated that Poly “directed and acted”.

On the day of the incident, a “good person” sent a transaction to the hacker’s address, leaving a message to remind him that USDT had been blacklisted, and the hacker returned a gift of 13.5ETH (about 42,495.84 US dollars). ).

The “Road to Get Rich” started, and a large number of “melon-eating people” flocked here. Some talked about projects and investments, some talked about dreams, and asked for tuition fees. Some people let hackers “pull” their own coins, and even more Those who directly worship the teacher and recognize the big brother.

Hackers eyeing the blockchain with a loss of more than  billion in ten years

But just as the onlookers watched the excitement, the event reversed.

The day after the incident, the hacker who attacked the Poly Network took the initiative to show up on Etherscan, expressing his willingness to return the stolen assets through the on-chain transaction remarks, and asking the Poly project to provide him with a multi-signature wallet.

“Why refund?”

“I’m not very interested in money,” replied the hacker. “Acquiring so much wealth is a legend, and saving the world is an eternal legend.”

On August 11, 2021, the hackers returned $4.7 million worth of assets, including $1 million in UCDC, $1.1 million in BTCB, and $2.6 million in other assets. Later on the same day, the hacker returned nearly 120 million BUSD, 26,600 ETH, and 1,000 BTCB to the collection address left by the Poly Network team on the Binance Smart Chain, with a total value of about $250 million.

In the next 12 days, the hackers gradually returned all the stolen encrypted assets on BSC, Ploygon, and Ethereum. The public opinion on this matter also changed from shock and criticism of the stolen incident to the blockchain. Cybersecurity concerns.

On August 13, 2021, F2Pool co-founder, Cobo co-founder and CEO Shenyu published a blog post, calling Poly Network’s attackers the guardians of network security – “white hat hackers”, and also said that they would build in Cryptovoxels Regarding the monument commemorating the Poly Network event, thanks to all participants. Then, Poly Network also announced the main network upgrade, and invited the previous attacker to be the chief security consultant of Poly Network.

Where there is money, there are hackers

Looking back, the “white hat hacker” incident occurred on the basis of the breach of the cross-chain protocol, and the follow-up loopholes also involved the Ethereum public chain, Polygon ecology, stable currency USDT, etc. Under the blockade and siege of leading companies, they can quickly mix coins and transfer stolen assets. The security risks presented in this are worthy of the vigilance of the encryption world.

According to incomplete statistics from SlowMist Hacked, there will be 236 blockchain security incidents that will be disclosed in the entire blockchain ecosystem in 2021, with losses exceeding $9.886 billion. Among them, there were 127 security incidents such as ecological DApp and DeFi, accounting for the vast majority. In addition, there were 14 exchange security incidents, 8 public chain security incidents, 3 wallet security incidents, and 84 other types of security incidents (the project party ran road, etc.).

Hackers eyeing the blockchain with a loss of more than  billion in ten years

It can be seen from the above data that the DApps, DeFi projects, and exchanges of various ecosystems are the hardest hit areas for hacker security incidents in the blockchain world in 2021.

A senior industry security person told Lianxin that a large amount of funds are gathered in cryptocurrency exchanges, with complex personnel and fragile defenses. Users lack sufficient security awareness and are prone to security loopholes, whether from the point of view of weakness or profit. From the above, they are all “sweet pastries” that hackers cannot ignore, and stealing coins in the form of attacking exchanges’ cold/hot wallets will be a significant feature in 2021.

In February 2021, hackers stole about $1.96 million in Xtake through access to a cold wallet controlled by New Zealand exchange Cryptopia liquidator Grant Thornton, which had been dormant since January 2019. On August 19 of the same year, the Japanese crypto trading platform Liquid also had its hot wallet stolen, with a total loss of about $91.35 million.

In addition to exchanges, wallets that pool funds are also attractive to hackers, which leads to an endless stream of wallet leak security incidents in 2021. According to AML’s November report, tens of thousands of fake wallet apps have been stolen, with losses of up to $1.3 billion.

In addition to exchanges, it is worth mentioning that there are public chain attacks. Starting from August 2021, BSV was attacked by 51%, nearly 100 blocks were reorganized, and then the ETC mainnet suffered a fork due to the Ethereum client Geth vulnerability, and then the Solana mainnet beta version also suffered a denial of service attack. , the network is offline for 17 hours.

But whether it is a public chain, a wallet, or an exchange, they cannot compare to DeFi, DApp, NFT and cross-chain parts in terms of the amount involved, the number of attacks, and the scope of influence, and this part was also the most frequent hacker attack last year. field.

Since the birth of DeFi, it has been accompanied by countless risks. In recent years, the value of many DeFi projects has been exponentially doubling, and hacking incidents have intensified. Flash loan attacks, contract loopholes, compatibility or architectural problems, private key leaks or front-end attacks, internal crimes… There are many kinds of routines in DeFi, which are astounding.

In 2021, the ETH ecosystem SushiSwap was attacked twice, and a high-risk vulnerability appeared in the SIL.Finance contract. In the BSC ecosystem, Cream Finance was attacked by flash loans three times, with a cumulative loss of more than 187 million US dollars. The EOS ecological flash.sx flash loan smart contract suffered a “re-entry” attack. In the Polygon ecosystem, the income farming protocol PolyYeld Finance project contract is used. In addition, DDEX code backdoor incidents have also occurred in the HECO ecosystem.

Security incidents frequently occur in the “DeFi, DApp, NFT and cross-chain” section. This phenomenon will not only occur in 2021. According to the observation of “Lianxin”, this law has appeared since the number of security incidents soared in 2018, and even continued to 2022.

$23.9 billion in losses over ten years

From 2008 to 2022, hacking incidents such as maggots attached to bones followed the development of the blockchain and grew stronger day by day.

According to SlowMist Hacked data, since 2012, there have been 610 public blockchain security incidents in the global blockchain ecosystem, with a total loss of approximately US$23.878 billion. Divided by age, there have been obvious periodic changes after 2018, and both the number and the amount involved have doubled compared to the previous period.

Hackers eyeing the blockchain with a loss of more than  billion in ten years

According to the survey data of blockchain security companies PeckShield and BCSEC, in 2018, the number of blockchain security incidents was as high as 138, resulting in economic losses of 2.238 billion US dollars, of which the Ethereum public chain and EOS public chain bear the brunt, followed by Exchanges, wallets.

Among them, there were more than 54 incidents on the Ethereum public chain, such as “BEC US chain was attacked by hackers, evaporating 900 million US dollars in one day”; there were more than 49 security incidents on the EOS public chain, most of which originated from the DApp ecological outbreak (August-November). ) caused by random numbers, false notifications, transaction rollbacks and other attacks, the direct economic loss was as high as 747,000 EOS.

In contrast, although there have been more than ten exchange attacks, only two cases of “theft of Japan’s Coincheck exchange” on January 26, 2018 and “Binance exchange by hackers and phishing” on March 7 of the same year were affected. larger. There were only 3 BTC accidents, similar to the “BTC over-issue vulnerability” in September, which was fixed before causing harm.

On this basis, “Chain New” found that among the nine major security accident sites represented by public chains, exchanges, wallets, ETH ecology, BSC ecology, TRON ecology, EOS ecology, Ploygon ecology, and HECO ecology, EOS The ecology and ETH ecology are especially concerned by hackers, and the number of attacks on exchanges is relatively large. There were more than 356 security incidents in these three areas, and the amount involved exceeded 12.5 billion US dollars, accounting for more than 52.35% of the total.

Hackers eyeing the blockchain with a loss of more than  billion in ten years

The same pattern is also reflected in the “2020 Blockchain Hacking” series of reports released by the Atlas VPN team. The Atlas VPN team noted 47 successful attacks against ETH DApps in 2020, as well as 28 breaches on cryptocurrency exchanges.

The phenomenon of hacker attacks focusing on DeFi, DApp ecosystems, and exchanges will continue until 2022.

As of January 18, 2022, according to the statistics of SlowMist Hacked, there are 16 blockchain security incidents in 2022 disclosed by the global blockchain ecosystem, of which, except for 6 running events, all of them are security incidents of DeFi and DApp ecosystems. Exchange security incidents.

Under such circumstances, many authoritative organizations have issued reports to remind the cryptographic world to guard against hacker attacks and strengthen blockchain security. McAfee has previously issued the “Blockchain Threat Report”, stating that “blockchain is a revolutionary basis for decentralized online transactions, but there are security risks”. In March 2021, the China Academy of Information and Communications Technology also released the “Blockchain Security Capability Evaluation and Analysis Report”, pointing out the existing “ten security risks” in the blockchain, and repeatedly reminding the outside world to establish a sense of prevention.

Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/hackers-eyeing-the-blockchain-with-a-loss-of-more-than-20-billion-in-ten-years/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2022-01-18 23:03
Next 2022-01-18 23:06

Related articles