Crypto Crimes — Summer 2023 Report

While the crypto market slumbered through the summer, crypto crime activity reached its highest level of the year!

No less than 171 crimes were reported in three months, resulting in a total loss of $1.08 billion, of which $128.3 million was recovered.

110 of these cases involved fraud, scam projects, exit scams or Ponzi schemes, totaling half a billion dollars in losses and further draining an already liquidated and bone-weary Web3 community.

Almost 100 rug pulls (exit scams) took place, once again proving that summer is the season for rug-pulling: scammers capitalize on the community's absence while it enjoys life and "touches grass", and execute their rug pulls in near silence and indifference.

While some dreamt of a "DeFi Summer", they were instead served a hack-filled DeFi meltdown. This summer saw DeFi protocols and actors fall victim to smart contract exploits, flash loan attacks, reentrancy attacks and private key compromises every other day.

The three biggest summer hacks, Multichain, Atomic Wallet and Vyper x Curve Finance, alone resulted in an initial loss of $425.5 million, of which $121.4 million was thankfully recovered.

These three hacks stood out due to the circumstances surrounding them!

Multichain

At the beginning of July, in less than a week, Multichain fell victim to two unexplained hacks that siphoned $130 million and $107 million respectively.

A few days later, on July 14, the developers of Multichain, the $1.5-billion Chinese cross-chain protocol, announced that its CEO, Zhaojun He, had been arrested by Chinese authorities during an anti-money-laundering operation back in May. Multichain had repeatedly denied this rumor in the past, dismissing it as "FUD". The core team was arrested as well.

Unfortunately for Multichain users, the decentralization claims were just that: claims. The protocol's multi-party computation (MPC) servers and private keys turned out to be under the exclusive control of Zhaojun, who allegedly used a fake ID to register Multichain's operations. MPC only removes the single point of failure when the key shares are held by independent parties; when one operator runs every node, the scheme is a single key with extra steps. With the CEO and team behind bars, the protocol had to shut down.

Today, the $1.5 billion in total value locked on the Multichain bridge remains inaccessible.

The Multichain debacle forced the shutdown of multiple Web3 actors, including Geist Finance, Hector Network, and SpiritSwap.

Also of note, in their Multichain hack analysis, Rekt News theorized that “plausible methods of gaining access include a back-end breach, obtaining private keys via spear phishing, or the actions of a malicious insider.”

Atomic Wallet

On June 3, Atomic Wallet, a multi-chain non-custodial wallet, lost $115 million to an exploit whose root cause has not been disclosed; funds were siphoned directly out of users' wallets.

What makes this hack stand out is not the absence of a post-mortem three months after the incident, although that deserves noting, but that Atomic Wallet was the latest victim of the North Korean state-sponsored hacking group Lazarus!

The Lazarus Group has become the crypto boogeyman, having wiped out almost $1 billion from the crypto space since the beginning of its activities. Besides Atomic Wallet, the group had a busy summer: it successfully targeted the crypto payment processor Alphapo for $60 million and the crypto payment platform CoinsPaid for $37.3 million!

Regardless of Lazarus's involvement, 50 of the victims have announced their intention to take Atomic Wallet to court, alleging that the company failed to share adequate information about the hack both during and after the crisis; some openly accuse it of not reporting the hack to the police.

Vyper x Curve

On July 31, Curve Finance suffered a $73.5 million hack, as reported by PeckShield. The funds were drained from pools used by several DeFi protocols that rely on Curve for the liquidity of their ETH-pegged assets, such as Alchemix and JPEG'D.

The root cause was not in Curve's own code but in Vyper, the Python-like smart contract language the affected pools were written in. Vyper versions 0.2.15, 0.2.16 and 0.3.0 miscompiled the @nonreentrant decorator: functions declared with the same lock key did not actually share a lock, so a contract could not be re-entered through the same function but could be re-entered through a different guarded function during an external call (for example during the raw ETH transfer in remove_liquidity). Any contract compiled with those versions was exposed, which is why the practical check is the compiler version in the verified source, not the presence of the decorator.
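To make the failure mode concrete, here is an added simulation that is not code from the report, from Curve or from the Vyper compiler. It models, in plain Python, a pool with two guarded functions and two lock layouts: one lock slot per key (what the decorator is supposed to do) and one lock slot per function (the defective layout in the affected releases). The pool, the LP pricing and the attacker's numbers are constructed for the illustration and are not the Curve figures.

```python
"""Cross-function reentrancy through a broken @nonreentrant lock (simulation).

Added example, not code from the report or from Curve or Vyper. It models in
plain Python the class of defect in Vyper 0.2.15, 0.2.16 and 0.3.0: functions
sharing a @nonreentrant("lock") key were given separate lock slots, so the lock
stopped a function re-entering itself but not a fallback entering a *different*
guarded function mid-transaction. All pool numbers are constructed.
"""
import copy
from typing import Callable, Dict


class Reentered(Exception):
    """Raised when a guarded function is entered while its lock is held."""


class Pool:
    """Single-asset pool. shared_lock=True: one slot per key (correct).
    shared_lock=False: one slot per (key, function), the defective layout."""

    def __init__(self, shared_lock: bool) -> None:
        self.shared_lock = shared_lock
        self.locks: Dict[str, bool] = {}
        self.balance = 0        # internal ETH accounting
        self.eth_held = 0       # ETH the contract really holds
        self.lp_supply = 0
        self.lp_of: Dict[str, int] = {}
        self.deposited: Dict[str, int] = {}
        self.withdrawn: Dict[str, int] = {}
        # Receiver fallbacks, run when the pool sends ETH (like a raw_call).
        self.fallbacks: Dict[str, Callable[["Pool", int], None]] = {}

    def _acquire(self, key: str, fn: str) -> str:
        slot = key if self.shared_lock else f"{key}/{fn}"
        if self.locks.get(slot):
            raise Reentered(f"{fn} entered while '{key}' is held")
        self.locks[slot] = True
        return slot

    def add_liquidity(self, sender: str, amount: int) -> int:
        slot = self._acquire("lock", "add_liquidity")
        try:
            self.eth_held += amount
            self.deposited[sender] = self.deposited.get(sender, 0) + amount
            # Mint at the current share price. A stale lp_supply (LP not yet
            # burned by an in-flight remove_liquidity) over-mints.
            minted = amount if self.lp_supply == 0 else amount * self.lp_supply // self.balance
            self.balance += amount
            self.lp_supply += minted
            self.lp_of[sender] = self.lp_of.get(sender, 0) + minted
            return minted
        finally:
            self.locks[slot] = False

    def remove_liquidity(self, sender: str, lp_amount: int) -> int:
        slot = self._acquire("lock", "remove_liquidity")
        try:
            if self.lp_of.get(sender, 0) < lp_amount:
                raise ValueError("insufficient LP")
            eth_out = lp_amount * self.balance // self.lp_supply
            self.balance -= eth_out
            self.eth_held -= eth_out
            self.withdrawn[sender] = self.withdrawn.get(sender, 0) + eth_out
            fallback = self.fallbacks.get(sender)
            if fallback is not None:          # external call before the burn
                fallback(self, eth_out)
            self.lp_of[sender] -= lp_amount   # state update after the call
            self.lp_supply -= lp_amount
            return eth_out
        finally:
            self.locks[slot] = False


def transact(pool: Pool, call: Callable[..., int], *args: object) -> bool:
    """Run one call with EVM atomicity: a Reentered revert restores all state."""
    saved = copy.deepcopy(pool.__dict__)
    try:
        call(*args)
        return True
    except Reentered:
        pool.__dict__.update(saved)
        return False


def run_attack(shared_lock: bool) -> Dict[str, object]:
    """Honest LP and attacker hold 100 LP each. The attacker removes 100 and,
    in the ETH fallback, re-enters add_liquidity with 200 while lp_supply is stale."""
    pool = Pool(shared_lock)
    pool.add_liquidity("honest_lp", 100)
    pool.add_liquidity("attacker", 100)

    def reenter(p: Pool, _received: int) -> None:
        p.fallbacks.pop("attacker", None)     # fire once
        p.add_liquidity("attacker", 200)      # the *other* guarded function

    pool.fallbacks["attacker"] = reenter
    reentered = transact(pool, pool.remove_liquidity, "attacker", 100)
    pool.fallbacks.pop("attacker", None)
    pool.remove_liquidity("attacker", pool.lp_of.get("attacker", 0))
    honest_value = pool.lp_of["honest_lp"] * pool.balance // pool.lp_supply
    return {
        "reentry_blocked": not reentered,
        "attacker_profit": pool.withdrawn["attacker"] - pool.deposited["attacker"],
        "honest_lp_loss": 100 - honest_value,
    }


def same_function_reentry_blocked(shared_lock: bool) -> bool:
    """Even the defective layout guards a function against itself; only
    cross-function entry slips through."""
    pool = Pool(shared_lock)
    pool.add_liquidity("attacker", 100)
    pool.fallbacks["attacker"] = lambda p, _r: p.remove_liquidity("attacker", 1)
    return not transact(pool, pool.remove_liquidity, "attacker", 50)


if __name__ == "__main__":
    print("per-function lock:", run_attack(shared_lock=False))
    print("shared lock      :", run_attack(shared_lock=True))
```

With the per-function layout the fallback's add_liquidity goes through, the attacker mints LP against a supply that has not yet been reduced, and the honest LP ends up paying for it even though the pool's books balance afterwards; with the shared lock the same call raises and the whole transaction reverts. The simulation ignores gas, fees and the real Curve invariant, and the point it carries over is the audit check: a reentrancy guard is only as good as the compiler that emits it, so pin the Vyper version and verify it on deployed contracts.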

In the aftermath, DeFiLlama data showed that total value locked (TVL) across DeFi fell by at least $3.21 billion in the week following the hack, shaking the entire ecosystem.

The damage was partially mitigated by a $5.4 million white-hat front-run carried out by the MEV bot operator "c0ffeebabe", who returned the funds, and by negotiations with the hacker(s), which resulted in the return of $52.3 million in stolen funds.

However, the story doesn’t end here.

Members of the web3 community, as well as Curve founder Michael Egorov, have pointed fingers at the security firm BlockSec.

Four hours after the hacker(s) drained three liquidity pools on Curve in the initial exploit, BlockSec worked out that the exploit was due to a Vyper compiler vulnerability and that the much larger CRV/ETH liquidity pools were exposed to the same flaw.

Despite trying to alert Curve through various channels, they did not get through.

BlockSec’s CEO mentioned that they decided to share on X (Twitter) what they knew about the previous hack and the risk of a more significant impending exploit to warn potential future victims.

Two hours after their post, the hacker(s) struck again using the same modus operandi. Critics accuse BlockSec of inadvertently handing copycat attackers the information they needed, ultimately resulting in Curve's substantial losses.

The two sides are going back and forth with their own set of rather sound arguments about what took place that day.

However, stepping away from the blame game, it is evident that this situation could have been prevented if blockchain security firms and DeFi actors had established effective communication channels for crises — a web3 equivalent of a red phone, so to speak: a published security contact per protocol and an agreed private channel for coordinated disclosure, so that the choice is never between silence and a public post.

That BlockSec had to resort to Twitter to try to notify Curve about a multi-million-dollar vulnerability falls short of the security standards the web3 ecosystem rightfully demands.

Rather than a subject of controversy and dispute, this unfortunate state of affairs should be an opportunity for the whole ecosystem to sit down together and build the tools that protect web3 users and actors.

While there are numerous topics we could discuss regarding the extreme levels of criminal activity witnessed this summer, there is one in particular we would like to address before concluding this report.

It may look like the least impactful and noteworthy story of all that has transpired. But because it concerns the most vulnerable web3 users, and because it is a wholly avoidable ailment that has no business still afflicting the community in 2023, it deserves a mention.

This rather lengthy introduction brings us to SIM swapping.

Yes, you heard that correctly!

Crypto investigator ZachXBT has reported that in the last four months at least $13.3 million has been lost in 60 hacks of crypto Twitter accounts, all tied to accounts protected with Twitter's SMS 2FA.

SMS 2FA is what made these SIM swaps pay off: the attacker convinces or bribes a carrier employee to port the victim's phone number to a SIM the attacker controls, after which the SMS codes used for login verification and password resets arrive on the attacker's handset. With that, they took over the Twitter accounts of prominent crypto figures and companies and posted links to wallet drainers.

This issue has been known for years, and it has been quite frustrating for web3 users and blockchain security experts who have tirelessly warned members of the community about the risks of using SMS 2FA.

These past months have been particularly absurd in this regard.

Every few days a SIM swap-Twitter hack occurred, prompting the entire community to call for the end of SMS 2FA; a few days later yet another Twitter hack took place, and the cycle repeated, as ZachXBT's records show.

Source: ZachXBT

It was frankly half farcical and half depressing.

So, dear web3 actors and companies still relying on SMS 2FA: please stop using it, and move to an authenticator app or a hardware security key. Let's protect web3 users from scammers!

See you all next month for another crypto crime report.

Until then, stay safe!

About us

Nefture is a Blockchain Security Company that secures crypto transactions!

With Nefture Security, you can get your Wallet security audit for free. Plus, enjoy the added peace of mind that comes with immediate alerts on new wallet approvals, as well as a monthly security report!

Check if your wallet is compromised now: https://www.app.nefture.com/
