Hacks and breaches happen almost daily, and 2020 was undoubtedly, among many other things, the year of cryptocurrency and exchange hacks. As if the coronavirus pandemic didn’t do enough, the crypto world suffered the creative wrath of hackers as well. 2020 saw more hacks than any other year.
One would hope that as we move further, cryptocurrency exchanges would become more secure. But the unfortunate reality is that more exchanges are hacked every year. As cryptocurrency and exchanges remain largely unregulated, it is unclear who has jurisdiction over cryptocurrency markets.
The 5 names that top the list are:
The chart of the events compares the different hacks in terms of money lost. KuCoin tops the list with $275M lost, followed by Harvest Finance with $25M.
So if you are an investor or are simply curious to know about the scenario of crypto attacks that troubled the community in 2020, we have compiled them for you. There’s also a timeline of events to make it easier.
- Bitcoin Gold
Bitcoin Gold (BTG), a Bitcoin hard fork that aims to be GPU-mineable by using the Equihash algorithm, also known as “Zhash”, suffered a 51% attack. $70,000 worth of Bitcoin Gold was double-spent in the attack in January.
On Jan 23, 14 blocks were removed and 13 were added where 1,900 BTG worth about $19,000 was double-spent. Following that, on Jan 24, 15 blocks were removed and 16 blocks were added where 5,267 BTG worth approximately $53,000 was double-spent.
On Feb 12, Iota (MIOTA) suffered an attack targeting its official desktop wallet. The network went offline that very day and has remained down since. The founder of Iota, David Sønstebø, later stated that he will personally repay all 46 victims of the hack to the tune of 8.52 million MIOTA, worth roughly $1.97 million at the time of writing.
Feb 5 saw another crypto hack after which the Italian crypto exchange Altsbit announced that it will shut down in May 2020, after losing about $70,000.
According to the official statement, the hack caused Altsbit to lose 6.929 Bitcoin (BTC) and 23 Ether (ETH), among losses in other cryptocurrencies such as Pirate Chain (ARRR), VerusCoin (VRSC), and Komodo (KMD).
- OKEx and Bitfinex
On Feb 27, OKEx suffered a distributed denial of service (DDoS) attack at around 11:30 AM EST. The next day, at 4:30 AM EST, the DDoS resumed, taking Bitfinex in the wave as well. The attack routed 200 GBps of traffic and then increased it to 400 GB per second during the second wave. Fortunately, no funds were stolen during these attacks.
On Feb 14, a bug in bZx’s project was exploited, leading to a loss of $8.1 million. The attack focused on the protocol’s interest-earning iToken, which users obtain and redeem for crypto deposited into lending pools. As per the information, the hacker was able to take away 1.76 million USDT, 1.4 million USDC, 4507 ETH, 220k LINK tokens, and 670k DAI.
bZx was exploited yet again on Feb 18 with an estimated loss of 2,388 ether (ETH), i.e. nearly $645,000. The attack was an oracle manipulation attack, explained the co-founder Kyle Kistner.
- The YouTube Scam
On Mar 30, a hacker hijacked multiple YouTube accounts, renamed them to various Microsoft brands, and broadcast a cryptocurrency Ponzi scam to tens of thousands of users, posing as a message from the company’s former CEO Bill Gates.
On 19 April at 08:45 am, Chinese DeFi protocol dForce was exploited in a $24.95M hack that resulted in its Lendf.Me lending platform going offline. It has been estimated that dForce lost over 99.95% of locked funds in the attack.
On April 18 at 8:58 SGT, an attacker exploited a vulnerability with Uniswap and ERC777, a token of Uniswap Exchange, to perform a re-entrancy attack, stealing $300,000 and $1.1 million in imBTC tokens. At 12:12 on April 18th, the Tokenlon team studied the discrepancy, defined the incident as a P0-level security issue, and established an emergency response team.
- Hegic Exchange
Hegic made its debut on the mainnet on 23rd April 2020. Hours after going live, they said there was a bug in the smart contract. The bug locked user funds into expired options contracts, rendering them permanently inaccessible. Up to $48,000 worth of funds were forever locked up in the platform’s smart contract.
The Tokyo-based company Coincheck, in an official statement, said that attackers gained access to the DNS records for the coincheck.com domain at the firm’s third-party domain registrar, and were found to have altered the records to forward incoming emails to them. Coincheck stated that compromised emails could have exposed email addresses listed in the recipient and the information exchanged via the customer’s email.
On June 29, the Balancer automated market maker protocol was hacked for over $500,000 in a single ETH transaction, facilitated once again by a dYdX flash loan.
Upon analysis, it was observed that a few hours after the incident, a carefully crafted transaction taking more than 8 million gas, or about two-thirds of an Ethereum block, stole over $500,000 in Ether, Wrapped Bitcoin (WBTC), Chainlink (LINK) and Synthetix (SNX) tokens.
On July 11, fraudsters hacked into the digital payment platform of U.K.-based cryptocurrency exchange Cashaa, which serves Indian customers, and stole 336 Bitcoin (BTC), worth approximately $3.1 million. Following the attack, the company stopped all crypto-related transactions.
Cashaa suspects a piece of malware was installed onto the system that facilitated exchange transfers, such as user withdrawals. The malware notified the hacker when an employee logged into the account on July 10 and made two transfers from the wallet.
- The Twitter Scam
On 15 July, Twitter suffered a major breach, allowing hackers to post fraudulent tweets through 130 compromised accounts owned by a range of well-known individuals and corporations. Utilizing a common fraud technique known as a “giveaway scam”, these accounts were used to defraud around 400 victims of a total of $121,000 in bitcoin.
On July 31, a European cryptocurrency trading platform called 2gether was targeted by an unknown group of hackers. These hackers stole over 1.183 million Euros ($1.39M) from the service’s investment accounts in a cyberattack. As compensation for the stolen funds, the company offered customers its native 2GT token at a price equivalent to 5 cents each.
- Ethereum Classic
On August 1, a 51% attack impacted Ethereum Classic (ETC), resulting in approximately $5.6 million worth of the cryptocurrency being double-spent. A report published on August 5 revealed the extent of the incident, estimating that the attacker made off with 807,260 ETC.
On 5 Aug, DeFi risk-management platform Opyn was hacked via a “double-exercise” attack to the tune of roughly $371,000 USDC. The attacker took advantage of a bug in the oETH smart contract code and, by exploiting it, extracted multiple payouts of USDC for the sale of only one batch of ETH.
- Yam Finance
On August 13, Yam Finance saw its token price crash to zero within minutes as developers revealed the presence of a bug in the code. More than $500 million was already locked up in the first 24 hours of the launch. Soon after the bug was revealed, the token crashed, leaving investors hoping that the developers would come back with the next version. $750,000 yCRV tokens are believed to be stuck in the platform indefinitely.
On September 8, Eterbase was hacked for $5.4 million. Cyber-criminals broke into six hot wallets containing bitcoin, Ethereum, Algo, Ripple, Tezos, and Tron, draining everything. Following the exploit, Eterbase suspended all deposits and withdrawals, including any trading, until Sept. 10.
On September 25, 2020, the cryptocurrency exchange KuCoin was hacked. The stolen cryptocurrency amounted to more than $275 million in various cryptocurrencies. On their official website, the KuCoin team explained that the hack was due to a leak of the KuCoin hot wallet’s private keys.
- Yearn Finance
On September 28, Eminence, an unfinished NFT gaming ecosystem of Yearn Finance being developed by Andre Cronje, was discovered by DeFi speculators when he retweeted several pictures of the venture. Traders rushed to farm EMN, an estimated $15M or so.
Soon the EMN protocol was exploited and the hacker stole $15M. However, he refunded 50% of the money, i.e. $8M, back into Andre Cronje’s Yearn: deployer account, unprompted.
Not a great year for bZx: after 7 months, a bug in bZx’s project was exploited again, leading to a loss of $8.1 million, as per prices on the spot. The attack focused on the protocol’s interest-earning iToken, which users obtain and redeem for crypto deposited into lending pools. As per the information, the hacker was able to take away 1.76 million USDT, 1.4 million USDC, 4507 ETH, 220k LINK tokens, and 670k DAI.
The WLEO contract was hacked on October 11, resulting in $42,000 worth of stolen funds. The hacker stole Ethereum (ETH) from the decentralized exchange Uniswap’s pool by minting WLEO to himself and swapping it for Ethereum.
- Harvest Finance
26th October saw the crash of Harvest Finance, with its token FARM dropping by 70% in less than an hour. It was then reported that an anonymous hacker swapped $25M from Harvest Finance pools for renBTC (rBTC) and sold it off. Following the claims of attack, investors withdrew $350 million.
- Percent Finance
On Nov 5, Percent Finance, a community-owned fork of Compound Finance, declared that some trouble in the platform might cause user funds to be locked up. According to the reports, almost $1M was stuck in money market smart contracts. Further explanation revealed that the markets were frozen because they used an old style of CToken.
- Origin Dollar
On 9 Nov, Origin Protocol co-founder Matthew Liu confirmed an attack on the Origin Dollar (OUSD) vault. Though the exact exploit, some form of flash attack, is yet to be known, the Origin team estimated that $7 million, a combination of ETH and DAI stablecoin, had been taken.
On 12 Nov, Gibraltar-based DeFi protocol Akropolis was hacked. Reportedly, the hackers were able to exploit savings pools, getting away with more than $2 million in stablecoins. Ethereum blockchain records show the hackers got away with more than 2,030,850 Dai.
- Value DeFi
On 16 Nov, “a complex attack” on Value DeFi’s MultiStables vault caused a net loss of $6 million, according to a tweet by them. The exploit appears to be a flash loan attack, according to data from Etherscan, after an attacker or attackers borrowed 80,000 ether from the DeFi lending platform Aave.
- Pickle Finance
On 24 Nov, Pickle Finance was attacked, draining $19.7 million in DAI, a decentralized stablecoin pegged to the USD, from a Pickle wallet. Following the attack, the price of Pickle Finance’s token, PICKLE, plummeted by 43.8%.
- Compounder Finance
Dec 3 saw an exit scam, performed by Compounder Finance developers, leaving its investors $11 million out of pocket. The project’s website, Twitter, Medium, and Discord pages appear to have been deleted.
- Warp Finance
18 Dec saw a major flash loan attack on Warp protocol. The attacker took advantage of the flash loan scheme and withdrew much more than the collateral limit. The stolen amount, taken from the DAI and USDC vaults through multiple transactions, is estimated to be a hefty sum of $7.7 million.
That’s all folks!
And that’s a lot.
The number of hacks and breaches that happened that year knocked our socks off. This year, hackers are going to get more creative, that’s one thing for sure. It’s your job to not be fooled and fall into the trap. With regular audits of your smart contracts, you have a way to ensure that. We’re happy to help: connect with our team to get an audit for your blockchain project.