Almost as much cryptocurrency has been stolen this year as in all of 2021, according to a new analysis.
According to blockchain market analysts at Chainalysis, thieves and fraudsters stole $3.2 billion in various cryptocurrencies last year. But in the first four months of 2022, $2.9 billion worth of crypto has already been stolen, with roughly one major theft occurring every week.
The volume of crypto heists hasn’t necessarily changed, but the attacks are becoming more and more devastating, in part due to the growing popularity of decentralized finance (DeFi) projects and the amount of money poured into these projects.
Targeting emerging projects
DeFi describes an ecosystem of financial applications that are built on the blockchain. They offer services similar to those available in traditional banks, but rely on peer-to-peer systems. With DeFi, people can take out loans or earn a return on their investments.
However, since many of these projects are not yet fully tested and approved, they are quickly becoming a playground for cybercriminals and fraudsters.
The latest attack hit Beanstalk, an Ethereum-based algorithmic stablecoin protocol launched in August. The fraudster managed to siphon off $182 million worth of digital assets.
Incidents like this highlight the importance of code verification and audits. Even projects whose code has been audited by third parties can still end up being abused.
Speaking to The Wall Street Journal, Max Galka, CEO of crypto-crime firm Elementus, said the hacker was following the rules laid out by Beanstalk.
“Everything this guy did was up to code,” Galka said.
However, the attacker managed to find a flaw in the code. With the help of a flash loan from another DeFi service (a flash loan is similar to a “normal” loan, but the whole process happens almost instantly), he managed to buy enough of Beanstalk's native governance token to gain absolute voting power.
With that power, he voted to withdraw all funds found on the protocol, and after returning the flash loan, walked away with the difference. It remains to be seen whether the customers concerned will be reimbursed or not.
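The weakness described above can be shown with a simplified model. This Python sketch is an added example, not Beanstalk's code and not part of the original article; the class and function names, the token amounts and the two-thirds threshold are assumptions. It compares weighing votes by live balance with weighing them by a balance snapshot from an earlier block, a common defence against borrowed voting power.

```python
# Toy governance model (constructed for illustration; all names are hypothetical).
from collections import defaultdict

class Token:
    """Governance token that records every holder's balance at the end of each block."""
    def __init__(self):
        self.block = 0
        self.balances = defaultdict(int)
        self.history = defaultdict(dict)  # holder -> {block: balance}

    def mint(self, holder, amount):
        self.balances[holder] += amount

    def burn(self, holder, amount):
        self.balances[holder] -= amount

    def next_block(self):
        # Close the current block: persist balances, then advance the block counter.
        for holder, balance in self.balances.items():
            self.history[holder][self.block] = balance
        self.block += 1

    def balance_at(self, holder, block):
        # Holders with no record at that block had no voting power then.
        return self.history.get(holder, {}).get(block, 0)

def vote_passes(token, voter, snapshot_block=None, threshold=2 / 3):
    """True if `voter` alone reaches the (assumed) supermajority threshold.

    snapshot_block=None weighs the vote by live balance; otherwise the weight
    is the balance recorded at that earlier block.
    """
    if snapshot_block is None:
        weight = token.balances[voter]
        supply = sum(token.balances.values())
    else:
        weight = token.balance_at(voter, snapshot_block)
        supply = sum(token.balance_at(h, snapshot_block) for h in list(token.history))
    return supply > 0 and weight / supply >= threshold

def simulate(use_snapshot):
    """One block in which tokens are borrowed, voted with, and returned."""
    token = Token()
    token.mint("holders", 1_000)    # constructed sample: long-term holders
    token.next_block()              # block 0 closes before the vote
    snapshot = token.block - 1 if use_snapshot else None
    token.mint("borrower", 9_000)   # governance tokens bought with the flash loan
    passed = vote_passes(token, "borrower", snapshot)
    token.burn("borrower", 9_000)   # loan repaid within the same block
    return passed
```

With live-balance weighting the borrowed tokens carry the vote; with the snapshot, the borrower held nothing at the earlier block and the vote fails.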
If crooks aren’t looking for loopholes in the code, then they try to scam people into giving up their passwords, secret keys, and other credentials, or into installing keyloggers or other malicious software. By assuming the identity of a trusted third party, they often try to trick people into believing that they need to fix a problem urgently, so as not to lose their funds.
Via The Wall Street Journal