December 13th, 2023

2023 Recap: Top 10 Major Blockchain Hacks

eba
Technical Writer
As 2023 nears its end, the blockchain industry has faced considerable challenges, with losses nearing $1.75 billion due to cyberattacks. These incidents, increasing in frequency and sophistication, have significantly impacted companies, leading to both financial losses and diminished trust in the sector. Yet these challenges also present opportunities for innovation and improvement in cybersecurity within the blockchain industry. This review of the year's top ten blockchain hacks, listed in order of financial impact, examines the specifics of each incident: the type of exploit, the vulnerabilities targeted and the attack methods, offering insights that are crucial for strengthening future security measures in the industry.

10 - Kronos Research

Losses: $26.2 million

Exploit type: API Exploit

Date: November 18, 2023


Kronos Research is a proprietary trading firm with an emphasis on quantitative research and machine learning, focused primarily on the cryptocurrency and financial sectors. As a key liquidity provider in both centralized and decentralized finance, it also functions as a venture capital firm, investing in blockchain and technology ventures.

An API exploit is a cyberattack that targets vulnerabilities in an application programming interface (API), the mechanism that lets software applications from different companies communicate with each other. Attackers exploit this weak spot in the company's API (whose keys are often granted more permissions than they need), enabling them to access and take cryptocurrency from users' accounts without authorization.


How the hack happened: The hack, which occurred on November 18, 2023, resulted in a significant financial loss due to an unusual type of exploit. The attackers gained unauthorized access to the company's API, leading to the loss of 12,800 ETH (approximately $26 million). The incident was classified as a private key compromise, but it differed from typical cases in which a victim's wallet private key is compromised: here the API private key was compromised, and an attacker holding those API keys could also reach the company's blockchain wallets and perform transactions on its behalf. The attackers made multiple transactions from the Kronos Ethereum wallet, involving withdrawals from Binance and transfers to an EOA (externally owned account).

Response from the company: After Kronos Research was hacked, resulting in a loss of approximately $25 million, the company took an unusual approach to resolving the issue. It offered the hacker a deal: return 90% of the stolen funds and the company would consider the matter closed, effectively letting the hacker keep 10% as a bounty. The offer was part of its efforts to recover the stolen cryptocurrency, which consisted primarily of stablecoins.

9 - CoinsPaid

Losses: $37 million

Exploit type: Social Engineering

Date: June 20, 2023


CoinsPaid is a cryptocurrency payment service that enables businesses to accept payments in cryptocurrencies such as Bitcoin and Ethereum. Businesses can choose to keep these payments as crypto or convert them into regular currencies like dollars or euros.

Social engineering is a cyberattack strategy that exploits human weaknesses and uses deceptive tactics to gain access to confidential information or systems. Cybercriminals often use social engineering to steer employees into downloading malware, thereby gaining a foothold in the company's systems.

How the hack happened: The North Korean hacker group Lazarus successfully fooled employees at CoinsPaid into downloading harmful software by posing as a potential recruiter and asking them to install software from the legitimate company JumpCloud, which Lazarus had also compromised beforehand, unbeknownst to JumpCloud, in preparation for the CoinsPaid hack. As a result, they stole $37 million worth of cryptocurrency.

Response from the company: After the hacking incident, CoinsPaid took steps to compensate customer losses using its own funds. Additionally, the company put stronger security practices in place, including required training for all employees on how to handle such situations and improved multi-factor authentication procedures.

8 - Stake.com

Losses: $41.3 million

Exploit type: Hot Wallet Compromise

Date: September 4, 2023


Stake.com is a leading platform in the crypto gambling industry, providing both casino and sports betting services. The company offers a wide range of casino games, including slots, table games, live dealer games and unique online experiences. This innovative approach to online gambling, built on the use of cryptocurrencies, has contributed to its rapid growth and popularity in the digital betting world.

How the hack happened: The hackers used an API exploit to steal $41.3 million in cryptocurrency. The hack primarily involved the suspected compromise of the hot wallet private keys, a critical security breach that gave the attackers unauthorized access to Stake.com's digital assets. They executed the transfer() function across multiple blockchain networks, allowing them to illicitly move substantial amounts of cryptocurrency, including Ethereum (ETH), Polygon's MATIC and Binance Coin (BNB), from Stake's wallets to their own. The precision and speed of the attack indicate a targeted breach. The total loss amounted to $41 million, highlighting the vulnerability of hot wallets, which are internet-connected and therefore more exposed to such breaches.

Response from the company: Stake.com addressed the security breach by reimbursing customers who were impacted and enhancing their protective measures. Additionally, the company initiated an inquiry into the incident and is collaborating with the authorities to track down and capture the hackers.

7 - KyberSwap (Newest!)

Losses: $47 million

Exploit type: Reentrancy Attack

Date: November 23, 2023


KyberSwap is a decentralized exchange (DEX) aggregator that operates across multiple blockchain networks. It allows users to trade a variety of cryptocurrencies efficiently by aggregating liquidity from different sources, providing optimized trading rates and reduced slippage.

A reentrancy attack occurs when an attacker exploits the ability to recursively call a smart contract function, repeatedly executing code before the contract's state has been updated by the first call. Such an attack can lead to funds being withdrawn multiple times without authorization, using the contract in a way its original logic never intended.

[Illustration: KyberSwap exploit]

How the hack happened: The KyberSwap hack, which occurred on November 23, 2023, involved a smart contract reentrancy attack on the multi-chain decentralized exchange (DEX) aggregator. The exploit resulted in a loss of approximately $47 million across multiple networks, causing a 90% drop in Total Value Locked (TVL) from $84.9M to $8.28M. The impact varied across networks, with losses of $20M on Arbitrum, $15M on Optimism, $7.5M on Kyber Mainnet, $2M on Polygon and $315K on Base. The root cause was likely a vulnerability in the mint function of KyberSwap's new v2 reinvestment token (KS2-RT), which contained a mint callback that potentially opened a loophole for reentrancy.
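As an added illustration of the reentrancy pattern described above (a constructed Python model, not KyberSwap's or any project's code), the vault below makes its external call before clearing the caller's balance and can therefore be drained by a re-entering payee; the same vault with checks-effects-interactions ordering or a reentrancy guard pays out only what the caller is owed:

```python
# Toy model of smart-contract reentrancy (constructed example, not any project's code):
# a vault that pays out before zeroing the caller's balance can be re-entered and drained;
# with checks-effects-interactions ordering or a reentrancy guard it pays only what is owed.

class Reverted(Exception):
    """Stands in for an EVM revert."""

class Vault:
    def __init__(self, fix_order=False, guard=False):
        self.balances = {}     # depositor -> credited amount
        self.pool = 0          # funds actually held by the contract
        self.fix_order = fix_order
        self.guard = guard
        self._locked = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, caller):
        if self.guard and self._locked:
            raise Reverted("reentrant call")    # nonReentrant-style mutex
        self._locked = True
        try:
            amount = self.balances.get(caller.name, 0)
            if amount == 0:
                raise Reverted("nothing to withdraw")
            if self.fix_order:
                self.balances[caller.name] = 0   # effect BEFORE the interaction
            self.pool -= amount
            caller.receive(self, amount)          # external call: control leaves the vault
            if not self.fix_order:
                self.balances[caller.name] = 0   # too late: the callback already ran
        finally:
            self._locked = False

class ReenteringCaller:
    """Payee whose receive hook calls back into withdraw() up to max_depth times."""
    def __init__(self, name, max_depth):
        self.name, self.max_depth = name, max_depth
        self.depth, self.received = 0, 0

    def receive(self, vault, amount):
        self.received += amount
        if self.depth < self.max_depth and vault.pool >= amount:
            self.depth += 1
            try:
                vault.withdraw(self)   # re-enter while the vault's state is stale
            except Reverted:
                pass                   # a failed low-level call just returns false

def run(fix_order=False, guard=False):
    """Return (amount the re-entering caller received, funds left in the vault)."""
    vault = Vault(fix_order, guard)
    vault.deposit("honest", 90)     # another depositor's funds, also at risk
    caller = ReenteringCaller("reenterer", max_depth=9)
    vault.deposit(caller.name, 10)
    vault.withdraw(caller)
    return caller.received, vault.pool
```

With the defaults the caller who deposited 10 walks away with the whole pool of 100; with either fix enabled it receives exactly 10 and the honest depositor's 90 stay in the vault.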

Response from the company: Following the hack, KyberSwap pledged ongoing support to both users and law enforcement. Recognizing the hardships faced by many, it promised treasury grants to affected users of up to the USD value each had lost at the time of the breach. KyberSwap also committed to supporting law enforcement efforts to track the hacker and recover the funds, and focused on recovering assets and assisting users who faced difficulties during this period.

6 - Curve Finance

Losses: $61.7 million

Exploit type: Flash Loan Attack

Date: July 30, 2023


Curve Finance is a decentralized exchange platform that uses an AMM system. An Automated Market Maker (AMM) is a decentralized finance mechanism that uses liquidity pools for trading assets, replacing traditional buyers and sellers with formula-based pricing. Users can swap their tokens with low fees and minimal price differences between the currencies traded, because the stablecoins involved are not volatile.

A flash loan attack occurs when attackers take advantage of the ability to reverse cryptocurrency transactions that have not yet been confirmed by the network. In this case the attackers took a flash loan and used it to manipulate the value of specific assets on the platform, enabling them to steal cryptocurrency from users who were trying to trade those assets.

How the hack happened: In this case, the $69 million in losses was due to a vulnerability in the Vyper programming language used for Ethereum smart contracts. The vulnerability caused the reentrancy guard to malfunction, which the attackers exploited to drain funds from liquidity pools. Because the stablecoins are not volatile, a weakness appears that gives attackers an opening to abuse AMM functions and drain funds from the liquidity pool. Curve Finance was hacked on July 30, 2023, when the attackers used a flash loan attack to steal $61.7 million in cryptocurrency.

Response from the company: Curve Finance responded to the hack by compensating affected users and implementing new security measures. The company also launched an investigation into the hack and worked closely with the authorities. Through these investigations almost 80% of the funds were recovered.

5 - CoinEx

Losses: $70 million

Exploit type: Hot Wallet Compromise

Date: April 8, 2023


CoinEx is a global cryptocurrency exchange where users can buy, sell, and trade a variety of digital currencies. Established in December 2017, it offers a platform for trading various cryptocurrencies such as Bitcoin, Ethereum, and many others. Known for its user-friendly interface and global accessibility, CoinEx provides services including spot trading, futures trading, and other financial products.

A hot wallet is a cryptocurrency wallet that is connected to the Internet. Such wallets offer convenient features such as accessibility, ease of use and exchange integration, but they are much more vulnerable than cold wallets, which are not connected to the Internet.

[Illustration: CoinEx hot wallet compromise]

How the hack happened: The incident at CoinEx was marked by unauthorized fund transfers from the exchange's hot wallets, a clear sign of a significant security compromise. Early signs indicated that the breach may have involved the exposure of the hot wallets' private keys. The attack was notably complex, employing several addresses and targeting a range of blockchain networks including ETH, TRON, BSC, BTC and MATIC. This strategy not only demonstrated the attackers' extensive understanding of various blockchain systems but also significantly complicated efforts to track and recover the stolen assets. During the incident, the attackers compromised CoinEx's online wallets and stole $70 million worth of digital currency. The CoinEx attack is said to have been organized by the Lazarus Group, a North Korea-related group also behind other attacks in this top 10.

Response from the company: After detecting unusual withdrawals on September 12, 2023, CoinEx quickly formed a team to investigate, suspecting a leak of their hot wallet's private key. They shut down the affected servers and moved assets to secure locations, while also working with other exchanges to freeze relevant accounts. CoinEx kept users informed and promised that their main wallet assets were safe and that the company would cover the financial losses. By September 21, they had reconstructed their wallet system and resumed services for major cryptocurrencies, ensuring enhanced security for their users' assets.

4 - Atomic Wallet

Losses: $100 million

Exploit type: Supply Chain Attack

Date: June 3, 2023


Atomic Wallet is a decentralized, multi-currency wallet supporting over 300 coins and tokens. It gives users full control of their private keys and offers in-wallet atomic swaps, a built-in exchange service and support for staking certain cryptocurrencies directly within the wallet.

How the hack happened: On June 3, 2023, Atomic Wallet, a cryptocurrency wallet, was hacked. The hackers employed a supply chain strategy to breach Atomic Wallet's software development kit (SDK), subsequently embedding harmful code within the company's applications. As a result of this intrusion, the attackers were able to steal $100 million in cryptocurrency holdings from users of Atomic Wallet.

A supply chain attack is a method of cyberattack that targets a business's third-party partners or providers in order to gain access to the business's systems or information. In the Atomic Wallet incident, the attackers compromised the company's software development kit by inserting malicious code into the software of one of Atomic Wallet's third-party contributors.

Response from the company: After discovering the hack, Atomic Wallet responded quickly by investigating how the breach happened and improving its security to prevent future attacks, focusing on making its use of third-party software more secure. The company also kept users informed about the situation and offered guidance on how to protect their assets. It worked with law enforcement to find those responsible and to try to recover the stolen funds. Atomic Wallet's main goals were to fix the issue, keep its users safe and regain their trust.

3 - Multichain

Losses: $126 million

Exploit type: Cross-chain Bridge Exploit

Date: July 7, 2023


Multichain is a platform enabling developers to build and manage decentralized applications and smart contracts across various blockchain networks. It focuses on interoperability and scalability, allowing dApps to function seamlessly across different blockchains. This approach provides flexibility and efficiency, leveraging the strengths of multiple blockchains for more robust and user-friendly dApps.

How the hack happened: The hackers found a vulnerability in Multichain's smart contract code that enabled a cross-chain bridge exploit, leading to the theft of $126 million in various cryptocurrencies. A cross-chain bridge exploit is the abuse of vulnerabilities in cross-chain bridges, the mechanisms that allow assets to be transferred between different blockchain networks. Such exploits can arise from weaknesses in smart contract code, cryptographic processes or the operational management of the bridge, and hackers use them to illicitly transfer or duplicate assets, often causing significant financial losses.

[Illustration: Multichain cross-chain bridge exploit]

Common methods include exploiting smart contract vulnerabilities, manipulating asset locking and minting mechanisms, intercepting relayed information, or gaining control over part of the bridge's validation system. The growing cross-chain activity in blockchain makes securing these bridges against such exploits a critical concern.

Response from the company: Following the June 3, 2023 hack, Atomic Wallet did not disclose specific details about the theft, which Elliptic estimated at over $100 million. The company suggested possible causes such as virus attacks or breaches but confirmed none. It emphasized its non-custodial nature, noting that it does not have access to users' private keys. It is working with investigators and legal authorities to assist affected users, and it updated its security infrastructure after the incident.

2 - Euler Finance

Losses: $197 million

Exploit type: Flash Loan Attack

Date: March 13, 2023


Euler Finance is a decentralized finance (DeFi) platform on the Ethereum blockchain, allowing users to lend and borrow various cryptocurrencies. It offers advanced features like under-collateralized loans and risk management tools, catering to users seeking sophisticated yield strategies and borrowing options.

How the hack happened: The hackers used a flash loan attack to steal $197 million in cryptocurrency. As mentioned above, flash loans are unique to DeFi and allow users to borrow funds without collateral, on the condition that the loan is repaid within the same transaction. The hackers exploited this feature, along with specific vulnerabilities in Euler Finance's smart contracts, to execute the attack: they manipulated the donate function, creating discrepancies between Euler's debt and equity tokens.

Response from the company: Fortunately, Euler Finance quickly traced the actors behind the hack. Subsequently, all the stolen funds were recovered, enabling the company to reimburse all affected customers.

1 - Mixin Network

Losses: $200 million

Exploit type: Cloud Service Provider Exploit

Date: September 23, 2023


Mixin Network is a decentralized platform that connects different blockchain networks, enabling fast and secure cross-chain cryptocurrency transactions. It supports multiple cryptocurrencies and offers features like end-to-end encryption and integrated wallet functionality within its messaging app, facilitating easy asset management and transfer.

How the hack happened: A cloud service provider (CSP) is an organization that offers resources such as computing power, storage and network capabilities over the internet. In this incident, the hackers exploited a flaw in the cloud services used by Mixin Network, leading to the unauthorized withdrawal of cryptocurrencies belonging to its users and the theft of $200 million in various cryptocurrencies.

[Illustration: Mixin cloud service provider exploit]

Response from the company: Mixin Network is currently conducting an investigation into the breach and is actively working on compensating the users who were impacted. Additionally, the company has introduced new security protocols to enhance protection against similar attacks in the future.

Seems scary, right? Pretty much. But remember, there is no perfect system and no silver bullet for blockchain security. From top-level managers to developers, every employee needs to know their responsibility when it comes to security. As the incidents above show, sometimes an email is enough to let malicious actors in.

Over the past years, the industry has learned many lessons from these incidents. Companies are running several initiatives to identify security risks and find ways to stop the harmful activity that originates from them. For those looking for a more in-depth guide on how to prevent cyberattacks, we have a technical article in which we dive deep into each of the above-mentioned hacks and provide countermeasures.