Decentralized finance (DeFi) has had a challenging year – losing 75% of its total value locked over the past 11 months. However, while the cryptocurrency crash may have hit investors hard, it hasn’t deterred criminals. Bug exploits, logic errors, private key compromises, and social engineering attacks broke records in 2022, stealing a record $2.7 billion from DeFi protocols. That’s more than half of the total $5.1 billion stolen from DeFi since 2020. Furthermore, the four worst DeFi hacks of 2022 secured their place on the list of the top ten crypto heists of all time.
From North Korean heists to US sanctions against Tornado Cash, DeFi-related crime – or “DeCrime” – showed new trends and behaviors during 2022. In this blog, Elliptic analyzes these trends and the five most important insights observed during the year, which could shed light on the biggest security risks facing DeFi in 2023.
Cumulative USD Crypto Asset Loss Due to DeFi Theft, 2020-2022.
1. Thefts netted an average of $32.6 million per hack – almost double the amount in 2021.
In 2020, the average DeFi theft netted its perpetrators around $6.4 million. In 2021, that figure grew to $17 million. In 2022, it nearly doubled again, with an average of $32.6 million stolen in each hack. The biggest loss was suffered by BSC Token Hub in October 2022, when it lost $569 million worth of cryptoassets.
Still, no hack in 2022 managed to top the record-breaking $611 million Poly Network bridge theft in August 2021. In another somewhat consoling development, the number of DeFi hacks actually declined in 2022, with fewer than 90 occurring, compared to more than 120 recorded in 2021. One hack occurred on average every four days – down from one every three days last year.
Top 10 DeFi Hacks of 2022 by USD Amount Stolen
However, given the severity of many of these hacks, the daily average amount taken from DeFi protocols exceeded a record $7.6 million. The BSC Token Hub hack, the Ronin Bridge attack ($540 million stolen), the Wormhole Bridge hack ($325 million stolen), and the Wintermute exploit ($162 million stolen) all made the top ten largest cryptocurrency thefts of all time. BSC Token Hub and Ronin are second and third, respectively.
2022 DeFi Hacks Among the Top 10 Cryptocurrency Thefts of All Time
2. BSC has overtaken Ethereum as the most hacked blockchain
Being the second largest blockchain in operation and accounting for the lion’s share of DeFi trading, Ethereum has long been the dominant chain for DeFi. Excluding hacks involving multiple blockchains, Ethereum accounted for 56% of the funds stolen in 2021. In 2022, that figure dropped to 22.4%, although this does not include the $540 million taken from the Ethereum sidechain Ronin (19.6%) during the Ronin bridge incident.
Meanwhile, Binance Smart Chain (BSC) narrowly took the lead, accounting for 25% of funds lost due to single-chain hacks. Solana also became a frequent target, with 18.6% of stolen funds. As new blockchain ventures seek to challenge Ethereum’s dominance through faster transaction speeds and scalability, DeFi projects testing their capabilities have surged. In many cases, issues of security and protection from crime have been slow to catch up. For hackers – minus Ronin – the exploit arena seems to be dominated by these three chains heading into 2023.
DeFi exploits by blockchain by % of amount stolen per year in USD, 2020-2022
Note: Most of the “multi-chain” hack proceeds in 2021 came from the $611 million Poly Network hack, which stole funds from Ethereum, BSC, and Polygon.
3. Cross-chain bridges were the biggest victims this year
Perhaps one of the clearest trends observed in 2022 was how badly cross-chain bridges fared. These are services that allow users to exchange cryptoassets between blockchains – otherwise known as “chain hopping”. Bridges have become popular due to the lack of ID verification required to exchange assets, which often occurs via lock-and-mint smart contracts. When a user decides to convert an asset, these smart contracts lock it on the originating blockchain and issue the equivalent amount of the converted asset on the destination blockchain. This leads to a large amount of liquidity being locked up in these smart contracts.
For criminals, a smart contract holding that much liquidity is a lucrative target. Three of the four hacks described above – namely BSC Token Hub, Ronin, and Wormhole – are cross-chain bridges. Notable hacks also targeted the Qubit, Harmony and Nomad bridges. Over $1.85 billion was stolen from these services in 2022 – nearly 70% of all thefts this year. This is twice as much as in 2021, when bridge attacks stole $640 million.
Cross-Chain Bridge Hacks in 2022
Another vulnerability of bridges is their existence – given the nature of their service – on smaller blockchains with relatively untested security and audit cultures. On these chains, the smart contracts managed by these bridges may therefore be more vulnerable to attack compared to more mainstream blockchains such as Ethereum.
4. North Korea stole at least $640 million this year, resulting in heavy sanctions
One of the main perpetrators of DeFi theft is the infamous “Lazarus Group” – a North Korean state hacking organization. It has been involved in many exchange and DeFi hacks in the past and 2022 was no different.
At least two DeFi hacks in 2022 have been attributed to North Korea – Ronin and Harmony. As shown above, both were cross-chain bridges. After attributing the Ronin Bridge hack to Lazarus, the US Treasury Department sanctioned the perpetrator’s address.
Following this, the popular decentralized mixer Tornado Cash announced that it would implement a smart contract sanctions checker to prevent Lazarus from using its tool to cash out stolen funds. To avoid these measures, the Lazarus group generated new intermediary addresses to send funds indirectly through Tornado Cash – leading to new sanctions on those addresses by the United States in an attempt to prevent them from reaching Tornado Cash.
On August 8, Tornado Cash itself was sanctioned for facilitating the laundering of nearly all of the Ronin assets stolen by the Lazarus Group. According to Elliptic’s internal estimates, North Korean money laundering accounted for 6.5% of the ETH and USDC processed in the mixer. Elliptic also attributed the smaller $100 million Harmony Horizon Bridge hack in June 2022 to Lazarus – based in part on the similarity of its post-hack Tornado Cash laundering patterns.
The Lazarus group sends their stolen ETH from Ronin to Tornado Cash via intermediary wallets to avoid sanctions checks.
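The gap described above, where a check on the depositing address alone is sidestepped by routing funds through fresh intermediary wallets, can be seen by comparing a list-membership check with a hop-bounded trace of where a depositor's funds came from. This is an added example, not Tornado Cash's checker or Elliptic's tooling; the addresses, amounts, function names and the max_hops and min_amount parameters are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data: every address and amount below is an invented placeholder.
SANCTIONED = {"0xSANCTIONED"}
TRANSFERS = [  # (sender, receiver, amount in ETH)
    ("0xSANCTIONED", "0xHOP1", 100.0),
    ("0xHOP1", "0xHOP2", 99.5),
    ("0xHOP2", "0xHOP1", 0.5),               # cycle between intermediaries
    ("0xHOP2", "0xDEPOSITOR", 99.0),
    ("0xSANCTIONED", "0xBYSTANDER", 0.001),  # dust-sized transfer
    ("0xEXCHANGE", "0xCLEAN", 5.0),
]

def direct_check(address, sanctioned):
    """Screen only the depositing address itself (plain list membership)."""
    return address in sanctioned

def hops_to_sanctioned(address, transfers, sanctioned, max_hops=3, min_amount=0.01):
    """Walk funding edges backwards, breadth-first, starting at `address`.

    Returns the hop count to the nearest sanctioned funder, 0 if the address
    itself is listed, or None if none is reachable within max_hops.
    Transfers below min_amount are ignored so that a dust payment from a
    listed address does not flag its recipient (an assumed policy choice).
    """
    funders = defaultdict(set)
    for sender, receiver, amount in transfers:
        if amount >= min_amount:
            funders[receiver].add(sender)
    queue, seen = deque([(address, 0)]), {address}
    while queue:
        current, depth = queue.popleft()
        if current in sanctioned:
            return depth
        if depth == max_hops:
            continue  # hop budget spent on this path
        for sender in funders[current] - seen:  # `seen` guards against cycles
            seen.add(sender)
            queue.append((sender, depth + 1))
    return None

if __name__ == "__main__":
    for addr in ("0xSANCTIONED", "0xDEPOSITOR", "0xBYSTANDER", "0xCLEAN"):
        print(addr, direct_check(addr, SANCTIONED),
              hops_to_sanctioned(addr, TRANSFERS, SANCTIONED))
```

The depositor passes the direct check but is found three hops from the listed address; lowering max_hops to 2 misses it, which is the trade-off any hop-bounded screen has to tune.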
5. Post-Tornado money laundering goes cross-chain and cross-asset
Arguably the most significant DeFi-related sanctions development of 2022 – namely the sanctioning of Tornado Cash – has done little to stop DeFi hacks. In fact, October 2022 was the costliest month in history for hacks, with losses of over $735 million. Instead, most hackers have switched to cross-chain and cross-asset capabilities for subsequent money laundering. This is a classic illustration of the “crime displacement” theory at work – that criminals who are faced with a deterrent measure will seek to commit their crimes in alternative ways unaffected by the intervention.
Of the $305.8 million in Ethereum and BSC-based DeFi theft proceeds stolen and laundered since the sanctions, over 96% ($295.0 million) was sent through decentralized exchanges. These are services that allow users to convert between cryptoassets on the same blockchain. A further $2.7 million was sent directly through cross-chain bridges to be laundered on different blockchains. Only $6.6 million – 2.1% of observed theft proceeds – was sent through Tornado Cash.
Initial destination of DeFi theft proceeds on Ethereum and BSC after the Tornado Cash sanctions
Between DEXs and bridges, cross-chain and cross-asset methods account for more than 97% of DeFi theft laundering following the Tornado Cash sanctions. High-profile regulators such as the Financial Action Task Force (FATF) have recognized the importance and increasing urgency for virtual asset services to be equipped with cross-chain monitoring capabilities. Indeed, in its targeted update for June 2022, it identified “chain hopping” as a growing area of concern.
Elliptic has conducted extensive research on cross-chain crime and found that over $4.1 billion is being laundered through DEXs, cross-chain bridges, and current “coin” exchanges. This figure is projected to reach $6.5 billion by 2023 and $10.5 billion by 2025. Crackdowns on traditional laundering methods – including Tornado Cash – are one of the key drivers of this trend.
How can Elliptic help?
To help virtual asset services manage and mitigate the risk of cross-chain crime, Elliptic launched Holistic Screening. This first-to-market solution allows entities to seamlessly review addresses and transactions across assets and blockchains.
Holistic Screening eliminates the need for cumbersome manual monitoring via DEXs or bridges, ensuring that services are not accidentally exposed to chains or criminal assets. In light of the sanctions imposed on the perpetrators of the Ronin hack and on Tornado Cash, Holistic Screening has also become a key solution from a sanctions compliance perspective.
Elliptic is also taking immediate measures to ensure that the addresses of DeFi hackers are flagged on its internal platform, allowing virtual asset services to inspect wallets and monitor transactions related to the proceeds of DeFi theft. This ensures that compliant services can appropriately manage and mitigate the risks of inadvertent processing of stolen funds, while reducing the ability of hackers to monetize their proceeds. After all, the high risk of being discovered when trying to cash out is probably one of the reasons why the Poly Network hacker returned all $611 million from the record-breaking hack in August 2021.