Cryptocurrency heists are getting more ambitious — and costlier to investors – CBS News
Watch CBS News
By Khristopher J. Brooks
While 2022 has been a typically roller-coaster year for cryptocurrency buyers, it’s shaping up to be exceptional for one group of virtual money enthusiasts: thieves. Criminals have already stolen more than $1 billion in crypto this year.
Attacks on , and Ronin Network last month each resulted in multimillion-dollar losses. Cybersecurity experts say hackers often target decentralized finance, or DeFi, platforms with weak security. DeFi services are typically built on public blockchains, allowing users to exchange crypto back and forth without the need for an established financial institution like a bank or credit union.
“We should expect these types of [sophisticated] attacks to continue to increase, as more and more criminal organizations build DeFi-hacking skills in-house,” Mitchell Amador, CEO at cybersecurity auditing firm Immunefi, told Yahoo Finance earlier this month. “Furthermore, as DeFi gets bigger and bigger, these kinds of attacks become more and more lucrative.”
The most recent attack came last week when an unknown hacker stole $182 million from Beanstalk Farms — the fourth-largest hack on a DeFi service to date. PeckShield, a blockchain security company in China, said thieves used a “flash loan” to exploit security weaknesses in Beanstalk. A flash loan is an unsecured loan that bypasses the need for collateral from the borrower by using smart contracts requiring repayment by the the end of a transaction — usually within seconds or minutes.
A large portion of the $182 million that was drained went toward fees on exchange platforms, such as Uniswap and Aave, used to carry out the attack. In the end, the culprit took home 24,830 in ether and 36 million BEAN tokens. Beanstalk officials said in a blog post that the hackers made out with roughly $76 million of users’ crypto holdings. It’s unclear if Beanstalk, which launched last August, has been able to recover the stolen crypto.
PeckShield said the hacker laundered the stolen cryptocurrency using Tornado Cash, a service that lets users transfer crypto tokens anonymously.
1/ The @BeanstalkFarms was exploited in a flurry of txs (https://t.co/PMsdP5dnJG and https://t.co/wyHe3ARZgU),
leading to the gain of $80+M for the hacker (The protocol loss may be larger), including 24,830 ETH and 36M BEAN.
Since the attack, users have contacted Beanstalk with their suggestions on how to tighten security. Beanstalk said in its blog post that it is taking those thoughts into consideration and “is preparing a strategy to safely re-launch a more secure Beanstalk with a path forward.”
Another cyber criminal stole more than $3 million worth of Bored Ape Yacht Club, a popular series of non-fungible tokens, after hacking into the brand’s Instagram account. Owners of BAYC lost four Bored Apes, six Mutant Apes and three Bored Ape Kennel Club NFTs, Bloomberg News reported in late April. It’s unclear if parent company Yuga Labs has been able to retrieve the stolen digital assets.
Hackers have already snatched more than $1.2 billion in crypto from DeFi platforms this year, according to Immunefi, compared $154 million in the first quarter of 2021. In all of 2020, hackers stole a total of $162 million in crypto from DeFi platforms, according to data from blockchain analytics firm Chainalysis.
“We’ve also seen significant growth in the usage of DeFi protocols for laundering illicit funds, a practice we saw scattered examples of in 2020 and that became more prevalent in 2021,” Chainalysis said in a report. “DeFi protocols saw the most growth by far in usage for money laundering at 1,964%.”
Khristopher J. Brooks is a reporter for CBS MoneyWatch covering business, consumer and financial stories that range from economic inequality and housing issues to bankruptcies and the business of sports.
First published on April 25, 2022 / 7:33 AM
© 2022 CBS Interactive Inc. All Rights Reserved.
Copyright ©2022 CBS Interactive Inc. All rights reserved.
Quotes delayed at least 15 minutes.
Market data provided by ICE Data Services. ICE Limitations. Powered and implemented by FactSet. News provided by The Associated Press. Legal Statement.