Author: Vishal Chawla, The Block; Compiler: Songxue, Golden Finance
For many years, the crypto industry has faced challenges from hackers and protocol vulnerabilities.
This trend continued into 2023. There's good news, though: the amount lost to hacks is down more than 50% year-over-year.
The amount of cryptocurrency funds stolen by hackers this year is estimated at $1.7 billion, less than half of the $4 billion recorded in 2022, according to TRM Labs. Although overall losses have decreased, large sums of money are still stolen from individual projects.
There have been a number of high-profile hacks this year, affecting well-known entities such as Multichain, Euler Finance, Mixin Network, and Atomic Wallet.
Then in November, three crypto projects linked to Tron founder Justin Sun — Poloniex, HTX, and Heco Bridge — collectively lost more than $200 million in a series of breaches.
A recurring issue in many of these incidents involves private key vulnerabilities that allow criminals to gain access to user funds. Throughout the year, the North Korean hacker group Lazarus conducted multiple attacks, causing a total of more than $300 million in losses.
This article delves into the largest cryptocurrency thefts of the year, examining the projects affected and the factors that led to each attack.
Mixin Network – US$200 million
Hong Kong-based crypto project Mixin Network suffered the largest crypto exploit of the year.
The company had to abruptly cease operations on September 23 after hackers stole a staggering $200 million from users’ hot wallets.
Mixin reported that "its cloud service provider's database was hacked." While the company did not provide further explanation, analysts believe the affected database may have held the private keys to users' accounts, that is, the mnemonic phrases that unlock the cryptocurrencies they hold.
Euler Finance — $197 million
Few events have demonstrated the audacity and vulnerability of DeFi as vividly as the March 2023 attack on lending protocol Euler. That’s when $197 million worth of cryptocurrency disappeared due to a strange ploy.
Who was the culprit? A hacker exploited a vulnerability in the lending protocol by manipulating the exchange rate between eDAI and dDAI, the stablecoins issued by Euler. The attacker was able to inflate the eDAI/dDAI rate by repeatedly calling the "donateToReserves" function with DAI.
They used flash loans, a type of loan that is repaid in the same Ethereum transaction, to disrupt the balance of liquidity pools holding both tokens. This triggered the liquidation of borrowers’ positions denominated in dDAI to siphon funds from the protocol.
But the story does not end there. The attacker later returned the stolen funds in what is known as a "white hat" move. With the exception of a small portion of the loot, nearly all of it was returned to the team, providing relief to the victims.
Multichain – $125 million
In July, it was reported that cross-chain bridge Multichain had been exploited across the different blockchains it supports, and $125 million worth of cryptocurrency was drained, with Fantom accounting for the largest amount. This happened shortly after the bridge was suspended due to "multiple issues due to unforeseen circumstances."
To date, the exact cause of the hack remains unclear as a conclusive post-mortem report has not yet been provided.
As security firm Halborn explains, one possible explanation is that the private keys to the bridge's smart contracts were compromised by hackers exploiting a bug in its code.
There are concerns that the team itself may be responsible for the incident, concerns heightened by the disappearance of Multichain CEO Jun Zhao before the hack.
Prior to this event, he was arrested by Chinese authorities and it was revealed that he had exclusive control over the protocol's funds, contradicting Multichain's previous decentralization claims. Multichain is no longer operating.
Poloniex – $120 million
In November 2023, hackers suspected to be North Korea's Lazarus Group stole a staggering $120 million from a Poloniex hot wallet, most likely by obtaining private keys.
The immediate consequences were predictable: trading and withdrawals ceased. The exchange said it would compensate affected users. Poloniex has been operating as a centralized exchange since 2014. Tron founder Justin Sun acquired the exchange in 2019.
Atomic Wallet – $100 million
In June 2023, user accounts of the crypto wallet app Atomic were wiped out. Hackers stole more than $100 million worth of assets from approximately 5,500 users. The main reason behind the incident remains unclear as Atomic has yet to provide an explanation.
It is suspected that the breach may have stemmed from a code vulnerability flagged by security analysts at Least Authority a year before the incident. Analysts at SlowMist also discovered potential problems.
On-chain analytics firm Elliptic tracked more than 5,500 targeted wallets and said North Korean hacking group Lazarus was behind the attack.
In August, a group of victims in Russia filed a class-action lawsuit against the company behind Atomic, saying it failed to protect user assets. Months later, the company responded with a motion asking a U.S. court to dismiss the lawsuit.
Heco Bridge, HTX — $99 million
In November, a major cross-chain bridge on Heco (the blockchain established by HTX exchange) suffered a large-scale exploit. Criminals took control of key smart contracts or operator accounts across the bridge, resulting in the theft of over $86 million in various cryptocurrencies.
Preliminary analysis shows that the intruders manipulated the cross-chain bridge’s smart contract code and circumvented its security protocols. This manipulation allowed hackers to mint unauthorized tokens (via the bridge contract), which were then exchanged for Ethereum and subsequently transferred out of the cross-chain bridge.
HTX (formerly Huobi) also lost $12 million in its hot wallet. HTX advisor and Tron founder Justin Sun said white hat bounty rewards have been offered to the attackers. The offer appears to have been accepted, with the platform recovering $8 million (of the $12 million stolen).
Curve - $73 million
In July, Curve Finance, one of the largest decentralized exchanges in DeFi, was attacked. Due to a vulnerability in the Vyper programming language it uses, multiple liquidity pools on the platform were exploited, allowing hackers to steal approximately $73 million in various crypto assets.
The vulnerability allowed attackers to exploit the pools' smart contract logic to maliciously drain funds. This involved a re-entrancy attack, in which hackers manipulate smart contracts to withdraw funds in rapid succession.
The attack was facilitated by a malfunctioning re-entrancy guard in Vyper. Projects built on top of the Curve factory pool, including JPEG’d, Metronome, and Alchemix, were affected.
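The re-entrancy failure described above, as an added example that is not code from Curve, Vyper or the original article: a toy Python pool whose withdrawal makes an external call before burning shares. It assumes the guard failed by locking each function separately rather than the contract as a whole; all names and amounts are constructed.

```python
# Added example: toy pool, all names hypothetical (not Curve or Vyper code).
class Pool:
    def __init__(self, shared_lock):
        self.shared_lock = shared_lock  # False models a guard that locks per function
        self.held = set()               # lock keys currently taken
        self.balance = self.total_shares = 0
        self.shares = {}                # owner -> shares

    def _guarded(self, name, body):
        key = "global" if self.shared_lock else name
        if key in self.held:
            raise RuntimeError("re-entrant call rejected")
        self.held.add(key)
        snap = (self.balance, self.total_shares, dict(self.shares))
        try:
            return body()
        except Exception:
            self.balance, self.total_shares, self.shares = snap  # model a revert
            raise
        finally:
            self.held.discard(key)

    def deposit(self, owner, amount):
        def body():
            minted = amount * self.total_shares // self.balance if self.total_shares else amount
            self.balance += amount
            self.total_shares += minted
            self.shares[owner] = self.shares.get(owner, 0) + minted
        self._guarded("deposit", body)

    def withdraw(self, owner, shares, on_receive):
        def body():
            paid = shares * self.balance // self.total_shares
            self.balance -= paid
            on_receive(paid)             # external call while state is half-updated
            self.total_shares -= shares  # shares are burned only after the call
            self.shares[owner] -= shares
        self._guarded("withdraw", body)

def run(shared_lock):
    pool = Pool(shared_lock)
    pool.deposit("lp", 1000)      # constructed sample: honest liquidity provider
    pool.deposit("caller", 1000)  # account whose receive hook re-enters the pool
    try:
        pool.withdraw("caller", 1000, lambda paid: pool.deposit("caller", paid))
        status = "re-entered"
    except RuntimeError:
        status = "rejected"
    # Value the honest provider could still redeem after the call.
    return status, pool.shares["lp"] * pool.balance // pool.total_shares
```

With per-function locks the nested deposit is priced against the half-updated state and the honest provider's redeemable value falls from 1000 to 666; with one shared lock the nested call is rejected and the whole withdrawal reverts.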
The Curve team quickly fixed the vulnerability and ultimately recovered approximately $50 million (70% of the stolen funds), allaying the concerns of many users and stakeholders. Recovered funds were either returned directly by the ethical hackers involved or secured with the help of MEV bot operators such as c0ffeebabe.eth.
CoinEx – $55 million
In September, Hong Kong-based centralized cryptocurrency exchange CoinEx reported a massive hack. Hackers infiltrated the exchange's hot wallet, which was designed for instant trading use, and absconded with more than $55 million in various cryptocurrencies.
The North Korean group Lazarus is once again suspected of being involved in this incident. Investigators have found a link between the CoinEx hack and another theft from gambling platform Stake.com, which the FBI says is linked to the Lazarus hacking group. Analysis shows that the wallet address that received the stolen funds from Stake.com had direct interactions with the CoinEx hacker’s wallet.
KyberSwap — $54 million
Decentralized exchange (DEX) aggregator KyberSwap suffered an attack on its Elastic platform that resulted in the theft of approximately $54 million in cryptocurrency.
The November 22 attack stemmed from a vulnerability in the tick interval boundaries of Kyber’s concentrated liquidity pools, allowing the perpetrator to artificially double liquidity and drain the pools of value.
In an attempt at negotiation, Kyber offered the hacker a 10% white hat bounty in exchange for returning the funds. However, the hacker had no interest in accepting the bounty and made other demands in a strange on-chain message, including a demand for full control of the project.
Separately, the team recovered $4.7 million in funds that had been taken by third-party MEV bots.
Stake.com — $41 million
Cryptocurrency-based betting platform Stake.com fell victim to a possible private key exploit of its wallets. On September 4, 2023, an estimated $41 million worth of cryptocurrency was stolen from the platform.
The FBI blamed the attack on Lazarus in a report based on an analysis of addresses on the Ethereum, BNB Chain and Polygon networks that received stolen funds from Stake.com.