
‘Crypto’ hackers target DeFi, Binance’s vulnerable BNB Chain


Digital asset-based scams and hacks are surging this year, following a year in which crypto-based fraudsters inflicted unprecedented levels of damage on their victims.

On Monday, the U.S. Department of Justice (DOJ) announced the seizure of six ‘virtual currency accounts’ containing over $112 million in digital assets linked to investment scams. The accounts were allegedly used to launder the proceeds of “cryptocurrency confidence scams” in which fraudsters “cultivate long-term relationships with victims met online, eventually enticing them to make investments in fraudulent cryptocurrency trading platforms.”

Assistant Attorney General Kenneth Polite Jr. said the DOJ hoped to “swiftly return” the purloined funds to victims. Polite described the perpetrators as “transnational criminal organizations” that combine “confidence scams with technological savvy to swindle Americans.”

Eun Young Choi, director of the DOJ’s National Cryptocurrency Enforcement Team (NCET), said “depriving scam organizations of their ill-gotten gains is an important part of our strategy to combat these ruthless schemes.” The seizures “demonstrate the value of early notification by victims to law enforcement,” and Choi thanked the unfortunate wretches who were bold enough to come forward and admit being duped in this fashion.

The DOJ’s efforts got an assist from the Federal Bureau of Investigation (FBI), which operates an Internet Crimes Complaint Center (IC3) that reported a total of $2.57 billion in crypto-related losses in 2022. That not only represented the bulk of the $3.31 billion in total losses reported to the IC3 last year, but the digital asset portion was also up 183% from 2021.

The FBI said most online fraud cases involved so-called ‘pig butchering’ rings that establish relationships with their marks, building trust over time before directing victims to digital asset investments run by other members of the ring. These ‘investments’ often initially show significant gains, after which the victims are urged to up their investment ante. Once they do, the noose is tightened, and the money is gone.

The FBI noted that many of these scams involve “malicious smart contracts accessed through cryptocurrency wallet software.” That dovetails with other reports regarding ‘fish farming’ rings that utilize malicious multi-sig wallets to deprive victims of deposited virtual assets.

The South China Morning Post recently reported the sad story of an Italian ex-pat in Hong Kong who lost $1.8 million over five weeks after falling prey to a romance scammer he met on Tinder. Hong Kong authorities said that while the number of such cases fell 7% from 2021 to 2022, the total amount scammed last year rose 16% to HKD697 million (US$88.8 million).

Hacks and rug pulls more frequent, less valuable

Immunefi, a ‘whitehat’ hacker group that describes itself as the ‘leading bug bounty platform for Web3,’ recently released its Crypto Losses in Q1 2023 report. The report shows a significant rise in the number of ‘blackhat’ hacks in the first three months of the year but a dramatic fall in the value of funds lost to these hacks.

Using publicly available data, Immunefi reported 73 hacks in the three months ending March 31, up from just 25 in the same period last year. However, the $437.5 million lost in these hacks was down 64.4% year-on-year, partly due to the dramatic decline in the fiat value of most tokens since Q1 2022.

So-called decentralized finance (DeFi) platforms appear irresistibly tempting to hackers, accounting for 99.6% of Q1 losses, versus just 0.4% for centralized finance (CeFi) platforms such as digital asset exchanges. Total CeFi losses in Q1 were $1.8 million from two incidents, a significant decline from the $76.4 million losses in Q1 2022.

Hacks of two DeFi projects—lender Euler Finance and ‘self-sovereign finance solution’ Bongdao—together accounted for 72.5% of all Q1 financial losses. Euler Finance had $197 million worth of various tokens stolen last month, but following what Euler Labs called “successful negotiations” with the hacker(s), the funds were recently returned. Only 40.5% of the overall funds stolen in Q1 have so far been recovered (although the last $20 million of the Euler funds weren’t returned until this week, so the real percentage figure will be slightly higher).

The usual suspects

Hacks accounted for 95.7% of crypto-focused financial losses due to criminal activity in Q1, with rug pulls representing a mere 4.3% of this criminal pie. Interestingly, nearly three-quarters of these rug pulls took place on BNB Chain, the proprietary network operated by controversial digital asset exchange Binance. BNB Chain also accounted for over 41% of total sums lost to hacks and rug pulls in Q1.

Immunefi’s report quoted triaging team lead Adrian Hetman saying BNB Chain “has a serious issue with developers using forked code. Its community lacks a security-first approach and attracts many users looking for a quick way to earn money.”

BNB Chain suffered 33 notable thieving incidents in Q1, dethroning the previous champ Ethereum, which endured only 22 such exploits. Arbitrum, the new ‘layer 2’ effort to alleviate Ethereum’s notorious scaling challenges, charged out of the gate with eight negative incidents, beating out rival Ethereum scaling ‘solutions’ Polygon (5) and Optimism (3).

BNB was also the most targeted blockchain in 2022, experiencing 65 negative incidents, representing 36% of all chain attacks. That was up sharply from the 43 attacks BNB endured in 2021. It’s worth noting that BNB’s Q1 total is already more than half the number of incidents it recorded during all of 2022.

Previous record-holder Ethereum suffered 49 attacks in 2022, only four more than in 2021. The perpetually problematic Solana chain ranked third with 12 incidents last year, while Avalanche (8) and Polygon (4) rounded out the top five.

In terms of dollar value, BNB ranked third on 2022’s overall money list with $570 million lost, behind only Ronin ($625 million) and FTX ($650 million). BNB’s losses occurred last October after a hacker reportedly uncovered a ‘critical bug’ in the software that allowed them to mint millions of new BNB.

The man in the white hat

Immunefi also released its latest report on the motivations behind a hacker’s decision to don a white hat rather than the black Stetsons of the malicious hacking fraternity. The Hacker Ecosystem Survey found that 77% of whitehat respondents were interested in solving technical challenges, slightly more than those seeking financial rewards for exposing software vulnerabilities (69%). Other motivating factors included boosting career opportunities (62%) and something to do with ‘community’ (38%).

More than half of whitehats are between 20 and 29 years old. Around 8% are precocious teenagers, while a mere 1.8% can claim to have been breathing for over half a century. And yes, they’re almost overwhelmingly male (95.5%), although the number of females did rise one whole percentage point from the previous survey.

Nearly 54% of whitehats view hacking as their primary vocation, a decrease from 60.2% in the previous survey. Two-thirds identified bounty size as the primary factor in choosing which bounty program to hunt on. Interestingly, bounty size ranked third (36.3%) in whitehats’ decision to dismiss a bounty program, behind inefficient communication (49.6%) and lack of trust in a project or program (62.8%).

The single greatest vulnerability identified by whitehats is reentrancy (43.2%), well ahead of access control (18.2%). Somewhat paradoxically, strong majorities of whitehats reported increases in attack surfaces (76.1%) but also saw increased security measures by projects (88.5%). And the circle of life continues…
