Jumping into cryptocurrencies sounds fun until hackers wipe out your funds.
Every few months or so, we’re seeing reports of hackers robbing the crypto world at lightning speed and getting away with millions of dollars worth of cryptocurrencies. While many of us can attest to the high level of security that blockchain technology promises, there is no denying that hackers can continue to exploit its vulnerabilities.
Hackers usually take advantage of vulnerable networks, poorly protected protocols, and human error. They enable them to steal private keys, conduct flash loan attacks, and pull off sophisticated phishing scams.
Let’s look back at the topmost damaging crypto heists since the rapid rise of decentralised finance in 2021 and explore the lessons we can learn. (*coughs* use a hardware wallet *coughs*).
Liquid is a Japanese cryptocurrency exchange that got hacked in August. According to blockchain analytics firm Elliptic, the hacker transferred $97 million worth of cryptocurrencies out of compromised wallets. A portion of that amount turned into Ethereum tokens to escape asset freezing, Elliptic said.
BadgerDAO is a decentralised autonomous organisation that enables Bitcoin as collateral on DeFi applications. In late 2021, a hacker exploited a third party application running on Badger’s cloud network. The attacker used a compromised API key to inject malicious codes to phish Badger’s customers. The thief managed to steal $130 million worth of funds, of which only $9 million was recoverable.
Cream Finance is a decentralised lending protocol that lost millions of dollars worth of cryptocurrencies in three separate attacks. The most recent one happened in October and involved the hacker stealing all of Cream’s Ethereum tokens and assets through flash loaning. The attacker netted roughly $130 million worth of cryptocurrencies.
It is interesting to note that flash loan attacks usually involve complex transactions and market manipulation. The initial analysis of Cream Finance’s attack by the BlockSec security ecosystem shows a snapshot of how extensive and coordinated the ploy can be:
Vulcan Forged is the firm behind six blockchain games, a decentralised exchange, and an NFT marketplace on the Polygon Network. In December, hackers accessed private keys to 96 hot wallets and stole 4.5 million PYR, worth $140 million at the time.
Vulcan Forged said that it has since refunded the lost assets to its investors.
Pancake Bunny is a DeFi yield aggregator associated with PancakeSwap, a decentralised exchange on the Binance Smart Chain. In May 2021, hackers pulled off a flash loan attack on PancakeBunny and got away with $200 million via PancakeSwap.
The hacker obtained a large amount of BUNNY through a loan and then dumped the BUNNY coins onto the market to reduce the price. After which, the hacker used Pancake Swap to pay off the Binance Coin loan that the hacker first took out to launch the attack on the BUNNY/BNB market.
The latest heist to make headlines was the attack on the Ronin sidechain.
Ronin is an Ethereum sidechain used in the major gaming platform Axie Infinity. The chain provides a bridge for users to move crypto in and out of the gaming platform. Unfortunately, the hacker exploited this bridge and stole private keys, wiping out roughly $615 million worth of cryptocurrencies.
There’s a pattern across all of the above case studies – online storage of private keys.
Storing private keys online puts users at risk of theft, while keeping them offline makes them inaccessible to hackers. The cryptocurrencies affected by the abovementioned heists mostly had private keys kept online.
Private keys are like the passwords to your crypto accounts. They act as digital signatures that provide proof of ownership and are used to authorise transactions. Once stolen, the thief has authority over your assets.
Keeping your private keys offline is one of the most secure ways of protecting your assets. That way, hackers will not be able to get ahold of your keys and your cryptocurrencies. A hardware wallet protects private keys in a physical device and away from public networks. UKISS Hugware is one example of a hardware wallet. It also comes with a rescue device for hassle-free wallet recovery in the case of loss or theft. There is no need to keep recovery phrases.
Still prefer to keep your private keys online? Make sure you utilise as many security features as possible. One commonly available feature is two-factor authentication, which provides an additional barrier against hackers attempting access to your assets.
Research goes a long way in helping you gauge the level of security of some hot wallets, NFT marketplaces and various DeFi platforms. Before jumping into cryptocurrencies, NFTs, and DeFi platforms, do a security background check on the platforms you wish to use. If it was attacked multiple times, there’s a chance that it is vulnerable and unsafe.
