A year of headline-grabbing hacks and scandals made 2022 a tough year when it comes to securing digital assets.
Victims lost $3 billion to crypto hacks in 2022, according to Chainalysis, a spike from $2 billion lost in 2021.
Another estimate shows that victims of major hacks and scandals have lost a total of $4.3 billion, according to data security firm Privacy Affairs. The same report shows that Americans lost $329 million in just the first quarter of 2022, long before the collapse of crypto exchange FTX, during which hackers allegedly drained wallets after it filed for bankruptcy.
Here’s a list of many of the major and noteworthy hacks of 2022, and how they occurred, listed in chronological order:
Wormhole Crypto Bridge – $320 million
In February, Wormhole, the name of a protocol that helped facilitate the movement of digital assets from one blockchain to another blockchain network (a blockchain is digital database underpinning cryptocurrencies), was hacked for crypto worth over $320 million. The hacker found a vulnerability in Wormhole’s smart contract, which allowed the attacker to fraudulently mint a large number of crypto tokens.
Jump Crypto, a trading and VC firm, eventually replaced the stolen 120,000 ETH
to support Wormhole.
Axie Infinity – $625 million
In March, hackers stole $625 million worth of crypto assets from gaming-focused Ronin Network, which hosted a game called Axie Infinity. At its peak in 2021, Axie Infinity’s play-to-earn game model allowed gamers in Southeast Asia to earn a living simply by playing the game.
But Sky Mavis, the team behind Axie Infinity, noted in a blog post that hackers were able to steal validator keys, which allowed them to take control of the Ronin network. They stole around 173,000 ether, or about $597 million at the time, and $25 million worth of stablecoin USDC, a total of around $625 million, in what is considered the largest decentralized finance exploit to date.
Beanstalk Farms – $182 million
In April, blockchain analytics company Peck Shield, noticed a hack on Beanstalk Farms, a decentralized finance protocol that aimed at balancing supply and demand of cryptocurrency assets.
The hacker exploited the project’s governance system, which like most DeFi projects works by majority vote. The creators of Beanstalk made it so that participants can vote to make changes to the code. Participants got voting rights based on the proportion to the value of the tokens they held, creating an opportunity for the hackers.
The attack was facilitated using a DeFi product called a “flash loan” which lets people borrow a large amount of crypto for a short period of time, sometimes mere minutes or seconds. Usually, these are meant to provide liquidity for price arbitrage opportunities, but in the case of Beanstalk, it was used to gain majority voting rights and approve the execution of code that transferred assets to their own wallet. The hacker instantly repaid the flash loan, netting around $80 million in profit. In PeckShield’s analysis, the firm found that Beanstalk Farms had lost $182 million in total from the hack.
In October, a flash loan was also used in another attack on Solana-based lending platform called Mango Markets to funnel over $100 million in customer deposits off the platform. Avraham Eisenberg was arrested in Puerto Rico and faces charges of commodities fraud and manipulation, according to a filing made public on Tuesday.
Eisenberg argued as recently as October, via Twitter, that his actions were legal:
Nomad Bridge Attack – $190 million
In August, Nomad, a bridge that connected various blockchain networks, was hacked for $190 million worth of crypto assets, in the second-largest cross-chain bridge attack of the year, and the fourth largest DeFi hack at the time. The hack was the result of an error in Nomad’s smart contract, in which attackers found a vulnerability. Just a few days before the incident, Nomad had revealed in a blog post that big name investors like Coinbase Ventures, OpenSea, and Crypto.com Capital, had taken part in an April funding round for $22 million to help develop a security-first solution.
Wintermute Hack – $160 million
In September, crypto market maker Wintermute was hacked for $160 million in its DeFi operations, and the news was tweeted out by Evgeny Gaevoy, founder and CEO of Wintermute.
“We are solvent with twice over that amount in equity left,” he said at the time.
Later, Gaevoy explained to Forbes that the hack had likely originated with a service called Profanity, which generates “vanity addresses” for accounts to make them easier to access (otherwise, crypto accounts are normally accessed through a long string of varied letters and numbers). There was a security vulnerability with Profanity’s code, which may have allowed a hacker with enough computing power to hack possible keys and passwords.
After crypto exchange FTX filed for bankruptcy in November, on-chain data showed that the exchange’s wallets were losing funds that ranged anywhere between $370 million to $400 million. Sam Bankman-Fried, former chief executive of FTX, said in an interview that a former employee or bad actor, who likely stole private keys to FTX’s crypto wallets, was behind the draining of the funds. It was later revealed by new FTX chief executive John J. Ray III that FTX had stored private keys that weren’t encrypted, and overall lacked security.
In congressional testimony in December, Ray said, “never in my career have I seen such an utter failure of corporate controls at every level of an organization, from the lack of financial statements to a complete failure of any internal controls or governance whatsoever.”
Overall, $1 billion to $2 billion of FTX clients’ funds continue to be unaccounted for. Bankman-Fried has been charged with eight criminal accounts including fraud, money laundering, and campaign finance offenses.
Ray, in his testimony, said that although the investigation is ongoing and detailed findings will take time, “the FTX Group’s collapse appears to stem from the absolute concentration of control in the hands of a very small group of grossly inexperienced and unsophisticated individuals who failed to implement virtually any of the systems or controls that are necessary for a company that
is entrusted with other people’s money or assets.”