The FBI said on Thursday that the Lazarus Group, a prolific hacking team run by the North Korean government, is responsible for the March 2022 hack of a cryptocurrency platform called Ronin Network.
The hackers stole $620 million in the cryptocurrency Ethereum. That’s an eye-catching number in almost any context. But in the Wild West environment of crypto, the Ronin hack is just one of eight megaheists in the past year in which hackers have stolen more than $100 million in cryptocurrency.
“Things are going too fast for people to keep up with,” says Kim Grauer, director of research at the blockchain analysis firm Chainalysis. “People bake into their investment strategy a kind of acceptance of the risk that you might get hacked or it all might go to zero.”
In 2021, criminal hackers stole approximately $3.2 billion in cryptocurrency, six times more than they made off with in 2020, according to Chainalysis. That year included six hacks of at least $100 million stolen and dozens of smaller hacks involving tens of millions.
Now 2022 is off to its own headline-grabbing start. The year in heists began when Qubit Finance, a new decentralized finance protocol, lost $80 million to hackers in January. When the anonymous crypto blog rekt.news chronicled the incident, the writer captured the strange feeling around the blistering pace of these enormous hacks: “But will anyone remember this next week?”
It was a prescient question. Before that week was out, the cryptocurrency platform Wormhole was hacked for $325 million when attackers exploited an improperly applied security fix.
Why does this keep happening? In the cryptocurrency industry, businesses are spun up quickly, security is often an afterthought, scams are prevalent, and investors often don’t truly analyze the risk across a wide range of novel investments.
“This industry is growing so fast,” Grauer says. “There are so many opportunities for new businesses to come online that people are investing at unprecedented rates and are investing in platforms that are not super well structured or managed. It’s a common investment strategy to maybe invest in 50 different protocols and tokens and hope that one of them goes to the moon. But how are you going to do proper due diligence on all 50?”
The normal answer: You do not.
Poorly managed teams running open-source code are common in crypto (and elsewhere). Hackers know it, and they take advantage to the tune of enormous sums.
In February’s hack of Wormhole, a decentralized finance (“DeFi”) platform that provides a “bridge” between blockchains, a hacker struck after open-source code fixing a critical vulnerability had been written but not yet applied to the live project. Weeks after it was initially written, the fix was uploaded to the project’s public GitHub page. The deployed project was not updated right away, so the public fix effectively disclosed the bug before it was closed: the hacker found the security code first, and the vulnerability was exploited within hours.
The biggest crypto thefts used to involve funds stolen from centralized exchanges. That type of crime still totals approximately $500 million per year, according to Chainalysis, but pales in comparison to how much now gets stolen from DeFi platforms, which totaled nearly $2.5 billion last year.
DeFi—an idea similar to smart contracts—is all about transparency and open-source code as an ideology. Unfortunately, in practice that too often means rickety multimillion-dollar projects held together with tape and gum.
“There are a few things that make DeFi more vulnerable to hacking,” Grauer explains. “The code is open. Anyone can go over it looking for bugs. This is a major problem we’ve seen that does not happen to centralized exchanges.”
Bug bounty programs—in which companies pay hackers to find and report security vulnerabilities—are one tool in the industry’s arsenal. There’s also a cottage industry of crypto audit firms that will swoop in and give your project a seal of approval. However, a cursory glance at the worst crypto hacks of all time shows that an audit is no silver bullet—and there is often little to no accountability for either the auditor or the projects when hacks happen. Wormhole had been audited by the security firm Neodyme just a few months before the theft.
Many of these hacks are organized. North Korea has long used hackers to steal money to fund a regime that is largely cut off from the world’s traditional economy. Cryptocurrency in particular has been a goldmine for Pyongyang. The country’s hackers have stolen billions in recent years.
Most hackers targeting cryptocurrency are not funding a rogue state, though. Instead, the already robust cybercriminal ecosystem is simply taking opportunistic shots at weak targets.
For the budding cybercrime kingpin, the more difficult challenge is successfully laundering all the stolen money and turning it from code into something useful—cash, for example, or in North Korea’s case, weapons. This is where law enforcement comes in. Over the last few years, police around the world have been investing heavily in blockchain analysis tools to track and, in some cases, even recover stolen funds.
The recent Ronin hack is a case in point. Two weeks after the heist, the crypto wallet holding the stolen currency was added to a US sanctions list because the FBI was able to connect the wallet to North Korea. That will make it harder to make use of the stolen funds, but certainly not impossible. And while new tracing tools have started to shed light on some hacks, law enforcement’s ability to recover and return funds to investors is still limited.
“The laundering is more sophisticated than the hacks themselves,” Christopher Janczewski, who was formerly lead case agent at the IRS specializing in cryptocurrency cases, told MIT Technology Review.
For now, at least, the big risk remains part of the crypto game.