Crypto facing cyber risks: “A bug can endanger millions of euros”


Known for its market upheavals and vast scams, leaving millions of investors on the hook, the crypto world is less known for its large-scale hacks. That could change. Crypto-asset thefts reached a record $3.8 billion last year (+500 million compared to 2021), according to the “CryptoCrime” report recently published by the American economic analysis company Chainalysis. October 2022 was the most significant month, with 32 attacks that stole more than 775 million dollars. The Korean group Lazarus stole the equivalent of $1.7 billion in assets.

This growing interest on the part of hackers is explained primarily by the growth of the community. The valuations of cryptocurrencies – currently around 1000 billion dollars – but also of NFTs have exploded since the Covid-19 crisis. The first point of entry is therefore “wallets, these new consumer digital wallets”, says Laurent Leloup, director of the strategy consulting firm Leloup Partners, a specialist in crypto subjects. Simple phishing – tricking the user into disclosing his own secret codes – can be enough to reach a target. But bigger fish have appeared and with them new and even more lucrative ways to do business. Vincent Maret, cybersecurity expert at KPMG, points to the recent boom in DeFi, “this bubbling ecosystem offering financial services (credits, loans, etc.) and in which tens of thousands of dollars have been placed by investors”. This sector, which accounts for more than 80% of thefts in 2022 according to Chainalysis, is subject to numerous manipulations. “The ‘flash loans’ allow attackers to borrow, for the time of a transaction, very large sums which allow them to manipulate the prices of crypto-assets”, continues Vincent Maret. The sector also has major technical flaws. “A single bug can put millions of euros at risk.”

Not so smart contracts?

By “bugs”, the expert is pointing more specifically at “smart contracts”, the programs developed to automate transactions on blockchains such as Bitcoin, Ethereum, Cardano, Solana or Tezos. These programs, whose use has exploded in recent years, are sometimes used to transfer funds between two public blockchains. “If this contract is badly coded, it’s a disaster…”, warns Laurent Leloup. Hackers are crazy about these breaches, known in the industry as “inter-chain bridges”: two billion dollars evaporated in this way in 2022.

Initiatives are multiplying to stop the bleeding. “Specialized companies audit the source code of smart contracts to declare flaws. Automatic analysis tools are also developed. DeFi projects also use the “bug bounty” approach, which assigns rewards to auditors who find flaws. The biggest bounty is currently $10 million. Finally, others offer monitoring services that analyze transactions executed on blockchains to spot attacks or the premises of attacks”, lists Vincent Maret. They are not the only ones. “The crypto world simply lacks cybersecurity professionals”, points out Laurent Leloup. Cybercriminals like the Lazarus Group, for now, are rubbing their hands.
