2020 was an incredible year for crypto but it came with bumps. Users were again robbed and conned out of hundreds of millions of dollars in valuable virtual assets. We review the five worst crypto hacks of 2020 and divulge some essential security lessons for 2021.
2020 was a banner year for cryptocurrency, with Bitcoin gaining 224% and other coins like Ethereum also taking great strides forward. There warranted optimism that this upward trend will be continuing in 2021, thanks to growing institutional investment, multiplying retail broker options and new technological highs thanks to innovations like DeFi.
Despite positive market trends, however, a series of audacious hacks have cast a shadow over the crypto industry, just as in 2019’s record year for virtual asset theft. With that in mind, let’s take a look at the worst hacks and scandals of 2020, and the lessons that we can draw from them.
Dishonorable Mention: Ledger Data Hack
Let’s get this out the way first out. It’s been a brutal 2020 for pretty much everyone (well unless you’re one of these guys) and leading hardware wallet maker Ledger had it as bad as anyone.
Ledger made headlines when it was revealed that their user database was hacked in July 2020. In December 2020, a data dump indicated that 1 million email addresses and the personal information of 270,000 Ledger users were exposed. Ledger also announced that over 20,000 users’ details were hacked due to an inside job at Shopify. The company has since announced new measures to deal with the crisis.
The data leak has resulted in a prolonged phishing campaign where many Ledger users have been tricked through emails and their crypto holdings stolen after they reveal their recovery seed in order to “update” their device. Other cases of SIM swapping and even threats of home invasions and physical violence were reported by users.
We’d like to let Ledger’s troubles reinforce this message to our users: It doesn’t matter how strong your crypto fortress is when you let an invader in through the front door. You are ultimately your own best security. Please take these measures:
- Demand accountability from companies in how they handle and use your personal data
- Be diligent against sophisticated phishing and tampering techniques
- Familiarize yourself with the most popular Ledger phishing tactics here.
Ok, on to the Top 5 hacks of 2020!
5. The KuCoin Caper
Exchange hacks are par for the course in crypto and 2020 was no exception. There were a string of high-profile hacks, including the $5.4 million hack of Eterbase, but the most infamous is the KuCoin hack.
In late September, KuCoin users awoke to the news that hackers had made off with more than $281 million in assets. The hackers had obtained the private keys to a number of the exchange’s hot wallets and used them to make massive withdrawals of cryptocurrency. The exchange discovered and moved to freeze the funds before more damage could be done.
Exactly how the attackers gained the private key is still unknown. But given that 84% of hacks are based on social engineering (the act of deceiving someone into exposing sensitive information or taking action, usually via technology) like phishing, it seems likely this one was too.
Once the hackers had the funds, they proceeded to mask the transactions using coin-mixers and sell them on DeFi exchanges, such as UniSwap.
What followed was an extended scavenger hunt. Tether (controversially) froze around $33 million in funds and KuCoin has been able to successfully track down around $204 million in funds. The remainder of the missing funds are supposed to be covered by the exchange’s insurance.
The Lesson: This is said so often that it sounds like a broken record at this point, but… Don’t store your crypto in exchange wallets unless you’re planning to trade it.
4. Smart Contract and DeFi Rug Pull Mayhem
DeFi contracts have become something of a nightmare for crypto enthusiasts. On the one hand, they open the door to some incredible financial innovation and insane rewards for early investors who back the right projects. On the other hand, they’re coded by people, and people make big mistakes or sometimes, they steal outright.
A study in 2018 found that around 45% of smart contracts have some kind of vulnerability. This problem is exacerbated by the fact that a smart contract cannot be altered once it is deployed, so any bugs are there to stay.
This has been a recurring problem for the DeFi community and there were multiple major breaches in 2020. The first major attack occured in February when a hacker leveraged a vulnerability to hack DeFi lending platform bZx not once, but twice! They acquired nearly $1 million in crypto assets, and forced the platform to close the contract.
While that’s impressive, it is nothing compared to the attack on Chinese DeFi exchange DForce. The hacker exploited the re-entrancy vulnerability in the ERC-777 token standard. This enabled them to drain the liquidity pool of almost $25 million in a single night. There were scores of similar other attacks on DeFi platforms throughout 2020.
One specific yet very high-risk DeFi field called yield farming, also known as liquidity mining, has skyrocketed in 2020 and pulled in many risk-immune investors looking to get in early on the next possible YFI success story. Many of these projects push out their protocols early to ensure they beat the competition, and their code is often buggy and almost always unaudited. This puts them right in the crosshairs of hackers, unfortunately, Soon enough this leads to a notorious new type of criminal activity that combines hacking and scamming.
Liquidity mining usually rewards crypto users who stake their tokens (e.g. SUSHI, YAM, WBTC, UNI) very handsomely. It provides compound interest yield as well as incentives such the governance token of a new protocol. After the success of projects like YFI, Compound, Curve, Yam and the series of DeFi food and meme coins, many bad actors moved into the scene, copying and altering their code and passing it off as the hottest new DeFi yield farming project, with promised annual percentage yield (APY) running into thousands of percentages.
Once enough investors have flocked to a liquidity pool of what would appear to be a legitimate project and staked enough of their assets, the usually anonymous developer simply drains the funds and absconds with them, leaving investors high and dry.
The Lesson: Smart contracts are not infallible, and are often not what they appear to be. There is always a risk that you will lose all your capital if you use them. This doesn’t mean that DeFi is inherently dangerous, but it does mean that you should exercise caution. If you are to interact with smart-contract-based protocols and projects, make sure that they have a strong security team, and importantly that their projects have been AUDITED.
3. DeFi Mutual Founder Tricked Out of Millions
It’s not just companies or individuals getting scammed. In December 2020 the founder of DeFi Mutual was conned out of $8 million in assets. The attack involved a relatively sophisticated form of social engineering that allowed the hacker to install a compromised version of MetaMask on Karp’s device. This tricked Karp into sending $8.2 million in NXM to the hacker’s address.
The attack was particularly interesting because Karp was using a hardware wallet. These wallets typically prevent man-in-the-middle attacks by requiring confirmation of a transaction on the device itself. Theoretically the device’s screen can’t be tampered with.
The hacker got around this by replacing a legitimate transaction with his own, so Karp mistakenly approved it. The founder of DeFi Mutual complimented the hacker, and has offered to drop charges and give him/her a $300,000 bounty if they return the funds.
The Lesson: Social engineering attacks are dangerous. If a hacker is able to take control of your browser or metamask, they can compromise your wallet. If it can happen to the founder of a major blockchain project, it can happen to you.
2. The Yearn.Finance Scandal
Even DeFi darling Yearn.Finance ran into problems in 2020. On September 28th, Yearn founder and DeFi darling Andre Cronje tweeted a teaser about an upcoming “economy for the gaming multiverse.” Some DeFi enthusiasts were able to use the tweets to uncover the unfinished and unaudited contract named Eminence.
This, naturally, led to utter chaos as the DeFi community was consumed with FOMO. Within hours “investors” had poured $15 million into an unfinished contract. A hacker then promptly drained the contract of $15 million. However before he made off, this digital pirate sent half of his haul to Yearn.Finance’s deployer account, unfairly leading to conspiracy claims that the South African founder was complicit in the hack.
Despite being foolish enough to deposit $15 million into, once again, an unfinished contract still in production, traders were outraged. This culminated in an attempt to fork the Yearn.Finance ecosystem and to sue Cronje. The scandal forced Yearn’s founder to take a step away from Twitter amidst death threats.
The Lesson: Don’t “invest” in unaudited smart contracts. If you insist on doing so, prepare to lose it all faster than you expected.
Bonus Lesson for Developers: Maybe “test in prod” isn’t the best approach?
1. The Twitter Puppeteering Act
One of the more ingenious attempts at scamming crypto traders was the infamous Twitter hack in July. Some hackers, particularly skilled at phishing attacks, were able to trick a handful of Twitter employees into handing over their credentials. The attackers were then able to compromise a number of one word, so-called “OG” twitter handles and have fun.
This was just the beginning. Shortly after this, Binance tweeted that it was giving crypto back to the community. All users had to do was send BTC to a wallet address (controlled by the hackers). Soon similar tweets were popping up from crypto accounts, but also a number of celebrities.
Fortunately for Twitter, the hackers proved to be less than skilled. Their approach resembled the classic Nigerian Prince scam and they were only able to net around $121,000 in Bitcoin for their efforts. In July, three teenagers were arrested for perpetrating the hack.
Unfortunately for Twitter, they don’t seem to have resolved the problem and there was another hack on January 15th 2021. This time they focused on an Elon Musk themed scam and at the time of writing the hackers had captured around $500,000 in cryptocurrency assets.
The Lesson: If it sounds like a scam, it’s a scam. Don’t send money to unverified wallets and don’t just assume that your favorite twitter celebrity has decided to throw cryptocurrency your way.
Crypto Security Lessons for 2021
There are a few lessons that can be drawn from these hacks. The first is the most obvious: Good cybersecurity hygiene is important for everyone but essential for cryptocurrency traders or companies. Many of the attacks in 2020 were only possible thanks to hackers utilizing social engineering.
Following best practices like enabling two-factor authentication, setting up proper recovery channels, and not sending transactions to strange wallet addresses promising you free Bitcoin (Seriously people!) will hold you in good stead.
The other lesson will be harder to mitigate. A common feature of most crypto hacks in 2020 was the use of DeFi exchanges to liquidate funds. This is beginning to attract the attention of regulators and could have serious consequences for DeFi exchanges in particular.
Regulators in the EU and US are beginning to consider what kind of controls are needed to protect traders (and their tax money) from disappearing into decentralized exchanges. If handled poorly, this could cripple the DeFi industry.
One thing is for certain: 2020 wasn’t the end of crypto hacks. 2021 is bound to be filled with more success stories and scandals. Stay vigilant!
Here are our pro tips to stay safe!
CoolWallet S is the most secure crypto hardware wallet for Bitcoin, Ethereum, Litecoin, Bitcoin Cash, ERC20 Tokens, and other quality crypto assets.
If you’re looking to have full control over your Bitcoin ownership, the best cold (offline) storage, while retaining complete access to buying, selling and trading features on platforms such as ChangeHero, Changelly, BitPay, Binance DEX, UniSwap (and other WalletConnect decentralized exchanges), then your choice is easy.
The CoolWallet S is a revolutionary hardware wallet first released in 2016. Its first-gen predecessor was the world’s first Bluetooth mobile hardware wallet. The CoolWallet S allows you to keep your crypto in cold storage, completely offline, in full control, and in your real-world wallet.
The CoolWallet’s EAL5+ secure element, encrypted military-grade Bluetooth protocol, and several biometric security checks ensure that you can take it with you everywhere you go, without the need to use custodial solutions like centralized exchanges.
Learn more: Here are 10 reasons why you should get a CoolWallet in 2021!
Written by Werner Vermaak
Disclaimer: CoolBitX provides these blog posts for general educational purposes only. Information on this blog expresses the opinion of the author only. It does not constitute professional legal or financial advice and should not be considered as such.
The author or company may update the information on this article at any time without prior notice and do not guarantee the work to be up to date and accurate. To the best of our knowledge, the information provided here is factual at the time of writing.