Sep 6, 2023

Beware: A Roundup of Recent Crypto Hacks

Bitcoin Macro

Crypto #cybersecurity roundup! We look at the #Stake, #Curve and #Multichain hacks.

One of the most challenging aspects of the #blockchain and #crypto industries is the risk of #cybersecurity threats, such as #hacks, #social #engineering and other forms of compromise of popular and, sometimes, central aspects of crypto infrastructure. While cybersecurity threats are universal, including in traditional industry and finance, the uneven regulatory landscape makes crypto industries a particularly tempting target to threat actors. Here’s a roundup of some recent hacks—it’s always a salient reminder to put good operational security and cybersecurity measures in place!

Stake

Popular crypto gambling platform #Stake was hit with a major hack this week, resulting in losses of over $41 million in digital assets. The breach was first detected Sunday when blockchain security firm Cyvers noticed suspicious transactions rapidly draining funds from Stake's hot wallet. Further investigation revealed the hackers made off with $15.7 million in Ethereum and stablecoins from the Ethereum network. Additional stolen assets totaling $25.6 million were also transferred out through Polygon and Binance Smart Chain.

Stake confirmed the hack hours later on Twitter, stating "unauthorized transactions" had occurred and they were investigating. The company temporarily suspended deposits and withdrawals during this period. It appears the attackers gained access to private keys for Stake's hot wallets, which allow speedy user payouts but increase vulnerability. While details are still emerging, Stake has said user funds remain safe, implying the stolen assets belonged to the company.

The popular online gambling site enables users to place bets and wagers with cryptocurrency. Stake gained notoriety through partnerships with celebrities like Drake and major sports teams. But crypto casinos and exchanges remain prized targets for hackers due to relatively lax security controls compared to traditional finance. Stake has since resumed operations after securing its systems, but the sizable breach demonstrates that crypto firms need to urgently prioritize shoring up security and safeguarding private keys to prevent future exploits.

In August 2023, Ilya Lichtenstein and his wife Heather Morgan pleaded guilty to money laundering conspiracy charges related to the 2016 hack of crypto exchange Bitfinex, in which Lichtenstein allegedly stole around 120,000 bitcoins. The couple were arrested in early 2022 after authorities seized 95,000 of the stolen bitcoins worth $3.6 billion, and authorities have since recovered $475 million more. In July 2023, Lichtenstein and Morgan reached a plea deal regarding the charges, and Bitfinex announced it had recovered over $312,000 in cash and $2,000 in Bitcoin Cash from the hack with help from US authorities. The hack resulted in the loss of nearly 120,000 bitcoins from Bitfinex, though authorities have been gradually recovering portions of the stolen funds since. This means that the US government is one step closer to handing those bitcoins back to Bitfinex, 80% of which will then be distributed to LEO holders.

In other positive hack-related news, Mt. Gox creditors may finally get some relief. Mt. Gox was infamously hacked in 2014, leading to the loss of 850,000 bitcoin. Now in 2023, its trustee has opened the repayment window to creditors after receiving all claims information. This would mark major progress in reimbursing Mt. Gox users who lost funds. The trustee noted that preparations for repayments will take some time and the deadline could be extended with court approval. Mt. Gox is set to distribute an unknown portion of its remaining 142,000 BTC, 143,000 BCH, and 69 billion JPY to creditors. Payments will be made in a combination of bitcoin, bitcoin cash, and Japanese yen, with the first 200,000 yen of each claim paid in fiat. Larger claims will receive approximately 71% crypto and 29% cash after the initial yen payment. This long-awaited repayment process is an encouraging development for Mt. Gox victims who have been waiting nearly a decade to recover their lost funds.

The Department of Justice also unveiled indictments against two Russian hackers, Alexey Bilyuchenko and Aleksandr Verner, for the Mt. Gox hack and for laundering over 647,000 stolen bitcoins. The hackers allegedly stole the Bitcoin from Mt. Gox between 2011 and 2014, contributing to the exchange's collapse. They then tried to launder the funds through BTC-e, the notorious exchange Bilyuchenko helped set up. BTC-e enabled criminals globally to launder billions until it was shut down by U.S. authorities in 2017. Bilyuchenko was charged with conspiring with Alexander Vinnik, who operated BTC-e and was extradited to the U.S. last year. Bringing these perpetrators to justice is an important step on the road to getting funds back to victims in major crypto theft cases. As more hacks are solved, it builds confidence in the justice system’s ability to eventually make hacking victims whole.

Curve

Decentralized exchange Curve Finance suffered a major setback on July 30th when an exploit drained $73.5 million from multiple factory pools due to a reentrancy bug in old Vyper contracts. The attack sent shockwaves through DeFi as Curve's CRV token plunged 30%.

Curve founder Michael Egorov rushed to shore up his sizable loan position collateralized in CRV to avoid liquidations. He sold 72M CRV worth $28.8M in OTC deals, repaying debts and reducing risks. Meanwhile, white hats returned over 70% of stolen funds, easing liquidity issues.

The CRV price stabilized around $0.61 as funds got restored. But the incident revealed vulnerabilities in deprecated Vyper contracts powering much of DeFi. It also highlighted the sector's interconnectedness and fragility.

While the financial impact was contained thanks to white knights, concerns persist about DeFi's security and stability. However, major players like Aave, Binance and Huobi acquiring CRV in deals with Egorov signals continued confidence. As CRV’s price is now back near recent lows, the threat of liquidation for its founder’s position still looms. If that position gets liquidated, it could trigger a cascading effect across other DeFi protocols too.

Curve's swift response and coordinated efforts by ecosystem partners helped minimize contagion for now. Patching the Vyper bug and restoring funds were positive steps. But Curve's reputation has taken a hit. Only time will tell if the exchange fully recovers from this exploit.

Overall, the Curve situation highlights lingering risks and uncertainties in DeFi. Robust security is essential as the sector continues rapid growth. Events like this may slow adoption in the short term but will ultimately strengthen DeFi in the long run. The community's resilience amid crisis is a promising sign.

Multichain

The once-promising cross-chain protocol Multichain has descended into turmoil, leaving users stranded amid over $230 million in exploited funds. This analysis will dissect the anatomy of Multichain's ongoing catastrophe - from its mysterious beginnings to the massive crypto heists that may portend its downfall.

The first omens of trouble arose in May when transactions slowed to a crawl. Multichain blamed benign technical upgrades, but later admitted certain routes were down due to opaque "force majeure" events.

Around this time, Multichain revealed its CEO Zhaojun was unreachable, lending credibility to rumors he had been detained by Chinese authorities. His unexplained disappearance left Multichain rudderless during its time of crisis.

Spooked by the uncertainties, major crypto players like Fantom, Justin Sun, and HashKey withdrew millions in funds from Multichain. Their loss of faith foreshadowed the troubles to come.

In July, the exploit tsunami hit. Hackers first targeted Multichain's Fantom bridge, draining $58 million in USDC and over $30 million in wrapped BTC on July 6th. Further strikes siphoned assets from Moonriver and Dogechain.

Just a day later, Multichain halted services after $126 million in crypto vanished to unknown wallets from its Fantom and Dogechain bridges. Analysts noted the methodical transfers suggested insider betrayal rather than external breach.

On July 11th, the annihilation continued as Beosin revealed another $103 million had been extracted across Multichain's sprawling bridge ecosystem including Avalanche, Arbitrum, and Polygon. Millions in USDC, fUSDT and wrapped ether were among the casualties.

In total, over a quarter billion dollars in exploits has occurred under the watch of Multichain's absentee CEO and fractured dev team. The relentless asset hemorrhage indicates structural weaknesses at the core of Multichain's business model.

Like a creature with its spine severed, Multichain flails disconnected from its own bridges and capital. Its technology has proven too centralized and brittle to withstand multipronged assault.

While Tether and Circle managed to freeze some funds, the exploits have already resulted in the greatest bridge loss since Wormhole's $326 million attack. And with devastation still unfolding, Multichain's survival grows doubtful.

Perhaps most alarmingly, the exploits reveal the intrinsic fragility of crypto bridges hastily constructed on shaky centralized foundations. Like a wooden bridge built without pilings, they appear sturdy yet crumble at the first sign of turbulence.

The Multichain debacle may ultimately spur the industry to finally engineer the elusive "holy grail" of decentralized bridges. For visionaries, that promised land has drawn closer - but at the cost of another protocol forced to walk the crypto plank.

Yet Multichain's breakdown was avoidable. Its reliance on MPC models and trusted validators created an attack surface exploited by ill-intentioned insiders. Its failure illuminates the urgent need for deep due diligence of crypto project leadership and technology.

For now, Multichain users must anxiously await further updates as the embattled protocol balances on the brink of dissolution. But its ultimate fate may be moot as focus shifts to constructing a more antifragile crypto infrastructure guided by the virtues of transparency, decentralization and immutability.
