View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Policy
  2. Digital economy
July 8, 2022updated 11 Jul 2022 4:49pm

Web3 projects have lost $2bn to hackers and scammers so far this year

As web3 investment booms, hackers see companies working on decentralised platforms as lucrative targets.

By Ryan Morrison

Companies working on platforms underpinning web3 – the notion that the future of the internet will be decentralised – have lost more than $2bn to hacks and scams since the start of 2022, according to a new report by web3 security firm CertiK. An analyst who spoke to Tech Monitor warned these companies are under assault from criminal gangs and nation state-backed groups from countries like Russia and North Korea.

The report suggests the cryptocurrency space is particularly prone to traditional methods of exploitation including hacking, scams and phishing, alongside newer crypto-specific attacks, and the amount of money being obtained by criminals is increasing.

Since the start of this year millions have been lost to hostile takeover attacks that involve a scammer buying a majority of governing tokens (Photo: BlackSalmon/iStock)
Since the start of this year millions have been lost to hostile takeover attacks that involve a scammer buying a majority of governing tokens (Photo: BlackSalmon/iStock)

Though $2bn may seem a large sum, it is a drop in the ocean compared to the overall value of decentralised assets that underpin web3, says Jared Klee, an analyst from Futurum Research. “The market cap for crypto is about $3tn overall, so $2bn against that is a lot smaller than $2bn on its own,” he says. “That’s no consolation for those whose money was stolen but there is a lot of money in the space at the moment.”

He explains: “You have an industry that has grown up very quickly and that has had an enormous amount of money flow into it in a relatively short period of time. With that you get the smartest, best and brightest people, but alongside the ones working on new ideas, you also have the smartest, best and brightest with ulterior motives.”

On top of that, he said nation states are also targeting the web3 and crypto space in a way that was inconceivable during previous iterations of the internet. He gave the example of North Korea using a fake job application phishing scam to gain access to crypto startups, collecting information on the companies from the inside.

Web3 hacks and scams: millions lost to flash loan attacks

By far the most common type of attack to hit web3 projects this year were flash loans. This is where a scammer borrows a large amount of cryptocurrency for a short time and uses it to manipulate the value of a certain token, allowing them to then buy up all the governance tokens and vote to withdraw any money available for that project to their own wallet.

Beanstalk Farms became one of the largest victims of this type of attack in April this year. The decentralised finance project was hit by an attacker who mounted the hostile takeover by buying up enough tokens in the project to take control, then voting to transfer tokens worth $182m to themselves.

This type of governance attack is often funded using the so-called flash loans. In the case of the Beanstalk attack it involved a $1bn cryptocurrency loan via Aave, giving them enough to buy 67% of Beanstalk, release the funds, return the loaned cryptocurrency and net the profit – in 13 seconds.

Content from our partners
How to turn the evidence hackers leave behind against them
Why food manufacturers must pursue greater visibility and agility
How to define an empowered chief data officer

CertiK’s report revealed $308m had been lost in 27 flash loan attacks in the second quarter of 2022, significantly higher than the $14m lost to the same category of attack in the first quarter of this year.

“There is nothing inherently wrong with a flash loan,” Klee says. “There is no credit risk, you are guaranteed to get that money back. It lets people amplify the size of what they are doing and can be useful in arbitrage in increasing leverage.”

The problem, he explained, is that not only can it be used in arbitrage, but the same process can be used to give a scammer leverage to take over control of a project. “The type we are talking about is known as a 51% attack. This is where I get 50 plus 1% of voting power and rewrite the rules of the network. There is nothing inherently illegal in the fact somebody buys up 51% of the vote, the problem lies in what they do with that share.”

He expects that, in future, web3 projects will take out insurance against these types of hostile takeovers, or rules will be written into projects to make it harder to achieve. “We have rules in the public market that don’t prevent you buying 50%, they just assure that if you are going to do that the other shareholders are aware of what you are doing and I can see something like that being used in the web3 space," he adds.

Hedi Mesme, Commercial Manage and Partner, NOE Crypto Bank told Tech Monitor eradicating the issue of malicious attacks in the Web3 space involves a range of techniques. "We use institutional digital asset custody, settlement and issuance to insure the security of crypto assets, transfers and custodys under our entity. We utilize Fireblocks as our preferred software tool, and APIs to custody, and manage all digital asset operations."

Phishing attacks centred on Discord

The report also shows there was a spike in the number of phishing attacks between the first and second quarter of this year, almost trebling from 106 to 290. Most of these centred on the social networking and communications app Discord which is used widely within the crypto and NFT communities.

Klee said it wasn’t a surprise Discord was at the centre of the attacks, but that this didn't indicate a specific flaw with the platform. “It is just about where people hang out,” he says, explaining that it could just as easily have come from an email, tweet or Instagram post.

“I think Discord is making a real effort to try and help with this. Facebook has been around since 2004 and has been working against nation state actors for 15 years," Klee says. "Discord has been around since 2015 and is growing at a rapid rate, so needs time to update its systems.”

Read more: Bitcoin "not a viable option" for payments

Topics in this article:
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU