Hackers stole over $4 billion in cryptocurrencies this year — Here’s a full list of the biggest crypto heists in 2021

  • Hackers made off with more than $4 billion worth of cryptocurrencies in 2021, according to a report by Crystal Blockchain.
  • Decentralised finance (DeFi) saw the biggest jump in thefts — a sector that’s new and still growing, making it an attractive target for thieves.
  • The Poly Network exploit, which saw over $610 million in crypto coins siphoned off, isn’t only the biggest DeFi attack of the year, but the biggest in all of DeFi history.
Crypto markets may be the next generation of financial services, but the same old risks still apply: where there’s money, there are people trying to steal it. This year, hackers got away with $4.25 billion. That is almost triple the 2020 figure, when around $1.49 billion in crypto assets were stolen. Data compiled by Comparitech shows that 2021 saw six of the ten costliest crypto hacks of all time.

The fastest-growing way to steal crypto this year was hacking decentralised finance (DeFi) protocols, which alone accounted for $1.4 billion of the total crypto funds stolen this year, according to a report by analytics firm Crystal Blockchain. “This can be explained by the fact that the technology is new and still has a lot of vulnerabilities,” it said.

In fact, the biggest DeFi breach to date occurred in 2021 with $610 million worth of cryptocurrencies swiped from the Poly Network by a hacker who was only looking to ‘prove a point’. “DeFi attacks will continue increasing, while the DeFi industry continues building better security systems and hackers continue to do their best to break these systems,” said Crystal’s report. Attesting to the industry’s efforts, over half of such losses due to DeFi hacks could be recovered this year.

The growth in the popularity of non-fungible tokens (NFTs) has also spurred fresh activity where bad actors are finding new and innovative ways to trick people into buying fake digital assets or investing in scams.

From leaked Word documents to stolen passwords, here’s a quick look at the 10 biggest cryptocurrency hacks of 2021:

Poly Network – $610 million stolen in August 2021

A ‘white hat’ hacker pulled off the largest single cryptocurrency hack this year, claiming to have done it to expose the security hole in the ‘cross chain’ smart contracts used by the company.

The company went on to suspend transactions and fix the bug, even as it negotiated with the hacker and exchanges to freeze the stolen cryptocurrency temporarily. The entire stolen amount was retrieved over the course of a week, with no loss to customers. The company offered a job and a reward of $500,000, which the hacker turned down, though the hacker later grumbled about getting no reward.

Poly Network is a decentralised finance (DeFi) platform that allows users to lend, borrow and trade cryptocurrencies at a profit. Smart contracts are built into a crypto token, with self-executing terms that define what the token should do under different circumstances, for example, sell to entity X at $17.99 if price falls below $18.

Cross chain platforms enable users to transact across completely different blockchains, but the technology is still developing, making it an attractive target to hack. A number of recent crypto hacks have targeted DeFi crypto platforms that use cross-chain technology.

BitMart – $196 million stolen in December 2021

A stolen private key (the part of the cryptographic pair that is supposed to be kept top-secret) enabled hackers to breach the security of two hot wallets belonging to the BitMart crypto exchange.

Announcing the discovery of this loss on Twitter, the company said $100 million of the loss was on the Ethereum blockchain, which has been targeted most frequently in the biggest hacks this year.

The exchange froze deposits and withdrawals for a couple of days, during which time it announced a security upgrade. BitMart’s CEO Sheldon Xia announced they would talk to crypto project teams to identify solutions, and use the company’s own funding to compensate affected users.

Hot wallets are used by crypto exchanges like BitMart to store the most liquid portion of their digital assets, for faster transactions on behalf of users. A cold wallet, on the other hand, holds digital assets offline with no internet exposure, and is therefore less vulnerable to hackers.

Boy X Highspeed (BXH) – $139 million stolen in November 2021

A leaked administrator key cost BXH a large part of their holdings on the Binance Smart Chain (BSC). Withdrawals on their BSC blockchain were suspended the same day, resuming only four weeks later. Their security sweep took a week, with all security loopholes claimed to be eliminated within two weeks of the attack.

Their CEO and PeckShield, an independent blockchain security researcher, both speculated that this exploit could be an ‘inside job’. The company offered a reward of up to $10 million to identify the hackers, though no further announcement has been made regarding identification. ‘A reasonable compensation plan’ is held out for users whose digital assets were affected. BXH is a decentralised exchange, with support for trading across multiple blockchains.

Vulcan Forged – $135 million stolen in December 2021

Hackers helped themselves to the crypto wallet private keys of 96 users, out of a total of 6501 at the time. They went on to steal 9% of all available PYR tokens (4.5 million PYR), leaving a loss of $135 million. Affected users have been promised reimbursement from the company’s own reserves.


The CEO Jamie Thomson has said they will use decentralised wallets, to prevent such issues in the future. The company has placed a bounty of $500,000 to identify the hacker, and also coordinated with large exchanges to try and prevent the hackers from selling the stolen tokens.

Vulcan Forged calls itself a GameFi game studio that makes play-to-earn (P2E) games such as Vulcan Verse and Vulcan Chess, which operate using their own PYR tokens and NFTs. It runs an NFT marketplace to enable players to cash out, and a decentralized exchange (DEX) to trade cryptocurrency. The studio was planning upgrades for the PYR currency, but the hack dropped its price by 26% and lowered its market cap by 35%.

Private keys function like digital signatures, proving ownership of a ‘wallet address’ and permitting transactions only by the key holder.

Cream Finance – $130 million stolen in October 2021

In an attack that exploited its flash loan facility, hackers managed to steal all liquid assets the platform owned on the Ethereum blockchain.

The company put out a statement that the vulnerability has been patched with the help of the community, and that their other blockchain assets weren’t affected. In less than a month, the company announced compensation for affected users from their own pockets, funded by their team’s allocation of tokens.

C.R.E.A.M. Finance, which is a DeFi lending platform, reported three other attacks this year – in September ($18.8 million), August ($29 million), and February ($37 million) – adding up to a loss of $215 million.

Badger DAO – $120 million stolen in December 2021

Hackers pilfered Bitcoin and Ethereum based assets from dozens of user wallets, in a strategically planned attack – malicious code was injected into the platform’s website front-end almost a month in advance.

PeckShield, a blockchain security firm, identified the single biggest loss, of 896 Bitcoin from one wallet, which is worth $44 million at current prices. The DAO had suspended activity upon learning of the attack, but completed its investigation in a week and returned to normal operation. The Badger community is considering plans to recover lost funds, and solutions for reimbursing losses.

The crypto lending platform BadgerDAO is a decentralized autonomous organization (DAO), initially set up by Celsius Network, which is a Centralised Finance (CeFi) platform for loans on crypto assets.

Liquid Global – $97 million stolen in August 2021

Hackers obtained access to Liquid’s hot wallet, looting Ether, Bitcoin, XRP and 66 other currencies. Ethereum-based assets accounted for over 78% of the loss.

The hackers routed a part of their loot through decentralised platforms like UniSwap, while assets transferred to other large crypto exchanges were frozen on Liquid’s request. The Japanese exchange resumed trading after transferring unaffected funds to cold wallets, and upgrading security to implement secure vaults.

By the end of August, Liquid had said there would be “no impact on user balances.” To compensate users and cover their own losses, the company raised $120 million as a loan from the FTX crypto exchange.

EasyFi – $80 million stolen in April 2021

Showing that targeting a person works just as well as targeting a system vulnerability, a hacker targeted the founder’s computing device to get his admin keys and transfer currency to himself. The initial loss was $6 million of stablecoins and $120 million worth of EASY, a token native to the EasyFi project.

The impact upon users was limited when the EASY token’s price crashed by 50% in a low-liquidity scenario, making it difficult for the hacker to sell his tokens. Moreover, the token was upgraded to ‘EZ 2.0’ four days later, making the hacker’s holdings useless. In his blog, the founder Ankitt Gaur wrote that affected users would be compensated, 25% in the form of stablecoins and 75% as IOU tokens.

EasyFi is a DeFi lending platform for digital assets, operating across three blockchains at the time of writing.

AscendEX – $77.7 million stolen in December 2021

Hackers broke into the hot wallet of AscendEX, a Singapore-based cryptocurrency exchange. According to the blockchain security firm PeckShield, almost 77% of the total loss consisted of assets based on the Ethereum blockchain.

The exchange confirmed that their cold wallets were not affected, and that any affected users will be “covered completely.” Deposit and withdrawal services were suspended for a security review, but trading services had resumed within a week. The company announced on December 23 that deposits and withdrawals had resumed for most major currencies.

bZx – $55 million stolen in November 2021

The attack began as a simple phishing attack in a Word document, through which the hackers managed to access private keys of the platform and ‘upgrade’ the smart contracts to transfer funds away. Most losses were on the Polygon and Binance Smart Chain (BSC) networks, while their decentralised infrastructure saw relatively lower losses denominated in Ethereum. On finding out what was happening, the bZx platform alerted other crypto projects and exchanges to freeze the stolen cryptocurrency. The company asked the security firm Kaspersky to investigate, and Kaspersky believes the hackers were the Lazarus Group, which has links to North Korea.

Even as they continue tracking the funds and working with law enforcement agencies, the community has approved a compensation plan to help those who suffered losses as a result of the hack. The bZx DAO (decentralised autonomous organisation) calls itself a DeFi platform for margin-trading and lending.
