Hackers stole $3.8 billion from crypto investors in 2022, a 13% increase from 2021 and marking a new all time high for annual theft of digital coins.
This rise in crypto hacks is just the latest indicator to underscore how security within the digital asset market, especially Decentralized Finance (DeFi), remains a major obstacle for the industry.
According to a new report by blockchain forensics firm Chainalysis, DeFi protocols accounted for $3.1 billion, or 82%, of all crypto stolen by hackers, up 9% from 2021.
A newer part of the crypto industry, DeFi relies on programmable software known as smart contracts, which when used on a public blockchain generally offer more transparency at both the code and transaction level than the rest of crypto.
With a total $53.7 billion in capital held within DeFi protocols, this newer and less regulated side of digital finance accounts for only 5% of all the money in crypto, according to DefiLlama.
Cross-chain bridges the largest target
Hacks on software applications known as cross-chain bridges, which allow users to move digital assets from one blockchain to another, made up 64%, or $3.1 billion, of the year's stolen funds.
To enable crypto users to port assets from one blockchain to another, bridges lock a user's assets into a smart contract on one blockchain, then mint an equivalent asset on another chain in a transaction similar to a foreign currency exchange. However, this procedure also makes these moves highly vulnerable to exploits.
"Bridges are an attractive target for hackers because the smart contracts in effect become huge, centralized repositories of funds backing the assets that have been bridged to the new chain," Chainalysis said in its report.
Notable cross-chain bridge hacks last year included Nomad ($190 million) in August, Harmony ($100 million) in June, Ronin ($625 million) during March, and Wormhole ($326 million) at the beginning of February.
"If a bridge gets big enough, any error in its underlying smart contract code or other potential weak spot is almost sure to eventually be found and exploited by bad actors," Chainalysis said.
Who is stealing the most?
As for who made off with the majority of stolen funds last year, Chainalysis points to North Korea-linked hackers, such as the notorious Lazarus Group.
Through 2022, Chainalysis attributes North Korea-linked hackers as having swiped $1.7 billion, or 45% of total funds lost in crypto exploits.
In August, the U.S. Treasury Department's Office Foreign Asset Control (OFAC) sanctioned a popular crypto mixing service known as Tornado Cash. In a press conference announcing the action, Treasury officials acknowledged North Korea-linked hackers such as Larazrus are known to contribute the stolen funds to finance the rogue state's weapon's program.
“These are serious national security concerns that really stretch beyond the fact that there are millions of dollars being stolen," Eun Young Choi, director of the National Cryptocurrency Enforcement Team (NCET) said of the issue during Yahoo Finance’s All Markets Summit in October,
By Chainalysis' tracking, North Korea-linked hackers have already moved to alternative crypto mixing services to launder funds.
As the report noted, "the core issue is that DeFi developers prioritize growth over all else."
In past months, experts ranging from Kim Grauer, director of research for Chainalysis, to Binance founder and CEO Changpeng Zhao, have suggested a range of improvements in DeFi security such as standardization for how projects manage funds, more code audits by third party firms, and improved investor disclosures.
"The DeFi community generally isn't demanding better security, they want to go to protocols with high yields. But those incentives lead to trouble down the road," David Schwed, COO of blockchain cybersecurity firm, Halborn, said in the report.