Hackers so far are focusing on decentralized finance (DeFi) projects to steal crypto this year, a new report found, a reversal from 2021 when they used scams and online fraud for most of their exploits.
Investors lost over $1.22 billion to hackers in the first three months of the year, nearly eight times more than the $154 million lost in the first quarter of 2021, according to crypto security firm Immunefi. Ninety-nine percent of those losses were from software exploits, the report found, specifically the hacks against Wormhole and Ronin.
This is not an anomaly, experts warn. It’s likely this kind of nefarious activity will become more common, while scamming of investors could wane.
“We should expect these types of [sophisticated] attacks to continue to increase, as more and more criminal organizations build DeFi-hacking skills in-house,” Mitchell Amador, chief executive officer and founder at Immunefi, told Yahoo Finance. “Furthermore, as DeFi gets bigger and bigger, these kinds of attacks become more and more lucrative.”
Money in DeFi has almost tripled over the past year. According to data aggregator DeFi Llama, the total value locked across different smart contracts increased from $80 billion this time last year to $227.84 billion as of Monday.
The rise of cheap, fast decentralized finance platforms also plays a critical role in the increase of costly theft this year, according to the Rug Doctor, the pseudonymous founder and CEO of the startup crypto rating firm RugDocIO.
Over the last year, the surge in blockchain usage — thanks to growing investor interest in non-fungible tokens (NFTs) and DeFi apps — has made transaction fees on Ethereum, the largest blockchain for these segments, more expensive. Newer layer-1 blockchains like Solana, Avalanche, Polygon, Algorand, Polkadot and Cardano have stepped in, promising cheaper transaction fees in addition to hundreds of other NFT and DeFi offerings.
But the number of security researchers and auditors hasn’t kept pace with the innovation, the RugDocIO founder pointed out.
“A lot of protocols also don’t invest enough in their own security. You’re also seeing more talent enter DeFi which includes benevolent and malicious programmers,” the Rug Doctor said. “The space needs to incentivize developer talent to go into security more than it has. We need grants, education and industry standards.”
The majority of funds lost so far this year occurred when hackers exploited cross-chain bridges.
Cross-chain or blockchain bridges, a newer type of platform in the crypto ecosystem, allow individuals to transfer their cryptocurrency from one blockchain to another. The service is increasingly important as investors seek to shuffle their funds around the crypto sector.
Exploits against the Wormhole bridge in February and the Ronin bridge last week resulted in losses of $326 million and $625 million, respectively, accounting for the lion’s share of crypto losses within the period.
Notably, both platforms have made efforts to fully compensate investors for losses. Ronin developers said in a blog update that the network “is committed to ensuring that all of the drained funds are recovered or reimbursed,” while Wormhole backer Jump Trading has already repaid Wormhole investors for the funds stolen.
The security risk of cross-chain bridges will limit the number of entities making these types of platforms in the near term, Alex Thorn, head of research with Galaxy Digital, told Yahoo Finance.
“Deep pocketed firms might be the only ones whose bridges people will use,” Thorn said. “For now, I know that if I was putting my funds in a bridge, it would be nice to know that there was someone like Jump Trading or Axie Infinity who have a lot of money in case of problems.”
Scamming is down
One bright spot is that fraud is playing a less significant role so far this year. Losses from the two cases reported this year amounted to $11 million and include Arbix Finance and NFT “rug pull” Frosties, which the Department of Justice announced on March 24.
Scams and other cases of online fraud totaled $7.7 billion over 2021, an average of $1.925 billion in losses each quarter.
Since crypto’s bull market started in the second half of 2020, a new wave of investors has entered the crypto asset market with little to no guidance on how to spot investment scams. Since the market’s peak in November 2021, the number of newcomers entering the space has subsided.
This means investors are becoming increasingly immune to investment scams, Amador said, though scamming activity remains far higher than in other markets.
“We should expect scams as a percentage of criminal income in [crypto] to gradually (but not suddenly) taper down,” he wrote over email, “as the proportion of experienced users to newbies increases.”
David Hollerith covers cryptocurrency for Yahoo Finance. Follow him @dshollers.