- Mixin, Euler and Multichain lead roster of attacks.
- Overall losses are down from 2022.
- Number of hacks still running high.
The good news: assets lost to hackers dropped by more than 50% in 2023, to $1.7 billion.
The bad news: That is still an awfully big number, and the frequency of attacks — 160 major hacks — was about the same as 2022.
Smaller harvest
The smaller harvest for cybercriminals was “likely due to law enforcement action and better compliance controls than a downturn in the crypto markets,” said Ari Redbord, the global head of policy and government affairs at TRM Labs, which provided the data to DL News. (Redbord is a contributing writer at DL News.)
Despite increased efforts to thwart attackers, exploits persisted right up to the end of the year, with OKX DEX hit for $2.7 million on December 13, according to DefiLlama.
Since we published our hacks list following the $43 million Stake.com hack in September, five more big hacks occurred.
They were big enough to knock the Stake hack down five places to 10th, which shows hackers have not given up in their quest for easy, illicit loot.
Read on to see the 10 biggest crypto hacks of 2023.
Mixin Network: $200 million
In September, cyberthieves stole $200 million from Hong Kong-based exchange Mixin’s user accounts.
Following the attack, DL News reported on scrutiny from several industry players who found the attack suspicious, partly due to Mixin’s lack of a cold storage wallet to keep customer funds secure.
Mixin founder Feng Xiaodong pledged to pay back customers half of their losses. Deposits and withdrawals on some tokens have resumed, but Mixin’s recompensation plan remains unclear.
Euler Finance: $197 million
Lending protocol Euler Finance took the second-biggest hit of the year in March when an attacker drained almost $197 million.
The attacker exploited a vulnerability in Euler’s donate function contract, but has since returned most of the stolen funds.
In July, DL News interviewed a man who said he was the attacker.
Multichain: $126 million
Cross-chain bridge protocol Multichain suffered a hack or a rug pull in July when the project’s private keys were compromised.
At the time, crypto research firm Chainalysis called it “one of the biggest crypto hacks on record.”
Poloniex: $126 million
In November hackers drained $126 million from Crypto exchange Poloniex. Withdrawals were frozen after the funds were stolen.
DL News reported on Poloniex investor Justin Sun’s plans to give victims an “epic airdrop” of tokens as compensation for the hack.
Poloniex resumed deposit and withdrawal services for many assets on December 5.
Atomic Wallet: $100 million
A June hack of Atomic Wallet users caused $100 million in losses.
Analysts blamed North Korea-linked Lazarus Group, which has amassed billions in its notorious cyber crime campaign since 2007, the proceeds of which are said to fund Kim Jong Un’s nuclear missile programme.
Angered investors hit Atomic Wallet with a class-action lawsuit following the attack.
Heco Chain: $87 million
In a case similar to the Poloniex hack in November, hackers raided hot wallets on the Heco Chain.
Due to its association with HTX — which itself lost $12 million in the hack — HTX investor Justin Sun included Heco Chain in his pledge to compensate victims of the hacks.
Curve Finance: $62 million
DeFi protocol Curve Finance was hit by several exploits when hackers swiped almost $62 million from several trading pools.
The hack began with an initial exploit that led to several seemingly unconnected hackers stealing from multiple Curve trading pools.
CoinEx: $55 million
Hackers hit CoinEx $55 million in September in what the exchange called “anomalous withdrawals” from its platform.
CoinEx froze withdrawals for a few weeks and pledged to compensate customers.
The exchange later attributed the hack to private key leakage that allowed attackers to access its hot wallet.
KyberSwap Elastic: $48 million
As HTX- and Poloniex-affiliated hacks struck in November, an attacker carried out an exceptionally complex hack on multichain aggregator KyberSwap Elastic.
The exploiter then published an unhinged ultimatum on the Etherscan block explorer demanding control of the protocol. Check the link below for DL News DeFi expert Tim Craig’s take on the hacker’s possible identity.
Stake.com: $41 million
Online crypto casino and sports betting platform Stake.com was hacked in September.
“The loss of funds is by no means a trivial amount, but this attack has not materially affected Stake’s operations,” co-founder Edward Craven told DL News following the attack.
The US FBI later attributed the attack to North Korea-linked cybercrime group Lazarus.
Tyler Pearson is a researcher at DL News. He is based out of Alberta, Canada. Got a hot tip? Reach out to him at ty@dlnews.com.