2023 Data Security Incident Response Report

Digital Assets:
NFTs, Crypto, Blockchain


Incidents Involving Blockchain and Digital Assets

By all accounts, 2022 registered as one of the most turbulent years in crypto history. Several large centralized cryptoasset firms imploded as traditional markets floundered, unleashing a contagion¹ that reverberated around the world. Meanwhile, reports indicate that the total value stolen in cryptocurrency hacks achieved an all-time high of $3.8 billion. Crypto-related scams continued to evolve in sophistication, and the volume of illicit cryptocurrency transactions grew to a record $20.6 billion, 43% of which was tied to sanctioned persons and entities. In response to such threat actors, the U.S. government fired a warning shot in the direction of decentralized protocols by sanctioning a well-known decentralized cryptocurrency mixer, a precedential action that resulted in the first instance of software being sanctioned.

DeFi Protocol and Bridge Hacks

Decentralized finance (commonly referred to as “DeFi”) protocols operate autonomously through code that facilitates various types of digital asset transactions without assistance from third-party banks or other intermediaries, and so offer novel answers to the key-man, honeypot, and other risks inherent to centralized financial institutions. The trade-off is that a DeFi protocol is its code: any defect in that code is exploitable by anyone able to submit a transaction, there is usually no intermediary positioned to halt or reverse the resulting transfers, and the dearth of oversight over DeFi markets leaves victims with little legal recourse or opportunity to remediate the harm. With DeFi hacks representing approximately 82% of all crypto hacks in 2022, the risks these platforms represent are a growing concern.


Cross-Chain Bridge Hacks

Crypto “cross-chain bridges” let a user lock one type of cryptoasset on its home blockchain as collateral and receive a synthetic (“wrapped”) representation of that asset on a different blockchain, quickly and efficiently, for trading in that chain’s DeFi ecosystem; they are what makes liquid markets across chains possible. DeFi markets therefore rely on cross-chain bridges as critical infrastructure underpinning much of their activity. However, by design, a bridge holds the locked collateral in a single contract or custodial pool, making it a lucrative target for sophisticated hackers seeking a quick payday. And because a bridge relies on code rather than a third-party intermediary to decide when a deposit on one chain justifies a mint on the other, a flaw in that verification logic lets an attacker create wrapped assets backed by nothing, or drain the pooled collateral outright.

¹“Contagion” as used here refers to a financial crisis that creates a ripple effect, spreading the crisis to other firms, markets, or regions.

64% of DeFi hacks were attributable to hacks or exploits of cross-chain bridges in 2022.

One of the biggest bridge hacks in 2022 followed a project’s publication of a code update that revealed a critical vulnerability before the fix had been deployed; a fix pushed to a public repository ahead of its deployment is, in effect, a disclosure. The vulnerability allowed a hacker to mint approximately $325 million worth of derivative cryptoassets on a particular blockchain without depositing the requisite collateral, leaving wrapped tokens in circulation that the bridge’s reserves no longer backed. Such exploits, which can quickly deplete large amounts of liquidity from a given bridge, may leave founders and project backers scrambling to replenish stolen assets to prevent potential cascading effects, such as severe downward market volatility, eradication of traders’ positions, and other contagion-like effects.
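The failure pattern in the mint described above generalizes: the bridge’s mint path trusts a verification result it did not compute itself, so an attacker who controls that input gets wrapped assets for free. The following is an added example written for this chapter, not code from the report or from any bridge project. It places that vulnerable pattern beside a hardened one that recomputes the check against a fixed guardian set, requires a quorum, and redeems each deposit once. The five-guardian set, the 4-of-5 quorum, the deposit records and the use of HMAC-SHA256 with per-guardian secrets in place of the public-key signatures a real bridge would use are all assumptions made so the example runs on the standard library alone.

```python
"""Bridge mint gate: the vulnerable pattern next to the hardened one.
Added example, not the report's or any bridge's own code.  The guardian set,
quorum and deposit records are constructed for the demonstration."""
import hashlib
import hmac
import json

# Constructed 5-guardian set with a 4-of-5 quorum.  Real bridges use
# asymmetric signatures (the verifier holds only public keys); HMAC-SHA256
# with per-guardian secrets stands in for them here.
GUARDIAN_KEYS = {f"guardian-{i}": hashlib.sha256(f"secret-{i}".encode()).digest()
                 for i in range(5)}
QUORUM = 4


def canonical(deposit: dict) -> bytes:
    """Stable byte encoding of the deposit record the guardians attest to."""
    return json.dumps(deposit, sort_keys=True, separators=(",", ":")).encode()


def guardian_sign(name: str, deposit: dict) -> str:
    """What an honest guardian emits after observing the deposit on the source chain."""
    return hmac.new(GUARDIAN_KEYS[name], canonical(deposit), hashlib.sha256).hexdigest()


class VulnerableBridge:
    """Mints whenever the caller *claims* the deposit was verified.  The
    verification result is attacker-controlled input, so collateral is optional."""
    def __init__(self):
        self.minted = {}                       # recipient -> wrapped balance

    def complete_transfer(self, deposit: dict, verified: bool) -> int:
        if not verified:
            raise PermissionError("unverified deposit")
        self.minted[deposit["recipient"]] = self.minted.get(deposit["recipient"], 0) + deposit["amount"]
        return self.minted[deposit["recipient"]]


class HardenedBridge:
    """Recomputes verification itself: counts only signatures that check out
    against the fixed guardian set, requires a quorum, and redeems each
    deposit id at most once."""
    def __init__(self):
        self.minted = {}
        self.redeemed = set()                  # deposit ids already minted against

    def complete_transfer(self, deposit: dict, signatures: dict) -> int:
        msg = canonical(deposit)
        valid = 0
        for name, sig in signatures.items():   # dict keys: each guardian counts once
            key = GUARDIAN_KEYS.get(name)
            if key is None:
                continue                       # unknown signer is ignored, never trusted
            if hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(), sig):
                valid += 1
        if valid < QUORUM:
            raise PermissionError(f"{valid} valid guardian signatures, quorum is {QUORUM}")
        if deposit["id"] in self.redeemed:
            raise PermissionError("deposit already redeemed")
        self.redeemed.add(deposit["id"])
        self.minted[deposit["recipient"]] = self.minted.get(deposit["recipient"], 0) + deposit["amount"]
        return self.minted[deposit["recipient"]]


def try_mint(bridge, deposit: dict, *args) -> bool:
    """True if the bridge minted, False if it refused."""
    try:
        bridge.complete_transfer(deposit, *args)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed deposit that never happened on the source chain.
    phantom = {"id": "0x01", "recipient": "attacker", "amount": 120_000}
    print("vulnerable mints on a bare claim:", try_mint(VulnerableBridge(), phantom, True))
    bridge = HardenedBridge()
    forged = {"guardian-0": "00" * 32, "attacker-node": "ab" * 32}
    print("hardened, forged attestation:", try_mint(bridge, phantom, forged))
    real = {n: guardian_sign(n, phantom) for n in list(GUARDIAN_KEYS)[:4]}
    print("hardened, 4-of-5 genuine:", try_mint(bridge, phantom, real))
    print("hardened, replayed:", try_mint(bridge, phantom, real))
```

Two details matter beyond the quorum count: signatures are keyed by guardian name so one key cannot be counted several times, and the replay set is updated only after the quorum passes, so a rejected attestation leaves no state behind. With the HMAC stand-in, anyone holding the key table could forge attestations; that is precisely why production bridges verify public-key signatures instead.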

Another major bridge hack in 2022 resulted in the theft of approximately $625 million worth of cryptoassets from an Ethereum sidechain bridge. Details of the event unfolded over the course of a year, exposing a complex criminal scheme that the U.S. government eventually tied to a North Korean state-sponsored threat group. The hack, the result of a sophisticated spear-phishing campaign targeting developers with access to the bridge’s core infrastructure, demonstrates several serious risks DeFi platforms pose to both consumers and national security.

The attackers approached a developer with what appeared to be a legitimate and lucrative employment offer. The materials the developer downloaded to review the “offer” carried a trojan horse that gave the attackers access to the developer’s device; credentials stored on that device were then stolen and used to gain unauthorized access to a crypto wallet holding significant value.

Hacks have exposed various flaws in the DeFi ecosystem. One key vulnerability appears when a purportedly “decentralized” project relies on a small set of privileged keys, operator accounts, or off-chain systems, leaving a centralized attack vector: compromise of that handful of credentials is compromise of the whole protocol. As the spear-phishing case above shows, this exposes DeFi projects to the same types of risks faced by centralized entities.

DeFi “Flash Loan” Hacks

DeFi “flash loans” are uncollateralized digital asset loans issued by code deployed on a blockchain. They provide instant liquidity: a borrower can take any amount the lending pool holds, on the condition that the principal (plus any fee) is returned before the same blockchain transaction ends, and the borrower’s own code can trade with the funds in between. If the loan is not repaid within that transaction, the underlying code treats the loan’s terms as unsatisfied and the entire transaction reverts, undoing every intermediate step and leaving the borrowed assets with the lender; borrowers’ code commonly fails an unprofitable trade the same way, since the loan could not then be repaid. While flash loans present a theoretically low risk of financial loss to lenders and borrowers who use them as intended, their reliance on code and on the governance mechanisms of the networks around them may present significant hacking risks: for the duration of one transaction, anyone can wield far more capital than they own.

One such risk relates to coding or design flaws in the voting mechanisms DeFi network participants use to make collective decisions about network upgrades or treasury allocations. In one example, the exploitation of a majority governance system implemented by one DeFi protocol led to the loss of $182 million of the protocol’s native governance token and left the rightful owners of those tokens holding the bag. The vulnerability was exploited through a flash loan, which allowed the hacker to borrow nearly $1 billion in digital assets and exchange them for 67% of the protocol’s voting stake. Because the protocol measured voting power from balances held at the moment of the vote rather than from a snapshot taken before the proposal, tokens borrowed for the life of a single transaction counted in full. Now holding more than the two-thirds control required to unilaterally approve code executions, the hacker was able to approve a transfer from the project’s wallet, take the funds, and repay the loan, all within one transaction. The theft left the project devastated for several months.
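The attack above and the fix for it can both be replayed in a few dozen lines. The following is an added example written for this chapter, not code from the report or from the affected protocol. It models a governance token with balance checkpoints, a lending pool whose loan must be repaid before the transaction ends, and a governor in two configurations: one that weighs votes by balances at execution time (the flawed design) and one that weighs them by balances at the block before the proposal was created. The balances, block numbers, the two-thirds threshold and the treasury size are constructed; the rollback on failure stands in for the chain reverting the whole transaction.

```python
"""Flash-loan governance takeover against a vote-at-execution design, beside
the snapshot-based fix.  Added example, not the report's or any protocol's
code; balances, block numbers and the 2/3 threshold are constructed."""
import copy


class Token:
    """Governance token keeping per-account checkpoints of (block, balance)."""
    def __init__(self, balances: dict, block: int):
        self.hist = {acct: [(block, bal)] for acct, bal in balances.items()}

    def balance(self, acct) -> int:                # balance right now
        return self.hist.get(acct, [(0, 0)])[-1][1]

    def balance_at(self, acct, block) -> int:      # balance as of a past block
        return next((bal for blk, bal in reversed(self.hist.get(acct, [])) if blk <= block), 0)

    def total(self) -> int:
        return sum(h[-1][1] for h in self.hist.values())

    def transfer(self, src, dst, amt, block):
        if self.balance(src) < amt:
            raise RuntimeError("insufficient balance")
        for acct, delta in ((src, -amt), (dst, amt)):
            self.hist.setdefault(acct, [(0, 0)]).append((block, self.balance(acct) + delta))


class Governor:
    """snapshot=False: voting power is the balance when the proposal executes (flawed).
    snapshot=True: voting power is the balance at the block before the proposal was created."""
    def __init__(self, token: Token, treasury: int, snapshot: bool):
        self.token, self.treasury, self.snapshot = token, treasury, snapshot
        self.proposals = {}

    def propose(self, pid, block):
        self.proposals[pid] = {"snap": block - 1, "voters": set()}

    def vote(self, pid, voter):
        self.proposals[pid]["voters"].add(voter)

    def execute(self, pid) -> int:
        p = self.proposals[pid]

        def power(v):
            return self.token.balance_at(v, p["snap"]) if self.snapshot else self.token.balance(v)

        if 3 * sum(power(v) for v in p["voters"]) <= 2 * self.token.total():
            raise RuntimeError("below two-thirds supermajority")
        drained, self.treasury = self.treasury, 0      # the approved "code execution"
        return drained


def flash_loan(token: Token, pool, borrower, amt, block, body):
    """Uncollateralised loan: body() runs with the funds, then repayment is
    enforced; any exception unwinds the whole transaction in the caller."""
    token.transfer(pool, borrower, amt, block)
    result = body()
    token.transfer(borrower, pool, amt, block)     # raises if the loan is not repaid
    return result


def run_attack(snapshot: bool) -> dict:
    """Replay the attack against one governor design and report the outcome."""
    token = Token({"pool": 900, "attacker": 30, "holders": 70}, block=100)
    gov = Governor(token, treasury=182, snapshot=snapshot)
    gov.propose("drain", block=101)                # proposal submitted in an earlier block
    saved = copy.deepcopy((token, gov))            # chain state before the attack transaction
    try:
        def body():
            gov.vote("drain", "attacker")          # attacker now holds 930 of 1000 tokens
            return gov.execute("drain")
        haul = flash_loan(token, "pool", "attacker", 900, 110, body)
    except RuntimeError:
        token, gov = saved                         # transaction reverted: every step undone
        haul = 0
    return {"haul": haul, "treasury": gov.treasury, "pool": token.balance("pool")}


if __name__ == "__main__":
    print("vote-at-execution:", run_attack(snapshot=False))   # treasury drained, loan repaid
    print("snapshot voting:  ", run_attack(snapshot=True))    # reverted, treasury intact
```

The snapshot is taken at a block strictly before the transaction that casts the votes, which is the whole defence: capital that exists only inside one transaction has no balance at any earlier block. Production governors combine this with a timelock between approval and execution, which defeats the same attack from the other direction, since a flash loan cannot outlive the transaction that took it.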

Phishing and Romance Scams

While reports indicate that crypto scam revenue fell nearly 46% in 2022, phishing scams continued to make headlines. For example, in May 2022, scammers stole approximately $4.3 million of cryptoassets by using social engineering tactics to lure victims to a fraudulent website designed to trick them into granting access to their crypto wallets. Romance scams also continued in 2022. In a crypto “romance scam,” the attacker establishes a close relationship with their victim, sometimes over the course of months. Once the victim’s trust is gained, the attacker manipulates the victim into sending them large sums of cryptoassets.


Crypto-Jacking

Crypto-jacking refers to the installation of cryptocurrency mining malware on a user’s device without the user’s consent or knowledge. The unauthorized software is typically installed after the user unwittingly visits a malicious website or falls victim to a phishing scheme. It is programmed to mine cryptocurrency (a resource-intensive activity) for the benefit of a threat actor over a long period of time without raising the user’s suspicion; the tell-tale signs are sustained CPU or GPU load, degraded performance, and persistent outbound connections from an unexpected process to mining pools.

In 2022, crypto-jacking incidents increased by 30%, with the retail sector suffering from a 63% increase and the financial sector witnessing a 269% increase.
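Because a miner has to talk to a pool to get paid, the pool handshake is the most durable detection signal. The following is an added example written for this chapter, not code from the report or from any product. It runs simple detection logic over endpoint and egress telemetry, flagging Stratum-style JSON-RPC methods, known miner user agents, and miner command-line flags. The events are constructed, and the field names (`host`, `process`, `cmdline`, `payload`) are an assumed normalized schema rather than any sensor’s real format.

```python
"""Detection of crypto-mining activity from endpoint and egress telemetry.
Added example, not from the report.  The events below are constructed;
field names are an assumed normalised schema, not any product's format."""
import json

# Stratum v1 JSON-RPC methods used by pool mining clients.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}
# User-agent substrings of common miners (XMRig-type clients send "login" with an agent).
MINER_AGENT_MARKERS = ("xmrig", "cpuminer", "cgminer", "bfgminer")
# Command-line fragments that have no business in a normal process tree.
CMDLINE_MARKERS = ("stratum+tcp://", "stratum+ssl://", "--donate-level")


def inspect_payload(payload) -> list:
    """Reasons a captured egress payload looks like a mining-pool handshake."""
    try:
        msg = json.loads(payload)
    except (TypeError, ValueError):
        return []
    if not isinstance(msg, dict):
        return []
    reasons = []
    method, params = msg.get("method"), msg.get("params")
    if method in STRATUM_METHODS:
        reasons.append(f"stratum method {method}")
    agent = str(params.get("agent", "")) if isinstance(params, dict) else ""
    if any(m in agent.lower() for m in MINER_AGENT_MARKERS):
        reasons.append(f"miner user agent {agent}")
    elif method == "login" and isinstance(params, dict) and {"login", "pass", "agent"}.issubset(params):
        reasons.append("login/pass/agent handshake shape")   # XMRig-style login with unknown agent
    return reasons


def inspect_cmdline(cmdline) -> list:
    """Reasons a process command line looks like a miner invocation."""
    low = (cmdline or "").lower()
    return [f"miner flag {m}" for m in CMDLINE_MARKERS if m in low]


def scan(events: list) -> list:
    """Return one finding per event that carries mining indicators."""
    findings = []
    for ev in events:
        reasons = inspect_payload(ev.get("payload")) + inspect_cmdline(ev.get("cmdline"))
        if reasons:
            findings.append({"host": ev["host"], "process": ev.get("process"), "reasons": reasons})
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, not real captures
    {"host": "ws-07", "process": "chrome.exe",
     "payload": '{"jsonrpc":"2.0","id":4,"method":"getUser","params":{"id":17}}'},
    {"host": "ws-07", "process": "svchost.exe",
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}'},
    {"host": "db-02", "process": "kswapd0",
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4AwalletXYZ","pass":"x","agent":"XMRig/6.18.0"}}'},
    {"host": "db-02", "process": "kswapd0",
     "cmdline": "/tmp/.cache/kswapd0 -o stratum+tcp://pool.example.net:3333 -u 4AwalletXYZ --donate-level=1"},
    {"host": "app-11", "process": "node",
     "payload": '{"jsonrpc":"2.0","method":"login","params":{"user":"alice","otp":"123456"}}'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["host"], f["process"], "; ".join(f["reasons"]))
```

Stratum is plain TCP on whatever port the pool chooses, so payload inspection needs a network sensor or EDR-level capture; matching on common pool ports alone is noisy, and a miner that speaks TLS to its pool hides the handshake entirely, leaving process lineage (a "kernel thread" name living in /tmp, as in the sample) and sustained CPU load as the remaining signals.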

Money Laundering and Sanctions Evasion

Digital assets continue to be used by threat actors in money laundering and sanctions evasion schemes. According to one report, in 2022, a single infrastructure protocol alone facilitated the laundering of more than $540 million in cryptoassets derived from theft, fraud, ransomware, and other illicit activities during a span of approximately one-and-a-half years. In another notable event, on Aug. 8, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned a well-known decentralized digital asset mixing service, alleging it was used to launder more than $7 billion worth of cryptoassets since its 2019 inception. The action marked the first instance of OFAC asserting that decentralized software (i.e., code deployed on and accessed through immutable public blockchains) can be sanctioned.