Crystal Intelligence: $19B Stolen in Crypto Exploits in 13 Years

Over the past 13 years, the crypto industry has been suffering huge losses due to hacks and exploits. Despite improved monitoring and technology, illegal activities continue to happen. SIM swap attacks and issues with two-factor authentication (2FA) have been especially troublesome for the crypto community recently. The amount of people who may be targeted by illegal activities is also growing. Meanwhile, the UK's NHS chief executive Amanda Pritchard recently shed some light on the growing addiction to crypto trading among young people.

$19B in Crypto Stolen Over 13 Years

The cryptocurrency industry has suffered major losses due to hacks and exploits. In fact, over the past 13 years, there were 785 reported incidents. According to a Crystal Intelligence report, almost $19 billion worth of digital assets have been stolen since Jun. 19, 2011, when the first known crypto hack was reported.

The largest single crypto theft case was the 2019 Plus Token fraud, which resulted in $2.9 billion worth of Bitcoin (BTC) and Ethereum (ETH) being stolen.

In recent years, the industry has seen a lot of security breaches. The largest single crypto heist in the past two years happened in February 2024, when PlayDapp suffered a $290 million breach. During the same period, the JPEX investment scam in Hong Kong became the largest single crypto fraud scheme, with $194.3 million of stolen crypto.

The first quarter of 2024 saw a 42% increase in stolen funds compared to the same period in 2023, with $542.7 million worth of digital assets being stolen. While 2023 reported the highest number of hacks, 2022 is still called the deadliest year by value. In 2023, 286 exploits were reported which resulted in more than $2.3 billion worth of assets being stolen. In total, 2022 saw $4.2 billion worth of digital assets stolen, almost double the amount in 2023, despite a lower number of incidents.

Illegal activities on the blockchain have continued to grow in 2023 and 2024, despite improved monitoring and reporting mechanisms. In 2023, there were 68 separate security breaches, leading to over $1 billion worth of digital assets being stolen. In contrast, decentralized finance (DeFi) hacks resulted in $835 million of stolen cryptocurrency in 2023, with 112 reported incidents. Although DeFi hacks happen a bit more frequently, they are generally smaller in size compared to security breaches.

Top 10 DeFi hacks 2023/24 (Source: Crystal Finance)

The past two years have seen the largest single DeFi hack involving Euler Finance, which resulted in $197 million worth of stolen ETH tokens. Meanwhile, the ten largest DeFi hacks in 2023 and 2024 accounted for around $579 million in stolen assets.

UwU Lend Hit by Second Hack

Unfortunately, it does not seem like crypto crimes will start slowing down any time soon. The UwU Lend protocol, which was previously hacked for almost $20 million on Jun. 10, is under attack yet again. On-chain data analytics platform Cyvers alerted the protocol about the new exploit. It seems like the attackers are the very same people who were responsible for the previous $20 million exploit.

So far, the still ongoing exploit has stolen $3.7 million from various asset pools, including uDAI, uWETH, uLUSD, uFRAX, uCRVUSD, and uUSDT. All of the stolen assets have been converted to ETH and are currently held at the attacker's address.

The first exploit occurred due to price manipulation. The attacker used a flash loan to swap USDe for other tokens, which led to a decrease in the price of $USDe and $sUSDe. They then deposited some tokens to UwU Lend and lent more $sUSDe than expected, driving the $USDe price higher. Similarly, they deposited sUSDe to UwU Lend and borrowed more CRV than expected, ultimately stealing nearly $20 million in tokens through price manipulation.

The latest exploit happened within just three days of the initial $20 million hack. UwU Lend was starting with the reimbursement process just hours before the second exploit.

The protocol announced on X that they repaid all bad debt for the wETH market, amounting to 481.36 wETH ($1,734,042), and reimbursed a total of $9,715,288. UwU also claimed that it identified and resolved the vulnerability that was responsible for the initial exploit, and stated it was unique to the USDe market oracle. Interestingly, the protocol stated that all other markets have been re-reviewed by industry professionals and auditors with no issues or concerns found.

OKX Investigates Multi-Million Dollar SIM Swap Attack

In a related development, OKX cryptocurrency exchange and its security partner SlowMist are investigating a multi-million dollar exploit that resulted in the theft of two user accounts on Jun. 9 through a SIM swap attack. This incident was first reported by SlowMist founder Yu Xian on X.

According to Xian, the attack involved an SMS risk notification from Hong Kong and the creation of a new API Key with withdrawal and trading permissions. While the exact amount that was stolen is still unclear, it is believed to be in the millions of dollars.

SlowMist has indicated that two-factor authentication (2FA) mechanisms may not have been the main vulnerability. SlowMist founder Xian pointed out that he did not enable a 2FA authenticator like Google Authenticator, and suggested that it might not be the critical issue.

X post from SlowMist’s founder (Source: X)

An analysis by Web3 security group Dilation Effect revealed that OKX’s 2FA mechanism allowed attackers to switch to a lower-security verification method, making it possible for them to whitelist withdrawal addresses via SMS verification.

Unfortunately, 2FA complications are becoming more common. During recent sophisticated attacks, hackers were able to bypass 2FA verification methods. Earlier in June, a Chinese trader lost $1 million to a scam involving a promotional Google Chrome plugin called Aggr, which steals user cookies to bypass passwords and 2FA authentication.

What are SIM Swap Attacks?

A SIM swap attack happens when a malicious actor transfers a victim's SIM card information from the victim's phone to their own device. While this can happen if the attacker physically steals the phone, it is more commonly executed remotely.

The attacker typically contacts the victim's phone carrier, either by phone or in person, pretending to be the victim. They may use personal information that they got from previous hacks or use an insider at the phone carrier to facilitate the transfer. Once the attacker successfully convinces the carrier to transfer the SIM card, they gain control over the victim's phone number and receive all calls and text messages intended for the victim. This also gives them access to the victim's apps, including social media and financial apps.

The relevance of SIM swap attacks to the cryptocurrency world lies in the use of two-factor authentication (2FA) for securing accounts. If an attacker gets a victim's username and password for their crypto accounts, they might still be unable to log in due to 2FA protections.

However, by taking over the victim's phone, the attacker can intercept 2FA codes sent through text messages, emails, or phone calls. They can also change the victim's email password to prevent the victim from receiving 2FA alerts.

With access to 2FA codes, the attacker can log into the victim's cryptocurrency accounts and transfer funds to their own accounts. The attackers usually use techniques such as coin mixing to make it harder to track the stolen funds.

Crypto Trading Risks

The amount of people who could fall prey to these crypto crimes seems to be increasing as well. The United Kingdom’s National Health Service (NHS) chief executive Amanda Pritchard recently urged British lawmakers to take action against the growing issue of young people becoming addicted to crypto trading.

Pritchard spoke at the ConfedExpo of NHS managers in Manchester on Jun. 12, and talked about the opening of the NHS's fifteenth specialist gambling addiction clinic earlier this year, She emphasized the "real and growing social need" for facilities like these.

Pritchard referred to the increasing opportunities for young people to become addicted to gambling, including unregulated cryptocurrency markets. She pointed out that this addictive habit involves people investing their money in assets with no fixed value, leaving the NHS to manage the fallout and potentially increasing the demand on the health service.

In June last year, King Charles enacted laws to regulate cryptocurrency under the same rules as other financial services. However, in July, the U.K. Treasury rejected a proposal to regulate crypto retail trading as gambling, opting instead to regulate it as a financial service. Economic Secretary Bim Afolami announced that forthcoming laws would bring activities like operating exchanges and taking custody of customer assets within the regulatory perimeter for the first time.

Many crypto users are specifically attracted to high-risk tokens in hopes of higher gains. Meme coins are especially popular despite being labeled as having no inherent value. Decentralized crypto exchanges also allow users to place highly leveraged bets on token price directions, leading to large liquidations when bets go wrong.

The always-on, decentralized nature of the crypto space has also given rise to crypto gambling platforms. Polymarket, for instance, has seen its value locked reach almost $29 million, offering bets on any kind of events, including sports, elections, and niche markets like whether Elon Musk will ban Apple devices at his companies.