DeFi risks and hacks on the rise

The total cryptocurrency market capitalisation fluctuated in the $1 to $3 trillion band between 1 January 2021 and 1 January 2022. During the period, the resultant market volatility and value increases attracted not only investors but also hackers.

Hackers targeted companies operating in various areas of the sector, including non-fungible token (NFT) platform providers (Vulcan Verse) digital exchanges (AcsendEX, BitMart, Boy X Highspeed, and Liquid Global), networks (EasyFi), decentralised autonomous organisations (Badger DAO), and various DeFi platforms (C.R.E.A.M. and Polygen Network). The hackers left these companies vulnerable to service disruptions, price crashes, and financial losses.

Affected companies have had to resort to different ways to mitigate and remediate the impact of such attacks. The primary concern has been to protect users´ assets and minimise losses through various means such as direct compensations, reimbursement plans, and new coin issuances. For these companies, it is important to build trust in the fledgling sector.

It is important for crypto companies to establish the hackers´ identity, whether the attacks were perpetrated by insiders, outsiders, or state-sponsored actors. Hackers use different modus operandi, including phishing, breaking into computer systems and hot wallets, as well as through ransomwares and malicious codes.

Hackers have caused an estimated $4 billion in direct losses and at least three times more in costs for networks indirectly in terms of reputation damage and loss of customers. Yet these numbers make up a fraction of the total value, an estimated $2 trillion locked in DeFi, stablecoins, NFTs, and more.

Crypto-companies attempt to fend off hackers by upgrading their security tokens, and freezing the stolen assets in instances where the hackers have been successful. Affected companies were also able to rely on the decentralised finance community to identify, track and ultimately recover the stolen assets. They offered rewards for clues about hackers, collaborated with law enforcement authorities, insurance firms, and cyber security firms. Interestingly in some cases, the hackers returned the stolen assets entirely to avoid being identified. Most notably, the $610 million heist thwarted by Poly Network. In these cases, the recovery attempts were speedy and required less involvement of the authorities but more help from the community.

In comparison, the chance of full recovery of stolen fiat assets, whether from a physical or cyber heist, is much lower. The Federal Bureau of Investigation (FBI) reported in its 2020 Internet Crime Report that the US public lost more $4.2 billion through cyber crime, $1.8 billion, $29.1 million, and $146 million from business email compromise (BEC), ransomware attacks, and technology support scams respectively. Out of which $380 million of the BEC losses were recovered/frozen.  In the last two weeks of 2021, almost 500 customers of Singapore-based OCBC were reported to have lost SGD 8.5 million ($6.3 million) to a well-orchestrated cyber scam. The bank was conspicuously silent on how customers may recover or be compensated for their losses.

Conversely, management of crypto-companies appear to have taken more seriously the responsibility to promptly address breaches and attacks, organise various resources and measures to recover assets speedily, and avoid potential losses and operational costs due to hacker attacks. An indication of the growing maturity of the industry.