In a year of bankruptcies and collapses, the top 10 cryptocurrency exploits earned malicious actors over $2 billion.
Market prices have plummeted, crypto giants have collapsed, and billions have been stolen in crypto exploits and hacks.
Chainalysis called 2022 the “biggest year ever for hacking activity” in mid-October.
The 10 biggest 2022 crypto exploits stole $2.1 billion by Dec. 29. These exploits and hacks are listed by size.
On April 18, a flash loan attacker bought governance tokens from stablecoin protocol Beanstalk Farms for $76 million. The purchase let the attacker pass two malicious smart contract proposals.
Beanstalk’s collateral was drained, but the attacker only got away with half of $182 million.
On Jan. 28, a bridge exploit stole over $80 million of BNB from Qubit Finance, a BNB Smart Chain DeFi protocol.
The attacker convinced the protocol’s smart contract they had deposited collateral to mint an asset representing bridged Ether.
They repeatedly borrowed cryptocurrencies against the unbacked bridged ETH, draining the protocol’s funds.
On April 30, Rari Capital, another DeFi protocol, was exploited for $79.3 million.
The attacker exploited a reentrancy vulnerability in the smart contracts of the protocol’s Rari Fuse liquidity pools, using calls to a malicious contract to drain the pools of all crypto.
Rari Capital and other DeFi protocols, including Tribe DAO, voted to reimburse hack victims in September.
Another bridge hack drained $100 million in multiple cryptocurrencies from the Horizon Bridge, which connects Ethereum, Bitcoin, and BNB Chain to Harmony’s layer-1 blockchain.
As the funds were laundered similarly to other Lazarus Group attacks, blockchain forensics firm Elliptic linked the hack to North Korean cybercriminals.
Lazarus targeted Harmony employee login credentials, breaching the platform’s security system and taking control of the protocol before using automated laundering programs to move their illicit gains.
On Oct. 6, the BNB Chain was paused due to “irregular activity,” which turned out to be an exploit that drained $100 million from its cross-chain bridge, the BSC Token Hub.
Due to a vulnerability that allowed the creation of two million BNB, the chain’s native token, the attacker initially stole around $600 million.
The attacker had over $400 million in digital assets frozen on the blockchain and possibly more in BNB blockchain cross-chain bridges.
Wintermute, a UK crypto market-maker, had a compromised hot wallet that lost $160 million across 70 tokens.
CertiK, a blockchain cybersecurity firm, found that Profanity, an app that generates vanity crypto addresses, generated a vulnerable private key that was attacked.
CertiK reported that the attacker used a function with the private key to change the platform’s swap contract to their own.
Blockchain security firm BlockSec dismissed claims, based on how the hack was executed, that it was an “inside job” as “not convincing enough.”
Multiple attackers stole $190 million from the Nomad token bridge on August 2.
The exploit was caused by a smart contract vulnerability: the contract failed to validate transaction inputs.
Multiple users, both malicious and benevolent, copied the original attacker to steal funds. A report found “copycats” in 88% of exploit addresses.
White-hat hackers only intercepted and returned $32.6 million.
On Feb. 2, the Wormhole token bridge was exploited, losing 120,000 Wrapped Ether (wETH) tokens worth $321 million.
Wormhole allows crypto transfers between blockchains. An attacker exploited a smart contract vulnerability to mint 120,000 wETH on Solana without collateral and exchange it for ETH.
It was 2022’s largest exploit and third-largest protocol loss.
Elliptic estimates that $477 million in crypto was stolen from FTX during its bankruptcy proceedings on Nov. 11 and 12.
Sam Bankman-Fried said in a Nov. 16 interview that he believed it was “either an ex-employee or somewhere someone installed malware on an ex-employee’s computer,” and that he had narrowed the perpetrator down to eight people before he was shut out of the company’s systems.
On Dec. 27, the US Department of Justice began investigating the whereabouts of $372 million in missing crypto.
The Ronin bridge was exploited for $612 million (173,600 ETH and 25.5 million USD) on March 23, 2022. Axie Infinity, a play-to-earn NFT game, uses Ronin, an Ethereum sidechain. Sky Mavis, Axie Infinity’s developers, said the hackers stole private keys, compromised validator nodes, and authorized bridge-funding transactions.
On April 14, the U.S. Treasury Department updated its Specially Designated Nationals and Blocked Persons (SDN) list to include Lazarus Group as a possible bridge exploiter.
The Ronin bridge exploit was the biggest cryptocurrency hack.