According to a recent Financial Times article, the amount of crypto sent to addresses with known criminal associations shot to a record $14 billion in 2021, more than doubling from 2020. This is according to research from data company Chainalysis. Scams, ransomware and theft rose 79% in dollar terms last year. This is perhaps unsurprising when you look at our aggregator table below of the notable scams, hacks and thefts of 2021.

The key takeaways from last year’s hacks and scams can be distilled down to the following:

  • Hot wallets are hackable. Hackers stole the private keys from hot wallets of many different crypto exchanges last year. Each exchange did typically admit to the hack and that they were limited to hot wallets;
  • Cold wallets are not hackable while being offline (unless of course, the private key is written down somewhere that is accessible). Cold wallets keep private keys from being accessible by hackers by not being connected to the internet. However, to place a cryptocurrency transaction each user must connect to the internet. Once connected, the cold wallet may then become vulnerable to attack;
  • Cryptocurrency exchanges may be a weak link in the cryptocurrency transaction process. Hackers have specifically targeted exchanges due to their facilitation of crypto transactions. Hackers typically either gained control of exchanges themselves or the hot wallets and private keys held by the exchanges. Until security of the exchanges increases, this will continue to be a vulnerability; and
  • New hacks and scams are being devised all the time. Recent examples include the rug pull of the ‘Squid Game’ cryptocurrency where crypto developers abandoned the project and ran away with investors' funds (see Penningtons recent article on this here), or Symbio Energy’s alleged encouragement to invest in a crypto trading company, Carbonyte (owned by Symbio’s owners) just before it went into administration. Carbonyte claimed to let customers manage unregulated investments through a 'secured hard wallet' as well as encouraging them to earn quick money by mining the digital currency. Whilst more and more companies are expanding into the crypto asset market, for example through the acceptance of payments in cryptocurrency, we can’t help but wonder if this venture proposed by Symbio went beyond this. Had the company not gone into administration it would have been likely that the FCA, the Advertising Standards Authority (ASA) or other regulators may have had and may still have something to say about Symbio’s actions. If you have been impacted by Symbio’s involvement in Carbonyte, please do reach out to us.

Aggregator: Notable Crypto Scams Heists and Hacks in 2021

Date

Value

Summary

Outcome

Link

1 February 2021

USD $45,000.

Liquidated New Zealand cryptocurrency exchange Cryptopia was hacked in February. This followed on from the $30 million stolen in 2019.

-

Link

15 February 2021

-

London-based crypto currency exchange Exmo suffered a distributed denial-of-service attack. The attack came two months after the crypto exchange reported that hackers had stolen $10.5 million in Bitcoin, Ether, XRP, Bitcoin Cash, Tether and Zcash.

-

Link

28 April 2021

USD $50 million

A Binance Smart Chain Uniswap clone, Uranium Finance, lost $50 million in tokens due to an exploit.

Money lost.

Link

29 April 2021

-

On 29 April 2021, the exchange Hotbit announced that it had suspended all services to investigate a cyber-attack on its systems. The hackers attempted to access the exchange’s hot wallets that store a small portion of customers’ funds but were denied access by internal systems. No funds were stolen but the hackers were able to compromise an internal database which included users’ information such as phone numbers, email addresses and portfolio information on assets.

-

Link

10 July 2021

USD $4.4 million

An attacker managed to take control of ChainSwap’s platform. The attacker minted tokens directly to their address, then sold them on Binance Smart Chain’s most popular decentralized exchange, PancakeSwap.

ChainSwap worked with the police and OKEx to identify the attackers, and managed to negotiate the recovery of Corra and Rai tokens. An initial email with the attackers suggested the attackers returned $1 million.

Link

12 July 2021

6 billion yen (c. USD $55 million)

Four men were arrested in Japan's Aichi Prefecture for running an allegedly fraudulent crypto investment scheme that persuaded investors they could reap returns on the basis of an artificial intelligence-led trading system.

-

Link

10 August 2021

USD $600 million

Hackers breached blockchain-based platform Poly Network and extracted more than $600 million in cryptocurrencies.

All $600 million returned (link)

Link

19 August 2021

USD $97 million

Japan-based Liquid, a cryptocurrency exchange, announced that they suffered a major hack and a resulting loss of funds. Just over $97 million in crypto assets have been received by the accounts identified by Liquid as belonging to the thief.

Funds still outstanding.

Link

1 October 2021

-

The founders of an energy company, Symbio Energy, that owed the regulator hundreds of thousands of pounds used the company Twitter account to promote a new cryptocurrency venture as their firm collapsed.

Symbio Energy, which had 48,000 customers, went into administration on 1 October 2021.

-

Link

5 October 2021

Undisclosed

In the rather under reported case, Coinbase admitted that client accounts were emptied.

-

Link

27 October 2021

USD $130million

Cream Finance was exploited by a flash loan for more than$260 million in depositor assets.

-

Link

29 October 2021

USD $139 million

Boy X Highspeed (BXH), a decentralised cross-chain exchange, was hacked in October in a hack that drained $139 million of funds. This was probably the result of a leaked administrator key, and possibly an inside job. With the private key, the attacker was able to digitally sign a transaction transferring  $139 million in tokens from BXH’s account on BSC to their own account.

BXH’s CEO stated that an investigation was underway to identify the hacker. If the hacker is not found, BXH has said that it will devise a user repayment plan and is offering $1 million to teams able to help retrieve the funds.

Link

29 October 2021

-

A CryptoPunk NFT appeared to sell for $530 million after an on-chain transaction in this scam. While CryptoPunks have sold for as much as 4,200 ETH in the past, the fake sale would have been the largest by orders of magnitude. As reported above, it appears that the owner used a flash loan to make the fake purchase of the Punk, borrowing and repaying 124,000 ETH. The move was likely a marketing stunt.

-

Link

1 November 2021

Unknown.

Squid Game Cryptocurrency went to zero and the associated Twitter accounts were frozen in the rug pull scam. Players were unable to take crypto out of the game.

Likely all funds lost.

Link

3 November 2021

c. €4bn

A money-laundering trial in Germany shone a light on the purchase of a luxury London penthouse by cryptocurrency scammer Dr Ruja Ignatova. Charges were brought in connection to the siphoning of millions of Euros from Dr Ruja's €4 billion scam - which consisted of selling a fake cryptocurrency called OneCoin.

-

Link

3 November 2021

7 million users

A Robinhood data breach allowed a hacker to steal the personal information of about 7 million users. Robinhood is a mobile app which allows commission-free trades of stocks, exchange-traded funds and cryptocurrencies introduced in March 2015.

-

Link

2 December 2021

USD $120 million

Hackers stole an estimated $120 million worth of BTC and ETH assets from Badger, a decentralised finance platform.

Investigation launched.

Link

 

 

5 December 2021

USD $196 million

Crypto exchange BitMart lost an estimated $196 million of crypto in a large scale DeFi hack. The $196 million in losses makes this one of the most devastating centralised exchange hacks to date.

The exchange’s CEO said the company will compensate affected users out of its own funds.

Link