This year has been a busy one for crypto thieves. Major scams followed one another so quickly that it all became a blur. We thought it’d be useful to cast our gaze back through 2022 to look at the biggest heists of the year and how they happened.
You might be thinking that Sam Bankman-Fried has to top our 2022 list, but we’re not talking about that kind of fraud here (though FTX does make an appearance, since their accounts were hacked hours before the company declared bankruptcy). We’ll save discussion of alleged Ponzi schemes like FTX and Celsius for another time. Yes, that means currencies that imploded, such as the Spring 2022 collapse of Terra’s LUNA and UST tokens, also don’t make our list.
We’re keeping our list focused on the common types of crypto theft that impact web3 users–phishing, hacks of platforms where you’ve stashed your crypto, rug pulls, and the like.
Thefts that may have been exquisitely painful to one or a few individuals but didn’t rack up high-dollar losses–say, the theft of the Bored Ape NFT that Seth Green was developing a TV show about and then had to ransom back for almost $300,000 so production could continue–again, not on our list. Also, scams that happened in previous years but only saw the thieves prosecuted in 2022, such as Bitconnect’s 2016-18 saga…sorry, still not making the list.
Our listings are all scams that occurred in 2022, ranked based on the dollar value of the theft.
Why is this a top 11 list instead of a top 10? Because we’ve included all the scams that resulted in more than $100 million in losses–and there turn out to be eleven of those. Boggles the mind a bit, doesn’t it?
Here’s our list of the biggest crypto scams of 2022:
1. $600+M Disappears as FTX files for bankruptcy
When once-lauded crypto exchange FTX came up $8 billion short during a run of rapid user withdrawals from its exchange in November, an odd thing happened: In the final hours before the now-notorious, Bahamas-based company filed for bankruptcy on November 11, over $600 million in users’ crypto mysteriously vanished.
FTX first told users of the hack in its official Telegram channel, warning that its apps had been compromised and telling people to stop using them and the website. Some FTX staffers later suggested that the massive outflow was the company itself moving funds to cold storage to keep them out of an attacker's reach. But it soon became clear that most of the outflow was plain theft. As of this writing, the culprit has yet to be positively identified.
Analysts who have traced the on-chain movements say the theft bears the marks of someone with insider access to FTX's systems. Less widely reported is that two other FTX executives have since pleaded guilty to federal charges and are cooperating with prosecutors. So we may know more soon.
Does the thief really have ties to FTX? Is the thief SBF himself, as some suspect? Hopefully, we’ll learn the truth as U.S. agencies extradite SBF to the U.S. and continue to investigate the company’s implosion.
2. $552M Stolen from Ronin Network
The blockchain that hosts the world's most popular play-to-earn game, Axie Infinity, was the victim of one of the year's most devastating hacks. Groundwork for the theft on Ronin Network was laid in late 2021, when Sky Mavis, Ronin's developer, was given permission to sign withdrawals on behalf of the Axie DAO's validator and that permission was never revoked. Attackers who subsequently compromised Sky Mavis's systems could therefore sign with five of the bridge's nine validator keys, and five signatures were all the bridge required to approve a withdrawal.
Then, at the end of March 2022, the thieves struck, forging two withdrawals that took 173,600 ETH and $25.5 million of the stablecoin USDC. At the time of the theft, the purloined coins' total value was $552 million, though shortly afterwards the coins' value grew, so by the time the theft became public knowledge, it was valued at $615 million. The withdrawals went unnoticed for six days, until a user reported to Sky Mavis that they couldn't withdraw their own ETH from the bridge.
As a result of this huge theft, transactions on Ronin’s bridge were shut down for nearly three months. Established users were able to make withdrawals during that time through another bridge provided by Binance.
The company announced on June 28 that the Ronin Bridge was successfully rebuilt and could be used again, now sporting a number of new security controls. While Ronin reimbursed network users who lost tokens, the company’s own hoard of 56,000 stolen ETH wasn’t recovered.
Postscript: The U.S. Treasury's Office of Foreign Assets Control (OFAC) later sanctioned the wallet address used in the heist and attributed the attack to North Korea's notorious Lazarus Group. It's believed funds stolen by North Korean hackers help finance the country's long-range missile program.
3. Wormhole bridge sees $321M drained
Wormhole's popular bridge enables users to move coins between several different chains including Ethereum, Polygon, and Solana. In February, an attacker exploited a flaw in Wormhole's Solana-side smart contract: its signature-verification step relied on a deprecated Solana function that didn't check which account it was reading from, so the attacker could pass in a fake account, have a bogus set of guardian signatures accepted, and mint 120,000 wrapped ether (wETH) tokens worth $321 million with no ETH locked behind them.
Wormhole made a white-hat offer that would have let the thief keep $10 million and avoid prosecution in return for details of the exploit and the return of the remaining funds, but got no reply. Within a day, Jump Crypto, the trading firm that backs Wormhole's development, replaced the missing ETH so that users' wrapped tokens stayed fully backed.
To its credit, Wormhole was able to limit the damage to wETH with some fast action–no other coin types were affected by the hack.
4. $190M Nomad bridge ‘free for all’ exploit
Most crypto thefts involve a single attacker or a group of attackers working in concert. Nomad bridge was special because, after the attack was under way, scores of copycats jumped in to direct free coins to their own wallets.
The problem was a routine upgrade in which Nomad's developers initialized the bridge's on-chain message store with a trusted Merkle root of all zeros ("0x00"). That value is also what the contract stores for any message that has never been proven, so when a message was submitted for processing, the contract looked up its root, found zero, saw that zero was on the trusted list, and released the funds. In effect, every message was treated as valid, no Merkle proof required.
Once an attacker noticed the flaw and began initiating large transactions, others quickly caught on, copying the original transaction's calldata and simply substituting their own wallet addresses as the destination. The hack became notorious as one based on an error so glaring that thieves didn't even need to know how to code to make off with coins.
Before it was fixed, Web3 security firm PeckShield reported 41 different addresses took advantage of the Nomad bridge flaw, which enabled thieves to steal Ethereum-based ERC-20 tokens. The massive theft was a major black eye for Nomad’s reputation, since the platform claimed it had a “security first” mission.
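The zero-root mistake is easier to see in code. The following is an added toy model written for this article, not Nomad's contract: `Replica` keeps the same bookkeeping Nomad's Replica contract did (a map from message hash to the root it was proven against, and a map of confirmed roots), with the Merkle proof itself stubbed out by a flag, since only the root lookup matters here. The message format, the `GOOD_ROOT` value and the attacker/copycat addresses are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

ZERO_ROOT = bytes(32)  # Solidity's default bytes32 value: what an unproven message maps to
GOOD_ROOT = hashlib.sha256(b"constructed legitimate merkle root").digest()  # constructed


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    token: str
    amount: int

    def digest(self) -> bytes:
        return hashlib.sha256(repr(self).encode()).digest()


class Replica:
    """Destination-chain message store, modelled on Nomad's Replica contract."""

    def __init__(self, trusted_roots, reject_zero_root: bool):
        # Nomad semantics: confirmAt[root] != 0 means the root is confirmed.
        self.confirm_at = {root: 1 for root in trusted_roots}
        self.messages: dict[bytes, bytes] = {}  # message digest -> root it was proven against
        self.processed: set[bytes] = set()
        self.reject_zero_root = reject_zero_root

    def acceptable_root(self, root: bytes) -> bool:
        # Hardened variant: the zero sentinel is never a real root, so never accept it.
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        return self.confirm_at.get(root, 0) != 0

    def prove(self, message: Message, root: bytes, proof_valid: bool) -> bool:
        """Record that `message` is a leaf of `root`. The Merkle proof check is
        stubbed by `proof_valid`; only the root bookkeeping is modelled."""
        if proof_valid and self.acceptable_root(root):
            self.messages[message.digest()] = root
            return True
        return False

    def process(self, message: Message) -> bool:
        digest = message.digest()
        if digest in self.processed:  # replay protection (this part worked fine)
            return False
        # A message that was never proven has no entry; Solidity returns bytes32(0).
        root = self.messages.get(digest, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.processed.add(digest)
        return True


def vulnerable_replica() -> Replica:
    # The bad upgrade confirmed the zero root alongside the real one.
    return Replica([GOOD_ROOT, ZERO_ROOT], reject_zero_root=False)


def hardened_replica() -> Replica:
    return Replica([GOOD_ROOT, ZERO_ROOT], reject_zero_root=True)


def run_attack(replica: Replica) -> tuple:
    """Returns (forged accepted, copycat accepted, replay accepted)."""
    forged = Message("0xattacker", "0xattacker", "WBTC", 100)  # never proven
    copycat = Message("0xattacker", "0xcopycat", "WBTC", 100)   # same calldata, new recipient
    return replica.process(forged), replica.process(copycat), replica.process(forged)
```

Running `run_attack` against `vulnerable_replica()` accepts both the forged message and the copycat's variant (each has a fresh hash, so replay protection never triggers), while `hardened_replica()` rejects both because an unproven message resolves to the zero root and the zero root is refused outright. A legitimately proven message still processes in the hardened version.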
5. $182M Lost in Beanstalk Farms flash loan attack
Talk about a fall out of the clouds. Beanstalk Farms was founded with a noble ideal: to create a trusted new stablecoin to meet growing demand for reliable on-chain tokens. Unfortunately, that dream came crashing down in mid-April, when an attacker used flash loans to borrow enough of Beanstalk's governance tokens to briefly hold a supermajority of the vote. With that voting power they passed a malicious proposal, which they had quietly submitted a day earlier, invoking the protocol's "emergency commit" path to transfer its assets to their own wallet: a textbook flash-loan governance attack.
The borrowed tokens were repaid in the same transaction, so the lender was never exposed; the protocol's reserves, though, were already gone. While Beanstalk's losses were said to total $182 million, the thief is believed to have netted only about $80 million. The rest went to flash-loan fees and other costs of executing the transaction.
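The attack pattern is short enough to simulate. The following is an added example written for this article, not Beanstalk's code: a toy governance module with the same shape as the attack, a supermajority "emergency commit" that executes immediately, and an attacker who borrows voting tokens, votes, commits, and repays inside one atomic step. The balances, the treasury size and the `snapshot_voting` switch are constructed; the hardened variant weighs votes by balances recorded when the proposal was created, which a flash loan taken later cannot change (a delay between passing and executing would defeat it for the same reason, since the loan must be repaid within the transaction).

```python
from dataclasses import dataclass, field

SUPERMAJORITY = 2 / 3  # emergency-commit threshold (Beanstalk used two thirds)


@dataclass
class Proposal:
    proposer: str
    action: str                      # "drain": send the treasury to the proposer
    snapshot: dict                   # governance balances when the proposal was created
    voters: set = field(default_factory=set)
    executed: bool = False


class Governance:
    def __init__(self, balances: dict, treasury: int, snapshot_voting: bool):
        self.balances = dict(balances)   # governance-token balances (constructed)
        self.treasury = treasury         # protocol reserves the proposal can move
        self.snapshot_voting = snapshot_voting
        self.proposals: list = []
        self.loot: dict = {}             # what "drain" proposals paid out, by recipient

    def propose(self, proposer: str, action: str) -> int:
        self.proposals.append(Proposal(proposer, action, dict(self.balances)))
        return len(self.proposals) - 1

    def vote(self, pid: int, voter: str) -> None:
        self.proposals[pid].voters.add(voter)

    def emergency_commit(self, pid: int) -> bool:
        p = self.proposals[pid]
        if p.executed:
            return False
        # Vulnerable: weigh votes by balances *right now*. Hardened: by the snapshot.
        weights = p.snapshot if self.snapshot_voting else self.balances
        support = sum(weights.get(v, 0) for v in p.voters)
        if support < SUPERMAJORITY * sum(weights.values()):
            return False
        p.executed = True
        if p.action == "drain":
            self.loot[p.proposer] = self.loot.get(p.proposer, 0) + self.treasury
            self.treasury = 0
        return True


def flash_loan_attack(gov: Governance, attacker: str, pool: str, amount: int) -> tuple:
    """Returns (proposal executed?, attacker's loot). The proposal is created first
    with the attacker's small real stake; everything after is one atomic transaction."""
    pid = gov.propose(attacker, "drain")
    gov.balances[pool] -= amount                                   # borrow
    gov.balances[attacker] = gov.balances.get(attacker, 0) + amount
    gov.vote(pid, attacker)
    executed = gov.emergency_commit(pid)
    gov.balances[attacker] -= amount                               # repay
    gov.balances[pool] += amount
    return executed, gov.loot.get(attacker, 0)


def demo(snapshot_voting: bool) -> tuple:
    # Constructed numbers: the attacker's real stake is 10 of 2,710 tokens (well under
    # two thirds), but borrowing the pool's 2,000 lifts it to 2,010 for one transaction.
    gov = Governance({"community": 700, "attacker": 10, "pool": 2000},
                     treasury=182, snapshot_voting=snapshot_voting)
    return flash_loan_attack(gov, "attacker", "pool", 2000)
```

With `snapshot_voting=False` the borrowed tokens carry the vote and the treasury is paid out before the loan is returned; with `snapshot_voting=True` the same sequence fails, because the attacker's weight is fixed at the 10 tokens they held when the proposal was filed.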
In a crazy twist, the attacker also took the opportunity to divert $250,000 of the ill-gotten lucre toward a Ukrainian relief charity. Guess they wanted to show they’re not all bad.
The project’s native BEAN coin lost its peg due to the attack, and to date has never recovered in value.
6. $160M Wintermute vanity wallet address generator hack
A "market maker" in DeFi that helps keep crypto markets liquid by holding a large inventory of tokens, Wintermute got hacked in September. Wintermute CEO Evgeny Gaevoy said the thief made off with $160 million in 90 different tokens due to a "critical bug" in Profanity, an open-source Ethereum vanity-address generator Wintermute had used to create one of its wallet addresses. The bug, which 1inch had publicly disclosed days earlier, was that Profanity seeded its search for a matching key with only 32 bits of randomness, so the private key behind any Profanity-generated address could be recovered by brute force.
Vanity address tools let users create wallet addresses with a chosen pattern, such as a run of leading zeros or a recognizable string of characters. This can make addresses easier to recognize, but in this case a weakly generated key made transfers a little too easy. Wintermute has been pretty quiet since the hack occurred; its most recent press release is dated six months prior.
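To show why a small seed is fatal for a vanity generator, here is an added example written for this article, not Profanity's code. It keeps Profanity's structure (derive a starting private key from a seed, then step the key forward until the address matches the wanted prefix) but replaces secp256k1 and keccak with SHA-256 stand-ins and shrinks the seed to 8 bits so the attacker's search runs in seconds; the vanity prefix, the victim's seed and the step limit are constructed. The attacker knows nothing but the public address and the algorithm.

```python
import hashlib
import secrets
from typing import Optional

SEED_BITS = 8     # toy stand-in for Profanity's 32-bit seed, shrunk so the search is fast
MAX_STEPS = 4096  # how far the generator walks from the seed-derived starting key
PREFIX = b"\x00"  # vanity target: the address starts with one zero byte (constructed)


def starting_key(seed: int) -> int:
    """Derive the starting private scalar from a small seed; a hash stands in for
    Profanity's expansion of its 32-bit seed into a 256-bit key."""
    return int.from_bytes(hashlib.sha256(b"seed" + seed.to_bytes(4, "big")).digest(), "big")


def address_of(priv: int) -> bytes:
    """Toy address: last 20 bytes of a hash of the key. Ethereum uses
    keccak256(secp256k1 public key)[12:]; all that matters is that the map is public."""
    return hashlib.sha256(priv.to_bytes(33, "big")).digest()[-20:]


def generate_vanity(seed: int) -> tuple:
    """Profanity-style search: start at the seed-derived key and step forward
    until the address matches the wanted prefix. Returns (private key, address)."""
    priv = starting_key(seed)
    while True:
        addr = address_of(priv)
        if addr.startswith(PREFIX):
            return priv, addr
        priv += 1


def recover_key(target: bytes) -> Optional[int]:
    """Attacker: the only secret is the seed, so replay the generator for every
    possible seed and every step until the public address appears."""
    for seed in range(1 << SEED_BITS):
        priv = starting_key(seed)
        for _ in range(MAX_STEPS):
            if address_of(priv) == target:
                return priv
            priv += 1
    return None


def secure_starting_key() -> int:
    """The fix: draw the starting key from a CSPRNG with a full 256-bit seed, which
    turns recover_key's outer loop into 2**256 iterations instead of 2**SEED_BITS."""
    return secrets.randbits(256)
```

With a real 32-bit seed the outer loop has about four billion iterations, which is exactly the GPU-sized job 1inch described; with `secure_starting_key` the same code is hopeless. Any address produced by a generator whose seed an attacker can enumerate should be treated as already compromised and emptied.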
Rumors circulated that the Wintermute hack was an inside job, but the company seemed to shake off those allegations and the perpetrator hasn’t been identified to date. Wintermute managed to reassure the crypto ecosystem by making a $92.5 million loan payment due to TrueFi on time, shortly after the attack (though some speculated the funds came from the stolen $160M).
7. $127M Binance Smart Chain bridge attack
In this October attack, the attacker forged a cross-chain withdrawal proof that the BSC Token Hub bridge (which links the legacy BNB Beacon Chain to BNB Smart Chain) accepted as genuine. The bridge's proof verification could be tricked into accepting a proof for a deposit that never happened, and with it the attacker convinced the bridge to send its wallet 1 million BNB, twice.
This is one of those incidents that could have been a whole lot worse. Those 2 million Binance coins (BNB) were worth roughly $580 million, but BNB Smart Chain's validators halted the chain within hours, and the attacker only managed to move about $127 million off-chain; the rest stayed frozen on the paused chain.
Binance seems to have bounced back quickly from this incident and remains a major player in crypto. In November, company CEO Changpeng Zhao signed a non-binding letter of intent to acquire FTX, then backed out after a day of due diligence, a move that laid bare the growing problems at FTX.
8. $116M Mango Markets loan scam
In October, Solana-based DeFi project Mango Markets fell victim to a trader who manipulated the price of Mango's native token (MNGO), driving it up roughly 1,000 percent in a matter of minutes. Because Mango valued collateral at that inflated price, the attacker's MNGO position suddenly appeared to be worth enough to borrow against, and they took out loans against it, draining the protocol's treasury. They then withdrew, the pumped price collapsed, and the token's liquidity was wiped out.
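The mechanism generalizes to any lending market that prices collateral off a manipulable market. The following is an added toy written for this article, not Mango's code: a market that computes a borrow limit from collateral value and a pool that either trusts the latest price print or a time-weighted average of recent prints. The prices, window, collateral size and reserves are constructed to mirror the shape of the incident (a quiet market, one pumped print, then a borrow).

```python
from collections import deque


class PriceOracle:
    """Keeps the last `window` price observations."""

    def __init__(self, window: int):
        self.prices: deque = deque(maxlen=window)

    def update(self, price: float) -> None:
        self.prices.append(price)

    def spot(self) -> float:
        return self.prices[-1]

    def twap(self) -> float:
        # Time-weighted average; each observation here stands for one equal interval.
        return sum(self.prices) / len(self.prices)


class LendingMarket:
    def __init__(self, oracle: PriceOracle, reserves: float, ltv: float, use_twap: bool):
        self.oracle = oracle
        self.reserves = reserves   # stablecoins available to borrow
        self.ltv = ltv             # loan-to-value ratio applied to collateral
        self.use_twap = use_twap   # vulnerable: False (spot); hardened: True

    def collateral_value(self, tokens: float) -> float:
        price = self.oracle.twap() if self.use_twap else self.oracle.spot()
        return tokens * price

    def max_borrow(self, tokens: float) -> float:
        # A borrower can never take more than the pool actually holds.
        return min(self.reserves, self.collateral_value(tokens) * self.ltv)


def pump_and_borrow(use_twap: bool) -> float:
    """Replays the pattern: nine quiet prints, one pumped print, then a borrow."""
    oracle = PriceOracle(window=10)
    for _ in range(9):
        oracle.update(0.03)        # constructed quiet market at $0.03
    oracle.update(0.33)            # attacker pushes the latest print up ~1,000%
    market = LendingMarket(oracle, reserves=1_000_000, ltv=0.8, use_twap=use_twap)
    return market.max_borrow(5_000_000)   # attacker's 5M tokens of collateral (constructed)
```

Against the spot-priced market a single pumped print is enough to borrow the pool's entire reserves; against the averaged price the same pump only lifts the limit modestly. A TWAP only slows an attacker who can hold the pump for the whole window, so in practice it is paired with caps on how much any one collateral asset can back.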
In the end, Mango elected to pay a controversially high bug bounty to the hacker in exchange for the return of some of the funds. The attacker avoided prosecution and kept $47 million of the ill-gotten gains in a deal that returned the remainder to Mango. While some in the Mango community found that large sum appalling, it was a big improvement on the attacker’s original offer, which had them keeping $70 million worth of their stolen coins.
9. $113M Maiar DEX bug exploit
Back in June, decentralized exchange Maiar–which operates on the Elrond blockchain–saw an attacker exploit a bug in their software that enabled the theft of 1.65 million of their coin, EGLD. At the time, the stolen crypto was valued at $113 million. One analyst indicated the thief was able to deploy a smart contract that enabled the theft.
When the attacker sold about 800,000 EGLD on the platform, it caused the value of EGLD to crash from $70 to $5. Other tranches of the thief’s loot were sold elsewhere. Unlike many cryptos that have seen a major theft, EGLD has since recovered to about half its previous value.
10. $100+M Freeway rug pull
This one is a classic case of the rule "If it sounds too good to be true, it probably is." This financial project promised participants 43 percent annual returns if they used Freeway's "Superchargers," products the project itself described as crypto "simulations" that paid out rewards.
In October, the project’s founders suddenly disappeared with over $100 million in users’ funds, in a classic rug pull maneuver. Observers who spotted the move urged participants to quickly withdraw their funds if they could, noting that team members’ names had mysteriously vanished from Freeway’s website.
Months later, Freeway’s tweets continue to promise the future release of their investigative findings, most recently on December 19. Meanwhile, the site has still not resumed selling its superchargers, due to “unprecedented volatility in Foreign Exchange and Cryptocurrency markets in recent times.”
11. $100M Harmony’s Horizon Bridge hack
The Layer 1 blockchain Harmony offered its Horizon Bridge as a convenient way to transfer crypto assets between chains. However, it secured transfers with a 2-of-5 multisig: any two of the five signing keys could authorize a withdrawal, so an attacker needed to compromise only two keys to drain it.
In June, a hacker was able to exploit this vulnerability to steal close to $100 million in a variety of different cryptocurrencies. To its credit, the Harmony team hopped on the problem and kept users posted on Twitter. Sadly, most of the crypto was quickly laundered through Tornado Cash.
Harmony has since switched to requiring 4 of 5 validators.
Learn how to protect yourself from crypto scams
This cavalcade of scams provides a primer on the variety of ways that attackers can steal crypto. Add it all up, and over $2.56 billion in crypto was stolen in just these largest 11 scams of 2022.
In some cases, it would be hard for users to spot the problem, but in others crypto users or outside analysts were first to blow the whistle. It takes education about how scams work, and a whole community watching for suspicious transactions, to keep crypto owners safe.
To learn more about keeping your tokens safe, check out our Essential Web3 Security Guide.