A look back at the major cryptocurrency hacks and breaches in 2023 resulting in over $2 billion in losses.
As 2023 draws to a close, it will go on record as the year Bitcoin and the crypto market staged a remarkable recovery from the brutal bear market. However, cryptocurrency hacks are still prevalent — with almost $2.4 billion stolen this year alone.
Many of these platforms are built on open-source software, which, while promoting transparency and community collaboration, also potentially exposes vulnerabilities that can be exploited by those with malicious intent.
Unfortunately, this has painted a red target on the back of insecure cryptocurrency exchanges, platforms, protocols, and the users who have ultimately borne the brunt of these attacks. Indeed, most of the funds lost due to the hacks listed below will likely never be recovered.
Let's dive into the worst hacks of 2023.
Kyber Network: $54.7 Million
November 2023 marked the date of a security incident affecting Kyber Network, as an attacker took advantage of a vulnerability linked to liquidity and managed to steal approximately $54.7 million from KyberSwap Elastic.
In an unusual turn of events, the hacker offered to return the stolen funds if a list of demands was met. Among the demands, the attacker requested full control of the Kyber Network company and a complete surrender of all on-chain and off-chain company assets.
It appears the team behind Kyber did not bend the knee to the attacker and is instead moving forward with a compensation plan that involves offering treasury grants to affected users.
Curve: $73.5 Million
No stranger to hacks, Curve was once again exploited in July 2023 after an attacker took advantage of a faulty recursive lock in several of its Vyper 0.02.15 stablecoin pools to drain their funds.
The main protocols and pools affected by the attack were the Alchemix, JPEG'd, MetronomeDAO, deBridge, Ellipsis, and CRV/ETH pools.
In a positive turn of events, a large proportion of the stolen funds were returned to Curve Finance after the hacker accepted a 10% retroactive whitehat bounty. Meanwhile, Metronome and Alchemix recovered $6 million and $13 million respectively thanks to the efforts of multiple whitehat hackers.
Almost two weeks after the hack, Curve pledged to make whole those still affected after evaluating their losses to ensure resources are fairly distributed.
Euler Finance: $197 Million
Movement of stolen funds mapped by Chainalysis
In perhaps one of the most bizarre events this year, Euler Finance was subject to a $197 million hack back in March 2023.
However, the company behind Euler Finance was able to trace the attacker and open a line of communication. This seemingly spooked the attacker into doing the right thing, as the hacker promptly returned “all recoverable funds” to the Euler treasury.
Since then, the Euler team has opened redemptions to the public, allowing them to reclaim the funds they initially lost in the attack. The Euler Protocol has remained disabled, but the team has hinted that a new modular open lending solution is on the way.
Mixin Network: $200 Million
In September 2023, Mixin Network was hit by a catastrophic cloud service-based attack which led to around $200 million worth of customer assets being stolen. Shortly after the attack, the Mixin network was suspended.
According to the official announcement, the Mixin team plans to do its best to minimize these losses.
In a later live stream, Mixin Network founder Feng Xiaodong stated that the platform would only be able to refund up to 50% of the stolen assets and that the rest would be eventually covered by "tokenized liability claims" which Mixin will attempt to pay with its future profits.
Multichain Bridge: $126 Million
At the time one of the most popular cross-chain bridge protocols, Multichain was hacked on July 7, 2023, leading to the exfiltration of $126 million worth of various cryptocurrencies.
As one of the largest crypto hacks on record, the attack involved multiple blockchain networks including Fantom, Moonriver, and Dogechain as well as a wide variety of crypto assets.
This suspicion arose partly due to the disappearance of Multichain’s CEO, known as Zhaojun, in May 2023, and the subsequent inability of the team to perform necessary technical maintenance on the platform.
Surprisingly, the Multichain front end is still up and running to this day. Users can initialize a bridge for their assets but this transfer will never complete. The team behind the platform publicly noted that they are unable to bring down the website or service since they do not have access to the Multichain domain account and warned against using the service.
Atomic Wallet: $100 Million+
In June 2023, Atomic Wallet — then one of the more popular crypto self-custody wallets — suffered a major breach which led to over $100 million in losses across approximately 0.1% of its userbase.
The attack, reportedly perpetrated by the infamous North Korean hacking group known as Lazarus, was one of the most unexpected security incidents this year — since self-custody is generally considered safer than third-party custody.
In the aftermath of the hack, at least 3 lawsuits are progressing against Atomic Wallet, its development company Atomic Systems and its owner Konstantin Gladych. The company has remained tight-lipped on its plan to help affected users, and has described the investigation of the root cause as “complex”.
Stake: $41 Million
In September 2023, the prominent crypto gambling platform Stake suffered a "sophisticated breach" which led to the loss of $41 million across Ethereum, Polygon and BNB Smart Chain assets.
The funds stolen during the attack included 6,001 ETH, 3.9 million USDT, 1.1 million USDC and 900k DAI. Shortly after the hack, the attacker began moving the funds across chains, with a large chunk eventually swapped to native BTC.
The hack, again potentially perpetrated by Lazarus, is unusual in that it did not involve a breach of Stake’s hot wallet private keys. Instead, according to Stake founder Edward Craven, the hackers accessed Stake’s internal transaction approval system, allowing them to process unauthorized transactions.
Unlike many of the other attacks on this list, the Stake hack did not affect customer funds. Instead, the hacker breached a hot wallet designated for paying out large wins.
How To Stay Safe
As an alternative financial industry without a centralized entity enforcing fiscal responsibility, crypto users are heavily reliant on self-custody solutions and up-to-date knowledge of crypto security practices.
Unfortunately, a startling number of cryptocurrency users, including those who are extremely technically savvy, still fall victim to hacks and scams.
With that in mind, we have prepared some resources below to help you maximize the security of your funds.
- How to Protect Your Crypto From Hacks in 2022 and 2023
- Self-Custody: Where and How to Store your Crypto Safely
- Five Tips for Managing Your Risks in DeFi
Stay safe as we head into 2024!