A $620 million hack? Just another day in crypto

DeFi—an idea similar to smart contracts—is all about transparency and open-source code as an ideology. Unfortunately, in practice that too often means rickety multimillion-dollar projects held together with tape and gum.

“There are a few things that make DeFi more vulnerable to hacking,” Grauer explains. “The code is open. Anyone can go over it looking for bugs. This is a major problem we’ve seen that does not happen to centralized exchanges.”

Bug bounty programs—in which companies pay hackers to find and report security vulnerabilities—are one tool in the industry’s arsenal. There’s also a cottage industry of crypto audit firms that will swoop in and give your project a seal of approval. However, a cursory glance at the worst crypto hacks of all time shows that an audit is no silver bullet—and there is often little to no accountability for either the auditor or the projects when hacks happen. Wormhole had been audited by the security firm Neodyme just a few months before the theft.  

Many of these hacks are organized. North Korea has long used hackers to steal money to fund a regime that is largely cut off from the world’s traditional economy. Cryptocurrency in particular has been a goldmine for Pyongyang. The country’s hackers have stolen billions in recent years.

Most hackers targeting cryptocurrency are not funding a rogue state, though. Instead, the already robust cybercriminal ecosystem is simply taking opportunistic shots at weak targets.

For the budding cybercrime kingpin, the more difficult challenge is successfully laundering all the stolen money and turning it from code into something useful—cash, for example, or in North Korea’s case, weapons. This is where law enforcement comes in. Over the last few years, police around the world have been investing heavily in blockchain analysis tools to track and, in some cases, even recover stolen funds. 

The proof is the recent Ronin hack. Two weeks after the heist, the crypto wallet holding the stolen currency was added to a US sanctions list because the FBI was able to connect the wallet to North Korea. That will make it harder to make use of the bounty—but certainly not impossible. And while new tracing tools have started to shed light on some hacks, law enforcement’s ability to recover and return funds to investors is still limited.

“The laundering is more sophisticated than the hacks themselves,” Christopher Janczewski, who was formerly lead case agent at the IRS specializing in cryptocurrency cases, told MIT Technology Review. 

For now, at least, the big risk remains part of the crypto game.