BlockThreat - 2020: A Year in Review

The Good, the Bad and the Ugly

Welcome to the special edition of the Blockchain Threat Intelligence newsletter where we will explore blockchain security incidents and events from the year 2020. In case you never heard of Blockchain Security, or just blocksec, it is a new security field with the mission of securing and defending the cryptocurrency ecosystem. It encompasses security of blockchain protocols, consensus mechanisms, smart contracts, key storage, exchange security practices, blockchain investigations, and other related topics.

The Good, the Bad and the Ugly

The current state of the blockchain industry resembles the California Gold Rush of the middle 19th century America. There is a similar rush of folks venturing into the unknown frontier of cryptocurrency trading and DeFi investing often leaving their livelihoods and previous jobs behind. My home town, San Francisco, has plenty of reminders of that era such as signs of abandoned and buried ships left by crews eager to try their luck at striking it rich with gold.

Unfortunately, that same spirit attracted not only the hard working folks, but also criminals, scammers, and other miscreants. But not all is bad in this new frontier. Just like in the old west, new blockchain security companies and whitehat hackers are joining the fight to bring law and order to the new and vulnerable industry.

In this edition of the newsletter, I will expose the bad, celebrate the good, and explore the evolving battlefield which is the Blockchain Security.

But first a quick note from friends and sponsors at Immunefi:

Last year more than $200M were stolen in DeFi incidents. Immunefi protects you against smart contract hacks by helping create, run, and promote best practice bug bounty programs. Immunefi has the world’s biggest bug bounties, with $5m in smart contract bounties available now. 

If you run a smart contract or Defi application, go to and see how Immunefi can help protect your application today.

The Bad

The year 2020 was filled with almost weekly news of DeFi exploits, occasional exchange and blockchain hacks, user account compromises with a total monetary loss of around $500M. This amount quickly explodes into billions when considering damage caused by various Ponzi schemes, ransomware and cryptojacking malware; however, these will be considered out of scope for this section as there is great coverage elsewhere. Instead I will focus on incidents unique to blocksec as opposed to criminals simply using cryptocurrencies in more traditional schemes.

Let’s begin our review of “the bad” by looking at the breakdown of various incident categories and the amount of monetary damage that they’ve caused:

If you needed any further evidence of just how popular DeFi applications got relative to their centralized counterparts, then looking at the total funds stolen last year should give you a pretty solid signal. Unfortunately, this means that this popularity was coupled with massive hacks which I will cover in detail. Blockchain protocol incidents such as 51% attacks are still present; however, they are dwarfed by the higher level smart contract incidents. Monetary loss caused by vulnerabilities in node and wallet software is even smaller in comparison; however, I will discuss why this may change in the future. And with that let’s dive into our first category which for years remained a persistent target for attackers:

Exchange and other Crypto Business Incidents

Just as in the past years, cryptocurrency business hacks continue to dominate the total monetary loss especially as the market continues to grow. In 2020 about $300M were stolen across 21 incidents mostly from exchanges. This is an increase from $175M stolen in 11 incidents in 2019.

Of all exchange-related hacks, the massive KuCoin attack dwarfs all others with its $281M theft. Interestingly, the exchange claims it has recovered 84% of the lost assets by working with token issuers. Many smart contracts include centralized features which allow superuser accounts to blacklist attacker accounts or burn/confiscate stolen funds. Alternatively, token issuers may be able to redeploy their smart contracts with stolen funds removed from account snapshots. KuCoin was able to convince many projects to take these recovery actions, a precedent which is likely to repeat in future exchange incidents.

Another pattern emerged in 2020 where attackers are not necessarily interested in just stealing funds. In the cases of BlockFi, Coincheck, Coinsquare, Liquid Exchange, and Poloniex obtaining PII (Personally Identifiable Information) was just as useful or at the very least good enough of a reward. Stolen data was likely used to facilitate more direct user attacks such as phishing and SIM swapping.

Below is a complete list of exchange and other cryptocurrency business incidents:

Timing of the hacks continues to show careful planning and sophistication where four different exchanges were hit within days of each other. These attacks also coincided with winter holidays when many engineers were on vacations.

Post-mortem reports indicate that many of the hacks could have been easily avoided. For example, BlockFi’s employee was SIM swapped and Cashaa’s employee was infected with malware on an unmanaged personal laptop that was used for work. Other businesses such as Ledger failed to fully communicate the impact of a compromise resulting in an unexpected surge of phishing attacks.

There are still no industry-wide standards or regulations to guide and require exchanges to follow minimum secure practices such as PCI. Unfortunately, this led to cryptocurrency businesses having a wide range of security controls which may not always be sufficient.

DeFi and Smart Contract Incidents

Next in our list of incidents with the highest monetary impact is DeFi with a seemingly endless stream of hacks. The year 2020 had an unprecedented growth in both the number of DeFi projects and the value locked in them. Consumers rushed to take advantage of new ways to earn profits. Attackers soon followed with new classes of smart contract exploits involving flash loans, arbitrage, oracles, and others. Complex interactions between DeFi components have exposed vulnerabilities never expected by developers or sometimes audit firms reviewing them.

When the dust settled in 2020 about $230M+ were stolen across 60 incidents. Some projects like bZx were repeatedly hacked with ever increasing amounts reaching about $9M of total stolen assets in 2020. It was staggering to watch not only the amounts involved but the sheer frequency with which these hacks happen. For example, in a single month of November $76M worth of tokens were stolen with hacks reported almost every other day:

Below is a list of DeFi incidents which resulted in a monetary loss:

On the more optimistic side, only half of the total incidents involved monetary loss. The other half were asset issuers scrambling to shut down, upgrade, or in multiple cases hack themselves after a vulnerability was responsibly disclosed by white hat hackers. Scroll through Vulnerability sections in earlier editions of the newsletter for a more complete list of these near misses.

Not all DeFi projects were exploited using sophisticated hacks involving dozens of transactions. Some were good old scams which attracted hungry investors and quickly relieved them of their tokens. Below is a list of DeFi incidents which scammed users using backdoors:

Other DeFi projects have simply rug pulled on their projects after they got them sufficiently pumped. Here are just a few examples:

These are the signs of an industry that still needs to mature. Internet Commerce of the late 90s/early 2000s was similarly butchered until educational projects like OWASP, tools like Burp proxy, and a multitude of web security consulting shops, bug bounty programs, conferences, and trainings have sprung up. DeFi space will also need to go through a similar painful growth period. Until then we are likely going to see 2021 set new records in both the number and value lost due to DeFi hacks and scams.

Blockchain Incidents

Beneath all the flashy DeFi apps and exchange platforms sit good old layer one blockchains with their own issues. This section is divided into different components involved in operation of blockchains such as Nodes, Wallets, and consensus protocols guiding them.

Consensus Protocol Incidents

About $20M were stolen across 11 different incidents exploiting blockchain protocols. Most of the attacks involved PoW chains that were 51% attacked after sufficient hash power was rented on miner rental platforms such as NiceHash:

An emerging trend in these attacks is the massive increase in the number of orphaned (aka “reorged”) blocks involved in double spends. In the past years, attacks such as Vertcoin were reorged with 400-700 blocks. The latest attacks against Ethereum Classic involved a massive 7000 block reorg. Another trend is how PoS blockchains learned to defend themselves using both dynamic and hard-coded checkpoints. Such was the case with Bitcoin Gold which was notified of an impeding attack by a NiceHash rental miner which in turn coordinated a secret node version bump to invalidate attacker’s blocks.

Traditionally 51% attacks involve a double spend to compensate attackers for their mining effort and net them some profit. For example, one of the Ethereum Classic attacks cost perpetrators around $200K. However, in the case of Bitcoin Cash ABC attackers simply wanted to cause as much grief to the chain as possible even at a personal loss. With more central banks getting involved in cryptocurrencies, could the next cyberwarfare campaign target country’s blockchain infrastructure?

As more unique blockchain projects come online, the year 2020 has also brought us several attack classes which were previously only theorized:

The first incident is particularly interesting as the first instance of a PoS (Proof of Stake) attack in the wild. SteemIt’s governance system was successfully subverted not by a mining pool with a dominant hash power, but by a group of exchanges which pooled together a dominant staking power. The attack was also made unique by the DPoS (Delegated Proof of Stake) mechanism which allowed perpetrators to force a hard fork in order to gain a complete and permanent control of the network.

The mempool manipulation on Ethereum was also interesting due to attackers targeting a higher level MakerDAO collateral liquidation mechanism as opposed to the underlying blockchain. Finally, the Monero Sybil attack is likely connected to the recent bounty put out by U.S. Treasury to help deanonymize Monero. If that’s true this would be the first confirmed state sponsored attack on the blockchain.

One common theme with successful 51% attacks was that target blockchains were either relying on commodity mining hardware such as GPUs or in the case of ASICs were not the largest users of the hashing algorithm. This allowed miners to retarget or simply rent hashing capacity to attack these networks. Even with various defenses being put in place, it is likely that PoW 51% attacks are going to continue next year. This brings us to Proof of Stake blockchains. Now that the Pandora’s box has been opened, we may see another PoS 51% attack especially in lower market cap chains where staking funds could be easily borrowed.

Node Software Incidents

Blockchain node software is a crucial element of the blockchain network as the key component which enforces and validates its rules. Unlike protocol incidents where risks are understood and expected such as with the 51% attacks, node software incidents result from vulnerabilities found in the actual implementation. There were 10 different incidents which resulted in the loss of $5.4M in 2020:

RavenCoin incident was particularly nasty as it involved a malicious PR which introduced the minting vulnerability. What is concerning is that the vulnerability and the ongoing exploitation were only discovered 6 months later. Supply chain attacks are a real threat in other open source software projects and blockchains are no different.

The Solana vulnerability was also insane as it identified missing transaction signature validation allowing anyone to steal funds from any account. Luckily the issue was found in the Testnet so no real funds were stolen.

Wallet and Client Software Incidents

Things were not much more different on the wallet software side. There were 7 different incidents affecting wallets with one resulting in a massive $1.6M loss:

Similarly to node software, wallets are also vulnerable to supply chain attacks. In fact, one such attack targeting IOTA’s Trinity Wallet caused so much disruption that the entire network had to be halted while developers were investigating.

What is concerning in both node and wallet software bugs is just how rare they are. Both of the major software incidents were caused by supply chain attacks. What’s missing are critical vulnerabilities in nodes and wallets similar to the one found in Solana. It could be that these flaws are silently patched like the one in Geth. However, what keeps me up at night is that it’s just as likely that there are not enough eyes on these projects beyond a few well established ones. If there is something we could learn from traditional security is that even the most secure operating system, web server, mobile, and other software gets compromised. So is it just the matter of time before a major blockchain node vulnerability gets exploited?

User Incidents

Everyday users have been under a constant onslaught from scammers, phishing and malware campaigns. In this report, I will focus on the more technical attacks with incidents involving multi-billion Ponzi scams considered out of scope. Below is a list of just a few sample incidents representative of the year:

This year continued the trend of crypto pyramid schemes, celebrity giveaway and crypto-flipping scams, and fake crypto stealing software. It was interesting to observe the first Web3 scam site which posed as a legitimate MakerDAO project. Another example of scam artists increasing their sophistication is through the use of asset specific features like XRP Memo fields, targeting telco switches, Tor exit nodes, and anything else that would get them closer to users’ crypto.

However, nothing matched the massive Twitter hack which took over hundreds of cryptocurrency, celebrity, corporate, and other accounts all to advertise a simple Bitcoin giveaway scam. These scams have slowly gained in popularity with fake ads popping up on Youtube, Twitter, Google Ads, and other media sources purporting to be coming from Bill Gates, Elon Musk, and other celebrities. However, the July 15th attack was different since it took over verified individual, corporate, or any other account on the Twitter platform. In the end it netted attackers a relatively small $120K profit and resulted in multiple arrests shortly after:

The last notable user incident was an attack against Nexus Mutual’s founder which netted hackers an $8M profit worth of NXM tokens. Unlike mass “fake wallet” campaigns popular on Google Play Store, this one was highly targeted. It involved both a compromise of the user’s machine and a specially modified wallet software.

With cryptocurrency prices going through a mass rally, it is likely that both the frequency and the size of attacks on individuals is going to increase. While traditional mass phishing campaigns are going to remain, the ability to target specific high profile users is particularly worrying. The Ledger database leak has identified a small group of individuals and their PII data which makes both online and physical attacks highly probable and dangerous.

The Ugly

In the previous section we explored some of the baddest incidents that blocksec has ever seen. But who are the actors behind these acts?

Advanced Persistent Threat (APT) groups have been a familiar enemy to financial, government, and other institutions for decades. Over the years, reports of Lazarus (APT38), a North Korean hacking group, targeting cryptocurrency businesses have significantly upped the stakes for exchanges after multiple incidents were attributed to them:

Other state sponsored APT groups such as Vietnamese Ocean Lotus (APT32) and Chinese Wicked Panda (APT41) have been caught using more indirect tactics to accumulate cryptocurrency by installing mining malware on victim’s computers:

Non-state sponsored APTs appear to be primarily focused on highly profitable ransomware campaigns which often involve cryptocurrencies as the preferred method of payment:

Previously mentioned APT groups use or target cryptocurrency assets as just one of their activities. However, a report by ClearSky has revealed a new APT dedicated to attacking cryptocurrency exchanges:

On the not so advanced but persistent side the actors behind both the massive Twitter hack and the more targeted SIM swapping attacks turned out to be a groups of young adults in their early 20s:

While the investigators were focused on actors behind exchange and individual attacks there appears to be almost nothing revealing about folks behind all of the DeFi hacks. The closest we got was with the dForce incident where an attacker was allegedly identified and forced to return all of the stolen assets:

In other incidents, hackers sent back stolen funds with snarky remarks:

Based on the lack of opsec following the hacks and the highly specialized skill-set involved in executing these attacks, DeFi hackers are more likely to be individual developers who decided to cross the line rather than organized criminal or nation state groups looking for new sources of revenue.

The Good

The story of Blockchain Security would not be complete without talking about the good folks and there were so many this year! What they do is what makes working in blocksec so exciting and inspiring at the same time.

A common occurrence across a number of DeFi incidents this year was the mention of whitehat hackers who reached out to developers to not only give them a heads up about a vulnerability, but actively assist them in patching their code. The whitehat behind many of these responsible disclosures was samczsun. Here are just a few projects out of at least 18 that he helped lock down this year:

Another sheriff in the lawless crypto frontier is Harry Danley from MyCrypto. As you can see from his twitter and blog posts he worked tirelessly for years to identify and shut down a barrage of phishing and malware campaigns targeting cryptocurrency users. Hunting down scammers usually involves take downs and possibly law enforcement reports which rarely result in a punitive action. In 2020 Harry took matters into his own hands and was able to steal back and return stolen funds from scammers by exploiting their badly protected infrastructure:

There are also so many dedicated teams which make the field more secure every day. One such team is Consensys Dilligence. The group is well known for its smart contract security audits; however, their biggest contribution to the community this year was a number of free tools and papers which developers can use to secure their projects. Here are just a few of them released this year:

There are many more heroes out there who I quietly watched from the pages of this newsletter in awe. You know who you are and it has been a privilege to share your victories and struggles in the past year.

The dream of bringing the open financial system to the world is not easy. It will require work of thousands entrepreneurs, developers, security engineers to make blockchains not only functional but secure. The blockchain security field is still just as young and barely explored as the cryptocurrency ecosystem it is trying to protect. I hope that reading this newsletter was both informative and inspiring to you to walk this journey with so many of us. Consider joining the good fight as a security engineer, bounty hunter, smart contract developer, blockchain investigator, or just as a curious explorer on the new frontier. If you are not sure how to get started, subscribe to this newsletter where I often post educational materials or just feel free to reach out to me directly.

Help support BlockThreat in 2021!

Over the past two years, BlockThreat has gained hundreds of followers including exchanges, asset issuers, DeFi projects, engineers, investigators, law enforcement, and many others. This newsletter is a labor of love which takes many hours weekly to prepare. If you found BlockThreat valuable consider supporting its future growth:

1) Make an individual contribution.
2) Sponsor an edition where you can place an advertisement.
3) Share your job postings in the next edition.
4) Share the newsletter with a friend or a colleague.

Thanks for joining me in this special edition of Blockchain Threat Intelligence and looking forward to seeing you all in 2021!

- Peter Kacherginsky (iphelix)