
The Most Infamous Hacker Attacks: Part 3

July 3, 2024

During the crypto sector's relatively short history, many dishonest individuals have tried to take advantage of weaknesses in the crypto ecosystem, resulting in some of the most notorious hacker attacks in the industry's past. Let's keep investigating the most well-known hacker attacks in the cryptocurrency realm, analyzing how they were carried out, the errors made by individuals, and the important lessons learned by the crypto community. The first and second parts can be found here and here.

Poly Network Exploit (2021)

The Poly Network exploit occurred in August 2021, when the DeFi platform Poly Network was exploited for $610 million, making it one of the most audacious hacker attacks in the crypto space. Poly Network is a China-based cross-chain platform that focuses on promoting blockchain interoperability and building Web3 infrastructure, enabling users to swap tokens from one chain to another easily. This hack was remembered by users globally due to the unsettling negotiations between the hacker and the platform and the unexpected outcome.

The attacker exploited a vulnerability in Poly Network's smart contracts, allowing them to access various wallets and drain funds across multiple blockchains (Ethereum, Binance Smart Chain, and Polygon). The attacker's original funds were in Monero (XMR), a privacy-focused cryptocurrency, and were subsequently traded for BNB, ETH, MATIC, and several other tokens. After the security breach was found, Poly Network directed all cryptocurrency miners and exchanges to block the stolen funds, essentially rendering them inaccessible to the hacker. Less than a day later, an unidentified individual claiming to be the hacker announced their willingness to give back the funds. The identity of this hacker remains undisclosed to this day.

Poly Network asked the hacker to move the funds to three different cryptocurrency wallets. Soon after, the hacker returned $342 million, which represents about half of the stolen amount. The remaining $268 million in assets were placed in an account requiring an input of passwords from both Poly Network and the hacker for access. Poly Network appealed to the hacker to provide the "private key" needed to retrieve the funds and even offered a $500,000 "bug bounty" and the position of the company's chief security advisor to the hacker, but both offers were turned down.

Thirteen days following the incident, Poly Network announced that the hacker had shared the private key needed to regain control of the remaining assets through an on-chain message. The update confirmed that Poly Network successfully recovered all the user assets that were transferred out during the attack. According to the announcement, some speculate that the hacker returned the funds because it was challenging to launder the money and cash it out due to the public recording of the coins on the blockchain. However, the hacker denied this claim in a message within a crypto transaction, stating that they were "quitting the show" and acknowledging that their actions caused discomfort. Still, they believed they were contributing to the security of the Poly Network.

After the incident, Poly Network announced in a blog post its intention to initiate a bug bounty program worth $500,000. The program aims to incentivize researchers to discover and responsibly report any other weaknesses in its software. But this initiative was not sufficient, as this incident was not Poly Network's last. In July 2023, it experienced another major hack. The attacker exploited a vulnerability in the project's smart contracts to mint tokens worth an estimated $43 billion utilizing 57 different crypto assets spread across ten blockchains. However, holding this balance did not ensure that the hacker could cash it out. Due to restricted liquidity, the hacker could only withdraw approximately $10 million from the system. Despite this relatively positive outcome, this hack once again emphasized the importance of thoroughly audited code, especially for projects of such great size and following.

Multichain Exploit (2023) 

The downfall of Multichain (formerly known as AnySwap) is arguably one of the most infamous hacks of recent times. Multichain was a platform created to enable cross-chain communication among various blockchains. It was compatible with more than 25 chains and 1100 tokens before discontinuing its operations because of a string of hacker breaches and the sudden abduction of its CEO, Zhaojun.

Multichain had implemented a multi-party computation (MPC) system to protect its smart contracts. In simple terms, MPC is a method that allows multiple parties to perform a computation without revealing their private data. It is similar to a multi-signature wallet, where the private key is divided among several parties who work together to carry out transactions. This system allows participants to share information and get the necessary results without revealing who contributed which data or relying on an external third party. Unfortunately, the MPC system can still be vulnerable if an attacker manages to obtain enough MPC keys, which may have been the case with Multichain.

The Multichain hack resulted in the loss of more than $125 million in cryptocurrency. The majority of this, approximately $120 million, was taken from the Fantom bridge. The perpetrator exploited the protocol and made off with a variety of assets, including wrapped Ether (wETH), wrapped Bitcoin (wBTC), and USDC. The Dogecoin bridge was also targeted, with $666,000 being siphoned off, leading to an 85% loss of total deposits. Lastly, the Moonriver bridge saw $6.8 million in funds, including USDC and Tether, being siphoned.

The Multichain team announced their discontinuation of operations a week after the hack due to their inability to access the platform and the presence of suspicious activities. The MPC node servers were being operated under Zhaojun's personal cloud server account, with no other team members having access, making it impossible to log in. Rumors also suggested Zhaojun's sister transferred the remaining funds to her own addresses before being apprehended by Chinese authorities, adding to the complexity of the situation. It has been over a year now, and things have not gotten any clearer, as users are still unable to get answers or access their assets. This hack once again reminded the community that even the most popular and trusted projects can have inherent security problems, not to mention the possibility of force majeure.
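The threshold property described for MPC above, and the custody problem of every node sitting under one cloud account, shown as an added example that is not code from Multichain or from this article. Shamir secret sharing stands in for the MPC key shares (real threshold signing never reassembles the key), and the 3-of-5 threshold, node ids and account names are constructed assumptions.

```python
import secrets

P = 2**127 - 1  # Mersenne prime used as the field modulus for the toy sharing

def split(secret, threshold, n):
    """Split `secret` into n Shamir shares; any `threshold` of them recover it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(x, f(x)) for x in range(1, n + 1)]

def recover(shares):
    """Lagrange-interpolate the sharing polynomial at x = 0."""
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def accounts_over_threshold(custody, threshold):
    """Return admin accounts that alone control at least `threshold` shares."""
    counts = {}
    for account in custody.values():
        counts[account] = counts.get(account, 0) + 1
    return sorted(a for a, c in counts.items() if c >= threshold)

THRESHOLD, NODES = 3, 5
KEY = secrets.randbelow(P)  # constructed stand-in for a bridge signing key
SHARES = split(KEY, THRESHOLD, NODES)

# Constructed custody maps: node id -> cloud account that administers the node.
SINGLE_ACCOUNT = {n: "ceo-personal" for n in range(1, NODES + 1)}
SEPARATED = {1: "ops-a", 2: "ops-b", 3: "ops-c", 4: "ops-d", 5: "ops-a"}

if __name__ == "__main__":
    print("3 shares recover key:", recover(SHARES[:3]) == KEY)
    print("2 shares recover key:", recover(SHARES[:2]) == KEY)
    print("single-account custody:", accounts_over_threshold(SINGLE_ACCOUNT, THRESHOLD))
    print("separated custody:", accounts_over_threshold(SEPARATED, THRESHOLD))
```

Any account the audit returns is a single point of both compromise and lockout, whatever threshold the cryptography nominally enforces.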

Final Thoughts

The cryptocurrency industry has been marred by a series of prominent cyber attacks that have significantly disrupted investor confidence, weakened trust, and raised serious doubts about the safety and protection of digital assets. These events have undeniably had a far-reaching impact on the cryptocurrency sphere, prompting industry participants to place an even greater emphasis on security. They have also led to the adoption of more effective methods and the development of innovative measures to safeguard against future risks.
