$17 Billion Stolen From Crypto in a Decade — Here's Where All That Money Actually Went


Crypto hacks have drained $17B over a decade per DefiLlama, with bridges and private key exploits as top vectors. North Korea's Lazarus Group accounts for billions in state-sponsored theft.

Seventeen billion dollars: that is how much hackers have stolen from the cryptocurrency industry over a ten-year period, according to DefiLlama's tracking of stolen funds in the industry since 2010. Every time I read this statistic, I take a moment to let it sink in before I put it into perspective. Seventeen billion dollars is a large amount. The total, lost through all the different ways to steal cryptocurrency, such as exploits, bridge attacks, protocol drains and exchange hacks (some much more complex than others), reinforces that this industry has a problem with security. What has changed is that these incidents have increased exponentially.

How the Number Breaks Down

A service named DefiLlama aggregates hacks across many parts of the cryptocurrency world, helping to raise awareness of the problem. Based on its data, $17 billion has been stolen across cryptocurrency over the past ten years. Those losses are not evenly spread over the ten years, however: significant hacking events clustered in the three-year range from 2021 through 2023, when the total value locked in decentralized finance (DeFi) skyrocketed. Attacks increased just as quickly, as attackers recognized that a lot of money was being placed in DeFi protocols backed by only a few months of security auditing and testing.


The pattern of attacks is similar each time. A new sector of crypto attracts large flows of capital quickly: faster than the money can be secured through formal code security audits, faster than secure technology can be built and tested, and faster than anyone can complete stress tests to see what happens when $100 million of an individual's assets are stored inside a contract that is only three weeks old. Attackers watch those quick influxes of money and start looking for ways to get at it.


Cross-chain bridges have a record of being a focus for large-scale attacks. In 2022, the Ronin bridge exploit resulted in the loss of $625 million. The Wormhole exploit resulted in $320 million in losses, and Nomad suffered $190 million in losses. One of the main reasons cross-chain bridges are such an attractive target is that they hold large pools of assets on both sides of the two chains they connect. A bridge functions as a vault sitting at the intersection of two systems, and securing that intersection is very difficult.

The Anatomy of a Crypto Hack

There are many different ways that hackers can steal cryptocurrency, and lumping them all together makes it harder to understand what is actually happening.


Some of these hacks happen at the smart contract level. In these hacks, an attacker takes advantage of a flaw in how a smart contract is coded and uses that flaw to carry out a financial transaction that the contract's own logic allows. A flash loan attack is one example. Here, an attacker borrows a large amount of money and then, within the same transaction, manipulates a price oracle or a liquidity pool, takes value out, and returns the lent funds. All of this occurs in the span of a few seconds, with no stolen password and no unauthorized use of a server; the only thing that happened was that math was used against itself.
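
The single-transaction price swing described above, shown on a toy constant-product pool together with the deviation check a protocol can place in front of its price feed. This is an added example, not from the original article; the `Pool` class, the `checked_price` helper, the reserves and the price history are all constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Pool:
    """Toy constant-product pool (token * usd = k), fees ignored."""
    token: float
    usd: float

    def spot(self) -> float:
        return self.usd / self.token

    def buy_token(self, usd_in: float) -> float:
        k = self.token * self.usd
        self.usd += usd_in
        out = self.token - k / self.usd
        self.token -= out
        return out

    def sell_token(self, token_in: float) -> float:
        k = self.token * self.usd
        self.token += token_in
        out = self.usd - k / self.token
        self.usd -= out
        return out

def checked_price(spot: float, history: list[float], max_dev: float = 0.05) -> float:
    """Accept the spot price only if it is within max_dev of the average of
    prices recorded at the end of earlier blocks; a swing that happens inside
    one transaction cannot move that history."""
    ref = mean(history)
    if abs(spot - ref) / ref > max_dev:
        raise ValueError(f"spot {spot:.0f} deviates from reference {ref:.0f}")
    return spot

def simulate() -> dict:
    pool = Pool(token=1_000.0, usd=1_000_000.0)   # constructed reserves
    history = [1000.0, 1002.0, 998.0, 1000.0]     # constructed block-end prices
    before = pool.spot()
    bought = pool.buy_token(9_000_000.0)          # borrowed funds enter the pool
    during = pool.spot()                          # what a naive spot oracle would read
    try:
        checked_price(during, history)
        rejected = False
    except ValueError:
        rejected = True
    pool.sell_token(bought)                       # position unwound in the same transaction
    return {"before": before, "during": during, "after": pool.spot(), "rejected": rejected}

if __name__ == "__main__":
    print(simulate())
```

The pool price is back where it started by the end of the transaction, which is why a contract that reads the spot price mid-transaction sees a value no outside observer ever does, and why the check compares against earlier blocks.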


Another example of an attack is when someone gains access to a private key that allows them to control a protocol's treasury or sign for a bridge. A prime illustration of this is the Ronin hack, in which North Korean state-sponsored hackers targeted individual employees of Sky Mavis (the creator of Axie Infinity) to gain enough access to keys to drain the bridge of funds without being noticed for six days.


This detail deserves a moment's thought: it took a full week for the largest single hack in the history of cryptocurrency to be detected.


Then there are the hacks of centralized exchanges that hold customers' money. The FTX collapse was not due to a hack in the traditional sense, but the $400 million withdrawn from its wallets hours after it filed for bankruptcy was almost certainly due to a hack. Mt. Gox lost 850,000 Bitcoin over the course of several years, and was never able to identify what was happening while the hack was in progress.

Who's Doing the Stealing

Many of the most significant hacks are not random opportunism. The Lazarus Group of North Korea has been attributed billions of dollars in stolen cryptocurrency across several operations. The U.S. government has sanctioned various wallet addresses associated with the group, and a number of blockchain analytics companies have tracked the movement of the assets through a series of increasingly complicated money laundering systems (mixers, chain hops, and brokers located in poorly regulated jurisdictions).


Cryptocurrency theft at this level has become a source of revenue for an officially sanctioned nation-state. That's a strange thing to say, but there is a lot of evidence backing this up, from numerous independent research organizations.


The other hacks are usually carried out by less sophisticated actors (e.g., developers who found an unaudited protocol, teams trying to outcompete each other, people phishing individual users).

What the Industry Has and Hasn't Fixed

Today, security audits are performed on every serious protocol launch as standard practice. Bug bounty programs give researchers a legitimate way to get paid for discovering vulnerabilities before the hackers do. Many bridges now use more decentralized validator setups to mitigate the risk of a single point of failure.


Despite these efforts, hacks continue to happen at an unprecedented frequency. While there has been some effort to slow the frequency of truly disastrous single incidents, total cumulative losses continue to grow.


The reality is that many pieces of crypto infrastructure started as hastily built small-team products, shipped in competitive haste to put money into circulation, without time taken to think through what-if scenarios from the perspective of an attacker who has limitless time to attack, as well as endless financial means at his disposal.


Building in this environment cost the industry over $17 billion over the past decade. The outcome of the next decade is contingent upon whether the industry has successfully learned from those mistakes, or has simply become better at recording its post-mortems.


All views expressed are the author’s personal opinions, and do not constitute investment advice.
