In 2022, cryptocurrency-based projects experienced a series of devastating hacks and exploits in what’s considered the worst year ever when it comes to securing digital assets.
Overall, the frequency of crypto hacks accelerated rapidly this year, topping out at $3 billion in total funds lost, according to a Chainalysis report.
The year showed us how blackhat or malicious hackers are using increasingly advanced tactics to exploit weaknesses in decentralized apps that may have bugs, like every other piece of software.
Among the major crypto heists of 2022, security incidents involving cross-chain bridges and decentralized finance protocols stood out for suffering damages to the tune of hundreds of millions of dollars in individual exploits. During such exploits, hackers accessed and stole crypto assets without authorization by taking advantage of vulnerabilities in smart contracts.
This exclusive article from The Block explores the largest crypto hacks of 2022 and what went wrong leading up to each attack.
Ronin Network — $625 million
On Mar. 29, Ronin, a sidechain that hosts Sky Mavis’ Axie Infinity game, was exploited for $625 million in various crypto assets, making it the largest crypto heist to date. Sky Mavis developed Ronin to host its popular blockchain game Axie Infinity. But things took a turn for the worse when the team failed to secure the Ronin network from perpetrators, later identified to be North Korea's Lazarus hacking group.
Through an email-based phishing attack on a former employee, the hacking group gained access to Sky Mavis’ IT infrastructure. There, the hackers located and stole private keys to Ronin blockchain validator nodes, which the firm stored on its internal servers. When the hackers had access to validator keys, they took control over the entire Ronin network and transferred more than 173,600 ether (ETH) and 25.5 million USDC stablecoin, totaling over $625 million.
Fortunately for users who had their funds taken during this incident, most were fully reimbursed, the firm claimed. A week after the hack, Sky Mavis raised $150 million in a funding round led by Binance and combined this with its own assets to pay back everyone who was affected by the exploit.
FTX — $370-$400 million
Unlike other major security heists during the year — such as those affecting decentralized blockchain apps operating on smart contracts — the now-collapsed centralized exchange FTX fell victim to one of the largest hacks of 2022. Taking place in November, the FTX hack came to light after the exchange’s official Telegram admins reported “unauthorized access.”
Onchain data showed that the exchange's wallets lost between $370 million and $400 million shortly after its former CEO Sam Bankman-Fried filed for Chapter 11 bankruptcy protection.
A few media outlets conflated the hack with another suspicious transfer of $400 million made from FTX on the order of the Securities Commission of the Bahamas for safekeeping the assets, which caused confusion. However, the two were separate incidents.
The new FTX chief John J. Ray III testified that the hack and another large asset transfer ordered by the Bahamian regulators were separate. This is verified by analytics firm Chainalysis, which is working with FTX to track down the assets.
“The $400 million stolen and hacked from FTX is completely separate from the $400 million held by the Securities Commission of the Bahamas. It's totally understandable that people were confused by this, though,” a spokesperson from Chainalysis told The Block.
While the identity of the hacker remains unknown, Bankman-Fried spoke in an interview of an insider, likely a “former employee” or bad actor, who may have stolen private keys to FTX's crypto wallets.
Ray also revealed in a prepared testimony document that FTX stored private keys to its wallets in an unencrypted manner, and had adopted very poor security controls — factors that could have easily allowed the hack to have taken place.
Wormhole — $325 million
In February, Wormhole, a cross-chain bridge protocol, was hacked in this year’s biggest bridge exploit. Wormhole allows users to lock their ETH and receive a pegged asset called Wormhole ETH (wETH) on the Solana network.
On Feb. 2, Wormhole fell to a hacker who spoofed certain security signatures on the bridge and minted 120,000 wETH worth $325 million out of thin air. The hacker swapped the illicitly minted wETH for actual ETH on the Ethereum network, thereby draining all of the assets held on Wormhole.
The incident halted the bridge operations and for some time it appeared the end for Wormhole was near. It would have been incredibly challenging to recover the losses but to everyone's surprise, a few days after the hack, Wormhole said it replaced all of the stolen ETH and opened the bridge.
Jump Crypto, a trading and venture capital firm that incubated Wormhole, confirmed that it replenished the stolen 120,000 ETH from its own funds to help sustain the bridge.
Nomad — $190 million
On Aug. 7, Nomad — a bridge connecting Ethereum, Avalanche, Moonbeam and Evmos blockchains — suffered the second largest cross-chain bridge hack of the year with $190 million worth of assets lost. The hack resulted from a faulty update in which Nomad developers erroneously designated 0x00 (the zero address) as the trusted root.
This meant that anyone could withdraw funds from the bridge without going through the trust contract check and could easily bypass its security. As the update issue became public, over 300 addresses rushed in to grab money from Nomad in a free-for-all exploit. Luckily, some of the addresses belonged to ethical hackers who later returned $22 million to Nomad.
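A simplified Python model of this class of bug, added here as an illustration and not Nomad's contract code: it assumes a message that was never proven reads back as an all-zero root (the default for an unset entry), so designating the zero value as trusted at initialization makes every unproven message look proven. All class, function and message names are hypothetical.

```python
import hashlib

ZERO_ROOT = bytes(32)  # what an unset entry reads back as (assumption of this model)

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def batch_root(batch: list) -> bytes:
    # Toy stand-in for a Merkle root over a batch of messages.
    return digest(b"".join(sorted(batch)))

class BridgeInbox:
    """Hypothetical inbox: releases funds only for messages proven under a trusted root."""

    def __init__(self, initial_root: bytes, reject_zero_root: bool):
        self.trusted_roots = {initial_root}  # root designated as trusted at initialization
        self.proven_under = {}               # message hash -> root it was proven against
        self.processed = set()
        self.reject_zero_root = reject_zero_root

    def prove(self, message: bytes, batch: list) -> bool:
        # Toy proof check: the message must belong to a batch whose root is trusted.
        root = batch_root(batch)
        if message not in batch or root not in self.trusted_roots:
            return False
        self.proven_under[digest(message)] = root
        return True

    def process(self, message: bytes) -> bool:
        key = digest(message)
        if key in self.processed:
            return False  # replay protection
        root = self.proven_under.get(key, ZERO_ROOT)  # never proven -> zero value
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: "no proof on record" can never count as trusted
        if root not in self.trusted_roots:
            return False
        self.processed.add(key)
        return True

def scenario(faulty_init: bool, reject_zero_root: bool) -> dict:
    batch = [b"withdraw:alice:10"]        # constructed sample message, proven normally
    forged = b"withdraw:mallory:1000000"  # constructed message that is never proven
    inbox = BridgeInbox(ZERO_ROOT if faulty_init else batch_root(batch), reject_zero_root)
    inbox.trusted_roots.add(batch_root(batch))  # a legitimate root update
    inbox.prove(batch[0], batch)
    return {"proven": inbox.process(batch[0]), "unproven": inbox.process(forged)}

if __name__ == "__main__":
    for faulty, guard in [(False, False), (True, False), (True, True)]:
        print(f"faulty_init={faulty} reject_zero_root={guard} ->", scenario(faulty, guard))
```

With the faulty initialization and no guard, the unproven message is accepted; rejecting the zero root restores the check without affecting properly proven messages.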
Beanstalk Farms — $182 million
Beanstalk Farms, a stablecoin protocol, was attacked in April of 2022 in the year’s largest governance hack.
An unknown hacker took advantage of a security loophole in Beanstalk's decentralized autonomous organization (DAO), which oversees the decision-making for the stablecoin project. On Beanstalk, anyone could submit a proposal and get it passed in a day if it received the majority votes from holders of Beanstalk’s native governance token called bean.
A malicious actor submitted a proposal asking the community to send crypto assets from Beanstalk treasury to the hacker’s crypto address. When the vote passed, the transfer was automatically made.
The attacker took a flash loan, a loan that can be taken without any collateral if it’s returned within the same transaction. With this, the hacker purchased millions of dollars in bean tokens to ensure they had enough tokens to get the vote approved.
With this trick, the hacker was able to funnel some $80 million in bean tokens from the project’s treasury unbeknownst to Beanstalk core developers. After this, the hacker sold off those bean tokens on the platform, and the final loss ended up being significantly higher for Beanstalk. Security firm PeckShield estimated the incident cost Beanstalk $182 million in protocol losses.
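A minimal Python model of the governance weakness described in this section and one common mitigation, added as an illustration and not Beanstalk's code: voting power read from live balances can be borrowed for the length of a single transaction, while voting power read from a snapshot taken before the proposal cannot. The token, governor, account names and figures are hypothetical.

```python
class GovToken:
    """Hypothetical governance token that records balances at the end of every block."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.block = 0
        self.history = {}

    def mine_block(self):
        self.history[self.block] = dict(self.balances)  # checkpoint finalized balances
        self.block += 1

    def transfer(self, src: str, dst: str, amount: int):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

class Governor:
    def __init__(self, token: GovToken, use_snapshot: bool):
        self.token, self.use_snapshot = token, use_snapshot
        self.snapshot_block = None

    def propose(self):
        self.snapshot_block = self.token.block - 1  # last finalized block before the proposal

    def majority_vote(self, voter: str) -> bool:
        if self.use_snapshot:
            book = self.token.history[self.snapshot_block]  # balances fixed before voting
        else:
            book = self.token.balances                      # live balances: can be borrowed
        return 2 * book.get(voter, 0) > sum(book.values())

def flash_loan_vote(use_snapshot: bool) -> tuple:
    # Constructed figures: 1M tokens with holders, 5M sitting in a lending pool.
    token = GovToken({"holders": 1_000_000, "lending_pool": 5_000_000})
    token.mine_block()
    gov = Governor(token, use_snapshot)
    gov.propose()
    token.mine_block()  # voting delay elapses
    # Everything below happens inside one transaction (same block).
    token.transfer("lending_pool", "borrower", 5_000_000)
    passed = gov.majority_vote("borrower")
    token.transfer("borrower", "lending_pool", 5_000_000)  # loan repaid before the block ends
    return passed, token.balances["borrower"]

if __name__ == "__main__":
    print("live balances:", flash_loan_vote(use_snapshot=False))
    print("snapshot     :", flash_loan_vote(use_snapshot=True))
```

In both runs the borrower ends the transaction holding nothing; only the live-balance governor counts the borrowed tokens as a majority.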
Mango Markets — $114 million
Though not technically a hack, Solana-based lending platform Mango Markets suffered a massive market manipulation exploit in October.
The attacker — later alleged to be DeFi trader Avraham Eisenberg — led a team to attack Mango Markets to funnel $114 million in customer deposits from the platform. He later admitted his involvement.
The attack was twofold. First, Eisenberg allegedly bought tens of millions of illiquid Mango tokens — which he deposited into the protocol as lending collateral.
Second, with about $5 million in the USDC stablecoin, he allegedly drove up the price of Mango tokens several times — thereby artificially growing the dollar value of his lending collateral deposits on Mango. He was able to do this because Mango tokens have very thin liquidity across many exchanges.
The increased market value of Mango tokens spoofed data oracles into thinking the assets deposited by Eisenberg were worth more than $400 million.
With the pumped-up collateral value, he borrowed $114 million in crypto assets with the intention of not paying it back — netting himself a giant profit. A day later, he forced Mango's governance to pass a vote, agreeing to return $47 million as a white hat negotiation deal. At this time, the identity of the attacker was unknown.
On-chain sleuths traced the attack to Eisenberg. He admitted his involvement but denied doing anything illegal, arguing he was "using the protocol as designed." Clearly the authorities didn't buy the “code is law” argument made by Eisenberg.
In December, Eisenberg was taken into custody and charged with crimes related to market manipulation by the United States Department of Justice. The DoJ arrested him on charges of commodities fraud and commodities manipulation in Puerto Rico.
BNB Token Hub — $120 million
On Oct. 6, an unknown entity carried out a large-scale attack on BNB Token Hub, a bridge service that runs between BNB Chain — a blockchain founded by crypto exchange Binance — and Ethereum.
Exploiting a bug in the bridge’s cryptographic proof system, a hacker was able to take control over 2 million BNB tokens locked on the bridge and valued at $550 million at the time.
The hacker only managed to transfer between $120 million and $130 million worth off BNB Chain to other chains before the network was halted. As soon as the attack was detected, BNB Chain validators agreed to freeze the network to take over $430 million held in the hacker's address. The network was down for several hours but was back up and running a day later.
Horizon — $100 million
Another protocol that fell victim to a massive hack was Horizon, a bridge that connects Ethereum to the Harmony blockchain. In June, an attacker stole $100 million locked on Horizon after compromising a couple of private keys owned by security admin accounts that controlled the bridge.
The process of transferring assets from Horizon’s deployer contract to Ethereum involved a multi-signature scheme that needed approval from only two of the five admin accounts. This meant a malicious actor had to steal two private keys to approve unauthorized transfers, which is precisely what happened, as noted by security firm Halborn.
After gaining access to two of the bridge’s admin private keys, possibly via phishing attacks on the admins, the hacker was able to approve a transaction that extracted $100 million into their control.
Qubit — $80 million
Qubit, a BNB Chain lending and bridge protocol, was the target of the first large-scale crypto hack of the year in January. On Qubit, users could deposit ether (ETH) from Ethereum and the bridge issued a pegged asset “xETH” on BNB Chain. xETH could be used as collateral on Qubit’s lending platform.
On Jan. 27, a hacker exploited a software logic vulnerability in Qubit which made xETH available for use on BNB Chain without having deposited ETH on Ethereum. The nature of the vulnerability was such that it allowed the attacker to mint a large amount of xETH without depositing any real assets.
After the hacker was able to mint lots of xETH, they took several loans from Qubit with those tokens as collateral. In the end, the attacker drained all of the 206,000 BNB staked on Qubit Finance by taking loans in a loop, worth about $80 million at the time.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.