As it would happen, December has been a really active month for crypto thieves. Indeed, the ripping off of BadgerDAO, a decentralized finance platform, just happened a few weeks ago. According to a blog post published by the platform, an unknown party managed to break into a number of different user accounts on Dec. 2. The damage? About $120 million in stolen funds. Afterward, Badger explained that it would appear that the hacker injected a malicious script into its website that allowed the criminal to intercept active users’ transactions and redirect their funds to the hacker’s wallet.
Only a few days after BadgerDAO got robbed, $150 million disappeared in a plume of digital smoke from the coffers of the popular crypto exchange BitMart. On the day in question, the platform issued a statement in which it said it would be “temporarily suspending withdrawals until further notice” after discovering a “large-scale security breach” connected to two “hot wallets”—digital crypto accounts connected to the internet. Peckshield, the cybersecurity firm that initially drew attention to the incident, described the hack as a “pretty straightforward: transfer-out, swap, and wash” operation. Unfortunately, BitMart’s former slogan (“The most trusted cryptocurrency trading platform”) will probably be a hard sell for current and future customers.
One of the largest and weirdest cryptocurrency heists of all time is the story of Poly Network. On August 10, the exchange was reportedly hacked, leading to a loss of approximately $600 million of investors’ money—one of the biggest windfall thefts in crypto history. Poly’s leadership frantically put together an online missive in which they begged the hacker for their money back. “Dear Hacker,” the letter hilariously began—and went on to plead with the anonymous token robber for a safe “return [of] the hacked assets.”
The letter was largely greeted with derision and bemused sympathy online, and nobody actually believed that the stolen money would ever be seen again. However, Poly’s tactic worked! The hacker, whoever the hell they are, began returning the stolen funds—later claiming in blockchain-inscribed memos that they had only ever hacked the exchange “for fun” and to reveal a glaring security hole in Poly’s system. By the end of August, the thief had reportedly returned the entirety of the massive haul.
In August, the Japanese cryptocurrency exchange Liquid lost a reported $97 million after someone hacked into its systems and targeted its multiparty computation (MPC) system of custody—a supposedly secure cryptographic digital asset mechanism. Blockchain analysts watched as the money was subsequently funneled through a series of wallets and mixers to obscure its trail and ultimately allow the anonymous bandit (or bandits) to make off with the loot. For now, at least.
Another unfortunate victim is Vulcan Forged. The company manages a number of different crypto services and products, including a DeFi platform, an NFT market, and several play-to-earn token-based video games. Anyway, Vulcan reportedly got robbed of $140 million earlier this month, when a hacker somehow managed to get ahold of the private keys to 96 of the platform’s wallets and made off with every last cent inside of them. According to estimates, the hacker stole an average of $1.46 million per wallet. Unlike a lot of crypto platforms, Vulcan actually refunded the money that had been lost to investors—a very charitable move that probably helped it save face.
Then there’s the unfortunate tale of Thodex, a Turkish crypto exchange whose young, weasel-like CEO allegedly made off with around $2.7 billion of investors money this past spring. After seeing tremendous investment since its launch in 2017, Thodex unexpectedly went offline in April and Faruk Fatih Ozer, the platform’s 27-year-old founder, caught a quick flight to Albania. One of the last known photographs of the dude is him hustling through Istanbul airport, after which he jetted off to God knows where. The exchange’s collapse led to significant trouble in Turkey, where authorities rounded up and detained 83 people, including Ozer’s family members. Not Ozer though! Has anybody seen this guy lately? If you do, there are about 400,000 people who’d like to get a copy of his current address.