FBI: Hackers Are Exploiting DeFi Bugs to Steal Funds

    Cyber-criminals are increasingly exploiting bugs in decentralized finance (DeFi) platforms to steal investor funds, the FBI has warned.

    In a Public Service Announcement (PSA) yesterday, the FBI said that attackers have exploited vulnerabilities in smart contract code in several ways, including:

    • By initiating a flash loan that triggered an exploit in a DeFi platform's smart contracts, causing investors and the project's developers to lose around $3m in cryptocurrency
    • By exploiting a signature verification vulnerability in a DeFi platform's token bridge, resulting in around $320m in losses
    • By manipulating cryptocurrency price pairs through a series of vulnerabilities, including the platform's reliance on a single price oracle, and then conducting leveraged trades to steal roughly $35m in cryptocurrency
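    The third pattern above is worth seeing end to end. The following is an added example, not code from the FBI PSA or from any platform it describes: a toy lending contract that prices collateral straight off one constant-product pool (the "single price oracle" weakness), the flash-loan transaction that exploits it, and a time-weighted average price (TWAP) oracle that only reads prices recorded at the end of previous blocks, so a manipulation that lives inside one transaction never reaches it. The pool sizes, balances, loan-to-value ratio and all names are constructed assumptions.

```python
# Added example (not from the FBI PSA or the article): a toy lending platform
# that prices collateral straight off one constant-product pool, the flash-loan
# manipulation that exploits it, and a previous-blocks TWAP oracle that blunts
# it. All pools, balances, prices and names below are constructed assumptions.
from dataclasses import dataclass
from fractions import Fraction as F


@dataclass
class Pool:
    """Fee-less constant-product AMM: reserve_a * reserve_b is unchanged by swaps."""
    reserve_a: F  # collateral token A
    reserve_b: F  # stablecoin B

    def spot_price(self) -> F:
        """B per A, read straight from the current reserves."""
        return self.reserve_b / self.reserve_a

    def swap(self, amount_in: F, a_in: bool) -> F:
        """Trade amount_in of A (a_in=True) or B (a_in=False); returns amount out."""
        k = self.reserve_a * self.reserve_b
        if a_in:
            self.reserve_a += amount_in
            out = self.reserve_b - k / self.reserve_a
            self.reserve_b -= out
        else:
            self.reserve_b += amount_in
            out = self.reserve_a - k / self.reserve_b
            self.reserve_a -= out
        return out


class SpotOracle:
    """Weak design (the 'single price oracle' pattern): price is the pool's live spot price."""

    def __init__(self, pool: Pool) -> None:
        self.pool = pool

    def end_block(self) -> None:
        pass  # nothing is recorded; every read goes to the live reserves

    def price(self) -> F:
        return self.pool.spot_price()


class TwapOracle:
    """Hardened design: mean of the spot price recorded at the end of each of the
    last `window` blocks. A flash-loan manipulation is atomic within one transaction,
    so the skewed price is never recorded and cannot feed a borrow in that transaction."""

    def __init__(self, pool: Pool, window: int = 10) -> None:
        self.pool = pool
        self.window = window
        self.history = [pool.spot_price()] * window

    def end_block(self) -> None:
        self.history = (self.history + [self.pool.spot_price()])[-self.window:]

    def price(self) -> F:
        return sum(self.history) / len(self.history)


@dataclass
class Lender:
    """Lends B against A collateral at a fixed loan-to-value ratio, priced by `oracle`."""
    oracle: object
    ltv: F = F(3, 4)

    def max_borrow(self, collateral_a: F) -> F:
        return collateral_a * self.oracle.price() * self.ltv


def flash_loan_attack(pool: Pool, lender: Lender, loan_b: F, collateral_a: F) -> F:
    """One atomic transaction: flash-borrow loan_b of B, dump it into the pool to
    push A's price up, borrow B against collateral_a at that price, unwind the
    swap and repay the flash loan. Returns the B borrowed from the lender."""
    a_bought = pool.swap(loan_b, a_in=False)    # skew the pool: A becomes scarce
    borrowed = lender.max_borrow(collateral_a)   # borrow at the skewed price
    b_back = pool.swap(a_bought, a_in=True)      # unwind; fee-less pool returns loan_b
    if b_back < loan_b:
        raise RuntimeError("cannot repay flash loan; transaction would revert")
    return borrowed


def run(oracle_cls) -> tuple:
    """Borrow capacity of 100 A before and during the attack under a given oracle."""
    pool = Pool(F(1_000), F(1_000_000))        # fair price: 1 A = 1,000 B
    lender = Lender(oracle_cls(pool))
    for _ in range(3):                         # a few quiet blocks of price history
        lender.oracle.end_block()
    fair = lender.max_borrow(F(100))           # 100 A worth 100,000 B -> 75,000 B
    attacked = flash_loan_attack(pool, lender, F(2_000_000), F(100))
    return fair, attacked


if __name__ == "__main__":
    for cls in (SpotOracle, TwapOracle):
        fair, attacked = run(cls)
        print(f"{cls.__name__}: honest cap {fair} B, cap during attack {attacked} B")
```

    With the spot oracle, the 2,000,000 B flash loan pushes the pool price from 1,000 to 9,000 B per A for the duration of the transaction, so 100 A worth 100,000 B can be borrowed against for 675,000 B; the attacker walks away and the lender is left with roughly 575,000 B of bad debt. With the TWAP oracle the same transaction yields only the honest 75,000 B. The caveat a practitioner should keep in mind: a previous-blocks TWAP only defeats atomic, single-transaction manipulation; an attacker who can hold a thin pool skewed across several blocks still moves the average, which is why production designs also diversify across independent price sources rather than trusting one pool.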

    The FBI cited data from blockchain analytics firm Chainalysis which revealed that hackers managed to steal $1.3bn in crypto in just the first three months of this year. Some 97% of these funds were stolen from DeFi platforms, up from 72% in 2021 and 30% in 2020, it claimed.

    Many of the raids on cryptocurrency in recent years have been tied back to state-sponsored actors, most notably North Korean operatives.

    Chainalysis has estimated that Pyongyang stole around $400m in crypto assets in 2021 alone. The FBI also linked the $618m heist at Ronin Network in March – the biggest theft of cryptocurrency in history at the time – to North Korean actors.

    The FBI recommended that investors do their research before putting money into DeFi. Among the things they should look for are platforms that have had their code independently audited one or more times, run real-time analytics and monitoring tools, and have an incident response plan in place.

    The FBI also warned investors to be wary of DeFi investment pools with extremely limited timeframes to join and rapidly deployed smart contracts, especially where no code audit has been done, and of platforms that rely on crowdsourced vulnerability identification and patching through open source repositories, since those repositories give attackers the same unfettered access to the code as defenders.

    Back in July, the US State Department increased its reward for information on North Korean state-backed hackers to $10m. Pyongyang has also been blamed for the theft of $281m from Singapore-headquartered cryptocurrency exchange KuCoin in 2020.

    In 2019, a UN report claimed that the Kim Jong-un regime had stolen $2bn from banks and crypto-exchanges to fund its weapons of mass destruction programs.