Cryptocurrency Scams & Statistics in 2023

13 Worst Cryptocurrency Scams in 2023

1. Mixin Network

https://www.cryptoninjas.net/2021/05/11/mixin-integrates-solana-sol-blockchain-into-crypto-transfer-network/

• When: September 23rd, 2023
• What: $200 million stolen in crypto
• How: Compromise in the company’s cloud service provider’s database

On September 23rd, 2023, Mixin Network suspended all the withdrawal and deposit operations after losing $200 million in a crypto scam. They made this announcement on X (formerly Twitter).

https://twitter.com/MixinKernel/status/1706139175018529139

According to blockchain security firm SlowMist, the security breach was caused by a compromise with Mixin’s cloud service provider. Their database was hacked by the threat actors, which gave them access to Mixin’s internal network.

This supply-chain attack led to a sizeable loss of $200 million in crypto assets. Currently, the company hasn’t resumed normal operations since they need to patch the vulnerability exploited by the hackers.

They also haven’t made any announcements about recovering the lost funds or provide more details about the data breach to their users.

2. Euler Finance

https://medium.com/@numencyberlabs/a-detailed-analysis-of-euler-finances-196-million-flash-loan-attack-81cdef370024

• When: March 13th, 2023
• What: $196 million stolen in crypto (USDC, Staked Ether, DAI, and Wrapped Bitcoin)
• How: Vulnerability in the company’s Etoken liquidity checks

On March 13th, 2023, Euler Finance had $196 million stolen in USDC, Staked Ether, DAI, and Wrapped Bitcoin.

The attacker made multiple transactions and took advantage of the lack of liquidity checks in the company’s Etokens (more details here).

The Numen Cyber cybersecurity company has been able to reproduce the attack using the same technical vulnerability discovered by the attacker.

https://medium.com/@numencyberlabs/a-detailed-analysis-of-euler-finances-196-million-flash-loan-attack-81cdef370024

Euler Finance posted on X about the attack, saying that they’re currently working on investigation it.

They’ve also mentioned in another post that they’ve managed to stop the attack and notified the US and UK law enforcement to enlist their aid. They also contacted the hackers to try and negotiate.

So far, we have no information as to the success of the negotiations but we can safely assume that the funds have not been recovered.

3. MultiChain

https://www.linkedin.com/pulse/multichain-blockchain-platform-recent-features-2016-gideon-greenspan/

• When: July 2023
• What: $125 million stolen in crypto (+$103 million more that were moved later on)
• How: Compromised project administrator keys, suspected evidence of a rug pull

In July 2023, MultiChain reported a theft of $125 million via a cross-chain bridge. Most blockchain analysts and security experts are claiming that this was an inside job, aka a rug pull.

The platform’s CEO, Zhaojun, was arrested in China soon after the $125 million was withdrawn through multiple transactions. He was in possession of the private key to the pools where several transactions had been blocked ever since late May.

The blockchain security firm PeckShield managed to track the stolen funds and identify them:

• Wrapped Bitcoin
• Chainlink
• USDC
• USDT
• DAI

A total of $126 million, which were sent to 6 fresh Ethereum addresses.

A couple of days layer, another $103 million was moved to several blockchain addresses, according to security firm Beosin Alert.

While only the $125 million has been officially confirmed as a hack theft, it might be safe to assume that the $103 million move could also be part of the same scheme.

According to most observers and analysts, the entire sum of $228 million are part of a rug pull strategy, where the company CEO abandoned the project and defrauded the investors.

4. Atomic Wallet

https://www.techopedia.com/cryptocurrency/atomic-wallet-review

• When: June 2023
• What: $100 million crypto stolen, affecting over 5,500 crypto accounts and leading to a class action lawsuit against Atomic Wallet
• How: Four probable causes: a man-in-the-middle attack, infrastructure breach, a virus on user devices, or malware code injection

Back in June 2023, noncustodial cryptocurrency wallet Atomic Wallet suffered a $100 million exploit that affected more than 5,500 users.

The North-Korean hacker group Lazarus Group was linked to this breach initially but new data suggests that someone else might be the actual culprit.

While Atomic Wallet didn’t specify how the attack took place, they did mention that less than 0.1% of their userbase was affected by the scam.

They named four probable causes as the origin of the attack:

• A virus infecting the users’ devices
• An infrastructure breach that exploited a vulnerability in the systems
• A man-in-the-middle attack
• A malware code injection

Several cryptocurrency investors decided to launch a massive class action lawsuit against Atomic Wallet. Most of them are investors from the Commonwealth of Independent States and Russia.

At this point, Atomic Wallet hasn’t been able to recover any of the stolen funds, nor have they given a definitive answer as to how the scam actually took place.

Nor have they offered to reimburse the affected users. In fact, German lawyer Max Gutbrod, who’s coordinating the lawsuit alongside Boris Feldman, said that “They didn’t even give our clients any information about the hack or go to the police to report it.”

5. Curve Finance

https://academy.binance.com/en/articles/what-is-curve-finance-in-defi

• When: July 30th, 2023
• What: $60 million stolen in cryptocurrency
• How: Hackers targeted the liquidity pools of stablecoins and exploited key vulnerabilities

On July 30th, 2023, Curve Finance reported a theft of over $60 million in cryptocurrency. Later analyses showed that the hackers exploited vulnerabilities in the coding language (Vyper) of the stablecoin liquidity pools and drained them.

Curve Finance’s native token, CRV, suffered a significant drop (-22.18%) in the week of the attack, further worrying clients.

However, a week after the attack, the hacker returned around $12.7 million in Ethereum and aIETH.

He also left a note, saying “I saw some ridiculous views, so I want to clarify that I’m refunding you not because you can find me, it’s because I don’t want to ruin your project, maybe it’s a lot of money for a lot of people, but not for me, I’m smarter than all of you…”

Since not all of the funds have been returned, Curve Finance extended the bounty of $1.85 million to whoever could find out the hacker’s identity.

The good news is that Curve Finance also vowed to reimburse every affected user, and considering that they’ve recovered 79% of the funds, that shouldn’t be hard to accomplish.

6. CoinEx

https://technext24.com/2023/09/13/coinex-disables-deposits-hackers/

• When: September 2023
• What: $55 million stolen in multiple cryptocurrencies
• How: Suspicious cryptocurrency transfer from one hot wallet to a previously-unknown receiving address

In September, CoinEx noticed a suspicious event – a hot wallet was sending large amounts of tokens to an unknown address that had no prior transactions.

All in all, it sent 408,741 DAI, 2.7 million GRT tokens, 24,158 Uniswap tokens, and a host of other tokens.

By the time the transactions stopped, the Ether reserves on the platform were “basically zero“. However, CoinEx assured their clients that they would cover the losses out of pocket if they couldn’t recover the funds.

The good news is that the affected funds were only a small part of the company’s total assets.

CertiK Alert provided a document detailing all the transactions making up the $55 million theft:

• 231 Bitcoins – $5,987,520
• 12,625,364 XRP – $6,060,174.72
• 11,546.0872 ETH – $18,470,421.4
• 204,315 BKK – $53,956
• 137,127,867 TRX – $11,083,442
• 12,870,584 KLV – $32,271
• 559,908 MATIC – $285,385.11
• 70 BNB + other tokens – $120,000
• 29,552.05 BNB – $6,243,725.77
• 141,541 SOL – $2,541,462.41
• 2,220 BCH – $440,492.40
• 229,291,485 XDAG – $1,788,473
• 2,214,700 KDA – $1,129,497
• 327 ETH + other tokens – $8,099.11
• 4,321,978 XLM – $519,043.10

This data is accurate as of September 13th, so it might not be up-to-date at the time of writing this article.

7. Stake

https://watcher.guru/news/crypto-casino-stake-reportedly-hacked-for-41-3-million

• When: September 2023
• What: $41 million stolen in Ethereum from the Polygon and BSC wallets
• How: Private key leak

In September 2023, Stake, the largest crypto betting platform, was hacked. Over $41 million was stolen in Ethereum from the company’s Polygon and BSC wallets following a private key leak.

The hacker converted all the USDT and USDC into ETH, BNB, and MATIC. As of the time of writing this article, nothing else has happened to the funds.

Stake hasn’t recovered them, nor has the hacker made any other moves. Cyvers, the blockchain security company who first announced the hack, claimed that this might be a rug pull or an access control violation.

That’s because the most likely cause of the hack was a leak of a private key, which is always a point of contention among crypto enthusiasts.

Stake denied any private key leak on any of its wallets, while the company’s co-founder, Edward Craven, said that the attack must have been a sophisticated breach that attacked a service used to confirm Polygon, BNB Chain, and Ethereum transactions.

The hot wallet that was hacked was mostly used for customer deposits and withdrawals, and it could handle 50,000 transactions per day.

8. CoinsPaid

https://cryptopsps.com/white-label-crypto-payment-gateways/

• When: July 22nd, 2023
• What: $37.3 million stolen in cryptocurrency
• How: 6-month social engineering tactic against one of the company’s employees who eventually installed malware on their work device, under the assumption that they were taking a test for a fake employment process

In August-July 2023, a 6-month-long social engineering campaign culminated with the theft of $37.3 million from CoinsPaid, one of the most popular crypto payment processors.

The hackers needed that much time to convince one of the company’s employees that they will be taking part in a test for employment purposes.

Eventually, the employee installed an infected malware on their work device, which led to the data breach responsible for the loss of $37.3 million in crypto funds.

The responsible party, identified as the Lazarus Group, had begun testing and attacking CoinsPaid since March 2023:

• Launching DDoS and Brute Force attacks against the company
• Impersonating a Ukrainian crypto processing start-up and sending CoinsPaid engineers questions about the technical infrastructure of the company
• Sending 4 major spam and phishing attacks against CoinsPaid customers and employees in order to gain access to their accounts
• Tried bribing and fake-hiring several critical personnel within the company

Finally, the hackers managed to successfully hack CoinsPaid on July 22nd, 2023, when they convinced an employee to install infected malware on a work computer.

You can read more about the step-by-step strategy employed by the hackers here.

9. Bitrue

https://zycrypto.com/bitrue-exchange-is-leading-the-way-with-crypto-investment-support/

• When: April 14th, 2023
• What: $23 million stolen from the company’s hot wallets in multiple cryptocurrencies
• How: Unclear how the hackers managed to take control over the company’s hot wallets

On April 14th, 2023, the crypto trading platform Bitrue reported that one of its wallets had been hacked. The perpetrators had managed to steal $23 million in multiple cryptocurrencies, including:

• Ethereum
• Polygon
• Shiba Inu
• Quant
• GALA
• Holo

They further claimed that “the affected hot wallet only contained less than 5% of Bitrue’s overall funds. The rest of our wallets continue to remain secure and have not been compromised. We are conducting a thorough security review and will update you as we make progress.”

They did not mention how many of its wallets were hot or cold, though, which might worry some customers.

The good news is that Bitrue assured all affected users that they will be compensated in full for their losses. This should set some minds at ease.

PeckShield, a blockchain security firm, has tracked the stolen funds and discovered that the attacker had converted some of the crypto coins into Ethereum.

It’s unclear as of yet whether the attack used social engineering or if the hackers exploited a vulnerability with the hot wallets. However, this isn’t the first time Bitrue was hacked.

In June 2019, a threat actor stole $5 million after exploiting a technical vulnerability in the Bitrue platform but the company reimbursed the customers fully.

10. GDAC

https://docs.gdac.com/#introduction

• When: April 9th, 2023
• What: $13.9 million stolen from the company’s hot wallets, accounting for 23% of the exchange’s total holdings
• How: Unclear how the attack took place

On April 9th, 2023, South Korean exchange GDAC became the victim of a crypto scam, losing $13.9 million in Bitcoin (60.8), Ethereum (350), Wemix tokens (10 million), and USDT (220,000).

All in all, this was approximately 23% of GDAC’s total holdings. The company alerted the authorities immediately and suspended all wallet services to mitigate further damage.

BlockSec, a blockchain analytics platform, discovered that the hacker converted the 220,000 USDT into Ethereum and then used Tornado Cash to launder it. He also converted the WEMIX tokens into Ethereum.

A private investigator on X rejected the hypothesis of private key leaks as the cause of GDAC’s crypto scam. In short, “The withdrawal of the BTC chain did not directly go to the attacker’s address, but part of it went to the change address of the GDAC. If the attacker has the private key, he can withdraw all funds to his own address.”

So far, GDAC has not recovered any of the stolen funds and there isn’t much of a chance for that. Blockchain transactions are irreversible, so unless the hacker decides to return the crypto willingly, there isn’t much anyone can do.

11. Yearn Finance

https://thedefiant.io/what-is-yearn-finance

• When: April 13th, 2023
• What:$11.5 million stolen
• How: Exploitation of a vulnerability with Yearn Finance’s yUSD protocol

On April 13th, the DeFi protocol Yearn Finance experienced a breach that led to the loss of over $11 million spread across multiple stablecoins like DAI, USDT, UDC, BYSD, and TUSD.

Initially, PeckSheild, the cypto security firm who first found the breach, explained that the hackers likely used the Aave version (1).

However, the Aave developers chimed in and clarified that the Aave protocol was only used for the swapping of tokens stolen during the exploit, and not to gain access into Yearn’s systems.

PeckShield further noted that the hackers minted more than 1.2 quadrillion yUSDT with only a $10,000 deposit. They managed to trick the Yearn Finance protocol to cash out millions of dollars in stablecoins using this method.

The vulnerability hidden in the uSDT token contract had been lying dormant for three years, according to Halborn. The “copy-paste bug” miscalculated the pool ratio and tricked the contract into valuing the share prices of yUSDT tokens using different metrics.

Long-story short, the hackers stole $10 million using a crypto zero-day vulnerability in Yearn Finance’s token contract, and the Aave protocol wasn’t at fault.

12. MyAlgo

https://www.linkedin.com/pulse/examining-implications-myalgo-hack-lessons-learned-community-beach/

• When: February 27th, 2023
• What: $9.2 million stolen
• How: Man-in-the-middle attack that exploited the content delivery platform to devise a malicious proxy

In February 2023, MyAlgo, the Algorand wallet provider, took to X (former Twitter) to warn its users to withdraw all their funds from the Mnemonic wallets in the take of a $9.2 million hack on some Algorand users.

The most vulnerable victims were using mnemonic wallets created on an internet browser, and according to Algorand’s Chief Technology Officer John Wood, 25 accounts had been affected.

He further stated that the hack wasn’t caused by a particular vulnerability within the Algorand protocol. Most likely, a social engineering phishing attack targeting the users or MyAlgo’s website being compromises were the likeliest causes.

However, MyAlgo released a more detailed report a month later, saying that the attack was caused by a man-in-the-middle attack against the content delivery platform. They set up a malicious proxy between the official myalgo wallet web app and the user.

MyAlgo claimed that users who had encrypted their wallets using Ledger (hardware wallet) were outside of danger and encouraged users to change their MyAlgo passwords.

According to ZachXBT, an on-chain sleuth, the crypto exchange ChangeNOW managed to freeze $1.5 million of the total $9.2 million stolen

13. LastPass

https://www.malwarebytes.com/blog/news/2023/01/lastpass-updates-security-notice-with-information-about-a-recent-incident

• When: October 25th, 2023
• What: $9.2 million stolen (possible $35 million)
• How: Theft enabled with source code, customer data, and production backups stolen during two breaches in 2022

On October 25th, 2023, 25+ LastPass users came forward claiming that they’d lost $4.4 million in cryptocurrency. Internet sleuth ZachXBT identified all of them as being LastPass users.

In 2022, LastPass was hacked twice, with the threat actors stealing the customer data, source code, and production backups that contained encrypted password vaults.

Users who had weaker master passwords were in danger, and their worst fears is becoming reality as we speak. Ever since those two data breaches, LastPass users were attacked month after month, with this October’s $4.4 million being one of the biggest thefts.

Research conducted by ZachXBT and Metamask developer Monahan shows that the hackers are slowly cracking the password vaults to gain access to the cryptocurrency private keys, passphrases, and credentials.

All in all, Monahan and ZachXBT tied $35 million in crypto thefts to the LastPass data breaches from a year ago. If this is true, then the LastPass data breaches will turn out to be among the largest crypto scams ever.

Cryptocurrency Scam Statistics 2023

Cryptocurrency scams are significantly less financially crippling in 2023 compared to 2022. After all, you can’t have FTX scams all the time.

But even if we compare this year’s top 12 worst crypto scams with last year’s, we notice a clear decrease in the amount of money lost.

This year, the biggest crypto scam is Mixin Network with a loss of $200 million. However, if we placed the Mixin scam in last year’s roster, it would barely reach 6th place.

Here’s the top 5 from last year’s crypto scams:

1. FTX – Between $1 and $2 billion (currently estimated at $8 billion)
2. Axie Infinity’s Ronin Network – $615 million
3. Wormhole Crypto Bridge – $320 million
4. JuicyFields.io – $273 million
5. Unique-Exchange.co/PARAIBA – $267 million

2022 was one of the worst years for crypto scams in history, that much is clear. Here are other 2023 statistics about crypto scams (Source 1, Source 2, Source 3, Source 4):

• There were around 57 crypto thefts in Q1 2023 (equivalent to 228 crypto thefts per year, if we followed this trend)
• As of Q2 2023, crypto scam revenue had dropped by about $3.3 billion compared to 2022
• Ransomware-based crypto scams have grown to $449.1 million in the first half of 2023 compared to $175.8 million during the first half of 2022
• June 2023’s crypto revenue has dropped by around 77% compared to June 2022
• The biggest crypto scam so far is Mixin Network with a loss of $200 million, followed by Euler Finance ($197 million), and MultiChain ($125 million)
• This year’s worst crypto scam led to losses ($200 million) that are at least 10 times less than FTX in 2023 ($2 billion). That’s a 90% decrease. And if FTX’s losses are around $8 billion, then this year’s Mixin Network scam is a drop in the bucket

While it’s looking better than last year from a quantity point of view ($200 million vs. $1-2 billion worst scams), it’s not all looking good.

Cryptocurrency Scam Stats on DeFi, Exchanges, and CeFi

2023 is no different than 2022 when it comes to the origin of most crypto scams – vulnerabilities with DeFi protocols and the crypto exchanges themselves (Source 1, Source 2, Source 3):

• Cybercrime has cost DeFi protocols and exchanges more than $875 million in 2023, throughout 69 hacks
• The total loss attributed to flash loan attacks was $255.26 million in the January-July 2023 period
• The total loss attributed to exit scam attacks was $94.8 million in the January-July 2023 period
• The total loss attributed to exploit attacks was $569.7 million in the January-July 2023 period
• The biggest crypto losses in a given month were in July, $8.6 million in exit scams, $8.7 million in flash loans, and $285 million in exploits
• $130 million in crypto funds stolen were recovered in Q1 2023, with a recovery rate of 28.7% across the crypto scams in that period
• Flash loans are becoming increasingly severe, with $205.5 million lost in Q1 2023 alone, making Ethereum the chain with the highest losses in Q1
• The BNB Smart Chain is the most common target of hackers, with 18 attacks in Q1, almost double that of the Ethereum chain
• So far, around $215 million of stolen crypto were recovered in Q1+Q2 2023, accounting for around 45.5% recovery rate. Compared to 8% recovery rate in 2022, this is quite a leap and a good sign
• Most of the crypto scams (56%) were caused by smart contact vulnerabilities in Q1 and Q2
• DeFi was the most targeted protocol, in terms of losses, at 72.9% compared to CeFi at 27.1%

All in all, both DeFi and crypto exchanges have received a lot of attention from cybercriminals this year. A lot less than last year, but still.

Crypto Rug Pull Statistics in 2023

The Rug Pull – an age-old con that still applies to day in the crypto world. It refers to an intentional scam by the project founder or team abandoning the project and taking all the investor’s money with them, disappearing entirely.

Rug pulls are some of the most common crypto scams, even in 2023. Here are some statistics about rug pulls or suspected rug pulls (Source 1, Source 2)

• Approximately $319 million were stolen across 6 access control attacks (bypassing the access control mechanisms)
• 15% of all the projects involving rug pull schemes had passed security audits
• Rug pull scammers only managed to steal $49.8 million of crypto assets with their projects, which is one of the lowest we’ve seen in recent years
• According to experts, the 2023 MultiChain scam of $125 million seems to be a rug pull because the project administrator private keys have been compromised and the CEO, Zhaojun, has disappeared and was later arrested by Chinese authorities
• In July 2023, the BALD token, launched on Base, which is Coinbase’s Layer 2 testnet, launched a rug pull on its investors, stealing $5.9 million and costing investors around $23 million. The token had shot up in value by 4,000,000% in 24 hours, reaching a mind-boggling $68 million
• According to Beosin Alert, there were 110 rug pulls in the first half of 2023, accounting for $75,867,250 million in losses

While significantly less damaging than in 2022, rug pulls are still quite common in 2023, with one of the biggest crypto scams of the year being a suspected rug pull.

To Conclude...

Crypto scams have significantly decreased in terms of quantitative losses since 2023 but that’s only because 2023 was an outlier, with FTX as the linchpin of the entire crypto scam wave. Just from the 13 crypto attacks on this list, the total dollar value loss is somewhere north of $875 million but those are just the largest scams.

There have been hundreds of micro-scams throughout the year, so the actual total loss is upward of a billion dollars.

To better protect yourself against crypto scams, make sure to:

• Always opt for cold crypto storage. If the wallet is not connected to the internet, then a threat actor will find it significantly more difficult to breach it
• Try to avoid storing your cryptocurrencies on exchanges. Why put your trust in something you can’t control when you can store your crypto in a personal wallet that only you can access?
• Avoid FOMO in the crypto industry. It’s one of the most common mistakes people make, and scammers capitalize on the immense attraction of the “get rich quick” mindset behind cryptocurrency to trick you. This is how rug pulls are born
• Use a hardware wallet like Ledger to better protect your cryptocurrency. There’s no better safety standard than cold storage, especially if it’s a physical wallet
• Practice common cybersecurity awareness, especially with regard to phishing, malware, and social engineering tactics
• Avoid getting investment advice from untrustworthy sources and always corroborate your information

Stay safe and always protect your crypto investments!

Sources

Statista – Total Value of Cryptocurrency Lost to and Recovered from Theft and Other Attacks Between March 2020 and February 2022
Medium – A Detailed Analysis of Euler Finance’s $196 Million Flash Loan Attack
MakeUseOf – Cross-Chain Bridges and Atomic Swaps Explained Simply
Twitter – Beosin Alert About the MultiChain Scam
AtomicWallet – June 3rd Event Statement
Coin Telegraph – Atomic Wallet faces Lawsuit Over $100M Crypto Hack Losses: Report
Chain Analysis – Vulnerability in Curve Finance Vyper Code Leads to Multi-Million Dollar Hack Affecting Several Liquidity Pools [UPDATED 8/8/23]
SlashDot – Hackers Steal $53 Million Worth of Cryptocurrency From CoinEx
Medium – 0xScope Research: Tracking the Stake.com Hack
Privacy Affairs – The Art of Cyber Deception: Social Engineering in Cybersecurity
CoinsPaid – The CoinsPaid Hack Explained: We Know Exactly How Attackers Stole and Laundered $37M USD
The Record – Crypto Platform Bitrue has $23 Million Stolen in Cyberattack
CoinGeek – South Korea’s GDAC Exchange Loses $13 Million in Hack
Halborn – EXPLAINED: THE YEARN FINANCE HACK (APRIL 2023)
Twitter – MyAlgo X Post About the Scam
Coin Telegraph – MyAlgo Users Urged to Withdraw, as Cause of $9.2M Hack Remains Unknown
Twitter – X Post About the LastPass Hack
WithPersona – Top Cryptocurrency Theft Statistics of 2023
Chain Analysis – 2023 Crypto Crime Trends: Illicit Cryptocurrency Volumes Reach All-Time Highs Amid Surge in Sanctions Designations and Hacking
Reuters – Crypto ransom attacks rise in first half of 2023, Chainalysis says
Chain Analysis – 2022 Biggest Year Ever For Crypto Hacking with $3.8 Billion Stolen, Primarily from DeFi Protocols and by North Korea-linked Attackers
Crystal Block Chain – Crypto & DeFi Security Breaches, Fraud & Scams Report
Cryptopolitan – CRYPTO SCAMS, HACKS, AND RUG PULLS DROP DRAMATICALLY IN H1 2023
Halborn – EXPLAINED: THE BALD TOKEN RUG PULL (JULY 2023)
Twitter – Beosin Report About Rug Pulls and Other Crypto Scams
The Motley Fool   – What Is Cold Storage in Crypto?