Don’t get rugged: DeFi scams go from zero to $129 million in a year to become top financial hack

Atlas VPN’s analysis finds that theft within decentralized finance networks is taking in more money than phishing and ransomware attacks.

Computer hacker with a hood touches the touch screen binary code. Light waves on abstract binary dark background hacker silhouette. Hacking computer system, database server, data theft, vector

Image: ValeryBrozhinsky, Getty Images/iStockphoto

More about Innovation

Criminals are modernizing classic investment scam tactics and bringing them to the world of DeFi where there are no rules or regulations to protect investors. Atlas VPN analyzed financial hacks over the last two-and-a-half years and found that DeFi hacks represent 76% of all major hacks for the first half of 2021. In 2020, that type of hack represented only 25% of the total.

The problem has jumped from basically zero dollars lost to DeFi hacks in 2019 to $129 million in 2020 and $361 million in the first half of this year. In 2020, DeFi hacks took in $129 million of the $516 million lost to hacks that year. So far this year, phishing, ransomware and other cyberattacks are responsible for only 24% of money lost to these crimes and DeFi attacks have become the most common scam. Atlas VPN crunched data from the Cryptocurrency Crime and Anti-Money Laundering Report published this month by CipherTrace.

SEE: Bitcoin cheat sheet: Everything professionals need to know (TechRepublic)

DeFi is shorthand for decentralized finance, a system that makes financial products available on a public decentralized blockchain network. Individuals can get a loan through these services without having to go through a bank. DeFi uses open source technology, blockchain, proprietary software and smart contracts to facilitate these transactions. 

The Atlas VPN analyst who reviewed the data said in a blog post that “many DeFi projects get hacked because of developer incompetence which causes coding mistakes that hackers can abuse.” 

Don’t get rugged

The Atlas VPN analysis suggests that there are two types of DeFi scams: Outside agents hacking the DeFi protocol and rug pull scams. The rug pull tactic usually involves a lot of marketing and a lot of people. Scammers pump up the value of a coin, often a new one, and then disappear with investor money. A person who “got rugged” lost money to this kind of scam. 

SEE: The top 3 cryptocurrency scams of 2021 (TechRepublic)

As an article in the European Business Review notes, it’s safer to stick with established coins instead of taking a risk on a new one: “The largest gains and returns might come from some obscure new protocol or project, but that is also where all the risk lies.” These scams are a perfect fit for decentralized currency exchanges because users can list tokens for free and without audit, according to CoinMarketCap.

Cyber criminals also take out flash loans to manipulate the token price. These loans are another security risk that is navtive to DeFi systems, as Haseeb Qureshi explained in an article on Coindesk:

“In each attack, a penniless attacker instantaneously borrowed hundreds of thousands of dollars of ETH, threaded it through a chain of vulnerable on-chain protocols, extracted hundreds of thousands of dollars in stolen assets, and then paid back their massive ETH loans. All of this happened in an instant — that is, in a single ethereum transaction.”

Smart contracts make this kind of transaction possible because they execute each step serially as a batch operation. If the borrower doesn’t have enough money to pay back the loan instantly, the transaction is rolled back as if it never happened. Qureshi, a managing partner at the cross-border crypto venture fund Dragonfly Capital, sees these transactions as flash attacks, not a financial deal. 

Also see