According to a Statista survey, “the value of crypto lost to security threats grew over nine times between 2020 and 2021”.
Crypto scams have become increasingly common, dangerous, and extensive. Both the number of victims and the scope of the scams have grown at a rapid pace in recent years.
In this research, we’ve analyzed the 13 worst crypto scams in 2023 and decided to cover the following ones:
| Affected entity / scam | Amount stolen or lost |
| 1. Mixin Network | |
| 2. Euler Finance | |
| 4. Atomic Wallet | |
| 5. Curve Finance | |
| 11. Yearn Finance | |
| | $4.4 million (potentially $35 million) |
This year’s crypto scams have been somewhat tame compared to last year’s hacks. The FTX scam of 2022 led to a loss of $1-$2 billion, which is 5-10 times worse than this year’s worst scam.
Here’s a quick summary of the 13 crypto scams mentioned above:
Below, I’ll go into more detail about each attack and then look at the overall cryptocurrency scam picture in 2023, with statistics.
On September 23rd, 2023, Mixin Network suspended all the withdrawal and deposit operations after losing $200 million in a crypto scam. They made this announcement on X (formerly Twitter).
According to blockchain security firm SlowMist, the security breach was caused by a compromise of Mixin’s cloud service provider. The provider’s database was hacked by the threat actors, which gave them access to Mixin’s internal network.
This supply-chain attack led to a sizeable loss of $200 million in crypto assets. Currently, the company hasn’t resumed normal operations since they need to patch the vulnerability exploited by the hackers.
They also haven’t made any announcements about recovering the lost funds or provided more details about the data breach to their users.
On March 13th, 2023, Euler Finance had $196 million stolen in USDC, Staked Ether, DAI, and Wrapped Bitcoin.
The attacker made multiple transactions and took advantage of the lack of liquidity checks in the company’s eTokens (more details here).
The Numen Cyber cybersecurity company has been able to reproduce the attack using the same technical vulnerability discovered by the attacker.
Euler Finance posted on X about the attack, saying that they’re currently working on investigating it.
They’ve also mentioned in another post that they’ve managed to stop the attack and notified the US and UK law enforcement to enlist their aid. They also contacted the hackers to try and negotiate.
So far, we have no information as to the success of the negotiations but we can safely assume that the funds have not been recovered.
In July 2023, MultiChain reported a theft of $125 million via a cross-chain bridge. Most blockchain analysts and security experts are claiming that this was an inside job, aka a rug pull.
The platform’s CEO, Zhaojun, was arrested in China soon after the $125 million was withdrawn through multiple transactions. He was in possession of the private key to the pools where several transactions had been blocked ever since late May.
The blockchain security firm PeckShield managed to track the stolen funds and identify them:
A total of $126 million, which were sent to 6 fresh Ethereum addresses.
A couple of days later, another $103 million was moved to several blockchain addresses, according to security firm Beosin Alert.
While only the $125 million has been officially confirmed as a hack theft, it might be safe to assume that the $103 million move could also be part of the same scheme.
According to most observers and analysts, the entire sum of $228 million is part of a rug pull strategy, where the company CEO abandoned the project and defrauded the investors.
Back in June 2023, noncustodial cryptocurrency wallet Atomic Wallet suffered a $100 million exploit that affected more than 5,500 users.
The North-Korean hacker group Lazarus Group was linked to this breach initially but new data suggests that someone else might be the actual culprit.
While Atomic Wallet didn’t specify how the attack took place, they did mention that less than 0.1% of their userbase was affected by the scam.
They named four probable causes as the origin of the attack:
Several cryptocurrency investors decided to launch a massive class action lawsuit against Atomic Wallet. Most of them are investors from the Commonwealth of Independent States and Russia.
At this point, Atomic Wallet hasn’t been able to recover any of the stolen funds, nor have they given a definitive answer as to how the scam actually took place.
Nor have they offered to reimburse the affected users. In fact, German lawyer Max Gutbrod, who’s coordinating the lawsuit alongside Boris Feldman, said that “They didn’t even give our clients any information about the hack or go to the police to report it.”
On July 30th, 2023, Curve Finance reported a theft of over $60 million in cryptocurrency. Later analyses showed that the hackers exploited vulnerabilities in the coding language (Vyper) of the stablecoin liquidity pools and drained them.
Curve Finance’s native token, CRV, suffered a significant drop (-22.18%) in the week of the attack, further worrying clients.
However, a week after the attack, the hacker returned around $12.7 million in Ethereum and alETH.
He also left a note, saying “I saw some ridiculous views, so I want to clarify that I’m refunding you not because you can find me, it’s because I don’t want to ruin your project, maybe it’s a lot of money for a lot of people, but not for me, I’m smarter than all of you…”
Since not all of the funds have been returned, Curve Finance extended the bounty of $1.85 million to whoever could find out the hacker’s identity.
The good news is that Curve Finance also vowed to reimburse every affected user, and considering that they’ve recovered 79% of the funds, that shouldn’t be hard to accomplish.
In September, CoinEx noticed a suspicious event – a hot wallet was sending large amounts of tokens to an unknown address that had no prior transactions.
All in all, it sent 408,741 DAI, 2.7 million GRT tokens, 24,158 Uniswap tokens, and a host of other tokens.
By the time the transactions stopped, the Ether reserves on the platform were “basically zero”. However, CoinEx assured their clients that they would cover the losses out of pocket if they couldn’t recover the funds.
The good news is that the affected funds were only a small part of the company’s total assets.
CertiK Alert provided a document detailing all the transactions making up the $55 million theft:
This data is accurate as of September 13th, so it might not be up-to-date at the time of writing this article.
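The pattern CoinEx noticed, a hot wallet sending large amounts of tokens to an address with no prior transactions, can be expressed as a monitoring rule. The sketch below is an added example, not code from CoinEx or CertiK; the addresses, USD values, one-hour window and $250,000 threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ts: int      # unix seconds
    src: str
    dst: str
    token: str
    usd: float   # USD value at transfer time

def fresh_destination_alerts(transfers, hot_wallets, window_s=3600, usd_limit=250_000.0):
    """Alert once per (hot wallet, destination) when outflow to an address whose
    entire known history started within window_s reaches usd_limit."""
    first_seen = {}               # address -> timestamp of first appearance
    totals = defaultdict(float)   # (src, dst) -> USD sent while dst is still fresh
    tokens = defaultdict(set)
    alerted, alerts = set(), []
    for t in sorted(transfers, key=lambda x: x.ts):
        for addr in (t.src, t.dst):
            first_seen.setdefault(addr, t.ts)
        if t.src not in hot_wallets or t.dst in hot_wallets:
            continue              # only outflows leaving the hot-wallet set
        if t.ts - first_seen[t.dst] > window_s:
            continue              # destination has older history: not fresh
        key = (t.src, t.dst)
        totals[key] += t.usd
        tokens[key].add(t.token)
        if totals[key] >= usd_limit and key not in alerted:
            alerted.add(key)
            alerts.append({"wallet": t.src, "dst": t.dst, "ts": t.ts,
                           "usd": totals[key], "tokens": sorted(tokens[key])})
    return alerts

# Constructed sample data (placeholder addresses and amounts, not the real incident).
SAMPLE = [
    Transfer(0,      "0xCUST", "0xHOT",  "USDT", 1_000.0),    # earlier customer deposit
    Transfer(100000, "0xHOT",  "0xCUST", "USDT", 400_000.0),  # large, but known address
    Transfer(200000, "0xHOT",  "0xNEW",  "DAI",  100_000.0),  # first ever sighting of 0xNEW
    Transfer(200060, "0xHOT",  "0xNEW",  "GRT",  90_000.0),
    Transfer(200120, "0xHOT",  "0xNEW",  "UNI",  80_000.0),   # cumulative total crosses limit
]

if __name__ == "__main__":
    for alert in fresh_destination_alerts(SAMPLE, {"0xHOT"}):
        print(alert)
```

The large withdrawal to the known customer address raises nothing, while the three smaller multi-token transfers to the previously unseen address trigger one alert on the third transfer.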
In September 2023, Stake, the largest crypto betting platform, was hacked. Over $41 million was stolen in Ethereum from the company’s Polygon and BSC wallets following a private key leak.
The hacker converted all the USDT and USDC into ETH, BNB, and MATIC. As of the time of writing this article, nothing else has happened to the funds.
Stake hasn’t recovered them, nor has the hacker made any other moves. Cyvers, the blockchain security company that first announced the hack, claimed that this might be a rug pull or an access control violation.
That’s because the most likely cause of the hack was a leak of a private key, which is always a point of contention among crypto enthusiasts.
Stake denied any private key leak on any of its wallets, while the company’s co-founder, Edward Craven, said that the attack must have been a sophisticated breach that attacked a service used to confirm Polygon, BNB Chain, and Ethereum transactions.
The hot wallet that was hacked was mostly used for customer deposits and withdrawals, and it could handle 50,000 transactions per day.
In August-July 2023, a 6-month-long social engineering campaign culminated in the theft of $37.3 million from CoinsPaid, one of the most popular crypto payment processors.
The hackers needed that much time to convince one of the company’s employees that they would be taking part in a test for employment purposes.
Eventually, the employee installed malware on their work device, which led to the data breach responsible for the loss of $37.3 million in crypto funds.
The responsible party, identified as the Lazarus Group, had been testing and attacking CoinsPaid since March 2023:
Finally, the hackers managed to successfully hack CoinsPaid on July 22nd, 2023, when they convinced an employee to install malware on a work computer.
You can read more about the step-by-step strategy employed by the hackers here.
On April 14th, 2023, the crypto trading platform Bitrue reported that one of its wallets had been hacked. The perpetrators had managed to steal $23 million in multiple cryptocurrencies, including:
They further claimed that “the affected hot wallet only contained less than 5% of Bitrue’s overall funds. The rest of our wallets continue to remain secure and have not been compromised. We are conducting a thorough security review and will update you as we make progress.”
They did not mention how many of their wallets were hot or cold, though, which might worry some customers.
The good news is that Bitrue assured all affected users that they will be compensated in full for their losses. This should set some minds at ease.
PeckShield, a blockchain security firm, has tracked the stolen funds and discovered that the attacker had converted some of the crypto coins into Ethereum.
It’s unclear as of yet whether the attack used social engineering or if the hackers exploited a vulnerability with the hot wallets. However, this isn’t the first time Bitrue was hacked.
In June 2019, a threat actor stole $5 million after exploiting a technical vulnerability in the Bitrue platform but the company reimbursed the customers fully.
On April 9th, 2023, South Korean exchange GDAC became the victim of a crypto scam, losing $13.9 million in Bitcoin (60.8), Ethereum (350), Wemix tokens (10 million), and USDT (220,000).
All in all, this was approximately 23% of GDAC’s total holdings. The company alerted the authorities immediately and suspended all wallet services to mitigate further damage.
BlockSec, a blockchain analytics platform, discovered that the hacker converted the 220,000 USDT into Ethereum and then used Tornado Cash to launder it. He also converted the WEMIX tokens into Ethereum.
A private investigator on X rejected the hypothesis of private key leaks as the cause of GDAC’s crypto scam. In short, “The withdrawal of the BTC chain did not directly go to the attacker’s address, but part of it went to the change address of the GDAC. If the attacker has the private key, he can withdraw all funds to his own address.”
So far, GDAC has not recovered any of the stolen funds and there isn’t much of a chance for that. Blockchain transactions are irreversible, so unless the hacker decides to return the crypto willingly, there isn’t much anyone can do.
On April 13th, the DeFi protocol Yearn Finance experienced a breach that led to the loss of over $11 million spread across multiple stablecoins like DAI, USDT, USDC, BUSD, and TUSD.
Initially, PeckShield, the crypto security firm that first found the breach, explained that the hackers likely used the Aave version (1).
However, the Aave developers chimed in and clarified that the Aave protocol was only used for the swapping of tokens stolen during the exploit, and not to gain access into Yearn’s systems.
PeckShield further noted that the hackers minted more than 1.2 quadrillion yUSDT with only a $10,000 deposit. They managed to trick the Yearn Finance protocol to cash out millions of dollars in stablecoins using this method.
The vulnerability hidden in the yUSDT token contract had been lying dormant for three years, according to Halborn. The “copy-paste bug” miscalculated the pool ratio and tricked the contract into valuing the share prices of yUSDT tokens using different metrics.
Long story short, the hackers stole $10 million using a crypto zero-day vulnerability in Yearn Finance’s token contract, and the Aave protocol wasn’t at fault.
In February 2023, MyAlgo, the Algorand wallet provider, took to X (formerly Twitter) to warn its users to withdraw all their funds from their mnemonic wallets in the wake of a $9.2 million hack on some Algorand users.
The most vulnerable victims were using mnemonic wallets created on an internet browser, and according to Algorand’s Chief Technology Officer John Wood, 25 accounts had been affected.
He further stated that the hack wasn’t caused by a particular vulnerability within the Algorand protocol. The likeliest causes were a social engineering phishing attack targeting the users or a compromise of MyAlgo’s website.
However, MyAlgo released a more detailed report a month later, saying that the attack was caused by a man-in-the-middle attack against the content delivery platform. The attackers set up a malicious proxy between the official MyAlgo wallet web app and the user.
MyAlgo claimed that users who had encrypted their wallets using Ledger (hardware wallet) were out of danger and encouraged users to change their MyAlgo passwords.
According to ZachXBT, an on-chain sleuth, the crypto exchange ChangeNOW managed to freeze $1.5 million of the total $9.2 million stolen.
On October 25th, 2023, 25+ LastPass users came forward claiming that they’d lost $4.4 million in cryptocurrency. Internet sleuth ZachXBT identified all of them as being LastPass users.
In 2022, LastPass was hacked twice, with the threat actors stealing the customer data, source code, and production backups that contained encrypted password vaults.
Users who had weaker master passwords were in danger, and their worst fears are becoming reality as we speak. Ever since those two data breaches, LastPass users have been attacked month after month, with this October’s $4.4 million being one of the biggest thefts.
Research conducted by ZachXBT and Metamask developer Monahan shows that the hackers are slowly cracking the password vaults to gain access to the cryptocurrency private keys, passphrases, and credentials.
All in all, Monahan and ZachXBT tied $35 million in crypto thefts to the LastPass data breaches from a year ago. If this is true, then the LastPass data breaches will turn out to be among the largest crypto scams ever.
Cryptocurrency scams are significantly less financially crippling in 2023 compared to 2022. After all, you can’t have FTX scams all the time.
But even if we compare this year’s top 12 worst crypto scams with last year’s, we notice a clear decrease in the amount of money lost.
This year, the biggest crypto scam is Mixin Network with a loss of $200 million. However, if we placed the Mixin scam in last year’s roster, it would barely reach 6th place.
Here’s the top 5 from last year’s crypto scams:
While it’s looking better than last year from a quantity point of view ($200 million vs. $1-2 billion worst scams), it’s not all looking good.
All in all, both DeFi and crypto exchanges have received a lot of attention from cybercriminals this year. A lot less than last year, but still.
The Rug Pull – an age-old con that still applies today in the crypto world. It refers to an intentional scam in which the project founder or team abandons the project and disappears entirely, taking all the investors’ money with them.
While significantly less damaging than in 2022, rug pulls are still quite common in 2023, with one of the biggest crypto scams of the year being a suspected rug pull.
Crypto scams have significantly decreased in terms of quantitative losses since 2022, but that’s only because 2022 was an outlier, with FTX as the linchpin of the entire crypto scam wave. Just from the 13 crypto attacks on this list, the total dollar value loss is somewhere north of $875 million, but those are just the largest scams.
There have been hundreds of micro-scams throughout the year, so the actual total loss is upward of a billion dollars.
To better protect yourself against crypto scams, make sure to:
Stay safe and always protect your crypto investments!
Statista – Total Value of Cryptocurrency Lost to and Recovered from Theft and Other Attacks Between March 2020 and February 2022
Medium – A Detailed Analysis of Euler Finance’s $196 Million Flash Loan Attack
MakeUseOf – Cross-Chain Bridges and Atomic Swaps Explained Simply
Twitter – Beosin Alert About the MultiChain Scam
AtomicWallet – June 3rd Event Statement
Coin Telegraph – Atomic Wallet faces Lawsuit Over $100M Crypto Hack Losses: Report
Chain Analysis – Vulnerability in Curve Finance Vyper Code Leads to Multi-Million Dollar Hack Affecting Several Liquidity Pools [UPDATED 8/8/23]
SlashDot – Hackers Steal $53 Million Worth of Cryptocurrency From CoinEx
Medium – 0xScope Research: Tracking the Stake.com Hack
Privacy Affairs – The Art of Cyber Deception: Social Engineering in Cybersecurity
CoinsPaid – The CoinsPaid Hack Explained: We Know Exactly How Attackers Stole and Laundered $37M USD
The Record – Crypto Platform Bitrue has $23 Million Stolen in Cyberattack
CoinGeek – South Korea’s GDAC Exchange Loses $13 Million in Hack
Halborn – EXPLAINED: THE YEARN FINANCE HACK (APRIL 2023)
Twitter – MyAlgo X Post About the Scam
Coin Telegraph – MyAlgo Users Urged to Withdraw, as Cause of $9.2M Hack Remains Unknown
Twitter – X Post About the LastPass Hack
WithPersona – Top Cryptocurrency Theft Statistics of 2023
Chain Analysis – 2023 Crypto Crime Trends: Illicit Cryptocurrency Volumes Reach All-Time Highs Amid Surge in Sanctions Designations and Hacking
Reuters – Crypto ransom attacks rise in first half of 2023, Chainalysis says
Chain Analysis – 2022 Biggest Year Ever For Crypto Hacking with $3.8 Billion Stolen, Primarily from DeFi Protocols and by North Korea-linked Attackers
Crystal Block Chain – Crypto & DeFi Security Breaches, Fraud & Scams Report
Cryptopolitan – CRYPTO SCAMS, HACKS, AND RUG PULLS DROP DRAMATICALLY IN H1 2023
Halborn – EXPLAINED: THE BALD TOKEN RUG PULL (JULY 2023)
Twitter – Beosin Report About Rug Pulls and Other Crypto Scams
The Motley Fool – What Is Cold Storage in Crypto?