skip to Main Content

Half of 2020 Crypto Hacks are from DeFi Protocols and Exchanges

This blog is an excerpt from the upcoming CipherTrace 2020 Cryptocurrency Crime and Anti-Money Laundering Report

  • In first half of 2020 DeFi took up 45% of all thefts and hacks ($51.5M or 40% of hacked volume).
  • In second half of 2020 DeFi took up 50% of all thefts and hacks ($47.7M or 14% of hacked volume).
  • So far, in 2020 DeFi hacks make up 21% of 2020 hack and theft volume.
  • Funds from largest hack in 2020 (KuCoin $281M) were laundered through DeFi.
  • In 2019, DeFi hack volume was virtually negligible.
  • Rise in thefts likely attributed to recent DeFi boom.

The USD value locked in DeFi has grown exponentially in 2020 thus creating potential new money laundering risks as hacked DeFi protocols make up the majority of crypto thefts in 2020 and decentralized exchanges were one off-ramp of choice for 2020’s KuCoin hack.

According to CoinGecko, as of October 27, 2020, DeFi has locked up 31%—$14.2 billion USD—of Ethereum’s total market capitalization. This is an over 700% increase from the $1.7B held in DeFi at the start of 2020. This exponential boom eclipses the 70% increase from the start of 2019, when the DeFi market cap was only $1.0B, to the beginning of 2020. This boom is ultimately what attracted criminal hackers to DeFi, resulting in the most DeFi hacks in a year to date.

In first six months of 2020, 45% of all thefts were DeFi hacks, equating to about $51.5M—40% of hacked volume for that time period. So far, in second half of 2020, DeFi has dominated 50% of all thefts, equally roughly $47.7M—14% of hacked volume for this time period. This lower percentage of total hack volume in the second half of 2020 is due to the KuCoin hack, which totaled nearly $281M. Altogether, DeFi hacks have made up 21% of the 2020 theft volume, whereas in 2019 the DeFi hack volume was virtually negligible. If the KuCoin variable was removed, DeFi hacks would take over 50% of the total volume. Despite KuCoin being a centralized exchange, even this hack had been touched by DeFi as the criminals attempted to launder the stolen funds through one of the largest decentralized exchanges in the world—Uniswap.

(DeFi)cient AML

DeFi protocols are permissionless by design, meaning they often lack any clear regulatory compliance and anyone in any country is able to access them with little to no KYC information collected. As a result, DeFi can easily become a haven for money launderers.

It appears regulators are beginning to pay closer attention to DeFi and their compliance requirements. The unaudited smart contracts on which many DeFi projects rely often, unsurprisingly, have vulnerabilities that bad actors can exploit. As Olaf Carlson-Wee, the founder and CEO of Polychain Capital, said on a recent episode of Unchained, “I do think it scares me a little bit how much capital is being dumped into contracts that are unaudited. I think that getting security audits is, overall, an important part of maturing any one of these systems.” As DeFi continues to grow, it’s plausible that DeFi projects can fall under the scope of global regulators. FATF already considers decentralized exchanges VASPs and FinCEN applies the same regulatory consideration to DEXs that it does to bitcoin ATMs, regardless of whether they operate for profit.

The US Securities and Exchange Commission (SEC) has noticed DeFi projects that have been subject to vulnerabilities, hacks, attacks, fraud, and manipulation. At the September 18 Parallel Summit, the SEC’s Crypto Czar Valerie Szczepanik said “when you are running [Defi] things on code and you are putting it out in the wild you are missing a step and you may want to test the code, audit the code, you may want to have some peer review of the code; to send it out live right away without those protections is risky those. “Don’t feed into the hype that surrounded the IPO market” warned Val. “Hype leads to fraud, it can lead to bad in implementations of code, insufficient testing. If the industry takes the time to get it right and engages with regulators to help them do so, then good stuff percolate to the top and you will have the benefits that come with the promise of distributed ledger technology.”

The EU on the other hand, has introduced Markets in Crypto-Assets (MiCA), a proposed regulation which, if passed, will ban decentralized exchanges from trading with any European Union citizens if they are not incorporated as a legal entity and have their registered office in a Member State.

It’s clear that DeFi has become one of the fastest growing trends in the crypto industry, comparable to the ICO craze of 2017. As such, it is important to be vigilant to its money laundering risks. DEXs have no way of freezing funds like a centralized exchange; instead, this power lies with the individual DeFi projects themselves. However, if the proper steps aren’t taken to ensure the security of the smart contracts on which many DeFi projects rely, it is likely that DeFi will only continue to suffer from the consequences resulting from inadequate AML and security.


Back To Top