Heists continue to plague the crypto world, with news of large sums stolen from digital currency firms seemingly every month. But while crypto exchanges were once the main point of attack, hackers now appear to have a new target: blockchain bridges.
Bridges are the infrastructure that allow users to exchange assets between different blockchains, the digital database underpinning major cryptocurrencies. When a bridge service swaps one coin for another, it “wraps” the currency so that it will function on the other blockchain.
A wrapped coin does not become another currency altogether – “it just looks like it,” Tom Robinson, chief scientist at blockchain analysis firm Elliptic, told CNN Business. Instead, a “token” is issued to represent the new coin on the different blockchain. “I deposit my Bitcoin in the bridge. In return for doing that, I receive a Bitcoin token on the Ethereum blockchain, and then I can transfer that Bitcoin token, which is what is known as a wrapped asset, through the Ethereum blockchain,” explains Robinson.
To support these wrapped coins, bridge services hold large reserves of various coins. “You need to trust the bridge really has the assets that are backing those tokens,” said Robinson. “They have huge amounts of assets that back those wrapped tokens.”
These coin reserves are attracting the attention of hackers and turning blockchain bridges into prime targets for heists, according to Elliptic. “They’re just huge honeypots. They just hold huge amounts of crypto assets, and so they are very obvious targets,” said Robinson.
Some $1.83 billion has been stolen from bridges to date, with the majority of that ($1.21 billion) taking place just this year, according to Elliptic. Six major bridges have been hit in thefts so far in 2022, including California-based firm Harmony, which lost $100 million in late June, and Axie Infinity’s Ronin bridge, which suffered a $625 million theft in March.
In the latest example, hackers reportedly stole cryptocurrency valued at $190 million from cryptocurrency bridge provider Nomad, according to blockchain security and data analytics company Peckshield. (Nomad has not confirmed the total amount lost.)
“We are working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics,” Nomad tweeted Tuesday. “Our goal is to identify the accounts involved and to trace and recover the funds.”
Nomad is working with chain analysis firm TRM labs to help trace funds in an effort to return stolen money to users, according to a tweet posted by Nomad on Wednesday.
Nomad first tweeted late Monday addressing the incident and said that it was “aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds.”
According to Peckshield, Nomad’s system was drained gradually in batches, and stolen coins included ether and some stablecoins linked to the US dollar. A researcher at crypto investment firm Paradigm tweeted that the exploit was “one of the most chaotic hacks that Web3 has ever seen.”
Just days before the incident, Nomad revealed several big name investors – including Coinbase Ventures, OpenSea and Crypto.com Capital – that took part in an April funding round for $22 million to “help grow security-first cross-chain messaging solution.”
The growing number of bridge attacks only adds to security and trust concerns in the crypto industry. Several of the largest crypto thefts of all time took place just last year, amid a surge in crypto prices and usage. Cryptocurrency prices have since fallen considerably but remains a potentially lucrative target.
Crypto scams have also become popular, with scammers stealing more than $1 billion from the start of 2021 through March of this year, according to a report in June from the Federal Trade Commission.
“Certain features of cryptocurrency may explain why it’s a pet payment method for crooks and cons,” the FTC said in a release at the time. “There’s no bank or other entity to flag suspicious transactions before they happen. Crypto transfers can’t be reversed. Once the money’s gone, you can kiss your crypto buh-bye.”
Additional reporting by CNN’s Sean Lyngaas and Ramishah Maruf.