‘This is the jungle’: Law enforcement slowly waking up to the threat of DeFi exploits 

September 12, 2022, 10:30 AM UTC

At the end of August, the FBI issued a public service announcement on the susceptibility to cybercrime of DeFi (decentralized finance), the growing segment of crypto financial applications built on blockchain technology. Of the $1.3 billion stolen in cryptocurrencies in the first three months of 2022, 97% came from DeFi platforms.

The warning did nothing to deter cybercriminals, who launched flash loan attacks—where someone borrows funds and then manipulates the price of the asset before quickly reselling it—on the Avalanche blockchain and the New Free DAO protocol the following week that totaled nearly $2 million. According to data from investment platform DeFiYield, $211 million was lost in decentralized finance hacks just in August.

Cybersecurity experts say the timing of the FBI warning—several years after DeFi exploits began—illustrates how slow governmental agencies and technological solutions have been to catch up to the vulnerabilities of the ecosystem.  

“Law enforcement is reactionary to what’s happening out there,” said Chris Tarbell, the co-founder of the cybersecurity firm NAXO and a former FBI special agent who was instrumental in taking down the notorious Silk Road marketplace. “It takes time because it’s such an advanced technology.”

‘Logical target’ 

As the apocryphal story goes, a reporter once asked Willie Sutton why he robbed banks. “Because that’s where the money is,” he replied.  

Michael Rosmer, cofounder of DeFiYield, said the same logic attracts cybercriminals to the world of decentralized finance, where transactions are irreversible—unlike in traditional banking—and law enforcement is still figuring out how the platforms work.  

“Where else can you go where you can steal really large amounts of money with no recourse?” Rosmer told Fortune. “That makes crypto a logical target until we can somehow turn around and come up with better systems for addressing this.” 

According to DeFiYield’s data, the $211 million lost last month still pales in comparison to August 2021, when cybercriminals stole an estimated $827 million. Rosmer clarified that the decrease does not mean there is any less of a threat, attributing the figure to the cryptocurrency industry’s vastly lower market cap, as well as the shifting nature of DeFi hacks.

Previous exploits targeted lending protocols—like Binance Smart Chain–based protocol Meerkat Finance, which lost $31 million in user funds the day after it launched in 2021—as well as other complex DeFi tools like liquidity pools and automated market makers.  

Rosmer said that the main target in 2022 has been bridges, a type of technology that connects different blockchains, allowing users to move cryptocurrencies among chains. The biggest example from 2022 was the attack on popular play-to-earn game Axie Infinity, which lost an estimated $620 million in March when cybercriminals targeted the bridge to its Ethereum-linked sidechain.

The attacks have continued. Just last month, hackers exploited the Nomad bridge—which connected blockchains such as Ethereum and Avalanche—for $190 million.  

“This is a challenging technical problem,” Rosmer told Fortune. “The more value that is being exchanged between two chains, the more attractive the pot exists to make it so that you would want to attack it.” 

Potential ‘hell-state’ 

Ryan Kalember, an executive vice president at cybersecurity firm Proofpoint, said that DeFi is in a tricky position where it’s attractive for cybercriminals to target, but not necessarily valuable enough for companies to develop sufficient defenses. 

“You could end up with this hell-state where it’s not worth enough to secure, but it’s still worth enough for cybercriminals to go after it,” he said.

The problem is exacerbated by the international nature of cybercrime, which makes it difficult for U.S.-based law enforcement to act. “If you can’t get Edward Snowden in Russia,” said Rosmer, “how are you going to get some guy who just stole $10 million from a DeFi protocol in Russia?”  

Governmental agencies are starting to figure out new strategies, such as the U.S. Department of the Treasury sanctioning the open-source cryptocurrency mixer Tornado Cash, which cybercriminal organizations like North Korea’s Lazarus Group have used to launder hundreds of millions of dollars, including from August’s Nomad heist. 

Even so, officials are just starting to wake up to the threat. “It’s complicated, it’s new, and it’s poorly understood, especially by law enforcement,” Kalember said.  

While Rosmer said that the FBI warning was a step in the right direction, he was skeptical it would have much of an impact. For him, the onus is on technology companies like DeFiYield to ramp up security. 

“This is like the jungle,” he told Fortune. “We are working on trying to make the jungle safe and turn it into a zoo.”
