The sanctions against Tornado Cash, as well as last year's arrest of the Mango Markets infiltrator, motivate hackers to return their loot, researchers believe.

Hacker stole around $400 million from crypto projects during 40 attacks in the first three months of 2023, blockchain intel firm TRM Labs said in a new report.

This is a 70% decline from the Q1 of 2022.

The average hack size also got smaller, according to TRM, from $30 million in 2022 to $10.5 million for the same period in 2023.

Hackers also increasingly return the money they steal, settling for a “white hat” reward from the exploited projects. Hack victims got almost half of the stollen funds back in 2023, TRM Labs estimates.

For example, an attacker who exploited the TenderFi protocol returned half of the $1.6 million he got out of the attack (TenderFi paid $850,000 bounty in return). Similarly, the hacker behind the Euler lending protocol exploit also agreed to return all the $200 million worth of crypto he ran away with. Both hacks happened in March. In April, the hacker who drained the Safemoon protocol returned $7.1 million of crypto, keeping the rest of his $9 million loot.

A possible explanation might be increasing regulatory attention to the crypto hacks and a number of high-profile enforcement cases, TRM Labs suggests. First of all, crypto exchanges are ramping up their KYC/AML policies, making it harder to cash out stolen coins. At the same time, the ETH mixing protocol Tornado Cash, which has been one the most popular money laundering tool for Ethereum so far, has been under the U.S. sanctions since August 2022, which automatically backlisted all Tornado-related funds for any regulated exchange.

Also, the case of Avraham Eisenberg, who became the first person known to be arrested for a DeFi exploit, might be serving as a warning sign. Eisenberg exploited the Mango Markets protocol and publicly admitted it, revealing the protocol’s vulnerability. He was arrested in Puerto Rico in December.

“The ability to trace and track stolen funds has just gotten better and better – not just by investigators using blockchain intelligence like TRM, but by sleuths on Twitter using open source tools – and has created an environment where hacked funds are being tracked publicly in real time,” TRM Labs’ head of legal and government affairs Ari Redbord.

“Malicious hackers are increasingly having difficulty off-ramping funds and are therefore settling for bug bounties. We are also seeing so-called ‘white hat’ hackers become more and more a part of the ecosystem and could be a helpful way for DeFi services to harden cyber controls," Redbord added.

DeFi hackers returned stolen funds before, examples include the Defrost Finance and Nomad Bridge hackers in 2022, Poly Network in 2021 and dForce in 2020.

In March, Crystal Blockchain estimated the overall hacks and scams toll at $119 million. DeFi protocols remain attackers’ favorite target, as complex smart contracts often turn prone to manipulation. According to Chainalysis, DeFi exploits account for 82% of all crypto stollen in 2022.




BY Anna Baydakova | Original Article