Posted January 2, 2025 at 7:45 am EST.
Those in the crypto ecosystem have witnessed an extraordinary level of wealth creation since Satoshi Nakamoto first introduced Bitcoin in 2009; in 2024 alone, the overall capitalization of digital assets soared to about $3.5 trillion from under $1.8 trillion at the start of the year. On the flip side, there are a lot of ways to lose.
In 2024, crypto users have seen a loss of roughly $1.5 billion, according to a report published by blockchain security firm Immunefi.
Instead of providing examples of how people have pocketed money, this article goes straight for the safety-first approach, or rather the learn-from-the-mistakes-of-others strategy — highlighting the countless ways people have seen funds leave their wallets and not return. Striving to be comprehensive, we enumerated 39 here. There’s probably way more.
1. Accosted at Gunpoint
A number of people, especially public figures and in-person conference attendees, have been the target of malicious actors wielding guns and seeking to steal crypto. In September, Nick Drakon, founder of crypto research platform Revelo Intel, shared on X how a “highly sophisticated group” targeted, surveilled, and robbed him of his crypto assets. “I was forced, at gunpoint, to log into a number of crypto accounts and transfer funds out,” Drakon wrote on Sept. 5.
2. Honeypot Scams
A honeypot scam exploits a crypto user’s greed by enticing people with either substantial returns or a pot of tokens. A scammer deploys a smart contract, loaded with large amounts of valuable tokens. The scammer pretends to be a newbie and inexperienced, asking their intended victim for help in cashing out tokens from the smart contract, promising a portion of them in exchange for assistance.
To “help,” the victim is asked to send funds into the contract to cover transaction costs. That deposit is the theft: the contract is written so that only the scammer’s own address can move tokens out, so whatever the victim sends in is locked away from them and the promised share never materializes.
3. SIM Swap
A SIM swap occurs when a scammer manages to take control of a crypto user’s phone number by tricking their mobile service provider. The scammer gathers personal information through methods like phishing emails, data breaches, or social engineering. They then impersonate the victim and request a SIM card replacement from the mobile provider, often claiming their phone has been damaged, but insisting on keeping the same number.
Once the number is ported, the scammer receives the victim’s text messages and can defeat SMS-based two-factor authentication and phone-number password resets on accounts ranging from exchanges such as Coinbase to banks such as Wells Fargo. Authenticator apps and hardware security keys are not affected by a swap, which is why they are the better second factor for anything that holds crypto.
SIM swapping is powerful because a phone number is a recovery path for so many services: beyond direct financial access, it opens password resets, private messages, and social media accounts.
Ethereum co-founder Vitalik Buterin shared on Farcaster one year ago his SIM swap experience, saying one of his main takeaways was how “a phone number is sufficient to password reset a Twitter account.” Often, a scammer trained in SIM swapping will use a phone number to gain access to a person’s X account and post scam projects that end with victims empty-handed. Scammers have posted blockchain links with promises of a digital asset, such as memecoins and non-fungible tokens (NFTs).
SIM hijackers also get paid in crypto. Five years ago, a since-deleted user posted a thread to the r/btc subreddit titled “$30M BCH sim hack.” ZachXBT connected the BCH SIM hacker to the SWAPD username @antihero, who, to attract customers, said in one post that crypto is the only form of payment accepted for his service of unlocking verified and ordinary Twitter accounts.
A SIM card is a physical chip that operates within a phone that allows the mobile device to connect to a cellular network. On Amazon, a T-Mobile prepaid SIM card with unlimited talk, text, and data in the U.S. for 30 days fetches nearly $26.
4. Rug Pulls
Rug pulls are a prevalent scam in the crypto ecosystem, where developers of a project suddenly withdraw all liquidity, often including substantial investor funds. This causes the project’s token value to plummet, making it impossible for investors to sell their tokens without heavy losses.
A notable example occurred with the Squid Game Token in 2021. A content creator who goes by @SimonZawa on X livestreamed on Twitch the real-time rug pull of the Squid Game Token, where the cryptocurrency had gained more than 230,000% in a week to reach $2,963 per coin. Shortly after, the token’s price collapsed to $0.007, leaving holders with scant value.
In a poll conducted by X user @DrNickA in 2022 asking, “How many times have you been rugged?” some 21.8% of 840 participating votes said “loads of times,” while 28.7% said two to five times.
5. North Korean Exploits
According to a study from the United Nations Security Council published in March, North Korea has taken roughly $3 billion from crypto-related companies, “which reportedly help to fund the country’s development of weapons of mass destruction.”
Per the study, North Korean “actors posed as employers to lure software developers, many linked to the cryptocurrency industry, into installing malware hosted on a GitHub repository through a job interview process.”
“Do you work in the crypto industry? If so, you are a target of North Korean actors who use convincing, personalized social engineering tactics to access networks and steal company crypto,” the FBI wrote on X in September.
One “unironically best practice” for technical folk who have suspicions about an online identity being North Korean is asking the suspicious person to say something negative about Kim Jong Un, the supreme leader of North Korea, according to Laurence Day, an advisor at Euler Finance.
6. Reentrancy Attacks
A reentrancy attack is a vulnerability class with a long-lasting legacy in the crypto space, specifically in the Ethereum community. It occurs when a contract sends funds to an external address before it records that the withdrawal happened; if the recipient is itself a contract, the payment triggers its code, which calls back into the withdraw function while the first call is still in progress.
Because the balance is only written after the external call, the withdraw check passes again on every re-entry, and the attacker keeps draining the contract against a balance that never goes down.
The loop ends only when the contract is empty or the transaction runs out of gas. The standard fix, the checks-effects-interactions pattern, updates the balance before making the external call; a reentrancy guard is the belt-and-braces addition. Perhaps the most famous reentrancy attack was the one that led to the DAO hack in 2016, which caused philosophical debates about whether Ethereum should hard fork, and ultimately split it into two chains. At one point the attacker was siphoning between $12.6 million and $19.8 million from the DAO per hour.
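The ordering bug in plain Python, as an added example that is not code from the article or from the DAO contract: a vault that pays out before it zeroes the caller’s balance, the same vault with the checks-effects-interactions fix, and an attacker object that re-enters `withdraw` from the hook that receives the payment. The class names, the honest depositor and the amounts are constructed for the example.

```python
"""Reentrancy modelled in plain Python (added example, not code from the
article or from the DAO contract). VulnerableVault makes the external call
before recording the withdrawal; FixedVault applies checks-effects-
interactions and records it first. Attacker re-enters withdraw() from the
hook that receives the payment. Amounts are integers in arbitrary units."""


class VulnerableVault:
    def __init__(self):
        self.balances = {}   # depositor object -> credited amount
        self.total = 0       # funds actually held by the vault

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.total:   # checks
            return
        self.total -= amount                     # interaction: pay out first ...
        who.receive(self, amount)                # ... which hands control to the callee
        self.balances[who] = 0                   # effect: recorded far too late


class FixedVault(VulnerableVault):
    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.total:   # checks
            return
        self.balances[who] = 0                   # effects before any external call
        self.total -= amount
        who.receive(self, amount)                # interaction last: a re-entry now sees 0


class Honest:
    def receive(self, vault, amount):
        pass                                     # EOA-like recipient: just takes the money


class Attacker:
    def __init__(self):
        self.received = 0
        self.reentries = 0

    def receive(self, vault, amount):
        self.received += amount
        self.reentries += 1
        vault.withdraw(self)                     # re-enter while our balance is still credited


def run(vault_cls, honest_deposit=10, attacker_deposit=1):
    """Deposit, let the attacker call withdraw once, report what happened.
    Returns (attacker_received, vault_remaining, reentry_count)."""
    vault = vault_cls()
    vault.deposit(Honest(), honest_deposit)
    attacker = Attacker()
    vault.deposit(attacker, attacker_deposit)
    vault.withdraw(attacker)
    return attacker.received, vault.total, attacker.reentries


if __name__ == "__main__":
    print("vulnerable:", run(VulnerableVault))   # attacker drains everyone's funds
    print("fixed:     ", run(FixedVault))        # attacker gets back only their own deposit
```

With the vulnerable vault the attacker deposits 1 unit and walks away with all 11; with the fixed vault the second call into `withdraw` finds a zero balance and the attacker gets back exactly what they put in.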
7. Government Seizure
Another way to lose money in crypto is through government seizure. According to a November 2022 press release from the U.S. Attorney’s Office for the Southern District of New York, law enforcement seized more than 50,676 bitcoin, worth nearly $2.9 billion at current prices, from James Zhong, who pleaded guilty to wire fraud for stealing about 50,000 BTC from the dark web marketplace Silk Road in 2012. In 2024, German police also confiscated roughly 50,000 bitcoin linked to the now-shuttered film piracy platform Movie2K.
8. Buying High, Selling Low
A frequent way crypto users lose money stems from adopting an unprofitable trading strategy, namely buying a token on the open market and selling it at a lower price. One address (0xD21) had accumulated SHIB from Binance around October and November 2021 when the memecoin’s market cap was around $35 billion, but then offloaded its SHIB holdings in August and October 2022, after its market cap dropped to roughly $6 billion, data from blockchain explorer Etherscan shows.
The memecoin trader, who is still a token millionaire, had lost $2.55 million in SHIB, per crypto analytics firm Lookonchain.
9. Buying a Token Where Transfers Are Disabled
Also unprofitable is buying a token whose transfers are disabled. In this scam, fraudsters deploy a token and let people buy it, but conceal that the contract blocks transfers by anyone other than the deployer. Buyers can purchase but cannot sell or move the tokens, creating a one-sided market in which only buy orders exist. Once the scammer decides they have collected enough, they disappear with the proceeds.
10. Fat-Fingering
Often a joke among crypto natives, fat-fingering refers to a typing error made while composing a transaction, whether in the destination address, the amount, the asking price for an asset, or the gas parameters that determine how much the sender pays in fees. Unchained reported in August how an anonymous Ethereum user spent $88,000 in fees to send a transaction worth $2,200, a fortieth of the fee.
11. Dying Without a Transfer Plan
A problem every crypto user faces is adopting an inheritance plan for their self-custodied crypto when they die. Wallets could be lost for good, or there might be an opportunity for scammers to get hold of assets. The family of Ripple billionaire Matthew Mellon, who died in 2018, has yet to gain access to his crypto holdings, estimated to be roughly $500 million.
Read More: What Happens To Your Crypto When You Die? Casa Inheritance Has a New Solution
12. Losing a Seed Phrase/Private Key
A seed phrase is a sequence of randomly chosen words that serves as a recovery phrase: the wallet’s private keys are derived from it deterministically, and those keys sign and authorize transactions. If a hardware device is damaged or lost, the owner can enter the seed phrase into a new device to regenerate the same keys and regain control of the funds. Losing the seed phrase, however, can mean permanently losing access to the wallet, because nothing else can reproduce the keys. Osmosis Labs co-founder Sunny Aggarwal indicated most crypto losses stemmed from losing these seed phrases.
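Why the words are the whole secret, shown with the standard library only, as an added example that is not code from the article or from any wallet vendor: BIP-39 turns the mnemonic plus an optional passphrase into a 64-byte seed, and BIP-32 turns that seed into the master private key and chain code from which every account key descends. Nothing else enters the computation, so whoever holds the words (and the passphrase, if one was set) holds the keys, and nothing can regenerate them once the words are gone. The phrase used below is the first BIP-39 reference test vector; word-list checksum validation is left out.

```python
"""Seed phrase to keys with the standard library only (added example, not
code from the article or any wallet vendor). BIP-39 turns the words plus an
optional passphrase into a 64-byte seed; BIP-32 turns that seed into the
master private key and chain code from which every account key is derived.
Word-list checksum validation is left out for brevity."""
import hashlib
import hmac
import unicodedata

# secp256k1 group order: a BIP-32 master key must lie in [1, N-1]
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split())).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32: HMAC-SHA512 keyed with "Bitcoin seed"; left 32 bytes are the
    master private key, right 32 bytes the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(key, "big")
    if not 0 < k < SECP256K1_N:          # astronomically unlikely, but the spec requires it
        raise ValueError("invalid master key, seed must be rejected")
    return key, chain_code


def derive(mnemonic: str, passphrase: str = "") -> dict:
    """Full path words -> seed -> master key, all values hex-encoded."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    key, chain_code = master_key(seed)
    return {"seed": seed.hex(), "master_private_key": key.hex(), "chain_code": chain_code.hex()}


if __name__ == "__main__":
    # First BIP-39 reference vector (all-zero entropy) with the spec's "TREZOR"
    # passphrase. A different passphrase yields a different wallet entirely, so
    # a forgotten passphrase is as fatal as lost words.
    phrase = "abandon " * 11 + "about"
    print(derive(phrase, "TREZOR"))
    print(derive(phrase, "")["seed"][:16], "<- different wallet, same words")
```

Run it twice and the output is identical; change one word or the passphrase and every derived key changes, which is the entire backup story in one function call.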
13. Holding a Stablecoin That Loses Its Peg
This is a variation on the buy-high, sell-low method of losing. “By the magnitude of money loss, the people in my network, I think the maximum was from Terra,” Aggarwal told Unchained. Holders of UST, the now-defunct stablecoin from the Terra project, saw their worth plummet as a result of UST dropping from its supposed stable value of $1 in May 2022. “If you’re buying high [and] selling low, you know you’re trading risky assets. I think Terra was especially bad because people were holding their life savings and non-risk assets in UST and then they lost that,” Aggarwal said.
14. Sandwich Attacks
Sandwich attacks, which occur mostly in DeFi markets, are a form of price manipulation carried out around a victim’s trade, nearly always by bots because of the speed required. The exploit involves three transactions: the attacker places one transaction before and another after the target transaction, sandwiching it. The profit extracted by controlling transaction ordering is a form of what is called maximal extractable value (MEV).
Read More: MEV Sandwich Attacks Made $1 Million in Single Day Profit
An attacker can place a buy order on an asset in an effort to increase the price before the middle transaction, leading to the victim paying an inflated price. Immediately afterward, the attacker can place a sell order at this higher price, allowing them to profit the difference between the two transactions, while the victim receives less than what they would have gotten if they weren’t sandwiched.
All of this is done in tiny increments of time, typically by automated trading bots, and the practice is sometimes compared with Wall Street front-running.
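The three-transaction sequence against a constant-product (x*y=k) pool, as an added example that is not code from the article or from any MEV bot. Pool reserves, trade sizes, the 0.3% swap fee and the slippage limit are all constructed. The function reports what the victim would have received alone, what they receive sandwiched, the attacker’s profit, and what happens when the victim sets a tight minimum-output (slippage) limit: their trade reverts and the attacker is left paying fees twice for nothing.

```python
"""Sandwich attack on a constant-product (x*y=k) pool, modelled in Python
(added example, not code from the article or any MEV bot). Pool reserves,
trade sizes, the 0.3% swap fee and the slippage limit are all constructed."""

FEE = 0.003   # constructed: the usual 30 bps pool fee


def swap(reserve_in, reserve_out, amount_in, fee=FEE):
    """Constant-product swap. Returns (amount_out, new_reserve_in, new_reserve_out)."""
    effective_in = amount_in * (1 - fee)
    amount_out = reserve_out * effective_in / (reserve_in + effective_in)
    return amount_out, reserve_in + amount_in, reserve_out - amount_out


def sandwich(eth_reserve, usdc_reserve, victim_usdc_in, attacker_usdc_in,
             victim_min_eth_out=0.0):
    """Victim buys ETH with USDC; attacker front-runs with a buy and back-runs with a sell."""
    # Baseline: what the victim would receive if their trade went through alone.
    clean_eth, _, _ = swap(usdc_reserve, eth_reserve, victim_usdc_in)

    # 1. Front-run: attacker buys ETH, moving the price up before the victim fills.
    atk_eth, usdc_r, eth_r = swap(usdc_reserve, eth_reserve, attacker_usdc_in)

    # 2. Victim's trade executes at the worse price, unless their minimum-output
    #    guard rejects it (the on-chain equivalent of a revert).
    victim_eth, usdc_r2, eth_r2 = swap(usdc_r, eth_r, victim_usdc_in)
    victim_filled = victim_eth >= victim_min_eth_out
    if not victim_filled:
        victim_eth, usdc_r2, eth_r2 = 0.0, usdc_r, eth_r   # reverted: pool unchanged

    # 3. Back-run: attacker sells the ETH bought in step 1 at the inflated price.
    atk_usdc_back, _, _ = swap(eth_r2, usdc_r2, atk_eth)

    return {
        "victim_eth_clean": clean_eth,
        "victim_eth_sandwiched": victim_eth,
        "victim_filled": victim_filled,
        "attacker_profit_usdc": atk_usdc_back - attacker_usdc_in,
    }


if __name__ == "__main__":
    pool = dict(eth_reserve=1_000.0, usdc_reserve=3_000_000.0)
    loose = sandwich(**pool, victim_usdc_in=30_000.0, attacker_usdc_in=300_000.0)
    print("no slippage limit:", loose)
    tight = sandwich(**pool, victim_usdc_in=30_000.0, attacker_usdc_in=300_000.0,
                     victim_min_eth_out=0.995 * loose["victim_eth_clean"])
    print("0.5% slippage limit:", tight)
```

The practical caveat for users is in the second run: the slippage tolerance is the only knob the victim controls, and a loose one (or “auto”) is an open invitation.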
15. Liquidations
Liquidations occur when a crypto user on a trading platform does not have enough collateral to meet margin calls on a leveraged trading bet. The platform forcibly closes a trader’s position in the market by selling a user’s assets, to protect the exchange from accruing more losses. “Getting liquidated onchain is painful. They don’t even tell you that your position is liquidated. It just disappears lol,” wrote one X user who goes by @icebergy_ in 2022.
16. SEC Penalties
The U.S. Securities and Exchange Commission has been responsible for some firms losing money. For example, the SEC announced on Sept. 3 settled charges against crypto investment adviser Galois Capital, which agreed to pay a civil penalty of $225,000. According to the press release, however, the penalty will be distributed to the fund’s harmed investors.
Read More: Trump Officially Nominates Paul Atkins for SEC Chair
In August 2024, District Judge Analisa Torres granted in part the SEC’s request for a civil monetary penalty against Ripple Labs. Per the court filing, the Court imposed a penalty of more than $125 million. In this case, the financial loss might be seen as recompense for a risky regulatory strategy.
17. CFTC Penalties
The U.S. Commodity Futures Trading Commission is another government agency that has played a role in some firms seeing money leaving their pockets. On Sept. 4, “as part of its continuing enforcement focus in the digital asset decentralized finance (DeFi) space,” the CFTC announced it had settled charges against Uniswap Labs for offering illegal leveraged and margined commodities transactions. Uniswap Labs was ordered to pay a $175,000 civil monetary penalty.
18. Lending to Untrustworthy Firms
Some crypto users want to earn yield on idle tokens, leading them to companies and protocols that advertise borrowing and lending services. While some survived, a number of these entities failed and went bankrupt. Customers could see their funds back eventually as a result of bankruptcy proceedings, but the process often takes years. Even if recovery is an option, creditors don’t always receive 100% of their deposits — and maybe not in the cryptocurrencies they originally held.
For instance, 250,000 people had their assets frozen on Celsius, a lending firm that went bankrupt in 2022. More than two years later, some 251,000 creditors had received payouts from Celsius’ bankruptcy administrator, according to an Aug. 26 court filing.
19. Hacked Bridges
Bridges, channels by which crypto users can move assets between various blockchains, have been targeted because of their role in facilitating cross-chain transactions, where a lot of money is moving around and often parked in vault-like smart contracts. To bridge, users usually send their assets to the protocol where those assets are locked in a smart contract. In return, users receive an equivalent amount of another asset on a different network representing the initial principal. As such, hackers can attack either of the two points, potentially causing users of the bridging service to lose money.
Bridge attacks accounted for 69% of total funds stolen in 2022, making them a top security risk, according to Chainalysis. Wormhole, a popular bridging protocol, suffered an exploit in 2022 when a hacker bypassed the bridge’s signature verification and minted 120,000 wrapped ETH on Solana, worth about $320 million at the time, without ever depositing the ETH meant to back it.
“If users think their crypto could be unbacked after a hack, we could see something akin to a bank run, creating major price declines and possibly causing protocols to become insolvent, all of which could affect the other interconnected protocols,” according to a 2022 Chainalysis blog post.
20. Transacting Based on Compromised Social Accounts
Hackers often take control of the social media accounts of public figures and large entities, such as an X profile or a Discord server. Once in control, they post malicious links intended to deceive those paying attention. By taking advantage of the trust between followers and high-profile accounts, scammers use these links to lead victims to sites that harvest sensitive information or distribute malware. The ultimate goal in taking over a social media account is to steal funds from a person’s crypto wallet.
We have regained access and secured the Polygon community discord server.
All external bots and integrations have been disabled while we perform a security review of each of them to avoid this from happening again. Some features may be limited for a while, but you are free to… https://t.co/TuP9XOLWFf
— Polygon (※,※) (@0xPolygon) August 24, 2024
21. Compromised Private Keys
A multi-signature wallet requires several key holders to sign before a transaction executes, which adds a layer of protection. Even so, compromised private keys remain one of the largest sources of loss, for single-key hot wallets and multisigs alike.
In 2020, Lazarus Group, a North Korean cybercriminal syndicate, stole about $275 million of cryptocurrencies from KuCoin “due to the leakage of the private key of KuCoin hot wallets,” said the exchange’s CEO Johnny Lyu in a livestream.
WazirX, a prominent crypto exchange based in India, saw $230 million worth of tokens drained from its platform in 2024. Mudit Gupta, the chief information security officer at Polygon Labs, said the hack came as a result of their multisig getting compromised. “The attackers likely compromised two out of four private keys directly, and the remaining two were signature phished via a UI/Wallet compromise,” wrote Gupta on X in July 2024. “It’s a very methodical and organized attack, pointing towards DPRK as the hacker.” DPRK refers to North Korea.
“Private key compromises accounted for the largest share of stolen crypto in 2024, at 43.8% [out of $2.2 billion],” wrote blockchain tracing firm Chainalysis in a December 2024 report. “For centralized services, ensuring the security of private keys is critical, as they control access to users’ assets.”
22. Pig Butchering
Pig butchering is a reference to fattening a pig before slaughter. It is a long con of the worst kind: the exploiter gains the trust of the victim, sometimes holding out the possibility of romance or preying on loneliness, and coaxes them into increasingly bigger “investments” in hopes of lucrative returns. According to California’s Department of Financial Protection & Innovation (DFPI), complainants who have incurred losses have identified pig butchering as part of the fraudulent operations that targeted them.
One example is a California victim who was contacted on WhatsApp about a crypto asset trading opportunity connected with a platform called Pnecoin. The victim “after researching” Pnecoin sent an initial $300 and followed the platform’s provided trading advice. The victim believed the advice was generating profits and invested more capital. DFPI’s crypto scam tracker says the victim not only shared the opportunity with friends, who invested, but also took out a loan after the platform offered a new program for accounts holding $50,000. The victim can’t access their capital and the platform is not operational.
23. Impostor Websites
Impostor websites are a common crypto scam. “The companies or websites listed may sound similar to the names of other companies or websites that also operate in the marketplace. When companies or websites (fake or not) have look- or sound-alike names, the potential confusion created for consumers is real,” states the DFPI’s crypto scams webpage. By exploiting this confusion, scammers can and have profited from unknowing users.
In July, hackers hijacked the front-end domains of Compound Finance and Celer Network. In Compound’s case, visitors to the website were redirected to a malicious site that, absent Google’s red warning interstitial, looked like the protocol’s normal interface.
24. Flash Loan Attacks
Flash loans let people, bots, and entities borrow assets without collateral as long as the loan is repaid within the same transaction. If the assets are not returned by the end of the transaction, the whole transaction reverts, so the loan effectively never happened.
Flash loan attacks refer to when exploiters use flash loans to manipulate the prices of certain assets and various functions of a protocol as a means to profit and drain capital from a protocol’s smart contracts.
While some praise flash loans as a financial innovation, some in the space have suffered, such as Euler Finance, a protocol that fell victim to a flash loan attack in 2023 and lost about $200 million. Attackers who deploy flash loan attacks can manipulate token prices by trading large volumes against thin liquidity, as the Euler Finance exploiter did, according to a Chainalysis blog post.
“Flash loans aren’t inherently the problem, since all they do is provide a source of capital,” stated Chainlink’s Education Hub. “The real issue at hand is existing vulnerabilities in a protocol that may be revealed through a flash loan-funded attack.”
Whether the exploiter is to blame, or the protocol’s lack of security precautions, the users could end up getting the worst of it.
25. Memecoin Presale Scams
Memecoin presales typically entail an X account creating posts to build hype and excitement about an upcoming token launch. In these presales, token creators enable people to pre-purchase an allocation of the token’s supply before the rollout.
However, an exploiter takes advantage of people’s fear of missing out by posting an address where people can send tokens with the expectation they’ll receive an allocation of the upcoming memecoin.
In reality, victims either don’t receive tokens or the token’s team members disappear with the funds, ditching the project. Blockchain sleuth ZachXBT noted how 12 Solana presale memecoins “have been completely abandoned after raising >180,650 SOL ($26.7M).”
26. Phishing
Phishing involves scammers using deception to trick people into revealing sensitive information or downloading harmful software. As a result, phishing takes many forms, applying to emails, malicious advertisements, fake customer support representatives, and even QR codes.
Sometimes scammers use low-effort phishing such as generic, mass-mailed emails that do not target specific individuals. On the other hand, phishing tactics can be extremely thoughtful and strategic where multiple people coordinate using advanced malware to compromise a system, steal data, and spy on a user’s activity.
Read More: Phishing Ads Appear on Etherscan as Hackers Target ‘Trusted Institutions’
Examples of malware used by North Koreans include fake applications for virtual meetings, fake extensions that replace the front-end interface, and fake coding tests under the guise of a necessary step in the hiring process.
27. Address Poisoning
Another deceptive strategy scammers use is address poisoning. The scammer generates a vanity address whose first and last few characters match an address the victim regularly sends to, then sends small (often zero-value) token transfers from that lookalike to the victim so that it shows up in the victim’s transaction history.
Because wallets and explorers abbreviate addresses to their first and last characters, the lookalike is easy to mistake for the real one. The scam pays off when the victim copies the address from their history instead of from a verified source and sends funds to it.
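Two checks a wallet or an ops script should run before signing, covering address poisoning here and fat-fingering in item 10, as an added example that is not code from the article or from any wallet: a lookalike detector that flags a destination matching a trusted address-book entry on its first and last characters but not in between, and a fee sanity check that refuses to sign when the worst-case fee is out of proportion to the value being sent. The address book, the addresses and the transaction values are constructed.

```python
"""Pre-send sanity checks for an EVM transfer (added example, not code from
the article or any wallet). The address book, addresses and transaction
values are constructed.
 1. lookalike detection, for address poisoning;
 2. fee sanity, for fat-fingered gas parameters."""

GWEI = 10**9
ETH = 10**18

ADDRESS_BOOK = {   # constructed trusted destinations
    "treasury": "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",
    "exchange": "0xfeedbeeffeedbeeffeedbeeffeedbeeffeedbeef",
}


def is_address(addr):
    hexdigits = set("0123456789abcdefABCDEF")
    return len(addr) == 42 and addr[:2] == "0x" and all(c in hexdigits for c in addr[2:])


def lookalike_of(candidate, book=ADDRESS_BOOK, head=4, tail=4):
    """Name of the trusted entry `candidate` imitates, or None.
    Lower-cased so EIP-55 checksum casing cannot disguise a mismatch."""
    c = candidate.lower()
    trusted = {name: a.lower() for name, a in book.items()}
    if c in trusted.values():
        return None                        # exact match: nothing to flag
    for name, t in trusted.items():
        if c[2:2 + head] == t[2:2 + head] and c[-tail:] == t[-tail:]:
            return name                    # same ends, different middle: poisoned copy
    return None


def max_fee_wei(gas_limit, max_fee_per_gas_gwei):
    """Worst case the sender can pay under EIP-1559: gas limit x max fee per gas."""
    return gas_limit * max_fee_per_gas_gwei * GWEI


def preflight(to, value_wei, gas_limit, max_fee_per_gas_gwei, max_fee_ratio=0.1):
    """Return a list of problems; an empty list means the transaction may be signed."""
    problems = []
    if not is_address(to):
        problems.append("malformed destination address")
    else:
        imitated = lookalike_of(to)
        if imitated is not None:
            problems.append(f"destination looks like '{imitated}' but differs: possible address poisoning")
    fee = max_fee_wei(gas_limit, max_fee_per_gas_gwei)
    if value_wei > 0 and fee > value_wei * max_fee_ratio:
        problems.append(f"max fee {fee / ETH:.4f} ETH exceeds {max_fee_ratio:.0%} of value {value_wei / ETH:.4f} ETH")
    return problems


if __name__ == "__main__":
    poisoned = "0x1a2b" + "d" * 32 + "9a0b"          # constructed lookalike of 'treasury'
    print(preflight(ADDRESS_BOOK["treasury"], 1 * ETH, 21_000, 30))         # [] -> OK
    print(preflight(poisoned, 1 * ETH, 21_000, 30))                       # poisoning warning
    print(preflight(ADDRESS_BOOK["treasury"], ETH // 10, 21_000, 200_000))  # fee warning
```

The lookalike check only works if the address book is the source of truth; copying the destination out of transaction history, the very habit the scam relies on, is what the check is there to replace.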
28. Unauthorized Token Mints
One vulnerability that has led to people losing money is unauthorized token mints, such as the one that led to Gala Games’ $200 million exploit in May. Unauthorized token mints occur when a rogue party gains control over a smart contract and creates new tokens, bypassing the initial and intended minting pathways. The CEO of Gala, Eric Schiermeyer who goes by the screenname @Benefactor0101, attributed the mass mint exploit to a lapse in “internal controls.”
“A compromised or rogue Gala Games admin address minted 5 billion $GALA ($200M [at the time]) and has been systematically selling the tokens for the past two hours,” wrote a developer who goes by @0xQuit on X, in May 2024. Onchain data from blockchain explorer Etherscan also shows the mint transaction.
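A supply-invariant monitor over token Transfer events, covering the unauthorized mints here and the unbacked wrapped tokens of item 19, as an added example that is not code from the article, Gala Games or Wormhole. A mint is a Transfer whose `from` is the zero address. The monitor alerts when a mint comes from an address outside the minter allow-list, when a single mint exceeds a per-transaction cap, and, for a bridge-style wrapped token, when circulating supply exceeds the collateral locked on the source chain. The events, addresses and cap are constructed. Note that a compromised admin key is still on the allow-list, which is why the cap and the backing check matter as much as the list itself.

```python
"""Supply-invariant monitor over token Transfer events (added example, not
code from the article, Gala Games or Wormhole). Events, addresses and caps
are constructed. A mint is a Transfer whose `from` is the zero address."""

ZERO = "0x" + "0" * 40


def audit(events, allowed_minters, max_single_mint):
    """events: dicts with block, kind ('lock' | 'unlock' | 'transfer') and fields
         lock/unlock: amount;   transfer: from, to, value, sender (tx origin).
    Returns (alerts, circulating_supply, locked_collateral)."""
    allowed = {a.lower() for a in allowed_minters}
    supply, locked, alerts, unbacked = 0, 0, [], False

    for ev in sorted(events, key=lambda e: e["block"]):
        blk = ev["block"]
        if ev["kind"] == "lock":                               # collateral deposited on source chain
            locked += ev["amount"]
        elif ev["kind"] == "unlock":
            locked -= ev["amount"]
        elif ev["from"] == ZERO:                               # mint
            supply += ev["value"]
            if ev["sender"].lower() not in allowed:
                alerts.append(f"block {blk}: mint of {ev['value']} by non-minter {ev['sender']}")
            if ev["value"] > max_single_mint:
                alerts.append(f"block {blk}: mint of {ev['value']} exceeds cap {max_single_mint}")
        elif ev["to"] == ZERO:                                 # burn
            supply -= ev["value"]
        # ordinary transfers leave supply unchanged

        if supply > locked and not unbacked:                   # alert once, on the transition
            alerts.append(f"block {blk}: supply {supply} exceeds locked collateral {locked}")
        unbacked = supply > locked

    return alerts, supply, locked


# Constructed sample, not real chain data.
BRIDGE = "0x" + "b1" * 20                  # legitimate bridge minter
ADMIN = "0x" + "ad1" * 13 + "a"            # legitimate admin minter whose key leaks
USER = "0x" + "1" * 40
INTRUDER = "0x" + "bad0" * 10

SAMPLE_EVENTS = [
    {"block": 1, "kind": "lock", "amount": 100},
    {"block": 2, "kind": "transfer", "from": ZERO, "to": USER, "value": 100, "sender": BRIDGE},
    {"block": 3, "kind": "transfer", "from": USER, "to": INTRUDER, "value": 10, "sender": USER},
    {"block": 4, "kind": "transfer", "from": ZERO, "to": INTRUDER, "value": 120_000, "sender": INTRUDER},
    {"block": 5, "kind": "transfer", "from": ZERO, "to": INTRUDER, "value": 5_000_000, "sender": ADMIN},
]


def run_sample():
    return audit(SAMPLE_EVENTS, allowed_minters=[BRIDGE, ADMIN], max_single_mint=1_000)


if __name__ == "__main__":
    alerts, supply, locked = run_sample()
    for line in alerts:
        print(line)
    print(f"circulating {supply}, locked {locked}")
```

Block 4 trips all three rules; block 5 is the more instructive case, because the minter is on the allow-list and only the cap catches it.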
29. Holding a Depegged Liquid Staking Token
Liquid staking tokens (LSTs) represent a user’s initial amount of staked tokens in addition to accrued rewards for helping maintain a blockchain’s security. LSTs, such as stETH, are not expected to deviate dramatically from their base asset like ETH.
However, stETH, which is now redeemable 1:1 for ETH through Lido’s withdrawal queue, traded at a discount to ETH in mid-2022, before staking withdrawals were possible, as several large holders sold the token.
At press time, the price difference between ETH and stETH is about $7. People can lose money when an LST diverges sharply from its base asset, because a depeg can trigger liquidations of loans collateralized with the LST and complicate redemptions.
30. Drainers
Scammers who use drainers want unsuspecting users to connect a wallet to their website and sign approvals that hand over control of assets: ERC-20 token allowances, setApprovalForAll for NFT collections, or off-chain permit signatures. With those in hand, the drainer contract can sweep everything the approvals cover, memecoins and NFTs included, in a single transaction.
Read More: Wallet Drainers Stole $58 Million Through Malicious Ads
31. Token Supply Inflation by Dilution
An asset’s price is a function of supply and demand: if supply increases while demand stays constant, the price tends to fall. A token’s inflation rate therefore bears directly on its purchasing power, i.e. how many goods and services a token can buy. As new tokens are minted or unlocked and supply grows, each existing token is diluted and its price drops.
32. Early-Stage Investing
Investing in early-stage crypto companies has proven to cause substantial financial loss. For example, venture firm Paradigm invested roughly $278 million in FTX, and according to the firm’s co-founder Matt Huang, testifying at Sam Bankman-Fried’s criminal trial, Paradigm’s FTX investments have since been marked to zero. Of course, that is sort of the whole point of early-stage investing: big rewards, with big risks. Losers would have a hard time complaining they were victims; with any startup, a lot can go wrong.
33. Impermanent Loss
Impermanent loss is the difference between the dollar value of simply holding two assets and the value of the same assets after they have been deposited as liquidity in a decentralized exchange pool. When the two assets’ prices diverge from their ratio at deposit time, the pool position is worth less than the held assets would have been.
Liquidity providers supply a pair of tokens to a trading pool and earn fees on each trade, but the pool continuously rebalances as prices move, selling the asset that is rising and accumulating the one that is falling. When a provider withdraws after such a move, the assets returned can be worth less than the initial deposit. The loss is “impermanent” because it shrinks if prices return to their original ratio, and trading fees can offset it, but it becomes permanent once the provider withdraws.
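The rebalancing carried through for a constant-product pool, as an added example that is not code from the article. With r the ratio of the exit price to the entry price, the LP position is worth 2*sqrt(r)/(1+r) of what holding would be worth, so the loss is that factor minus one. The deposit amounts and fee income are constructed, and the LP is treated as owning the whole pool, which does not change any ratio.

```python
"""Impermanent loss for a constant-product pool (added example, not code
from the article). Amounts are constructed; the LP is treated as owning
the whole pool."""
import math


def lp_value_vs_hold(r):
    """Value of the LP position divided by the value of holding, for price ratio r."""
    return 2 * math.sqrt(r) / (1 + r)


def impermanent_loss(r):
    """Fractional loss versus holding (0 at r == 1, negative otherwise)."""
    return lp_value_vs_hold(r) - 1


def simulate(eth, usdc, p1, fee_income_usdc=0.0):
    """Deposit `eth` and `usdc` (implying p0 = usdc/eth); ETH then moves to `p1`.
    Returns (hold_value, lp_value_plus_fees, loss_fraction_before_fees)."""
    k = eth * usdc                      # constant product is preserved by arbitrage trades
    eth_after = math.sqrt(k / p1)       # pool sells ETH as it rises, buys as it falls
    usdc_after = math.sqrt(k * p1)
    hold_value = eth * p1 + usdc
    lp_value = eth_after * p1 + usdc_after
    return hold_value, lp_value + fee_income_usdc, lp_value / hold_value - 1


if __name__ == "__main__":
    # ETH 4x: the LP keeps 80% of what holding would have returned (20% impermanent loss)
    print(simulate(1.0, 2000.0, 8000.0))
    # same move with 2,500 USDC of fees earned: fees more than cover the loss
    print(simulate(1.0, 2000.0, 8000.0, fee_income_usdc=2500.0))
    # price back where it started: no loss, hence "impermanent"
    print(simulate(1.0, 2000.0, 2000.0))
    for r in (0.5, 1, 2, 4, 10):
        print(f"r={r:<4} IL={impermanent_loss(r):+.2%}")
```

The table at the end is the part worth internalizing: the loss is symmetric in log-price and grows without bound as the two assets decouple, which is why LPs in a pair that moons or collapses come out well behind holders.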
34. Oracle Price Manipulation
Oracle price manipulation occurs when a person or bot manipulates the data provided by oracles, services known for supplying external data from the real world to smart contracts living in blockchains. With distorted price data, smart contracts may execute actions leading to both serious financial losses and gains.
Read More: What Are Blockchain Oracles?
One such example was the 2022 Mango Markets exploit. Crypto trader Avraham Eisenberg, who is now in prison, extracted around $110 million, according to a press release from the Office of Public Affairs of the U.S. Department of Justice. “The Mango Markets exploit by Avi Eisenberg exposed critical Oracle vulnerabilities,” wrote Omer Goldberg, founder and CEO of risk management firm Chaos Labs, on X. “Weak pricing venue criteria and the absence of a risk engine—like price smoothing for thin liquidity markets—were weaponized, demonstrating that network reliability and simple price reporting are woefully insufficient,” Goldberg noted.
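The generic pattern behind oracle manipulation and the flash loan attacks of item 24, modelled in one function as an added example that is not code from the article and not the Euler or Mango transactions. A lending market values TOKEN collateral either from the instantaneous pool price (“spot”) or from a time-weighted average recorded before the attack (“twap”). Inside one transaction the attacker flash-borrows USDC, buys TOKEN to inflate the spot price, borrows against collateral at that price, dumps the TOKEN and repays the flash loan. Pool sizes, fees, loan-to-value and the attacker’s holdings are constructed.

```python
"""Flash-loan-funded spot-price oracle manipulation, modelled in Python
(added example, not code from the article and not the Euler or Mango
transactions). Pool sizes, fees, LTV and holdings are constructed."""

FEE = 0.003         # pool swap fee
FLASH_FEE = 0.0009  # constructed flash-loan fee
LTV = 0.5           # max borrow as a fraction of collateral value


def swap(reserve_in, reserve_out, amount_in, fee=FEE):
    """Constant-product swap. Returns (amount_out, new_reserve_in, new_reserve_out)."""
    effective_in = amount_in * (1 - fee)
    amount_out = reserve_out * effective_in / (reserve_in + effective_in)
    return amount_out, reserve_in + amount_in, reserve_out - amount_out


def attack(oracle, flash_usdc=500_000.0, collateral_token=1_000.0,
           pool_token=100_000.0, pool_usdc=100_000.0, twap_price=1.0):
    """oracle is 'spot' or 'twap'. Returns the manipulated price, the loan taken,
    the attacker's net profit (negative means the loan cannot be repaid and the
    transaction would revert) and the bad debt left with the lending market."""
    repay_due = flash_usdc * (1 + FLASH_FEE)

    # 1. Pump: buy TOKEN with the flash-loaned USDC.
    got_token, pool_usdc, pool_token = swap(pool_usdc, pool_token, flash_usdc)
    spot = pool_usdc / pool_token

    # 2. Borrow against TOKEN collateral at whatever price the oracle reports.
    price = spot if oracle == "spot" else twap_price
    borrowed_usdc = collateral_token * price * LTV

    # 3. Dump: sell the TOKEN from step 1 back into the pool.
    got_usdc, pool_usdc, pool_token = swap(pool_token, pool_usdc, got_token)
    true_price = pool_usdc / pool_token          # settles back near the pre-attack price

    # 4. Repay the flash loan; the collateral is abandoned in the lending market.
    cash = got_usdc + borrowed_usdc - repay_due
    collateral_value = collateral_token * true_price
    return {
        "oracle": oracle,
        "spot_during_attack": spot,
        "borrowed_usdc": borrowed_usdc,
        "attacker_profit": cash - collateral_value,
        "protocol_bad_debt": max(0.0, borrowed_usdc - collateral_value),
    }


if __name__ == "__main__":
    print(attack("spot"))   # inflated price -> oversized loan -> profit, bad debt for the market
    print(attack("twap"))   # averaged price unmoved -> fees exceed the loan -> attack loses money
```

The flash loan contributes nothing but capital, as the Chainlink quote above says; swapping the spot read for a time-weighted or multi-venue price turns the same transaction into a guaranteed loss of two rounds of swap fees plus the flash-loan fee.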
35. Governance Attacks
Holders of governance tokens make up the body of a decentralized autonomous organization and shape the direction of the associated crypto protocol. This is an attack vector, because if a single entity acquires a large percentage of tokens, this party gains outsized power during voting processes. A malicious entity with a large voting power can not only propose self-serving changes to the protocol but also push proposals that lead to unfair distribution of resources.
Crypto observers have noted that the lending protocol Compound was a recent victim of a governance attack in which a party with substantial voting power influenced the outcome of a proposal. In July, a proposal was passed to allocate $24 million worth of COMP from the protocol’s treasury and into a yield-bearing strategy run by a group called Golden Boys.
Read More: DAO Delegate Group Accused of ‘Governance Attack’ on Compound Finance
Compound governance delegate and OpenZeppelin security solutions architect Michael Lewellen said, “Their attempt to push through a proposal to take a large chunk of the Compound treasury without adequate protections appears to be a malicious attempt to steal funds from the protocol.”
By acquiring a substantial amount of voting power, an exploiter can manipulate governance votes for personal gain by transferring assets in the DAO’s treasury and into the exploiter’s wallet address.
36. Sponsored Advertisements
Sometimes scammers manage to get a malicious link listed as a sponsored search result above the real project at the top of a Google search. Exploiting carelessness and confusion about which result is legitimate, they use these sponsored listings to get people to connect wallets or reveal sensitive information such as a seed phrase.
37. Pump-and-Dump Schemes
Pump-and-dump schemes refer to groups of people building hype around a project to increase both the demand and price for a token. These schemers build hype in a variety of ways such as paying influencers, sharing misinformation, and even buying physical billboards. After the token’s price goes up, these scammers sell their massive holdings and take profit, causing the shilled token’s price to crash. Those who bought the hype and tokens are now left with worthless cryptocurrencies.
One red flag for a pump-and-dump is an entity that operates both as an active trading firm and as a marketing service provider for the same token. Such schemes are patently illegal in traditional markets such as U.S. stocks; in crypto, where regulation is murky and enforcement uneven, traders hoping for serious investor protection are likely to be disappointed.
38. Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is a security vulnerability in which an attacker’s script is injected through input fields or URL parameters and rendered by the page without proper escaping, so that it executes in the victim’s browser with the trust of the legitimate site. The injected code can impersonate the legitimate website’s frontend, propose transactions, and change what the user sees, Luna Tong, the co-founder and CEO of vulnerability research firm Zellic, told Unchained over Telegram. For example, an exploiter can use XSS to plant a drainer on a website.
In a blog post detailing its bug bounty program policy, Kraken has labeled cross-site scripting vulnerabilities as high and medium-severity issues. “High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access,” the post states.
Zellic looks at the likelihood of cross-site scripting in its audits on crypto projects. For example, Zellic published a security assessment of Bitcoin staking protocol Babylon in June 2024, noting that while the protocol had a small probability of a vulnerability from cross-site scripting, it is important to exercise caution in adding new code to front-end components because an XSS vulnerability could have severe consequences.
“In the event of an XSS attack, an attacker could modify the API endpoint or pollute the transaction data, redirecting the user’s UTXO to their own address, conducting an arbitrary transfer of funds,” Zellic’s report stated.
39. Remote Access
Exploiters can gain remote access to people’s computers in several ways such as placing viruses on websites, hiding malware in documents, and introducing spyware through software downloads.
One crypto user who goes by the handle @Jef_Nft revealed on X in December 2024 how he lost $100,000 in cryptocurrencies and NFTs, because his computer had several viruses allowing the exploiter full control of the device. “Because of the nature of these viruses it was also possible to get them without even downloading anything,” @Jef_Nft wrote.
In response to such threats, one crypto user @MetaVersig commented how they will take extra precautions and acquire a second laptop strictly for transacting, independent of applications and websites, exempting a few decentralized exchanges.