
  • In 2019, an engineering manager at BitGo had $100,000 stolen from his Coinbase account via SIM swapping: the attackers had his phone number ported to their own SIM, so the SMS code used for 2FA was delivered to them and they took over the exchange account.
  • In 2023, OpenSea's technical director was tricked into signing a malicious signature request and lost 40 NFTs.
  • In 2023, the Allbridge cross-chain bridge lost digital assets worth around $570,000 in a hack that manipulated the price in its swap pools.
  • In 2023, attackers stole about $500,000 during the Arbitrum airdrop by generating look-alike vanity addresses that mimicked the addresses of legitimate token recipients.
  • In 2023, an attack on General Bytes crypto ATMs caused losses of around $1.8 million. The attacker remotely uploaded their own Java application through the master service interface that terminals use to upload videos, and the server executed it with the privileges of the batm user.

According to a 2022 report by Slowmist, most attacks on projects were caused by flaws in protocol design or vulnerabilities in smart contracts. The most common type of attack was the flash loan attack.

Flash loan attack: abuse of a DeFi protocol's flash loan function, which lets anyone borrow a large sum with no collateral on the condition that it is repaid within the same transaction (if it is not, the whole transaction reverts, so a failed attempt costs only gas). The attacker uses the borrowed funds to manipulate the price of an asset on one exchange, typically by pushing a huge swap through a thinly traded pool that another contract reads as its price oracle, and then profits from the distorted price on another exchange or protocol before repaying the loan. These attacks are the most common because they are cheap and easy to execute.
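A worked illustration of the mechanism just described, added here as an example (it is not code from the page or from any real protocol): a constant-product pool (x * y = k, the Uniswap v2 formula) and a victim lending contract that values collateral either at the pool's spot price or at a time-weighted average of past blocks. The pool reserves, the loan size, the 0.3% fee and the 75% loan-to-value ratio are constructed for the demo.

```python
"""Flash-loan price manipulation against a constant-product AMM (x * y = k).

Added example, not code from the page or from any real protocol. Pool, lender,
reserves and the loan size are constructed for the demo; the fee and LTV values
are assumptions.
"""
from dataclasses import dataclass, field

FEE = 0.003  # 0.3% swap fee, Uniswap-v2 style (assumption)


@dataclass
class Pool:
    """Two-token pool. Every swap keeps reserve_a * reserve_b (roughly) constant."""
    reserve_a: float            # token A, e.g. ETH
    reserve_b: float            # token B, e.g. USDC
    history: list = field(default_factory=list)  # closing spot price of each past block

    def spot_price(self) -> float:
        """B per A, read straight from the reserves: what a naive on-chain oracle returns."""
        return self.reserve_b / self.reserve_a

    def end_block(self) -> None:
        """Record the closing price; a TWAP oracle only ever sees these."""
        self.history.append(self.spot_price())

    def twap(self, blocks: int) -> float:
        """Time-weighted average of the last `blocks` closing prices."""
        window = self.history[-blocks:]
        return sum(window) / len(window)

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell A into the pool; returns the B received."""
        k = self.reserve_a * self.reserve_b
        amount_out = self.reserve_b - k / (self.reserve_a + amount_a * (1 - FEE))
        self.reserve_a += amount_a
        self.reserve_b -= amount_out
        return amount_out

    def swap_b_for_a(self, amount_b: float) -> float:
        """Sell B into the pool; returns the A received."""
        k = self.reserve_a * self.reserve_b
        amount_out = self.reserve_a - k / (self.reserve_b + amount_b * (1 - FEE))
        self.reserve_b += amount_b
        self.reserve_a -= amount_out
        return amount_out


@dataclass
class Lender:
    """Victim lending contract: lends B against A collateral valued by an oracle."""
    ltv: float = 0.75          # loan-to-value ratio (assumption)
    use_twap: bool = False     # False = price collateral at pool spot (vulnerable)
    twap_blocks: int = 10

    def borrow_against(self, collateral_a: float, pool: Pool) -> float:
        price = pool.twap(self.twap_blocks) if self.use_twap else pool.spot_price()
        return collateral_a * price * self.ltv


def flash_loan_attack(pool: Pool, lender: Lender, loan_b: float,
                      collateral_fraction: float = 0.5) -> float:
    """One atomic transaction; returns the attacker's profit in B.

    The loan is uncollateralised because the transaction reverts unless loan_b
    is repaid at the end, so a negative result costs the attacker only gas."""
    # 1. Borrow loan_b of B with no collateral and dump it into the pool:
    #    the A reserve shrinks and the spot price of A explodes.
    a_bought = pool.swap_b_for_a(loan_b)
    # 2. Post part of the cheaply bought A as collateral; a lender reading the
    #    pool's spot price values it at the manipulated price.
    collateral = a_bought * collateral_fraction
    borrowed = lender.borrow_against(collateral, pool)
    # 3. Sell the rest of the A back into the pool, restoring the price.
    b_back = pool.swap_a_for_b(a_bought - collateral)
    # 4. Repay the flash loan; any bad debt stays with the lender.
    return b_back + borrowed - loan_b


def make_pool() -> Pool:
    """1000 A vs 2,000,000 B (price 2000) with ten quiet blocks of history (constructed)."""
    pool = Pool(reserve_a=1_000.0, reserve_b=2_000_000.0)
    for _ in range(10):
        pool.end_block()
    return pool


if __name__ == "__main__":
    for use_twap in (False, True):
        profit = flash_loan_attack(make_pool(), Lender(use_twap=use_twap), loan_b=10_000_000.0)
        print(f"oracle={'TWAP' if use_twap else 'spot'} attacker profit={profit:,.0f} B")
```

With the spot-price oracle the 10,000,000 B loan lifts the pool price of A from 2000 to roughly 72,000 inside the transaction and the attack nets about 21 million B; with the TWAP oracle, which only sees closing prices of earlier blocks, the same transaction ends at a loss and would simply revert.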

Other attack types targeted reentrancy bugs, price manipulation and validation flaws. Key theft accounted for only 6.6% of incidents, but the largest losses from key theft were at Ronin and Harmony, both cross-chain bridges.

A cross-chain bridge is a protocol that lets tokens or arbitrary data be transferred from one blockchain to another; in practice it locks or burns assets on the source chain and releases or mints them on the destination, so the keys that authorise releases are its most critical asset.

The Slowmist report also lists the most popular phishing methods:

  • Malicious browser bookmarks that steal Discord tokens: a phishing page gets the user to save a bookmark whose URL is JavaScript code (a bookmarklet). When the user clicks it while logged into Discord, the script runs inside the Discord page, reads the session token and sends it to the attacker, who can then act with the account's permissions.
  • eth_sign «blank check»: when a wallet is connected to a site, a signature request may pop up with a red warning from MetaMask, and the window gives no readable indication of what is being signed. eth_sign signs an arbitrary 32-byte hash with no message prefix, and an Ethereum transaction is authorised by a signature over its hash, so once the scammer knows the user's address they can prepare any transaction from it (a token transfer, a contract call), present its hash for signing and broadcast the result. Newer MetaMask versions disable eth_sign by default for this reason.
  • Look-alike addresses: sending the victim fake (dust or zero-value) transactions from an address whose first and last characters match one of the victim's real counterparties, so that the look-alike appears in the transaction history and may later be copied as a destination.
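The two wallet-side checks that follow from the last two items, as an added example (not code from the page, from Slowmist or from any wallet): a classifier for incoming signing requests that refuses eth_sign outright and flags typed-data permits, and a look-alike test for destination addresses against an address book. Requests use the EIP-1193 JSON-RPC shape ({"method": ..., "params": [...]}); the address book, the sample requests and the 4+4 character look-alike threshold are constructed for the demo.

```python
"""Wallet-side checks for two phishing patterns: the eth_sign "blank check"
and look-alike destination addresses.

Added example; not code from the page, from Slowmist or from any wallet.
The address book, sample requests and the 4+4 digit look-alike threshold
are constructed for the demo.
"""
import json
import re

RAW_HASH = re.compile(r"^0x[0-9a-fA-F]{64}$")     # 32 bytes, hex-encoded
# Typed-data primary types that hand out token spending rights on signature alone
SPENDING_TYPES = {"Permit", "PermitSingle", "PermitBatch", "PermitTransferFrom"}


def classify_signature_request(request: dict) -> tuple[str, str]:
    """Return (verdict, reason) for a dapp signing request.

    eth_sign signs the 32 bytes exactly as supplied. A transaction is
    authorised by a signature over its hash, so a dapp can hand over the hash
    of a transaction it prepared and the user signs a blank check.
    personal_sign prepends "\\x19Ethereum Signed Message:\\n<len>" and
    eth_signTypedData prepends "\\x19\\x01" before hashing, so the signed
    bytes can never be a valid transaction hash."""
    method = request.get("method")
    params = request.get("params") or []
    if method == "eth_sign":
        payload = params[1] if len(params) > 1 else ""
        if RAW_HASH.match(str(payload)):
            return "block", "eth_sign over a raw 32-byte hash: may be any transaction's hash (blank check)"
        return "block", "eth_sign has no message prefix; refuse regardless of payload"
    if method == "personal_sign":
        return "allow", "prefixed message; cannot be replayed as a transaction"
    if method in ("eth_signTypedData_v3", "eth_signTypedData_v4"):
        typed = params[1] if len(params) > 1 else {}
        if isinstance(typed, str):
            typed = json.loads(typed)
        primary = typed.get("primaryType", "")
        if primary in SPENDING_TYPES:
            spender = typed.get("message", {}).get("spender", "?")
            return "warn", f"{primary} grants spending rights to {spender}"
        return "allow", f"structured data of type {primary!r} is shown to the user"
    return "block", f"unknown signing method {method!r}"


def looks_alike(candidate: str, known: str, head: int = 4, tail: int = 4) -> bool:
    """True when candidate copies the first `head` and last `tail` hex digits of
    `known` (the parts a user checks by eye) but is a different address."""
    c, k = candidate.lower(), known.lower()
    return c != k and c[2:2 + head] == k[2:2 + head] and c[-tail:] == k[-tail:]


def check_destination(to: str, address_book: dict[str, str]) -> tuple[str, str]:
    """Compare a transfer destination against saved contacts."""
    for name, addr in address_book.items():
        if to.lower() == addr.lower():
            return "allow", f"known contact {name}"
        if looks_alike(to, addr):
            return "block", f"matches {name} only at the ends: possible address poisoning"
    return "warn", "address is not in the address book"


# Constructed sample data (not real addresses or requests).
USER = "0x" + "ab" * 20
CONTACT = "0x1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d"
POISONED = "0x1a2b" + "0" * 32 + "3c4d"      # same first/last 4 digits, different middle
ADDRESS_BOOK = {"exchange deposit": CONTACT}

SAMPLE_REQUESTS = [
    {"method": "eth_sign", "params": [USER, "0x" + "11" * 32]},
    {"method": "personal_sign", "params": ["0x48656c6c6f", USER]},
    {"method": "eth_signTypedData_v4", "params": [USER, json.dumps(
        {"primaryType": "Permit", "message": {"spender": "0x" + "ee" * 20}})]},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], classify_signature_request(req))
    print(check_destination(POISONED, ADDRESS_BOOK))
```

The first check is deliberately a hard block rather than a warning: a legitimate dapp never needs eth_sign, because personal_sign and typed data cover every real use case without the transaction-replay risk.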

Additionally, Kaspersky developed a new tool, Klipper, which can recognize mnemonic (seed) phrases in screenshots taken on Android devices; a seed phrase captured this way gives full control of the wallet.


Harmony cross-chain bridge exploit: the bridge used a 2-of-5 multisig, so any 2 of the 5 keys were enough to approve a transfer. The attackers compromised two of the signing addresses, most likely hot wallets, and used them to withdraw funds. They are believed to have broken into the servers hosting those hot wallets and taken the private keys, which were stored in plaintext (unencrypted) so that they could sign legitimate transactions automatically; no decryption was needed.


Wintermute market maker:

Wintermute's vault contract allowed withdrawals only by its admin address, a role held by Wintermute's hot wallet. The attacker recovered the private key of that admin address and withdrew the funds, exploiting a vulnerability in Profanity, a tool for generating readable Ethereum addresses (vanity addresses) that contain chosen words, names or patterns. Profanity seeded its key generation with only 32 bits of randomness and derived every candidate key deterministically from that seed, so the private key behind any address it produced can be recovered by brute force. The admin address started with the prefix «0x0000000», characteristic of vanity addresses.
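The brute-force recovery that the Profanity flaw makes possible, as an added example (this is not Profanity's code). Two simplifications are assumptions for the demo: sha256 stands in for secp256k1 key derivation plus Keccak-256 address hashing, and the seed is shrunk from 32 to 14 bits so the search finishes in well under a second. The attack logic, replay every possible seed and walk the same deterministic candidate sequence, is the same as against the real tool; a secure generator that draws a fresh 256-bit secret per candidate is shown for contrast.

```python
"""Recovering the private key behind a vanity address made with a weak seed
(the Profanity flaw).

Added example; not Profanity's code. sha256 replaces secp256k1 + Keccak-256
and the seed is shrunk from 32 to 14 bits (both assumptions for the demo).
"""
import hashlib
import secrets

SEED_BITS = 14            # Profanity: 32 (brute-forceable on a GPU farm)
MAX_STEPS = 512           # candidates examined per seed before giving up


def key_from_seed(seed: int, step: int) -> bytes:
    """Toy deterministic walk: candidate key i = H(seed || i)."""
    return hashlib.sha256(seed.to_bytes(4, "big") + step.to_bytes(4, "big")).digest()


def address_from_key(priv: bytes) -> str:
    """Toy address: last 20 bytes of H("pub" || priv). Real: keccak256(pubkey)[-20:]."""
    return "0x" + hashlib.sha256(b"pub" + priv).digest()[-20:].hex()


def vanity_generate(seed: int, prefix: str) -> tuple[bytes, str, int]:
    """Weak generator: one small seed, then a deterministic walk until the
    address starts with `prefix`. Returns (private key, address, step)."""
    for step in range(MAX_STEPS):
        priv = key_from_seed(seed, step)
        addr = address_from_key(priv)
        if addr[2:].startswith(prefix):
            return priv, addr, step
    raise RuntimeError("no match within MAX_STEPS; try another seed")


def recover_private_key(target: str, prefix: str):
    """Attacker: replay every seed. The generator stops at the first prefix
    match, so a seed is abandoned as soon as its first match is not the target.
    Cost is about 2**SEED_BITS / P(prefix) hashes instead of 2**256."""
    for seed in range(1 << SEED_BITS):
        for step in range(MAX_STEPS):
            priv = key_from_seed(seed, step)
            addr = address_from_key(priv)
            if addr == target:
                return priv, seed, step
            if addr[2:].startswith(prefix):
                break      # this seed's first match is a different address
    return None


def secure_vanity_generate(prefix: str) -> tuple[bytes, str]:
    """Fixed generator: a fresh 256-bit secret per candidate, so the address
    reveals nothing about the key. (Expected 16**len(prefix) draws.)"""
    while True:
        priv = secrets.token_bytes(32)
        addr = address_from_key(priv)
        if addr[2:].startswith(prefix):
            return priv, addr


if __name__ == "__main__":
    priv, addr, step = vanity_generate(seed=0x2A7, prefix="0")
    print("victim address", addr, "found at step", step)
    recovered = recover_private_key(addr, "0")
    print("recovered key matches:", recovered is not None and recovered[0] == priv)
```

Note that the attacker needs nothing but the public address and knowledge of the tool: the seed space is the whole secret, and 2^32 seeds is a search measured in GPU-hours, not in the lifetime of the universe that 2^256 would require.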


Ronin cross-chain bridge exploit:

Ronin is a project by Sky Mavis, the developer of the blockchain game Axie Infinity. The game initially ran on Ethereum, but Sky Mavis built the Ronin sidechain to speed up in-game operations. The communication channel between Ronin and Ethereum was the Ronin Bridge, a cross-chain bridge that let ERC-20 tokens used in Axie Infinity be moved between the two chains.

The Ronin bridge required 5 of 9 validator signatures to approve a transfer.

In November 2021, Sky Mavis asked Axie DAO for help handling a surge of free (gas-less) transactions. Because of the large number of Axie DAO users, Axie DAO allowlisted Sky Mavis to sign transactions on its behalf; the arrangement ended in December 2021, but the allowlist entry was never revoked. Once the attackers controlled Sky Mavis's infrastructure, this let them use the gas-free RPC node to obtain the Axie DAO validator's signature on a withdrawal request.

Access to Sky Mavis was gained because one of the team members fell victim to a phishing attack, which gave the attacker a foothold in the company's infrastructure and its Ronin validators. According to The Block, the attackers approached employees via LinkedIn on behalf of a fake company; those who took the bait went through several rounds of fake interviews followed by an «extremely generous» fake compensation package. Eventually a senior engineer opened a PDF file purporting to contain the official offer, after which the attackers compromised first the engineer's computer and then four of the nine nodes that validate transactions on Ronin.

The Ronin network consists of nine validator nodes, and a deposit or withdrawal needs at least five of their signatures. The attackers obtained the fifth signature through a backdoor in the gas-free RPC node, which gave them control of the private key of the Axie DAO third-party validator.
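A model of why the four compromised Sky Mavis validators were enough, added here as an example (not Sky Mavis or Ronin code): the effective control an attacker has over a threshold-signature bridge is the validators whose keys they hold plus every validator that has allowlisted one of those key holders to sign on its behalf. It encodes the facts above (9 validators, threshold 5, 4 validators run by Sky Mavis, Axie DAO allowlisting Sky Mavis without revocation); the operator names for the four remaining validators and the block numbers used in the expiry check are placeholders.

```python
"""Effective control of a threshold-signature bridge when a validator has
allowlisted another operator to sign on its behalf.

Added model; not Sky Mavis or Ronin code. Operator names for validators 6-9
and the block numbers in the expiry check are placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Delegation:
    operator: str
    expires_at: Optional[int] = None   # block number; None = never expires (the Ronin case)


@dataclass
class Bridge:
    threshold: int
    validators: dict                                   # validator -> operator holding its key
    delegations: dict = field(default_factory=dict)    # validator -> [Delegation, ...]

    def allow(self, validator: str, operator: str, expires_at: Optional[int] = None) -> None:
        """Allowlist `operator` to sign on behalf of `validator`."""
        self.delegations.setdefault(validator, []).append(Delegation(operator, expires_at))

    def revoke(self, validator: str, operator: str) -> None:
        self.delegations[validator] = [
            d for d in self.delegations.get(validator, []) if d.operator != operator
        ]

    def controlled_validators(self, compromised: set, now: int) -> set:
        """Validators whose signature an attacker holding the keys of the
        `compromised` operators can produce at block `now`: the validators those
        operators run, plus every validator with a live delegation to one of them."""
        owned = {v for v, op in self.validators.items() if op in compromised}
        delegated = {
            v for v, ds in self.delegations.items()
            if any(d.operator in compromised and (d.expires_at is None or now < d.expires_at)
                   for d in ds)
        }
        return owned | delegated

    def can_withdraw(self, compromised: set, now: int) -> bool:
        return len(self.controlled_validators(compromised, now)) >= self.threshold


def ronin_bridge() -> Bridge:
    """9 validators, 5-of-9 threshold, 4 run by Sky Mavis, 1 by Axie DAO."""
    validators = {f"skymavis-{i}": "Sky Mavis" for i in range(1, 5)}
    validators["axie-dao"] = "Axie DAO"
    validators.update({f"validator-{i}": f"operator-{i}" for i in range(6, 10)})  # placeholders
    return Bridge(threshold=5, validators=validators)


if __name__ == "__main__":
    bridge = ronin_bridge()
    bridge.allow("axie-dao", "Sky Mavis")            # November 2021, never revoked
    attacker = {"Sky Mavis"}                         # everything the phishing foothold yielded
    print("controls", sorted(bridge.controlled_validators(attacker, now=14_000_000)))
    print("can drain bridge:", bridge.can_withdraw(attacker, now=14_000_000))
    bridge.revoke("axie-dao", "Sky Mavis")
    print("after revocation:", bridge.can_withdraw(attacker, now=14_000_000))
```

The same check with an expiring delegation shows the cheaper fix: had the November 2021 allowlist entry carried an expiry matching the end of the arrangement in December, the attacker's effective control in March 2022 would have been 4 of 9, one short of the threshold, regardless of the RPC node backdoor.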
