Bridges are the infrastructure that allows users to exchange assets between different blockchains, the digital databases that underpin major cryptocurrencies. When a bridging service exchanges one coin for another, it “wraps” the currency so that it will work on the other blockchain.
A wrapped coin doesn’t become another currency entirely — “it just looks like it,” Tom Robinson, chief researcher at blockchain analytics firm Elliptic, told CNN Business. Instead, a “token” is issued to represent the new coin on the different blockchain. “I deposit my Bitcoin into the bridge. In return, I receive a Bitcoin token on the Ethereum blockchain, and then I can transfer that Bitcoin token, which is what’s known as a wrapped asset, through the Ethereum blockchain,” explains Robinson.
To back these wrapped coins, bridge services hold large reserves of various coins. “You have to trust that the bridge really has the assets backing these tokens,” Robinson said. “They have huge amounts of assets backing the wrapped tokens.”
These coin reserves attract the attention of hackers and make blockchain bridges prime targets for heists, according to Elliptic. “They’re just huge honeypots. They just have huge amounts of crypto assets, and so they’re very obvious targets,” Robinson said.
About $1.83 billion has been stolen from bridges to date, and most of that ($1.21 billion) has happened just this year, according to Elliptic. Six major bridges have been hit by thefts so far in 2022, including California-based firm Harmony, which lost $100 million in late June, and Axie Infinity’s Ronin Bridge, which suffered a $625 million theft in March.
In the latest example, hackers allegedly stole $190 million worth of cryptocurrency from bridge provider Nomad, according to blockchain security and data analytics company PeckShield. (Nomad has not confirmed the total amount lost.)
“We are working around the clock to resolve the situation and have notified the police and retained leading blockchain intelligence and investigative firms,” Nomad tweeted Tuesday. “Our goal is to identify the accounts involved and to trace and recover the funds.”
Nomad is working with blockchain analytics firm TRM Labs to help trace funds in an effort to return stolen money to users, according to a tweet posted by Nomad on Wednesday.
Nomad first addressed the incident in a tweet late Monday, saying it was “aware of impersonators posing as Nomad and providing false addresses to collect funds.”
According to PeckShield, Nomad’s system was drained gradually in batches, and stolen coins included ether and some stablecoins pegged to the US dollar. A researcher at crypto investment firm Paradigm tweeted that the exploit was “one of the most chaotic hacks that Web3 has ever seen.”
Just days before, Nomad had revealed several big-name investors — including Coinbase Ventures, OpenSea and Crypto.com Capital — that participated in a $22 million funding round in April to “help develop a security-based cross-chain messaging solution.”
The increasing number of bridge attacks only adds to concerns about security and trust in the crypto industry. Several of the biggest crypto thefts of all time took place last year alone, amid a surge in crypto prices and usage. Cryptocurrency prices have since fallen considerably, but crypto remains a potentially lucrative target.
Crypto scams have also become popular, with fraudsters stealing more than $1 billion from the start of 2021 through March of this year, according to a June report from the Federal Trade Commission.
“Certain features of cryptocurrency may explain why it is a pet payment method for crooks and cons,” the FTC said in a release at the time. “There is no bank or other entity that can flag suspicious transactions before they happen. Crypto transfers cannot be reversed. When the money is gone, you can kiss your crypto goodbye.”
Additional reporting by CNN’s Sean Lyngaas and Ramishah Maruf.