
Lessons from $11 Billion in Recovered Cryptocurrency: The Industry Needs Proper Incident Response


As digital currencies grow in popularity, crypto organizations face a growing risk of stolen funds, whether through hacks that rely on attack vectors like code exploits and flash loan attacks, or through scams and ransomware. In February, we shared that 2022 was crypto hacking’s biggest year yet, with $3.8 billion stolen. DeFi protocols were hit particularly hard, accounting for 82% of the total value stolen.

Total value stolen in crypto hacks and number of hacks, 2016 - 2022

Given these realities, crypto businesses must be prepared, and when it comes to minimizing loss, reacting fast isn’t enough. Having a strategy in place before an incident occurs increases the odds of successful fund recovery because it ensures you can respond quickly and effectively as soon as it happens. It also provides peace of mind for customers. That’s why Chainalysis launched a retainer program called Crypto Incident Response last June. When customers subscribe to this service, they prepare themselves before crisis strikes, with our team of expert investigators standing by to help.

What is Chainalysis Crypto Incident Response?

Crypto Incident Response helps organizations prepare for the unpredictable. It’s a rapid response retainer service used by cryptocurrency businesses and large organizations that are high-risk targets for cyber attacks or unauthorized network intrusions that involve cryptocurrency theft or demand. We arm organizations with the expertise and investigative capabilities needed to recover lost funds in the event of an exploit.

When a customer who has Chainalysis on retainer alerts us to an incident, our investigative team immediately begins tracking the stolen crypto. Chainalysis investigators have the industry’s most comprehensive, authoritative, and verifiable crypto transaction dataset — one trusted by global regulators and law enforcement for digital asset recovery and prosecution — at their fingertips to track down clients’ stolen funds. The service includes:

  • Advanced tracing capabilities that combat obfuscation techniques
  • An extensive portfolio of advanced and time-sensitive cases investigated successfully, plus a history of expert witness testimony
  • Support from a wide range of crypto professionals with high profile case experience, including threat and threat actor subject matter experts, world-class investigators, and data scientists

Since its founding, Chainalysis has helped crypto organizations recover $11 billion in stolen crypto. Following the launch of last year’s program, we’ve played a role in retrieving roughly $50 million, and 80% of our customers have recovered more in stolen funds than they invested in our services.

How does it work?

Ideally, an organization puts Chainalysis on retainer before an incident even occurs. Businesses can engage us for assistance after a hack has occurred, but that protracts the timeline and decreases the odds of a full recovery — though we have had success in many of these cases despite the extra hurdles. 

When an incident happens and cryptocurrency funds are either demanded or stolen, the organization contacts the 24/7 Chainalysis Incident Response hotline. From there, Chainalysis assigns a dedicated team of experts in time zones around the world with advanced investigative capabilities and works around the clock with the victim organization. Chainalysis also helps liaise with law enforcement and asset recovery counsel if needed.

Our investigators have worked with private and public sector organizations on hundreds of incidents, helping to solve some of the most high-profile cyber criminal cases. No matter where the victim is located, the global investigative team is poised to take calls at any time and react quickly. Once an incident report comes in, Chainalysis immediately begins tracing the stolen cryptocurrency funds, and labels any addresses holding them as associated with crypto theft so that all Reactor and KYT users see the funds are illicit in nature and bad actors have a more difficult time cashing out the victim’s money.

What we’ve learned since launching this service

Most of the cases Chainalysis has worked on in the last year have involved hacks, with victims ranging from cryptocurrency exchanges to gaming platforms to institutional investors. 

Our biggest takeaway from the cases we’ve worked on over the last year is that success depends heavily on the speed of response. In a typical crypto exchange hack, stolen funds move through thousands of wallets using centralized and decentralized exchanges and multiple mixers and currencies (including privacy coins) on various blockchains. So, the longer the investigation takes to start, the bigger the lead for the thief. 

The recipe for a successful crypto incident response

Without having a plan in place before an attack, recovering stolen funds becomes more complicated. We’ve found these key components are needed to succeed:

  1. Reaction time: Being a Chainalysis Crypto Incident Response customer before crisis strikes increases the opportunity to control damage and recover funds. If you don’t have this service on retainer and an incident occurs, contact us as soon as possible so that we can get started on tracking the funds. 
  2. Technical skills: Having the knowledge and tools to trace through crypto’s obfuscation layers is crucial. 
  3. Adaptability: In the ever-evolving landscape of crypto investigations, it doesn’t necessarily matter what you know now, but what you learn in the next hour.
  4. Network: Chainalysis has a large customer base. With that comes a sizable network and strong relationships with nearly all significant crypto exchanges and services — plus, strong relationships with law enforcement agencies worldwide, which increases efficiency in communication and collaboration.
  5. Experience: Our Crypto Incident Response team has had exposure to the most significant hacking incidents in crypto history — starting with the infamous Mt. Gox hack of 2014, all the way up to more recent incidents like the $600 million Axie Infinity hack — giving it a unique ability to recognize patterns in hacker behavior. In other words, our past experience benefits current and future customers because of all the data and lessons learned from previous cases, past cooperation with law enforcement agencies, and knowing where to look. 

Crypto Incident Response: Why speed matters

If there’s one thing our Crypto Incident Response team has learned in all the cases we’ve worked on, it’s this: When a cryptocurrency platform is hacked, it’s imperative that the investigation starts right away to maximize the chances of recovery. Hackers will typically seek to move stolen assets to other platforms — typically centralized or decentralized exchanges — as quickly as possible, where they can be cashed out or swapped for other assets so as to obfuscate the original source of the funds. If our investigators can work with those platforms to freeze the funds before they’re moved off of the platform, the funds are much more likely to be recovered.

For instance, consider a hypothetical scenario in which an exchange is hacked and the attacker steals Ether, then moves it to a personal wallet. 30 minutes later, the attacker moves the stolen Ether to a new exchange, where they swap it for a privacy coin like Monero.

Reactor graph showing a hypothetical case

If the suspect is able to move that Monero to new wallets, it will be much harder to track down and recover the funds, as there’s no way to remove crypto from a personal wallet, not to mention the difficulties presented by Monero’s privacy-enhancing features. However, if the victim exchange has CIR on retainer and informs us of the hack right away, the team would likely be able to contact the second exchange and have every account that received funds from the hacker’s wallet frozen. We’ve worked on several cases that have played out this way. It’s not a silver bullet — the hacker may be fast enough to move some portion of the funds off the exchange before the accounts are frozen. But think about what happens if the victim exchange doesn’t have someone to call right away. They could contact CIR, tell us what happened, and nail down an agreement for us to track the funds, but all of that added time increases the chances that the hacker moves some of their Monero off of the second exchange — or possibly all of it. Having worked on several cases under both sets of conditions, we can say with confidence that the chances of recovery increase the earlier we get involved, which is why we recommend putting us on retainer before a hack happens.
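The two steps the scenario above depends on (tracing stolen funds forward from the attacker’s first address and labelling every address they reach, then identifying which of those addresses sit at a service that can be asked to hold the matching accounts) can be sketched as a small earliest-arrival search over a transaction ledger. The following is an added example written for this post, not Chainalysis code and not how Reactor or KYT work internally; the ledger, the timestamps and the service attribution in SERVICE_LABELS are all constructed, and the names `trace_tainted`, `freeze_targets` and `screening_label` are hypothetical.

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int       # timestamp in seconds (constructed values)
    src: str
    dst: str
    asset: str
    amount: float


# Constructed ledger mirroring the article's scenario: ETH leaves the victim
# exchange's hot wallet at t=0, hops to a second attacker wallet, and is
# deposited at a second exchange about 30 minutes later. The t=100 transfer
# predates hacker_2 receiving stolen funds and must NOT be treated as tainted.
SAMPLE_LEDGER = [
    Transfer(0, "exch_a_hot", "hacker_1", "ETH", 1000.0),
    Transfer(100, "hacker_2", "old_counterparty", "ETH", 1.0),
    Transfer(300, "hacker_1", "hacker_2", "ETH", 1000.0),
    Transfer(1800, "hacker_2", "exch_b_deposit_1", "ETH", 600.0),
    Transfer(1900, "hacker_2", "exch_b_deposit_2", "ETH", 400.0),
    Transfer(2000, "unrelated_1", "exch_b_deposit_3", "ETH", 5.0),
]

# Assumed service attribution for addresses (the kind of label an address
# clustering tool would supply); constructed for this example.
SERVICE_LABELS = {
    "exch_a_hot": "Exchange A",
    "exch_b_deposit_1": "Exchange B",
    "exch_b_deposit_2": "Exchange B",
    "exch_b_deposit_3": "Exchange B",
}


def trace_tainted(ledger, seed, stolen_at):
    """Forward trace from the attacker's first address.

    Returns {address: earliest timestamp at which it held stolen funds}.
    Only transfers that leave an address at or after the moment it became
    tainted are followed, so an address's pre-theft activity is not swept in.
    Uses an earliest-arrival search (Dijkstra on timestamps) so the recorded
    time is the true first arrival even when several paths reach an address.
    """
    outgoing = {}
    for t in ledger:
        outgoing.setdefault(t.src, []).append(t)

    tainted = {seed: stolen_at}
    heap = [(stolen_at, seed)]
    while heap:
        ts_in, addr = heapq.heappop(heap)
        if ts_in > tainted[addr]:
            continue  # stale heap entry; a faster arrival was already found
        for t in outgoing.get(addr, []):
            if t.ts < ts_in:
                continue  # funds that left before the taint arrived
            if t.dst not in tainted or t.ts < tainted[t.dst]:
                tainted[t.dst] = t.ts
                heapq.heappush(heap, (t.ts, t.dst))
    return tainted


def freeze_targets(tainted, labels):
    """Group tainted addresses that belong to a known service, so each
    service can be asked to hold the matching accounts.
    Returns {service: [(address, first_tainted_ts), ...]}."""
    targets = {}
    for addr, ts in sorted(tainted.items(), key=lambda kv: kv[1]):
        service = labels.get(addr)
        if service is not None:
            targets.setdefault(service, []).append((addr, ts))
    return targets


def screening_label(addr, tainted):
    """Label a counterparty address the way a screening feed would flag it."""
    return "stolen funds" if addr in tainted else "no known exposure"


if __name__ == "__main__":
    tainted = trace_tainted(SAMPLE_LEDGER, seed="hacker_1", stolen_at=0)
    for addr, ts in tainted.items():
        print(f"{addr:20s} first held stolen funds at t={ts}")
    for service, accounts in freeze_targets(tainted, SERVICE_LABELS).items():
        print(f"ask {service} to hold: {accounts}")
```

Two design points worth noting. The timestamp check is what keeps `old_counterparty` out of the result: an address that sent funds before it ever received stolen ones has no exposure, and labelling it would generate false positives for every screening user downstream. The rule here is also the crudest possible one (any receipt of tainted funds marks the whole address); production tracing attributes amounts proportionally or by ordering rules, which matters when stolen and clean funds are commingled at the same deposit address.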

Speed and experience, a winning combination

In situations like the one described above, the main reason we’re able to recover funds fast is that the customer had already engaged us to provide these services prior to the incident. Onboarding new customers takes time and it’s best to tackle that process before a crisis strikes. Doing so accelerates response times, making the odds of recovery stronger. 

In addition to speed, experience matters. DeFi projects like Morpho Labs are proactive in their approach to preparing for incidents, and work with the Chainalysis Crypto Incident Response team because of its depth of industry knowledge and experience with high-profile cases.

“Security has and will always be Morpho Labs’ first and most paramount principle,” says co-founder Merlin Egalite. “That’s why we’ve partnered with Chainalysis — to strengthen our crypto incident response plan. Its investigative team is the largest in the industry and the organization’s invaluable experience with major exploits and hacks makes it an ideal partner.” See what else Morpho Labs had to say about its partnership with Chainalysis.

Learn how Chainalysis Crypto Incident Response can help your organization prepare for the unpredictable.