Predicting crypto hacks in 2024


Hacks are back on the menu. In Chainalysis's recent mid-year crime update, we detailed how hacking activity has increased YoY by 84.4%, amplified by the targeting of large, centralized exchanges such as DMM, BTCTurk, and WazirX.

Hacking has been a scourge of the crypto landscape for years now. This post is about predicting crypto hacking, and in particular where 2024 might be heading given the current YTD theft of $1.58B. (For those who just want a dollar number for 2024, you can jump to the last section.)

Predictions in crypto hacking

The short answer to any prediction question in crypto is that precise forecasts are incredibly hard to do. Hacking activity occurs in an inherently adversarial environment and is prone to outliers. In this kind of environment, one ‘win’ for bad actors can fundamentally change the trajectory of a year.

The longer answer to questions of prediction is that adversarial environments work both ways, often converging near equilibrium given static conditions. Defenders do their best to thwart malicious activity, while bad actors do their best to compromise systems and steal value. Bad actors do have a somewhat asymmetric advantage (they need to succeed only once versus defenders who need to succeed always). But, most of the time, concerted defense meets determined aggression—sometimes the defenders win; sometimes the attackers succeed.

From a data perspective, competition leading to a more-or-less fluid equilibrium means predictions can be made because events have a degree of regularity.

I think about prediction in the case of crypto hacking from the perspective of dollars, events, and final outcomes (i.e., where is 2024 going).

Dollars

Take the first of these—dollars stolen. Crypto thefts don’t occur in yen, pounds, or pesos. They occur in native crypto assets, which can range in value from tens of thousands of dollars for a single wholecoin (Bitcoin) to just fractions of a penny per unit. The obvious extrapolation from this point is that how much value is stolen in a given heist or time period must necessarily depend to some degree on the valuation of crypto assets at the time of the theft.

The data-related corollary is that crypto asset prices should correlate with value stolen on some rolling basis. And indeed, they do. Take the chart below, which shows the 3-month rolling correlation between the average monthly BTC daily close price and the sum of the total value stolen. For ease of interpretation, any correlation (y-axis) value beyond +/- 0.7 is a strong correlation overall.

This chart has a couple of interesting takeaways.

1) The average monthly BTC daily closing price is predictive of the amount that bad actors can steal.

2) The relationship between these variables is changing direction—quite dramatically in fact.

The prediction-related point that can be taken from number 1 is that asset prices do indeed associate with value stolen—so crypto price booms will translate (with some slippage) into more hacking incidents.

Thinking about 2024, this point would imply that a big increase in crypto market prices in the remainder of the year will be met with higher amounts stolen in crypto heists.

Number 2 raises an important measurement point. The changed direction of the relationship between BTC daily close price and value stolen suggests that, alongside global adoption of cryptocurrencies, Bitcoin’s continuing integration into society and traditional financial markets might be changing the way in which this particular asset relates to the rest of the ecosystem. Crypto prices are still associated with the value stolen by bad actors, but which assets/measures are most predictive of a worsening hack landscape might be itself evolving.

Events

Value is a powerful incentive. When famously asked why he robbed banks, Willie Sutton replied: “Because that's where the money is.” While elements of crypto are about banking the bankless without a need for formal institutions, there are still points of value concentration: in DeFi, bridges, smart contracts, and DAOs are great examples.

At its peak, total value locked in DeFi crested $200B USD in late 2021, according to stats provided by DeFi Llama. That amount of value, while obviously distributed across chains and protocols, could well be a powerful motivator for bad action. Willie Sutton would certainly have thought so.

But a bad actor cannot move from motivation to effective action instantaneously. Especially with something as complicated as crypto hacking, there is likely a delay between becoming motivated to try to steal value because it has become tantalizing enough and being able to effectively do so.

The chart below showcases the empirical relationship between the monthly average TVL across all chains/protocols and hacking events affecting DeFi. A cross-correlation function associates two variables, in this case TVL and hacking events, both today (at 0 on the x axis) and at various lagging and leading time intervals. Negative values on X mean months before today and values outside of the grey shaded areas are suggestive of a moderately strong correlation.

The chart has one big takeaway: average monthly TVL is positively associated with the number of monthly crypto hacks affecting DeFi, but the relationship is not contemporaneous. In other words, high average TVL last month or even the month before that is strongly predictive of the occurrence of DeFi hacks this month.
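The lagged cross-correlation described above can be computed as follows. This is an added example, not the author's code or data: the TVL and hack-count series are constructed so that hacks trail TVL by one month, and the 1.96/√n band is an assumption about what the grey shaded area represents.

```python
import math

# Constructed monthly series (not Chainalysis or DeFi Llama data).
# TVL is in $B; hack counts are built to follow TVL with a one-month delay.
TVL = [40, 55, 48, 90, 120, 80, 150, 200, 170, 110, 95, 130, 60, 75, 50, 85, 45, 70]
HACKS = [3] + [v // 10 for v in TVL[:-1]]


def pearson(a, b):
    """Pearson correlation of two equal-length sequences."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    var_a = sum((x - ma) ** 2 for x in a)
    var_b = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(var_a * var_b)


def cross_correlation(x, y, max_lag):
    """Map lag k to corr(x[t+k], y[t]); k < 0 pairs earlier x with today's y.

    Each lag uses only the overlapping months, a simplification of the
    full-sample normalisation most statistics packages apply.
    """
    n = len(x)
    ccf = {}
    for k in range(-max_lag, max_lag + 1):
        xs, ys = (x[:n + k], y[-k:]) if k < 0 else (x[k:], y[:n - k])
        ccf[k] = pearson(xs, ys)
    return ccf


def significance_bound(n):
    """Approximate 95% band for zero correlation (assumed meaning of the shading)."""
    return 1.96 / math.sqrt(n)


def strongest_lag(ccf):
    """Lag with the largest absolute correlation."""
    return max(ccf, key=lambda k: abs(ccf[k]))


if __name__ == "__main__":
    ccf = cross_correlation(TVL, HACKS, max_lag=3)
    bound = significance_bound(len(TVL))
    for k, r in ccf.items():
        print(f"lag {k:+d}: r={r:+.2f} {'*' if abs(r) > bound else ''}")
```

On this constructed input the peak sits at lag -1, which is the pattern the chart reports: last month's TVL explains this month's hacks better than this month's TVL does.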

Predicting final outcomes in 2022-2023

So, given some regularity to crypto hacking, can we make an effective prediction for the rest of 2024? Again, the short answer is only the future will tell and the long answer is we can certainly try.

Probably one of the simplest approaches for estimating the trend in total cumulative hacking activity would be a linear time series regression.

Imagine drawing a line from the start of the year until the end of a sample period (in this case, the end of July so it is consistent with the 2024 period). Extend that line outwards for the rest of the year (with a confidence interval, of course) and then plot the real data to see how things line up.

If you take past years (2022 and 2023) and try out this simple forecasting model, you end up with somewhat mixed performance. 2022’s cumulative hacking totals are almost spot on the linear forecast point estimate, with the actual cumulative total reaching $3.7B in value stolen that year compared to a point estimate of $3.8B.

A simple approach like this underestimates hacking in 2023, however. The final data for the year come in well above the upper boundary of the confidence interval. To return to the repeated warnings about outliers: the reason the simple projection fails is that there are sizable outliers that fundamentally altered the trend after July of 2023.
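The linear-trend backtest described above, as an added example that is not the author's model or data: both cumulative series (in $B) are constructed, share the same January to July path, and differ only in a single large theft after July. The 95% band is the ordinary least-squares prediction interval.

```python
import math

# Two-sided 95% Student-t quantile for 5 degrees of freedom (7 points, 2 parameters).
T_975_DF5 = 2.571

# Constructed cumulative value stolen by month-end, in $B (not real data).
STEADY_YEAR = [0.30, 0.55, 0.80, 1.10, 1.30, 1.60, 1.85, 2.10, 2.40, 2.65, 2.90, 3.20]
# Same first seven months, then one outsized theft in September.
OUTLIER_YEAR = STEADY_YEAR[:8] + [3.20, 3.45, 3.70, 4.00]


def linear_forecast(cum, target_month, t_crit=T_975_DF5):
    """Fit cum[m] = a + b*m on months 1..len(cum); return (point, lo, hi)."""
    n = len(cum)
    months = range(1, n + 1)
    x_bar = sum(months) / n
    y_bar = sum(cum) / n
    sxx = sum((m - x_bar) ** 2 for m in months)
    slope = sum((m - x_bar) * (y - y_bar) for m, y in zip(months, cum)) / sxx
    intercept = y_bar - slope * x_bar
    sse = sum((y - (intercept + slope * m)) ** 2 for m, y in zip(months, cum))
    resid_sd = math.sqrt(sse / (n - 2))
    point = intercept + slope * target_month
    # The interval widens with distance from the fitted window's midpoint.
    # It assumes independent errors; cumulative totals violate that, so
    # the band is optimistic even before any outlier arrives.
    half = t_crit * resid_sd * math.sqrt(
        1 + 1 / n + (target_month - x_bar) ** 2 / sxx)
    return point, point - half, point + half


def backtest(full_year, fit_months=7):
    """Fit on the first fit_months, forecast December, compare to actual."""
    point, lo, hi = linear_forecast(full_year[:fit_months], 12)
    actual = full_year[-1]
    return {"point": point, "lo": lo, "hi": hi,
            "actual": actual, "inside": lo <= actual <= hi}


if __name__ == "__main__":
    for name, year in (("steady", STEADY_YEAR), ("outlier", OUTLIER_YEAR)):
        r = backtest(year)
        print(f"{name}: forecast {r['point']:.2f} [{r['lo']:.2f}, {r['hi']:.2f}] "
              f"actual {r['actual']:.2f} inside={r['inside']}")
```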

Seeing this sort of mixed performance, a forecaster can intervene and modify the prediction equation for better accuracy, if perhaps somewhat less precision.

An approach that I would hazard works decently well is an ensemble model, consisting of both a linear trend (TLSM) and an ETS (exponential smoothing) model. The results as shown below put the final cumulative value for both 2022 and 2023 well within the confidence boundary. Because ETS models decay the relative importance of older data points compared to more current ones, the ensemble model can 1) use the linear trend to forecast the future, but 2) be more responsive to more recent data in the calculation of confidence boundaries, and 3) take on a non-linear shape.

The big takeaway is that the ensemble model works, if your goal is to be correct (in contrast, the linear trend was very precise in its prediction for 2022 but completely wrong for 2023).

2024: a good or a bad year?

Deploying this model on 2024 data gives us a sense of where we might be headed for the rest of this year. Basically, the model suggests that we are in store for a bad year for crypto hacking, with the final cumulative amount stolen ranging from about $2.04B to upwards of $3.17B. This lower boundary would clearly only come to pass in a situation of significant crypto asset price declines and remarkably good (and lucky) crypto project cyber defense. The upper boundaries would be what we should expect if crypto prices rise.

