{"id":40439,"date":"2021-04-09T07:00:00","date_gmt":"2021-04-09T04:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=40439"},"modified":"2025-08-30T14:08:23","modified_gmt":"2025-08-30T11:08:23","slug":"the-harvest-heist-how-hackers-obfuscated-trails-after-harvest-finance-attack","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/the-harvest-heist-how-hackers-obfuscated-trails-after-harvest-finance-attack\/","title":{"rendered":"The Harvest Heist: How Hackers Obfuscated Trails After Harvest Finance Attack"},"content":{"rendered":"<p>In 2020, DeFi projects surged in popularity. The amount of capital locked in the sector had already surpassed $100 billion, and the number of projects exceeded 200. But there is usually a fly in the ointment.<\/p>\n<p><a href=\"https:\/\/u1f987.com\/en\/news\/what-is-decentralised-finance-defi\">The rapid growth of DeFi<\/a> drew the attention of attackers who exploit vulnerabilities in existing projects and create their own fraudulent schemes under the banner of decentralized finance.<\/p>\n<p>Liquidity pools on DEXs, in combination with mixers, came to be used to cover tracks when laundering money.<\/p>\n<p>For ForkLog, the analytics company Crystal Blockchain thoroughly analyzed the Harvest Finance hack, which became the largest incident in the DeFi space in late 2020.<\/p>\n<h2>Timeline of the Hack<\/h2>\n<p>Harvest Finance is a protocol enabling <a href=\"https:\/\/u1f987.com\/en\/news\/what-is-yield-farming\">yield farming<\/a>, which aggregates yields across various lending protocols, optimizing them to extract maximum profits.<\/p>\n<p>On October 26, an unknown hacker used arbitrage manipulation to transfer about $25 million to his address (13 million USDC and 11 million USDT).<\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"2ngjE8KV6o\">\n<p><a href=\"https:\/\/u1f987.com\/en\/news\/hacker-drains-19-8m-from-harvest-finance-as-farm-price-falls-more-than-50\">The hacker withdrew $19.8 million
from the Harvest Finance platform. The FARM price fell by 50%<\/a><\/p>\n<\/blockquote>\n<p>On the very first day, the attacker sent 13 million USDC to the decentralized exchange Uniswap. As a result of the exchange, he received more than 30,377 ETH to his address.<\/p>\n<div id=\"attachment_131148\" style=\"width: 1610px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-131148\" class=\"wp-image-131148 size-full\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/kdQ5wbecgX5Yity4vy61rlf-6zm9J6_QQvnpB5M24preb3Fj0dUh2qwEeETUmzT7tkSjIoNhSSUofB0U7VgnHH_LTtIUsPh7KCXH3NGOPoGEZY4J9mJqK-58fawyJqE70-0WA9M.png\" alt=\"\u0423\u0440\u043e\u0436\u0430\u0439\u043d\u044b\u0439 \u0432\u0437\u043b\u043e\u043c: \u043a\u0430\u043a \u0445\u0430\u043a\u0435\u0440\u044b \u0437\u0430\u043f\u0443\u0442\u044b\u0432\u0430\u043b\u0438 \u0441\u043b\u0435\u0434\u044b \u043f\u043e\u0441\u043b\u0435 \u0430\u0442\u0430\u043a\u0438 \u043d\u0430 Harvest Finance\" width=\"1600\" height=\"989\" srcset=\"https:\/\/u1f987.com\/wp-content\/uploads\/kdQ5wbecgX5Yity4vy61rlf-6zm9J6_QQvnpB5M24preb3Fj0dUh2qwEeETUmzT7tkSjIoNhSSUofB0U7VgnHH_LTtIUsPh7KCXH3NGOPoGEZY4J9mJqK-58fawyJqE70-0WA9M.png 1600w, 
https:\/\/u1f987.com\/wp-content\/uploads\/kdQ5wbecgX5Yity4vy61rlf-6zm9J6_QQvnpB5M24preb3Fj0dUh2qwEeETUmzT7tkSjIoNhSSUofB0U7VgnHH_LTtIUsPh7KCXH3NGOPoGEZY4J9mJqK-58fawyJqE70-0WA9M-300x185.png 300w, https:\/\/u1f987.com\/wp-content\/uploads\/kdQ5wbecgX5Yity4vy61rlf-6zm9J6_QQvnpB5M24preb3Fj0dUh2qwEeETUmzT7tkSjIoNhSSUofB0U7VgnHH_LTtIUsPh7KCXH3NGOPoGEZY4J9mJqK-58fawyJqE70-0WA9M-1024x633.png 1024w, https:\/\/u1f987.com\/wp-content\/uploads\/kdQ5wbecgX5Yity4vy61rlf-6zm9J6_QQvnpB5M24preb3Fj0dUh2qwEeETUmzT7tkSjIoNhSSUofB0U7VgnHH_LTtIUsPh7KCXH3NGOPoGEZY4J9mJqK-58fawyJqE70-0WA9M-768x475.png 768w, https:\/\/u1f987.com\/wp-content\/uploads\/kdQ5wbecgX5Yity4vy61rlf-6zm9J6_QQvnpB5M24preb3Fj0dUh2qwEeETUmzT7tkSjIoNhSSUofB0U7VgnHH_LTtIUsPh7KCXH3NGOPoGEZY4J9mJqK-58fawyJqE70-0WA9M-1536x949.png 1536w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><\/p>\n<p id=\"caption-attachment-131148\" class=\"wp-caption-text\">Data: Crystal Blockchain.<\/p>\n<\/div>\n<p>Then in 12 transactions the hacker exchanged 11 million USDT for over 26,500 ETH.<\/p>\n<p>Of this amount, he converted 51,315 ETH in 11 transactions into tokenized Bitcoin \u2013 Wrapped BTC (WBTC), obtaining more than 1,519 tokens in total.<\/p>\n<div id=\"attachment_131146\" style=\"width: 1610px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-131146\" class=\"wp-image-131146 size-full\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/j5i-F87BATP7VJ7-QOn5aGn1RgZISSnts5sP3fLTAJiQDlDLWMtSO_xFoMK73ROJN5Cq5OWmsfzKgDgRqGHtqPZfvHZidgxEMmdruVRBAXxKWGAD__LwqTrZufKBqSc7dG_E8dH.png\" alt=\"\u0423\u0440\u043e\u0436\u0430\u0439\u043d\u044b\u0439 \u0432\u0437\u043b\u043e\u043c: \u043a\u0430\u043a \u0445\u0430\u043a\u0435\u0440\u044b \u0437\u0430\u043f\u0443\u0442\u044b\u0432\u0430\u043b\u0438 \u0441\u043b\u0435\u0434\u044b \u043f\u043e\u0441\u043b\u0435 \u0430\u0442\u0430\u043a\u0438 \u043d\u0430 Harvest Finance\" width=\"1600\" height=\"989\" 
srcset=\"https:\/\/u1f987.com\/wp-content\/uploads\/j5i-F87BATP7VJ7-QOn5aGn1RgZISSnts5sP3fLTAJiQDlDLWMtSO_xFoMK73ROJN5Cq5OWmsfzKgDgRqGHtqPZfvHZidgxEMmdruVRBAXxKWGAD__LwqTrZufKBqSc7dG_E8dH.png 1600w, https:\/\/u1f987.com\/wp-content\/uploads\/j5i-F87BATP7VJ7-QOn5aGn1RgZISSnts5sP3fLTAJiQDlDLWMtSO_xFoMK73ROJN5Cq5OWmsfzKgDgRqGHtqPZfvHZidgxEMmdruVRBAXxKWGAD__LwqTrZufKBqSc7dG_E8dH-300x185.png 300w, https:\/\/u1f987.com\/wp-content\/uploads\/j5i-F87BATP7VJ7-QOn5aGn1RgZISSnts5sP3fLTAJiQDlDLWMtSO_xFoMK73ROJN5Cq5OWmsfzKgDgRqGHtqPZfvHZidgxEMmdruVRBAXxKWGAD__LwqTrZufKBqSc7dG_E8d-1024x633.png 1024w, https:\/\/u1f987.com\/wp-content\/uploads\/j5i-F87BATP7VJ7-QOn5aGn1RgZISSnts5sP3fLTAJiQDlDLWMtSO_xFoMK73ROJN5Cq5OWmsfzKgDgRqGHtqPZfvHZidgxEMmdruVRBAXxKWGAD__LwqTrZufKBqSc7dG_E8d-768x475.png 768w, https:\/\/u1f987.com\/wp-content\/uploads\/j5i-F87BATP7VJ7-QOn5aGn1RgZISSnts5sP3fLTAJiQDlDLWMtSO_xFoMK73ROJN5Cq5OWmsfzKgDgRqGHtqPZfvHZidgxEMmdruVRBAXxKWGAD__LwqTrZufKBqSc7dG_E8d-1536x949.png 1536w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><\/p>\n<p id=\"caption-attachment-131146\" class=\"wp-caption-text\">Data: Crystal Blockchain.<\/p>\n<\/div>\n<p>Crystal Blockchain also detected a transfer of 300 ETH to the Tornado mixer.<\/p>\n<p>WBTC was sent to another DeFi protocol \u2013 Ren, through which the attacker converted the tokens into Bitcoin, distributing them across seven addresses.<\/p>\n<div id=\"attachment_131149\" style=\"width: 1610px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-131149\" class=\"wp-image-131149 size-full\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/XAEn2-ayYZ0JhCZKM1VHnpG4sB2ar_8DV-YrF0rY_iB7DClevXAoFFwOQFCXVzY__IJ1AhHHMXXeLeNOo1ydEkIzOio92GO30sI-wuOVNy2l-Pf4iq55r-OYFaAh2HZnTFST4gPP.png\" alt=\"\u0423\u0440\u043e\u0436\u0430\u0439\u043d\u044b\u0439 \u0432\u0437\u043b\u043e\u043c: \u043a\u0430\u043a \u0445\u0430\u043a\u0435\u0440\u044b 
\u0437\u0430\u043f\u0443\u0442\u044b\u0432\u0430\u043b\u0438 \u0441\u043b\u0435\u0434\u044b \u043f\u043e\u0441\u043b\u0435 \u0430\u0442\u0430\u043a\u0438 \u043d\u0430 Harvest Finance\" width=\"1600\" height=\"989\" srcset=\"https:\/\/u1f987.com\/wp-content\/uploads\/XAEn2-ayYZ0JhCZKM1VHnpG4sB2ar_8DV-YrF0rY_iB7DClevXAoFFwOQFCXVzY__IJ1AhHHMXXeLeNOo1ydEkIzOio92GO30sI-wuOVNy2l-Pf4iq55r-OYFaAh2HZnTFST4gPP.png 1600w, https:\/\/u1f987.com\/wp-content\/uploads\/XAEn2-ayYZ0JhCZKM1VHnpG4sB2ar_8DV-YrF0rY_iB7DClevXAoFFwOQFCXVzY__IJ1AhHHMXXeLeNOo1ydEkIzOio92GO30sI-wuOVNy2l-Pf4iq55r-OYFaAh2HZnTFST4gPP-300x185.png 300w, https:\/\/u1f987.com\/wp-content\/uploads\/XAEn2-ayYZ0JhCZKM1VHnpG4sB2ar_8DV-YrF0rY_iB7DClevXAoFFwOQFCXVzY__IJ1AhHHMXXeLeNOo1ydEkIzOio92GO30sI-wuOVNy2l-Pf4iq55r-OYFaAh2HZnTFST4gPP-1024x633.png 1024w, https:\/\/u1f987.com\/wp-content\/uploads\/XAEn2-ayYZ0JhCZKM1VHnpG4sB2ar_8DV-YrF0rY_iB7DClevXAoFFwOQFCXVzY__IJ1AhHHMXXeLeNOo1ydEkIzOio92GO30sI-wuOVNy2l-Pf4iq55r-OYFaAh2HZnTFST4gPP-768x475.png 768w, https:\/\/u1f987.com\/wp-content\/uploads\/XAEn2-ayYZ0JhCZKM1VHnpG4sB2ar_8DV-YrF0rY_iB7DClevXAoFFwOQFCXVzY__IJ1AhHHMXXeLeNOo1ydEkIzOio92GO30sI-wuOVNy2l-Pf4iq55r-OYFaAh2HZnTFST4gPP-1536x949.png 1536w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><\/p>\n<p id=\"caption-attachment-131149\" class=\"wp-caption-text\">Data: Crystal Blockchain.<\/p>\n<\/div>\n<p>Next, half of the Bitcoin moved to Wasabi and some to centralized exchanges, including Binance and Huobi. The other half remains unmoved for now. 
Crystal Blockchain will continue to monitor the funds&#8217; movement.<\/p>\n<div id=\"attachment_131147\" style=\"width: 949px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-131147\" class=\"wp-image-131147 size-full\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/rR307RVH8nFWR60AA2pymg-CeKm_tPomo0wSzZf23a4KA8A7-F78NELxvL9DHVqiiv5IZxU-Qp9r5Lx91D4PpkWz7rxYQjZ0jx2p-2ZYj1VoFlXRAVUQeKeNNT28uBvTLWhe3kO8.png\" alt=\"\u0423\u0440\u043e\u0436\u0430\u0439\u043d\u044b\u0439 \u0432\u0437\u043b\u043e\u043c: \u043a\u0430\u043a \u0445\u0430\u043a\u0435\u0440\u044b \u0437\u0430\u043f\u0443\u0442\u044b\u0432\u0430\u043b\u0438 \u0441\u043b\u0435\u0434\u044b \u043f\u043e\u0441\u043b\u0435 \u0430\u0442\u0430\u043a\u0438 \u043d\u0430 Harvest Finance\" width=\"939\" height=\"636\" srcset=\"https:\/\/u1f987.com\/wp-content\/uploads\/rR307RVH8nFWR60AA2pymg-CeKm_tPomo0wSzZf23a4KA8A7-F78NELxvL9DHVqiiv5IZxU-Qp9r5Lx91D4PpkWz7rxYQjZ0jx2p-2ZYj1VoFlXRAVUQeKeNNT28uBvTLWhe3kO8.png 939w, https:\/\/u1f987.com\/wp-content\/uploads\/rR307RVH8nFWR60AA2pymg-CeKm_tPomo0wSzZf23a4KA8A7-F78NELxvL9DHVqiiv5IZxU-Qp9r5Lx91D4PpkWz7rxYQjZ0jx2p-2ZYj1VoFlXRAVUQeKeNNT28uBvTLWhe3kO8-300x203.png 300w, https:\/\/u1f987.com\/wp-content\/uploads\/rR307RVH8nFWR60AA2pymg-CeKm_tPomo0wSzZf23a4KA8A7-F78NELxvL9DHVqiiv5IZxU-Qp9r5Lx91D4PpkWz7rxYQjZ0jx2p-2ZYj1VoFlXRAVUQeKeNNT28uBvTLWhe3kO8-768x520.png 768w\" sizes=\"auto, (max-width: 939px) 100vw, 939px\" \/><\/p>\n<p id=\"caption-attachment-131147\" class=\"wp-caption-text\">Data: Crystal Blockchain.<\/p>\n<\/div>\n<h2>How effective are DeFi protocol hacks?<\/h2>\n<p>The hacker clearly tried to confuse the investigation by moving funds through several DeFi protocols. 
However, given that the Uniswap protocol (including forks) and Ren provide information about the tokens involved in the swap and the final recipients\u2019 addresses, such obfuscation methods cannot be considered effective.<\/p>\n<p>The difficulty in such cases is that additional resources are needed to \u201cdeploy\u201d swap transactions.<\/p>\n<p>Crystal Blockchain flags all addresses that potentially belong to the offender, which will help virtual asset service providers (VASPs) prevent money laundering. To truly cover their tracks, attackers have to move funds through loosely regulated exchanges and traditional mixers.<\/p>\n<p>Judging by the current situation, the DeFi sector will continue to develop, but it is worth noting the key features and differences of DeFi protocols:<\/p>\n<ul>\n<li>Decentralized exchanges (DEXs) do not require user verification;<\/li>\n<li>A DEX user\u2019s funds always remain under their control, whereas centralized VASPs have full control over them;<\/li>\n<li>Hackers find vulnerabilities in the decentralized protocols themselves, which is how funds are withdrawn. The weaknesses of centralized platforms lie primarily in their protection;<\/li>\n<li>User funds in the decentralized sector are not insured against hacks, as they remain under user control. By contrast, some centralized exchanges form insurance pools and pay out compensation;<\/li>\n<li>DEXs do not have a native fiat on-ramp. 
For this, users (including attackers) often have to convert tokens into popular cryptocurrencies (Bitcoin, ETH and others) and then send them to centralized exchanges.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Rapid growth of DeFi attracted the attention of attackers who exploit vulnerabilities in existing projects and create their own fraudulent schemes under the banner of decentralized finance. For ForkLog, the analytical company Crystal Blockchain thoroughly analyzed the Harvest Finance hack, which became the largest incident in the DeFi space in late 2020.<\/p>\n","protected":false},"author":1,"featured_media":40440,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[1144],"tags":[1154,2024,1093,787],"class_list":["post-40439","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-longreads","tag-crimes","tag-crystal","tag-defi","tag-dex"],"aioseo_notices":[],"amp_enabled":true,"views":"47","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/40439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\
/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=40439"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/40439\/revisions"}],"predecessor-version":[{"id":40441,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/40439\/revisions\/40441"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/40440"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=40439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=40439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=40439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}