The worlds of decentralized finance (DeFi) and Web3 have become a high-stakes battlefield, with black hat hackers and scammers perpetually devising strategies to exploit the ever-growing ecosystem. The second quarter of 2023 again brought its fair share of attacks and thefts, leading to significant losses for crypto investors totaling over $330 million, of which $265 million can be attributed to the Web3 sector.
This is according to the Q2 2023 findings from Immunefi, a leading bug bounty and security services platform that protects $60 billion in crypto assets, which we’ll discuss below in greater detail. In addition, we’ve also added insights from new Q2 2023 Web3 security reports by Certik and Beosin, all published in July 2023, which provide a broader perspective on the scale and type of losses in the Web3 ecosystem.
A Snapshot of Crypto Losses in Q2 2023
Immunefi reports that in Q2 2023, an unsettling $265.5 million was siphoned off from the Web3 ecosystem. However, Certik’s report indicates that over $313 million was stolen from crypto projects between April and June 2023. Most of the losses were due to hacking incidents, a stark 4 in 5 attacks worth $220.5 million, across 63 specific incidents.
According to the Beosin report, in the first half of 2023, the Web3 industry lost approximately $656 million to hackers, phishing scams, and rug pulls. Around $471 million is attributed to hacks alone, most notably March’s huge Euler hack at the hands of North Korean hackers Lazarus, who also allegedly took down Atomic Wallet in June this year.
Fraud, though less frequent, accounted for 1 in 6 cases worth roughly $45 million across 18 incidents. While these numbers are alarmingly high, it’s worth noting a silver lining – this represents a 60% decrease in losses compared to Q2 2022, suggesting that security measures are improving.
Two projects bore the brunt of these attacks – Atomic Wallet’s $100m hack, which we covered previously, and a rug pull by Fintoch, the blockchain-powered financial platform allegedly built by Morgan Stanley.
Together, they accounted for nearly half the losses, with $131.6 million vanishing into the cyber-abyss. While this could be a testament to the level of sophistication employed by the hackers, it also raises questions about the inherent vulnerabilities and security diligence in these projects.
Major Exploits: Atomic Wallet and Fintoch
The two most significant losses of Q2 2023 are worth examining closely. The decentralized Atomic Wallet lost $100 million due to an attack attributed to the Lazarus Group, a North Korean state-backed hacker group. They have previously been linked to other large-scale exploits, including the $100 million Harmony Bridge hack in June 2022.
Fintoch, on the other hand, fell victim to an alleged internal ‘rug pull’, amounting to $31.6 million. Here, the team was accused of transferring the stolen assets to other blockchains, including Tron and Ethereum, leaving users unable to access their funds.
Crypto Hacks Down, but Fraud Soars 200%
When it comes to crypto losses, hacking incidents consistently overshadow frauds, scams, and rug pulls. This trend continued in Q2 2023, with losses from hacks significantly outpacing losses from fraud.
- Certik identified about 212 cases of security breaches, with the average loss per case at $1.4 million.
- Exit scam losses doubled to over $70 million after about 98 cases were identified.
- Despite the total losses being down 60.4% from Q2 2022, the number of single incidents surged by 65.3% YoY.
DeFi Continues to be DeFiled
Decentralized Finance (DeFi) represented the lion’s share of successful exploits in Q2 2023, accounting for a staggering 86% of the total losses. In contrast, centralized finance (CeFi) accounted for a mere 14%, a welcome change after the custodial horrors of 2024 with FTX, 3AC, and Celsius losing investors billions of dollars. However, year on year CeFi losses are up $37 million.
The Beosin report showed that for the first half of 2023, contract vulnerability was the biggest hacking vector in 60 attacks draining over $53 million.
This new focus on DeFi could be due to its inherent transparency and accessibility, making it an attractive target for black hat hackers looking to capitalize on weak security measures by both projects and their users.
BNB Chain and Ethereum Most Targeted
With so much value locked across their ecosystems, it’s no surprise that BNB Chain and Ethereum were the most targeted in Q2 2023, with BNB Chain suffering 36 incidents and Ethereum, 26. Together, they represented over 75% of all chain losses in this period. Ethereum layer-2 chain Arbitrum, which finally launched its token at the end of March 2023, came in third, with 10 incidents, after suffering none a year ago, followed by Polygon and ZKSync with two each.
And of course, scammers are also gonna keep scamming. For H1 2023 Beosin reported 80 rug pulls happened on the cheaper-to-use BNB chain followed by Ethereum, which indicates that users should be especially vigilant when dealing with DeFi protocols and do additional research on the teams.
Only 4% of Q2 Stolen Funds Recovered
The recovery of stolen funds remains a challenging task. Of the total losses, only $10.45 million was recovered across eight incidents, representing a mere 4% of total losses. Although significantly lower than the losses, every recovery victory is a step in the right direction.
In the larger context of Q2 2022 versus Q2 2023, both DeFi losses and hack-related losses have decreased by around 66%, while fraud-related losses have surged by a whopping 225%, as phishing scams become more sophisticated and target non-custodial wallet users.
Crypto Drainers On the Rise
Web3 anti-scam platform Scam Sniffer also revealed that $66 million has been stolen this year by so-called “crypto drainers” or sweepers, smart contract-based malware that uses phishing to trick the user into agreeing to a malicious transaction that transfers all or some of a wallet’s funds once signed. DeFi and Web3 users should be extra cautious when blind signing or approving any transaction and shouldn’t click on any suspicious links.
MEV Bot exploited and MPC under scrutiny
Certik’s report also detailed a worrying MEV bot exploit on Ethereum by a malicious validator for $25 million (MEV refers to the rewards that an ETH validator can make) and a bounty for a multiparty computation (MPC) vulnerability on ZenGo that could have resulted in more devastating losses.
While multi-party computation security is preferred by institutional investors and has many applications in Web3, the implementation of new MPC solutions brings a new complexity to crypto wallet design that could lead to new security threats and must be carefully audited and monitored, according to Kang Li, Certik’s Chief Security Officer. It follows that ensuring that your custodian uses the best MPC security measures should be a top priority for any investor.
Final Thoughts
In conclusion, while the DeFi and Web3 ecosystem continues to grow and offer unparalleled opportunities, it also remains a fertile ground for nefarious activities. As Mitchell Amador, Founder and CEO at Immunefi, aptly put it, “users must thoroughly assess projects” as “bad actors continue to expand their malicious activities and employ increasingly sophisticated scams.”
Therefore, stakeholders must be proactive and vigilant, and adopt stringent security measures to minimize the risk of such exploits.
CoolWallet: Your Shield Against Web3 Hacks and Scams
As Web3 and DeFi projects continue to build out their ecosystems, using a reputable and battle-tested Web3 hardware wallet like CoolWallet Pro is the smart choice to navigate the dangers around smart contracts and self-custody. Its EAL6+ secure element, military-grade encrypted Bluetooth communication, and additional measures like 2+1 FA biometric verification ensure that no transaction can be authorized without your physical approval through a button press.
With CoolWallet App’s new integration with Kekkai’s real-time Web3 blockchain analytics and smart contract assessments, you can now interact more safely than ever with your favorite Dapps on your favorite chains.