Crypto users lost $494 million to phishing attacks that drained their wallets in 2024. The Web3 security company Scam Sniffer disclosed this in its latest report, noting that it represents a 67% year-over-year increase.
According to the report, which focused only on Ethereum Virtual Machine (EVM) compatible chains, 332,000 addresses were affected by the phishing attacks in 2024. This means the number of victims also increased compared to 2023, albeit by only 3.7%.
The massive rise in the amount stolen highlights how phishing attackers took advantage of the increase in the value of cryptocurrencies in 2024 to make millions of unwitting victims. Wallet drainers usually use malware to steal users’ assets by misleading them into granting approvals or signing malicious transactions.
Funds lost to phishing attacks on a monthly basis (Source: Scam Sniffer)
A closer analysis of the incidents shows that the attackers were busy all year round, even as they stole 52% of funds between July and September. The bad actors took in their highest monthly haul in March with $75 million, while the losses were in November with $9 million.
Meanwhile, the amount stolen declined quarterly, with Q1 seeing the most losses, $187.2 million from 175,000 victims. The total losses per quarter in Q2 were $167 million, Q3 saw $ 129 million, and Q4 reportedly only $51 million.
The gradual decline represents a positive sign for the industry as it indicates increasing security awareness about phishing attacks throughout the year.
Ethereum records 85% of large-scale thefts
Meanwhile, 30 large-scale phishing attacks, incidents where more than $1 million was stolen, happened in 2024. The biggest was a $55.4 million theft through a setOwner phishing exploit, a 130% on the most significant incident before that.
Interestingly, Ethereum was responsible for the majority of large losses. According to the report, 85.3% of the large losses happened on the network, accounting for $152 million, while just two happened on Arbitrum. Other EVM networks even had less, with Blast, Base, and BNB chains only having one case each.
Phishing Attacks (Source: Scam Sniffer)
The attackers also appear to target more assets than others. 40.9% of stolen funds were Staking and restaking assets, while stablecoins account for 33.5%, respectively. 10.7% of Aave Collateral assets and 9.3% of Pendle yield tokens also got stolen.
Just as they did with assets, the drainers also relied on various methods for phishing attacks. Permit remains the most common method, as it was used in 56.7% of large loss cases. However, scammers use the setOwner in 31.9% of cases, including the theft of $55.4 million DAI. Other methods employed included Transfer and increase allowance.
Wallet drainers continue to consolidate and expand
Meanwhile, the decline in phishing attacks during the last quarter of 2024 is not necessarily a sign of triumph for crypto users. As Scam Sniffer noted, it is likely because these attackers are changing strategies and using other methods.
This is evident in how the bad actors consolidated throughout 2024, with new players entering the scene towards year-end. Three major drainers dominated the market in the first two quarters, with Angel, Pink, and Inferno drainers having 42%, 28%, and 22% shares, respectively.
However, Pink Drainer exited in Q2, leaving Inferno and Angel Drainers with 43% and 25% market share by the end of Q3. Inferno itself would exit in Q4 by selling its infrastructure to Angel Drainer. At the end of the year, Inferno and Angel controlled 45% of the market share, while a new entrant, Ace Drainer, had 20%. There are still other new drainers, showing the ultra-competitive nature of draining in the service industry.
With more bad actors venturing into wallet-draining space, the level of sophistication has also been increasing to match anti-phishing security by wallet developers. Scam Sniffer highlighted several bypass methods that these bad actors use. These include trying to game the wallet normalization process, exploiting XSS vulnerabilities to bypass wallet blacklists, and using legitimate contracts with fake CAPTCHA pages or Cloudflare.
A Step-By-Step System To Launching Your Web3 Career and Landing High-Paying Crypto Jobs in 90 Days.
