The crypto industry racked up $413 million in losses due to hacks and scams during the third quarter of this year across 34 incidents so far, according to the latest report from web3 bug bounty and security services platform Immunefi.

The losses represent a 28% decrease on the $573 million worth of exploits in Q2 and a 40% decrease compared to Q3 2023 when hackers and fraudsters stole $686 million. More than $1.3 billion has been stolen via hacks and fraud year-to-date, down by 4% compared with the same period last year, per Immunefi data.

With nearly $90 billion of total value locked in web3 protocols, according to DeFiLlama data, decentralized finance remains a primary target for hackers, accounting for 31 of the 34 incidents identified by Immunefi in Q3. However, centralized finance was hit harder in terms of the amounts stolen, accounting for 74.8% ($309 million) of losses during the quarter compared to 25.2% ($104 million) for DeFi.

“We're seeing a higher number of incidents targeting DeFi, while CeFi experiences fewer incidents but often with more severe consequences, with hundreds of millions in stolen funds in a single exploit,” Immunefi founder and CEO Mitchell Amador told The Block.

“In CeFi, the biggest infrastructural issue is private key management, which is essential to maintaining the self-custody of crypto assets but is not typically subject to security audits. It requires rigorous key management policies, practices and emergency plans,” he added.

The majority of the losses came from two exploits alone, accounting for a combined $287 million, or 69.5%, of the total. A $235 million exploit of Indian crypto exchange WazirX on July 18 represented the largest attack, with a further $52 million stolen from the Singapore-based crypto exchange BingX on Sept. 20.

July accounted for the highest monthly losses in Q3 overall at $282 million. August losses fell dramatically to just $15 million. However, September then registered an additional $116 million in losses. In total, $14.9 million (3.6%) of the stolen funds in Q3 were recovered from two of the exploits: Ronin Network ($10 million) and ShezmuTech ($4.9 million).

Hacks continued to dominate the losses in Q3, accounting for 99.3% ($409.9 million) of the total across 31 incidents, compared to cases of fraud, scams and rug pulls at just 0.7% ($3.1 million) over three specific incidents.

Ethereum and BNB Chain were again the most targeted networks, as they were in Q2. Ethereum suffered the most individual attacks, representing 15 of the incidents and 44.1% of the losses on targeted chains, followed by BNB Chain's eight incidents, representing 23.5%. Base, Blast, Solana and Arbitrum made up the remainder of the incidents.

Immunefi claims to have paid out more than $100 million in ethical hacker and researcher bounties to date. The payouts span three years and result from over 3,000 bug bounty reports, the largest of which was a $10 million award for a vulnerability discovered in Wormhole’s cross-chain protocol.

© 2024 The Block. All Rights Reserved.