Cyberattacks targeting Web3 cost organizations $1.84 billion in 2023 across 751 incidents, says Certik Hack3d: The 2023 Web3 Security Report.
The average cost per incident was $2.45 million in 2023. However, there is a wide disparity between losses incurred, with the 10 costliest attacks alone accounting for $1.11 billion.
The highest costs occurred in the third quarter, where $686.5 million was lost due to 183 hacks.
The report, which examined hacks, scams and exploits across the Web3 industry, found a 51% drop in incident losses in 2023 compared to 2022, when the total was 3.7 billion of dollars.
However, a major factor in reducing losses is the decline in the value of decentralized finance (DeFi), with the time-weighted average value falling by approximately 46% in 2023 compared to 2022.
How do attackers target Web3?
Web3 is an internet service built using decentralized blockchains, designed to put control back in the hands of users.
However, this ecosystem carries significant cyber risks, threat actors steal cryptocurrency frequently DeFi platforms.
The Certik report found that the attack vector that caused the highest losses was private key compromise, which accounted for $880.9 million in costs for just 47 incidents.
Six of the ten costliest Web3 security incidents were due to private key compromises.
The researchers said this highlights the importance of secure private key management among Web3 users, advising practices such as:
- Use multi-signature wallets to distribute control across multiple parties
- Consider hardware wallets for key storage and high-level crypto operations
- Keep backups of private keys in secure offline environments
- Set strict access control policies
- Regularly monitor and audit the use of private keys to detect any anomalies
Exit scams, when developers of a cryptocurrency withdraw their funds and abandon the project to take advantage of investors, were the most common vector used to target Web3, with 308 incidents.
Code vulnerability and phishing also caused a large number of losses on Web3, $291 million and $207 million, respectively.
The report notes that wallet drainers remained a persistent threat on Web3 throughout the year. These drainers are a type of malicious software or script that allows attackers to “drain” assets from a victim’s wallet into their own.
Security breaches affecting multiple chains accounted for $799 million in losses in just 35 incidents, which Certik says highlights the ongoing problem of cross-chain interoperability.
BNB Chain experienced the highest number of security incidents at 387, resulting in losses of $134 million. Next comes Ethereum, with 224 incidents and $686.9 million in losses.
Increased retroactive bug bounties
Another significant trend identified in 2023 is “retroactive bug bounties,” which led to the return of $219 million in stolen funds across 36 events.
The report cites the case of Euler Finance, where an exploit allowed an attacker to steal $197 million in March 2023.
After the exploit, Euler offered a $1 million bounty for information leading to the arrest of the attackers and demanded the return of the stolen funds.
The hacker ultimately returned approximately $147.8 million and expressed remorse for the attack, leading Euler to withdraw the $1 million bounty.