Crypto Security Crisis? $700M Lost in Q3: Certik Report

Summary:

• Q3 2023 saw the crypto space suffer its worst quarter, with nearly $700 million lost to security breaches, says CertiK.
• A total of 184 security incidents occurred, eclipsing Q1 and Q2 losses.
• Private key infiltrations accounted for over $204 million in losses.
• Major breaches, exit scams, and oracle manipulations contributed to the losses.
• Mixin Network and CoinEx breaches were among the significant incidents in September.
• Notable losses included $1.9 million from exit scams and $400,000 from flash loans.
• A total of $1.34 billion has been lost in 2023 to hacks, scams, and exploits.
• The Lazarus hacking group remains a dominant threat, responsible for at least $291 million in confirmed losses.
• Heightened security measures and vigilance are needed to protect digital assets in the evolving crypto landscape.

‍

Alarming Rise in Crypto Security Breaches

The third quarter of 2023 has emerged as a grim milestone, with the highest financial toll due to security breaches. According to a comprehensive quarterly study by blockchain security firm CertiK, the cryptocurrency ecosystem suffered staggering losses of nearly $700 million between July and September.

During this tumultuous period, 184 security incidents sent shockwaves through the crypto landscape. These incidents, ranging from breaches to scams and manipulations, have overshadowed the industry's efforts to safeguard digital assets.

As a result of these security breaches, Q3 suffered significantly more financial damages than Q2 and Q1. Q1 saw losses of $320 million, while Q2 reported $313 million in damages. 

Private Key Breaches: The Costliest Exploits

Among the various security incidents, private key infiltrations were the most financially detrimental. These breaches resulted in a staggering $204 million loss from 14 separate incidents. 

One notable event that contributed to Q3's financial woes was the Multichain incident, where the CEO retained exclusive control over private keys. This lapse in security led to losses amounting to a hefty $125 million.

Exit Scams and Oracle Manipulations Surge

In addition to private key breaches, Q3 also witnessed a surge in exit scams and oracle manipulations. A total of 93 exit scams siphoned off more than $55 million in digital assets, while 38 incidents of oracle manipulation resulted in losses exceeding $16 million in the crypto space.

One significant event that marred September was the exploitation of the cross-chain protocol Mixin Network. This incident led to suspending all deposits and withdrawals on September 25. It later emerged that the company's mainnet assets, valued at $200 million, had been drained. 

Persistent Threats: Lawnmowertruman and Lazarus

CertiK's quarterly report also sheds light on the persistent threats hacking groups pose. The notorious hacking group from North Korea, known as lawnmowertruman, remained a dominant threat throughout the quarter, accounting for a staggering $291 million in verified losses in 2023.

Another persistent threat actor, Lazarus, affiliated with North Korea, continued its malicious activities in the third quarter and was responsible for at least $291 million in confirmed losses for the year.

In response to BSC News' inquiry about how to stop Lazarus group attacks, Certik responded:

“Lazarus Group targets any vulnerable target, whether that vulnerability is due to a centralized point of control or a smart contract bug. The solution is to build secure platforms and to take full advantage of all that blockchain has to offer by limiting centralization risks to the greatest extent possible.”

September's Cryptocurrency Landscape: A Month of Alarming Losses

As the quarter ended, the cryptocurrency ecosystem was hit by several security incidents, setting a somber tone. Exit scams, where fraudulent projects disappear with investors' funds, contributed to approximately $1.9 million in losses. Flash loans, a relatively newer phenomenon in the crypto world, resulted in losses of around $400,000 during the month.

However, the most significant blow to the crypto community came from exploits, accounting for a staggering $329.8 million in losses during September alone. Exploits are characterized by malicious actors exploiting vulnerabilities in smart contracts, exchanges, or protocols to siphon off digital assets.

Long List of Hacks and Thefts

On September 4, stake.com, a popular platform for cryptocurrency gambling, also faced an attack that led to losses of $41 million. During this incident, various cryptocurrencies worth the same amount were received by an account before being distributed to multiple addresses.

Further, on September 12, witnessed a suspected attack on CoinEx, a cryptocurrency exchange, following a significant outflow from four of its hot wallets. This breach resulted in losses exceeding $53.1 million across the compromised hot wallets.

The Mixin Network Breach amounting to a whopping $200 million due to the compromise of the platform's cloud service provider also happened last month. 

September did not relent in its assault on the crypto community. A phishing incident further exacerbated the month's woes, resulting in losses of $24.2 million. HTX Global experienced a loss of $7.9 million during the month, adding to the litany of security breaches.

Even high-profile individuals were not spared from the crypto turmoil. Entrepreneur Mark Cuban reported a personal loss of $900,000 during September, underscoring the indiscriminate nature of crypto-related incidents.

‍

A Year of Unprecedented Losses

As September came to a close, the cumulative losses for the year reached alarming heights. In August, the crypto space suffered losses totaling $45 million in digital assets. This brought the year-to-date total to a staggering $997 million in losses due to various forms of exploitation, scams, and hacks.

July was the second-highest month for exploit-related losses, amounting to $285.8 million, further emphasizing the growing sophistication of threat actors in the crypto world.

Q3 2023 was marked by an unsettling series of incidents, resulting in significant financial losses for the cryptocurrency market. 

The Certik team believes the future of crypto is assured if and only if the industry learns from the continued hacks and scams we see. 

“Every private key exploit, every oracle manipulation attack, and every exit scam contains valuable lessons for those who want to build secure and highly functional products and services. Web3 is an intensely competitive, high-stakes game,” Certik told BSC News. “It's ruthlessly efficient, it culls the weakest and rewards the strongest. Security is a fundamental consideration for anyone building a Web3 platform, and only those who acknowledge and address this will survive.”