Authors: Beosin Research Team - Mario & Donny
1. 2023 Web3 Security Overview
According to statistics from Beosin EagleEye, the total losses from hacks, phishing scams, and rug pulls in Web3 reached $2.02 billion in 2023. Among them, 191 major attacks resulted in a total loss of approximately $1.397 billion; 267 rug pulls with total losses of around $388 million; and total losses from phishing scams of approximately $238 million.
In 2023, hacks, phishing scams and rug pulls all saw significant declines compared to 2022, with total losses down 53.9%. Hacks saw the biggest drop, from $3.6 billion in 2022 to $1.397 billion in 2023, a decrease of about 61.2%. Phishing losses were down 33.2% from 2022, and rug pull losses were down 8.8% from 2022.
There were 4 attacks with losses over $100 million in 2023, and 17 attacks with losses between $10 million and $100 million. The top 10 attacks accounted for total losses of about $1 billion, representing 71.5% of total losses for the year.
Compared to 2022, attacked project types were more diverse in 2023, including DeFi, CEX, DEX, public blockchains, cross-chain bridges, wallets, payment platforms, casinos, crypto brokers, infrastructure, password managers, developer tools, MEV bots, TG bots and more. DeFi saw the most attacks and highest losses, with 130 DeFi attacks causing total losses of about $408 million.
Attacks occurred across more public blockchain types. Ethereum remained the chain with the highest losses - 71 attacks on Ethereum caused $766 million in losses, accounting for 54.9% of total losses for the year.
By attack type, 30 private key compromise incidents caused about $627 million in losses, representing 44.9% of total losses, making it the most damaging attack type. Contract vulnerability exploitation was the most frequent attack type - of the 191 attacks, 99 involved contract vulnerabilities, accounting for 51.8%.
About $295 million of stolen funds were recovered during the year, representing 21.1% of losses, a significant increase from 2022. About $330 million in stolen funds were sent to mixers, representing 23.6% of total stolen funds.
In contrast to the significant declines in on-chain hacks, phishing and rug pulls, 2023 saw a huge increase in offline crypto crime figures. Global crypto crime losses reached $65.68 billion in 2023, up about 377% from $13.76 billion in 2022. The top three crime types by losses were illegal gambling, money laundering and scams.
2. 2023 Web3 Top 10 Attacks
In 2023 there were 4 attacks with over $100 million in losses: Mixin Network ($200 million), Euler Finance ($197 million), Poloniex ($126 million) and HTX & Heco Bridge ($110 million). The top 10 attacks accounted for total losses of about $1 billion, 71.5% of yearly losses.
No.1 Mixin Network
Losses: $200 million
Attack type: Cloud service provider database compromise
On September 23rd, Mixin Network's cloud provider was hacked, resulting in partial mainnet asset losses of around $200 million. Mixin's founder later explained the stolen assets were mainly BTC, with minimal losses of BOX and XIN tokens. Details were withheld.
No.2 Euler Finance
Losses: $197 million
Attack type: Contract vulnerability - business logic flaw
On March 13th the Euler Finance DeFi lending protocol was hacked for around $197 million. The root cause was a failure to properly check users' actual token balances and ledger health after donations. All stolen funds have been fully returned by the attacker.
No.3 Poloniex
Losses: $126 million
Attack type: Private key compromise / APT attack
On November 10th, addresses related to Justin Sun's Poloniex exchange started transferring out large assets, indicating a hack. Sun and Poloniex soon confirmed the breach on social media. Beosin security tracked stolen assets totaling around $126 million.
No.4 HTX & Heco Bridge
Losses: $110 million
Attack type: Private key compromise
On November 22nd, Justin Sun's HTX exchange and Heco Bridge were hacked for $110 million total, with $86.6 million lost from Heco Bridge and $23.4 million from HTX.
No.5 Curve / Vyper
Losses: $73 million
Attack type: Contract vulnerability - reentrancy
On July 31st Vyper announced a reentrancy bug in compiler versions 0.2.15, 0.2.16 and 0.3.0. Combined with the callback that a receiver can run during an ETH transfer, this enabled reentrancy attacks on linked ETH/stablecoin pools. Curve later tweeted that multiple pools compiled with the flawed Vyper 0.2.15 had been exploited because the reentrancy lock did not work. Losses totaled around $73 million.
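The lock failure described above, as an added model that is not Curve's or Vyper's code: a pool whose remove_liquidity sends ETH before updating its accounting, with the nonreentrant lock either shared across functions (correct) or allocated per function (my assumption about how the affected compilers behaved), plus the check a pool developer would run to confirm that a cross-function reentry reverts. Pool, lp_after_reentry and the receiver callback are constructed names.

```python
# Constructed model (not Curve or Vyper code) of the cross-function reentrancy
# described above. Assumption: the affected Vyper versions allocated a separate
# lock slot per function for the same key, so the lock did not span functions.
class Reentered(Exception): pass  # stands in for the EVM revert when the lock is held

class Pool:
    def __init__(self, shared_lock):
        self.shared_lock = shared_lock      # True models a correct compiler
        self.locks = {}                     # lock slot -> held?
        self.eth_balance = 0                # ETH the contract actually holds
        self.total_supply = 0               # LP tokens outstanding
        self.lp = {}                        # LP balance per user
        self.on_receive = lambda p, u, e: None  # receiver's code run during the ETH send
    def _slot(self, fn):
        return "lock" if self.shared_lock else (fn, "lock")
    def _enter(self, fn):
        if self.locks.get(self._slot(fn)):
            raise Reentered(fn)
        self.locks[self._slot(fn)] = True
    def add_liquidity(self, user, eth):
        self._enter("add_liquidity")
        # LP is minted pro rata against the ETH held at this moment
        minted = eth if not self.total_supply else eth * self.total_supply // self.eth_balance
        self.eth_balance += eth
        self.total_supply += minted
        self.lp[user] = self.lp.get(user, 0) + minted
        self.locks[self._slot("add_liquidity")] = False
        return minted
    def remove_liquidity(self, user, burn):
        self._enter("remove_liquidity")
        eth_out = burn * self.eth_balance // self.total_supply
        self.eth_balance -= eth_out               # ETH leaves the contract...
        self.on_receive(self, user, eth_out)      # ...and the receiver's code runs
        self.total_supply -= burn                 # accounting is updated only afterwards
        self.lp[user] -= burn
        self.locks[self._slot("remove_liquidity")] = False
        return eth_out

def lp_after_reentry(shared_lock):
    """Pool holds 100 ETH / 100 LP; 'lp' owns half, withdraws it and re-deposits the ETH
    from inside the callback. Returns lp's final LP balance (a sequential withdraw then
    deposit would leave 50), or None where a working lock reverts the whole call."""
    pool = Pool(shared_lock)
    pool.add_liquidity("other", 50)
    pool.add_liquidity("lp", 50)
    pool.on_receive = lambda p, user, eth: p.add_liquidity(user, eth)
    try:
        pool.remove_liquidity("lp", 50)
    except Reentered:
        return None  # correct lock: transaction reverts, pool state is discarded
    return pool.lp["lp"]
```

With the per-function lock the reentered deposit is priced against the reduced ETH balance but the not-yet-reduced LP supply, so the user ends with 100 LP instead of 50; with the shared lock the reentry reverts.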
No.6 CoinEx
Losses: $70 million
Attack type: Private key compromise / APT attack
On September 12th exchange CoinEx stated that its risk control systems had detected suspicious large withdrawals from temporary hot wallets storing the platform's transaction assets. A special team was formed; losses involved assets such as ETH, TRON and Polygon tokens, totaling around $70 million.
No.7 Atomic Wallet
Losses: $67 million
Attack type: Private key compromise / APT attack
Beosin’s EagleEye platform detected Atomic Wallet was hacked in early June. Based on reported on-chain victim data, Beosin estimates losses of at least $67 million.
No.8 Alphapo
Losses: $60 million
Attack type: Private key compromise / APT attack
On July 23rd payments provider Alphapo’s hot wallet was hacked for $60 million. North Korean hacker group Lazarus was behind the breach.
No.9 KyberSwap
Losses: $54.7 million
Attack type: Contract vulnerability - business logic flaw
On November 22nd, DEX KyberSwap suffered a $54.7 million exploit. Kyber said it was one of DeFi’s most complex attacks, requiring precise on-chain execution for the hacker.
No.10 Stake.com
Losses: $41.3 million
Attack type: Private key compromise / APT attack
On September 4th crypto casino site Stake.com was hacked. Stake.com stated unauthorized transactions occurred from its ETH and BSC hot wallets. The breach was attributed to North Korean APT group Lazarus.
3. Loss by Project Type
Compared to 2022, attacked project types were more diverse in 2023, and losses were more distributed across project types rather than concentrated on a few. In addition to common targets like DeFi, CEX, DEX, public blockchains, cross-chain bridges and wallets, attacks also occurred against payment platforms, casinos, crypto brokers, infrastructure, password managers, developer tools, MEV bots, TG bots and more in 2023.
Of the 191 attacks in 2023, 130 targeted DeFi projects (about 68%), the most among all types. DeFi attacks resulted in about $408 million in losses, 29.2% of total losses, also the most of any type.
CEXs (centralized exchanges) ranked 2nd in losses, with 9 attacks causing $275 million in losses. There were also 16 attacks on DEXs (decentralized exchanges), resulting in $85.68 million in losses. Overall, exchange security was the largest issue after DeFi security in 2023.
Public blockchains ranked 3rd in losses at about $208 million, mainly due to the $200 million Mixin Network hack.
In 2023 cross-chain bridge losses ranked 4th, accounting for about 7% of total losses. In 2022, 12 cross-chain bridge attacks caused $1.89 billion in losses, 52.5% of the year's total. Bridge attacks significantly declined in 2023.
Crypto payment platforms ranked 5th, with 2 incidents (Alphapo and CoinsPaid) totaling $97.3 million in losses. Both attacks were attributed to North Korean APT group Lazarus.
4. Loss by Chain
Compared to 2022, blockchain types were also more diverse due to several CEX private key compromise incidents that caused losses across multiple chains. The top 5 by losses were Ethereum, Mixin, HECO, BNB Chain and TRON. The top 5 by attack incidents were BNB Chain, Ethereum, Arbitrum, Polygon, and a tie between Optimism and Avalanche for 5th.
As in 2022, Ethereum saw the most losses - 71 Ethereum attacks caused $766 million in losses, 54.9% of the yearly total.
Mixin Network ranked 2nd with a single $200 million incident. HECO chain ranked 3rd with about $92.6 million in losses.
BNB Chain saw the most attacks at 76, about 39.8% of the total. BNB Chain losses totaled about $70.81 million, with 88% of attacks under $1 million.
5. Attack Type Analysis
Compared to 2022, attack types diversified in 2023, incorporating more Web2 tactics like: database compromise, supply chain attacks, third party service provider attacks, man-in-the-middle attacks, DNS attacks, and front end attacks.
In 2023, 30 private key compromise incidents caused $627 million in losses, 44.9% of the total, making it the most damaging attack type. Major private key compromise incidents included: Poloniex ($126 million), HTX & Heco Bridge ($110 million), CoinEx ($70 million), Atomic Wallet ($67 million) and Alphapo ($60 million). Most were linked to North Korean APT group Lazarus.
Contract vulnerability exploitation was the most frequent attack type - 99 of 191 attacks (51.8%). Total losses from contract vulnerabilities ranked 2nd at $430 million.
By subtype of contract vulnerabilities, business logic vulnerabilities were the most frequent and damaging - about 72.7% of contract vulnerability losses ($313 million) stemmed from business logic flaws. Reentrancy ranked 2nd with $93.47 million in losses across 13 incidents.
6. Stolen Fund Flow Analysis
Of 2023's total stolen funds, about $723 million remained in hacker addresses (including funds bridged to other chains), 51.8% of the total. Compared to last year, hackers favored more complex money laundering via cross-chain transfers and distribution across multiple addresses. More addresses and intricate laundering paths make investigations harder for projects and regulators.
About $295 million in stolen funds were recovered, 21.1% of losses, a major improvement from just 8% recovered in 2022. Most recovery occurred via on-chain negotiation.
About $330 million in stolen funds were sent to mixers (about $71.16 million to Tornado Cash, $259 million to other mixers), accounting for 23.6% of total losses, a significant reduction from 38.7% in 2022. Since Tornado Cash was sanctioned by US OFAC in August 2022, flows to it dropped substantially, with increases to other mixers like Sinbad and FixedFloat instead. In November 2023 Sinbad was sanctioned by OFAC as "a major money laundering tool for North Korean Lazarus group."
Additionally, some stolen funds ($12.79 million) were sent to exchanges, while a small portion ($10.9 million) was frozen.
7. Audit Analysis
Of the 191 attacks, 79 targeted unaudited projects while 101 had been audited. The audited project ratio was slightly higher than last year (roughly equal audited/unaudited in 2022).
47 of the 79 unaudited projects (59.5%) were exploited for contract vulnerabilities. This shows unaudited projects tend to have more latent risks. In comparison, 51 of 101 audited projects (50.5%) had contract exploits. This demonstrates audits improve security to some degree.
However, the lack of standards in the Web3 market leads to inconsistent audit quality, with results falling short of expectations. To effectively safeguard assets, projects are advised to seek professional security firms for auditing before launch.
As a leading global blockchain security firm devoted to ecological security, Beosin has audited over 3,000 smart contracts and public chains, including PancakeSwap, Ronin Network, OKCSwap and more. As a reputable blockchain security provider, Beosin delivers excellent audit services.
8. Rug Pull Analysis
In 2023, Beosin's EagleEye platform monitored 267 Web3 rug pulls totaling about $388 million in losses, an 8.7% decline from 2022.
By amount, 233 of 267 rug pulls (87%) involved less than $1 million, roughly even with 2022. There were 4 rug pulls above $10 million: Multichain ($210 million), Fintoch ($31.6 million), BALD ($23 million) and PEPE ($15.5 million).
92.3% of rug pulls occurred on BNB Chain (159) and Ethereum (81). Smaller quantities occurred on other chains like Arbitrum, BASE, Sui and zkSync.
9. 2023 Global Crypto Crime Data
Global 2023 crypto crime losses reached a staggering $65.68 billion, up about 377% from $13.76 billion in 2022. While on-chain hacks declined sharply, crime in other crypto areas surged dramatically. Topping the list was illegal gambling at $549 billion. Other leading categories were money laundering ($4 billion), scam ($2.05 billion), pyramid schemes ($1.43 billion) and hacks ($1.39 billion).
With improving global regulation and law enforcement crackdowns, 2023 saw police globally take down multiple billion-dollar crypto crime cases. Some major examples:
No.1 In July 2023, Hubei police in China busted the nation’s largest ever cryptocurrency case with transactions reaching 400 billion RMB ($54.9 billion). The online gambling operation involved over 50,000 people. Servers were overseas and key perpetrators like Qiu have been prosecuted.
No.2 In August 2023, Singapore authorities uncovered the state’s largest money laundering case at 2.8 billion SGD, mainly involving cryptocurrency.
No.3 In March 2023, Jiangsu police in China prosecuted Ubank’s $1.4 billion cryptocurrency pyramid scheme.
No.4 In December 2023, cryptocurrency exchange Bitzlato’s co-founder pleaded guilty to $700 million money laundering charges per New York prosecutors.
No.5 In July 2023, Brazilian federal police dismantled two drug cartels moving over $417 million in crypto money laundering.
No.6 In February 2023, US prosecutors indicted Forsage’s founders for a $340 million DeFi Ponzi fraud.
No.7 In November 2023, Himachal Pradesh police in India arrested 18 people regarding a $300 million cryptocurrency fraud.
No.8 In August 2023, Israeli police charged businessman Moshe Hogeg and partners with a $290 million cryptocurrency investment scam.
No.9 In June 2023, Thai police uncovered a potential $2.88 billion crypto fraud scheme.
No.10 In October 2023, Hong Kong SAR police cumulatively arrested 66 people regarding the $205 million JPEX crypto exchange scam.
2023 saw an explosion in crypto crime cases globally. The prevalence of fraud and pyramid schemes also greatly increased average users’ risks of losses. Thus improved regulation is imperative. While global regulators made considerable efforts this year, there is still a long way to go toward a mature, safe and developing ecosystem.
10. 2023 Web3 Security Summary
In 2023, on-chain hacks, phishing and rug pulls declined notably from 2022. Hacking losses dropped 61.3%, with top attack types shifting from contract exploits in 2022 to private key compromise in 2023. Key reasons include:
1. After last year's rampant hacking activities, the Web3 ecosystem emphasized security in 2023 across projects and security firms. Efforts are seen in areas like real-time monitoring, auditing and learning from past hacking events. Exploiting contracts became more difficult than before.
2. Strengthening global regulation and improving anti-money laundering technologies. In 2023, 21.1% of stolen funds were recovered, far higher than 8% in 2022. As mixers like Tornado Cash and Sinbad were sanctioned by the US, money laundering grew more complex for hackers. We're also seeing news of hackers being arrested by local police, all of which acts as a deterrent to hackers.
3. The crypto bear market's impact. Lower expected profits from Web3 reduced hacking incentives. Hackers expanded beyond DeFi, cross-chain bridges and exchanges to target payment platforms, casinos, crypto brokers, infrastructure, password managers, developer tools, MEV bots, TG bots and more.
In contrast to plummeting on-chain hacks, less visible offline crypto crimes like gambling, money laundering and fraud spiked heavily due to the anonymity cryptocurrencies provide. However, solely attributing surging virtual currency crimes to anonymity and oversight issues is one-sided. The root cause is increasing global crime itself, with cryptocurrencies offering hidden, hard-to-trace channels. In 2023, slowing global economic growth and political instability enabled crime levels to soar. With similar economic expectations for 2024, global crime will likely remain high, posing severe challenges for authorities and regulators.