Web3 projects lost more than $2 billion in 2023 to hacks, rug pulls and phishing scams, according to the blockchain security firm Beosin. In a new annual report, the crypto security firm notes 191 major attacks this year resulted in roughly $1.397 billion in losses, 267 rug pulls caused $388 million in losses, and phishing […]
The post Web3 Projects Lose $2,020,000,000 in 2023 to Hacks, Rug Pulls and Phishing Attacks: Crypto Security Firm appeared first on The Daily Hodl.
Web3 security company Beosin EagleEye says that there was a drastic increase in illicit crypto activities during the third quarter of 2023. In the July to September quarter, the “total losses from hacks, phishing scams, and rug pulls in Web3 reached $889.26 million” with hacks or major attacks constituting about 60% of the losses, according […]
The post $889,260,000 in Crypto Lost to Hacks, Scams and Rug Pulls in Q3 of 2023, According to Blockchain Security Firm appeared first on The Daily Hodl.
A new report from a bug bounty platform shows that the amount of crypto assets lost to hacks and frauds took a dive in August. According to Immunefi, $23,366,220 worth of digital assets were lost in August, marking a sharp decline from the $320,498,660 worth of losses recorded in July. Crypto losses from hacks and […]
The post More Than $23,000,000 Worth of Crypto Lost to Hacks and Frauds in August: Bug Bounty Platform Immunefi appeared first on The Daily Hodl.
A new report from blockchain security firm Beosin reveals that the crypto market recorded losses of over half a trillion dollars in the first half of the year from hacks and other illicit schemes. Newly released security data from the company shows that the web3 space sustained $655.61 million worth of losses from hacks, phishing […]
The post $656,000,000 in Crypto Lost in Hacks, Scams and Rug Pulls In First Half of 2023: Blockchain Security Firm appeared first on The Daily Hodl.
Over $45 million was lost to exit scams in May while exploits on DeFi protocols racked up less than half that amount over the same period.
The amount of cryptocurrency lost to "rug pull" or "exit scams" — where founders suddenly up and leave with investors’ money — had outpaced the amount stolen from decentralized finance (DeFi) projects in May, a blockchain security firm has revealed.
A June 1 report from Beosin said in May total losses from rug pulls and scams reached over $45 million across six incidents.
Meanwhile, there were 10 attacks on decentralized finance (DeFi) protocols that netted only $19.7 million. The amount is a nearly 80% decrease from April and losses from these types of exploits had been on the decline for two months, it added.
Rug Pull Outpaces Attacks: The total amount involved in #rugpull reached $45.02 million, surpassing losses from attacks
— Beosin Blockchain Security (@Beosin_com) June 1, 2023
2/5
The largest of such rug pulls was the $32 million that crypto project Fintoch is alleged to have made off with on May 24. The $7.5 million attack on the DeFi platform Jimbos protocol was the largest attack last month according to Beosin.
Related: Could Ben.eth’s PSYOP tokens face legal scrutiny? It depends, say lawyers
“Hackers and scammers are gradually shifting the target of their attacks from various project parties to ordinary users,” Beosin wrote.
It recommended crypto users “raise their anti-fraud awareness,” undertake due diligence on a project before investing and learn how to better safeguard their crypto.
Beosin also warned against using shared or public charging devices for mobile phones as these could potentially be modified to inject malicious programs that could compromise private keys.
In April, the United States Federal Bureau of Investigation (FBI) issued a similar warning the use of free charging stations such as those found at airports should be avoided.
Avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead. pic.twitter.com/9T62SYen9T
— FBI Denver (@FBIDenver) April 6, 2023
“Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices,” the FBI’s Denver office tweeted on April 6. It instead advised carrying a charger and USB cord for use in an electrical outlet.
Hall of Flame: Crypto Wendy on trashing the SEC, sexism, and how underdogs can win
The month was particularly bad for exploits, with the amount lost accounting for half of the total crypto exploited so far in 2023.
Crypto exploits, exit scams, and flash loan attacks saw little signs of letting up in April, with more than $103 million of funds stolen from crypto projects and investors in the month.
On April 30, crypto security and auditing firm CertiK posted an April roundup of crypto exploits, scams, and hacks, revealing total funds lost in April was $103.7 million, bringing the year-to-date total loss to $429.7 million.
The month was particularly marred with major crypto exploits, such as $25.4 million lost due to an exploit of several MEV trading bots on April 3, $22 million stolen in a hot wallet exploit at the Bitrue exchange and the hack of South Korean GDAC exchange leading to a loss of $13 million.
The total lost to crypto and DeFi exploits in the month amounted to $74.5 million, making up around half of the total $145 million exploited in the first four months of the year, according to CertiK.
The month also saw around $20 million lost to flash loan attacks, led mainly by Yearn Finance after a hacker exploited an old smart contract on April 13.
The blockchain security firm noted that total funds lost to exit scams reached $9.4 million in the month, with the top exit scam for the month being Merlin DEX which lost $2.7 million. On April 26, CertiK reported that it was investigating a “potential private key management issue” at the exchange.
Furthermore, the exit scam occurred after the protocol was audited by CertiK which warned about centralization issues. CertiK launched a compensation plan following the attack in which it urged the rogue developer to return 80% of the stolen funds with a 20% white hat bounty offered.
Related: One crypto wallet launched 114 dodgy memecoins in two months
According to De.Fi’s Rekt Database, there were over 50 crypto exploits, scams, hacks, and rug pulls in April. Moreover, a large portion of them was memecoin rug pulls.
The most recent was the Polygon-based Ovix protocol which lost $2 million in a flash loan attack on April 28.
Magazine: US enforcement agencies are turning up the heat on crypto-related crime
Crystal Blockchain, a company that provides blockchain data and analytics, published a study covering security breaches, fraud, and scams related to cryptocurrency and decentralized finance (defi). According to the study, approximately $16.7 billion in crypto assets have been stolen since 2011. Last year, Crystal’s intelligence team documented 199 incidents resulting in the theft of $4.17 […]
SlowMist found that across 303 recorded blockchain security incidents in 2022, nearly a third were made up of phishing attacks, rug pulls and scams.
Blockchain security firm SlowMist has highlighted five common phishing techniques crypto scammers used on victims in 2022, including malicious browser bookmarks, phony sales orders and trojan malware spread on messaging app Discord.
It comes after the security firm recorded a total of 303 blockchain security incidents in the year, with 31.6% of these incidents caused by phishing, rug pull or other scams, according to a Jan. 9 SlowMist blockchain security report.
One of the phishing strategies makes use of bookmark managers, a feature in most modern browsers.
SlowMist said scammers have been exploiting these to ultimately gain access to a project owner’s Discord account.
"By inserting JavaScript code into bookmarks through these phishing pages, attackers can potentially gain access to a Discord user's information and take over the permissions of a project owner's account,” the firm wrote.
After guiding victims to add the malicious bookmark through a phishing page, the scammer waits until the victim clicks on the bookmark while logged into Discord, which triggers the implanted JavaScript code and sends the victim's personal information to the scammer's Discord channel.
During this process, the scammer can steal a victim's Discord Token (encryption of a Discord username and password) and thus gain access to their account, which allows them to post fake messages and links to more phishing scams posing as the victim.
Out of 56 major NFT security breaches, 22 of those were the result of phishing attacks, added SlowMis
One of the more popular methods used by scammers would trick their victims into signing over NFTs for practically nothing through a phony sales order.
Once the victim signs the order, the scammer can then purchase the user's NFTs through a marketplace at a price determined by them.
"Unfortunately, it's not possible to deauthorize a stolen signature through sites like Revoke," the report wrote.
"However, you can deauthorize any previous pending orders that you had set up, which can help mitigate the risk of phishing attacks and prevent the attacker from using your signature."
According to SlowMist, this type of attack usually occurs through private messages on Discord where the attacker invites victims to participate in testing a new project, then sends a program in the form of a compressed file that contains an executable file of about 800 MB.
After downloading the program, it will scan for files containing key phrases like "wallet" and upload them to the attacker's server.
"The latest version of RedLine Stealer also has the ability to steal cryptocurrency, scanning for installed digital currency wallet information on the local computer and uploading it to a remote control machine,” said SlowMist.
“In addition to stealing cryptocurrency, RedLine Stealer can also upload and download files, execute commands, and send back periodic information about the infected computer."
This phishing attack allows scammers to use your private key to sign any transaction they choose. After connecting your wallet to a scam site, a signature application box may pop up with a red warning from MetaMask.
After signing, attackers gain access to your signature, allowing them to can construct any data and ask you to sign it through eth_sign.
“This type of phishing can be very confusing, especially when it comes to authorization," said the firm.
For this scam, attackers airdrop small amounts of tokens, such as .01 USDT or 0.001 USDT to victims often with a similar address, except for the last few digits in the hopes of tricking users into accidentally copying the wrong address in their transfer history.
The rest of the 2022 report covered other blockchain security incidents in the year, including contract vulnerabilities and private key leakage.
Related: DeFi-type projects received the highest number of attacks in 2022: Report
There were roughly 92 attacks using contract vulnerabilities in the year, totaling nearly $1.1 billion in losses because of flaws in smart contract design and hacked programs.
Private key theft on the other hand accounted for roughly 6.6% of attacks and saw at least $762 million in losses, the most prominent examples being the Ronin bridge and Harmony’s Horizon Bridge hacks.
Blockchain security firm Peckshield shared the stats on Halloween night, but also added the month saw $100 million in crypto returned.
The month of October has broken all records for crypto exploits and the amount of digital loot pilfered — living up to its new moniker of "Hacktober" — according to the latest figures.
On Oct. 31, blockchain security firm PeckShield tweeted some scary statistics for the month, reporting a total of $2.98 billion in stolen digital assets as of Oct. 31, 2022, which is nearly double the $1.55 billion lost in all of 2021.
"Hacktober" saw around 44 exploits affecting 53 protocols, it added. Malicious actors made off with a whopping $760 million in the month, however, $100 million had been returned.
#PeckShieldAlert ~44 exploits (53 protocols affected) grabbed ~$760.2M in Oct. 2022, and ~$100M already returned the exploited protocols (Total loss: $657.2M)
— PeckShieldAlert (@PeckShieldAlert) October 31, 2022
As of October 2022, the stolen funds (~$3B) in 2022 “doubled” last year’s loss pic.twitter.com/mKZAjVk7UU
After October, March was the second-highest month for hacked funds with just under $710 million stolen. The majority of this was from the Ronin bridge exploit which resulted in $625 million in crypto assets being pilfered.
The top exploit for October was by far the BNB Chain which lost $586 million according to PeckShield. It listed the Mango Markets DeFi protocol as second, despite it including an agreement with the exploiter to return some of the funds.
There were several other notable exploits in October according to DeFiYield’s Rekt Database. These include the Freeway crypto yield platform which it classified as a $60 million rug pull, Transit Swap which lost $29 million, Team Finance taking a $13 million hit, and Moola Market losing $9 million.
Related: Barely halfway and October’s the ‘biggest month’ in crypto hacks
DeFiYield released its own report on Nov. 1 depicting the dire state of the hackfest that took place last month.
It claims that more than $1 billion was lost to crypto scams in October though it includes what it considers as rug pulls and Ponzis in addition to direct protocol exploits. DeFiYield reported 35 total incidents for the month, 15 of which were rug pulls.
On a brighter note, the report stated that almost $890 million in crypto funds had been recovered so far in 2022.
While projects cannot wholly prevent bad actors from infiltrating the DeFi realm, security specialists say there are ways to deter such practices.
The rise of community-oriented blockchain security companies may be making it more difficult for alleged bad actors to get away without a trace.
Early Wednesday, CertiK issued a community alert regarding Flurry Finance, where its smart contracts were allegedly breached by hackers, leading to $293,000 worth of funds being stolen. Shortly after the incident, CertiK published the wallet addresses of the alleged perpetrator, the address of the malicious token contract, and a PancakeSwap pair address allegedly involved in the attack, leading to a warning issued on BscScan. While the firm audited the project's smart contracts, it appears that the exploit was the result of external dependencies.
#CommunityAlert @FlurryFi’s Vault contracts were attacked leading to around $293K worth of assets being stolen from Vault contracts
— CertiK Security Leaderboard (@CertiKCommunity) February 22, 2022
Incident Analysis
In another instance, on Feb. 20, social media users reported that Avalanche (AVAX)-based project Atom Protocol allegedly turned into a rug-pull hours after launch, with a screenshot from the project's alleged Twitter account (now deleted) stating:
"There is a problem/mistake in the contracts; we can't do anything. So we have to close the project, sorry."
In a report published Tuesday, Assure DeFi, a verification company providing Know Your Customer, or KYC, as well as checks on project developers, lists one French national on file as responsible for Atom Protocol. The firm conducts such checks and then creates publicly viewable compliance content. Through a statement to Cointelegraph, Assure DeFi explained that it's important to understand that knowing someone's name, address, nationality, etc., does not prevent them from committing a crime. But, Assure DeFi reps elaborated:
"It does, however, create an accountability path to pursue legal recourse against bad actors...which is the value that the Assure DeFi KYC Verification process provides."
The report lists $87,440 being stolen via the alleged rug pull and estimates that the number of "injured parties" surpasses 1,000. According to Assure DeFi, victims are urged to contact Binance support asking to freeze the alleged perpetrator's wallet and contact French law enforcement authorities regarding the alleged crime.
We believe that many people are still misunderstanding the role of KYC/verification.
— Assure DeFi (@AssureDefi) February 20, 2022
KYC is a deterrent and not a scam prevention and if anyone says otherwise they are misleading you.
The real value of KYC is having a validated real-world identity behind a project..
