Web3 projects witnessed $685.5 million in losses during the third quarter, with major exploits on the cross-chain protocols Mixin Network and Multichain accounting for almost half of the total losses. The third quarter losses represent a 59.9% increase on the $428.7 million lost in the second quarter, with incidents rising 153% year-on-year, according to the latest figures. report from web3 bug bounty platform Immunefi.
The losses marked the worst quarter of the year, reaching $1.4 billion in 2023 due to hacks and fraud. “Q3 witnessed the largest loss of this year, driven by large-scale attacks such as those on Mixin Network and Multichain,” Immunefi CEO Mitchell Amador said in the report. “State-backed actors played a crucial role as they were reportedly behind several cases this quarter. Their specific focus on CeFi led to a sharp increase in losses within this sector.”
Mixin Network’s $200 million exploit in September and Multichain’s $126 million stolen funds in July alone were responsible for $326 million in losses, accounting for 47.5% of the third quarter total. The North Korean regime-backed Lazarus Group, allegedly behind high-profile attacks on platforms including CoinEx ($70 million), Alphapo ($60 million), Stake ($41.3 million) and CoinsPaid ($37.3 million), stole a total $208.6 million – which amounts to $30 million. % of losses in the third quarter.
Ethereum was the most targeted network, recording 35 out of 76 incidents (42.7% of losses), while BNB Chain witnessed 25 incidents, accounting for 30.5% of losses. The Coinbase-incubated Layer 2 network Base followed and suffered losses in four projects since its launch on August 9, namely LeetSwap, SwirlLend, Magnate Finance and RocketSwap. Optimism was responsible for three of the incidents.
Crypto Losses Q3 2023. Image: Immune.
DeFi hacks lead to crypto losses in the third quarter
Approximately $662.9 million was lost to hacks across 49 exploits, accounting for 96.7% of losses – up 66.1% year-over-year. Meanwhile, $22.6 million was lost to 27 cases of fraud, scams and rug-pulling, totaling 3.3% of losses combined – down 23.9% year-on-year.
DeFi platforms remained the most attractive targets for cybercriminals, suffering $499.8 million (72.9%) in losses in the third quarter – up 18.5% year-over-year and adding to approximately $3 billion in funds raised to date have been stolen by DeFi attackers, according to The Block’s data dashboard. Centralized platforms accounted for the remaining 27.1% – worth $185.7 million – marking an eye-watering 3,400% increase compared to last year’s third quarter.
Some small consolation is the recovery of $61.2 million in stolen money from six cases, representing just 8.9% of total losses in the third quarter. Curve Finance recovered the most, recovering $5.3 million of $24 million stolen. However, recovery efforts are ongoing, with Mixin Network offering hackers a $20 million “bug bounty” last week in an on-chain message intended to incentivize the return of the stolen funds.
Immunefi says yes paid more than $80 million in premiums and saved more than $25 billion in user funds through protocols like Chainlink, The Graph, Synthetix and MakerDAO.
Last week, Immunefi launched on-chain vaults as the first milestone toward decentralizing its bug bounty platform.