01 Jan 2024 5 min read

Immunefi Crypto Losses Report 2023

Immunefi Crypto Losses Report 2023

The team at Immunefi, the leading bug bounty and security services platform for crypto, has assessed the volume of crypto funds lost by the community due to hacks and scams in 2023.

Overview

We have located 319 instances of hacks and alleged fraud in 2023, including both successful and semi-successful hacking attempts.

In total, we have seen a loss of $1,803,050,600 across the web3 ecosystem in 2023. $1,699,632,321 was lost to hacks across 247 specific incidents and $103,418,279 was lost to fraud across 110 specific incidents. Most of that sum was lost by two specific projects: Mixin Network and Euler Finance.

This number represents a 54.2% decrease compared to 2022, when hackers and fraudsters stole $3,948,856,037.

Key Takeaways in 2023

  • The two major exploits of the year, Mixin Network and Euler Finance, alone accounted for $397,000,000, representing 22% of all losses in 2023.
  • Hacks continued to be the predominant cause of losses at 94.3% compared to frauds, scams, and rug pulls at 5.7%.
  • The Lazarus Group was responsible for $308,600,000 stolen in 2023, representing 17% of total year losses. The group was allegedly behind attacks on Atomic Wallet, CoinEx, Alphapo, Stake, and CoinsPaid.
  • DeFi continued to be the main target at 77.3% compared to CeFi at 22.7%.
  • The two most targeted chains were BNB Chain (133 incidents, 41.6%) and Ethereum (95 incidents, 29.8%). Polygon came in third with 10 incidents, followed by Avalanche with 6.
  • $241,701,085 has been recovered from stolen funds in 19 specific situations — 13.4% of total losses.
  • The number of single incidents increased 89.8% YoY from 168 in 2022 to 319 in 2023, while total losses decreased by 54.2%.
  • BNB Chain surpassed Ethereum and became the most targeted chain.
  • Organized hacker groups like Lazarus have switched to primarily targeting CeFi due to outsized returns.

Top 10 Losses in 2023

Mixin Network $200,000,000;
Euler Finance $197,000,000;
Multichain $126,000,000;
Poloniex $126,000,000;
BonqDAO $120,000,000;
Atomic Wallet $100,000,000;
Heco Chain $85,400,000;
CoinEx $70,000,000;
Alphapo $60,000,000;
KyberSwap $48,300,000

Losses by Quarter in 2023

In 2023, Q3 took the lead with $685,970,444 in total losses across 75 incidents, representing 38% of total losses. In 2022, Q4 had taken the lead with $1,620,138,807.

  • Q1 2023: $437,483,543 — a 64.4% decrease vs Q1 2022. Top losses: Euler Finance and BonqDAO ($317,000,000 combined).
  • Q2 2023: $265,481,519 — a 60.4% decrease vs Q2 2022. Top losses: Atomic Wallet and Fintoch ($131,600,000 combined).
  • Q3 2023: $685,970,444 — a 56.5% increase vs Q3 2022. Top losses: Mixin Network and Multichain ($326,000,000 combined).
  • Q4 2023: $414,115,094 — a 74.4% decrease vs Q4 2022. Top losses: Poloniex and Heco Chain ($211,400,000 combined).

Major Exploits in 2023

Most of the 2023 loss sum was lost by two specific projects, Mixin Network and Euler Finance, totalling $397,000,000 — 22% of 2023 losses alone.

Mixin Network, $200 Million — On September 23rd, 2023, the decentralized Mixin network was breached, and cybercriminals took $200 million-worth of digital tokens.

Euler Finance, $197 Million — On March 13th, 2023, Euler Finance, a DeFi lending protocol, suffered a flash-loan attack. The attacker drained $136 million of stETH, $34 million of USDC, $19 million of WBTC, and $8.7 million of DAI.

Lazarus Group in Focus — The Lazarus Group, a North Korea-affiliated hacker group, was responsible for $308,600,000 stolen in 2023 — 17% of total year losses. Attacks: Atomic Wallet ($100M), CoinEx ($70M), Alphapo ($60M), Stake ($41.3M), CoinsPaid ($37.3M). See the Immunefi Lazarus Group Report (link) for more.

Hacks vs. Fraud Analysis

Hacks account for 94.3% of total losses in 2023, fraud for 5.7%.

  • Hacks: $1,699,632,321 across 219 specific incidents — a 54.9% decrease vs 2022 ($3,773,906,837).
  • Fraud: $103,418,279 across 100 specific incidents — a 40.9% decrease vs 2022 ($174,949,200).

DeFi vs. CeFi Analysis

DeFi represents 77.3% of total losses, CeFi 22.7%.

  • DeFi: $1,394,142,600 across 306 incidents — a 56.1% decrease vs 2022 ($3,180,023,103).
  • CeFi: $408,908,000 across 13 incidents — a 46.8% decrease vs 2022 ($768,832,934).

Losses by Chain

BNB Chain and Ethereum represent more than half of chain losses in 2023. Polygon came in third with 10 incidents (3.1%), followed by Avalanche with 6.

Funds Recovery

$241,701,085 has been recovered from stolen funds in 19 specific situations — 13.4% of total losses in 2023. Largest recoveries: Euler Finance ($177M of $197M), Curve/Vyper ($38M of $57.8M), HTX Exchange ($8.2M of $30M), Deus Finance ($5.5M of $6.4M), KyberSwap ($4.67M of $48.3M), Stars Arena ($2.68M of $3M).

Web3 Security in 2024

Key Trends in 2024

  • The number of new protocols and projects will likely continue to grow.
  • With the persistent rise in cryptocurrency prices, next year may see the most substantial losses in Web3 ever.
  • Project infrastructure challenges will remain a major source of vulnerabilities.
  • While DeFi may experience an increase in individual attacks, organized groups are expected to focus on CeFi due to outsized returns.

Crypto Losses in Q4 2023

IN FOCUS

In total, we have seen a loss of $414,115,094 across the web3 ecosystem in Q4 2023. $397,210,523 was lost to hacks across 50 specific incidents and $16,904,571 was lost to fraud across 40 specific incidents — a 74.4% decrease vs Q4 2022 ($1,620,138,807). Most of the sum was lost by Poloniex and Heco Chain.

Key Takeaways in Q4 2023

  • The 2 major exploits totalled $211,400,00051.1% of all Q4 losses.
  • Hacks accounted for 95.9% of losses, frauds for 4.1%.
  • DeFi was the main target at 55.5%, CeFi at 44.5%.
  • BNB Chain (39 incidents, 43.3%) surpassed Ethereum (36 incidents, 40%) as the most targeted chain. Avalanche followed with 3.
  • $15,729,077 recovered from stolen funds in 4 situations — 3.8% of Q4 losses.

Major Exploits in Q4

Poloniex, $126 Million — On October 10, 2023, the crypto exchange Poloniex saw more than $126 million worth of crypto assets exit one of its wallets due to a hack.

Heco Chain, $85.4 Million — On October 22, 2023, $85.4 million worth of cryptocurrency was stolen from Heco Chain.

Q4 2022 vs. Q4 2023

  • Hacks: down 73.5% vs previous period.
  • Fraud: down 85.9% vs previous period.
  • DeFi: down 75.4% vs previous period.
  • CeFi: down 73.1% vs previous period.

Download the full report here.

Get the full dataset here.

For questions about this study or Immunefi itself, reach out at press@immunefi.com

About Immunefi

Immunefi is the leading security platform for crypto, protecting more than $180 billion in user funds, and securing protocols across the full development lifecycle, from pre-deployment through production.

Research

You might also like

The Ecosystem Vulnerability Scoreboard: 6 Years of DeFi Loss Data

The Ecosystem Vulnerability Scoreboard: 6 Years of DeFi Loss Data

12 min read
Nearly Every Long-Running Bug Bounty Program on Immunefi Has Found a Critical Bug

Nearly Every Long-Running Bug Bounty Program on Immunefi Has Found a Critical Bug

8 min read
What an Onchain Hack Actually Costs: 2024-2025 Update

What an Onchain Hack Actually Costs: 2024-2025 Update

8 min read