Cyber security firm CertiK revealed Tuesday that despite declining hacks across the crypto sector in the previous quarter, the total value thieves made off with soared.
In its latest Web3 security report, CertiK said hackers managed to siphon away $750 million across 155 incidents, bringing the year's total losses to nearly $2 billion.
It marks an approximate 9.5% increase in the value lost despite 27 fewer incidents compared to the previous quarter.
The report identifies phishing and private key compromises as the most prevalent attack vectors, accounting for $668 million in losses. Phishing alone caused $343 million in damages across 65 incidents.
A standout case involved a Bitcoin whale who suffered a $238 million loss in August, making it the single most significant phishing attack for Q3. The attack compromised the whale's wallet, and although some funds were recovered by the community, most of the stolen amount remains unaccounted for.
Private key compromises were responsible for approximately $317 million in losses across just 10 incidents. The most notable private key attack was on WazirX, one of India’s leading crypto exchanges.
In July, hackers exploited WazirX’s private key vulnerabilities, leading to the theft of $231 million across more than 200 cryptocurrencies, including Shiba Inu (SHIB), Ethereum (ETH), and Polygon (MATIC), making it one of the most major breaches in Q3.
A target on Ethereum’s back
Ethereum continues to be the prime target for attacks, with $387.8 million stolen across 86 incidents, far surpassing any other blockchain, the cyber security firm found.
Multichain hacks were also prominent, with $89.8 million stolen across several networks, revealing the potential risks associated with cross-chain functionality.
While phishing and private key compromises led the quarter in terms of value lost, other notable attack methods included code vulnerabilities and reentrancy exploits.
Code vulnerabilities resulted in $39.6 million in losses over 44 incidents, while reentrancy attacks—which allow hackers to repeatedly withdraw funds before the system can update balances—accounted for $30.3 million in losses across five incidents.
The Q3 CertiK report reveals only 4.1% of stolen funds were recovered this quarter, a sharp decline from the 14.4% recovered in Q2. Despite fewer incidents, the average loss per hack reached $5.93 million, with the median loss at $120,529.
Immunefi, a bug bounty and security services platform, noted a major drop in crypto-related losses in August., as previously reported by Decrypt.
The report revealed total losses amounted to just $15 million across five incidents, marking the lowest monthly total year-to-date and a 94.5% decrease from July’s figures.
Edited by Sebastian Sinclair
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.