Blockchain security provider Beosin has released its Global Web3 Security Report, and the results… are not a good look, to put it mildly.
The amounts lost to hacks, phishing, and rug pulls have all increased as compared to previous quarters, marking a significant upsurge in criminal activity.
All told, almost $900 million was lost to such criminal activity over the past three months.
Hacks were by far the most damaging, with $540 million being lost by crypto companies and projects to cybercriminals.
Prominent crypto companies were not spared either, with some of the largest hacks being those of established names within the crypto industry, including the $200 million Mixin Network Hack and the $73 million Curve Finance exploit.
The Mixin Network Hack by itself accounted for 37 per cent of the total losses for the quarter.
DeFi platforms were the most frequent target, accounting for around two thirds of the total number of breaches.
Traders have also reported a loss of confidence in the DeFi sector, reflected in record low levels of TVL, in part due to the numerous hacks that have continued to plague it.
Of all the attacked projects, Beosin states that nearly half of them have never undergone security audits.
Only 10 per cent of stolen funds have been successfully recovered, and around $800 million thus far remains unrecovered.
While rug pulls did not account for the greatest amount of money lost to crypto crime over the past 3 months, they have shown a very concerning increase. The total amount lost to rug pulls showed an increase of more than 500 per cent.
In Q3, the amount lost to rug pulls was almost the same as the amount lost to hacks, phishing, and rug pulls in Q2 combined.
These rug pulls mainly occurred on Ethereum and Binance, though other chains like Base were also not spared.
Beosin also drew attention to the actions of the North Korean state-backed Lazarus Group, which they described as “very active this quarter”.
Over four different attacks incidents, the group managed to steal over $208 million.
Each time, they managed to obtain large sums, varying from $41.3 million to $70million.
The group was also persistent, spending over half a year to infiltrate one of their targets, CoinsPaid. Attempts varied from social engineering, DDoS, brute force attacks, phishing, and malware.
Compared to the first half of the year, asset recovery rate also dropped significantly. Again, Beosin points to the activity of the Lazarus Group, which was the largest single threat to Web3 security this quarter. The group is not only adept at hacking and infiltrating crypto companies, but also at laundering their proceeds.
Given the increased level of crypto crime, Beosin continues to encourage major crypto service providers to be vigilant against such attacks, and to conduct security training for employees, amongst other measures.