Crypto losses total $428M in Q3, down 36% from previous quarter

Crypto “losses” continued to decline in the third quarter, a new report shows.

Immunefi’s Crypto Losses Q3 report found $428,718,083 worth of losses in Q3, down 36% from $670,698,280 in Q2 and a drop of 62.9% from $1,155,334,775 during the year-ago quarter. Crypto losses are defined as a combination of hacks and alleged fraud incidents like rug pulls in web3 projects, Adrian Hetman, tech lead of the triaging team at Immunefi, told TechCrunch.

Want to hear from the best and brightest in crypto? Attend TechCrunch Sessions: Crypto on November 17 in Miami. Get your tickets here.

Most of those losses derived from two specific incidents involving the cross-chain messaging protocol Nomad and crypto market maker Wintermute, which lost $190 million and $160 million, respectively. These two projects represent around 80% of Q3 losses, it found.

According to the report, crypto losses have declined for the past three quarters in a row, but it’s not clear whether that trend will continue for the rest of the year.

“It’s too soon to understand if there’s a definitive trending decline in crypto losses,” Hetman said. “There are many more reasons for this decrease, such as developers getting more experienced, or bug bounties and security innovations that were brought to the market helping prevent and save the space from countless losses.”

But it’s too early to attribute a cause for the declining crypto losses, Hetman added. “The reality is that hacks are still happening, and still incredibly high-value ones such as Nomad and Wintermute, so it’s important to keep investing in security.”

The value of losses decreased substantially from the year-ago quarter to Q3, Hetman said.

“Over this period we’ve seen more well-established protocols standing the test of time and becoming safer, while poorly managed projects, often carrying low security standards, are disappearing on the back of the bear market,” Hetman said. “Such projects would have been easy attack targets, likely to suffer more losses during this period.”

As more people become crypto-curious or dive into the space, many are unable to distinguish fraud from a legitimate project, Hetman said.

“Promises being made by some of the projects or fraudsters can be appealing,” he added. “Who wouldn’t want to have 30% APY or getting rich quick, or having the NFT of the next big thing in crypto? Sadly, people are being greedy, and when there is greed, there is always a way for scammers to exploit that.”

But it’s not just greed that drives these losses.

“With more people joining the space, we’re noticing broader fraud deployed for unexpecting users who don’t know what to expect from web3 and are more willing to click on malicious links or sign a malicious transaction,” Hetman said. “That’s why crypto security education is important. As more people and developers are aware of certain social engineering techniques, the web3 space will only benefit from that.”

But fraud only accounts for 7% of losses; hacks continue to be the major cause of losses, accounting for 93% in Q3, down four percentage points from 97% in the previous quarter.

“Fraud, rug pulls and scams are taking more time, and the reward compared to smart contract hacks isn’t that high,” Hetman said. “To carry out a fraudulent activity, it’s necessary to actually create a project, make sure it looks solid and legitimate, attract users and hopefully get millions of dollars locked down first.”

Sure, fraud still accounts for millions of dollars in the crypto losses, but there are more multimillion-dollar hacks than scams, Hetman noted.

Overall, the biggest benefactor to the industry will be time and experience, Hetman said. “Blockchain is such a new field that is constantly evolving and innovating … new developers are entering the space every single day [and] deploying protocols that attract hundreds of millions of dollars.”

But while talent and money flow into the space, it’s going to take time for proper protocols for safety and security to come into play and protect those funds.

Constantly learning about new security risks, improving security knowledge and practices, getting audited and launching a bug bounty program are musts if projects want to survive and build trust with the community, Hetman noted.

“To ruin that trust, it only takes one bug, and black hats only need to be right once. Bug bounties, on one hand, can be an effective tool to incentivize hackers to responsibly disclose the bug, instead of exploiting it.”

“Web3 is a battlefield between white hats and black hats,” Hetman said. “With massive amounts of money at stake, everyone is watching this battle closely. It’s only a matter of time before a hacker of any color of the hat, black or white, will find a bug in a project’s code.”