While hackers continue to hack the crypto industry for a cash grab, the dollar amount is down substantially compared to the previous year.
The total amount “lost” during 2023 from security incidents was almost $2 billion, down 51% from 2022, according to security-focused CertiK’s annual 2023 web3 security report. The report defines losses in this context as the value of digital assets stolen by malicious actors.
During the past year, 10 incidents — including the $200 million Mixin and the $197 million Euler Finance hacks — accounted for $1.11 billion of losses. The average median loss for other incidents was around $101,000.
One bit that wasn’t featured in the report is that there was a “marked decline” in hacks and scams over the weekends during 2023. “Tuesdays, Wednesdays, Thursdays and Fridays all see about the same prevalence of incidents, while Mondays are noticeably quieter, Saturdays quieter again, and Sundays the quietest of all,” CertiK co-founder and CEO Ronghui Gu told TechCrunch+.
About 12%, or $219 million, of total losses in 2023 were ultimately returned following “retroactive bug bounty negotiations,” Gu said. While that number is cited in the report, it wasn’t subtracted from the total value lost because it still represents money stolen — even if a portion was later returned.
Gu said that “2023’s reduction in losses is a positive indicator that security measures may be improving,” but that doesn’t mean projects or consumers should lower their guard.
Image Credits: CertiK 2023 web3 security report
On the consumer side, there’s a significant need for increased awareness and education. “Many users are not fully aware of the best practices for safeguarding their assets, such as using hardware wallets, enabling two-factor authentication, and recognizing common phishing tactics.”
“There’s always room for improvement, especially when we’re still measuring losses in the billions,” Gu said. “Web3 needs to move towards a more proactive and holistic approach to security. This involves not only implementing robust technical safeguards but also fostering a security-centric culture.”
Even crypto companies that have had few or no security incidents should focus on maintaining and continually improving their security posture, Gu said. “Complacency can be a significant risk,” and the industry as a whole has “significant agency to reduce losses.”
“My advice remains the same regardless of how many incidents a platform or protocol may have experienced: Security must be the number one priority,” Gu said. “While it may be tempting to get a working product out the door as quickly as possible, there is no true functionality without security.”