Crypto investors experienced significant losses in the third quarter of 2023, with a total of $686.5 million lost to hacks and fraud, according to a report from Immunefi, a bug bounty and security services platform. This represents a 59% increase from the same period in the previous year when losses amounted to $428 million.
The losses in Q3 2023 also marked a substantial increase compared to earlier quarters, with a 55.7% rise from Q1 2023 and a staggering 158.2% surge from Q2 2023. Two major hacks targeting Mixin Network and Multichain were responsible for almost half of the total stolen amount, amounting to $326 million combined.
While there were instances of recovery in Q1 2023, with 40.5% of the stolen amount being reclaimed through specific cases involving Euler Finance and SperaxUSD, the recovery rate dropped significantly in the third quarter. Only $61.1 million, or 8.9% of the total losses, were recovered.
The Lazarus Group, a North Korean hacker cell, played a significant role in the losses, accounting for $208.6 million, or 30% of the total losses in Q3 2023. This group was allegedly behind high-profile attacks on platforms such as CoinEx, Alphapo, Stake, and CoinsPaid.
The report also noted that state-backed actors, like the Lazarus Group, were increasingly involved in these attacks, with a focus on centralized finance (CeFi) platforms leading to a surge in losses within this sector.
The decentralized finance (DeFi) sector was hit the hardest, representing 72.9% of the total losses, while CeFi hacks, such as those targeting CoinEx and Alphapo, accounted for 27.1% of the total. Ethereum, BNB Chain, and Coinbase-incubated Base blockchain were among the most targeted chains by hackers.
The rise in incidents from 63 in the previous quarter and 73 in Q1 to 76 independent incidents in Q3 2023 indicates the growing threat landscape in the crypto space, with airdrop farming and fraudulent schemes like rug pulls contributing to the vulnerabilities.
Airdrop farming involves receiving tokens from a new blockchain or application distributed to community members retroactively, while a rug pull is a scam event where a project’s team steals users’ funds deposited into the project’s liquidity pools.