Web3 projects witnessed $685.5 million in losses during Q3, with major exploits on cross-chain protocols Mixin Network and Multichain accounting for nearly half of the total losses. The Q3 losses represent a 59.9% increase on the $428.7 million lost in Q2, with incidents up 153% year-over-year, according to the latest report from web3 bug bounty platform Immunefi.
The losses marked the worst quarter for the year, reaching $1.4 billion in 2023 due to hacks and fraud. “Q3 witnessed the highest loss in this year, driven by large-scale attacks such as the one on Mixin Network and Multichain”, Immunefi CEO Mitchell Amador said in the report. “State-backed actors played a crucial role as they were allegedly behind several cases this quarter. Their particular focus on CeFi led to a sharp surge in losses within this sector.”
Mixin Network’s $200 million exploit in September and Multichain’s $126 million funds stolen in July were responsible for $326 million in losses alone, making up 47.5% of the Q3 total. North Korean regime-backed Lazarus Group, allegedly behind high-profile attacks on platforms like CoinEx ($70 million), Alphapo ($60 million), Stake ($41.3 million) and CoinsPaid ($37.3 million), stole a total of $208.6 million — representing 30% of the Q3 losses.
Ethereum was the most targeted network, registering 35 of the 76 incidents (42.7% of the losses), while BNB Chain witnessed 25 incidents, accounting for 30.5% of losses. Coinbase-incubated Layer 2 network Base followed, suffering losses across four projects since launching on Aug. 9, namely LeetSwap, SwirlLend, Magnate Finance and RocketSwap. Optimism accounted for three of the incidents.
Crypto losses Q3 2023. Image: Immunefi.
DeFi hacks lead Q3 crypto losses
Some $662.9 million was lost to hacks across 49 exploits, accounting for 96.7% of losses — representing a 66.1% year-over-year increase. Meanwhile, $22.6 million was lost to 27 incidents of fraud, scams and rug pulls, totaling 3.3% of the losses combined — down 23.9% year-over-year.
DeFi platforms remained the most attractive targets for cybercriminals, suffering $499.8 million (72.9%) of Q3 losses — up 18.5% year-over-year and adding to around $3 billion in funds stolen by DeFi attackers to date, according to The Block’s data dashboard. Centralized platforms accounted for the remaining 27.1% —worth $185.7 million — representing an eye-watering 3,400% increase compared to Q3 last year.
A small consolation is the recovery of $61.2 million in stolen funds from six cases, representing just 8.9% of the total Q3 losses. Curve Finance recovered the most, reclaiming $5.3 million from $24 million stolen. However, recovery efforts are ongoing, with Mixin Network offering hackers a $20 million “bug bounty” last week in an on-chain message designed to incentivize the return of the stolen funds.
Immunefi says it has paid more than $80 million in bounties and saved over $25 billion in user funds across protocols like Chainlink, The Graph, Synthetix and MakerDAO.
Last week, Immunefi launched on-chain vaults in its first milestone toward decentralizing its bug bounty platform.
