Crypto Users Lost $2B to Hacks, Scams and Exploits in 2023, De.Fi Says

Cryptocurrency users lost nearly $2 billion to scams, rug pulls and hacks in 2023, roughly half the amount of last year, but a sign that the industry remains susceptible to security risks, researchers at security app De.Fi said in their annual report on Wednesday.

The reduction, largely attributed to the implementation of improved security protocols, increased awareness within the community and the overall decreased activity in the market, is even greater when the $40 billion lost to the collapses of stablecoin issuer Terraform Labs, crypto lender Celsius and the FTX exchange are taken into account.

The drop coincides with a bear market in which some major alternative tokens slumped as much as 85% from their 2021 peaks before recovering in the past few months as conditions turned more bullish. Additionally, the recovery rate of funds improved significantly to around 10%, up from just 2% in 2022, De.Fi said.

Ethereum, the biggest blockchain by active users and value locked, experienced the highest losses, with about $1.35 billion erased in an estimated 170 incidents. This figure is indicative of Ethereum's appeal to malicious actors due to its extensive ecosystem and high-profile projects. The largest exploit was July's $230 million attack on the cross-chain platform Multichain.

BNB Chain also proved an attractive target, with $110.12 million lost across 213 incidents. Emerging network zkSync Era lost $5.2 million in two incidents and Solana had a loss of $1 million in a single attack.

Losses on centralized platforms, such as exchanges and trading platforms, totaled some $256 million across seven cases. The largest, November's attack on Poloniex, netted $122 million.

Access control exploits were by far the most damaging, with attackers taking advantage of weaknesses in how permissions and access rights are managed within smart contracts or platforms. Such exploits often grant unauthorized access to funds or critical functionalities and resulted in losses of more than $852 million out of 29 instances.

Flash-loan attacks were the second-most cash-generative method, leading to $275 million lost over 36 cases. These attacks exploit the uncollateralized loan feature in decentralized finance (DeFi), allowing attackers to borrow large amounts of cryptocurrency without upfront capital. Attackers use these borrowed funds to manipulate market prices and exploit vulnerabilities in DeFi.

Exit scams accounted for $136 million over 263 cases. In such an exploit, a rogue developer simply drains all liquidity from a token they have issued or removes their online presence after raising money from unsuspecting market participants.