Oct 6, 2023

A new report from Immunefi, which is a bug bounty and security services platform for Web3, found that more than $1 billion was lost in crypto this year and more than $600 million was lost last quarter.

Video transcript

A new report found that more than a billion dollars was lost in crypto this year and more than 600 million lost last quarter. Joining us now to unpack the findings is Immunefi founder and CEO Mitchell Amador. Welcome to the show, Mitchell.

Thank you very much. Great to be here.

Great to have you. Well, Immunefi has put together this report for Q3, unpacking some pretty large losses. Talk to us about what's driving these big numbers, over $600 million lost in Q3.

Sure. Sure. So there are two major factors that are driving this. The first one, and arguably the more concerning, is the significant increase in the total number of successful hacks. So this is more than a doubling from the previous quarter, at 75 versus 30. The second major factor, and making up about 50%, almost 50% of all the losses over the last quarter, were two specific hacks, which were the Mixin and the Multichain events. And what you can see here just from that is that there's an extreme power law distribution in terms of the level of impact, in terms of the level of loss that occurs as a result of hacks. That is what's driving these losses as a whole.

So, sorry, Laura, it's going to go crazy. Is hacking getting easier because more vulnerabilities are introduced into these ecosystems, or are hackers getting more sophisticated?

That's a difficult question, because we have to know who these secret shadowy operators are and what exactly they're doing. But I can tell you, on the inside of the good guys, right, in the security industry and our work every day to protect the industry, that things are getting much better. Our technology has improved leaps and bounds; the number of participants and the number of companies contributing effective technical solutions has improved. So I don't think it's the... and I should say, you know, to the point of more vulnerabilities getting introduced, the average security bar, the standard for work, has improved very significantly, right? So, you know, your investors will not let you launch YOLO contracts in the way that they might have during DeFi summer, for example. So I don't think it's more vulnerabilities being introduced. I do suspect, although it's hard to know, that our adversaries, if you will, the attackers and the thieves that plague our industry, have become more sophisticated, have increased in number and have invested more in this as a potential channel for their own profits and revenue. Unfortunately.

Now, as far as the scams go, how are you defining scams in this case? And have they changed in nature at all?

I think, you know, here we did a very tight definition of scams, because hackers are more of our particular interest in looking into the technical side of things. So the fraud definitions only cover really strongly confirmed cases where we know that to be the case, when in fact, if you wanted to be a little bit more liberal with the definitions, I imagine we'd see the numbers be quite a bit larger than our initial investigation. However, it does indicate the broader trend that overall fraudulent activity seems to not be growing in the same way that hacks are. And this makes sense, although I suppose I should wait to see if that's of interest to you.

Yeah, I, you know, I guess my question is, are these, you know, spam emails sent to grandma saying, you know, here's your chance to invest in Bitcoin, or, you know, I don't know, Steven Seagal coin, whatever it is that's going on here? Or is it more of, you know what, I guess my question is, what's the nature of those kinds of scams?

Sure. The really obvious ones are naked rug pulls, right? And for all of our viewers who don't understand what that is, a rug pull is when someone creates a project and then steals all the money by draining, you know, either the project funds or by selling all the tokens that they might have created en masse, hence pulling out the rug from under everybody else at their expense. So that is the kind of very poignant example. There are other types of fraud that are much harder to understand in terms of their scope, such as pig butchering, which you might be familiar with, or such as phishing and spear phishing or SIM swapping that you might be familiar with. But as that activity is much more shadowy, it's extremely difficult to get any read on the magnitude of it.

Now, the report said that 70% of successful exploits took place in DeFi and then just under 30% in CeFi. My first question here on this stat is, what chain saw the most losses?

Oh, that would be the Ethereum chain, unfortunately.

All right. And why do you think that is?

Well, I'm afraid the reason is not exciting. It's because all the money is on Ethereum. Ethereum remains the predominant solution for, or, you know, just the center of DeFi activity as a whole. It remains the place where you have the strongest, how do we say it, sovereignty assurances. So there's no chance that anybody's gonna be rolling back Ethereum or doing funny business. If you steal something there, you're in the clear. So, you know, for many, that's also connected to a lot of the major privacy chains and major privacy tech that's available if you want to launder your assets. So there's a lot of reasons why Ethereum remains the place to operate as a criminal. Unfortunately.

Now that we're seeing kind of a softness in volumes in crypto, do you think that we'll see a softness in volumes of scams and rug pulls and all that stuff? Has the wind that's gone out of the sails of legitimate trading also gone out of the sails of theft?

That's a complicated question. The answer is, it depends what you look at. Right. My sentiment, based on our analysis, is that it looks like the fraudulent activity is not growing in the same way. So, you know, crypto is less hot, there's less money in it, more and more of the people participating in the space are hardened. It's less of a juicy target for scammers, you know, and the kind of scammer industry tends to go where things are hot, where the opportunity is. So you have that side of things, and I think that's for the better.

Sure.

AI, it also depends on what country, it could be any number of things. Let's hope they remain far away for as long as possible. But I don't think they will. Now, the hack side is the opposite. Right. When you make an investment into being an advanced persistent threat, right, a professional hacking group for some nation state or as a private business, as there are many of those as well. When you make that investment, you can't easily repurpose it. So after you hire a bunch of, you know, hacker types and set up your organization and start cracking on things, you have to stay committed, because if you don't, then your team falls apart and all your investment is lost. Consequently, on the hacking side of things, we should not expect that to slow down in any shape, right? We should expect that to continue to increase. And I think that's what this last quarter is showing in terms of the very material increase in the frequency of successful hacking attempts.

Mitchell, thanks so much for joining us this morning.

It was a pleasure.
