Full Report
The amount of crypto stolen in the Web3 ecosystem rose by 31.6% compared to 2023, with phishing the most costly attack vector
Analysis Summary
# Incident Report: 2024 Cryptocurrency Losses via Web3 Exploits
## Executive Summary
In 2024, security incidents within the Web3 ecosystem resulted in total cryptocurrency losses exceeding \$2.3 billion across 760 recorded incidents, a 31.6% increase in monetary value stolen compared to 2023. Phishing emerged as the dominant and most costly attack vector, indicating that social engineering is now outpacing complex technical exploits against decentralized systems.
## Incident Details
- Discovery Date: Throughout 2024 (Data compiled by CertiK)
- Incident Date: Primarily occurred in 2024
- Affected Organization: Various global Web3 users, protocols, and investors.
- Sector: Cryptocurrency, Decentralized Finance (DeFi)
- Geography: Global (Based on cross-blockchain data)
## Timeline of Events
### Initial Access
- Date/Time: Throughout 2024 (Specific dates vary per incident)
- Vector: Phishing (Most common and costly), Private Key Compromise (Second most common)
- Details: In the most costly phishing incident, in August 2024, attackers posed as Google and Gemini support staff to manipulate a Genesis creditor into resetting 2FA and transferring funds to a compromised wallet.
### Lateral Movement
- Not explicitly detailed in this summary. Phishing and private key compromise give attackers direct access to wallets or sensitive accounts, which bypasses the lateral movement stages common in attacks on IT infrastructure.
### Data Exfiltration/Impact
- **Impact:** \$2.3 billion in cryptocurrency losses across 760 incidents.
- **Most Affected Chains:** Ethereum (\$748.6m loss across 403 incidents), Bitcoin (\$542.7m loss), Tron (\$133m loss).
### Detection & Response
- **Detection:** Statistics derived from analysis conducted by blockchain security firm CertiK.
- **Response actions taken:** Not detailed for individual incidents; the analysis is retrospective based on blockchain tracing.
## Attack Methodology
- Initial Access: Phishing (296 incidents, \$1.05bn stolen), Private Key Compromise (65 incidents, \$855.4m stolen).
- Persistence: Not explicitly detailed.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: The shift to phishing suggests that existing technical controls within Web3 protocols are becoming more robust, forcing attackers toward more effective social engineering.
- Credential Access: Social engineering leading to 2FA reset and transfer authorization.
- Discovery: Not explicitly detailed.
- Lateral Movement: Not explicitly detailed; the focus was on immediate asset theft.
- Collection: Direct wallet access/key compromise.
- Exfiltration: Direct cryptocurrency transfers to attacker-controlled wallets.
- Impact: Direct financial loss of digital assets.
## Impact Assessment
- Financial: \$2.3 billion in losses in 2024 (23% increase in average loss per hack, to \$3.1m).
- Data Breach: Cryptocurrency assets, credentials (implied via social engineering). Volume is measured by value, not by data type.
- Operational: Varied across protocols and users, but overall the incidents impacted DeFi confidence and stability.
- Reputational: Negative impact on the perceived security of the Web3 ecosystem.
## Indicators of Compromise
- **Network indicators (Defanged):** N/A (Attacks primarily involve on-chain transactions to attacker wallets.)
- **File indicators:** N/A
- **Behavioral indicators:** Successful use of social engineering to convince victims to authorize transfers or reset authentication factors (e.g., impersonation of Google/Gemini support staff).
## Response Actions
- **Containment measures:** Not detailed for individual incidents.
- **Eradication steps:** Not detailed for individual incidents.
- **Recovery actions:** Not detailed for individual incidents.
## Lessons Learned
- Phishing has become the most financially damaging attack vector in Web3, surpassing infrastructure exploits.
- The increase in phishing suggests that technical security maturity in Web3 is improving, as attackers shift to exploiting the human element.
- The overall value stolen in 2024 was lower than the peaks seen in 2021 (\$5.2bn) and 2022 (\$3.5bn), despite increased Total Value Locked (TVL).
## Recommendations
- Implement rigorous education and training programs focused on recognizing sophisticated social engineering, especially support impersonation and attacks on 2FA procedures.
- Users must exercise extreme caution when dealing with support requests or authentication resets that involve transferring funds to new locations.
- Further bolster multi-factor authentication mechanisms beyond simple 2FA, given the effectiveness of attacks targeting 2FA procedures.