On June 30, blockchain security firm Beosin posted its H1 2023 Web3 Security Statistics report, which showed a significant decrease in funds stolen by hackers compared to H1 2022. While the losses dropped from $1.91 billion to nearly $470 million, the total amount of stolen funds in H1 2023 is also much lower than in H2 2022 when it was equal to $1.7 billion.
Beosin reports a single hack with damage exceeding $100 million and seven hacks leading to a loss between $10 million and $100 million happened during the studied period.
Most hacks in the first half of 2023 occurred due to the exploitation of the contract vulnerability. The next common issue through which malicious actors could conduct attacks was a flash loan. Price manipulation and a private key compromise were also popular.
Another positive trend Beosin has uncovered was a quite high rate of fund recovery.
"Approximately $215 million of stolen assets were recovered, accounting for 45.5% of all stolen assets. In contrast, in 2022, only 8% were recovered," Beosin says, adding the statistics on criminals' use of cryptocurrency mixers, "$113 million of stolen assets were transferred to mixers: $45.38 million to Tornado Cash and $68.14 million to other mixers."
Unfortunately, there are still many unsolved cases of hacks that occurred in H1 2023. The June 3 attack on Atomic Wallet was one of the most frustrating incidents for victims, who are losing hope to get their funds back. Atomic Wallet claims that only 1% of its users were affected by the attack and does not disclose the extent of financial losses, while third-party estimates show that up to $100 million may have been stolen.
Meanwhile, victims, many of whom lost their life savings, are demanding compensation from Atomic Wallet, believing that the Atomic Wallet team is responsible for the vulnerability that enabled the hack.
While these statistics showing a significant decrease in hacking activity are quite promising, it turns out that the popularity of rug pulls reported by Beosin has surpassed that of hacks. Beosin has also provided insights into audits of hacked Web 3 projects, most of which were DeFi. While the firm reports a fairly high percentage of attacked companies that underwent an audit (81%), the total damage they experienced was more than $380 million. This fact supports the general concern about the quality of Web3 audit services in the crypto industry.
In total, there were 108 hacking attacks, while 110 cases of rug pulls were detected. Beosin has not shared the method it used to detect rug pulls, which means there could be more similar scams that have not yet been officially identified as rug pulls by security firms.
Still, the amount of money stolen through hacks was more than six times the losses from rug pulls, amounting to almost $76 million. In contrast, victims lost $108 million to phishing scams in the first half of 2023.
According to Beosin, Fintoch was the biggest rug pull in H1 2023 was Fintoch, resulting in losses of $31.6 million.
"Fintoch was a Ponzi project that showed all of the warning signs of an exit scam in the making," blockchain security firm Halborn explained the scheme in its May 26 blog post.
"Fintoch was a blockchain financial platform that was allegedly built by Morgan Stanley and promised users a guaranteed 1% return on investment each day," Halborn reported, adding that after raising millions of dollars, the scammers "bridged the stolen cryptocurrency to other blockchains, including Tron and Ethereum." Originally, the project’s team used Binance Smart Chain (BSC) but then claimed to have built their own blockchain, which was supposedly the reason for disabling the withdrawal of the funds.
The second largest rug pull cited by Beosin was Kokomo Finance. Its team stole $5.5 million from investors. The other notable rug pulls in H1 2023 according to Beosin were XIRTAM, Swaprum, FCS, CirculateBUSD, YieldRobot, Sui Fusion, and Merlin DEX.