Cybersecurity team CertiK has estimated the total losses experienced by Web3 projects and cryptocurrency users in December. While the damage surpassed a staggering $116.5 million, it was still nearly three times lower than the November losses estimated at over $363 million. Based on this data, it is safe to state that November was the month that saw the largest financial losses in the crypto space in 2023.
Attack on Orbit Chain
The largest December heist occurred amid the winter festive season. Unfortunately for multi-asset blockchain Orbit Chain, it experienced a loss of nearly $81.5 million during the last hours of 2023. The attack might have been performed by Lazarus Group, a North Korea-backed hacker group.
The team behind Orbit Chain informed its community about the exploit yesterday; however, since the unauthorized access to the funds was confirmed at 08:52:47 PM (+UTC) on December 31, CertiK has added the stolen sum to its December statistics.
Read also: SlowMist Warns: "Past Approvals Can Still Be a Ticking Bomb"
SlowMist, another prominent Web3 security firm, is currently investigating the vulnerability that allowed hackers to exploit the protocol. "A vulnerability may exist in the Orbit Chain bridge, or the centralized server may have been compromised," SlowMist shared its assumptions based on the preliminary assessment with the X community yesterday.
"It looks like 2024 is going to be another year of handing DPRK billions of dollars on a silver platter," on-chain analyst Tay remarked on X. Tay is one of the experts who have detected a link between the exploit and the notorious criminals.
According to the most recent update from the Orbit Chain team, to resolve the issue, they have reached out to law enforcement and "have developed a system for investigation support and cause analysis with the Korean National Police Agency and KISA, enabling a more proactive and comprehensive investigation approach."
In the meantime, Orbit Chain is cautioning its community about numerous scams impersonating the protocol, luring users to participate in reimbursement programs. "Only refer to this official account, Orbit Chain, for updates, which will be provided as the situation unfolds," the team advises users to stay vigilant.
The largest exploits in December
According to CertiK, the second-largest security incident was a phishing attack resulting in the theft of $4.4 million; however, over $2.5 million of the loot was returned to the victim. This incident is followed by the hack of NFT trading platform NFT Trader, which suffered an exploit of a vulnerability related to reentrancy and old approvals in the contract, affecting users with outdated approvals.
CertiK estimates the losses of NFTs worth $3 million. Yet, it is unclear whether the cybersecurity team has included recovered NFTs in this estimation. Fortunately, on-chain sleuths helped some victims to recover stolen assets. For instance, 0xQuit recovered 5 OCM, 11 Hashmasks, and 1 Game Disease.
Read also: One-Third of Stolen Crypto in Top 2023 Exploits Funneled Through Bitcoin
The attack on another NFT trading solution, Flooring Protocol, also became one of the top exploits in December. This incident resulted in the theft of 36 Pudgy Penguins and 14 Bored Apes, valued at almost $1.68 million. Unfortunately for the users of Flooring Protocol, the stolen assets were reportedly dumped.
CertiK also provides specific statistics dedicated to flash loan attacks in December, naming the exploit of BearnDao, which lost $769,000, as the largest incident of this type.
December did not see a particularly large number of exit scams, with total losses from this type of exploit amounting to $4.6 million, surpassing only the damage experienced in September ($1.9 million) and November ($1.1 million). Still, some rug pulls led to especially massive losses. For instance, StoicDAO investors lost almost $1.345 million, while those investing in fake Venom lost almost $0.84 million. Other notable rug pulls were MegabotETH ($742,615), CKD ($539,614), and fake Rats ($344,242).
Security statistics for 2023
CertiK estimates that altogether, crypto users and Web3 projects lost $1,840,879,064 in 2023, with the largest exploits occurring in September, resulting in a community loss of $329.8 million. November and July were also among the most damaging months, with total losses from exploits amounting to $316.4 million and $285.8 million, respectively.
According to CertiK, August was the month with the smallest damage caused by exploits, resulting in an overall loss of $13.5 million.
SlowMist provides other statistics, which show even greater figures. This on-chain security team claims there were 464 hack events detected, resulting in a loss of $2,486,083,875.72. While this number is already impressive, it does not include the damage caused by scammers.
The most notable security incidents in 2023
Cryptocurrency data aggregator CoinMarketCap compiled an overview of the "worst crypto hacks of 2023," listing notable attacks on Stake ($41 million), Kyber Network ($54.7 million), Curve ($73.5 million), Atomic Wallet (over $100 million), Multichain Bridge ($126 million), and Mixin Network ($200 million). In all likelihood, the platform did not mention the exploit of Orbit Chain since it occurred after the article was published.
Mixin Network fell victim to a catastrophic cloud service-based attack in September 2023, resulting in the theft of around $200 million worth of customer assets, while Euler Finance suffered a $197 million hack through an intricate flash loan attack. Euler Finance traced the attacker, who returned "all recoverable funds" to the Euler treasury, prompting the team to open redemptions for users and hinting at a new modular open lending solution.
Multichain, a popular cross-chain bridge protocol, raised suspicions regarding an inside job, which could have led to the $126 million hack, due to the disappearance of its CEO and the operation of the protocol’s compromised front end.
The breach of Atomic Wallet in June 2023 raised great controversy not only due to the loss of a staggering $100 million but also because of the company’s unwillingness to support the victims of the hack. The recent attack on KyberSwap Elastic also surprised the community not only with considerable losses but also with the motive of the hacker, who demanded control of the Kyber Network company and assets in exchange for returning the stolen funds.
Furthermore, the operation of the Stake casino was significantly compromised, as the September 2023 exploit had an issue with paying out large wins. The attacker accessed Stake’s internal transaction approval system rather than breaching the hot wallet private keys.