Private Key Compromises and Exit Scams Are Current Major Web3 Threats

The primary cause of significant losses in 2023 was private key compromises, with exit scams being the most prevalent form of security incidents.

According to CertiK, the total losses resulting from private key compromises in 2023 amounted to nearly $881 million.

CertiK, a cybersecurity firm, has released its annual Hack3D Web3 security report, providing insights into the 2023 incident statistics. This comprehensive overview of incidents that took place last year reveals a significant Web3 security trend: private key compromises and exit scams, also known as rug pulls, had the most substantial impact on cryptocurrency projects and users.

Private key compromises emerged as the most damaging type of exploit in 2023, while exit scams were the most widespread. Concurrently, another cybersecurity team, SlowMist, highlights the damage caused by hacker groups and wallet drainers.

Private key compromises in 2023

CertiK reports that "Private key compromises were the most costly attack vector, resulting in $880,892,924 lost in just 47 incidents." The cybersecurity team notes that private key compromises "account for nearly half of all financial losses."

Their frequency was low: CertiK notes that "private key compromises only constituted 6.3% of all security incidents." Notably, six out of the ten most expensive security incidents in 2023 were attributed to private key compromises.


According to SlowMist, the Mixin database attack on September 23, which resulted in the loss of nearly $200 million, stood as the largest security incident in 2023. During the incident investigation, BlockSec, a smart contract audit firm, concluded that the malicious actor compromised the cloud and "recovered the private keys of deposit addresses (and hot wallet addresses)."

Poloniex, which experienced a significant private key compromise on November 10, losing nearly $130 million, serves as another example of such an incident type. The SlowMist security team suggested that the swift and professional nature of the attack indicated a typical Advanced Persistent Threat (APT) attack, likely orchestrated by the North Korean-backed hacker organization, Lazarus Group.

Incidents by type in 2023 (Source: CertiK)

A further illustration of a major exploit involving a private key compromise in 2023 was the attack on CoinEx on September 12. Preliminary investigations indicated a hot wallet private key leak, resulting in estimated losses of over $70 million and affecting multiple blockchains.

One contributing factor to the severe vulnerability of private keys is centralization risk. CertiK highlighted this risk based on another massive private key compromise that affected Multichain in July. "Behind the scenes, it was revealed that, contrary to its claims of decentralization, Multichain’s multi-party computation servers and private keys were solely controlled by its CEO," explained CertiK regarding the root of the issue.

In response to the serious consequences of private key compromises in 2023, CertiK provided a set of best practices to mitigate associated risks.

Firstly, as mentioned above, it is crucial to minimize centralization in private key management. Transitioning to multi-signature wallets, which allow "distributing control among multiple parties, reducing the risk of single-point failures," is a fundamental security measure.

"Consider MPC [Multi-Party Computation] for key management to enable key sharing without exposing the entire key to a single party," CertiK adds, emphasizing the importance of using strong encryption standards for storing private keys.

Secondly, CertiK recommends using hardware wallets for storing high-grade keys and cryptographic operations, with offline forms of storage, known as cold wallets, suggested for the long-term storage of private keys. Ensuring the security of backups of private keys is critical, and they should be stored "in secure, offline environments like safety deposit boxes or vaults."

For companies, CertiK stresses the importance of employee training, clear access control policies, and regular audits and monitoring.


Exit scams in 2023

The cumulative losses suffered by victims of rug pulls in 2023 surpassed $152 million. This total was, however, over $50 million lower than the damage caused by phishing attacks and nearly six times lower than the losses resulting from private key compromises.

Despite the financial scale not reaching the levels observed in some other types of security breaches, exit scams emerged as the most prevalent form of incident in 2023. According to CertiK, there were at least 306 documented cases of exit scams during the year, while the second most common security incident was the exploitation of code vulnerabilities, which was reported 197 times.

It is crucial to note that the statistics provided by CertiK regarding exit scams may not capture all cases, as there could be instances of rug pulls that remained undetected or unreported.

In its "Blockchain Security and Anti-Money Laundering Annual Report 2023," SlowMist presented slightly lower figures for rug pulls, estimating a total of 117 incidents and losses exceeding $83 million. These statistics might be based on exit scams detected by the SlowMist team itself.

Considering this data, SlowMist highlighted that "The Base ecosystem suffered the highest losses, amounting to $32.5 million."

An example of a 2023 exit scam provided by SlowMist involved a particularly "covert rug pull" utilizing contract storage manipulation. The IEGT token deployed on BSC was the subject of this exit scam.

SlowMist's investigation uncovered malicious code in the IEGT token contract that allowed the project team to mint a substantial amount of tokens during initialization without properly recording it. The attackers used inline assembly to write directly to contract storage, modifying the balance of a specific address during the contract's initialization, so the tokens were created without the usual mint path and without the events that would have made them visible.
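One defensive check that follows from this pattern, as an added example (not SlowMist's code): rebuild every holder's balance from the token's Transfer event log and compare it with the balances and totalSupply the contract reports. A holding that no event explains is exactly the footprint a balance written straight to storage leaves behind. The addresses, events and amounts below are constructed, not IEGT's.

```python
from collections import defaultdict
from dataclasses import dataclass

ZERO = "0x0000000000000000000000000000000000000000"

@dataclass(frozen=True)
class Transfer:
    """One ERC-20 Transfer(from, to, value) event; ZERO as sender marks a mint."""
    sender: str
    receiver: str
    amount: int

def balances_from_events(events):
    """Rebuild every holder's balance from the Transfer event log alone."""
    bal = defaultdict(int)
    for ev in events:
        if ev.sender != ZERO:
            bal[ev.sender] -= ev.amount
        if ev.receiver != ZERO:
            bal[ev.receiver] += ev.amount
    return dict(bal)

def find_unrecorded_balances(events, onchain_balances, total_supply):
    """Return ({address: unexplained amount}, totalSupply gap).

    A balance the event log cannot explain, or a totalSupply larger than the
    net of all recorded mints and burns, means tokens were created outside the
    normal mint path, e.g. by writing the balance slot directly in assembly."""
    expected = balances_from_events(events)
    anomalies = {}
    for addr, held in onchain_balances.items():
        gap = held - expected.get(addr, 0)
        if gap != 0:
            anomalies[addr] = gap
    supply_gap = total_supply - sum(expected.values())
    return anomalies, supply_gap

# Constructed sample data: placeholder addresses and made-up amounts.
DEPLOYER = "0xDEPLOYER"
ALICE = "0xALICE"
HIDDEN = "0xHIDDEN"
SAMPLE_EVENTS = [
    Transfer(ZERO, DEPLOYER, 1_000_000),  # the only mint the log records
    Transfer(DEPLOYER, ALICE, 100_000),
]
# balanceOf()/totalSupply() as the contract reports them: HIDDEN holds
# 5e9 tokens that no Transfer event ever created.
SAMPLE_BALANCES = {DEPLOYER: 900_000, ALICE: 100_000, HIDDEN: 5_000_000_000}
SAMPLE_TOTAL_SUPPLY = 5_001_000_000
```

Against a live token the inputs would come from eth_getLogs for the Transfer topic and from balanceOf/totalSupply calls at the same block; the comparison logic is unchanged.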

SlowMist regards the July BALD rug pull as the largest exit scam of the year, while Web3 security firm Halborn reported that BALD investors lost approximately $23 million, with the malicious coin's deployer profiting around $5.9 million.

In its August report, Halborn explained that the memecoin launched on Coinbase's Layer 2 testnet experienced a 4,000,000% surge in value within 24 hours, reaching an estimated $68 million. The rapid growth was attributed to the deployer's active investments, injecting $12 million on the first day and strategically buying BASE to boost prices. Despite lacking a user interface for bridging the contract, the coin attracted significant investment.

Halborn reported potential links to Alameda Research, a sister company to the FTX exchange, and other major DeFi projects like Sushi and dydx governance in its post-incident investigation.

SlowMist’s recommendations for protection against exit scams

While the cryptocurrency space presents lucrative opportunities, particularly associated with new projects, it is also a breeding ground for scammers targeting investors. Exercising vigilance, especially with unknown projects offering high returns, is crucial.

The fear of missing out is a common sentiment among cryptocurrency users, given the rapid pace of industry development. SlowMist recommends investors take the time to conduct thorough research on a project's background before making decisions.

This includes not only assessing the project's background but also scrutinizing its code for potential vulnerabilities that could facilitate future rug pulls. While this task may seem reserved for experienced developers and cybersecurity analysts, there are tools available to assist in code validation. While these tools may not catch all vulnerabilities, neglecting any form of analysis exposes investments to significant risk.


On top of that, SlowMist advises avoiding any projects that are not open-source and cannot be assessed, as well as those that have not undergone audits. Finally, no matter how legitimate and promising the project appears, the best approach is to refrain from investing more than you can afford to lose.

Incidents by chain in 2023 (Source: CertiK)

Lazarus Group and wallet drainers

While individual hackers pose a significant threat to the Web3 space, hacker groups, particularly the North Korean-backed Lazarus Group, were responsible for some of the largest hacks of 2023. Among the confirmed 2023 exploits orchestrated by the Lazarus Group were the attacks on CoinsPaid, Atomic Wallet, Alphapo, and Stake.

At the same time, SlowMist emphasizes that cryptocurrency-related malware, known as wallet drainers, gained particular popularity last year. The team highlighted noteworthy wallet drainers such as Inferno Drainer, MS Drainer, Angel Drainer, Monkey Drainer, Venom Drainer, Pink Drainer, and Pussy Drainer. Some, like Inferno Drainer, are already inactive, while others, such as Angel Drainer, continue to engage in cryptocurrency thefts.

The most affected chain in 2023

CertiK states that "BNB Chain [BNB Beacon Chain] experienced the highest number of security incidents, with a total of 387 hacks, scams, and exploits leading to $134 million in losses," which resulted in "an average of $346,253 per incident."

However, despite having the largest number of security breaches, the BNB blockchain was not the most affected chain when considering the damage. With 224 incidents, Ethereum saw a total of $686 million in losses. CertiK also emphasizes cross-chain interoperability challenges, reporting losses of almost $800 million from 35 incidents that took place across multiple chains.

Ongoing threats in 2024

Unfortunately, the end of 2023 does not mean the end of the cybersecurity threats that affected the cryptocurrency industry that year. The threats highlighted in this article are likely to persist in 2024. The recent appearance of wallet drainers designed specifically for Solana is one proof of the evolving and persistent challenges faced by the crypto community, and of how quickly malicious actors adapt their strategies.