web3 security - Pwim.Net

Web3 Security Losses Skyrocket to $889.26M in Q3 2023, Says Beosin Report

Key Takeaways

Web3 security losses in Q3 2023 escalate to $889.26M.

North Korean APT group Lazarus emerges as a significant threat, responsible for over $208M in thefts.

Ethereum remains the most targeted blockchain, with losses totaling $227M.

Alarming Surge in Q3 2023 Losses

According to a recent report jointly released by Beosin and SUSS NiFT on September 27, 2023, the third quarter of this year has seen a disturbing rise in Web3 security incidents. Losses have skyrocketed to $889.26M, a figure that outstrips the combined losses of the first two quarters of the year, which were $330M and $333M respectively.

The Lazarus Group: A Formidable Adversary

The report highlights the North Korean APT group Lazarus as a major security threat in Q3 2023. The group has been implicated in thefts totaling over $208M across four significant attacks. Their tactics are complex, involving a range of methods from social engineering to brute force attacks, indicating a high level of sophistication.

Types of Attacks and Vulnerabilities

Private key compromises led the way in types of attacks, causing losses of $223M. Cloud database attacks, notably the Mixin Network incident, accounted for $200M. Contract vulnerabilities were also significant, leading to about $93.27M in losses. DeFi projects were the most frequent targets, suffering 29 attacks that led to $98.23M in losses.

Blockchain and Project Types Most Affected

Ethereum continues to be the most targeted blockchain, with losses amounting to $227M and 16 major attacks. Public blockchains were the most affected among project types, primarily due to the $200M Mixin Network hack. Payment platforms were the next most affected, with two incidents causing combined losses of $97.3M.

Audit and Regulatory Concerns

The report also sheds light on the audit status of the attacked projects. The proportion of audited and non-audited projects was nearly equal, at 48.8% and 46.5% respectively. This raises questions about the effectiveness of current auditing practices in the industry.

Recommendations and Future Outlook

The report suggests that crypto service providers need to be extra vigilant, especially against sophisticated adversaries like the Lazarus group. It recommends regular security training for employees and the implementation of robust monitoring and alert systems.

Disclaimer & Copyright Notice: The content of this article is for informational purposes only and is not intended as financial advice. Always consult with a professional before making any financial decisions. This material is the exclusive property of Blockchain.News. Unauthorized use, duplication, or distribution without express permission is prohibited. Proper credit and direction to the original content are required for any permitted use.

Web3 Security 2023 State Revealed, Nearly $2 Billion Lost

In 2023, the Web3 landscape witnessed a significant number of security incidents. The CertiK report revealed that a total of $1.84 billion was lost across 751 security incidents, marking a 51% decline from the $3.7 billion lost in 2022. Despite this decline, the scale of these incidents remains alarming, with the ten most costly incidents alone accounting for $1.11 billion in losses. The median loss per incident was $101,132, substantially lower than the average of $2.45 million per incident, indicating a wide disparity in the impact of individual incidents.

Most Vulnerable Chains and Attack Vectors

BNB Chain experienced the highest number of security incidents with 387 hacks, scams, and exploits, resulting in $134 million in losses. Ethereum, despite a lower number of incidents (224), suffered higher financial damage totaling $686 million. Remarkably, private key compromises emerged as the most costly attack vector, accounting for nearly half of all financial losses ($880,892,924) in just 47 incidents. This underscores the critical vulnerability associated with private key security in the Web3 space.

Analysis of Trends and Developments

CertiK’s report goes beyond raw data to offer in-depth analysis of how these breaches have impacted the broader Web3 ecosystem. The report includes explorations of new developments, such as sophisticated negotiation tactics by hackers and the ongoing quest for institutional adoption in the blockchain space. These insights are vital for stakeholders, including blockchain developers, crypto investors, policymakers, and digital currency enthusiasts, in understanding and navigating the complexities of this rapidly evolving industry.

Key Highlights and Insights

The third quarter of 2023 saw the most significant financial losses, amounting to $686,558,472 from 183 incidents. The report also highlights the persistent challenge of cross-chain interoperability, with security breaches affecting multiple chains accounting for $799 million of losses in just 35 incidents. Furthermore, the report delves into significant events like “retroactive bug bounty” negotiations and major hardware wallet backend compromises, offering a clear picture of the evolving landscape of institutional adoption in Web3.

Conclusion

“Hack3d: The Web3 Security Report 2023” is an indispensable resource for anyone invested in the Web3 world. The report not only recaps significant security events of the past year but also provides forward-looking projections and insights, helping stakeholders prepare for the challenges and opportunities ahead. This comprehensive analysis is crucial for understanding the current state of Web3 security and the direction in which it is headed.

Web3 Security CertiK X Account Compromised in Phishing Scam

On January 5, CertiK, a blockchain security and smart contract audit firm, fell victim to a cyber attack. This incident occurred on the company’s official X (formerly Twitter) account, where a phishing link was posted after a bad actor hacked into the protocol’s social media profile. CertiK announced that a “verified account associated with well-known media” managed to hack into one of their employee’s X accounts, which led to the posting of links to phishing scams. The company quickly addressed the breach by removing the phishing link within 14 minutes, and there were no significant losses from the exploit.

The phishing attack was initially detected due to a direct message received by the CertiK employee, which showed signs of being dangerous. Blockchain detective ZachXBT highlighted that the account contacting CertiK had not posted since April 2020, indicating it was likely compromised. CertiK, responding to the incident, encouraged those affected by the exploit to contact them, emphasizing the challenges in combatting phishing attacks that exploit human trust and vulnerabilities.

This security breach is particularly notable given CertiK’s role in blockchain security. Just a day before the incident, CertiK had released its 2023 Hack3D security report, which highlighted a 50% decline in crypto losses, marking it as a significant milestone in blockchain security. The compromised CertiK account posted tweets about a fake vulnerability in Uniswap V3’s smart contract code, directing users to a fraudulent website impersonating Revoke.cash. Revoke.cash confirmed that Uniswap was not compromised, but this incident raised questions about CertiK’s own security practices.

The official CertiK Discord site was also hacked, replaced with a fake Discord promoting phishing links. CertiK subsequently regained control of its account and removed the fake tweets. However, the breach underscores the ongoing vulnerability of the crypto industry to hackers, with stolen funds exceeding $3.8 billion in the last year. CertiK’s investigation into the breach revealed it as part of a “large scale ongoing attack” using social engineering through Calendly, a scheduling app.

The recent hacking of CertiK’s X account, a Web3 security firm, to promote a cryptocurrency wallet drainer, highlights a notable irony and concern in the blockchain security landscape. This breach, achieved through social engineering, utilized a compromised account associated with a prominent media outlet. The attackers, impersonating a journalist, lured a CertiK employee with a phishing link disguised as a scheduling site, ultimately compromising the company’s account. This incident underscores the sophisticated nature of modern phishing scams, which exploit human trust and vulnerabilities, and poses critical questions about the robustness of security measures within blockchain and crypto-related firms.

The use of social engineering in this attack reflects a growing trend in the cyber world, where even security-savvy individuals and organizations are vulnerable. This breach is particularly striking given CertiK’s role in ensuring the security of blockchain technologies. The event not only points to the need for heightened vigilance and advanced security protocols in the Web3 space but also serves as a reminder of the relentless and evolving nature of cyber threats in the blockchain ecosystem. The irony of a Web3 security firm falling victim to such an attack highlights the universal susceptibility to sophisticated cyber threats and emphasizes the importance of continuous improvement in security practices across the industry

Animoca Brands Partners with Blockpass to Enhance Web3 Security and Compliance

Animoca Brands has announced a strategic partnership with Blockpass, a pioneer in compliant identity verification. This collaboration is set to enhance the safety and regulatory adherence of the emerging Web3 and metaverse ecosystems, leveraging Blockpass’s KYC/AML SaaS solutions to benefit Animoca Brands and select portfolio companies.

As digital interactions and transactions become increasingly commonplace, the issue of user safety and security has escalated. The partnership addresses these concerns head-on by incorporating Blockpass’s identity verification solutions, which are crucial in mitigating fraud risks and safeguarding users, especially in an era of sophisticated AI deepfakes and rampant identity fraud.

The strategic collaboration is particularly timely, considering the growing regulatory landscape for cryptocurrencies and related technologies. By integrating Blockpass’s KYC and AML requirements, Animoca Brands and its subsidiaries will be able to operate with greater confidence and compliance, a critical factor as scrutiny from regulatory bodies intensifies.

Moreover, the partnership promises to streamline the user onboarding process. Blockpass offers a reusable identity verification process that is both user-friendly and efficient, ensuring smooth access to Web3 services. This is instrumental in simplifying the user experience while adhering to necessary regulatory frameworks.

Blockpass, recognized as “Web3’s OG identity verifier,” brings to the table an extensive suite of compliance tools designed to reduce onboarding costs, automate remediation, and protect against a range of security threats. The company boasts a network of around one million verified identity profiles and over a thousand businesses, thus facilitating instant onboarding and compliance.

Animoca Brands, on the other hand, is a global leader in gamification and blockchain, with a large portfolio of over 400 investments in Web3 projects. Its mission to advance digital property rights and build the open metaverse is well-served by the partnership, as it looks to develop and publish blockchain games and products based on global brands.

Yat Siu, co-founder and executive chairman of Animoca Brands, emphasized the alignment of the partnership with the company’s core philosophy of empowering builders who believe in Web3 and the open metaverse. Adam Vaziri, CEO of Blockpass, echoed these sentiments, highlighting the collaboration as a significant step in establishing trust and regulatory compliance in the metaverse.

This partnership marks a considerable milestone in the evolution of Web3 and the open metaverse, setting a precedent for prioritizing user safety, regulatory compliance, and user experience. As the decentralized world moves towards a more secure and inclusive future, industry observers will be keenly watching the outcomes of this strategic alliance.

As the Web3 space evolves, this strategic partnership between Animoca Brands and Blockpass is poised to play a pivotal role in shaping a safer, more compliant, and user-friendly digital world.