Web3 security incidents in 2024 resulted in a staggering $2.3 billion in cryptocurrency losses, a 31.6% increase in stolen value compared to the previous year. According to data from blockchain security firm CertiK, a total of 760 incidents occurred in 2024, slightly fewer than the 789 incidents reported in 2023. The average amount stolen per hack also rose significantly, reaching $3.1 million in 2024, a 23% spike from the previous year.
While the losses in 2024 were substantial, they were still lower than the amounts lost in 2021 and 2022, which totaled $5.2 billion and $3.5 billion, respectively. Web3, an internet service built on decentralized blockchains, aims to empower users by providing more control over their online activities.
Fluctuations in cryptocurrency value heavily influence the amount of crypto stolen on Web3 platforms. CertiK highlighted that the total value locked in blockchain networks saw a significant increase in 2024, driven by the growing adoption of decentralized finance (DeFi). The approval of spot Bitcoin and Ethereum exchange-traded funds (ETFs) by the US Securities and Exchange Commission (SEC) last year also contributed to this uptick in DeFi adoption.
In contrast, the value of DeFi experienced a 46% decline in 2023 compared to the previous year. Ethereum emerged as the most targeted cryptocurrency in 2024, with 403 security incidents leading to $748.6 million in losses. Bitcoin and Tron were also among the heavily targeted cryptocurrencies, with $542.7 million and $133 million stolen, respectively.
Phishing emerged as the most costly attack vector in 2024, accounting for $1.05 billion in losses across 296 incidents. This represents nearly half of the total value stolen during the year and 39.1% of the total number of incidents. The researchers noted that phishing attacks tend to result in larger amounts stolen per incident compared to other attack techniques.
One notable phishing incident in August involved a sophisticated social engineering attack that led to the theft of $243 million in crypto from a Genesis creditor in Washington, D.C. The attackers posed as support employees from Google and Gemini, tricking the victim into resetting their two-factor authentication (2FA) and transferring funds to a compromised wallet.
The prevalence of phishing attacks in 2024 marks a significant shift from 2023, when private key compromise was the dominant attack vector. In 2024, private key compromise ranked as the second-highest attack vector, resulting in $855.4 million in losses across 65 incidents.
CertiK suggested that the rise of phishing attacks indicates an improvement in technical security controls within the Web3 ecosystem, making other attack techniques less effective. This data underscores the importance of robust security measures to safeguard cryptocurrency assets in the evolving landscape of blockchain technology.