So far, in 2023, approximately $28,047,532 was lost to various scams and exploits in the Web3 industry with a total of 55 recorded attacks. This is a significant decrease from the average loss per month in 2022, which stood at $313 million, and is approximately 43% below December's figure, which saw the least amount of funds lost. Exit scams account for approximately $10,222,994 in losses across 21 incidents and made up 38% of the overall funds lost in January. This is due to the lack of any major incidents exceeding over $10 million, which hasn’t occurred for over 12 months.
In the month of January there have been a total of 27 major attacks. This is the second fewest number of attacks recorded since February 2022, which saw 20 major attacks. An average of $998,734 was lost per attack, which is a significant decrease from the average of $2,455,613 per attack in the month of December.
The largest exploit this month was the LendHub incident, which saw a ~$5.3 million loss. The LendHub exploit, which happened 12th January, is the largest attack this year thus far. The exploiter took advantage of a discrepancy between an old IBSV cToken and a new token. The old and new IBSV tokens exist simultaneously in the market, with both taking their price from the new IBSV. The exploiter obtained old IBSV tokens by depositing HBSV tokens, borrowing assets from the new market, then redeemed HBSV back in the old market. The exploiter transferred the stolen funds from LendHub to other chains like Ethereum and Optimism. After transferring the assets to Ethereum, the exploiter funneled stolen funds into sanctioned cryptocurrency mixer Tornado Cash.
The second largest exploit was on the 3rd January of a GMX whale wallet being compromised, leading to a loss of ~$3.5 million. The GMX was swapped for Ethereum and bridged to the Ethereum mainnet from Abritrum. The victim wallet sets the hackers wallet as the pending receiver, which was then swapped. The swapping of GMX caused a slippage of the GMX token, causing the community to ask questions as to its nature. This prompted figures in GMX to announce that a whale wallet had been hacked, and had nothing to do with the GMX project.
The third moss significant loss, reported on December 31, 2022. One of the original core developers behind Bitcoin Luke Dahjr, claims he lost all his bitcoin as a result of a hack before the new year. Luke claims that the alleged hackers somehow gained access to his private key to steal his BTC. Luke did not share how much of his BTC was stolen in total. The 4 transactions that he posted online at the time of writing suggest that ~$3.6 million was taken. There is no definite answer to how Luke lost his bitcoin, but people speculate that he had lax security, or that someone stumbled across the seed phrase somehow. Some even suggested that it was a boating accident ahead of tax season.
January 2023 has seen a total of 21 exit scams resulting in the loss of $10.2 million. The amount lost this month to exit scams is approximately the average seen across 2022 when discounting outlier events (exit scams with losses over 10 million). However, exit scams accounted for a significant portion of the overall monthly loss in January, at 38.1%. This compares to 27.2% in December and 5% in November and October, respectively.
The high proportion of the overall funds being attributed to exit scams is likely due to the overall low number of incidents in other categories such as major exploits. While other categories have trended lower, exit scams continued a steady trend seen in 2022. This even comes after a relative drop in incidents in January 2023 compared to the average in 2022. The overall incidents in January 2023 were 21 compared to the overall average of 26.1 in 2022.
Despite the lower incidents, the continuation of the trend of funds lost was maintained primarily by three major exit scams whose funds lost exceeded $2 million. FUT, malicious circulate contracts and Yield Robot resulted in a combined loss of approximately $7 million, roughly 70% of all funds lost in January.
January 2023 saw a total of 16 attacks. The total number of losses for January were approximately $762,000 with an average of $47,647 lost per attack. The most significant flashloan attack occurred on BRA. On January 9th, 2023, BRA experienced several flashloan attacks that exploited the flawed fee collecting system to cause over minting on the victim liquidity pool which had been drained. Leading to a loss of approximately $237,000. The first attacker address gained 819 BNB and the second attacker address gained 53BNB as the liquidity pool was still vulnerable to copycat attackers. The attacker took advantage of the vulnerability in the fee - collecting system to cause overminting on the victim liquidity pool.
Overall, the number of malicious flash loans was higher than any month seen in 2022; however the overall funds lost didn’t exceed $800,000. It is significantly lower than the 2022 average, which stands at $29.5 million lost per month. Despite the higher number of flash loans, the majority of incidents targeted low liquidity tokens, with the vast majority leading to losses below $50,000.
The start of 2023 has begun how 2022 ended; there were 36 compromised Discord servers in December 2022 and 36 in January 2023. We also recorded 5 Twitter account compromises related to NFTs in both months. On top of this we are also starting to see an increase in the number of fake Twitter accounts and wallet drainers being advertised on Twitter. This increase may be due to the prevalence of wallet drainer phishing kits, which scammers can purchase from a variety of vendors.
In the largest phishing incident of the month, a fake Cool Cats NFT website was able to steal 357 NFTs. Five days later,the same group were able to steal 195 NFTs from another phishing site imitating Hasbullah NFT. The Hasbullah phishing account is perhaps the first incident in which we have seen being promoted via Twitter ads.
Compared to January 2022, there was an uptick in attacks. In January 2022, we recorded 31 total attacks, while this year we have recorded 54 total attacks. However, when comparing to total loss there was a significant decrease in funds lost. The downward trend in funds lost, which was observed at the end of 2022, has continued into 2023, primarily due to the absence of major exploits where the total loss exceeds $10 million.