Web3 security incidents resulted in over $2.3bn worth of cryptocurrency in losses in 2024, a 31.6% increase in the value stolen compared to 2023, according to new figures from blockchain security firm Certik.
These losses took place across 760 incidents, 29 fewer than in 2023. The average amount stolen per hack was $3.1m in 2024, a 23% increase from 2023.
The crypto value stolen in 2024 is still significantly lower than the amounts lost in 2021 and 2022, which were $5.2bn and $3.5bn, respectively.
Web3 is an internet service built using decentralized blockchains, designed to put control in the hands of the users.
The amount of crypto stolen on this service is heavily influenced by the fluctuating value of cryptocurrency. Certik noted that the total value locked across blockchain networks increased substantially in 2024, driven by renewed adoption of decentralized finance (DeFi).
Last year, the US Securities and Exchange Commission (SEC) approved Spot Bitcoin and Ethereum exchange-traded funds (ETFs), helping with this boost.
In contrast, the value of DeFi had fallen by 46% in 2023 compared to 2022.
Ethereum was the cryptocurrency that experienced the highest number of security incidents and losses in 2024, with a total of 403 hacks, scams, and exploits leading to $748.6m in losses.
Bitcoin and Tron were also heavily targeted, with $542.7m and $133m stolen, respectively.
Phishing Becomes Most Costly Attack Vector
Phishing was the costliest attack vector in 2024, resulting in $1.05bn of losses across 296 incidents. This represents nearly half of all value stolen in the year and 39.1% of the number of incidents.
The researchers said these figures suggest that phishing attacks typically lead to larger amounts stolen per incident than other attack techniques.
The most costly phishing incident took place in August, when a sophisticated social engineering attack led to the theft of $243m in crypto from a single Genesis creditor located in Washington D.C.
The attackers posed as support employees from Google and Gemini to trick the victim into resetting their two-factor authentication (2FA) and transferring funds to a compromised wallet.
The prominence of phishing marks a significant change compared to 2023, when private key compromise was the dominant attack vector. Phishing was the fifth highest attack vector in 2023, responsible for $203m of losses across 55 incidents.
In 2024, private key compromise was the second highest attack vector, causing $855.4m of losses across 65 incidents.
Certik said that the shift to phishing shows that technical security controls in the Web3 ecosystem are improving, making other attack techniques less effective.