Web 3.0, the blockchain-based layer of the internet that hosts decentralized applications and crypto-currencies, lost over US$1.8 billion to cybercrime in 2023.
Newly released findings from cybersecurity firm Certik’s latest Hack3D Annual Report cast a pall over the US Securities and Exchange Commission (SEC)’s much-anticipated approval of up to a dozen Bitcoin ETFs (exchange-traded funds) on Wednesday. They will also cast a long shadow over the hoped-for institutional acceptance of crypto-currencies by influential financial entities, including Swift, the Hong Kong Monetary Authority, and the Australia and New Zealand Banking Group (ANZ). In the second half of last year, the SEC scrutinized a series of proposals, notably extending review periods for Bitcoin ETF applications from major firms such as BlackRock, ARK, and Fidelity.
According to Certik’s report, cybercrime impacting Web 3.0 accelerated in the latter half of 2023. The third quarter of last year saw roughly US$687 million lost across 183 hacks, and the barrage of large attacks kept growing until the Christmas lull. In November alone, US$360 million was lost in 45 incidents. Although overall annual losses were only half those of 2022, the difference is explained largely by the tumbling value of crypto-currencies during what was effectively an 18-month bear market, not by fewer or smaller attacks.
Blockchain hits average US$3m to US$19m each
The findings directly confound the idea that cryptographically secured, decentralized blockchains are somehow invulnerable to hackers. Most of the losses were not breaks of a chain’s cryptography at all, but attacks on the smart contracts, wallets, keys, supporting software and people around it. The Ethereum ecosystem, best-known for its crypto-currency ‘ether,’ alone lost US$686 million to cybercrime in 2023 across 224 incidents, a loss of roughly US$3 million per hit.
With loot that is pseudonymous and hard to recover once stolen, determined cybercriminals are increasingly targeting blockchains and their crypto riches. On December 14, for example, Ledger, a manufacturer of crypto hardware wallets, suffered a US$610,000 hit with resulting reputational damage. All the hit involved was a relatively straightforward phishing attack on a single Ledger employee.
The compromised account allowed the attackers to publish a malicious version of Ledger’s Connect Kit library, which operated as a ‘Trojan horse.’ Instead of establishing a legitimate link between users’ wallets and the decentralized application they were visiting, the malicious code presented a fake wallet-connection prompt and drained funds from wallets whose owners approved it. Because many decentralized applications (dApps) loaded the library at runtime from a shared source, a single successful phishing attack on one employee’s account was enough to push attacker code to a wide range of users and dApps at once.
As humans are the weakest link in any blockchain system, cybercriminal gangs, already proficient in social engineering across public networks, increasingly concentrate on phishing attacks tailored to key employees or on gaining access to unsuspecting individuals’ crypto-wallets. Such private key compromises account for almost half of Web 3.0’s total losses for 2023: US$880 million stems from just 47 key-compromise incidents, roughly US$19 million per incident. Although they represent only 6.3 percent of security incidents throughout the year, private key compromises account for almost half of Web 3.0’s losses to cybercrime in 2023.
Nor is the infrastructure supporting crypto-currencies always as decentralized and invulnerable to attack as claimed. Despite the decentralized ethos of blockchain and cryptocurrency, elements within the ecosystem, such as software libraries like the Ledger Connect Kit, are centralized points of failure: a single publishing account that can push a new version of a library to every dApp that loads it is a software-supply-chain risk no matter how decentralized the chain underneath may be.