According to cybersecurity firm Cyvers’ mid-year Web3 security report, the total volume of stolen crypto funds so far this year is approaching $1.4 billion as centralized exchanges emerge as the new ground zero for exploits.
In the second quarter of 2024, total crypto losses exceeded $600 million, marking a 100% increase over the same period last year. The surge in pilfered funds was driven primarily by a 900% increase in losses on centralized exchanges, according to the report.
“This quarter has witnessed a significant shift in attack vectors, with centralized exchanges (CEX) bearing the brunt of major incidents, while decentralized finance (DeFi) protocols show improved resilience,” the report said. “This trend may be attributed to the concentration of assets in centralized platforms and potentially lax security measures in some exchanges.”
Access control breaches—often in the form of phishing attacks—accounted for the overwhelming majority of stolen funds, around $490 million in Q2 alone, according to Cyvers. That figure dwarfs losses from smart contract exploits, which saw less than $70 million drained during the same period.
Quick action by decentralized finance (DeFi) protocols to freeze compromised smart contracts has protected users, but Cyvers cautioned that exploit risk remains prevalent as hackers unearth new vulnerabilities in complex contracts. Cross-chain bridges are also becoming a significant attack vector, the report noted, citing the $1.44 million exploit of XBridge in April.
The high-profile breach in May of Japanese cryptocurrency exchange DMM heavily impacted Cyvers’ Q2 data. The hack—which was reportedly caused by a compromised private key—drained upward of $300 million. Another significant outlier was the Turkish cryptocurrency exchange BtcTurk, which lost around $50 million to hackers in June.
The report noted that explicit victims are having greater success than before in recovering lost funds, with total funds recovered increasing by 42% in Q2 over the same period last year. Still, the vast majority of lost funds—some 76%—have not been retrieved.
Web3 users should remain on the lookout for emergent threats posed by artificial intelligence and quantum computing, which could provide hackers with sophisticated new tools for bypassing onchain security measures, Cyvers said.