According to statistics from Beosin Alert, the total losses from hacks, phishing scams, and rug pulls in Web3 reached $730 million in Q3 2024. Of this, 23 major attacks accounted for approximately $430 million, 3 rug pulls for around $4.24 million, and phishing scams for approximately $295 million.
About $577 million (78.9%) of the stolen funds are held at hacker addresses. As global regulatory agencies intensify their anti-money laundering efforts, it has become more difficult for hackers to launder their stolen funds. As a result, a considerable number of hackers have chosen to temporarily keep the stolen funds at on-chain addresses.
In Q3 2024, out of 23 attack incidents, 4 involved projects that had not been audited, while 16 involved projects that had been audited. The proportion of audited projects is higher than in 2024 H1, indicating that the Web3 industry as a whole is placing greater importance on security. Among the 4 unaudited projects, 3 incidents (75%) involved contract vulnerabilities. Of the 16 audited projects, 11 incidents (68.75%) involved contract vulnerabilities. The share of incidents involving contract vulnerabilities is thus roughly the same for audited and unaudited projects. Compared to H1, the overall quality of security audits in 2024 has somewhat declined.
As in 2024 H1, private key compromises remained the most damaging type of attack in 2024 Q3. About 41.7% of the loss amount came from private key compromises. In terms of project types, private key compromise incidents spanned various Web3 domains: gaming platforms, token contracts, individual wallets, infrastructure, exchanges, etc. All Web3 project teams and individual users need to stay vigilant: store private keys offline, use multi-signature wallets, be cautious with third-party services, and conduct regular security training for privileged employees.