Web3 Crypto Security Report: Beware of Phishing During Bull Market Gains
Bitcoin has once again broken through its historical high, approaching $99,000 and closing in on the $100,000 mark. Historical data shows that scams and phishing activities in the Web3 space have proliferated during bull markets, with total losses exceeding $350 million. Analysis shows that hackers primarily target the Ethereum network, with stablecoins being the main target.
Cryptocurrency Security Ecosystem Map
We have categorized the cryptocurrency security ecosystem for 2024. In the field of smart contract auditing, established players include Halborn, Quantstamp, and OpenZeppelin. Smart contract vulnerabilities remain one of the primary attack vectors in the cryptocurrency space, and projects providing comprehensive code review and security assessment services each have their strengths.
In the DeFi security monitoring section, there are specialized tools like DeFiSafety and Assure DeFi, which focus on real-time threat detection and prevention for decentralized finance protocols. The emergence of AI-driven security solutions is also worth noting.
Recently, meme trading has been extremely popular, and security check tools like Rugcheck and Honeypot.is can help traders identify potential issues in advance.
USDT is the Most Stolen Asset
According to bitsCrunch data, Ethereum-based attacks account for about 75% of all attack incidents. USDT is the most targeted asset, with thefts amounting to $112 million, averaging about $4.7 million per attack. The second most affected asset is ETH, with losses of about $66.6 million, followed by DAI, with losses of $42.2 million.
It is noteworthy that lower market cap tokens also experience a high volume of attacks, indicating that attackers are on the lookout for assets with lower security. The largest incident occurred on August 1, 2023, involving a complex fraud attack that resulted in a loss of $20.1 million.
Polygon is the Second Most Targeted Chain
While Ethereum dominates all phishing incidents, accounting for 80% of phishing transaction volume, theft activities have also been observed on other blockchains. Polygon has become the second most targeted chain, accounting for about 18% of the transaction volume. Often, theft activities are closely related to on-chain TVL and daily active users, with attackers making judgments based on liquidity and user activity.
Time Analysis and Attack Evolution
Attack frequency and scale exhibit different patterns. According to bitsCrunch data, 2023 has been the year with the highest concentration of high-value attacks, with multiple incidents valued over $5 million. At the same time, the complexity of attacks has gradually evolved from simple direct transfers to more complex approval-based attacks. The average time between significant attacks (>$1 million) is about 12 days, primarily concentrated around major market events and new protocol launches.
Types of Phishing Attacks
Token Transfer Attacks
Token transfer is the most direct attack method. Attackers manipulate users into transferring their tokens directly to accounts controlled by the attackers. According to bitsCrunch data, these types of attacks often have a high single-transaction value, leveraging user trust, fake pages, and scam rhetoric to persuade victims to initiate token transfers voluntarily.
These attacks typically follow this pattern: the attacker establishes trust by creating similar domain names that completely mimic certain well-known websites, creates a sense of urgency during user interactions, and provides seemingly reasonable token transfer instructions. Our analysis shows that the average success rate of such direct token transfer attacks is 62%.
Approval Phishing
Approval phishing primarily exploits the smart contract interaction mechanism and is a technically more complex attack method. In this approach, attackers trick users into signing transaction approvals that grant the attacker unlimited spending rights over specific tokens. Unlike direct transfers, approval phishing creates long-term vulnerabilities, allowing attackers to gradually deplete funds.
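As an added illustration (not part of the original report or any bitsCrunch tooling), the following Python sketch shows the kind of pre-signing check a wallet or monitoring tool can run on transaction calldata to surface approval grants. It goes slightly beyond the ERC-20 case described above by also covering `increaseAllowance` and the NFT operator approval `setApprovalForAll`; the `UNLIMITED` threshold, the risk labels and the sample spender address are assumptions made for this example.

```python
MAX_UINT256 = 2**256 - 1
UNLIMITED = 2**255  # assumed cut-off: amounts this large are effectively unlimited

# 4-byte selectors of calls that hand spending rights to another address.
SELECTORS = {
    "095ea7b3": "approve",            # ERC-20 approve(address,uint256)
    "39509351": "increaseAllowance",  # common ERC-20 extension
    "a22cb465": "setApprovalForAll",  # ERC-721/ERC-1155 operator approval
}

def inspect_calldata(data_hex, trusted_spenders=()):
    """Classify calldata before signing. Returns None if it is not an approval call."""
    try:
        raw = bytes.fromhex(data_hex.lower().removeprefix("0x"))
    except ValueError:
        return None
    name = SELECTORS.get(raw[:4].hex())
    if name is None:
        return None
    # Two 32-byte ABI words follow the selector; an address word has 12 zero bytes of padding.
    if len(raw) < 68 or any(raw[4:16]):
        return {"function": name, "risk": "malformed"}
    spender = "0x" + raw[16:36].hex()
    value = int.from_bytes(raw[36:68], "big")
    if value == 0:
        risk = "none"              # zero amount or `false`: grants nothing new
    elif name == "setApprovalForAll":
        risk = "whole-collection"  # operator can move every token in the collection
    elif value >= UNLIMITED:
        risk = "unlimited"
    else:
        risk = "limited"
    trusted = spender in {s.lower() for s in trusted_spenders}
    return {"function": name, "spender": spender, "amount": value,
            "risk": risk, "spender_trusted": trusted}

def build_call(selector, spender, value):
    """Build sample calldata for the demo (constructed, not a real transaction)."""
    return "0x" + selector + spender.removeprefix("0x").rjust(64, "0") + f"{value:064x}"

SPENDER = "0x" + "de" * 20  # constructed placeholder address
```

A result with `risk` of `unlimited` or `whole-collection` and `spender_trusted` set to `False` is the combination that deserves an explicit warning before the user signs.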
Fake Token Addresses
Address poisoning is a comprehensive, multi-faceted attack strategy in which attackers create transactions using tokens that have the same name as legitimate tokens but different addresses. These attacks profit from users' negligence in checking addresses.
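The defensive counterpart is to identify a token by its chain and address rather than by its displayed name. The Python sketch below is an added example, not code from the report; the allowlist, its placeholder addresses and the sample transfers are constructed for illustration, and the labels `trusted`, `impostor` and `unknown` are assumptions of this example.

```python
import unicodedata

# Constructed allowlist keyed by chain id, then by lowercase token address.
# The addresses are made-up placeholders, not the real token contracts.
TRUSTED_TOKENS = {
    1:   {"0x" + "a1" * 20: "USDT", "0x" + "b2" * 20: "DAI"},  # Ethereum
    137: {"0x" + "c3" * 20: "USDT"},                            # Polygon
}
_INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))

def normalize_symbol(symbol):
    """Fold compatibility forms (e.g. full-width letters) and drop zero-width characters."""
    folded = unicodedata.normalize("NFKC", symbol).translate(_INVISIBLE)
    return folded.strip().upper()

def classify_token(chain_id, token_address, symbol):
    """Identity comes from (chain, address); the symbol is only an unverified claim."""
    known = TRUSTED_TOKENS.get(chain_id, {})
    if token_address.lower() in known:
        return "trusted"
    if normalize_symbol(symbol) in known.values():
        return "impostor"  # reuses a trusted name under a different address
    return "unknown"

def flag_transfers(transfers):
    """Return the transfers whose token borrows a trusted symbol on that chain."""
    return [t for t in transfers
            if classify_token(t["chain_id"], t["token"], t["symbol"]) == "impostor"]

# Constructed wallet-history entries for the demo.
SAMPLE_TRANSFERS = [
    {"chain_id": 1,   "token": "0x" + "a1" * 20, "symbol": "USDT"},      # genuine
    {"chain_id": 1,   "token": "0x" + "ee" * 20, "symbol": "USDT"},      # same name, other address
    {"chain_id": 1,   "token": "0x" + "ef" * 20, "symbol": "ＵＳＤＴ"},  # full-width look-alike
    {"chain_id": 137, "token": "0x" + "a1" * 20, "symbol": "USDT"},      # right address, wrong chain
    {"chain_id": 1,   "token": "0x" + "f0" * 20, "symbol": "XYZ"},       # unrelated token
]
```

NFKC folding does not map cross-script look-alikes such as Cyrillic letters to Latin ones, so those symbols come back as `unknown`, which a wallet should also present as unverified.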
NFT Zero-Cost Purchases
Zero-cost purchase phishing specifically targets the digital art and collectibles market within the NFT ecosystem. Attackers manipulate users into signing transactions that sell their high-value NFTs at a significantly reduced price or even for free. We identified 22 significant NFT zero-cost purchase phishing incidents, with an average loss of $378,000 per incident. These attacks exploit the inherent transaction signature processes of the NFT market.
Distribution of Stolen Wallets
The data in this chart reveals the distribution pattern of stolen wallets across different transaction price ranges. We found a clear inverse relationship between transaction value and the number of affected wallets: as the price increases, the number of affected wallets gradually decreases.
The number of victim wallets for transactions between $500 and $1,000 is the highest, with about 3,750 wallets, accounting for over one-third. Victims of smaller transactions often do not pay attention to details. The number of wallets for transactions between $1,000 and $1,500 drops to 2,140. Transactions over $3,000 account for only 13.5% of the total number of attacks. This indicates that the larger the amount, the stronger the security measures, or victims consider more carefully when dealing with larger sums.
By analyzing the data, we reveal the complex and evolving attack methods within the cryptocurrency ecosystem. As the bull market arrives, the frequency of complex attacks will increase, and the average losses will grow larger, significantly impacting the finances of project teams and investors. Therefore, not only do blockchain networks need to strengthen security measures, but we must also be more vigilant during transactions to prevent phishing incidents.