- $409 million stolen in the third quarter, 40% less than in the year-earlier period.
- The majority of stolen funds can be attributed to the hacks of WazirX and BingX, with $235 million and $52 million being stolen respectively.
- DeFi remains an unparalleled opportunity for blackhat hackers, Immunefi said.
Hackers stole $409 million worth of cryptocurrency in the third quarter, and an additional $3 million was lost to fraud, according to a report by Immunefi.
The figure is 40% less than in third-quarter 2023, the bug bounty platform said.
The amount of capital locked on decentralized finance (DeFi) protocols represents an "unparalleled and attractive opportunity for blackhat hackers," Immunefi said. There is currently $87.2 billion in total value locked (TVL) across DeFi, according to DefiLlama.
Most of the quarter's losses came from hacks of crypto exchanges, with India's WazirX losing $235 million and Singapore's BingX $52 million. The report said 32 other hacks accounted for 32% of total losses.
"We're seeing a higher number of incidents targeting DeFi, while CeFi experiences fewer incidents but often with more severe consequences, with hundreds of millions in stolen funds in a single exploit," said Mitchell Amador, founder and CEO of Immunefi.
"In CeFi, the biggest infrastructural issue is private key management, which is essential to maintaining the self-custody of crypto assets but is not typically subject to security audits. It requires rigorous key management policies, practices, and emergency plans."
WazirX lost funds after hackers compromised the exchange's private keys. The exchange halted withdrawals and froze trading on July 18, and is now seeking a moratorium from Singapore's courts to give it time to restructure.
The Ethereum blockchain was the most common target for hackers, with 15 incidents of theft reported compared with eight on BNB Chain and two on Base.
There were also two incidents of funds being recovered after being stolen. Ronin Network recouped $10 million from a $12 million hack and ShezmuTech clawed back all $4.9 million that was taken.