The year 2023 marked a pivotal shift in the Web3 ecosystem, with notable improvements in blockchain security and a dramatic rise in off-chain criminal activities. While on-chain attacks, scams, and rug pulls declined significantly, underground financial crimes such as money laundering, online gambling, and fraud surged to unprecedented levels. This comprehensive analysis explores the evolving security landscape of Web3, highlights key threats, examines attack vectors, and provides insights into anti-money laundering (AML) trends shaping the crypto industry.
Web3 Security Overview in 2023
According to data from Beosin’s EagleEye platform, total losses due to hacking, phishing, and rug pulls in 2023 reached $2.02 billion, a 53.9% decrease compared to 2022. The decline was driven by improved security awareness across the ecosystem, more rigorous audits, and enhanced monitoring tools.
- Hacking incidents: 191 attacks, totaling $1.397 billion in losses (down 61.2% YoY)
- Rug pull events: 267 cases, amounting to $388 million in losses (down 8.8% YoY)
- Phishing scams: Resulted in $238 million in losses (down 33.2% YoY)
Notably, the top 10 security incidents accounted for approximately $1 billion, representing 71.5% of total hacking losses. This concentration underscores the high-impact nature of major breaches and the critical need for robust defenses in large-scale protocols.
👉 Discover how leading platforms are strengthening security against emerging threats
Top 10 Web3 Security Incidents of 2023
1 Mixin Network – $200 Million Lost
Attack Vector: Cloud Service Database Breach
In September, Mixin Network suffered a breach via its cloud service provider, resulting in the loss of $200 million. The attack primarily impacted Bitcoin holdings, while native tokens like BOX and XIN remained largely unaffected.
2 Euler Finance – $197 Million Exploited
Attack Vector: Smart Contract Logic Flaw
A vulnerability in Euler Finance’s donateToReserves function allowed attackers to manipulate reserve balances without sufficient collateral. Remarkably, all stolen funds were voluntarily returned after community negotiations.
3 Poloniex – $126 Million Stolen
Attack Vector: Private Key Leak / APT Attack
In November, Poloniex experienced unauthorized withdrawals due to a suspected advanced persistent threat (APT), likely linked to the North Korean Lazarus group.
4 HTX & Heco Bridge – $110 Million Compromised
Attack Vector: Private Key Exposure
HTX and its Heco Bridge lost over $110 million following a private key leak, highlighting risks associated with centralized custody systems.
5 Curve Finance (via Vyper Bug) – $73 Million Drained
Attack Vector: Reentrancy Vulnerability
A flaw in Vyper compiler versions 0.2.15–0.3.0 disabled reentrancy guards, enabling attackers to exploit Curve’s stablecoin pools across multiple chains.
6 CoinEx – $70 Million Breached
Attack Vector: Hot Wallet Compromise
CoinEx detected suspicious withdrawals from its hot wallet, leading to losses across Ethereum, TRON, and Polygon networks.
7 Atomic Wallet – $67 Million Stolen
Attack Vector: APT-Driven Private Key Theft
Atomic Wallet fell victim to a sophisticated cyberattack attributed to Lazarus, affecting users across 21 blockchains.
8 Alphapo – $60 Million Drained
Attack Vector: Hot Wallet Exploit
The payment processor lost $60 million in another confirmed Lazarus operation.
9 KyberSwap – $54.7 Million Exploited
Attack Vector: Complex Business Logic Flaw
Kyber Network described this as one of the most technically intricate DeFi hacks to date, requiring precise sequence manipulation.
10 Stake.com – $41.3 Million Lost
Attack Vector: Unauthorized Access to Hot Wallets
The crypto gambling platform faced breaches on both Ethereum and BSC chains, again linked to Lazarus.
Most Targeted Project Types
Web3 attacks diversified beyond DeFi and bridges in 2023:
- DeFi: 130 attacks ($408 million lost) — highest frequency and value
- CEXs (Centralized Exchanges): 9 incidents ($275 million lost)
- DEXs (Decentralized Exchanges): 16 attacks ($85.7 million lost)
- Public Blockchains: $208 million lost
- Cross-chain Bridges: $98 million lost (down sharply from 2022)
- Payment Platforms: $97.3 million lost (Alphapo + CoinsPaid)
This expansion reflects hackers targeting weaker security postures outside traditional DeFi infrastructure.
Chain-Specific Loss Distribution
Ethereum remained the most heavily impacted chain:
- Ethereum: $766 million lost across 71 incidents (54.9% of total)
- Mixin Network: $200 million (single incident)
- HECO Chain: $92.6 million
- BNB Chain: 76 attacks ($70.8 million), mostly under $1M each
BNB Chain saw the highest number of attacks, though individual losses were smaller compared to Ethereum.
Dominant Attack Vectors in 2023
Two primary methods dominated:
1. Private Key Leaks – $627 Million Lost (44.9%)
Caused by APT attacks, insider threats, or poor key management. Major breaches included Poloniex, HTX, CoinEx, and Atomic Wallet.
2. Smart Contract Exploits – 99 Incidents (51.8%)
Despite fewer high-value exploits than 2022, contract vulnerabilities remained the most frequent attack vector.
Breakdown of Contract Vulnerabilities:
- Business Logic Flaws: $313 million lost (72.7% of contract-related losses)
- Reentrancy Bugs: $93.5 million lost
- Access Control Failures: Multiple mid-sized breaches
👉 Learn how next-gen security tools detect vulnerabilities before deployment
Case Study: Euler Finance Attack
On March 13, Euler Finance suffered a flash loan attack exploiting a logic flaw in its donation mechanism. Attackers donated eDAI without adequate backing, triggering artificial liquidations that drained protocol reserves.
Despite undergoing audits from six firms — including Halborn and Certora — the vulnerability went undetected until exploitation. The incident emphasizes that even audited projects are not immune to novel attack patterns.
After public appeals and negotiations, the attacker returned all funds — a rare but encouraging example of ethical hacking behavior.
AML Trends and Fund Flow Analysis
While on-chain attacks decreased, illicit activity surged:
- Total illicit crypto flows in 2023: $656.88 billion, up 377% YoY
- Top crime types: Online gambling ($549B**), money laundering (**$40B), fraud ($20.5B**), MLM schemes (**$14.3B)
Notable Enforcement Actions:
- China dismantled a $549B crypto-facilitated gambling ring
- Singapore uncovered a $28B money laundering scheme
- U.S. charged Bitzlato co-founder with $700M in laundering offenses
- Hong Kong’s JPEX scam led to 66 arrests involving $205M
These cases reveal how criminals leverage crypto’s pseudonymity for large-scale financial crimes — often operating outside blockchain networks entirely.
Asset Recovery and Mixing Trends
- $295 million recovered (21.1% of total) — up from just 8% in 2022
$330 million sent to mixers (23.6%), down from 38.7% in 2022
- Tornado Cash: $71M used (heavily reduced post-sanctions)
- Other mixers (e.g., Sinbad): $259M used
- U.S. OFAC sanctioned Sinbad in November 2023 for aiding North Korean hackers
Hackers now use complex cross-chain routing instead of relying solely on mixers.
Audit Effectiveness in 2023
Of the 191 compromised projects:
- 79 had no audit
- 101 had been audited
Interestingly:
- 59.5% of unaudited projects failed due to contract bugs
- 50.5% of audited projects still suffered from exploitable logic flaws
This indicates that while audits help reduce risk, they do not guarantee security — especially when audits are rushed or lack depth.
Rug Pull Trends
Beosin recorded 267 rug pulls totaling $388 million:
- 87% under $1M
- Major cases: Multichain ($210M), Fintoch ($31.6M), BALD ($23M)
Most occurred on BNB Chain (159) and Ethereum (81) — together accounting for 92.3% of total cases.
Key Takeaways for 2024
Despite progress in securing smart contracts and improving recovery rates, Web3 faces growing threats from off-chain criminal ecosystems. The convergence of cybercrime, financial fraud, and geopolitical actors like Lazarus poses long-term risks.
Core challenges include:
- Evolving APT tactics targeting private keys
- Proliferation of multi-chain laundering techniques
- Persistent weaknesses in business logic design
- Regulatory gaps enabling large-scale illicit flows
👉 Stay ahead with real-time threat intelligence and secure trading solutions
Frequently Asked Questions
Q: Why did on-chain attacks decrease in 2023?
A: Improved security practices — including better audits, real-time monitoring, and lessons learned from past exploits — made it harder for hackers to succeed through smart contract vulnerabilities.
Q: What caused the surge in crypto-related crime?
A: Criminals increasingly use crypto for money laundering and gambling due to its global reach and partial anonymity. Economic instability and weak cross-border enforcement have exacerbated the trend.
Q: Are blockchain audits enough to prevent hacks?
A: No. While audits are essential, they can miss logic flaws or assume honest behavior. Continuous monitoring and formal verification are needed for stronger protection.
Q: How effective are mixers after sanctions?
A: Sanctions reduced usage of platforms like Tornado Cash, but hackers migrated to alternatives like Sinbad — which was later also sanctioned — showing an ongoing cat-and-mouse game.
Q: Which blockchains are safest?
A: Safety depends more on project implementation than chain choice. However, Ethereum leads in tooling and transparency, while BNB Chain sees higher attack frequency due to rapid deployment cycles.
Q: Can stolen funds be recovered?
A: Yes — about 21% were recovered in 2023 via negotiation or law enforcement action. Cross-chain tracking tools have improved traceability despite obfuscation efforts.