Preface: SlowMist has released the 2023 Blockchain Security and Anti-Money Laundering Annual Report. We hope that this report provides readers with valuable information, assisting professionals and users in gaining a more comprehensive understanding of the current state of blockchain security and solutions. We aim to contribute to the security of the blockchain ecosystem through this effort.
Due to space constraints, only the key findings from the analysis report are listed here. The complete content can be downloaded via the link.
2023 has been a revitalizing and tumultuous year for the blockchain industry. Against this backdrop, this report reviews key regulatory compliance policies and dynamics in the blockchain industry in 2023, summarizes blockchain security incidents and the anti-money laundering landscape, provides statistics on some money laundering tools, and offers detailed analyses of typical security incidents and phishing scams. The report also presents preventive measures and recommendations. Additionally, we have invited Web3 anti-fraud platform Scam Sniffer to contribute content on the phishing group Wallet Drainers. Simultaneously, we have analyzed and tallied money laundering techniques and profits of the hacking group Lazarus Group.
According to the SlowMist Hacked blockchain incident archive, there were a total of 464 security incidents in 2023, resulting in losses of up to $2.486 billion. This represents a 34.2% decrease in losses compared to 2022, which had 303 incidents with approximately $3.777 billion in losses.
Overview of Blockchain Security Incidents
Looking at the project types, Decentralized Finance (DeFi) remains the most frequently attacked sector. In 2023, there were 282 DeFi security incidents, accounting for 60.77% of the total number of incidents. The losses from these incidents amounted to $773 million. Compared to 2022, which had 183 incidents with losses around $2.075 billion, there was a 62.73% decrease in losses year-over-year.
From an ecosystem perspective, Ethereum experienced the highest losses, amounting to $487 million. This was followed by Polygon, with losses reaching $123 million.
Looking at the causes of incidents, the most common were exit scams, totaling 110 cases with losses of about $83 million. The next most frequent cause was account compromise.
Top 10 Major Security Breaches of 2023
This section highlights the top 10 security attack incidents with the highest losses in 2023. Details can be found in the PDF content at the end of the document.
Rug Pull Scams
According to statistics from the SlowMist Hacked blockchain incident archive, there were as many as 117 rug pull incidents in 2023, with losses exceeding $83 million. The Base ecosystem suffered the highest losses, amounting to $32.5 million. This was followed by the BSC ecosystem, with losses of $23.05 million.
Rug pull is a type of scam typically orchestrated by project developers themselves, occurring in various ways. For instance, the developers might provide initial liquidity, inflate the price, and then withdraw the liquidity. Alternatively, they may create a cryptocurrency project, attract crypto investors through various marketing tactics, and then suddenly abscond with the invested funds, selling off crypto assets and disappearing without a trace. Another method involves launching a website, attracting hundreds of thousands in deposits, and then shutting down. Or, the developers might leave backdoor codes in the project. Regardless of the method, any form of rug pull results in financial losses for investors.
Here we introduce an extremely covert rug pull case caused by a contract storage issue: although no token issuance was ever recorded on chain, the malicious actors held a large quantity of unrecorded, newly issued tokens and used them to drain funds from the pool.
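The case above turns on a supply that exists in contract storage but not in the event history. A practical defender check is to reconcile every holder's reported balance against the balance implied by the token's Transfer events. The script below is an added example, not code from the SlowMist report or from the affected project; the addresses, events and balances in it are constructed sample data, and in a real review the events would come from an indexer and the balances from balanceOf() calls.

```python
"""Reconcile ERC-20 balances against Transfer event history (added example).

Every legitimate supply change should appear as a Transfer event: from the zero
address for a mint, to the zero address for a burn.  A holder whose balanceOf()
exceeds what the events explain is sitting on unrecorded supply, which is the
pattern behind the covert rug pull described above.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

ZERO = "0x0000000000000000000000000000000000000000"

# Constructed sample: (from, to, value) Transfer events in block order.
SAMPLE_EVENTS: List[Tuple[str, str, int]] = [
    (ZERO, "0xdeployer", 1_000_000),    # the only recorded mint
    ("0xdeployer", "0xpool", 600_000),  # liquidity seeded into the pool
    ("0xdeployer", "0xalice", 100_000),
    ("0xalice", "0xpool", 20_000),      # alice swaps into the pool
]

# Constructed sample of what balanceOf() reports for each known holder.
# "0xattacker" never appears in any Transfer event yet holds tokens: that is
# the unrecorded issuance this check is meant to surface.
SAMPLE_BALANCES: Dict[str, int] = {
    "0xdeployer": 300_000,
    "0xpool": 620_000,
    "0xalice": 80_000,
    "0xattacker": 5_000_000,
}


def balances_from_events(events: List[Tuple[str, str, int]]) -> Dict[str, int]:
    """Replay Transfer events to get the balance each address *should* hold."""
    bal: Dict[str, int] = defaultdict(int)
    for src, dst, value in events:
        if src != ZERO:
            bal[src] -= value
        if dst != ZERO:
            bal[dst] += value
    return dict(bal)


def event_supply(events: List[Tuple[str, str, int]]) -> int:
    """Total supply implied by the events: mints minus burns."""
    minted = sum(v for s, _, v in events if s == ZERO)
    burned = sum(v for _, d, v in events if d == ZERO)
    return minted - burned


def find_unrecorded_holders(events, balances) -> Dict[str, int]:
    """Return {address: excess} for holders whose balance exceeds the
    event-derived balance.  A non-empty result means supply was written to
    storage without a corresponding Transfer event."""
    derived = balances_from_events(events)
    return {
        addr: bal - derived.get(addr, 0)
        for addr, bal in balances.items()
        if bal > derived.get(addr, 0)
    }


def supply_discrepancy(events, reported_total_supply: int) -> int:
    """Difference between what the contract (or the sum of balances) reports
    and what the event history can account for.  Zero is the healthy value."""
    return reported_total_supply - event_supply(events)


if __name__ == "__main__":
    print("event-derived supply:", event_supply(SAMPLE_EVENTS))
    print("unrecorded holders:", find_unrecorded_holders(SAMPLE_EVENTS, SAMPLE_BALANCES))
    print("discrepancy vs summed balances:",
          supply_discrepancy(SAMPLE_EVENTS, sum(SAMPLE_BALANCES.values())))
```

Two reconciliations are done rather than one: if a contract's storage is modified without updating totalSupply(), a totalSupply-only check still passes, so the per-holder comparison in find_unrecorded_holders is the one that actually surfaces a silent mint. Running the check over the full holder set of a token before providing liquidity is cheap and catches exactly the class of issue described here.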
In recent years, the cryptocurrency market has increasingly become a frequent hunting ground for scammers. They often use tactics such as impersonating celebrities with fake accounts, romance scams (also known as ‘pig butchering’), promoting fake trading platforms, and Ponzi schemes to deceive their victims. With the advancement of technology, scammers are also employing artificial intelligence software to make their schemes more convincing. This section will introduce a cryptocurrency scam known as the JPEX incident. The JPEX incident is a major cryptocurrency scam that primarily occurred in Hong Kong. According to reports, the collapse of JPEX could become the largest financial fraud case in Hong Kong’s history.
This section highlights some of the phishing/scam techniques disclosed in 2023.
Anti-Money Laundering (AML) Trends
This section is divided into four parts: AML and Regulatory Dynamics, Anti-Money Laundering in Security Incidents, Profile and Activities of Hacker Groups, Money Laundering Tools.
AML and Regulatory Dynamics
In 2023, the world of cryptocurrencies continued to experience turmoil. During the previous crypto bull market, every move by industry giants SBF and CZ seemed to have a profound impact on the market. However, in November, a federal jury found SBF guilty on charges of fraud and conspiracy related to the collapse of FTX. Just weeks later, Binance accepted criminal charges and paid a fine of $4.3 billion, with CZ agreeing to relinquish control over Binance. As the crypto asset industry oscillates between a turbulent “crypto winter” and a bear market, governments and international organizations are adopting a more cautious approach. Regulatory policies concerning cryptocurrencies are still being progressively developed across various countries. Specific policies and law enforcement actions can be found in the PDF at the end of the document.
Anti-Money Laundering in Security Incidents
Frozen Funds Data
With substantial support from partners in the InMist Intelligence Network, SlowMist successfully assisted clients, partners, and publicly hacked entities in freezing over $12.5 million in funds in the year 2023.
Funds Recovery Data
In 2023, there were 31 incidents where victims of attacks were able to recover all or part of their lost funds. In these 31 incidents, a total of approximately $384 million in stolen funds was involved, with about $297 million being returned, accounting for 77% of the stolen amount. Among these incidents, funds from 10 different protocols were fully recovered.
Profile and Activities of Hacker Groups
The Lazarus Group
Based on public information available in 2023, as of June, no major cryptocurrency thefts had been attributed to the North Korean hacker group Lazarus Group for that year. Their activities, according to on-chain data, mainly involved laundering the cryptocurrencies stolen in 2022, including approximately $100 million taken in the Harmony cross-chain bridge attack on June 23, 2022. Subsequent events revealed that in addition to laundering the cryptocurrencies stolen in 2022, the North Korean hacker group Lazarus Group was also actively engaged in other activities, including carrying out Advanced Persistent Threat (APT) related attacks. These activities led to what the cryptocurrency industry refers to as the “Dark 101 Days” starting June 3rd.
During the “Dark 101 Days,” a total of 5 platforms were compromised, with the stolen amount exceeding $300 million. Most of the targets were centralized service platforms.
According to our analysis, the money laundering methods used by the North Korean hacker group Lazarus Group have been continuously evolving over time, with new techniques emerging periodically. The timeline of changes in money laundering methods is available in the PDF at the end of the document.
Phishing Groups: Wallet Drainers
Note: This section is written by the Scam Sniffer team.
Wallet Drainers, a type of cryptocurrency-related malware, have achieved notable “success” in the past year. These software programs are deployed on phishing websites to deceive users into signing malicious transactions, thereby stealing assets from their cryptocurrency wallets. These phishing activities continuously target ordinary users in various forms, leading to significant financial losses for many who unwittingly sign these malicious transactions. Over the past year, Scam Sniffer has monitored these Wallet Drainers and identified that they have stolen nearly $295 million in assets from approximately 324K victims.
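The drainers described above work because the user signs what the phishing site puts in front of them. The defensive counterpart is to decode and screen a transaction request before it reaches the signer. The screener below is an added example, not code from Scam Sniffer or SlowMist: it decodes the standard ERC-20 approve and transfer selectors and the ERC-721/1155 setApprovalForAll selector, then flags unlimited or collection-wide approvals to a spender the wallet has never interacted with. The calldata, the "known spenders" allowlist and the threshold used to treat an approval as unlimited are all constructed assumptions for the example.

```python
"""Screen a transaction request for wallet-drainer patterns (added example).

Wallet drainers typically get the victim to sign an unlimited ERC-20 approve(),
a collection-wide setApprovalForAll(), or a direct transfer() to an address the
victim has no prior relationship with.  This screener decodes the calldata and
returns a verdict a wallet UI could act on before asking for a signature.
"""
from typing import Dict, Iterable, Optional, Tuple

MAX_UINT256 = 2**256 - 1
UNLIMITED_THRESHOLD = 2**255          # heuristic: anything this large is "unlimited"

# Standard 4-byte selectors (keccak256 of the signature, first 4 bytes).
SELECTORS: Dict[str, str] = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
}


def encode_call(selector_hex: str, address: str, word: int) -> str:
    """Build calldata for the two-argument calls above (used only to construct samples)."""
    addr_word = int(address, 16).to_bytes(32, "big")
    return "0x" + selector_hex + addr_word.hex() + word.to_bytes(32, "big").hex()


def decode_call(calldata: str) -> Optional[Dict[str, object]]:
    """Decode selector, address argument and second (uint256/bool) argument."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(data) < 4 + 64:
        return None
    sel = data[:4].hex()
    name = SELECTORS.get(sel)
    if name is None:
        return {"function": None, "selector": sel}
    address = "0x" + data[16:36].hex()          # last 20 bytes of the first word
    value = int.from_bytes(data[36:68], "big")  # second word
    return {"function": name, "selector": sel, "address": address, "value": value}


def screen_request(calldata: str, known_spenders: Iterable[str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is one of allow / warn / block / reject."""
    decoded = decode_call(calldata)
    if decoded is None:
        return ("reject", "calldata too short to be an approval or transfer")
    fn = decoded["function"]
    if fn is None:
        return ("warn", f"unrecognised selector {decoded['selector']}; show raw calldata")
    addr = str(decoded["address"]).lower()
    value = int(decoded["value"])
    known = addr in {s.lower() for s in known_spenders}
    if fn.startswith("approve"):
        if value >= UNLIMITED_THRESHOLD and not known:
            return ("block", f"unlimited approval to unknown spender {addr}")
        if not known:
            return ("warn", f"approval of {value} to unknown spender {addr}")
        return ("allow", f"approval of {value} to known spender {addr}")
    if fn.startswith("setApprovalForAll"):
        if value == 1 and not known:
            return ("block", f"collection-wide NFT approval to unknown operator {addr}")
        return ("allow", f"operator change for {addr} (approved={value == 1})")
    return ("warn", f"direct transfer of {value} to {addr}")


# Constructed sample data: a placeholder router the user has used before,
# a placeholder drainer address, and three requests a phishing page might emit.
KNOWN_SPENDERS = {"0x" + "11" * 20}
DRAINER = "0x" + "ab" * 20
SAMPLE_DRAINER_APPROVE = encode_call("095ea7b3", DRAINER, MAX_UINT256)
SAMPLE_DRAINER_NFT = encode_call("a22cb465", DRAINER, 1)
SAMPLE_NORMAL_APPROVE = encode_call("095ea7b3", "0x" + "11" * 20, 1_000)

if __name__ == "__main__":
    for name, cd in [("drainer approve", SAMPLE_DRAINER_APPROVE),
                     ("drainer setApprovalForAll", SAMPLE_DRAINER_NFT),
                     ("normal approve", SAMPLE_NORMAL_APPROVE)]:
        print(name, "->", screen_request(cd, KNOWN_SPENDERS))
```

The allowlist is the weak point of any such screener: it should be populated from the user's own confirmed prior interactions, not from a page-supplied list, since the phishing site controls everything it sends. Off-chain signatures (Permit, Permit2, Seaport orders) need the same treatment on the EIP-712 payload rather than on calldata; the decoding differs but the verdict logic is the same.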
Notably, on March 11, nearly $7 million was stolen, primarily due to fluctuations in the USDC exchange rate and phishing sites impersonating Circle. There was also a significant spike in thefts around March 24, coinciding with the compromise of Arbitrum’s Discord and subsequent airdrop events.
Each peak in thefts is associated with community-wide events, which could be airdrops or hacking incidents.
After ZachXBT exposed Monkey Drainer, the group announced its exit after six months of activity, and Venom took over most of its clientele. MS, Inferno, Angel, and Pink then emerged around March. When Venom ceased operations around April, most phishing groups shifted to these other services. With a 20% drainer fee, the drainer operators made at least $47 million by selling these services.
Money Laundering Tools:
- Sinbad Mixer
- Tornado Cash
This report summarizes key regulatory compliance policies and trends in the blockchain industry for 2023, including but not limited to the global attitude towards cryptocurrency regulation and a series of critical policy changes. Additionally, it covers blockchain security incidents and anti-money laundering dynamics of the year, analyzes certain money laundering tools, explains typical security incidents and phishing scams, and proposes corresponding prevention and response measures. We hope this report provides valuable information, helping readers comprehensively understand the current state of security and anti-money laundering in the blockchain industry. We aim for every industry participant to benefit from this report and contribute to the secure development of the blockchain ecosystem.
Check out our full report below:
At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.
SlowMist offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consulting, and other security-related services. They offer AML (anti-money laundering) software, Vulpush (vulnerability monitoring), SlowMist Hacked (crypto hack archives), FireWall.x (smart contract firewall), Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from materializing. Their team has found and published several high-risk blockchain security flaws, spreading awareness and raising security standards across the blockchain ecosystem.