CertiK Security Report: $1.19 Billion Lost Due to Security Incidents in H1 2024

Certik, a Web3.0 security agency, has released its quarterly Web3 security report, “Hack3d: Q2 and H1 2024 Web3.0 Security Report.” The report states that in Q2 2024, there were 184 on-chain security incidents resulting in losses of $688 million, representing a 37% increase in losses compared to Q1 2024. The report also highlights that in H1 2024, there were 408 security incidents with total losses amounting to $1.19 billion.

Q2 Security Incident Data

Phishing and private key compromises were the main causes of asset losses in Q2. Out of the $688 million lost in 184 incidents, $99,328,507 was recovered from 7 separate incidents.

Top 10 Projects by Loss Amount in Q2:

1. DMM Bitcoin: $304,700,000

2. BtcTurk: $90,000,000

3. Phishing Victim (0x1e22): $68,597,540

4. Lykke: $23,052,860

5. Gala Token: $21,613,470

6. Sonne Finance: $20,000,000

7. UwULend: $19,700,000

8. Rain: $14,277,950

9. Phishing Victim (5Fmwfk): $11,522,660

10. Phishing Victim (0x2154): $10,167,780

H1 Security Incident Data

Phishing and private key compromises were also the main causes of asset losses in H1 2024. Out of the $1.19 billion lost in 408 incidents, $177,728,142 was recovered from 17 separate incidents.

Top 10 Projects by Loss Amount in H1:

1. DMM Bitcoin: $304,700,000

2. Chris Larsen: $112,500,000

3. BtcTurk: $90,000,000

4. Phishing Victim (0x1e22): $68,597,537

5. Munchable: $63,000,000

6. BitForex: $55,745,130

7. Play Dapp: $32,350,000

8. FixedFloat: $26,176,240

9. Lykke: $23,052,860

10. Gala Token: $21,613,471

How to Avoid Phishing Attacks and Private Key Compromises

The Certik security report highlights that phishing attacks and private key compromises are the main causes of security incidents. Common causes include:

1. Fake Websites and Apps: Attackers create fake websites or apps that look identical to legitimate ones to trick users into entering sensitive information. These phishing sites are often spread through email, social media, or search engine ads.

2. Impersonation Communications: Attackers impersonate trusted entities (e.g., wallet providers, exchanges) and send fake security warnings or account update requests via email, SMS, or social media to induce users to provide sensitive information.

3. Malware and Viruses: Users' devices get infected with malware or viruses that can record keystrokes, take screenshots, or directly steal private keys stored on the device.

4. Insecure Storage: Users store private keys in insecure locations such as unencrypted text files, screenshots, or cloud storage, making them easy targets for hackers.

5. Using Public Wi-Fi: Transmitting sensitive information over unencrypted public Wi-Fi networks can allow hackers to intercept these details using network sniffing tools.

Preventive Measures:

1. Enable Two-Factor Authentication (2FA): Adds an extra layer of security to accounts, making it harder for attackers to access accounts even if private keys are compromised.

2. Use Hardware Wallets: Hardware wallets securely store private keys and can only sign transactions when the physical device is connected, enhancing security.

3. Be Wary of Phishing Sites: Always check the URL and SSL certificate of websites before entering sensitive information to ensure they are official sites.

4. Regularly Update Devices and Software: Keep devices and security software updated to prevent exploitation of known vulnerabilities.

5. Education and Awareness: Continuously learn about new security threats and protective measures to enhance personal security awareness.