More than $2 billion was lost to Web3 security hacks in the first half of 2022, more than the total lost in all of 2021, making this the most expensive year to date for Web3 security breaches. The figures are contained in a new report from CertiK.

The authors of the report suggest the scale of loss represents a devastating year for Web3 security, “a fact sharpened by the wider losses incurred by the persistent bear market.”
The company is forecasting a 223 percent increase in the funds lost to attacks when compared with 2021.
“There is some cause for slight optimism given that the amount lost to attack is down by 42 percent from the previous quarter, however, this data is skewed by the catastrophic attack against the Ronin Network for $624 Million in late March.
“Whilst marking a decline in overall attack, there has been a steep rise in the number of flash loan attacks and phishing attacks, two of the most popular hacks that, frustratingly for Web3 security, can often be avoided and mitigated by the web3 security tools available.”
Web3 is developing a well-earned reputation as a cybersecurity bin fire. For example, as Digital Nation Australia has reported, NFT transactions are at risk of wash trading and money laundering, according to Chainalysis; OpenSea, the biggest secondary market for NFTs, has a track record of lax security enabling theft and insider trading; and, more broadly, cryptocurrency is seen by the cybersecurity industry as an enabler and facilitator of ransomware.
On that last point, however, industry researchers Gartner take a more optimistic view. In a paper released earlier this year, they wrote, "Despite what many think, cryptocurrencies and the blockchains they run on are more secure than legacy payment networks."
Indeed, the firm predicted in January (before the rout on crypto markets) that in the next three years alone, successful cryptocurrency thefts and ransomware payments will drop by 30 percent.
"This positive change is largely attributable to four factors: the transparency of blockchains, the emerging blockchain intelligence market, government involvement and the use of virtual asset service providers."
Discordant
One social network in particular is responsible for facilitating a massive increase in phishing attacks, up 170 percent this quarter compared with the first quarter of this year: Discord.
Beloved by the global gaming community and the NFT world, Discord does not support account verification, unlike, for instance, social media platforms such as Twitter.
According to the authors of the CertiK report, “This allows hackers to clone accounts, and lay bait in the form of giveaways and ‘too good to pass up’ token offers.”
There is nothing particularly new about what is happening from a Web3 security perspective, they say.
“Hackers are deploying the tried and tested tricks of web2 that exploit centralisation and human error as a starting point, and are using this to make lateral moves to exploit web3 in turn. In this way, the prevalence of phishing attacks shows Web3’s ongoing and fraught relationship with the outmoded and vulnerable infrastructures of Web2.”
They suggest, “Much of Web3’s negative reputation as a digital ‘wild west’ arises from the points where it relies on Web2 technologies and the vulnerabilities it entails. This drives home how Web3 security depends on it moving further away from, rather than returning to, the centralised practices of its predecessors.”