Private key and phishing “most prevalent,” crypto scams security firm says

Out of all the crypto scams plaguing users, private key theft and phishing are among the most prevalent a blockchain security firm has said.

Speaking to Cryptopolitan, a spokesperson for blockchain security firm CertiK said, “Phishing attacks are especially effective because they typically target human vulnerabilities rather than technical ones.”

“Attackers often create fake websites or impersonate well-known platforms to lure users into providing sensitive information,” the spokesperson said.

“Since private keys grant full access to one’s crypto assets, losing them can be financially devastating,” they added.

Phishing is a scam in which hackers deceive people into revealing sensitive information, such as a private key that allows access to a company’s systems. Private key theft can also occur when a hacker installs phishing malware, such as viruses, adware, or ransomware, on a user’s device to steal information.

According to an Oct. 31 CertiK report posted to X, October’s two most significant security incidents came from phishing crypto scams.

An attacker gained control of several signers’ private keys and smart contracts and was able to drain $58 million from lending protocol Radiant Capital. An unlucky Whale also lost $36 million in a phishing attack.

Overall, CertiK found that around $129.7 million was lost to exploits, hacks and scams throughout October. Specifically, $1.2 million to exit scams, $1.5 million to flash loan attacks, and $127 million to exploits, including the $94 million from Radiant Capital and the Whale’s phishing attacks.

October experiences more security incidents but lower losses

In 2024, an average of 63 crypto-related security incidents per month have been recorded. October sits above this average at 71 incidents. However, the number of incidents in October with losses above $1 million was the lowest in six months.

“October losses due to private key compromises accounted for approximately $75 million, and losses due to phishing scams accounted for approximately $50 million,” the CertiK spokesperson said. “Additionally, a lot less has been lost to code vulnerabilities this year,” they added.

In its Hack3d: The Web3 Security Quarterly Report, CertiK found that over $753 million was stolen by malicious actors in Quarter 3 across 155 security incidents. The value loss increased by 9.5% compared to Q2, but there were 27 fewer total incidents than in the previous quarter.

“From what we’ve seen, there has been a fundamental shift to the use of drainers as a service and private key compromises, which typically yield higher rewards for scammers and enable malicious actors without coding backgrounds to take advantage,” the CertiK spokesperson said.

“As smart contracts get more secure, combined with lucrative bug bounties, we expect code exploits to decrease. On the other hand, phishing is likely to increase if preventative measures do not improve.”

Crypto scam losses lower than previous years

A report from Blockchain intelligence firm TRM Labs found that losses from crypto hacking were down more than 50% from 2022 to 2023, thanks to improvements in industry security.

In 2023, crypto projects lost about $1.7 billion to hacks and crypto scams, less than half the $4 billion stolen in 2022.

CertiK estimates losses in 2024 have exceeded $2 billion across the crypto space. Unless significant incidents happen in the next two months, 2024’s losses will likely be lower than 2022’s as well.  

According to the CertiK spokesperson, while blockchain security has improved over the years, more work remains as attackers become more sophisticated and change tactics.

“Advances in blockchain security tools and techniques — such as more sophisticated auditing practices and enhanced on-chain monitoring — may discourage some malicious actors,” they said.

“Additionally, regulatory scrutiny and compliance standards have encouraged some protocols to implement stronger safeguards. However, there is still a lot of work to be done.”