
Mitchell Alle
While code security will improve dramatically, the human element of security will be the tough, tough thing to cover. Because the scammers are already starting to use LLM technology to go after human beings as the weak link in acts of fraud, in acts of phishing and acts of scamming. And there's nothing that we can do.
Jen Sanasi
Hello and welcome to Markets Daily, hosted by me, Jen Sanasi. On this show, we navigate the currents shaping the crypto markets, providing insights against the broader financial landscape. So whether you're actively trading or simply fascinated by the volatility of the crypto markets, this show is your compass to understanding what's happened, where we are, and where we're going. According to Immunefi, 2024 saw a loss of more than $1.4 billion due to hacks and fraud. The number marks a 17% decrease compared to 2023. The year was marked by two major attacks, one on DMM Bitcoin, the Japanese crypto exchange, and the other on WazirX, an exchange operating in India. Last year, DeFi was the main target of successful exploits when compared to CeFi, although CeFi experienced higher losses than before. Immunefi says that this is most likely due to their outsized returns. And Ethereum and BNB Chain were the two most targeted chains. Ethereum saw 104 incidents, representing 44% of total losses. And BNB Chain suffered 71 incidents, representing 39%. On today's episode, we are unpacking these numbers and taking a look at what they indicate as we move into 2025 with the founder and CEO of Immunefi, Mitchell Alle. Commodore Mitchell, welcome to the show.
Mitchell Alle
Thank you. Great to be here.
Jen Sanasi
Well, some big numbers in this report on chart of the day. We take a look at a lot of Immunefi's reports, but just talk to me about what we saw in 2024. Level set for me. I know you follow this closely, so I don't imagine that that $1.4 billion number was a surprise to you, but talk to us about what we saw in 2024.
Mitchell Alle
Sure. Well, this may surprise you, but it was a surprise for once. And it was a surprise because the number was so low. It was a surprise because the number was so good. That's a 17% decrease compared to 2023 losses, which were about $1.8 billion. But consider that in this same time period, DeFi TVL specifically, and of course overall crypto market value increased dramatically. So we're looking at something like 150, 160% increase to I think around $163 million in DeFi TVL relative to 2023. And yet you had total hack losses, the magnitude of hacks decrease. So you could think of that if you wanted to do a calculation of what's, you know, security effectiveness, dollar for dollar relative to value on chain, we had an explosive 2023 for security effectiveness. So, you know, it's still a big number. It's still way too big. We need to bring this number down. But compared to 2023, 2024 was a pretty, pretty, pretty great year.
Jen Sanasi
That is really interesting that TVL increased so dramatically and hacks and fraud decreased so dramatically. Talk to me about what you think led to this. I mean, to see that decrease in just one year, you're right, is a pretty big deal. What do you think led to that?
Mitchell Alle
Sure. So there's another interesting data point that kind of reveals what's going on here. When we noted that the two biggest hacks by magnitude, we're talking about DMM and WazirX, both of those are centralized exchanges, not DeFi products, not lending protocols, not stablecoins, centralized exchanges, very much so with centralized exchange, probably private key management security issues. And while we are still seeing DeFi hacks, we're seeing the magnitude of those come way, way, way down. And the big DeFi hacks that characterize 2020, 2021, 2022, those are not really to be found over 2024. So this is all being driven by more effective security measures at the on-chain layer. You know, another way of saying this is DeFi is actually getting safer and safer in such a way that it seems like the major threat vectors are moving towards centralized exchanges as the easier marks to steal from and to hack. Now what's driving that, of course? Well, you know, audits and bug bounties have improved a lot. Security technologies have improved a lot. But all things together, it's just comprehensive code security as opposed to, you know, say private key management issues, which are human security problems.
Jen Sanasi
That's an interesting point you brought up there about the interest and the increase, I guess, of hacks and fraud when it comes to centralized exchanges. And I want to dig a little bit deeper there because we talk so much about mainstream adoption in this industry and centralized exchanges have long been talked about as the entry point for folks who are curious. It's a little bit safer, it's maybe a little bit more regulated. It's easier to contact folks if you need help, if you want to contact customer support. But yet we're seeing an increase in hacks when it comes to centralized exchanges. Unpack that a little bit more for me. And what you think that indicates when it comes to more mainstream adoption of crypto products.
Mitchell Alle
Sure. So there's a few ways to look at it. It's not like the centralized exchanges have been sitting on their behinds not doing anything. We've really seen the standards for security increase dramatically. You see things like proof of reserves, which got a major kick last year, and the kind of increasing transparency of exchanges and the further investment into security programs by various exchanges like, we know that they're improving there very markedly, very significantly. But by virtue of being centralized, you can't. And the need. Right. If you're running a centralized exchange to keep a very amply supplied hot wallet, you cannot get around the fact that you have private key management issues. And this is becoming almost. Not quite, but almost the major attack vector. Looking back into 2024, in contrast. And also I should note, that's the one that everybody doesn't like to take seriously. Whether you have, you know, individuals like you and I, like everybody just doesn't want to think about how they manage their keys, how they manage their seeds, how they manage their hot wallets. Right. That happens to funds, that happens to projects in their multisigs, and that even happens at the level of exchanges. This kind of human security is the central place where complacency can settle in, no matter who you are, no matter how good you are. So the centralized exchanges have done a lot, but solving the problem of human behavior is just the most difficult one. And this hides a little bit the fact that while things have really improved there, it's not like decentralized exchanges have not improved. If we want to look at the level of security per dollar on a centralized exchange. Right. Those numbers have increased dramatically over the last year as well with the increase of value in Bitcoin, Ethereum and a variety of other assets.
So they could also say quantitatively that security across centralized exchange and CeFi solutions is getting comprehensively better as measured by hack impact. Right. The challenge is it's just DeFi has blown them out of the water with the security developments and the protection developments. In terms of on-chain code, we're talking, you know, several hundred percent better when we're looking at the amount hacked per year relative to TVL, that the comparison doesn't look as nice. But in reality, everybody's getting better, and everybody's getting better at a pretty fast clip relative to the growth in the value of assets. So it's just the comparison, right, that makes decentralized exchanges look like they're falling further behind. But, you know, everybody's way ahead of where they were in 2023 when losses were considerably grander.
Jen Sanasi
I want to talk a little bit about what that means for 2025 in just a second. But when we can on this show, I do like to remind our audience how to be safe, how to maneuver in the crypto ecosystem, I guess, in the safest way possible. And we bring up private keys and just, you know, keeping things safe. Talk to me about some tips people should keep in mind if they're just getting into crypto when it comes to private keys and seed phrases.
Mitchell Alle
Sure. Okay. High level. First thing you should do is think about it. The thing nobody really wants to do is think about the scary outcome and how everything could go wrong. Everybody's looking for the 10 or the 100X. But, you know, all prosperity starts with a simple foundation, a secure foundation, a firm foundation. And in the context of crypto, that means thinking about your private key setup and doing a little research to understand that. Now you're going to want to start with some kind of cold wallet. Okay? This is going to be where you're going to store most of your funds. And then you're going to have, you're going to want to split up your infrastructure. Basically, a cold wallet where you're going to put the majority of your valuable assets. Seed phrase should never touch the Internet. That means don't put it on Google Drive, then don't put it on Dropbox. I mean, don't send it by email. It means don't take a picture of your phone connected to iCloud or whatever stays off the Internet, put it in a safe or something and walk away checking it every once in a while. And then you're going to want a hot wallet. And a hot wallet is where you're going to be doing, you know, the regular transactions you might have as you're settling on bills with friends. That's where you're going to do it. If you are, you know, paying people for stuff, functioning before you run through it. And then I would say also have a risk-on wallet, okay? So if you've got a real speculative fever, if you've got just, you just, you just want to gamble. You just want to go all in, right. Well then you have a special wallet, okay, that is dedicated to that activity so that you know, if you're interacting with problematic contracts or if you're, you know, getting exposed to places where you maybe shouldn't be acting. Not the safest environment. It never touches your hot wallet, right, which is what we're using for convenience on a regular basis. And none of that ever touches your cold wallet.
And so all of your money stays safe at all times. So this relatively simple structure, okay, is what I would recommend for thinking about just the very, very basics. And then once you have that, you know, the next step, very simply, is to take another thing as that, you know, the amount of on-chain activity you do. Well, how should your security posture and your security infrastructure be changing? There's a bunch of great solutions on the market. They're all just waiting for you to contact them so that they can help you level up your security. But you just gotta show an interest, right, and put up your hand and say, hey, I'm ready to do more. I'm ready to be safer. And they'll carry you the rest of the way.
Jen Sanasi
I always think it's a great reminder, you know, because we take a look at reports like this and there are big companies who people trust. You know, you put a lot of trust in big companies who are falling victim to hacks. There are thought leaders, there are OGs, there are people who have been in the space for 10 years who still sometimes fall victim to some of these things. So thank you for that reminder. I think it's great. And I don't think that anyone is too experienced to hear it.
Mitchell Alle
Nobody. We all do our checks. Even I do my checks, right? Just part of this game.
Jen Sanasi
Well, tell me a little bit more. I just would love to hear a little bit more about your personal story. Why are you so passionate about making the space more secure? Why is security kind of what drives you through your crypto experience?
Mitchell Alle
Sure, sure. Well, I think for me it was very much an instrumental question. I think crypto has a lot to offer the world. Growing up, let's say poor or lacking certain opportunities, lacking connections, you know, how are you going to break into the system, so to speak, and make a life for yourself, make a life for your future family wasn't obvious to me. I was lucky. I interacted with crypto and this idea of kind of permissionless, open access to all these tools was a pretty phenomenal game changer. It was a game changer for my economic life, for my future for the future, for my family. And it was a game changer in terms of the wealth I could build and all the ways I could enjoy my life. And it simplified my life dramatically. The classic example is if you ever try to buy a financial product in most of these Western countries and most of the ones with generally the best financial infrastructure available to most citizens, it's the biggest pain in the ass. And even then, you're restricted from the vast majority of financial products that don't make sense. They're sold in suspicious ways. Crypto has the promise to which we're still in the process of delivering. We've hardly done it all, but it has the promise of offering globally competitive financial products that simplify how we deal with wealth in the era where everybody, you know, it's just part of our civilization where we're expected to manage our own wealth, which is very, very complicated, right? This kind of competitiveness, open market competitiveness that forces and drives the best possible products, the simplest possible products, the most competitive possible products to consumers is a real, real advantage to most normal people. I think it's already proving that way with something like bitcoin, which is an asset. Almost nobody, except for, you know, very, very powerful and elite people in historical times could afford such a kind of a safe haven asset.
So you get vast amounts of gold, for example, or similar things. Bitcoin is available to everybody and allows everybody to protect their wealth. I mean, this is pretty phenomenal. We're starting to see that with Ethereum and DeFi as well. So this future of kind of giving everybody the best leg up to go and live their life and achieve what they want is what I signed up for because I lacked it. And I saw the importance of that. And that's also where the security element came. Because the single greatest risk to the entire promise of our industry and this technology is code security. We cannot help that. The body upon which the mind or the idea or the spirit of crypto depends is entirely code. Code written by humans for which there never was now buggy code. And if anything goes wrong there, then all your money can disappear. So that's pretty dangerous. Banks used to have the issue of, well, if you don't secure the vault, you're not going to be in business very long. And so that's the most important thing. Giant bank vaults and banks are built like fortresses, complex security guards and the financial institutions became enmeshed in the elites and the policing forces to make sure that that wealth was protected. And in our case, that comes down to code security. Can we make sure that this code is safe under all conditions, under all circumstances? And if we can solve that problem, then we usher in an age of prosperity and openness, a kind of inclusivity and a welcoming to anybody in the world who wishes it to the greatest potential tools for wealth creation and by extension, creativity that you can imagine. And if we cannot, if we cannot solve the code security problem, then all of this comes to naught and becomes illegitimate just depending on what timescale. And so crypto gave me a lot, and I figured I should return the favor by solving the most important problem. And that's why I do what I do.
Jen Sanasi
I like that a lot. I mean, you know, we talk so much about the opportunities that this industry opens up for people when it comes to financial opportunities, creative opportunities, but none of that can be realized if the security is not there. And I think you did a really good job at articulating that. As we wrap up the show here, I want to talk a little bit about what this report indicates for 2025. So just talk to me a little bit about what you expect to see in 2025 as it pertains to security, but you can also broaden it out. Talk to me about what narratives you're excited about as we head into a new year.
Mitchell Alle
That's a big question. Okay, I would say a few things. Number one, security 2025, very optimistic, but major potential wildcards in play. So here are the wild cards. First, everybody's launching a blockchain. I wrote up this post called the World of a Thousand Blockchains, where basically I'm describing how the cost of a blockchain is going towards zero and the competitive advantages for controlling your own compute are increasing. So this combination means everybody's launching their own chain. We've seen so many L2s. We've seen so many alt layer ones. We're seeing the world of app chains, and it's only getting better on that front. This is a good thing, all things considered. You know, all these blockchains are creating more ways for these businesses to grow and to monetize and create value for the end consumer. Ultimately, okay. But in consequence, they are creating and dramatically expanding the security attack surface. And this is a huge wildcard. Now, this is a little bit different from DeFi, which we have absolutely done an amazing job as a security community over the last four years. Right. You can see Immunefi. We've done all of our work on the bug bounties, which has been successful. The auditors, on-chain security technologies and so on. And the reason it's different is because DeFi applications have very, very small attack surfaces. They're pretty small programs at the end of the day, but all these blockchains are massive, massive programs. So the attack surface is blowing up dramatically. And while we're hopeful we can protect all those chains, we're certainly going to make our best effort. We don't know how well that's going to go. I think a lot of it is going to depend on how well the original code base is. Since most of these are forked, were designed and were built. That's one wild card. Now on the flip side, why things are progressing.
We've seen an unprecedented surge in security advancements in 2024 and I have every reason to expect that's going to continue in 2020. I mean I certainly think that because I'm building that kind of stuff, that's what's driving down these DeFi hack numbers ultimately, which is performing the bulk of the work and making our industry safer. And the reason artificial intelligence applications and developments that are coming out are boosting that are adding, you know, fuel to that fire. We'll be releasing a bunch of stuff in 2025 ourselves, which we think will be game changers for most of our customers. We're starting to get to the point where we can start to talk about like we're at to quantify this. We're at like a 90% hack prevention from those criticals. I think by the end of 2025, maybe early 2026, we're going to start being able to talk about 99% hack prevention at least according to the raw technical developments for the most battle hardened code bases. So that's super exciting. And the only other, there's one wrinkle, it stands in between those two things. So big attack surface for 2025, bigger than ever and greater security technology developments on the other side. And that is we're going to start going across the stack because what we're seeing is we are winning the code security battles for on-chain code like all these DeFi programs, all these DeFi dapps and so on and so forth. But we're not necessarily winning the battle across the whole stack like web two like these private key secured. So going back to basics and finding new solutions for old problems is going to be the kind of the thing that you know, we could win it and kill it and make maybe by the end of 2025 everybody's like wow, crypto. So safe, it's safer than traditional finance, or we could not do that at all. And maybe people are saying the opposite. So that's the other wild card that we're going to have to deal with.
And you know, God willing, we'll all do that together and find a solution.
Jen Sanasi
By the end of 2025 seems like a really optimistic timeline to me, but I love it. If we could get there by the end of 2025, I would absolutely love that. The one thing I do want to follow up on that you said though. Well, I would just love to hear more about how you think AI's involvement now. Well, I guess the convergence of AI and crypto, does that make the industry more secure, more safe, or does that present more security challenges that need to be solved?
Mitchell Alle
Unfortunately, the answer is both. So on one side, firms like ours are leveraging AI technologies to detect one threat, detect one solution to a particular kind of threat, and then we can instantly broadcast across our whole network. And we're servicing 360, 370 customers, 370 protocols. And so our ability to instantly take in this data and apply solutions across our whole customer base, this is a pretty incredible superpower when it comes to security. We're beginning to do types of vulnerability analysis for our customers in real time that is making us even more effective that we can start applying at different layers of the stack. Right. So you can think of that post while something is on mainnet, can we spot a vulnerability there? And pre, you know, can we find something in the auditing process, can we find something in the development process? That is these types of technologies, while very kind of under the hood, are what's going to drive that 90 to 99% growth. So that's phenomenal. But while code security will improve dramatically, the human element of security will be the tough thing to cover because the scammers are already starting to use LLM technology to go after human beings as the weak link in acts of fraud and acts of phishing and acts of scamming and there's nothing that like we can do. I can make the machines as battle hardened and as you know, iron plated as they can possibly be. But if the guy in the cockpit, right, you know, pushing the engine forward is like, oh, I'm going to get out now and see what's out there and bad things happen there, there's nothing we can do about that from the perspective of code security. And so there the LLMs are a phenomenal threat that we, not just as an industry, but as a society have not figured out how to solve. And that's the major, major scary thing for AI just tricking everybody via ultra dirt cheap, ultra sophisticated, very convincing scams at a global scale. We'll win the blockchain code security war.
We're going to win. But can we win the human security war? Even so, that remains to be seen.
Jen Sanasi
Well, I guess we'll see what happens in 2025. Mitchell, thank you so much for joining Markets Daily today. I think this was a really important conversation to have about security. So many investors and traders watch and listen to this show. But if you don't have security top of mind, I think you can only be so successful. So thanks so much.
Mitchell Alle
My pleasure. Thank you, Jen.
Jen Sanasi
And thank you to our audience for watching Markets Daily and listening to Markets Daily. If you enjoy listening to us, subscribe to the CoinDesk podcast network that is available on all podcast platforms. If you prefer watching, we are on YouTube, subscribe to our YouTube channel. Give us a thumbs up and we will see you tomorrow.
Markets Daily Crypto Roundup: Crypto Lost $1.49B to Hacks in 2024 – Securing Your Stack in 3 Steps
Release Date: January 8, 2025 | Host: Jen Sanasi | Guest: Mitchell Alle, Founder and CEO of Immunefi
In the latest episode of Markets Daily Crypto Roundup, hosted by Jen Sanasi of CoinDesk, the focus centers on the significant developments in crypto security over the past year. The episode delves into the alarming statistics of crypto hacks in 2024, explores the dynamics between decentralized (DeFi) and centralized (CeFi) finance security, and offers practical advice for securing cryptocurrency assets. The conversation is enriched by insights from Mitchell Alle, the Founder and CEO of Immunefi, a leading platform in crypto security.
Jen Sanasi opens the discussion by presenting key statistics from Immunefi’s report on crypto hacks and fraud in 2024:
Jen Sanasi states at [00:29], "According to Immunefi, 2024 saw a loss of more than $1.4 billion due to hacks and fraud. The number marks a 17% decrease compared to 2023."
Mitchell Alle responds at [02:23], "It was a surprise because the number was so low. It was a surprise because the number was so good."
Despite the surge in DeFi Total Value Locked (TVL) by approximately 160% to $163 million in 2024, the total hack losses decreased. Mitchell Alle attributes this positive trend to enhanced security measures within the DeFi ecosystem:
At [03:44], Alle notes, "We are seeing more effective security measures at the on-chain layer," emphasizing that DeFi platforms have become increasingly resilient against attacks that previously plagued the sector.
Conversely, centralized exchanges have become more attractive targets for hackers, primarily due to private key management issues inherent in their operations. Mitchell Alle explains that while DeFi's attack vectors have diminished, CeFi exchanges are grappling with:
At [05:05], Alle elaborates, "Centralized exchanges have private key management issues… that are becoming almost, not quite, but almost the major attack vector."
Addressing the audience, Mitchell Alle provides a three-step strategy to secure cryptocurrency assets effectively:
At [08:51], Alle advises, "Start with some kind of cold wallet… put all of your money stay safe at all times." He emphasizes the importance of segregating funds to minimize potential losses from breaches.
Mitchell Alle underscores the persistent challenge of the human element in security. Despite technological advancements, scammers leveraging Large Language Models (LLMs) are increasingly sophisticated, targeting individuals through phishing and fraud. Alle expresses concern over the difficulty in combating human-centric attacks:
At [20:44], he states, "We're going to win the blockchain code security war. Can we win the human security war? Even so, that remains to be seen."
In a heartfelt segment, Alle shares his personal journey and passion for enhancing crypto security. Coming from a background with limited opportunities, he credits crypto with providing economic empowerment and a platform for wealth creation. This personal stake drives his dedication to ensuring robust security measures in the industry:
At [12:02], Alle explains, "Crypto has a lot to offer the world… The single greatest risk to the entire promise of our industry and this technology is code security."
As the conversation shifts to future prospects, Mitchell Alle shares his optimistic yet cautious outlook for 2025:
At [15:58], Alle mentions, "We're going to start being able to talk about 99% hack prevention at least according to the raw technical developments for the most battle-hardened code bases."
AI's involvement in crypto security presents both opportunities and challenges. While AI enhances threat detection and response capabilities, it also empowers scammers to execute more convincing and widespread attacks:
At [20:44], Alle states, "LLMs are a phenomenal threat that we, not just as an industry, but as a society have not figured out how to solve."
He highlights the necessity of balancing technological advancements with proactive measures to safeguard against AI-driven threats.
The episode concludes with a reflection on the critical importance of security in the crypto ecosystem. As the industry continues to evolve, the interplay between technological advancements and human behavior will shape its resilience against threats. Mitchell Alle’s insights provide a roadmap for both individuals and organizations to navigate the complexities of crypto security effectively.
Jen Sanasi wraps up at [23:24], emphasizing, "If you don't have security top of mind, I think you can only be so successful."
For comprehensive insights and updates on cryptocurrency markets and security, subscribe to the CoinDesk Podcast Network available across all major platforms or visit their YouTube channel.