
2023 Web3 Blockchain Security Landscape and Anti-Money Laundering Analysis
TechFlow Selected TechFlow Selected

2023 Web3 Blockchain Security Landscape and Anti-Money Laundering Analysis
In 2023, on-chain hacking incidents, phishing scams, and project team rug pulls all showed a significant decline compared to 2022.
Authors: Mario and Donny from the Beosin Research Team
This article is the first part of "Review of 2023 Web3 Blockchain Security Landscape, Anti-Money Laundering Analysis, and Key Regulatory Policies in the Crypto Industry," presenting only the security landscape section of the report. For regulatory policies and related content, see "Observations on Global Web3 Virtual Asset Industry Regulations and Events in 2023."
Preface
This research report was initiated by the Blockchain Security Alliance and jointly authored by its members Beosin, Web3 Lawyer Xiao Lü, and Elven, aiming to comprehensively explore the global blockchain security landscape in 2023 and key regulatory policies within the crypto industry. By analyzing and assessing the current state of global blockchain security, the report reveals existing security challenges and threats while offering solutions and best practices. Additionally, it examines governmental and regulatory stances and policy directions regarding crypto industry oversight, helping readers understand the dynamic shifts in the regulatory environment and their potential impacts.
Through this report, readers will gain a more comprehensive understanding of the evolving dynamics of Web3 blockchain security and core aspects of regulatory policies. This knowledge will help assess and address security challenges in the blockchain domain, promoting sustainable industry development under compliance with regulations. Furthermore, readers can obtain valuable insights into security measures, compliance requirements, and industry trends to make informed decisions and take effective actions. Blockchain security and regulation are pivotal issues in the Web3 era. Through in-depth research and discussion, we can better understand and respond to these challenges, advancing the safety and sustainability of blockchain technology.
1. Overview of the 2023 Web3 Blockchain Security Landscape

According to monitoring by EagleEye, a platform under blockchain security auditing firm Beosin, the total losses caused by hacking attacks, phishing scams, and project team rug pulls in the Web3 sector reached $2.02 billion in 2023. There were 191 attack incidents resulting in approximately $1.397 billion in losses; 267 rug pull incidents by project teams causing about $388 million in losses; and phishing scams leading to around $238 million in losses.

In 2023, incidents of hacking attacks, phishing scams, and project team rug pulls significantly declined compared to 2022, with total losses dropping by 53.9%. Hacking attacks saw the largest decrease, falling from $3.6 billion in 2022 to $1.397 billion in 2023—a reduction of about 61.2%. Losses from phishing scams decreased by 33.2% compared to 2022, while rug pull losses dropped by 8.8%.

In 2023, there were four major attack incidents each exceeding $100 million in losses, and 17 incidents with losses between $10 million and $100 million. The top 10 security incidents accounted for roughly $1 billion in total losses, representing 71.5% of the annual total loss from attacks.
The types of projects targeted in 2023 became more diverse compared to 2022, including DeFi, CEXs, DEXs, public chains, cross-chain bridges, wallets, payment platforms, gambling platforms, crypto brokers, infrastructure, password managers, development tools, MEV bots, and Telegram bots. DeFi remained the most frequently attacked category, accounting for 130 attacks and causing approximately $408 million in losses—the highest both in frequency and amount.
Public chain attacks occurred more frequently in 2023, with multiple incidents involving theft across several chains. Ethereum continued to suffer the highest losses—71 attacks on Ethereum led to $766 million in losses, making up 54.9% of the year’s total losses.
From the perspective of attack methods, 30 private key leakage incidents resulted in approximately $627 million in losses, accounting for 44.9% of total losses—the single largest cause of financial damage. Exploitation of smart contract vulnerabilities was the most frequent attack method: out of 191 attacks, 99 (51.8%) stemmed from contract flaws.
About $295 million (21.1%) of stolen funds were recovered throughout the year—an improvement over 2022. Approximately $330 million (23.6%) of stolen funds were sent to mixers.
Unlike the significant decline in on-chain hacking, phishing, and rug pulls, crime in the off-chain crypto space surged dramatically in 2023. Global criminal activity in the crypto industry reached an astonishing $65.688 billion in 2023, up approximately 377% from $13.76 billion in 2022. The top three categories by value involved online gambling, money laundering, and fraud.

2. Top 10 Web3 Security Incidents in 2023
In 2023, four attack incidents exceeded $100 million in losses: Mixin Network ($200 million), Euler Finance ($197 million), Poloniex ($126 million), and HTX & Heco Bridge ($110 million). The top 10 security incidents collectively caused about $1 billion in losses, representing 71.5% of the annual total from attacks.
No.1 Mixin Network
Loss Amount: $200 million
Attack Method: Cloud Service Provider Database Attack
In the early hours of September 23, the cloud service provider database of Mixin Network was hacked, resulting in partial asset loss on its mainnet involving approximately $200 million. On September 25, the founder of Mixin explained during a live stream that the compromised assets were primarily Bitcoin-based, while assets such as BOX and XIN were not severely affected. Specific details about the attack could not be disclosed at the time.
No.2 Euler Finance
Loss Amount: $197 million
Attack Method: Contract Vulnerability – Business Logic Flaw
On March 13, the DeFi lending protocol Euler Finance was attacked, losing approximately $197 million. The root cause was that the contract failed to properly verify users’ actual token balances and the health status of user accounts after donations. All stolen funds were eventually returned by the attacker.
No.3 Poloniex
Loss Amount: $126 million
Attack Method: Private Key Leak / APT Attack
On November 10, large-scale asset withdrawals occurred from addresses associated with Poloniex, Sun Yucheng's exchange, raising suspicion of a breach. Shortly afterward, Sun Yucheng and Poloniex confirmed the incident via social media announcements. According to tracking statistics using Beosin Trace by the Beosin security team, the total stolen assets amounted to approximately $126 million.
No.4 HTX & Heco Bridge
Loss Amount: $110 million
Attack Method: Private Key Leak
On November 22, HTX, Sun Yucheng’s exchange, and the Heco Bridge were hacked, resulting in total losses of $110 million—$86.6 million from Heco Bridge and about $23.4 million from HTX.
No.5 Curve/Vyper
Loss Amount: $73 million
Attack Method: Contract Vulnerability – Reentrancy
In the early morning of July 31, Vyper, the Ethereum programming language, tweeted that versions 0.2.15, 0.2.16, and 0.3.0 had reentrancy lock bugs. Combined with native ETH being able to trigger callbacks during transfers, liquidity pools pairing with ETH became vulnerable to reentrancy attacks. Subsequently, Curve's official Twitter stated that due to the failure of the reentrancy guard, many stablecoin pools using Vyper 0.2.15 (alETH/msETH/pETH) were attacked. The incident resulted in losses of approximately $73 million.
No.6 CoinEx
Loss Amount: $70 million
Attack Method: Private Key Leak / APT Attack
On September 12, cryptocurrency exchange CoinEx issued a statement saying its risk control system detected suspicious high-value withdrawal activities from a hot wallet used for temporarily storing platform trading assets. A special response team was immediately formed. The incident mainly involved tokens such as ETH, TRON, and Polygon, with stolen assets amounting to approximately $70 million.
No.7 Atomic Wallet
Loss Amount: $67 million
Attack Method: Private Key Leak / APT Attack
Monitoring by EagleEye, Beosin's security risk monitoring, alerting, and blocking platform, showed that Atomic Wallet was attacked in early June. Based on statistics from the Beosin team combining known victim reports on-chain, the losses from this attack were at least approximately $67 million.
No.8 Alphapo
Loss Amount: $60 million
Attack Method: Private Key Leak / APT Attack
On July 23, the hot wallet of cryptocurrency payment service provider Alphapo was breached, resulting in a loss of $60 million. The incident was carried out by the North Korean hacker group Lazarus.
No.9 KyberSwap
Loss Amount: $54.7 million
Attack Method: Contract Vulnerability – Business Logic Issue
On November 22, the DEX project KyberSwap was attacked, resulting in approximately $54.7 million in losses. Kyber Network stated that this hack was one of the most complex in DeFi history, requiring the attacker to execute a series of precise on-chain operations to exploit the vulnerability.
No.10 Stake.com
Loss Amount: $41.3 million
Attack Method: Private Key Leak / APT Attack
On September 4, the crypto gambling platform Stake.com suffered a hacking attack. Afterward, Stake.com announced unauthorized transactions occurred in its hot wallets on ETH and BSC, investigations were underway, and deposits and withdrawals would resume once full security was restored. The incident was attributed to the North Korean hacker organization Lazarus.
3. Types of Attacked Projects
Compared to 2022, the types of projects attacked in 2023 were broader, and losses were no longer concentrated in just a few categories. In addition to common types like DeFi, CEXs, DEXs, public chains, cross-chain bridges, and wallets, 2023 also saw attacks on payment platforms, gambling platforms, crypto brokers, infrastructure, password managers, development tools, MEV bots, and Telegram bots.

Among the 191 attack incidents in 2023, DeFi projects accounted for 130 (about 68%), making them the most frequently attacked type. Total losses from DeFi attacks were approximately $408 million, or 29.2% of all losses—the highest among all categories.
CEXs (centralized exchanges) ranked second in loss amounts, with nine attacks causing $275 million in losses. Additionally, 16 attacks occurred on DEXs (decentralized exchanges), totaling about $85.68 million in losses. Overall, exchange-related security incidents were frequent in 2023, making exchange security the second biggest challenge after DeFi security.

Public chains ranked third in loss amounts, with approximately $208 million lost, largely due to the $200 million theft from Mixin Network.
Cross-chain bridges ranked fourth in loss amounts, accounting for about 7% of total losses. In 2022, however, 12 cross-chain bridge security incidents caused about $1.89 billion in losses, representing 52.5% of that year’s total. Cross-chain bridge incidents significantly decreased in 2023.
Fifth place goes to crypto payment platforms, where two security incidents (Alphapo and CoinsPaid) resulted in combined losses of about $97.3 million. Both incidents were linked to the North Korean APT group Lazarus.
4. Loss Distribution Across Chains
Compared to 2022, the variety of public chains targeted in 2023 also increased, primarily due to multiple CEX private key leaks affecting various chains. The top five chains by loss amount were Ethereum, Mixin, HECO, BNB Chain, and TRON. By number of attack incidents, the top five were BNB Chain, Ethereum, Arbitrum, Polygon, and a tie for fifth between Optimism and Avalanche.

Similar to 2022, Ethereum remained the chain with the highest losses. Seventy-one attacks on Ethereum caused $766 million in losses, accounting for 54.9% of the year’s total.
Mixin ranked second in losses, with a single incident causing $200 million in losses. Third was HECO, with losses of approximately $92.6 million.

There were 76 attacks on BNB Chain, representing 39.8% of all attack events—the highest among any chain. Total losses on BNB Chain were approximately $70.81 million, with the vast majority (88%) of incidents involving less than $1 million.
5. Attack Method Analysis
Compared to 2022, attack methods in 2023 became more diverse, especially incorporating various Web2-style attacks, including: database breaches, supply chain attacks, third-party service provider compromises, man-in-the-middle attacks, DNS attacks, and front-end attacks.

In 2023, 30 private key leak incidents caused $627 million in losses, representing 44.9% of total losses—the costliest attack vector. Major incidents included Poloniex ($126 million), HTX & Heco Bridge ($110 million), CoinEx ($70 million), Atomic Wallet ($67 million), and Alphapo ($60 million). Most of these incidents were linked to the North Korean APT group Lazarus.

Contract vulnerability exploitation was the most frequent attack method: out of 191 attacks, 99 (51.8%) stemmed from contract flaws. These exploits caused $430 million in losses, ranking second in total financial impact.
Breaking down contract vulnerabilities further, business logic flaws were both the most frequent and costly, accounting for about 72.7% of losses from contract exploits, totaling approximately $313 million. Reentrancy ranked second, with 13 incidents causing about $93.47 million in losses.

6. Case Studies of Attack Methods
6.1 Euler Finance Security Incident
Incident Summary
On March 13, the lending project Euler Finance on the Ethereum chain suffered a flash loan attack, resulting in losses of $197 million.
On March 16, the Euler Foundation offered a $1 million bounty for information leading to the arrest of the hacker and recovery of stolen funds.
On March 17, Michael Bentley, CEO of Euler Labs, tweeted that Euler had “always been a security-conscious project.” From May 2021 to September 2022, Euler Finance underwent 10 audits by six blockchain security firms: Halborn, Solidified, ZK Labs, Certora, Sherlock, and Omnisica.
From March 18 to April 4, the attacker began returning funds incrementally. During this period, the attacker apologized via on-chain messages, stating they had “disrupted others' money, work, and lives,” and requested forgiveness.

On April 4, Euler Labs announced on Twitter that through successful negotiation, the attacker had returned all stolen funds.
Vulnerability Analysis
In this attack, the donateToReserves function in the Etoken contract failed to correctly verify the user's actual token balance and the health status of the user's ledger after donation. The attacker exploited this flaw by donating 100 million eDAI while having only pledged 30 million DAI.
After the donation, the user's ledger met liquidation conditions, triggering the lending contract's liquidation mechanism. During liquidation, eDAI and dDAI were transferred to the liquidator contract. However, due to the massive bad debt, the maximum discount rate was applied during liquidation. After completion, the liquidator contract held 310.93 million eDAI and 259.31 million dDAI.
At this point, the user's account health recovered, allowing fund withdrawals. The withdrawable amount equaled the difference between eDAI and dDAI. But since the pool actually contained only 38.9 million DAI, only that amount could be withdrawn.

6.2 Vyper/Curve Security Incident
Incident Summary
On July 31, Vyper, the Ethereum programming language, tweeted that versions 0.2.15, 0.2.16, and 0.3.0 had reentrancy lock vulnerabilities. Curve reported that multiple stablecoin pools using Vyper 0.2.15 (CRV/alETH/msETH/pETH) were attacked, resulting in total losses of $73 million—of which about $52.3 million was later returned by the hacker.

Vulnerability Analysis
The primary cause of this attack was the failure of the reentrancy lock in Vyper 0.2.15. When calling the remove_liquidity function of relevant liquidity pools to withdraw liquidity, the attacker reentered the add_liquidity function. Since balance updates occurred before entering add_liquidity, price calculations were corrupted.


7. Review of Notable Anti-Money Laundering Cases
7.1 Atomic Wallet Breach Case
According to monitoring by EagleEye, Beosin’s security risk monitoring, alerting, and blocking platform, Atomic Wallet was attacked in early June this year. Based on data compiled by the Beosin team from known victim reports on-chain, the incident caused losses of at least approximately $67 million.
According to Beosin team analysis, the breach has so far impacted a total of 21 blockchains, including BTC, ETH, and TRX. Stolen funds were primarily concentrated on the Ethereum chain:
On Ethereum, stolen funds amounted to virtual currencies worth 16,262 ETH, valued at about $30 million.
On TRON, known stolen funds amounted to virtual currencies worth 251,335,387.3208 TRX, valued at about $17 million.
On BTC, known stolen funds amounted to 420.882 BTC, equivalent to $12.6 million.
On BSC, known stolen funds amounted to virtual currencies worth 40.206266 BNB.
Other chains: XRP: 1,676,015 XRP (~$840k), LTC: 2,839.873689 LTC (~$220k), DOGE: 800,575.67369797 DOGE (~$50k)
We illustrate the money laundering process using the Ethereum chain
In handling the illicit funds, hackers employed two primary methods on the Ethereum chain:
Distributing funds through contracts followed by cross-chain laundering via Avalanche
According to Beosin team analysis, hackers first consolidated valuable coins into the native coin of the chain, then aggregated them through two contracts.
These contract addresses would bundle ETH into WETH through two layers of intermediaries, then transfer the WETH to another contract responsible for distributing ETH. The funds were then relayed through up to five intermediate steps into wallet addresses on Avalanche designated for cross-chain bridging. This cross-chain transfer does not use smart contracts and falls under internal bookkeeping transactions on Avalanche.
Simplified diagram of Ethereum pathway:

Aggregation Contract 1:
0xe07e2153542eb4b768b4d73081143c90d25f1d58 involved a total of 3,357.0201 ETH
After converting to WETH, transferred to contract 0x3c3ed2597b140f31241281523952e936037cbed3
Detailed money laundering route shown below:

Aggregation Contract 2: 0x7417b428f597648d1472945ff434c395cca73245 involved a total of 3,009.8874 ETH
After converting to WETH, transferred to contract 0x20deb1f8e842fb42e7af4c1e8e6ebfa9d6fde5a0
Detailed money laundering route shown below:

Join TechFlow official community to stay tuned Telegram:https://t.me/TechFlowDaily X (Twitter):https://x.com/TechFlowPost X (Twitter) EN:https://x.com/BlockFlow_News










