Quantstamp 2023 Web3 Security Year In Review

January 8, 2024
Quantstamp Announcements

It’s been a big year for web3 filled with new protocols, product developments, partnerships, and more. The industry is maturing, but there’s one major setback that stands in the way. Web3 is still rife with exploits and scams that hinder its ability to establish trust among the masses. We made great strides this year, but when it comes to web3 security, there’s always more work to be done.‍

As the year comes to a close, we wanted to take a moment to reflect on this year’s biggest hacks, root causes, and noteworthy trends. Whether you’re a developer, security expert, or end user, we hope these insights will guide you toward a more secure future in the coming year. ‍

Want to dive deeper into what happened each month? Check out our monthly hacks roundups on YouTube.

Quantstamp Announcements
January 8, 2024

It’s been a big year for web3 filled with new protocols, product developments, partnerships, and more. The industry is maturing, but there’s one major setback that stands in the way. Web3 is still rife with exploits and scams that hinder its ability to establish trust among the masses. We made great strides this year, but when it comes to web3 security, there’s always more work to be done.‍

As the year comes to a close, we wanted to take a moment to reflect on this year’s biggest hacks, root causes, and noteworthy trends. Whether you’re a developer, security expert, or end user, we hope these insights will guide you toward a more secure future in the coming year. ‍

Want to dive deeper into what happened each month? Check out our monthly hacks roundups on YouTube.

Year in Review (PDF)
Download
Year in Review (PDF)
Download
Quantstamp Announcements

June Security Beat: Keys Over Code

$75.32M was lost across 32 crypto incidents in June, up from May's $59.52M. No coordinated campaign carried the month, but one targeted operation did. A targeted social-engineering attack against Humanity Protocol reached the keys behind the $H token and drained $32M, roughly 42% of every dollar lost in June. Quantstamp led the independent investigation and traced the tooling to a phishing campaign previously seen targeting macOS users. Offchain, a fresh npm supply chain wave hit Red Hat's packages on the first day of the month, and a PeopleSoft zero-day was exploited for two weeks before Oracle said a word. Here's the month in security 👇

Read more
Quantstamp Announcements

May 2026 Security Beat

$59.52M was lost across 29 crypto incidents, down sharply from April's ~$635M. No single hack carried the month. The bigger story happened off-chain, where a self-propagating npm worm called Mini Shai-Hulud kept resurfacing in new waves through the month, ultimately spanning more than 1,000 malicious package versions across the npm ecosystem.

Read more
Quantstamp Announcements

April 2026 Security Beat: Same Actors, New Targets

April was undoubtedly a rocky month in security. $635M was lost across 28 crypto incidents. The Axios npm package was compromised on day one, exposing an estimated 600,000 installs in three hours. Vercel was breached through a third party. Three major CVEs under active exploitation. Here's the month in security 👇

Read more