A report published on September 26, 2024, by blockchain security platform Immunefi reveals that cryptocurrency losses from hacks and scams declined by 40 percent year-over-year in the third quarter, falling to $413 million. While the decline signals improvement, the sheer scale of losses—$1.34 billion since January alone—underscores that the crypto industry remains far from achieving the security maturity its users deserve. With Bitcoin trading above $65,000 and Ethereum near $2,632, the stakes for investors have never been higher.
The Threat Landscape
The Immunefi report documents 34 separate incidents of hacks and scams between July and September 2024. Two centralized exchange breaches dominated the quarter: WazirX lost $235 million and BingX lost $52 million, together accounting for 69.5 percent of all Q3 losses. These figures reveal a stark reality—centralized finance platforms remain the most lucrative targets for attackers.
The data paints a clear picture of where the danger lies. CeFi platforms suffered only three attacks, but those three incidents yielded $309 million in stolen funds. DeFi protocols, by contrast, were hit 31 times for a combined $104 million. The frequency of DeFi attacks is much higher, but individual losses tend to be smaller. Hacker attacks accounted for 99.25 percent of all damage, with outright fraud contributing just 0.75 percent.
Monthly losses varied significantly: July saw $281.9 million in losses, August dropped to $15.1 million, and September recorded $115.9 million. Ethereum and BNB Chain were the most targeted networks, with 15 and eight incidents respectively, together representing over 67 percent of total losses.
Core Principles
Protecting your crypto assets starts with understanding the attack vectors that matter most. The Immunefi data shows that the primary threat to CeFi users is weak private key management: exchanges and platforms that lack rigorous key security policies represent the greatest risk. For DeFi users, the main risks come from smart contract vulnerabilities, flash loan exploits, and logic errors in protocol code.
The report notes that private key management in CeFi usually lacks proper security auditing and requires strict policies, multi-signature frameworks, and emergency action plans. On the DeFi side, the pattern of losses reveals that many exploits target well-known vulnerability classes: reentrancy, flash loan manipulation, and precision errors in forked code.
A particularly troubling finding: affected projects managed to recover only $14.9 million—3.6 percent of stolen funds. Furthermore, more than 77.8 percent of projects that suffered hacks experienced sustained negative price impact on their native tokens for at least six months following the incident.
Tooling and Setup
For individual investors, the security toolkit should include several non-negotiable components. Hardware wallets remain the single most effective protection against exchange hacks and phishing attacks. Moving funds off centralized platforms into self-custody eliminates exposure to CeFi breaches like those that struck WazirX and BingX.
For DeFi participants, on-chain monitoring tools such as Forta, OpenZeppelin Defender, or Immunefi’s own monitoring infrastructure can provide early warning of suspicious contract interactions. Browser extensions that simulate transactions before execution—like Tenderly or PocketUniverse—help users identify malicious smart contract interactions before signing.
Portfolio trackers with real-time alerts can notify you immediately if a protocol you are invested in experiences unusual activity. Setting up withdrawal whitelists and time-locked withdrawals on exchange accounts adds another layer of protection.
Ongoing Vigilance
The crypto security landscape evolves constantly. New attack vectors emerge as protocols grow more complex, and the intersection of AI and crypto introduces novel risks alongside new opportunities. Staying informed through security research platforms, following incident reports from organizations like Immunefi and CertiK, and participating in community security discussions are all essential practices.
The Q3 decline in losses is encouraging, but it should not breed complacency. The $413 million figure still represents significant harm to users and platforms. As the total crypto market cap hovers near $2.3 trillion, with Bitcoin at $65,181 and Ethereum at $2,632, the incentive for attackers will only grow. Security is not a destination—it is an ongoing process that requires constant attention and adaptation.
Final Takeaway
The Immunefi Q3 2024 report tells a story of incremental progress against a backdrop of persistent threat. CeFi platforms must prioritize private key security and undergo regular third-party audits. DeFi protocols need to stop forking unaudited code and invest in comprehensive security reviews. Individual users must take self-custody seriously, use hardware wallets, and stay informed about the latest attack vectors. The 40 percent year-over-year decline in losses is a step in the right direction, but the industry is still losing nearly half a billion dollars per quarter to preventable attacks.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research and consult with security professionals before making decisions about your crypto holdings.
3 CeFi attacks, $309M. 31 DeFi attacks, $104M. the math is pretty clear on where the real risk lives
cefi_death_count this is the stat that matters. 3 attacks vs 31 attacks but 3x the losses. frequency means nothing when each CeFi hit is 30x larger
DeFi bugs get caught and patched, CeFi single points of failure just sit there until someone walks away with 9 figures
per attack it's $103M cefi vs $3.3M defi. the frequency doesn't matter when one cefi hit drains 30x more
3 CeFi hits for $309M vs 31 DeFi hits for $104M. one proper multisig setup on WazirX would have prevented the biggest loss of the quarter
WazirX losing $235M in a single breach is insane. how does an exchange not have better cold wallet segregation in 2024
wazirx was storing user funds in a single multi-sig wallet. not even hardware wallets for the majority. 2024 and still acting like it's 2016
cold_storage_ single multi-sig for an exchange holding billions in user funds is negligence pure and simple. there is no excuse in 2024
40% drop YoY sounds great until you see it's still 413M in a single quarter. the trend line is improving but the absolute numbers are still horrifying
40% drop in losses sounds good until you realize that's still $413M gone in 3 months. the trend is improving but the baseline is horrifying
immunefi calling wazirx cefi is generous. that exchange had zero transparency on reserves even before the $235M drain
3 CeFi attacks generating $309M vs 31 DeFi attacks for $104M. centralized platforms are still the biggest honey pot and always have been
cefisk_ptn 103M per CeFi hit vs 3.3M per DeFi hit. one proper cold storage policy on WazirX would have saved 235M but you can't regulate incompetence
cefisk_ptn WazirX alone was $235M. one exchange single-handedly made up more than half the quarter's losses