Inventory of security incidents in May: the total loss amount was about 19.69 million US dollars, a decrease of about 79% compared with April

What happened this month?

Written by: Beosin

It's time for a monthly security check again! According to the Beosin EagleEye security risk monitoring, early warning and blocking platform monitoring of the blockchain security audit company Beosin, in May 2023, the amount involved in various security incidents continued to decline for two consecutive months. **There were more than "22" more typical security incidents in May, and the total loss of various attack incidents was about 19.69 million US dollars, which was about 79% lower than that in April. In addition, the total amount involved in the fraudulent escape reached 45.02 million US dollars, exceeding the loss amount of the attack. **

The largest attack this month was the attack on Jimbos on the Arbitrum chain, with a loss of about $7.5 million. Security incidents related to hardware wallets have increased, and users need to pay more attention. In May, fraudulent running away incidents still occurred frequently, and the amount involved in many running away projects reached more than 1 million US dollars.

A total of "10" typical security incidents occurred in DeFi

No.1 On May 2, the Level Finance project on the BSC chain was attacked and lost $1.09 million.

No.2 On May 3, Never Fall on the BSC chain was attacked and lost $70,000.

No.3 On May 6, the stablecoin DEI launched by DEUS was hacked, and the hackers made a profit of about 6.3 million US dollars.

No.4 On May 7th, the BFT on the BSC chain suffered a flash loan attack and lost $270,000.

No.5 On May 10, SNK on the BSC chain was attacked, and hackers used SNK's invitation reward mechanism to make a profit of 190,000 US dollars.

No.6 On May 20, Swap-Lp on the BSC chain was attacked and lost $1 million.

No.7 On May 20, Tornado Cash was attacked and lost $1.07 million.

No.8 On May 24, the CS token on the BSC chain was attacked, and the loss was about 710,000 US dollars.

No.9 On May 24, the LCT project on the BSC chain was attacked, and the loss was about 118,000 US dollars.

No.10 On May 28, Jimbos on the Arbitrum chain was attacked and lost about $7.5 million. The project party stated that if the attacker returns 90% of the funds, it will give up the responsibility of the attacker.

There were "3" typical security incidents in wallet/user security

The No.1 hardware wallet imKey said that it has recently discovered that an unofficial store online store sells "activated" imKey hardware wallets. This situation may be attacked by social engineering, and there is a greater risk of fraud.

No.2 security firm claims Trezor T hardware wallets have vulnerabilities that allow attackers to crack the mnemonic phrase when physically accessing the hardware wallet.

No.3 At present, there is a new way of stealing coins by using the shared power bank to steal the private key. Fraud gangs modified the shared power bank of KTV and implanted malicious programs to steal the private key in the mobile phone.

A total of "6" typical security incidents occurred in the aspect of fraudulent escape

No.1 On May 4th, the Arbitrum ecological project XIRTAM had a rug pull, and the project party transferred 1909 ETH (about 3.58 million U.S. dollars) to Binance and was frozen.

No.2 On May 4th, a Rug Pull occurred on the Meme coin project WSB Coin, involving a fund of 635,000 US dollars.

No.3 On May 19, a Rug Pull occurred in the application Swaprum on Arbitrum, and the deployer made a profit of 3 million US dollars.

No.4 On May 24, the team behind the blockchain financial platform Fintoch was suspected of a Ponzi scheme, defrauding 31.6 million USDT.

No.5 On May 30, a Rug Pull occurred in the BlockGPT project, involving assets of about 256,000 US dollars.

No.6 A multi-chain fraud service provider named Inferno Drainer has stolen about $5.9 million in assets and has nearly 4,888 victims so far.

There were "2" typical security incidents in encryption crime/case supervision

No.1 On May 20th, the U.S. Department of Justice announced that a Nevada man was charged for allegedly participating in CoinDeal. CoinDeal was an investment fraud scheme that defrauded more than 10,000 victims of over $45 million.

No.2 In May, the U.S. Department of Justice seized up to $112 million worth of cryptocurrency from addresses related to hog-killing scams.

A total of "1" typical security incidents occurred in other areas

No.1 The Beosin security team discovered a serious vulnerability CVE-2023-33252 in the SnarkJS 0.6.11 and earlier versions of the library, reminding all zk projects that use the SnarkJS library to update SnarkJS to version 0.7.0 to ensure security sex.

Further reading: Beosin found the CVE-2023-33252 vulnerability in the Circom verification library, reminding the zk project party to pay attention to related risks

In view of the new situation in the current blockchain security field, "Beosin" summarizes here:

On the whole, the amount involved in various blockchain security incidents in May 2023 continued to decline. In May, the total amount of losses from various attacks reached USD 19.69 million, a decrease of about 79% compared with April. **

This month, the amount of money involved in fraudulent running has exceeded the attack incident, and there have also been new ways of stealing coins such as using shared charging treasures to steal private keys. Hackers and scammers are gradually shifting their attack targets from project parties to ordinary users. It is recommended that users must increase anti-fraud awareness, do a good job of project background investigation, and learn from multiple channels to ensure the safety of their own assets. In addition, more than half of the projects attacked this month have not been audited. It is recommended to find a professional auditing company for auditing before the project goes live.