Crypto Investors Lost $54M to Rugpulls, Scams in May: Blockchain Security Firm De.Fi

In a turbulent month for the cryptocurrency market, May 2023 witnessed a wave of scams and hacking incidents that resulted in cumulative losses of over $54 million, a new report from security firm De.Fi shows.

The amount is a nearly half of April's $101.5 million loss, suggesting better security practices among users and developers. However, no funds were recovered in May 2023 – compared to $2.2 million recovered in April.

The BNB Chain ecosystem accounted for the majority of the incidents, with losses above $37 million across ten cases. Ethereum-based projects saw the least exploits at just over $2 million.

Among the top ten cases, Fintoch suffered the highest loss of $31.7 million due to a smart contract exploit. Jimbo Protocol on Arbitrum experienced a loss of $7.5 million due to a rugpull, while Deus Finance on BNB lost $6.2 million in a smart contract exploit.

Other notable cases included Tornado Cash, Mother, WSB Coin, Linda Yaccarino, Block Forest, SNOOKER, and land, with losses ranging from $145,000 to $733,000.

Rug pulls remained the most prevalent, accounting for twelve cases and losses totaling $37 million. There were nine cases of exploits resulting in losses of $8.8 million, while flash loan Attacks, although less frequent with five cases, still led to significant losses totaling $8.9 million. Exit scams were responsible for two cases, resulting in a loss of $177,000.

A “rug pull” is a colloquial term for a type of crypto scam that typically see the developer, or developers, gain legitimacy on social media, hype up a project and raise a significant sum of money only to drain liquidity after that project’s tokens are first offered to the public.

Flash loans, on the other hand, are a sophisticated type of exploit that allows traders to borrow unsecured funds from lenders using smart contracts instead of third parties. Attackers typically take out flash loans to manipulate the prices of a project’s token – where the smart contract is unable to detect the manipulation – and drain treasury funds.

As such, governance tokens were the most commonly targeted category, with 19 cases reported and losses totaling $3.3 million. Decentralized exchanges (DEX) were targeted in three cases, resulting in losses of $4 million. Stablecoins recorded the highest amount lost, reaching $6.2 million in a single case.

Other categories, such as yield aggregators, gaming and metaverse applications, non-fungible tokens (NFTs) and centralized crypto platforms reported no losses during this period. Borrowing and lending protocols remained unaffected as well.