It is no secret that Web3 is not as secure as some would have you believe. The concept of blockchain and the “immutable” ledger does not remove people from the equation so it will never be secure (just like everything else). Attackers are still going to scan exchanges, marketplaces, wallet apps and software and even investigate smart contracts to find was to compromise them or the users that use them. In most major thefts (not counting rug pulls) there has been the same root causes that we see in the existing system. Phishing, exploitation of vulnerabilities etc. You get the picture here.
Recently OpenSea, a large NFT Marketplace saw its users become the victims of an elaborate phishing scam. The scam resulted in the loss of $1.7 Million in virtual assets. The scammers took advantage of a planed maintenance window where OpenSea was reminding users to migrate their existing Ethereum items to a new smart contract. Attackers made a copy of the message and sent it out to users with a small change. The poisoned email would now send the target to a copycat web page where they would sign a transaction that would assign rights to the attacker. OpenSea says that the attack does not appear to be ongoing, and they are working on identifying the source of the attack. The caution against signing anything without first confirming the legitimacy of the contract (just like existing guidance for phishing emails related to normal banking).
Although the OpenSea attack is not one of the top 10 in terms of what was stollen it still shows that there is a long way to go before the utopia of Web3 is anywhere near even being a thought on reality. The same types of attacks that plague Web2.0 are still effective in Web3.0. We are seeing an increase in these types of attacks as popularity rises around Web3. It is not just phishing, but even the platforms used to communicate like Discord are seeing a rise in attacks and attempts to compromise tokens and user information. Things are likely to get worse before they get any better.