THE IMPACT OF BLOCKCHAIN SECURITY BREACHES

by

ZHE LI

B.Sc., University of British Columbia, 2021

MM, University of British Columbia, 2022

A THESIS SUBMITTED IN PARTIAL FULFILLMENT OF

THE REQUIREMENTS FOR THE DEGREE OF

MASTER OF SCIENCE IN BUSINESS ADMINISTRATION

in

THE FACULTY OF GRADUATE AND POSTDOCTORAL STUDIES

(Management Information Systems)

THE UNIVERSITY OF BRITISH COLUMBIA

(Vancouver)

April 2024

© Zhe Li, 2024

The following individuals certify that they have read, and recommend to the Faculty of Graduate and
Postdoctoral Studies for acceptance, the thesis entitled:

The Impact of Blockchain Security Breaches

submitted by Zhe Li in partial fulfillment of the requirements for

the degree of Master of Science in Business Administration

in Management Information Systems

Examining Committee:

Dr. Mi Zhou, Assistant Professor, Accounting and Information Systems Division,

Sauder School of Business, UBC
Supervisor

Dr. Hasan Cavusoglu, Associate Professor, Accounting and Information Systems Division,
Sauder School of Business, UBC
Supervisory Committee Member

Dr. Frank Li, Assistant Professor, Accounting and Information Systems Division,
Sauder School of Business, UBC
Supervisory Committee Member

Dr. Ning Nan, Associate Professor, Accounting and Information Systems Division,
Sauder School of Business, UBC
Additional Examiner

ii
Abstract

While blockchain technology has developed rapidly and the crypto market has prospered, vulnerabilities and

security breaches have occurred in blockchain derivative projects. To raise funds, these projects can issue

tradable crypto tokens representing project stakes, such as voting rights or revenue shares. Through the event

study method, this research investigates the crypto token market reaction to security breaches in blockchain

projects, focusing on the breaches’ impact on the token value of the project. Potential moderators, including

project and breach-specific attributes, and the role of social media in the post-breach market dynamics are

also studied. This research provides evidence of a significantly negative impact on the token price on the

breach day and over an event window of three days centered on the breach day. For moderators, larger

projects with more market capital are found to be less penalized on their token price. Meanwhile, projects

mainly providing financial services in the blockchain ecosystem suffer more negative abnormal returns under

breach than non-financial projects. We also find that timely official Twitter announcements about the breach

from the project are associated with more negative abnormal returns, potentially because of the negative

sentiment and topics in the comments of the tweets. To the best of our knowledge, this research contributes

to the literature for being the first to study how security breaches impact token value while also providing

risk assessment tools for investors and urging the prioritization of security, especially for smaller and financial

blockchain projects.

iii
Lay Summary

Projects using blockchain technology can raise funds by issuing crypto tokens, like the stocks of traditional

companies. Through an event study approach, this research investigates the token market reaction to security

breaches, focusing on their impact on the token value issued by the project responsible for the exploited

vulnerability. The results show that security breaches can negatively impact token value, with larger projects

experiencing less damage and financial projects suffering more penalties. Making the timely official

announcement on Twitter worsen the reaction, potentially due to the negative sentiment and topics in the

comments to the announcement tweets. To the best of our knowledge, this paper is the first to study the

financial impact of the breach on crypto tokens, providing critical implications for project owners and an

important risk assessment tool for investors.

iv
Preface

Prof. Mi Zhou and Prof. Hasan Cavusoglu supervised this research. Inspired by Prof. Hasan Cavusoglu, I

initiated the research questions and developed the research design using the event study method with the

guidance and help of both supervisors. Prof. Frank Li helped revise the details. In this research, I collected,

processed, and analyzed the data, conducting research and drafting the manuscript based on the empirical

results. This paper is proofread and improved with the help of all my supervisors.

I presented this research in the Management Information Systems Research Workshop at the Sauder

School of Business in November 2023.

v
Table of Contents

Abstract .......................................................................................................................................... iii

Lay Summary ................................................................................................................................. iv

Preface ............................................................................................................................................. v

Table of Contents ........................................................................................................................... vi

List of Tables .................................................................................................................................. ix

List of Figures ................................................................................................................................. x

List of Abbreviations ...................................................................................................................... xi

Acknowledgments ......................................................................................................................... xii

1 Introduction ............................................................................................................................. 1

2 Literature Review .................................................................................................................... 6

2.1 Financial and Economic Impact of Security Events ...................................................... 6

2.2 Events Influencing Cryptocurrency Market ................................................................. 10

3 Hypotheses Development ...................................................................................................... 13

3.1 Main Security Breach Effect on Token Value ............................................................. 13

3.2 Moderators for the Main Effect.................................................................................... 14

4 Dataset Construction ............................................................................................................. 24

4.1 Event Data .................................................................................................................... 24

vi
 4.2 Market History ............................................................................................................. 30

4.3 Twitter Data Collection................................................................................................ 31

5 Methodology ......................................................................................................................... 32

5.1 Event Study for the Main Impact ................................................................................. 32

5.2 Cross-Sectional Analysis for Moderators .................................................................... 36

5.3 Twitter Content Analysis ............................................................................................. 39

6 Research Results.................................................................................................................... 41

6.1 Event Study Plots ......................................................................................................... 41

6.2 Results of the Main Effect ........................................................................................... 42

6.3 Results of Moderating Effects...................................................................................... 44

6.4 Further Analysis: Twitter Content Exploration............................................................ 53

7 Discussion and Conclusion.................................................................................................... 56

7.1 Discussion of Main Effect............................................................................................ 56

7.2 Discussion of Results for Moderating Effects ............................................................. 57

7.3 Discussion of Results for Social Media Exploration ................................................... 60

7.4 Conclusion ................................................................................................................... 61

References ..................................................................................................................................... 63

Appendices .................................................................................................................................... 69

vii
Appendix A: Example Security Breach Event Data .................................................................. 69

viii
List of Tables

Table 2.1 Literature of Security Events and Their Impact on Company......................................................... 7

Table 2.2 Literature of Security Events and Their Impact on Cryptocurrency ............................................... 9

Table 2.3 Literature of Other Events and Their Impact on Cryptocurrency .................................................. 11

Table 4.1 Breach Attributes Reported in the Rekt Leaderboard ....................................................................25

Table 4.2 Hack Attributes Reported by DefiLlama .......................................................................................26

Table 4.3 Criteria for Project Type Classification .........................................................................................28

Table 5.1 Descriptive Statistics for AR and CAR ..........................................................................................35

Table 5.2 Descriptive Statistics for AR and CAR Excluding Outliers ...........................................................38

Table 5.3 Descriptive Statistics for AR and CAR Excluding Events with Market Value 0 ...........................39

Table 6.1 Event Study Results .......................................................................................................................44

Table 6.2 Event Study Results for Subsets Split on Dummy Moderators .....................................................46

Table 6.3 Comparison Results for Subsets Split on Dummy Variable ...........................................................47

Table 6.4 Cross-Sectional Analysis for Model Specification 1 .....................................................................50

Table 6.5 Cross-Sectional Analysis for Model Specification 2 .....................................................................52

Table 6.6 T-Test Results for Comparing Tweets and Comments ...................................................................54

Table 7.1 Results Summary for Moderating Effects ......................................................................................60

ix
List of Figures

Figure 3.1 Conceptual Model ........................................................................................................................23

Figure 4.1 Distribution of RO Category in the Event Dataset .......................................................................28

Figure 4.2 Distribution of Labels for Project Type, Auditing Status, and Breach Type.................................30

Figure 4.3 Distribution of Twitter Announcement Label...............................................................................31

Figure 5.1 Event Study Illustration................................................................................................................33

Figure 5.2 Distribution of AR and CAR ........................................................................................................35

Figure 6.1 Model Free Evidence ...................................................................................................................42

Figure 6.2 Project-Specific Average Tweet and Comment Negativity Score Distribution ............................53

Figure 6.3 Frequency Distribution of Topics .................................................................................................55

Figure 6.4 Top 8 Topics from BERTopic with Representative Words ...........................................................55

x
List of Abbreviations

AR Abnormal Return

BT Blockchain Technology

BTC Bitcoin

CAR Cumulative Abnormal Return

CPMAM Comparison Period Mean Adjusted Model

DeFi Decentralized Finance

PATN Project Average Tweet Negativity

PACN Project Average Comment Negativity

RO Responsibility Owner

xi
Acknowledgments

Working with Prof. Mi Zhou for the past two years, I have received considerable academic and personal

development suggestions. I am writing to express my sincere gratitude to Prof. Mi Zhou for her patient

guidance. She led me into the management information systems research field, enlightened me with valuable

information about academic opportunities, and prepared me for my subsequent stage as a research scholar.

I want to thank Prof. Hasan Cavusoglu for his rigorous but patient instructions on my topic selection

and research design. He helped me master several empirical research methods and constructively critiqued

my work from many subtle but important points, assisting me in becoming a better researcher in technology

security.

I want to thank all the instructors of the courses I have taken during this program for the knowledge and

skills I learned from them. I also want to thank all the administrative staff for their support and help.

Additionally, I want to thank all the authors and contributors of the literature and resources referred to and

used in this research.

I want to thank my colleagues and friends, Yingdi Tian and Zijia Zhang, for their support, advice, and

inspiration. I especially want to thank Melody Chou for her mental and spiritual support and patience

throughout my studies. Lastly, I also want to express my appreciation for my parents' efforts in making my

studies in this program possible.

xii
1 Introduction

The field of finance has been drastically transformed by blockchain technology (BT) since the introduction

of Bitcoin by Nakamoto (2008), whose innovation brought the use of BT as a distributed peer-to-peer

electronic cash system without a central bank to issue and manage the currency. Such a distributed system

acts as a database and public ledger storing verifiable and immutable transaction records whose information

is available to all participants in the system, thus being known as having benefits of security and transparency

(Crosby et al., 2016). Although Bitcoin cryptocurrency is the most famous example of a blockchain

application, it is far from the only one. Buterin (2014) introduced the Ethereum chain to explore the

possibility of BT beyond being just money in the form of cryptocurrency, developing a blockchain with a

built-in programming language to support applications like smart property, non-fungible assets, smart

contracts, etc. Despite the well-known security of blockchain technology itself, many of these derivative

applications built upon BT have been victims of security breaches that exploit various vulnerabilities of

different categories throughout the history of BT (Hasanova et al., 2019). This research intends to explore the

financial repercussions associated with such security breaches.

Building upon BT, the crypto industry has witnessed remarkable growth and prosperity. According to

the 2023 Annual Crypto Industry Report by CoinGecko (2024), in 2023, the Bitcoin (BTC) cryptocurrency

experienced a 155.2% price increase, while Ethereum's native cryptocurrency ETH climbed to $2,294 by

year-end, marking a 90.5% increase. The report also shows that the overall performance of the crypto industry

mirrored these trends, with the total market capitalization soaring by 108% to $1.72 trillion in 2023 and the

trading volume reaching a staggering $10.3 trillion in the fourth quarter. However, the prevalence of

1
cyberattacks has shadowed the rapid development of BT and the crypto industry. Chainalysis (2023) reported

that the amount stolen in various hacks escalated from $0.5 billion in 2019 and 2020 to $3.3 billion in 2021

and $3.8 billion in 2022. In the third quarter of 2022 alone, losses due to hacks and exploits amounted to

$383 million (Ciphertrace, 2023). As of January 2024, the total value hacked in decentralized finance (DeFi)

is $5.83 billion, and the total value hacked in bridges is $2.83 billion (DefiLlama, 2024b). On a micro level,

although blockchain is very difficult to hack, projects built on or using blockchains, like cryptocurrency

exchanges, are vulnerable to cyberattacks (Storsveen & Veliqi, 2020). Individual security breaches have led

to significant funds stolen for venture projects as derivatives of BT. For instance, at the top of the breach

leaderboard, the attack on Ronin Network resulted in a $624 million loss; the Poly Network suffered a $611

million loss; and the BNB Bridge was hit with a $586 million loss (Rekt, 2024). These incidents impact the

blockchain projects and their investors, who hold stakes as crypto tokens in these projects. Consequently,

investors should be vigilant about cyberattack risks when investing in blockchain venture projects.

Although cryptocurrency and crypto tokens are often used interchangeably by the public and are often

traded and listed on digital exchanges, it is essential to distinguish between them as they represent two distinct

types of assets within the blockchain ecosystem. The differentiation is rooted in the extended application of

the blockchain concept beyond money (the cryptocurrency) by using an on-chain digital asset named “token”

to represent other digital or physical assets such as USD or gold (Buterin, 2014). This ability of representation

enables blockchain projects to raise money through coin offerings. According to the Financial Industry

Regulatory Authority (n.d.), the developer of an entity, such as a company or project, may raise money

through a coin or token offering by selling investors the digital tokens distributed by a blockchain network.

2
Tokens issued through initial coin offerings (ICO) have different features and uses. As the European

Securities and Markets Authority (2017) describes, some tokens are like stocks, providing voting rights or

shares in the issuer's revenues. Others may be used as a payment method for the product or service the issuer

provides (Chod & Lyandres, 2021).

For investors contemplating investments in purchasing crypto tokens of blockchain projects, security

emerges as a critical risk factor because of the potential for substantial losses stemming from security

breaches, as illustrated by the previously mentioned incidents. For cryptocurrencies, there has been a stream

of literature studying the financial impact of security breaches (Abhishta et al., 2019; Ramos et al., 2021;

Shanaev et al., 2020; Tomić, 2020). However, to our knowledge, this research is the first to investigate the

impact of security breaches on crypto tokens instead of cryptocurrency. Specifically, this research aims to

understand how crypto token investors react to security breaches and, therefore, how crypto token prices

fluctuate when breaches happen. We focus this research on the token prices of the responsibility owners in

the breaches. The responsibility owners (ROs) are blockchain projects responsible for the vulnerabilities

exploited in the security breaches. Examples of ROs and vulnerabilities include but are not limited to bugs

in the ROs’ codebase and behavioral mistakes by stakeholders of the ROs.

To achieve better risk assessment for investment decisions, it is also equally important to identify and

analyze the factors that might moderate the magnitude of token price fluctuations following a breach. These

moderating factors could include attributes of the RO and those of the breach itself. Moreover, because the

blockchain ecosystem is relatively novel, social media serves as a primary source of information in the

industry where Twitter is a prevalent information source instead of traditional news media (Kraaijeveld & De

3
Smedt, 2020). So, the post-breach tweets and their associated comments are interesting to explore for

heuristics to understand token price fluctuation under security breaches. With the aforementioned research

objectives and interests, we propose the following research questions (RQs):

1. RQ1: What is the main impact of security breaches on the ROs’ crypto token value?

2. RQ2: What attributes of the RO and breach might moderate the magnitude of the main impact?

3. RQ3: How does RO’s timely Twitter announcement moderate the magnitude of the main impact?

To address the research questions empirically, this research first applies an event study method to the

99 breach events in the blockchain ecosystem from January 1st, 2020, until May 1st, 2023. The event data are

collected from two sources: DefiLlama and Rekt. The abnormal returns (AR) on the breach date and the

cumulative abnormal returns (CAR) over a 3-day window centered around the breach date are used to

investigate the changes in RO token returns and, therefore, prices in response to the breach events. Then, this

research conducts cross-sectional analyses to identify the moderating variables (attributes of the breaches and

ROs) and their effects on the magnitude of the main impact. Lastly, this research explores social media

content, comparing the sentiment between the tweets and comments while also modeling the topics of the

comments to understand the social media circumstances around the RO under breach.

This research shows that investors penalize ROs with significantly negative AR and CAR in response

to security breach events. For moderators of the main impact, there is evidence for RO-specific attributes,

including project size and type. Larger projects are found to suffer less damage on token value under security

breaches, and financial projects are more penalized than non-financial projects in the token market. This

4
research also finds that making timely Twitter announcements regarding the breach within the event window

is associated with a more negative market reaction to the token price.

This research critically contributes to covering the knowledge gap in the finance and security literature

regarding crypto tokens, adding risk assessment tools for token investors, and advising the project owners on

security implications and crisis management. Specifically, with the characteristics of the stock as the

representation of stake and the characteristics of cryptocurrency in regulation and investor demographics,

crypto tokens and their market reaction to security breaches are first studied in this research, which adds to

the well-established stream of literature regarding the post-breach reaction of the stock and cryptocurrency

market. Moreover, our findings advise investors to factor in security when deciding on investment and pay

attention to the project size and the business sector when assessing the risk. Project owners are also

recommended to prioritize security, especially for smaller projects with less developed systems and lower

shock absorption ability and financial projects that are more substitutable than projects of other kinds.

The rest of the thesis has six sections. Section 2 covers the literature review. Section 3 presents the

hypotheses development. Section 4 describes the dataset construction process. Section 5 illustrates the

empirical research design. Section 6 presents the results of the empirical analyses. Section 7 discusses the

results, implications, and limitations, concluding this research.

5
2 Literature Review

There are two streams of literature associated with this research. The first stream includes research about the

security events, most of which are breaches, and their financial and economic impact. This stream can be

further divided into research on stocks of traditional companies and cryptocurrencies. The second stream is

about research on events influencing the cryptocurrency market. This section presents the extant literature in

each stream and discusses the contribution this research may make to the literature.

2.1 Financial and Economic Impact of Security Events

The financial and economic repercussions of security breaches or their announcements have been intensively

investigated. In the past two decades, a series of studies has studied security breaches and their influence on

the stocks of traditional companies, while a body of literature about breach impact on cryptocurrency has

emerged more recently. Section 2.1.1 and section 2.1.2 review the studies in each context, respectively.

2.1.1 Security Events and Their Impact on Company

There are various types of security breaches (Uma & Padmavathi, 2013). A summary of existing literature

about various security events and their financial and economic impact on companies is presented in Table

2.1. While many studies cover general security breaches (Goel & Shawky, 2009; Michel et al., 2020) as well

as information and IT breaches overall (Campbell et al., 2003; Colivicchi & Vignaroli, 2019; Garg et al.,

2003; Gordon et al., 2011; Ko et al., 2009; Yayla & Hu, 2011), others focus on specific breach types such as

the Denial-of-Service attacks (Hovav & D’Arcy, 2003), privacy breach (Acquisti et al., 2006), data breach

(Foerderer & Schuetz, 2022; Gatzlaff & McCullough, 2010; Morse et al., 2011; Rosati et al., 2019), and

6
cyberattacks (Arcuri et al., 2018; Hung, 2019; Tweneboah-Kodua et al., 2018). Some research does not study

breaches directly but investigates relevant events, such as developer companies' announcement of software

vulnerabilities (Telang & Wattal, 2007) and the service crisis (Rasoulian et al., 2023).

It can be observed from Table 2.1 that there is an overwhelming adoption of the event study

methodology and the metrics of stock abnormal return and cumulative abnormal return to approach the

financial and economic impact of security breaches. Most of the extant literature provides evidence showing

a negative breach impact on the stock values, but few exceptions are showing mixed findings (Campbell et

al., 2003; Hovav & D’Arcy, 2003; Tweneboah-Kodua et al., 2018) or no significant result (Kannan et al.,

2007).

Table 2.1 Literature of Security Events and Their Impact on Company

Authors Methodology Event of Interest Metrics Main Findings

Campbell et al. Event Study Publicly announced Stock market reaction: Mixed evidence for
(2003) information security AR and CAR effect on stock value
breach
Garg et al. (2003) Event Study IT security breach Stock market reaction: Negative effect on
AR stock value
Hovav & D’Arcy Event Study Announcement of Stock market reaction: Mixed evidence for
(2003) Denial-of-Service AR and CAR effect on stock value
attacks
Cavusoglu et al. Event Study Announcement of Stock market reaction: Negative effect on
(2004) Internet security AR and CAR stock value
breach
Acquisti et al. Event Study Privacy breach Stock market reaction: Negative effect on
(2006) AR and CAR stock value
Telang & Wattal Event Study Announcement of Stock market reaction: Negative effect on
(2007) Software AR and CAR stock value
Vulnerability
Kannan et al. Event Study Information Security Stock market reaction: No evidence for the
(2007) breach announcement AR and CAR effect on stock value
Ko et al. (2009) Matched Information security Three performance Negative effect on the
Sampling breach indicators indicators.
Goel & Shawky Event Study Announcement of Stock market reaction: Negative effect on
(2009) security breach AR and CAR stock value

7
 Authors Methodology Event of Interest Metrics Main Findings
Gatzlaff & Event Study Data breach Stock market reaction: Negative effect on
McCullough (2010) AR and CAR stock value
Yayla & Hu (2011) Event Study Information security Stock market reaction: Negative effect on
events AR and CAR stock value
Morse et al. (2011) Event Study Data security breach Stock market reaction: Negative effect on
AR and CAR stock value
Gordon et al. (2011) Event Study Information security Stock market reaction: Negative effect on
breach AR and CAR stock value
Tweneboah-Kodua Event Study Cyberattacks Stock market reaction: Mixed evidence for
et al. (2018) AR and CAR effect on stock value
Arcuri et al. (2018) Event Study Cyberattacks Stock market reaction: Negative effect on
AR and CAR stock value
Hung (2019) Event Study Cyberattacks Stock market reaction: Negative effect on
AR and CAR stock value
Colivicchi & Event Study Information security Stock market reaction: Negative effect on
Vignaroli (2019) breach AR and CAR stock value
Rosati et al. (2019) Event Study Data breach Stock market reaction: Negative effect on
AR and CAR stock value
Michel et al. (2020) Event Study Security breach Stock market reaction: Negative effect on
AR and CAR stock value
Foerderer & Event Study Data breach Stock market reaction: Negative effect on
Schuetz (2022) AR and CAR stock value
Rasoulian et al. Event Study Service Crisis Stock market reaction: Negative effect on
(2023) AR and CAR stock value

2.1.2 Security Events and Their Impact on Cryptocurrency

Although blockchain technology is widely known to be secure, there are still a variety of possible

vulnerabilities, such as the ones in smart contracts used by participants, such as blockchain projects

(Hasanova et al., 2019). Table 2.2 summarizes the literature on the impact of security-related events on the

cryptocurrency market. This body of literature is relatively younger and more diverse, studying a variety of

breaches from multiple aspects of the impact through various methodologies. One focal yet novel point of

interest is the attacks on cryptocurrency exchanges, with evidence showing the consequences of dropped

cryptocurrency valuation (Hu et al., 2020; S. A. Lee, 2022; Milunovich & Lee, 2022), increased volatility

(Lyócsa et al., 2020), and decreased trading volume (Abhishta et al., 2019).

8
 For cryptocurrencies, extant studies consistently show increased price volatility under security breaches

(Caporale, Kang, et al., 2020b; Corbet et al., 2019; Storsveen & Veliqi, 2020) with a spillover effect among

cryptocurrencies (Caporale et al., 2021). Specifically, Shanaev et al. (2020) show a negative impact of the

51% attacks on cryptocurrency valuation. Storsveen & Veliqi (2020) and Caporale, Kang, et al. (2020a)

further indicate the negative impact of cyberattacks. However, Tomić (2020) finds mixed evidence for the

impact on cryptocurrency valuation by Bitcoin forks. Even more surprisingly, M. S. Brown & Douglass (2020)

find a positive impact on cryptocurrency value when theft occurs.

Table 2.2 Literature of Security Events and Their Impact on Cryptocurrency

Authors Methodology Event of Interest Metrics Main Findings

Abhishta et al. Event Study DDoS attacks on Trading volume in Negative effect on trading
(2019) cryptocurrency exchange volume in attacked exchange
exchanges
Corbet et al. GARCH Cryptocurrency Price volatility Positive effect on
(2019) hacks cryptocurrency volatility
Shanaev et al. Event Study 51% attacks Crypto market reaction: Negative effect on
(2020) AR and CAR cryptocurrency valuation
Storsveen & Time Series Cyberattacks Crypto market reaction: Negative effect on
Veliqi (2020) Returns, volatility, and cryptocurrency return,
trading volume positive for volatility, and
positive for trading volume
Tomić (2020) Event Study Bitcoin forks Crypto market reaction: Mixed evidence for effect on
AR and CAR cryptocurrency valuation
Caporale, Kang, Markov- Cyberattacks Crypto market reaction: Positive effect on
et al. (2020b) switching Volatility cryptocurrency volatility
non-linear
specification
Hu et al. (2020) Visualization Hacks to Crypto market reaction: Negative effect on
and statistical Cryptocurrency Price cryptocurrency valuation
tests Exchange
Lyócsa et al. HAR Model Hacking to Crypto market reaction: Positive effect on
(2020) Cryptocurrency Volatility cryptocurrency volatility
Exchange
Caporale, Kang, Pooled OLS Cyberattacks Crypto market reaction: Negative effect on
et al. (2020a) Regression Returns cryptocurrency valuation
M. S. Brown & Event Study Cryptocurrency Crypto market reaction: Positive effect on
Douglass Theft AR and CAR cryptocurrency valuation
(2020)

9
 Authors Methodology Event of Interest Metrics Main Findings
Ramos et al. Event Study Cyberattacks Crypto market reaction: Mixed evidence for effect on
(2021) AR and CAR cryptocurrency valuation
Caporale et al. GARCH Cyberattacks Crypto market reaction: Evidence for volatility
(2021) Volatility spillover spillover among three
cryptocurrencies
Milunovich & GARCH Cyberattacks on Crypto market reaction: Negative effect on
Lee (2022) cryptocurrency BTC returns cryptocurrency valuation
exchange
S. A. Lee Various Cyberattacks on Crypto market reaction: Negative effect on
(2022) models cryptocurrency BTC returns cryptocurrency valuation
exchange

2.2 Events Influencing Cryptocurrency Market

Besides breaches, as presented in Table 2.3, there has been a body of literature in recent years focusing on

various events that may influence the cryptocurrency market, mostly adopting the event study method and

metrics of AR and CAR. Studies regarding general news and events have consistently shown that positive

and negative events are associated with AR and CAR in the same direction (Hashemi Joo et al., 2020; Öget,

2022; Yue et al., 2021). The market considers government regulation an adverse event (Chokor & Alfieri,

2021). However, monetary policy announcements (Marmora, 2022) and law enforcement actions (Abramova

& Bohme, 2021) are regarded as positive signs by investors as reflected in positive changes in cryptocurrency

valuation.

Ante et al. (2021) studied stablecoin issuances and found a positive effect on cryptocurrency values for

events in the blockchain ecosystem. In addition, due to the critical role played by Elon Musk in

cryptocurrency, especially Dogecoin, Ante (2023) continued this line of research and investigated the impact

of Musk’s Twitter activities, demonstrating a positive Musk effect on cryptocurrency price. Lastly, H. Lee

& Wie (2023) show that the shutdown of a cryptocurrency exchange can damage the price of the

cryptocurrencies primarily traded in the exchange temporarily out of operation.

10
Table 2.3 Literature of Other Events and Their Impact on Cryptocurrency

Authors Methodology Event of Interest Metrics Main Findings

Hashemi Joo Event Study Major news Crypto market reaction: High abnormal returns on
et al. (2020) announcements AR and CAR the day of the news event.

Chokor & Event Study Market regulation Crypto market reaction: Negative effect on
Alfieri (2021) news AR and CAR cryptocurrency valuation

Ante et al. Event Study Stablecoin issuances Crypto market reaction: Positive effect on
(2021) AR and CAR cryptocurrency valuation.

Yue et al. Event Study News Cryptocurrency liquidity Positive (Negative) effect
(2021) on cryptocurrency liquidity
by good (bad) news.

Abramova & Event Study Law enforcement Crypto market reaction: Positive effect on
Bohme actions AR and CAR cryptocurrency valuation.
(2021)

Marmora Event Study Monetary policy Crypto market reaction: Positive effect on BTC
(2022) announcement abnormal search intensity attention and trading
and abnormal trading volume.
volume of BTC

Öget (2022) Event Study Various positive and Crypto market reaction: Negative events are more
negative events AR and CAR impactful than positive
events.

Ante (2023) Event Study Elon Musk’s Twitter Crypto market reaction: Positive effect on
Activity AR, CAR and trading cryptocurrency valuation
volume and trading volume.

H. Lee & Wie Event Study Cryptocurrency Crypto market reaction: Negative effect on
(2023) exchange shutdown AR and CAR cryptocurrency valuation

The review of extant research reveals a critical lack of focus on crypto tokens, as defined in the

introduction of this paper. There has been a comprehensive collection of studies regarding the impact of

security breaches on both company stocks and cryptocurrencies. Extensive literature has also been on

cryptocurrencies and events influencing their market dynamics. However, to our knowledge, the crypto token

is underexplored in general. There is no research intersecting security breaches and the market dynamics by

11
investors' reactions in the crypto token market. Being the first to study this point of critical importance to

investors and project owners, this research tries to fill this gap by providing empirical evidence testing the

breach impact on crypto token valuation and the moderators of the impact, along with exploring the social

media sentiment and topics around the breach time.

12
3 Hypotheses Development

This section develops seven sets of hypotheses based on the findings of previous studies to answer the three

research questions. Hypothesis set 1 in section 3.1 tests the main impact of security breaches. Hypothesis sets

2 to 7 in section 3.2 test the potential moderating effects of six variables.

3.1 Main Security Breach Effect on Token Value

Although some studies discover a mixed or insignificant effect on stock return and market value of the

company by the security events overall (Campbell et al., 2003; Hovav & D’Arcy, 2003; Kannan et al., 2007;

Tweneboah-Kodua et al., 2018), the majority of the literature we reviewed as listed in Table 2.1 indicates an

overall significant association between the negative abnormal return of the stock and the occurrence of the

events included in their event dataset. Our review is consistent with the meta-analysis results, which conclude

that security breaches are significantly associated with negative stock returns (Ebrahimi & Eshghi, 2022).

Regarding the security of blockchain and cryptocurrency valuation, there is mixed evidence for the

impact of security breaches on cryptocurrency prices. Specifically, it is reported in some literature that

security events are associated with significant negative effects on cryptocurrency value (Caporale et al., 2021;

Hu et al., 2020; S. A. Lee, 2022; Milunovich & Lee, 2022; Shanaev et al., 2020; Storsveen & Veliqi, 2020).

However, others suggest mixed evidence for the impact of the breaches in their event dataset (Ramos et al.,

2021; Tomić, 2020). M. S. Brown & Douglass (2020) even found positive price changes following the news

of cryptocurrency thefts.

13
 Combining the features of stock and cryptocurrency, the breach's impact on token valuation remains

unexplored and undetermined. Given the inconclusive evidence, which, however, mainly directs to the

negative impact on the stock and cryptocurrency market, we propose the first set of hypotheses below:

H1 (a, b): A security breach negatively impacts its RO’s crypto token abnormal return (a)

or cumulative abnormal return (b) on the breach date.

3.2 Moderators for the Main Effect

After identifying the main impact, the next question to answer is what factors may affect its magnitude.

Based on previous research in the relevant fields, this research suggests six potential moderating factors of

the impact size. Two factors are the attributes of the RO project, and four are the attributes of the breach

itself.

3.2.1 Project Size

The first project-specific feature is the size of the project proxied by its market capital. Project size may

moderate the severity of the token valuation impact by security breaches because larger projects may have

built more confidence in investors and have better resilience through accumulated capital enough for proper

post-breach compensation and patch. However, it can also be argued that the breaches in smaller companies

may be excused for not having fully developed a secure system yet. Apart from the logical reasoning, extant

literature has explored this question in the stock market, providing evidence in favor of larger companies.

Cavusoglu et al. (2004) led this research direction in considering firm size as a moderating factor by

hypothesizing that larger firms are less impacted due to their higher ability to absorb the shock from the

14
breach and providing evidence supporting the hypothesis. This observation is further supported by Gatzlaff

& McCullough (2010), who documented that larger firms, with their substantial market capital, have their

stock price less damaged by the breach. Focusing on privacy breaches, Acquisti et al. (2006) discovered that

larger firms measured by market capitalization suffer less market value damage. On the other hand, Kannan

et al. (2007) presented evidence challenging these findings, indicating no significant disparity in market

reactions between larger and smaller companies. In a more recent meta-analysis, Ebrahimi & Eshghi (2022)

concluded that investors tend to perceive security breaches in larger firms less negatively.

Although this company size as a moderating variable has been intensively studied in the stock market,

to our knowledge, there is no similar research in the crypto market, either for tokens or currencies. Based on

the findings in the previous studies as summarized in the meta-analysis mentioned above, we expect larger

projects to experience less negative post-breach impact, and thus propose the following set of hypotheses:

H2 (a, b): Blockchain projects with higher market capital are less impacted in abnormal

returns (a) or cumulative abnormal returns (b) than those with lower market capital.

3.2.2 Project Type

Whether the project mainly serves a financial function in the blockchain ecosystem or not is the second

project-specific attribute that possesses the possibility to be a moderator for the size of the impact of security

breaches. It has long ago been noticed that different types of companies have their stock price affected

differently by security-related events or announcements. At the beginning of the century, with the rapid

development of the internet, Hovav & D’Arcy (2003) and Cavusoglu et al. (2004) classified companies as

internet-heavy and other companies, presenting evidence supporting that these internet companies are more
15
penalized by investors on the stock return and market value than others. Then, as information technology (IT)

and e-commerce become prevalent in business, IT-intensive, e-commerce, and technical companies suffer

more post-breach damage on multiple performance indicators, including stock value (Ko et al., 2009; Yayla

& Hu, 2011).

The way of classifying companies based on the degree of technology involvement was later replaced in

more recent studies, which categorized companies based on their business sector: whether the company

mainly provides financial services. The research by Morse et al. (2011), Tweneboah-Kodua et al. (2018), and

Arcuri et al. (2018) all report that financial service providers receive more negative market reactions under

security breaches and their announcements as reflected in the stock price performance. However, specific to

banks, Michel et al. (2020) find mixed evidence for the impact of security events, concluding that breaches

in highly privacy-sensitive institutions are shockingly not associated with more negative market reactions

with the breach.

Given the blockchain landscape, which encompasses projects offering financial services such as lending

and options, and those focusing on functional and infrastructural aspects like NFT marketplaces, centralized

and decentralized exchanges, and games, it is pertinent to examine their potentially different market dynamics

under security breach. The overall more negative findings against financial companies motivate us to expect

financial blockchain projects to earn more negative abnormal returns and cumulative abnormal returns as

expressed in the following hypotheses:

16
 H3 (a, b): Blockchain projects that mainly provide financial services are more negatively

impacted in abnormal returns (a) or cumulative abnormal returns (b) than those that

mainly provide functional or infrastructural services.

3.2.3 Auditing Status

The first breach-specific feature to consider as a potential moderating variable is the auditing status of the

exploited vulnerability in the breach. In response to the rapidly growing adoption of information systems in

different organizations, code auditing emerges essentially as a software vulnerability report to help ensure

the information system's security through source code testing and analysis (Xiang & Lin, 2015). As critical

stakeholders in an audit, business owners and creditors prioritize identifying and assessing risks to the

enterprise's security, as it directly influences their financial stakes (Shchyrba et al., 2023). Within the realm

of blockchain and the ecosystem based on this technology, vulnerabilities in code or smart contracts pose

significant financial risks capable of leading to considerable loss, and conducting audits helps in identifying

these security vulnerabilities within the codebase before the program or smart contract becomes operational

(He et al., 2020). This highlights the critical nature of audits in safeguarding digital assets and ensuring the

integrity of information systems, thereby protecting the interests of those invested in the enterprise.

For security breaches in blockchain, Caporale et al. (2020a) uncovered that a better cybersecurity level,

in general, reduces the negative breach impact on the value of Bitcoin, Ethereum, and Litecoin. However, the

contrast between the better-perceived security by the investors and the actual occurrence of the breach may

lead to more detrimental financial repercussions in the price of the crypto tokens. Despite the importance of

code audits in contemporary information systems and their representation of the cybersecurity level, the

17
finance and economics of auditing remain understudied. Auditing may bring better-perceived security overall

for the investors, but a breach after auditing may lead to a drastic contrast that leads to a more negative market

reaction. To find out how investors view the breached audits, we propose the following hypotheses:

H4 (a, b): Breaches whose exploited vulnerabilities are audited more negatively impact

the associated crypto token value of the responsible owner with more negative abnormal

returns (a) or cumulative abnormal returns (b) than breaches without their exploited

vulnerabilities audited.

3.2.4 Loss Amount

Another breach-specific attribute to consider is the severity of the breach, and there have been studies in both

the stock and cryptocurrency markets exploring how severity affects the effect size of breaches. Acquisti et

al. (2006) studied privacy breaches and measured the severity of the breach using the number of affected

subjects, concluding that breaches affecting more people lead to more negative market reactions to the stock

price of the company than those with fewer people involved. Telang & Wattal (2007) focused on software

vulnerability announcements and provided evidence for the hypothesis that more severe vulnerabilities are

associated with a more negative impact on market value when the announcements are made. Similar findings

have also been reported in cryptocurrency studies. Storsveen & Veliqi (2020) concluded that the post-attack

return of a cryptocurrency is influenced by the loss magnitude incurred during the attack. Hu et al. (2020)

further discovered that more enormous stolen value in cryptocurrency theft events results in more significant

drops in cryptocurrency prices.

18
 In this study, we operationalize the severity of the breach following the two cryptocurrency studies

above, adopting the estimated loss amount directly incurred by the breach as the proxy. Furthermore, based

on the results of the studies mentioned earlier, we expect higher severity to result in a more negative breach

impact on the crypto token valuation and propose a set of alternative hypotheses:

H5 (a, b): Breaches with more extensive direct loss amounts more negatively impact the

associated crypto token value of the responsible owner with more negative abnormal

returns (a) or cumulative abnormal returns (b) than those breaches with smaller direct

loss amounts.

3.2.5 Breach Type

A body of literature in the past two decades shows that breaches of different types can lead to significantly

different reactions in both the stock and cryptocurrency markets. In their respective fields, Uma &

Padmavathi (2013) and Hasanova et al. (2019) present a wide range of classifications of breaches and

vulnerabilities that are explored in other studies. Specifically, earlier studies investigated three distinct

categories of breaches: confidentiality, availability, and integrity. Campbell et al. (2003) and Ko et al. (2009)

report confidentiality breaches' damaging financial and economic impact. For availability breaches, while

Cavusoglu et al. (2004) found no significant difference between the impact of availability and non-

availability breaches, Ko et al. (2009) report breaches’ negative impact on three performance indicators, and

Gordon et al. (2011) suggest that availability breaches cause the most pessimistic market reaction among all

breach types, contradicting the findings of Campbell et al. (2003) stating that confidentiality breaches result

in the most negative reaction.

19
 More studies on more specific breach types have also been conducted. As a kind of availability breach,

the Denial-of-Service attack and its influences on the breach effect size on stock value have been studied

with mixed evidence. Garg et al. (2003) compared the theft of credit card information with the DoS and

website defacement, concluding that the theft causes more negative abnormal returns. On the contrary, Yayla

& Hu (2011) show that the DoS attack leads to the most negative impact on the stock value.

More recent studies have shifted the focus to examine the difference between breaches with a more

human-behavioral nature, such as equipment theft, and breaches with a more technical nature, such as hacks.

Morse et al. (2011) indicate that breaches from stolen laptops are more damaging to stock prices than

technical breaches. However, Rasoulian et al. (2023) present evidence supporting that hacker attacks are

associated with a more negative impact on stock prices. The result of the research by Michel et al. (2020)

partially supports both by showing that only hacks and phishing significantly negatively impact the stock

price.

The literature on blockchain has limited exploration in this field. Ramos et al. (2021) find that 51% of

attacks and wallet attacks cause negative market reactions, but the effect of the hark fork depends on the

perceived security of the forked cryptocurrency. To the best of our knowledge, there is no cryptocurrency

study comparing behavioral and technical attacks. Behavioral breaches that are avoidable with reasonable

precautions may have more severe repercussions, as Morse et al. (2011) suggest. However, it is also possible

that, due to the technology-intensive nature of blockchain projects, technical breaches are deemed as more

unacceptable mistakes. To investigate the effect of breach type on the magnitude of breach impact, we expect

more negative impact by technical breaches and test the following alternative hypotheses:

20
 H6 (a, b): Technical breaches more negatively impact the associated crypto token value

of the responsible owner with more negative abnormal returns (a) or cumulative

abnormal returns (b) than those non-technical breaches.

3.2.6 Twitter Announcement

Media plays a critical role in connecting the companies and investors. The timing, content, and sentiment of

the media disclosure of the breach may affect how investors react to the breach and, therefore, the post-breach

market dynamics. Gatzlaff & McCullough (2010) investigated the moderating effect on cumulative abnormal

return by whether the breached company is willing to answer breach-related questions in the initial news

report of the data breach and found that companies refusing information disclosure are more penalized by the

investors. On the other hand, Rosati et al. (2019) suggest that disclosure of the data breach on social media

at the time of the breach intensifies the negative abnormal return in the stock price in reaction to the

announcement. Michel et al. (2020) further report the interesting discovery that there are negative abnormal

returns before the announcement but positive after. Foerderer & Schuetz (2022) differentiate on the timing

of the media disclosure and conclude that data breaches announced on busy press days cause less negative

market reaction.

The content and sentiment in the media are also demonstrated to be important factors affecting the post-

breach market reaction. Hung (2019) examined the relationship between news content about information

security and abnormal returns in the company's stock price, showing that news that includes more negative

words is associated with a more negative impact on abnormal returns. Specifically for cryptocurrency, Lyócsa

21
et al. (2020) present that the positive investor sentiment about Bitcoin online causes a significant increase in

the volatility of Bitcoin, while negative sentiment does not have a significant impact.

Overall, there is inconclusive and even conflicting evidence for the exact effect of timely

announcements regarding the security breach on investor and market reaction. We argue that making timely

announcements and updates about the breach by the RO on Twitter may help clarify the situation and show

the willingness to take responsibility and, therefore, face less negative investor perception. Due to the unique

importance of Twitter in the blockchain, we focus on the official announcement in the event window by the

vulnerability responsibility owners of the breach and explore their moderating effect by testing the hypothesis

below:

H7: The breaches with timely official announcements in the event window by the

vulnerability responsibility owner less negatively impact the associated crypto token

value of the responsible owner with less negative cumulative abnormal returns than those

without a timely official announcement.

In summary, there are, in total, seven sets of hypotheses. The first set is for the main effect. The second

to the seventh hypotheses are for the moderators. A conceptual model of H1 to H7 is illustrated in Figure 3.1.

22
Figure 3.1 Conceptual Model

23
4 Dataset Construction

This research tests the hypotheses using data acquired from three phases. The first phase is dedicated to

compiling data about the security breach events and collecting and identifying various attributes for each

breach. Subsequently, the second phase involves gathering historical market data for the token of the RO in

the breach. The final phase focuses on accruing the breach-related tweets by the ROs and the associated

comments for each tweet. The three distinct yet interrelated stages collectively result in constructing three

datasets: the event, market history, and Twitter data.

4.1 Event Data

The security breach event is the focal point of this research, so in the first phase, events with attributes are

gathered, labeled, and processed to build the event dataset. This research concentrates on breaches between

January 1st, 2020, to May 1st, 2023. The event information is collected from two sources. The first source is

the breach event leaderboard, sorted on the estimated direct loss from the breach and maintained by Rekt

(2024), a blockchain security news website. The second source is the hack event database maintained by

DefiLlama (2024b), an open-source platform recording data in decentralized finance (DeFi). From these two

sources, we collect attributes for each breach.

4.1.1 Event Data Collection

For each event, along with a short news report, the Rekt leaderboard records the victim’s name, breach date,

estimated direct loss from the breach in U.S. dollars, and the auditing status of the exploited vulnerability.

There are four values that the auditing status can take: (1) “Unaudited,” indicating that the system

24
vulnerability is not audited; (2) the name of the auditor indicating who audited the vulnerability; (3) “Out of

scope” indicating the vulnerability happens in code beyond the scope of the previous audit; (4) “N/A”

indicating auditing is irrelevant for the breach. A summary of the attributes from the Rekt leaderboard is

provided in Table 4.1. In total, 130 breach events were gathered from the Rekt leaderboard.

Table 4.1 Breach Attributes Reported in the Rekt Leaderboard

Attribute Name Description Possible Values

Victim Name This feature includes information about the name Blockchain project names
of the victim project in the breach.
Breach Date This feature includes information about the date Date between Jan 1st, 2020 and May 1st,
when the security breach happened. 2023.
Estimated Loss This feature includes information about the Natural numbers for the dollar value of
estimated loss amount in dollar value caused by the the estimated direct loss.
security breach.
Audit Status This feature includes the audit status of the 1. “Unaudited”
vulnerability exploited in the breach. 2. Auditor name.
3. “Out of scope”
4. “N/A”

DefiLlama, in parallel, maintains a database cataloging hacks specifically targeting DeFi protocols. Like

the leaderboard, this database provides essential details such as the victim's name, hack date, and direct

financial loss. It further enhances the dataset by classifying the hacks based on targeted vulnerability in the

infrastructure, smart contract language, protocol logic, and ecosystem (interaction between multiple

protocols). The database also includes a 'Rugpull' classification signifying insider hack. Additionally, it

documents the various techniques employed in these hacks, ranging from private key compromises to

sophisticated attack vectors such as flash loan price oracle and re-entrancy attacks. The attributes from the

DefiLlama database are encapsulated in Table 4.2. In total, there are 166 breach events collected from

DefiLlama.

25
Table 4.2 Hack Attributes Reported by DefiLlama

Attribute Name Description Possible Values

Victim Name This feature includes information about the name Blockchain project names
of the victim project in the breach.
Hack Date This feature includes information about the date Date between Jan 1st, 2020 and May 1st,
when the security breach happened. 2023.
Estimated Loss This feature includes information about the Natural numbers for the dollar value of
estimated loss amount in dollar value caused by the the estimated direct loss.
security breach.
Classification This feature includes information about the 1. “Infrastructure”
classification of the hack. 2. “Smart Contract Language”
3. “Protocol Logic”
4. “Ecosystem”
5. “Rugpull”
Technique This feature includes information about the A variety of techniques
technique used in the hack.

Upon reconciling the overlapping data from both sources, a unified dataset of 173 events taking the

union of the two sources was created. This dataset includes 43 events exclusive to DefiLlama and seven

unique to the Rekt leaderboard. This merge led to missing information, as some events are only documented

by one source, lacking specific attributes unique to the other. Moreover, discrepancies in event dates and loss

amounts were observed between the two sources. To rectify these inconsistencies and fill in missing

information, supplementary sources such as news reports, social media posts, blockchain activity logs, and

other relevant mediums were consulted to ensure data accuracy.

Central to this research is identifying the responsible owner for the vulnerabilities in each breach. This

is achieved by examining news reports and analyzing the breach mechanisms. Subsequently, the RO's token

ID on CoinGecko was identified by searching the RO’s name on CoinGecko. It is noteworthy that some ROs

either do not issue tokens or operate outside the blockchain ecosystem; such instances fall outside the ambit

of this study and are consequently excluded. Therefore, the refined dataset comprises 99 pertinent events,

with an example subset presented in Appendix A.

26
4.1.2 Labeling and Variable Construction for Hypothesis Testing

The completion of the event dataset and the development of pertinent variables for hypothesis testing

necessitates further processing.

4.1.2.1 Project Type

To investigate hypotheses 3a and 3b, a classification criterion is devised to differentiate between the

types of RO blockchain projects. This classification bifurcates the projects into those primarily serving

financial functions and those catering to non-financial functions in the blockchain ecosystem. The basis for

this classification is the category information provided by DefiLlama (2024a). DefiLlama offers a

comprehensive list of categories for DeFi protocols, defining each category and assigning these category

labels to various protocols. Additionally, the 'CEX' (Centralized Exchange) category is introduced to

encompass the broader spectrum of the cryptocurrency market. This category supplements the above DeFi-

centric categories.

Each RO project in the event dataset is classified according to the category labels from the DefiLlama

database. When specific projects are not listed in the database, the category label is determined based on

DefiLlama's definitions. The resultant dataset has 20 distinct categories, the distribution of which is illustrated

in Figure 4.1. The criteria outlined in Table 4.3 distinguish financial from non-financial projects. This

categorical distinction is pivotal in examining the type of blockchain projects and its moderating effect on

the impact of breaches.

27
Figure 4.1 Distribution of RO Category in the Event Dataset

Distribution of RO Category

Yield Aggregator
Yield
Synthetics
Services
Payments
Oracle
Options
NFT Marketplace
NFT Lending
Liquidity manager
Liquid Staking
Lending
Insurance
Indexes
Gaming
Dexes
Derivatives
CEX
CDP
Bridge
0 5 10 15 20 25

Table 4.3 Criteria for Project Type Classification

Project Type Categories Description

Financial Lending “Protocols that allow users to borrow and lend assets”
Yield “Protocols that pay you a reward for your staking/LP on their
platform”
Yield Aggregator “Protocols that aggregated yield from diverse protocols”
Derivatives “Protocols for betting with leverage”
Liquidity Manager “Protocols that manage Liquidity Positions in concentrated
liquidity AMMs”
Insurance “Protocols that are designed to provide monetary protections”
Liquid Staking “Protocols that enable you to earn staking rewards on your tokens
while also providing a tradeable and liquid receipt for your staked
position”
CDP “Protocols that mint its own stablecoin using collateralized
lending”
Options “Protocols that give you the right to buy an asset at a fixed price”
Indexes “Protocols that have a way to track/created the performance of a
group of related assets”

28
 Project Type Categories Description
Non-financial Synthetics “Protocol that created a tokenized derivative that mimics the value
of another asset”
Services “Protocols that provide a service to the user”
Payments “Protocols that offer the ability to pay/send/receive
cryptocurrency”
Oracle “Protocols that connect data from the outside world (off-chain)
with the blockchain world (on-chain)”
NFT Marketplace “Protocols where users can buy/sell/rent NFTs”
NFT Lending “Protocols that allow you to collateralize your NFT for a loan”
Gaming “Protocols that have gaming components”
Dexes “Protocols where you can swap/trade cryptocurrency”
CEX Centralized exchanges
Bridge “Protocols that bridge tokens from one network to another”

Note. This table includes the definitions of each DeFi protocol category and centralized exchange CEX. The

definitions of DeFi protocol categories in quotes are directly adopted from DefiLlama (2024a).

4.1.2.2 Auditing Status

For hypotheses 4a and 4b, replacing the attribute collected in stage 1, a new dummy variable is established

to represent the auditing status of the vulnerabilities involved in the breaches. This variable is allocated a

value of 1 for breaches with audited vulnerabilities and 0 for those unaudited. The criteria for this assignment

are clearly defined: breaches with an audit status labeled with the auditor's name are classified as audited. In

contrast, breaches tagged as “Unaudited,” “Out of scope,” or “N/A” (Not Applicable) are categorized as

unaudited. This binary classification system is integral to analyzing the moderating effect proposed in

hypothesis development.

4.1.2.3 Breach Type

To test hypotheses 6a and 6b, a dummy variable is constructed to represent the technical nature of a breach.

This variable is assigned a value of 1 for technical breaches. The initial labeling phase leverages the

29
classification attribute collected in the last stage. A breach is categorized as technical if it falls under protocol

logic, smart contract language, and ecosystem interactions. Further labeling is conducted based on the

techniques for breaches that are not immediately classifiable under these categories. Breaches through

techniques of DNS spoofing, exploits of outdated oracles, and private key compromises through brute force

are also labeled as technical. Conversely, non-technical breaches encompass incidents like rugpulls, private

key compromises via phishing, and those involving social engineering tactics.

The distribution of labels for project type, auditing status, and breach type are presented in Figure 4.2.

Figure 4.2 Distribution of Labels for Project Type, Auditing Status, and Breach Type

4.2 Market History

Following the aggregation of event data, the next phase involves the detailed collection of market history for

the tokens associated with the ROs. This stage is crucial for analyzing token returns and assessing the

moderating effects of the ROs' market capitalization on the day of the breach. To acquire this data, we utilize

the API provided by CoinGecko. This API retrieves day-to-day price and market capitalization, keyed to the

30
specific token IDs identified previously. The market history dataset used in this research includes all the daily

price records from the API for the token of every event. In addition, being integrated into the event dataset,

the token's market capitalization of the respective RO on the breach day is recorded for each event.

4.3 Twitter Data Collection

The third stage is designed to support the testing of hypothesis 7 and explore the social media atmosphere

after the breach. We collected tweets and their corresponding comments posted by the official Twitter

accounts of all ROs. The time frame for this data collection spans a 3-day event window centered on the

breach date. This data is gathered using the twscrape library. It is noteworthy that seven of the projects in our

dataset do not have Twitter accounts. Excluding the tweets irrelevant to the breaches, the inspection of these

tweets led to creating an additional dummy variable within our event dataset. This variable indicates whether

the RO announced that breach on Twitter within the 3-day event window. Projects lacking a Twitter account

are labeled as not having made announcements. The distribution of the Twitter announcement label is shown

in Figure 4.3.

Figure 4.3 Distribution of Twitter Announcement Label

31
5 Methodology

In this research, we conduct three stages of analyses addressing the four research questions by examining the

hypotheses established in Section 2. This initial stage investigates the primary impacts of security breaches

on the crypto token valuation of the responsibility owners for the exploited vulnerabilities. Taking an event

study approach, this examination answers RQ1 and H1. The second stage extends the investigation by

examining potential moderating variables that could influence the magnitude of the impact identified in the

first study. Through a cross-sectional analysis, we answer RQ2 and RQ3 by testing hypotheses 2 through 7,

which are developed to explore these moderating effects. The final stage shifts focus to social media,

conducting sentiment analysis and exploring the comments with topic modeling for a more comprehensive

understanding.

5.1 Event Study for the Main Impact

Taking an event study approach, this study focuses on the main impact operationalized in H1. In the event

study design, abnormal return, which is the difference between the actual return and the counterfactual

expected return assuming the absence of the event, on the event day is used to test the effect of the event on

the price of a security (MacKinlay, 1997), which is, in this research, crypto token. In addition to only focusing

on the event date, an event study can also use an event window constructed around the event date and

cumulate the abnormal returns in the window as cumulative abnormal return CAR (S. J. Brown & Warner,

1985), so the study can account for the anticipation of the event before its occurrence (Kothari & Warner,

2007). Figure 5.1 illustrates the timeline of the event study method. Details of the event study design are

presented in the subsequent subsections.

32
Figure 5.1 Event Study Illustration

5.1.1 Variable Definitions

In this study, the event of interest is security breaches collected in the event dataset, and we focus on their

impact on the token returns computed using (1).

𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑒𝑒𝑡𝑡+1 − 𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑒𝑒𝑡𝑡 (1)

𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑛𝑛𝑖𝑖𝑖𝑖 =
𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑒𝑒𝑡𝑡

In formula (1), i stands for the i-th event in the event dataset, while t stands for the day t. Following the

convention, the event day is indexed as day 0. The difference between the actual and expected returns on the

event day is taken to compute the abnormal return, as shown in (2).

𝐴𝐴𝑅𝑅𝑖𝑖𝑖𝑖 = 𝑅𝑅𝑖𝑖𝑖𝑖 − 𝐸𝐸(𝑅𝑅𝑖𝑖𝑖𝑖 ) (2)

With the AR on the event day for all the events in our event set, we take the average of the ARs named the

average abnormal return (AAR) across all n events using (3).

𝑛𝑛
1 (3)
𝐴𝐴𝐴𝐴𝑅𝑅𝑡𝑡 = � 𝐴𝐴𝑅𝑅𝑖𝑖𝑖𝑖
𝑛𝑛
𝑖𝑖=1

More generally, we also study the cumulative abnormal returns over an event window of [-1, 1] days,

which is used in various event study research (Campbell et al., 2003; Hovav & D’Arcy, 2003; Yayla & Hu,

2011; Gordon et al., 2011; Brown & Douglass, 2020). This choice also helps account for pre-breach

anticipations of the breach because Shanaev et al. (2019) showed evidence for the pre-breach anticipation of

33
specific cryptocurrency breaches. The post-breach period is short to avoid confounding events. Having

specified the event window, the CAR over the days in set W for the days in the event window is computed

using (4).

𝐶𝐶𝐶𝐶𝑅𝑅𝑖𝑖 = � 𝐴𝐴𝑅𝑅𝑖𝑖𝑖𝑖 (4)

𝑑𝑑∈𝑊𝑊

Like AAR, we compute the averaged CAR, the cumulative average abnormal return (CAAR), using (5) to

aggregate the CAR over all the events.

𝑛𝑛
1 (5)
𝐶𝐶𝐶𝐶𝐶𝐶𝑅𝑅𝑖𝑖 = � 𝐶𝐶𝐶𝐶𝑅𝑅𝑖𝑖
𝑛𝑛
𝑖𝑖

5.1.2 Expected Return Model

Being vital to the event study, the expected return on the event day and the other days in the event window is

a counterfactual estimation of the return without the event's occurrence. The estimation is based on the

historical data from the estimation window, which is chronologically before the event window. Due to the

high volatility in the crypto market, we use a short estimation window of 2 weeks (14 days) before the event

window. Specifically, indexing the event day as day 0, the estimation window is [-15, -2] days. According to

Wolf et al. (2014), there are many different models to compute the estimation. However, most of the models

are market models relying on a market index, except the comparison period mean adjusted model (CPMAM).

Because there is no widely accepted market index to proxy the overall trend in the crypto market, to compute

the expected return for days in the event window, we employ the CPMAM for the estimation based on the

returns of D days in the estimation window W using formula (6) adopted from Wolf et al. (2014):

34
 1 (6)
𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝐸𝑛𝑛𝑖𝑖𝑖𝑖 = � 𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑛𝑛𝑑𝑑
𝐷𝐷
𝑑𝑑∈𝑊𝑊

Because the tokens involved in some events do not have a market history long enough to cover the estimation

window, this study skips these events and computes the AR and CAR for the rest. The descriptive statistics

and distribution of AR and CAR are presented in Table 5.1 and

Figure 5.2.

Table 5.1 Descriptive Statistics for AR and CAR

Variable Min. 1st Qu. Median Mean 3rd Qu. Max Count
AR -0.91799 -0.27481 -0.13063 -0.17770 -0.03181 0.43078 83
CAR -1.45436 -0.27692 -0.13647 -0.18493 -0.00909 1.91353 83

Figure 5.2 Distribution of AR and CAR

5.1.3 Significance and Test Statistics

Hypothesis 1a and 1b are tested in study 1 using two different significance tests: parametric and non-

parametric. Following Wolf et al. (2014), because our study has multiple event instances in the event dataset,

35
we can run the parametric cross-sectional test and, due to the data distribution and the outliers, as shown in

Figure 5.2, the non-parametric sign test. For the significance tests, the null hypotheses of H1a and H1b

mathematically translated to:

𝐻𝐻1𝑎𝑎: 𝐸𝐸(𝐴𝐴𝐴𝐴𝑅𝑅0 ) = 0

𝐻𝐻1𝑏𝑏: 𝐸𝐸(𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶) = 0

The test statistics for the cross-sectional test are defined in formula (7), and the statistics for the sign test are

defined in formula (8), according to Wolf et al. (2014).

𝐴𝐴𝐴𝐴𝐴𝐴
𝑡𝑡𝐴𝐴𝐴𝐴𝐴𝐴 = √𝑛𝑛 assuming 𝑡𝑡 ~ 𝑡𝑡𝑛𝑛−1
𝑆𝑆(𝐴𝐴𝐴𝐴𝐴𝐴)

𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶 (7)
𝑡𝑡𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶 = √𝑛𝑛 assuming 𝑡𝑡 ~ 𝑡𝑡𝑛𝑛−1
𝑆𝑆(𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶)

𝑤𝑤𝐴𝐴𝐴𝐴 −𝑁𝑁∗0.5
𝑧𝑧𝐴𝐴𝐴𝐴𝐴𝐴 = assuming z ~ N(0, 1)
√𝑁𝑁∗0.5∗0.5

𝑤𝑤𝐶𝐶𝐶𝐶𝐶𝐶 −𝑁𝑁∗0.5 (8)

𝑧𝑧𝐶𝐶𝐶𝐶𝐶𝐶𝐶𝐶 = assuming z ~ N(0, 1)
√𝑁𝑁∗0.5∗0.5

In the z statistic, wAR counts the positive ARi0, and wCAR counts the positive CARi.

5.2 Cross-Sectional Analysis for Moderators

5.2.1 Event Study Analyses by Moderators

Among the six potential moderators identified in the development of the hypotheses, three are dummy for

AR and four for CAR. So, the event dataset can be partitioned into two subsets for each dummy variable, and

the event study using a cross-sectional test and sign test can be applied to each subset individually through a

similar process described in section 5.1. Such a design of splitting the event set and testing each subset has

been used in previous studies (Arcuri et al., 2018; Campbell et al., 2003; Gordon et al., 2011; Michel et al.,

36
2020; Morse et al., 2011; Yayla & Hu, 2011). This research then adapts the design of Yayla & Hu (2011),

conducting a series of tests to compare the subsets concerning the moderators using the T-test and the

nonparametric Mann-Whitney U test, which works well on relatively smaller samples without the assumption

of normal distribution.

5.2.2 Cross-Sectional Regressions

5.2.2.1 Model Specification 1

In multiple studies, cross-sectional regression has been used to identify the moderating variables for the effect

size by different events (Cavusoglu et al., 2004; Gatzlaff & McCullough, 2010; Tweneboah-Kodua et al.,

2018). To test the related hypotheses 2 to 7 for the six moderators, we run a cross-sectional analysis specified

in formulas (9) and (10) for AAR and CAAR, respectively. Notably, there are 0 market capital values in the

history collected from CoinGecko. So, in this model, we include the regressor, the log of market capital plus

1.

𝐴𝐴𝑅𝑅𝑖𝑖0 = 𝛽𝛽0 + 𝛽𝛽1 log(𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑙𝑙𝑖𝑖 + 1) (10)

+𝛽𝛽2 𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝑡𝑡𝑖𝑖
+𝛽𝛽3 𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝑠𝑠𝑖𝑖
+𝛽𝛽4 log(𝑙𝑙𝑙𝑙𝑙𝑙𝑠𝑠𝑖𝑖 )
+𝛽𝛽5 𝑇𝑇𝑇𝑇𝑇𝑇ℎ𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑙𝑙𝑖𝑖 + 𝜖𝜖𝑖𝑖

𝐶𝐶𝐶𝐶𝑅𝑅𝑖𝑖 = 𝛽𝛽0 + 𝛽𝛽1 𝑙𝑙𝑙𝑙𝑙𝑙(𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑙𝑙𝑖𝑖 + 1) (11)

+𝛽𝛽2 𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝑡𝑡𝑖𝑖
+𝛽𝛽3 𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝑠𝑠𝑖𝑖
+𝛽𝛽4 𝑙𝑙𝑙𝑙𝑙𝑙(𝑙𝑙𝑙𝑙𝑙𝑙𝑠𝑠𝑖𝑖 )
+𝛽𝛽5 𝑇𝑇𝑇𝑇𝑇𝑇ℎ𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑙𝑙𝑖𝑖
+𝛽𝛽6 𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋 + 𝜖𝜖𝑖𝑖

37
 We noticed that the AR and CAR have long tails and outliers in both the positive and negative directions.

Therefore, we also ran the cross-sectional analysis excluding the events with AR or CAR outliers. The outliers

are detected as 1.5 times the interquartile range below the 25 percentile or 1.5 times the interquartile range

above the 75th percentile. The descriptive statistics and distribution of AR and CAR, excluding the outliers,

are presented in Table 5.2.

Table 5.2 Descriptive Statistics for AR and CAR Excluding Outliers

Variable Min. 1st Qu. Median Mean 3rd Qu. Max Count
AR (No Outlier) -0.57898 -0.23701 -0.11778 -0.15071 -0.03069 0.16809 78
CAR (No Outlier) -0.65871 -0.22688 -0.10464 -0.13661 -0.00441 0.38155 75

5.2.2.2 Model Specification 2

We also run a second regression analysis after excluding the events with market capital equal to 0. The

analysis is also conducted with and without outliers in AR and CAR. The regression models are specified in

formulas 12 and 13. Descriptive statistics for AR and CAR, excluding events with an RO market value equal

to 0, are presented in Table 5.3.

𝐴𝐴𝑅𝑅𝑖𝑖0 = 𝛽𝛽0 + 𝛽𝛽1 log(𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑙𝑙𝑖𝑖 ) (12)

+𝛽𝛽2 𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝑡𝑡𝑖𝑖
+𝛽𝛽3 𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝑠𝑠𝑖𝑖
+𝛽𝛽4 log(𝑙𝑙𝑙𝑙𝑙𝑙𝑠𝑠𝑖𝑖 )
+𝛽𝛽5 𝑇𝑇𝑇𝑇𝑇𝑇ℎ𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑙𝑙𝑖𝑖 + 𝜖𝜖𝑖𝑖

𝐶𝐶𝐶𝐶𝑅𝑅𝑖𝑖 = 𝛽𝛽0 + 𝛽𝛽1 𝑙𝑙𝑙𝑙𝑙𝑙(𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑀𝑙𝑙𝑖𝑖 ) (13)

+𝛽𝛽2 𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝐹𝑡𝑡𝑖𝑖
+𝛽𝛽3 𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝑠𝑠𝑖𝑖
+𝛽𝛽4 𝑙𝑙𝑙𝑙𝑙𝑙(𝑙𝑙𝑙𝑙𝑙𝑙𝑠𝑠𝑖𝑖 )
+𝛽𝛽5 𝑇𝑇𝑇𝑇𝑇𝑇ℎ𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑙𝑙𝑖𝑖
+𝛽𝛽6 𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋𝑋 + 𝜖𝜖𝑖𝑖

38
Table 5.3 Descriptive Statistics for AR and CAR Excluding Events with Market Value 0

Variable Min. 1st Qu. Median Mean 3rd Qu. Max Count
AR -0.9180 -0.2406 -0.1170 -0.1648 -0.0181 0.4308 77
AR (No Outlier) -0.5611 -0.1987 -0.1061 -0.1260 -0.0120 0.1681 70
CAR -1.4544 -0.2500 -0.1263 -0.1657 -0.0068 1.9135 77
CAR (No Outlier) -0.6020 -0.2050 -0.0971 -0.1178 -0.0044 -0.3302 67

5.3 Twitter Content Analysis

We have collected the breach-related tweets by the ROs in the event window and the comments under these

tweets to compare these mostly user-generated comments and these official tweets as sentiment analysis and

perform additional exploratory analysis. To conduct the sentiment analysis, we first adopted the pre-trained

RoBERTa model, specialized in Twitter sentiment by Barbieri et al. (2020), to generate sentiment scores for

every tweet and comment. For each piece of text, the model assigns the possibilities for the text to be positive,

neutral, and negative. The three possibilities sum up to 1. For our study, we only use the possibility of the

text being negative and name this variable the negativity score. We compute the average negativity score for

each event across all breach-related tweets. There are 75 RO blockchain projects that made an official Twitter

announcement of the breach, so 75 project-specific average negativity scores for tweets are computed. Based

on the scores, we can further compute the project average tweet negativity (PATN) by taking the average of

the 75 scores. In parallel, we computed 75 project-specific average negativity scores for comments and the

project average comment negativity (PACN). We then compared the PATN and PACN using a simple T-test.

Furthermore, to gain a deeper understanding, this research dives into the content of the comments and

conducts topic modeling using a pre-trained BERTopic model (Grootendorst, 2022). After removing the

English stopwords, we fit the model using multilingual mode and maximum word diversity. We also enable

39
automatic topic reduction and reduced impact from frequent words for meaningful and interpretable results.

The results are visualized using the bar chart tool provided with the BERTopic.

40
6 Research Results

6.1 Event Study Plots

Figure 6.1 includes four subplots showing the average abnormal return across all the events for each day in

the event window. Each subplot compares the abnormal return change among the overall events set, and the

two subsets are divided using the moderator values. From Figure 6.1, reading the curve with the legend

“Total,” we can first observe that, in general, breaches drop the abnormal return on the event day, but the

abnormal return recovery also occurs quickly.

Moreover, subplot (a) shows a relatively big gap in the average abnormal returns for financial and non-

financial projects on the breach date, with financial projects earning more negative abnormal returns. For the

auditing status of the exploited vulnerability, subplot (b), there is no apparent gap in abnormal returns for any

day among the three days of the event window between the audited and unaudited breaches. The subplot (c)

of breach type shows that technical and non-technical breaches not only have a big difference in the AR on

the breach day but also keep the gap one day after, indicating a potentially significant difference in the long-

lasting effect of the breach. Lastly, whether the RO makes a timely Twitter announcement about the breach

has an interesting pattern in the subplot (d). There is not much difference on the event day, but there is a clear

difference in the cumulative abnormal return caused by the big gap in the other two days of the event window.

41
Figure 6.1 Model Free Evidence

6.2 Results of the Main Effect

Table 6.1 elucidates the outcomes of the event study designed to scrutinize the repercussions of security

breaches on the valuation of RO project crypto tokens. This valuation is operationalized through the AR and

the CAR within a three-day event window encompassing the breach. The results reveal discernible model-

free evidence. In both cases, the average values of the variables manifest a negative trend. Notably, on the
42
day of the breach, the mean AR across the entire dataset approximates a 17.77% decline. This negative trend

is more pronounced when extending the analysis beyond the breach day. The mean cumulative abnormal

return over the event window for the full CAR dataset is -18.49%. The model-free evidence indicates a

deleterious effect on the RO project crypto token valuation in the immediate aftermath of the breach and over

the event window, potentially exhibiting a short-term duration.

Table 6.1 further delineates the empirical findings from testing the hypotheses H1a and H1b. The data

substantiates the breaches’ detrimental influence on the RO project token prices on the event day and over

the entire event window. Specifically, the test statistics for the mean AR, both parametric and non-parametric,

are strikingly negative, recorded at -6.8526 and -5.8175, respectively. These figures are statistically

significant at the 0.001 level, corroborating that the mean AR substantially deviates from zero, with p-values

of 0.0000 at a four-digit precision level. The findings about the mean CAR resonate with these observations.

The test statistics for the mean CAR, accounting for both the parametric and non-parametric tests, are -4.2239

and -4.9394, respectively. With both p-values falling below the 0.001 threshold, there is a significant

deviation of the mean CAR from zero. Consequently, the null hypotheses of H1a and H1b, which posit that

the expected mean values of AR and CAR are zero, are rejected. The signs of the test statistics suggest that

the security breach exerts a significantly negative impact on the valuation of RO project tokens.

43
Table 6.1 Event Study Results

AR CAR
Event Window 0 [-1, 1]
Mean -0.1777 -0.1849
Standard Error 0.2362 0.3989
Cross-Sectional Test Statistic -6.8525*** -4.2239***
(p = 0.0000) (p = 0.00006)
Sign Test Statistic -5.8175*** -4.9394***
(p = 0.0000) (p= 0.0000)
Negative Value Count 68 64
Sample Size 83 83

Note. *p<0.05; **p<0.01; ***p<0.001

6.3 Results of Moderating Effects

6.3.1 Event Study Approach

The results of applying the event study approach to the subsets spilt on each moderator are presented in Table

6.2, and the comparison between the subsets is shown in Table 6.3. From Table 6.2, it can be observed that

the events in all subsets are leading to a significant negative impact on the AR and CAR of the RO at a 5%

level, except for the ones that are not technical and the ones not making timely official breach announcements

on Twitter. This finding provides evidence for rejecting the null hypothesis of H6b and H7. Comparing the

subsets, financial projects, on average, experience a drop in AR of 22.8% and in CAR of 22.3%, which are

much more negative influences than that on non-financial projects, with a decrease of 11.1% and 13.4% for

AR and CAR, respectively. However, there are smaller gaps between audit statuses, breach types, and Twitter

announcement decisions.

Statistically comparing the subsets in Table 6.3, evidence is found using the T-test to reject the null

hypotheses of H3a and the Mann-Whitney U Test to reject the null hypotheses of H3a and H3b. The median
44
of the two subsets of different project types indicates that financial and non-financial blockchain projects

suffer different damage to their token return under security breaches. Specifically, using the median value

and the U statistic, financial projects are more penalized than non-financial projects during the breach.

However, there is no significant difference in the split on other dimensions.

45
Table 6.2 Event Study Results for Subsets Split on Dummy Moderators

AR CAR
Mean Std. T p-value Z p-value Mean Std. T p-value Z p-value
Error Statistic for t Statistic for z Error Statistic for t Statistic for z
Financial -0.2285 0.2502 -6.2609 0.0000 -5.1053 0.0000 -0.2237 0.4507 -34024 0.0014 -48135 0.0000
Project Type
Non-Financial -0.1114 0.2012 -3.3208 0.0021 -3.0000 0.0027 -0.1343 0.3180 -2.5348 0.0159 -2.0000 0.0455

Auditing Audited -0.1855 0.2370 -4.6308 0.00005 -4.2258 0.0000 -0.2197 0.3446 -3.7716 0.0006 -3.2116 0.0013
Status Unaudited -0.1720 0.2380 -5.0060 0.0000 -4.0415 0.00005 -0.1596 0.4360 -2.5356 0.0146 -3.7528 0.0002
Technical -0.1729 0.2254 -6.3713 0.0000 -5.4174 0.0000 -0.1665 0.3849 -3.5923 0.0006 -4.6950 0.0000
Breach Type
Non-Technical -0.2015 0.2926 -2.5766 0.0230 -2.1381 0.0325 -0.2760 0.4667 -2.2123 0.0455 -1.6036 0.1088

Twitter Announced - - - - - - -0.1780 0.3980 -3.7424 0.0004 -5.2590 0.0000

Announcement Not Announced - - - - - - -0.2221 0.4177 -1.9168 0.0794 -0.2774 0.7815

Note. Bolded statistics are significant at the 5% level at least.

Table 6.3 Comparison Results for Subsets Split on Dummy Variable

AR CAR
T Statistic U Statistic Median for Group 1 Median for Group 0 T Statistic U Statistic Median for Group 1 Median for Group 0
-2.3639* 510** -1.0579 610*
Project Type -0.1858 -0.0940 -0.1715 -0.0724
p = 0.0205 p = 0.0021 p = 0.2933 p = 0.0305
-0.2559 757 -0.7014 833
Auditing Status -0.1382 -0.1094 -0.1212 -0.1408
p = 0.7987 p = 0.4468 p = 0.4851 p = 0.9522
0.3455 466 0.8229 517
Breach Type -0.1306 -0.1177 -0.1263 -0.2083
p = 0.7341 p = 0.841 p = 0.4221 p =0.6837
- - - - 0.3516 435
Twitter Announcement -0.1314 -0.1781
- - - - p = 0.7297 p = 0.807

Note. *p<0.05; **p<0.01; ***p<0.001

47
6.3.2 Model Specification 1

The cross-sectional regression results for the first model specification running with events having a market

value equal to 0 on the event day are presented in Table 6.4. The dependent variable for model 1 and model

2 is abnormal return with and without outliers, respectively. The F statistics show that these two models are

significant overall. Focusing on each moderator, it is observed that market capital has significant positive

coefficients in models 1 and 2 at a 5% significance level, indicating that RO projects with more considerable

market capital are associated with less negative abnormal returns on the beach day. These results support the

rejection of the null hypothesis of H2a. Furthermore, we see a significantly negative coefficient for financial

RO projects in models 1 and 2, meaning that financial projects experience more negative abnormal returns

under security breaches. This result helps reject the null hypothesis of H3a. Neither model shows a significant

coefficient for auditing status, the direct loss in the breach, and the type of the breach. So, in our event dataset,

there is no difference in abnormal return between breaches with varying values on these attributes. Therefore,

no evidence exists to reject hypotheses H4a, H5a, and H6a.

The dependent variable for models 3 and 4 is CAR with and without outliers, respectively. Because

model 3 is not significant overall, given the F statistic, we focus on model 4 with a significant F statistic. It

can be observed that market capital has a significant positive coefficient, consistent with the findings in

models 1 and 2. So, when excluding outliers in CAR, the result supports rejecting the null hypothesis of H1b.

Additionally, the project type is shown to have a significantly negative coefficient. This result is consistent

with the results in the models against abnormal returns. Therefore, we can reject the null hypothesis of H2b.

Results of auditing status, loss in the breach, and attack type do not show significance, and thus, we cannot
reject the null hypotheses of H4b, H5b, and H6b. However, it is interesting that making official Twitter

announcements in the event window has a significantly negative coefficient. This result suggests that making

such announcements is associated with more negative abnormal returns, supporting rejecting the null

hypothesis of H7.

49
Table 6.4 Cross-Sectional Analysis for Model Specification 1

Dependent Variable

AR CAR

(1) (2) (3) (4)

log(Market Capital + 1) 0.012* 0.008* 0.019* 0.015**

(0.005) (0.004) (0.009) (0.005)

Project Type -0.111* -0.118** -0.110 -0.105*

(Financial)
(0.055) (0.038) (0.096) (0.050)

Auditing Status 0.004 -0.053 -0.008 0.024

(Audited)
(0.053) (0.037) (0.092) (0.049)

log(Loss) -0.010 -0.019 0.030 -0.019

(0.019) (0.013) (0.032) (0.017)

Breach Type 0.089 -0.029 0.259 0.025

(Technical)
(0.078) (0.057) (0.134) (0.073)

Twitter Announcement -0.035 -0.143*

(0.122) (0.067)

Constant -0.223 0.139 -1.106 0.055

(0.333) (0.238) (0.577) (0.313)

Observations 83 78 83 75

R2 0.133 0.247 0.111 0.218

Adjusted R2 0.077 0.195 0.041 0.149

Residual Std. Error 0.227 (df = 77) 0.155 (df = 72) 0.391 (df = 76) 0.198 (df = 68)

F Statistic 2.359* (df = 5; 4.723*** (df = 5; 1.581 (df = 6; 76) 3.154** (df = 6;
77) 72) 68)

Note. Standard errors are reported in parentheses. *p<0.05; **p<0.01; ***p<0.001

50
6.3.3 Model Specification 2

The results of the second model specification running with events having a market value equal to 0 on the

event day are presented in Table 6.5. The meta-information for interpreting the table is the same as in Table

6.4. For AR, it can be observed that only model 2 is significant overall, with three significant coefficients for

abnormal returns. Similar to the previous results, there are significant coefficients for project size and project

type. Larger projects are shown to earn less negative AR than smaller projects, while financial projects face

more negative market reactions than non-financial projects under security breaches. The results support

rejecting the null hypotheses of H2a and H3a. Moreover, this model specification brings new significant

coefficients for auditing status and loss in the breach; both show significance at the 5% level. Specifically,

breaches exploiting audited vulnerability are related to more negative market reactions. More losses in a

breach are also associated with more negative abnormal returns. These results provide evidence to reject H4a

and H5a.

Only model 4 is overall significant for cumulative abnormal returns. Unlike the previous specification,

the only significant coefficient is the one for market capital. Projects with more token market capital are less

damaged than those with less. The project type and making Twitter announcements lose significance as

moderators. There is no significant coefficient for auditing status, loss, and breach type in model 4. These

results allow the rejection of the null hypothesis of H2b, but we cannot reject H3b through H6b and H7.

51
Table 6.5 Cross-Sectional Analysis for Model Specification 2

Dependent Variable

AR CAR

(1) (2) (3) (4)

log(Market Capital ) 0.025 0.026** 0.041 0.037***

(0.013) (0.008) (0.023) (0.010)

Project Type -0.091 -0.077** -0.079 -0.079

(Financial) (0.057) (0.034) (0.102) (0.043)

Auditing Status 0.013 -0.067* -0.021 0.040

(Audited)
(0.054) (0.033) (0.093) (0.041)

log(Loss) -0.020 -0.031* 0.022 -0.029

(0.020) (0.012) (0.035) (0.015)

Breach Type 0.076 -0.028 0.253 0.017

(Technical)
(0.077) (0.049) (0.135) (0.061)

Twitter -0.062 -0.106

Announcement
(0.137) (0.062)

Constant -0.314 -0.014 -1.467* 0.143

(0.351) (0.221) (0.627) (0.277)

Observations 77 70 77 67

R2 0.116 0.305 0.108 0.326

Adjusted R2 0.054 0.251 0.032 0.1259

Residual Std. Error 0.223 (df = 71) 0.131 (df = 64) 0.388 (df = 70) 0.158 (df = 60)

F Statistic 1.862 (df = 5; 71) 5.623*** (df = 5; 1.415 (df = 6; 70) 4.843*** (df = 6;
64) 60)

Note. Standard errors are reported in parentheses. *p<0.05; **p<0.01; ***p<0.001

52
6.4 Further Analysis: Twitter Content Exploration

We explore the Twitter activities in the event window by comparing the sentiment of official announcement

tweets by the RO projects and the comments, which are also analyzed through topic modeling to explore the

content. The distribution of the project-specific average tweet and comment negativity generated using the

RoBERTa model specifically trained on Tweets (Barbieri et al., 2020) is shown in Figure 6.2. Reading the

distribution, it is intuitively observable that the distribution of project-specific average tweet sentiments

concentrates on the region with a negativity score lower than 0.25, with many occurrences below 0.1. On the

contrary, the average comment sentiments for each project from a more bell-shaped distribution centered

around 0.25 and 0.275, with no occurrence of a negativity score below 0.1. So, at a glance, although the

breach announcement tweets by the ROs are, to some extent, showing negative sentiment in general, the

comments mostly from other entities are more negative.

Figure 6.2 Project-Specific Average Tweet and Comment Negativity Score Distribution

The comparison was further tested using a T-test. The result is shown in Table 6.6. Quantitatively, it is

observed that the average negativity for tweets is lower than the negativity of comments. The p-value is

0.0028, which is significant at the 0.01 level.

53
Table 6.6 T-Test Results for Comparing Tweets and Comments

Variable Value
Project-specific Average for Tweet Negativity 0.1740
Project-specific Standard Deviation for Tweet Negativity 0.0161
Project-specific Average for Comment Negativity 0.2365
Project-specific Standard Deviation for Comment Negativity 0.0151
Test Statistic -2.8104**
p-Value 0.0028

Note. *p<0.05; **p<0.01; ***p<0.001

The content of the comments is further explored using BERTopic (Grootendorst, 2022). Fitting the

model with the automatic topic number configuration, we get 66 distinct topics with distribution presented

in a scatter plot of Figure 6.3. The point in the upper left corner of the plot should be discarded because

BERTopic generates a topic numbered -1 for the unclassifiable text pieces. For the rest of the topics, it is

observable that the topics numbered 0, 1, and 2 are dominant, and there is a turning point at topic 7. So, we

present the leading topics using the bar chart illustrating the topics from 0 to 7 with representative words, as

shown in Figure 6.4. Interpreting the topics, the most significant topic, 0, includes words like “security” and

“upgrade,” seemingly urging the need for security upgrade with strong emotion indicated by the bad word.

The second largest, topic 1, emerges words featuring “withdraw,” hinting at the urgent demands of

withdrawing money from the RO project. Topic 2 further illustrates the words “hacker” and “code” as well

as “economic” and “responsible,” potentially inferring the technical breach and the economic responsibility

of the entities involved.

54
Figure 6.3 Frequency Distribution of Topics

Figure 6.4 Top 8 Topics from BERTopic with Representative Words

55
7 Discussion and Conclusion

This research has identified a significant negative security breach impact on the crypto token value of the

responsible owner for the exploited vulnerability while also providing evidence of varying strength for five

potential moderators for the effect size and exploring the social media content related to the breach.

7.1 Discussion of Main Effect

The event study involves one parametric and a non-parametric significance test on the 99 breaches in our

event set using the CPMAM model for expected return estimation to provide evidence rejecting the null

hypothesis of H1a and H1b, indicating that, over average, security breaches are associated with significantly

negative abnormal returns on the breach date and the cumulative abnormal returns over the event window.

The non-parametric test adds robustness to this result by showing the same result. This result is consistent

with the findings of similar previous studies in the stock market (Acquisti et al., 2006; Arcuri et al., 2018;

Cavusoglu et al., 2004; Colivicchi & Vignaroli, 2019; Foerderer & Schuetz, 2022; Garg et al., 2003; Gatzlaff

& McCullough, 2010; Goel & Shawky, 2009; Gordon et al., 2011; Hung, 2019; Ko et al., 2009; Michel et al.,

2020; Morse et al., 2011; Rasoulian et al., 2023; Rosati et al., 2019; Telang & Wattal, 2007; Yayla & Hu,

2011) and provide further evidence for breaches’ negative price impact in the blockchain ecosystem along

with Shanaev et al. (2020), Storsveen & Veliqi (2020), Hu et al. (2020), Caporale et al. (2020a), Milunovich

& Lee (2022), and S. A. Lee (2022).

The findings of this study extend this knowledge domain from the well-established stock and

cryptocurrency market to crypto tokens for the first time, highlighting the importance of security in the

blockchain ecosystem due to the severe financial repercussions caused by the breaches. For investors, the
56
result emphasizes the need to factor in security breaches when assessing the risks of investing in crypto tokens.

For members of blockchain projects, this study underscores the priority and necessity of enhancing security

measures to prevent detrimental economic damage from breaches. Regulators may also use this research to

develop investor protection policies and risk disclosure requirements.

Future studies may explore other aspects of the post-breach market dynamics of crypto tokens, such as

the long-term effect on the price, volatility, trading volume, and spill-over effects among tokens. Also, this

research is limited to a relatively small dataset, which can be expanded with the new occurrence of breaches

after our cut-off date. Different methodologies may also be used to understand further the dynamics between

security breaches and crypto token prices.

7.2 Discussion of Results for Moderating Effects

This research also investigated the moderating effect of six variables. A summary of all the test and model

results is presented in Table 7.1. For H2a and H2b, regarding project size as represented by market capital,

this study finds evidence in all applicable tests to reject the null hypotheses because project size is a

significant moderator in all applicable examinations. This finding is in alignment with the results in the stock

market presented by Cavusoglu et al. (2004), Acquisti et al. (2006), Gatzlaff & McCullough (2010), and

Ebrahimi & Eshghi (2022) suggesting that security breaches less negatively impact larger projects. This may

be due to the accumulated capital by larger projects to absorb the shock, pay compensations, and make

patches to fix the problem. This result helps investors assess investment decisions better and advise smaller

projects to pay more attention to security development whose shortcomings are not excusable.

57
 Concerning project type as financial or non-financial project, the null hypotheses of H3 are rejected

with significant evidence in all tests against AR and half of the tests against CAR. The findings of this study

indicate that projects mainly serving financial services suffer more negative abnormal returns and cumulative

abnormal returns under security breaches than non-financial projects, being aligned with the results of similar

studies in the stock market showing financial companies suffer more damage to stock price when breached

(Arcuri et al., 2018; Morse et al., 2011; Tweneboah-Kodua et al., 2018). This result may be due to the

relatively high substitutability of financial services. Hence, financial projects may be suggested to prioritize

security-related and develop comparative advantages to stay resilient.

The three attack-specific attributes have only weak or no significant evidence as moderators. Regarding

the auditing status of the exploited vulnerability, only the null hypothesis of H4a is rejected in model

specification 2. The overall moderating effect of auditing status is not supported. This is not expected and

contradicts the findings by Caporale et al. (2020a), who state that better cybersecurity levels mitigate the

negative impact of breaches. Similarly, for the loss incurred in the breach, only the null hypothesis of H5a is

rejected in model specification 2, being inconsistent with the majority of previous studies showing the

association between more severe breaches and more negative market reactions (Acquisti et al., 2006;

Storsveen & Veliqi, 2020; Telang & Wattal, 2007). Furthermore, no significant finding for breach type

classifies breaches into technical and non-technical classes.

Shifting gears to social media, the moderating effect of making timely official announcements by the

ROs in the event window is supported by the event study results on the subsets and one cross-sectional

regression. Although the T-test does not show significant differences between announced and not-announced

58
events, the more suitable Mann–Whitney U test provides evidence rejecting H7. The significant coefficient

in the first model specification rejects the null hypothesis of H7, indicating with the negative sign that such

announcements are associated with more negative abnormal returns in ROs’ tokens. This finding expands the

conclusion of Rosati et al. (2019) by adding evidence in the blockchain ecosystem beyond the stock market,

urging the need for more sophisticated public relations and crisis communication after the breach.

In summary, the two project-specific attributes have evidence for their moderating effect, while the three

attack-specific attributes lack enough support. Making official breach announcements on Twitter during the

event window is associated with a more severe penalty by investors. This study is, however, limited to the

small event sample size and relatively imbalanced distribution of some attributes. Future research may also

use different classification dimensions for projects, attacks, or other attributes.

59
Table 7.1 Results Summary for Moderating Effects

Project Project Type Audit Status Loss Breach Type Twitter

Size Announcement
AR T Test - √ × - × -
AR U Test - √ × - × -
AR Regression 1
√ √ × × × -
with Outlier
AR Regression 1
√ √ × × × -
without Outlier
AR Regression 2
Overall Model Invalidity
with Outlier
AR Regression 2
√ √ √ √ × -
without Outlier
CAR T Test - × × - × ×
CAR U Test - √ × - × ×
CAR Regression 1
Overall Model Invalidity
with Outlier
CAR Regression 1
√ √ × × × √
without Outlier
CAR Regression 2
Overall Model Invalidity
with Outlier
CAR Regression 2
√ × × × × ×
without Outlier

Note: The “√” in the table indicates the support of the alternative hypothesis and the rejection of the null

hypothesis. The “×” in the table indicates that we cannot reject the null hypothesis.

7.3 Discussion of Results for Social Media Exploration

Twitter is a crucial way of communication in the blockchain ecosystem. Exploring the tweets and their

comments in the event window, this study finds that the comments by different kinds of people have

significantly more negative sentiment scores than the tweets by the RO. Moreover, the result of topic

modeling of all comments shows that representative words do not favor the RO among the three largest topics.

The results of social media exploration, in conjunction with the result testing H7, align with the results of

60
Hung (2019), showing that negative sentiments and words in the security news are associated with more

negative market reactions.

The findings of this study further emphasize the challenge of public relations after breaches, especially

in managing the overall sentiment and maintaining the overall confidence in RO. The collection of Twitter

data limits this exploration, so future studies may expand the dataset and delineate between users' and ROs'

content.

7.4 Conclusion

This research answers the three research questions about the impact of security breaches on the crypto token

valuation, the moderators for the impact, and the role of social media in the post-breach market dynamics.

Through event study, the results provide evidence supporting a significantly negative breach impact on crypto

returns. The two breach-specific moderator variables in the cross-sectional analysis are project size and type.

Smaller projects with lower market capital and financial projects experience a more negative impact on token

value. A timely official breach announcement on Twitter was also found to be related to more severe price

drops, possibly due to the negative sentiments and words spread in the comments of the announcement tweets.

This research contributes to the finance and security literature about post-breach market reactions, being

the first to study the reaction in the crypto token market. We further provide risk-assessment tools for

investors and advise owners of the projects, especially small and financial projects, to prioritize security

development and be cautious about public relations and crisis communication after the breach. Nevertheless,

this research is limited to its relatively small event sample size. Future studies may include the breach events

that happened after the cut-off date of this study to include more events. Other market aspects, such as trading
61
volume and volatility in response to breaches, may also be studied, and other moderators may be discovered

with further data and analysis.

62
References

Abhishta, A., Joosten, R., Dragomiretskiy, S., & Nieuwenhuis, L. J. M. (2019). Impact of Successful DDoS
Attacks on a Major Crypto-Currency Exchange. 2019 27th Euromicro International Conference on
Parallel, Distributed and Network-Based Processing (PDP), 379–384.
https://doi.org/10.1109/EMPDP.2019.8671642

Abramova, S., & Bohme, R. (2021). Out of the Dark: The Effect of Law Enforcement Actions on
Cryptocurrency Market Prices. 2021 APWG Symposium on Electronic Crime Research (ECrime), 1–
11. https://doi.org/10.1109/eCrime54498.2021.9738787

Acquisti, A., Friedman, A., & Telang, R. (2006). Is There a Cost to Privacy Breaches? An Event Study. ICIS
2006 Proceedings, 94. http://aisel.aisnet.org/icis2006/94

Ante, L. (2023). How Elon Musk’s Twitter activity moves cryptocurrency markets. Technological
Forecasting and Social Change, 186, 122112. https://doi.org/10.1016/j.techfore.2022.122112

Ante, L., Fiedler, I., & Strehle, E. (2021). The influence of stablecoin issuances on cryptocurrency markets.
Finance Research Letters, 41, 101867. https://doi.org/10.1016/j.frl.2020.101867

Arcuri, M. C., Brogi, M., & Gandolfi, G. (2018). The effect of cyber-attacks on stock returns. Corporate
Ownership and Control, 15(2), 70–83. https://doi.org/10.22495/cocv15i2art6

Barbieri, F., Camacho-Collados, J., Neves, L., & Espinosa-Anke, L. (2020). TweetEval: Unified Benchmark
and Comparative Evaluation for Tweet Classification. http://arxiv.org/abs/2010.12421

Brown, M. S., & Douglass, B. (2020). An Event Study of the Effects of Cryptocurrency Thefts on
Cryptocurrency Prices. Spring Simulation Conference (SpringSim 2020).
https://doi.org/10.22360/SpringSim.2020.CSE.001

Brown, S. J., & Warner, J. B. (1985). The Case of Event Studies*. In Journal of Financial Economics (Vol.
14). North-Holland USING DAILY STOCK RETURNS.

Buterin, V. (2014). A Next-Generation Smart Contract and Decentralized Application Platform. In white
paper.

Campbell, K., Gordon, L. A., Loeb, M. P., & Zhou, L. (2003). The economic cost of publicly announced
information security breaches: empirical evidence from the stock market. Journal of Computer
Security, 11(3), 431–448. https://doi.org/10.3233/JCS-2003-11308

Caporale, G. M., Kang, W.-Y., Spagnolo, F., & Spagnolo, N. (2020a). Cyber-Attacks, Cryptocurrencies, and
Cyber Security (8124; CESifo Working Paper Series).
https://ideas.repec.org/p/ces/ceswps/_8124.html

63
Caporale, G. M., Kang, W.-Y., Spagnolo, F., & Spagnolo, N. (2020b). Non-linearities, cyber attacks and
cryptocurrencies. Finance Research Letters, 32, 101297. https://doi.org/10.1016/j.frl.2019.09.012

Caporale, G. M., Kang, W.-Y., Spagnolo, F., & Spagnolo, N. (2021). Cyber-attacks, spillovers and
contagion in the cryptocurrency markets. Journal of International Financial Markets, Institutions and
Money, 74, 101298. https://doi.org/10.1016/j.intfin.2021.101298

Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The effect of internet security breach
announcements on market value: Capital market reactions for breached firms and internet security
developers. International Journal of Electronic Commerce, 9(1), 70–104.
https://doi.org/10.1080/10864415.2004.11044320

Chainalysis. (2023). The 2023 Crypto Crime Report. https://go.chainalysis.com/2023-crypto-crime-

report.html

Chod, J., & Lyandres, E. (2021). A Theory of ICOs: Diversification, Agency, and Information Asymmetry.
Management Science, 67(10), 5969–5989. https://doi.org/10.1287/mnsc.2020.3754

Chokor, A., & Alfieri, E. (2021). Long and short-term impacts of regulation in the cryptocurrency market.
The Quarterly Review of Economics and Finance, 81, 157–173.
https://doi.org/10.1016/j.qref.2021.05.005

Ciphertrace. (2023). Cryptocurrency crime and anti-money laundering Opening comment 4 Executive
summary Cross-chain bridges Dark market-third quarter analysis. https://ciphertrace.com/wp-
content/uploads/2023/03/Ciphertrace-CAML-Report-Q3_FINAL.pdf

CoinGecko. (2024). 2023 Annual Crypto Industry Report.

https://www.coingecko.com/research/publications/2023-annual-crypto-
report?utm_source=web&utm_campaign=2023-Annual-Crypto-Industry-
Report&utm_medium=website-announcement

Colivicchi, I., & Vignaroli, R. (2019). Forecasting the Impact of Information Security Breaches on Stock
Market Returns and VaR Backtest. Journal of Mathematical Finance, 09(03), 402–454.
https://doi.org/10.4236/jmf.2019.93024

Corbet, S., Cumming, D. J., Lucey, B. M., Peat, M., & Vigne, S. (2019). Investigating the Dynamics
Between Price Volatility, Price Discovery, and Criminality in Cryptocurrency Markets. SSRN
Electronic Journal. https://doi.org/10.2139/ssrn.3384707

Crosby, M., Pattanayak, P., Verma, S., & Kalyanaraman, V. (2016). BlockChain Technology: Beyond
Bitcoin. Applied Innovation Review, 2. https://scet.berkeley.edu/wp-content/uploads/AIR-2016-
Blockchain.pdf

DefiLlama. (2024a). Categories. https://defillama.com/categories

64
DefiLlama. (2024b). Hacks. Defillama.Com. https://defillama.com/hacks

Ebrahimi, S., & Eshghi, K. (2022). A meta-analysis of the factors influencing the impact of security breach
announcements on stock returns of firms. Electronic Markets, 32(4), 2357–2380.
https://doi.org/10.1007/s12525-022-00550-2

European Securities and Markets Authority. (2017). ESMA highlights ICO risks for investors and firms.

Financial Industry Regulatory Authority. (n.d.). Digital Assets.

Foerderer, J., & Schuetz, S. W. (2022). Data Breach Announcements and Stock Market Reactions: A Matter
of Timing? Management Science, 68(10), 7298–7322. https://doi.org/10.1287/mnsc.2021.4264

Garg, A., Curtis, J., & Halper, H. (2003). Quantifying the financial impact of IT security breaches.
Information Management and Computer Security, 11(2), 74–83.
https://doi.org/10.1108/09685220310468646

Gatzlaff, K. M., & McCullough, K. A. (2010). The Effect of Data Breaches on Shareholder Wealth. Risk
Management and Insurance Review, 13(1), 61–83. https://doi.org/10.1111/j.1540-6296.2010.01178.x

Goel, S., & Shawky, H. A. (2009). Estimating the market impact of security breach announcements on firm
values. Information and Management, 46(7), 404–410. https://doi.org/10.1016/j.im.2009.06.005

Gordon, L. A., Loeb, M. P., & Zhou, L. (2011). The impact of information security breaches: Has there
been a downward shift in costs? Journal of Computer Security, 19(1), 33–56.
https://doi.org/10.3233/JCS-2009-0398

Grootendorst, M. (2022). BERTopic: Neural topic modeling with a class-based TF-IDF procedure.
http://arxiv.org/abs/2203.05794

Hasanova, H., Baek, U., Shin, M., Cho, K., & Kim, M. (2019). A survey on blockchain cybersecurity
vulnerabilities and possible countermeasures. International Journal of Network Management, 29(2).
https://doi.org/10.1002/nem.2060

Hashemi Joo, M., Nishikawa, Y., & Dandapani, K. (2020). Announcement effects in the cryptocurrency
market. Applied Economics, 52(44), 4794–4808. https://doi.org/10.1080/00036846.2020.1745747

He, D., Deng, Z., Zhang, Y., Chan, S., Cheng, Y., & Guizani, N. (2020). Smart Contract Vulnerability
Analysis and Security Audit. IEEE Network, 34(5), 276–282.
https://doi.org/10.1109/MNET.001.1900656

Hovav, A., & D’Arcy, J. (2003). The Impact of Denial‐of‐Service Attack Announcements on the Market
Value of Firms. Risk Management and Insurance Review, 6(2), 97–121.
https://doi.org/10.1046/j.1098-1616.2003.026.x

65
Hu, J., Luo, Q., & Zhang, J. (2020). The Fluctuations of Bitcoin Price during the Hacks. International
Journal of Applied Research in Management and Economics, 3(1), 10–20.
https://doi.org/10.33422/ijarme.v3i1.278

Hung, C. C. (2019). Analysis of information security news content and abnormal returns of enterprises. Big
Data and Cognitive Computing, 3(2), 1–21. https://doi.org/10.3390/bdcc3020024

Kannan, K., Rees, J., & Sridhar, S. (2007). Market Reactions to Information Security Breach
Announcements: An Empirical Analysis. International Journal of Electronic Commerce, 12(1), 69–
91. https://doi.org/10.2753/JEC1086-4415120103

Ko, M., Osei-Bryson, K.-M., & Dorantes, C. (2009). Investigating the Impact of Publicly Announced
Information Security Breaches on Three Performance Indicators of the Breached Firms. Information
Resources Management Journal, 22(2), 1–21. https://doi.org/10.4018/irmj.2009040101

Kothari, S. P., & Warner, J. B. (2007). Econometrics of Event Studies. In Handbook of Empirical Corporate
Finance (pp. 3–36). Elsevier. https://doi.org/10.1016/B978-0-444-53265-7.50015-9

Kraaijeveld, O., & De Smedt, J. (2020). The predictive power of public Twitter sentiment for forecasting
cryptocurrency prices. Journal of International Financial Markets, Institutions and Money, 65.
https://doi.org/10.1016/j.intfin.2020.101188

Lee, H., & Wie, D. (2023). Gone with the fire: Market reaction to cryptocurrency exchange shutdown.
Heliyon, 9(7), e18231. https://doi.org/10.1016/j.heliyon.2023.e18231

Lee, S. A. (2022). Investigating the Impact of Cyber Security Attacks on Cryptocurrency Markets
[Macquarie University]. https://doi.org/https://doi.org/10.25949/21598905.v1

Lyócsa, Š., Molnár, P., Plíhal, T., & Širaňová, M. (2020). Impact of macroeconomic news, regulation and
hacking exchange markets on the volatility of bitcoin. Journal of Economic Dynamics and Control,
119, 103980. https://doi.org/10.1016/j.jedc.2020.103980

MacKinlay, A. C. (1997). Event studies in economics and finance. Journal of Economic Literature, XXXV,
13–39.

Marmora, P. (2022). Does monetary policy fuel bitcoin demand? Event-study evidence from emerging
markets. Journal of International Financial Markets, Institutions and Money, 77, 101489.
https://doi.org/10.1016/j.intfin.2021.101489

Michel, A., Oded, J., & Shaked, I. (2020). Do security breaches matter? The shareholder puzzle. European
Financial Management, 26(2), 288–315. https://doi.org/10.1111/eufm.12236

Milunovich, G., & Lee, S. A. (2022). Measuring the impact of digital exchange cyberattacks on Bitcoin
Returns. Economics Letters, 221, 110893. https://doi.org/10.1016/j.econlet.2022.110893

66
Morse, E. A., Raval, V., & Wingender, J. R. (2011). Market Price Effects of Data Security Breaches.
Information Security Journal, 20(6), 263–273. https://doi.org/10.1080/19393555.2011.611860

Nakamoto, S. (2008). Bitcoin: A Peer-to-Peer Electronic Cash System. www.bitcoin.org

Öget, E. (2022). The Effect of Positive and Negative Events on Cryptocurrency Prices. Ekonomi, Politika &
Finans Araştırmaları Dergisi, 7(1), 16–31. https://doi.org/10.30784/epfad.1011204

Ramos, S., Pianese, F., Leach, T., & Oliveras, E. (2021). A great disturbance in the crypto: Understanding
cryptocurrency returns under attacks. Blockchain: Research and Applications, 2(3), 100021.
https://doi.org/10.1016/j.bcra.2021.100021

Rasoulian, S., Grégoire, Y., Legoux, R., & Sénécal, S. (2023). The Effects of Service Crises and Recovery
Resources on Market Reactions: An Event Study Analysis on Data Breach Announcements. Journal
of Service Research, 26(1), 44–63. https://doi.org/10.1177/10946705211036944

Rekt. (2024). Leaderboard. Rekt.News. https://rekt.news/leaderboard/

Rosati, P., Deeney, P., Cummins, M., van der Werff, L., & Lynn, T. (2019). Social media and stock price
reaction to data breach announcements: Evidence from US listed companies. Research in
International Business and Finance, 47, 458–469. https://doi.org/10.1016/j.ribaf.2018.09.007

Shanaev, S., Shuraeva, A., Vasenin, M., & Kuznetsov, M. (2020). Cryptocurrency Value and 51% Attacks:
Evidence from Event Studies. The Journal of Alternative Investments, 22(3), 65–77.
https://doi.org/10.3905/jai.2019.1.081

Shchyrba, M., Shchyrba, I., & Shchyrba, M. (2023). Security Audit of the Enterprise.

Storsveen, M., & Veliqi, F. (2020). The Impact of Cryptocurrency-Related Cyberattacks on

Cryptocurrencies and Traditional Financial Assets [University of Stavanger].
https://hdl.handle.net/11250/2687376

Telang, R., & Wattal, S. (2007). An Empirical Analysis of the Impact of Software Vulnerability
Announcements on Firm Stock Price. IEEE Transactions on Software Engineering, 33(8), 544–557.
https://doi.org/10.1109/TSE.2007.70712

Tomić, N. (2020). Measuring the effects of Bitcoin forks on selected cryptocurrencies using event study
methodology. Industrija, 48(2), 21–36. https://doi.org/10.5937/industrija48-26003

Tweneboah-Kodua, S., Atsu, F., & Buchanan, W. (2018). Impact of cyberattacks on stock performance: a
comparative study. Information and Computer Security, 26(5), 637–652. https://doi.org/10.1108/ICS-
05-2018-0060

Uma, M., & Padmavathi, G. (2013). A Survey on Various Cyber Attacks and Their Classification.
International Journal of Network Security, 15(5), 390–396.

67
Wolf, M., Schimmer, M., Levchenko, A., & Müller, S. (2014). EventStudyTools (Research Apps).

Xiang, L., & Lin, Z. (2015). An Overview of Source Code Audit. 2015 International Conference on
Industrial Informatics - Computing Technology, Intelligent Technology, Industrial Information
Integration, 26–29. https://doi.org/10.1109/ICIICII.2015.94

Yayla, A. A., & Hu, Q. (2011). The impact of information security events on the stock value of firms: The
effect of contingency factors. Journal of Information Technology, 26(1), 60–77.
https://doi.org/10.1057/jit.2010.4

Yue, W., Zhang, S., & Zhang, Q. (2021). Asymmetric News Effects on Cryptocurrency Liquidity: an Event
Study Perspective. Finance Research Letters, 41, 101799. https://doi.org/10.1016/j.frl.2020.101799

68
Appendices

Appendix A: Example Security Breach Event Data

Name Date Loss Classification Technique Auditing Responsibility Coingecko Category

Status Owner Token ID
Ronin 2022-03-23 624000000 Infrastructure Private Key Unaudited Sky Mavis axie-infinity Gaming
Compromised (Social
Engineering)
Euler Finance 2023-03-13 197000000 Protocol Logic Flashloan Donate Sherlock Euler Finance euler Lending
Function Logic Exploit
Qubit Finance 2022-01-28 80000000 Protocol Logic Transfer Logic Exploit Unaudited Qubit Finance qubit Lending
Ascendex 2021-12-12 77700000 Infrastructure Private Key Unaudited Ascendex asd CEX
Compromised
(Unknown Method)
EasyFi 2021-04-19 59000000 Infrastructure Private Key Unaudited EasyFi easyfi Yield
Compromised
(Unknown Method)
Elephant Money 2021-04-12 22200000 Ecosystem Flashloan Price Oracle Solidity Finance Elephant Money elephant-money Yield
Attack
Cover 2020-12-29 9400000 Protocol Logic Incentives Function Arcadia Group Cover cover-protocol Insurance
Mistake
Audius 2022-07-23 6000000 Protocol Logic Malicious Governance Kudelski, Audius audius NFT
Proposal OpenZeppelin Marketplace
Treasure DAO 2022-03-03 1400000 Protocol Logic Buy Function Exploit Unaudited Treasure DAO magic Yield
GMX 2022-09-18 565000 Ecosystem Price Oracle Attack Quantstamp GMX gmx Derivatives
Saddle Finance 2021-01-20 275735 Protocol Logic Price Oracle Attack Openzeppelin, Saddle Finance saddle-finance Dexes
Certik,
Quantstamp