Original source: Beosin
In 2024, the blockchain industry faced increasingly severe security challenges even as it kept innovating technically and expanding its ecosystem. According to Beosin Alert, the monitoring platform of security audit firm Beosin, as of press time the total losses in the Web3 space in 2024 from hacker attacks, phishing scams and Rug Pulls by project teams reached US$2.491 billion.
These incidents not only exposed technical weaknesses such as poor private key management and smart contract vulnerabilities, but also highlighted the risks posed by social engineering and lax internal controls. This article reviews the top ten Web3 security incidents of 2024 so that the industry can learn from them and better prepare for future threats.
No.1 DMM Bitcoin
Amount of loss: $304 million
Attack method: private key leakage
On May 31, 2024, DMM Bitcoin, a long-established Japanese cryptocurrency exchange, suffered a historic attack. Using a leaked private key, the attacker directly transferred more than $300 million worth of Bitcoin and quickly split the stolen funds across more than ten addresses. The attack exposed serious deficiencies in DMM Bitcoin's private key management and layered security controls. Although the exchange attempted to trace the attacker and freeze funds through on-chain monitoring, the stolen Bitcoin was split up, moved repeatedly and laundered through mixing services, which made tracing extremely difficult.
On December 24, Japanese police attributed the DMM Bitcoin theft to the North Korean hacker group Lazarus Group.
No.2 PlayDapp
Amount of loss: $290 million
Attack method: private key leakage
On February 9, 2024, PlayDapp suffered a heavy blow. Using stolen private keys, the attacker minted 2 billion PLA tokens, worth $36.5 million at the time. After negotiations between the project and the attacker failed, the attacker minted a further 15.9 billion PLA tokens, worth $253.9 million, within a short period. Once some of these tokens began flowing into the Gate exchange, PlayDapp was forced to suspend the PLA contract and migrate to a new PDA token contract. The incident highlights shortcomings in private key protection and incident response at blockchain projects.
No.3 WazirX
Amount of loss: $235 million
Attack method: Social engineering and phishing
On July 18, 2024, the Safe multi-signature wallet of WazirX, India's largest cryptocurrency exchange, was the target of a carefully prepared attack. The attacker used social engineering to induce the multi-signature signers to approve a transaction that upgraded the wallet's contract logic, then used the permissions of the upgraded contract to transfer every asset in the wallet. The case highlights the risks in how multi-signature wallets are configured and how transparently they are operated, and prompted in-depth reflection across the industry on projects' internal risk controls and security mechanisms.
For a detailed analysis of the incident and fund tracking, please read "Beosin | Analysis of the $235 million theft from Indian exchange WazirX".
No.4 Gala Games
Amount of loss: $216 million
Attack method: Access control vulnerability
On May 20, 2024, a privileged address belonging to Gala Games was compromised. The attacker called the mint function of the token contract to create 5 billion GALA tokens in a single transaction, then swapped the newly minted tokens for ETH in batches, directly causing a loss of $216 million. After the incident, the Gala Games team urgently activated the contract's blacklist function to block some of the attacker's accounts and recovered the losses through legal channels.
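Both the PlayDapp and Gala Games incidents above share one on-chain fingerprint: a single privileged key suddenly minting a huge fraction of the supply. An ERC-20 mint is emitted as a Transfer event whose `from` is the zero address, so a monitor that reads Transfer logs can total the amount minted to each recipient inside a sliding block window and alert as soon as one recipient exceeds an agreed fraction of the pre-incident supply. The following is an added example written for this article, not Beosin's, Gala Games' or PlayDapp's code; the log entries, addresses, supply figure and thresholds are constructed for the demonstration.

```python
"""Alert on abnormal minting of an ERC-20 token by a privileged address.

Added example, not code from the original article or the affected projects.
Mints appear as Transfer logs from the zero address; the scanner keeps a
running total per recipient inside a sliding block window and raises an
alert when that total exceeds a fraction of the pre-incident supply.
All sample logs, addresses and thresholds below are constructed.
"""
from collections import defaultdict, deque

# keccak256("Transfer(address,address,uint256)"): topic0 of every ERC-20 Transfer log
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO_ADDRESS = "0x" + "00" * 20


def address_from_topic(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()


def parse_mint(log: dict):
    """Return (block, recipient, amount) for a mint log, or None for anything else."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0] != TRANSFER_TOPIC:
        return None                      # not an ERC-20 Transfer
    if address_from_topic(topics[1]) != ZERO_ADDRESS:
        return None                      # ordinary transfer, not a mint
    return log["blockNumber"], address_from_topic(topics[2]), int(log["data"], 16)


def scan_mints(logs, total_supply: int, window_blocks: int, max_fraction: float) -> list:
    """Return one alert per mint that pushes a recipient over the window budget."""
    budget = total_supply * max_fraction
    window = deque()                     # mints still inside the sliding window
    minted = defaultdict(int)            # recipient -> amount minted in the window
    alerts = []
    for log in sorted(logs, key=lambda entry: entry["blockNumber"]):
        mint = parse_mint(log)
        if mint is None:
            continue
        block, recipient, amount = mint
        # Drop mints that have aged out of the window before counting this one.
        while window and window[0][0] <= block - window_blocks:
            _, old_recipient, old_amount = window.popleft()
            minted[old_recipient] -= old_amount
        window.append(mint)
        minted[recipient] += amount
        if minted[recipient] > budget:
            alerts.append({"block": block, "recipient": recipient,
                           "minted_in_window": minted[recipient]})
    return alerts


def topic_for(address: str) -> str:
    """Encode an address the way it appears as an indexed event topic."""
    return "0x" + "00" * 12 + address[2:].lower()


# Constructed addresses, logs and supply for the demonstration.
TREASURY = "0x" + "11" * 20
ATTACKER = "0x" + "bad0" * 10
PRE_INCIDENT_SUPPLY = 10_000
SAMPLE_LOGS = [
    {"blockNumber": 100, "topics": [TRANSFER_TOPIC, topic_for(ZERO_ADDRESS), topic_for(TREASURY)], "data": hex(50)},
    {"blockNumber": 150, "topics": [TRANSFER_TOPIC, topic_for(TREASURY), topic_for(ATTACKER)], "data": hex(10)},
    {"blockNumber": 200, "topics": [TRANSFER_TOPIC, topic_for(ZERO_ADDRESS), topic_for(ATTACKER)], "data": hex(5_000)},
    {"blockNumber": 201, "topics": [TRANSFER_TOPIC, topic_for(ZERO_ADDRESS), topic_for(ATTACKER)], "data": hex(5_000)},
    {"blockNumber": 900, "topics": [TRANSFER_TOPIC, topic_for(ZERO_ADDRESS), topic_for(TREASURY)], "data": hex(50)},
]

if __name__ == "__main__":
    for alert in scan_mints(SAMPLE_LOGS, PRE_INCIDENT_SUPPLY, window_blocks=100, max_fraction=0.05):
        print(f"ALERT block {alert['block']}: {alert['recipient']} minted "
              f"{alert['minted_in_window']} within the window")
```

With a 5% budget the routine treasury mints pass silently and the two 5,000-token mints to the attacker each raise an alert; the window keeps a slow drip of small mints from accumulating into a false positive while still catching a burst. In production the logs would come from an `eth_getLogs` subscription filtered on the token contract and the Transfer topic, and the alert would feed a pause or blacklist action of the kind Gala Games used.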
No.5 Chris Larsen (Ripple's co-founder)
Amount of loss: $112 million
Attack method: private key leakage
On January 31, 2024, four personal wallets belonging to Ripple co-founder Chris Larsen were compromised, and $112 million worth of XRP was stolen. The wallets are suspected to have been targeted because they lacked the additional protection of a hardware device. After the incident, Binance froze $4.2 million worth of XRP and assisted Larsen in tracing the stolen assets, but most of the funds had already been laundered through decentralized exchanges and mixing services.
No.6 Munchables
Amount of loss: $62.5 million
Attack method: social engineering attack
On March 26, 2024, Munchables, a Web3 game platform built on Blast, suffered a rare insider attack. The attacker was a North Korean operative posing as a blockchain developer who, after a long period of embedded access, obtained the core code and sensitive keys. Although the attack caused huge losses, under pressure from the community and the team the attacker eventually returned all of the stolen funds. The incident shows the importance of supply chain security, especially for blockchain projects that rely on outside developers.
No.7 BtcTurk
Amount of loss: $55 million
Attack method: private key leakage
On June 22, 2024, Turkey's largest cryptocurrency exchange, BtcTurk, suffered a private key compromise and lost more than $55 million in crypto assets. With the assistance of the Binance team, $5.3 million of the stolen funds was frozen, but the remaining assets have not been recovered. The incident deepened market concerns about private key management at centralized exchanges.
(Image: BtcTurk's official announcement of the attack)
No.8 Radiant Capital
Amount of loss: $53 million
Attack method: private key leakage
On October 17, 2024, Radiant Capital's multi-signature wallet was compromised. The wallet used a low 3-of-11 signature threshold, so once the attacker controlled the private keys of three signers they could produce the required signatures off-chain, transfer ownership of the wallet contract to a malicious address, and ultimately steal $53 million. The attack prompted industry reflection on the design and governance of multi-signature wallets.
Earlier in the year, Radiant Capital had already lost $4.5 million (more than 1,900 ETH) to a contract vulnerability. Web3 project teams still need to pay far more attention to security.
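The WazirX and Radiant Capital cases both ended with a multisig transaction that did something the signers would never knowingly have approved: a logic upgrade of the Safe itself in one case, a transfer of contract ownership in the other. A signer who only sees a hash on a hardware wallet cannot tell the two apart from a routine admin call, so the practical defence is a policy check that decodes the Safe `execTransaction` calldata before any signature is produced. The block below is an added example written for this article, not code from Beosin, WazirX, Radiant or the Safe project. It decodes the calldata by hand (no web3 library), refuses a DELEGATECALL (the operation through which a Safe's logic is changed), refuses targets outside a signer-side allowlist, and refuses a call to `transferOwnership(address)` on the target. The addresses, the allowlist and the placeholder selector `deadbeef` are constructed for the demonstration; the `execTransaction` and `transferOwnership` selectors are the real 4-byte identifiers.

```python
"""Pre-signing policy check for a Safe multisig transaction.

Added example, not code from the original article or the affected projects.
It decodes Safe.execTransaction(...) calldata word by word and returns the
policy violations a signer should refuse: DELEGATECALL operations, targets
outside an allowlist, and transferOwnership(address) calls on the target.
The sample transactions, addresses and allowlist are constructed.
"""

EXEC_TRANSACTION_SELECTOR = bytes.fromhex("6a761202")    # Safe execTransaction(...)
TRANSFER_OWNERSHIP_SELECTOR = bytes.fromhex("f2fde38b")  # transferOwnership(address)
CALL, DELEGATECALL = 0, 1                                # Safe "operation" values
HEAD_WORDS = 10                                          # static/offset words before dynamic data


def _word(calldata: bytes, index: int) -> int:
    """32-byte ABI word number `index` of the argument area (selector excluded)."""
    start = 4 + 32 * index
    return int.from_bytes(calldata[start:start + 32], "big")


def _dynamic_bytes(calldata: bytes, offset: int) -> bytes:
    """Read an ABI `bytes` value whose head word holds `offset` (relative to the args)."""
    base = 4 + offset
    length = int.from_bytes(calldata[base:base + 32], "big")
    return calldata[base + 32:base + 32 + length]


def decode_exec_transaction(calldata: bytes) -> dict:
    """Extract the execTransaction fields that decide what a signature authorises."""
    if calldata[:4] != EXEC_TRANSACTION_SELECTOR:
        raise ValueError("not a Safe execTransaction call")
    return {
        "to": "0x" + _word(calldata, 0).to_bytes(32, "big")[12:].hex(),
        "value": _word(calldata, 1),
        "data": _dynamic_bytes(calldata, _word(calldata, 2)),
        "operation": _word(calldata, 3),
    }


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Build execTransaction calldata (zero gas fields, empty signatures) for the demo."""
    def word(n: int) -> bytes:
        return n.to_bytes(32, "big")

    def dynamic(b: bytes) -> bytes:
        return word(len(b)) + b + b"\x00" * (-len(b) % 32)

    data_blob = dynamic(data)
    head = (word(int(to, 16)) + word(value) + word(32 * HEAD_WORDS) + word(operation)
            + word(0) * 3                               # safeTxGas, baseGas, gasPrice
            + word(0) + word(0)                         # gasToken, refundReceiver
            + word(32 * HEAD_WORDS + len(data_blob)))   # offset of the signatures blob
    return EXEC_TRANSACTION_SELECTOR + head + data_blob + dynamic(b"")


def check_before_signing(calldata: bytes, allowed_targets) -> list:
    """Return policy violations; an empty list means the transaction may be signed."""
    tx = decode_exec_transaction(calldata)
    allowed = {a.lower() for a in allowed_targets}
    problems = []
    if tx["operation"] == DELEGATECALL:
        problems.append("DELEGATECALL would run foreign code against the Safe's own storage")
    if tx["to"] not in allowed:
        problems.append(f"target {tx['to']} is not on the signer allowlist")
    if tx["data"][:4] == TRANSFER_OWNERSHIP_SELECTOR:
        new_owner = "0x" + tx["data"][16:36].hex()
        problems.append(f"calls transferOwnership({new_owner}) on the target")
    return problems


# Constructed addresses for the demonstration.
POOL = "0x" + "a1" * 20           # contract the Safe legitimately administers
ATTACKER = "0x" + "bad0" * 10
ALLOWLIST = {POOL}

# 1. Routine admin call to the allowlisted pool (placeholder selector).
ROUTINE = encode_exec_transaction(POOL, 0, bytes.fromhex("deadbeef"), CALL)
# 2. WazirX-style: a DELEGATECALL into an attacker contract, i.e. a logic "upgrade".
UPGRADE = encode_exec_transaction(ATTACKER, 0, b"", DELEGATECALL)
# 3. Radiant-style: hand ownership of the administered contract to the attacker.
TAKEOVER = encode_exec_transaction(
    POOL, 0, TRANSFER_OWNERSHIP_SELECTOR + int(ATTACKER, 16).to_bytes(32, "big"), CALL)

if __name__ == "__main__":
    for name, tx in ("routine", ROUTINE), ("upgrade", UPGRADE), ("takeover", TAKEOVER):
        print(name, "->", check_before_signing(tx, ALLOWLIST) or ["ok to sign"])
```

The routine call passes, the upgrade is rejected on two counts (DELEGATECALL and unknown target) and the takeover is rejected because of the `transferOwnership` selector, even though it is an ordinary CALL to an allowlisted contract. The same check fits naturally into a signing service that sits between the signer's key and the Safe; a raised threshold such as the one Radiant's 3-of-11 configuration lacked limits how many such checks an attacker must defeat at once.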
No.9 Hedgey Finance
Amount of loss: $44.7 million
Attack method: Contract vulnerability
On April 19, 2024, Hedgey Finance was attacked across several of its on-chain contracts. The attacker exploited a flaw in the token-approval logic of its ClaimCampaigns contract and drained tokens on both Ethereum and Arbitrum, for a total loss of $44.7 million. The incident shows the importance of code auditing, and in particular of rigorous review of token approval logic.
No.10 BingX
Amount of loss: $44.7 million
Attack method: private key leakage
On September 19, 2024, a hot wallet of the BingX exchange was compromised, affecting multiple chains including Ethereum, BNB Chain and Tron. Although the exchange quickly began moving assets to safety and froze withdrawals, the attacker still managed to withdraw assets worth $44.7 million. The attack highlights the risks of hot wallet management at centralized exchanges and has pushed the industry to explore safer custody solutions.
The frequent attacks of 2024 are a reminder that the blockchain industry cannot grow without security to protect it. From private key leaks to contract vulnerabilities, from lapses in internal management to ever more sophisticated external attacks, each incident carries a hard lesson. To cope with increasingly complex threats, everyone in the industry needs to keep investing in technical research, management standards and risk prevention and control. Looking ahead, we hope to build a more secure blockchain ecosystem through industry collaboration and technological innovation, and to provide more reliable protection for users and investors.