Beosin | December 24, 2024 16:39 | Singapore

In 2024, the blockchain industry faced increasingly severe security challenges alongside technological innovation and ecosystem expansion. According to monitoring by the Alert platform of security auditing company Beosin, as of the time of writing, the total loss in the Web3 sector due to hacker attacks, phishing scams, and project rug pulls has reached 2.491 billion USD.
These incidents not only expose technical flaws in private key management and smart contracts but also highlight the risks posed by social engineering and weak internal management. This article reviews the top ten Web3 security incidents of 2024 to help the industry draw lessons and better cope with future security threats.

No.1 DMM Bitcoin

Loss amount: 304 million USD

Attack method: Private key leak

On May 31, 2024, the well-established Japanese cryptocurrency exchange DMM Bitcoin suffered a historic attack. The attackers used leaked private keys to directly transfer over 300 million USD worth of Bitcoin, quickly dispersing the stolen funds across more than 10 different addresses. This attack exposed DMM Bitcoin's serious shortcomings in private key management and multi-layer security protection. Although the exchange attempted to track the hackers through on-chain monitoring and fund freezing, the stolen Bitcoin was dispersed and laundered using mixing tools, posing significant challenges to tracking efforts.

On December 24, Japanese police determined that the DMM Bitcoin theft incident was perpetrated by the North Korean hacker organization Lazarus Group. For a detailed analysis of Lazarus Group's past attacks and money laundering, please read (Investigating the Most Audacious Cryptocurrency Theft Gang in History: Money Laundering Analysis of the Lazarus Group).

No.2 PlayDapp

Loss amount: 290 million USD

Attack method: Private key leak

On February 9, 2024, PlayDapp suffered a devastating blow, as hackers minted 2 billion PLA tokens by stealing private keys, initially valued at 36.50 million USD. Due to failed negotiations between the project team and the hackers, the hackers further minted 15.9 billion PLA tokens in a short period, valued at 253.9 million USD. Some of these tokens flowed into the Gate exchange, forcing PlayDapp to suspend the PLA contract and migrate to the PDA token contract. This incident highlighted the deficiencies of blockchain projects in private key protection and emergency response.

No.3 WazirX

Loss amount: 235 million USD

Attack method: Network attack and phishing

On July 18, 2024, the Safe Wallet multi-signature wallet of WazirX, India's largest cryptocurrency exchange, was the target of a precisely executed attack. The attackers used social engineering to induce the multi-signature signers to sign a contract upgrade transaction, then used the upgraded contract's permissions to transfer all assets out of the wallet. This case highlights the potential risks of multi-signature wallets in permission configuration and operational transparency, and prompted in-depth reflection across the industry on internal risk control and security mechanisms.

For detailed analysis and fund tracking of this incident, please read (Beosin | Analysis of the WazirX Theft of 235 million USD).

No.4 Gala Games

Loss amount: 216 million USD

Attack method: Access control vulnerability

On May 20, 2024, a privileged address of Gala Games was breached by hackers, who called the mint function in the token contract to mint 5 billion GALA tokens at once. Subsequently, the hackers exchanged the newly minted tokens for ETH in batches, directly causing a loss of 216 million USD. The Gala Games team urgently activated a blacklist feature to block some hacker accounts and sought to recover losses through judicial means.
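Both the PlayDapp (No.2) and Gala Games (No.4) losses materialised as mints issued from a compromised privileged key, which on-chain appear as ERC-20 Transfer events from the zero address. The following is an added example, not code from the Beosin article or either project, of a monitoring rule that flags a single oversized mint (the Gala pattern) and a burst of mints inside a trailing block window (the PlayDapp pattern); all addresses, block numbers and amounts are constructed sample data, and the ratio thresholds are hypothetical tuning values.

```python
from dataclasses import dataclass

ZERO = "0x" + "00" * 20  # mints appear as ERC-20 Transfer events from this address

@dataclass
class Transfer:
    block: int
    src: str
    dst: str
    amount: int  # token base units

def detect_abnormal_mints(events, initial_supply, max_mint_ratio=0.05,
                          window_blocks=100, max_window_ratio=0.10):
    """Return (rule, block, amount) alerts for mints that are too large on their
    own (Gala Games: 5 billion GALA in one call) or that add up to too much
    within a trailing block window (PlayDapp: repeated mints in a short period).
    Ratios are relative to the supply tracked just before each mint is applied."""
    supply = initial_supply
    recent = []  # (block, amount) of mints inside the trailing window
    alerts = []
    for ev in sorted(events, key=lambda e: e.block):
        if ev.src != ZERO:
            continue  # ordinary transfer, not a mint
        recent = [(b, a) for b, a in recent if ev.block - b < window_blocks]
        recent.append((ev.block, ev.amount))
        minted_in_window = sum(a for _, a in recent)
        if ev.amount > supply * max_mint_ratio:
            alerts.append(("single_mint", ev.block, ev.amount))
        elif minted_in_window > supply * max_window_ratio:
            alerts.append(("burst_mint", ev.block, minted_in_window))
        supply += ev.amount  # the mint happened either way; keep supply in sync
    return alerts

# Constructed sample stream (addresses, blocks and amounts are made up).
INITIAL_SUPPLY = 5_000_000_000
SAMPLE_EVENTS = [
    Transfer(100, "0xaaaa", "0xbbbb", 1_000),        # normal transfer, ignored
    Transfer(101, ZERO, "0xcccc", 100_000_000),      # 2% mint, tolerated
    Transfer(120, ZERO, "0xcccc", 200_000_000),      # still under both limits
    Transfer(150, ZERO, "0xcccc", 240_000_000),      # window total 540M > 10% of 5.3B
    Transfer(400, ZERO, "0xdddd", 5_000_000_000),    # one-shot mint of 5 billion
]

def run_sample():
    return detect_abnormal_mints(SAMPLE_EVENTS, INITIAL_SUPPLY)
```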

No.5 Chris Larsen (Ripple's co-founder)

Loss amount: 112 million USD

Attack method: Private key leak

On January 31, 2024, four personal wallets of Chris Larsen, co-founder of Ripple, were hacked, resulting in the theft of 112 million USD in XRP. These wallets were likely compromised because they lacked the second layer of protection that a hardware device provides. After the incident, Binance successfully froze 4.2 million USD worth of XRP and assisted Larsen in tracking the stolen assets, but the vast majority of the funds had already been laundered through decentralized exchanges and mixing services.

No.6 Munchables

Loss amount: 62.50 million USD

Attack method: Social engineering attack

On March 26, 2024, the Blast-based Web3 gaming platform Munchables experienced a rare internal infiltration attack. The attacker, posing as a blockchain developer, gained access to core code and sensitive keys through long-term infiltration. Despite the attack causing significant losses, under pressure from the community and team, the hacker eventually returned all the stolen funds. This incident highlighted the importance of supply chain security, especially for blockchain projects that rely on third-party development.

No.7 BtcTurk

Loss amount: 55 million USD

Attack method: Private key leak

On June 22, 2024, Turkey's largest cryptocurrency exchange BtcTurk suffered a private key leak attack, resulting in the loss of over 55 million USD in cryptocurrency assets. With the assistance of the Binance team, 5.3 million USD of the stolen funds was successfully frozen, but other assets have not yet been recovered. This incident deepened market concerns about the private key management of centralized exchanges.

(Image: BtcTurk's official announcement of the attack)

No.8 Radiant Capital

Loss amount: 53 million USD

Attack method: Private key leak

On October 17, 2024, Radiant Capital's multi-signature wallet was breached by hackers. Because the wallet used a low 3-of-11 signature threshold, the attackers, having gained control of the private keys of 3 signers, produced the required off-chain signatures and transferred ownership of the wallet contract to a malicious address, ultimately stealing 53 million USD. This attack triggered industry reflection on the design and governance mechanisms of multi-signature wallets.

Before this attack, Radiant Capital had already lost 4.5 million USD (over 1,900 ETH) to contract vulnerabilities. Web3 project teams still need to give security far more attention.
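The WazirX (No.3) and Radiant Capital (No.8) cases share a root cause: a multisig applied the same signature threshold to a contract upgrade or ownership transfer as to a routine transfer, so a few phished or stolen keys were enough. The following is an added example, not code from the article or either project, of a signer-side policy check for a Safe-style multisig that classifies a proposal by its 4-byte function selector and demands a higher approval count plus a timelock for privileged calls. The selector values are the standard ones for the named OpenZeppelin-style functions; the Policy and Proposal structures, thresholds and the 0xabab... address are constructed for the example.

```python
from dataclasses import dataclass

# First 4 bytes of keccak256 of the Solidity signature (standard OpenZeppelin names).
PRIVILEGED_SELECTORS = {
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
}

@dataclass
class Policy:
    normal_threshold: int         # e.g. 3 of 11, the bar Radiant applied to everything
    privileged_threshold: int     # higher bar for ownership transfers and upgrades
    privileged_delay_blocks: int  # timelock so signers and monitoring can react

@dataclass
class Proposal:
    data: bytes          # calldata the multisig would execute
    approvals: int       # distinct signer approvals collected so far
    proposed_block: int

def classify(data: bytes) -> str:
    """Name the privileged function the calldata targets, or 'plain'."""
    if len(data) < 4:
        return "plain"  # pure value transfer, no function selector
    return PRIVILEGED_SELECTORS.get(data[:4].hex(), "plain")

def may_execute(p: Proposal, policy: Policy, current_block: int):
    """Return (allowed, reason) for executing the proposal at current_block."""
    kind = classify(p.data)
    if kind == "plain":
        ok = p.approvals >= policy.normal_threshold
        return ok, "normal threshold met" if ok else "needs more approvals"
    if p.approvals < policy.privileged_threshold:
        return False, f"{kind}: needs {policy.privileged_threshold} approvals"
    if current_block - p.proposed_block < policy.privileged_delay_blocks:
        return False, f"{kind}: timelock not elapsed"
    return True, f"{kind}: privileged threshold and timelock satisfied"

# Constructed scenario: a transferOwnership(0xabab...) proposal carrying only 3
# approvals (enough under a flat 3/11 rule) is checked against a stricter policy.
POLICY = Policy(normal_threshold=3, privileged_threshold=8, privileged_delay_blocks=7200)
OWNERSHIP_PROPOSAL = Proposal(
    data=bytes.fromhex("f2fde38b" + "00" * 12 + "ab" * 20),  # abi-encoded address arg
    approvals=3, proposed_block=1_000)
PLAIN_PROPOSAL = Proposal(data=b"", approvals=3, proposed_block=1_000)
```

The same classifier can be run by an off-chain monitor over pending Safe transactions, so that a signer who is asked to approve an "upgrade" sees the decoded function name rather than opaque calldata.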

No.9 Hedgey Finance

Loss amount: 44.70 million USD

Attack method: Contract vulnerability

On April 19, 2024, Hedgey Finance encountered an attack on multiple on-chain contracts. Hackers exploited a vulnerability in its ClaimCampaigns contract, successfully extracting tokens from both the Ethereum and Arbitrum chains, resulting in a total loss of 44.70 million USD. This incident highlights the importance of code auditing, especially the strict verification of token approval logic.

No.10 BingX

Loss amount: 44.70 million USD

Attack method: Private key leak

On September 19, 2024, the hot wallet of BingX exchange was hacked, involving multiple chains including Ethereum, BNB Chain, and Tron. Although the exchange quickly activated asset transfer and withdrawal freezing mechanisms, hackers successfully extracted assets worth 44.70 million USD. This attack reflects the high-risk nature of centralized exchanges' hot wallet management and further drives the industry to explore more secure asset storage solutions.

The frequent security attack incidents in 2024 remind us that the development of the blockchain industry cannot be separated from security safeguards. From private key leaks to contract vulnerabilities, from internal management oversights to the escalation of external attack methods, each incident has brought profound lessons. To cope with increasingly complex attack threats, all parties in the industry need to continuously strengthen investment in technology development, management standards, and risk prevention. In the future, we look forward to establishing a more secure blockchain ecosystem through industry collaboration and technological innovation, providing more reliable protection for users and investors.