Written by: Beosin
In 2024, the blockchain industry faced increasingly severe security challenges alongside technological innovation and ecosystem expansion. According to monitoring by the Alert platform of security auditing company Beosin, the total loss in Web3 from hacker attacks, phishing scams, and project rug pulls had reached 2.491 billion USD at the time of writing.
These incidents not only expose technical flaws such as weak private key management and smart contract vulnerabilities, but also highlight the risks posed by social engineering and failures of internal management. This article reviews the top ten Web3 security incidents of 2024 so that the industry can learn from them and better cope with future threats.
No.1 DMM Bitcoin
Loss amount: 304 million USD
Attack method: Private key leakage
On May 31, 2024, the long-established Japanese cryptocurrency exchange DMM Bitcoin suffered a historic attack. Using leaked private keys, the attacker transferred Bitcoin worth over 300 million USD directly out of the exchange and quickly dispersed the stolen funds across more than 10 addresses. The attack exposed severe shortcomings in DMM Bitcoin's private key management and layered security controls. Although the exchange attempted to track the hackers through on-chain monitoring and fund freezes, the stolen Bitcoin was split up and laundered through mixing tools, which made tracing very difficult.
On December 24, Japanese police determined that the DMM Bitcoin theft was carried out by the North Korean hacker group Lazarus Group. For a detailed analysis of Lazarus Group's past attacks and money laundering activities, see "Exposing the boldest cryptocurrency theft gang in history: money laundering analysis of hacker group Lazarus Group".
No.2 PlayDapp
Loss amount: 290 million USD
Attack method: Private key leakage
On February 9, 2024, PlayDapp suffered a major blow when hackers used stolen private keys to mint 2 billion PLA tokens, initially valued at 36.50 million USD. After negotiations between the project team and the hackers failed, the hackers minted a further 15.9 billion PLA tokens, valued at 253.9 million USD, within a short period. Some of these tokens flowed into the Gate exchange, forcing PlayDapp to suspend the PLA contract and migrate to a new PDA token contract. The incident highlights the weaknesses of blockchain projects in both private key protection and emergency incident response.
No.3 WazirX
Loss amount: 235 million USD
Attack method: Cyber attack and phishing
On July 18, 2024, WazirX, India's largest cryptocurrency exchange, suffered a targeted attack on its Safe Wallet multi-signature wallet. The attackers used social engineering to induce the multi-signature signers to approve a contract upgrade transaction, then used the permissions of the upgraded contract to drain the wallet's assets. The case highlights the risks in how multi-signature wallet permissions are configured and how transparently they are operated, and has prompted deep reflection across the industry on internal risk controls and security mechanisms.
For a detailed analysis and fund tracing of this incident, see "Beosin | Analysis of the 235 million USD theft incident at Indian exchange WazirX".
No.4 Gala Games
Loss amount: 216 million USD
Attack method: Access control vulnerability
On May 20, 2024, a privileged address belonging to Gala Games was compromised. The attackers called the mint function of the token contract to mint 5 billion GALA tokens at once, then swapped the minted tokens for ETH in batches, causing a direct loss of 216 million USD. The Gala Games team urgently activated the contract's blacklist feature to block some of the attacker's accounts and recovered the losses through legal means.
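Both the PlayDapp and Gala Games incidents above share one root cause: a single privileged key could mint an unbounded number of tokens. The following contract is an added, constructed example written for this article (it is not the PLA or GALA contract, and the names, cap values and epoch length are assumptions) showing the defensive pattern a team can adopt: an immutable hard supply cap, a rolling per-epoch mint allowance, and an emergency pause held by a principal other than the minter. ERC-20 transfer logic is omitted to keep the focus on the minting controls.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative token with a hard supply cap and a rolling per-epoch mint
/// allowance. Constructed example for this article; not the PlayDapp (PLA)
/// or Gala Games (GALA) contract. Names and numbers are assumptions.
contract RateLimitedMintToken {
    string public constant name = "Example Token";
    string public constant symbol = "EXT";
    uint8 public constant decimals = 18;

    uint256 public totalSupply;
    uint256 public immutable maxSupply;          // hard ceiling, fixed at deployment
    uint256 public immutable mintCapPerEpoch;    // most that can be minted in one epoch
    uint256 public constant EPOCH = 1 days;

    address public minter;
    address public guardian;                     // can pause minting, cannot mint
    bool public mintingPaused;

    uint256 private epochStart;
    uint256 private mintedThisEpoch;

    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event MintingPaused(address indexed by);

    error NotMinter();
    error NotGuardian();
    error Paused();
    error ExceedsMaxSupply(uint256 requested, uint256 remaining);
    error ExceedsEpochCap(uint256 requested, uint256 remaining);

    constructor(uint256 maxSupply_, uint256 mintCapPerEpoch_, address minter_, address guardian_) {
        require(mintCapPerEpoch_ <= maxSupply_, "epoch cap exceeds max supply");
        require(minter_ != guardian_, "minter and guardian must differ");
        maxSupply = maxSupply_;
        mintCapPerEpoch = mintCapPerEpoch_;
        minter = minter_;
        guardian = guardian_;
        epochStart = block.timestamp;
    }

    /// Mint is bounded twice: by the immutable max supply and by the epoch cap.
    /// A compromised minter key can therefore mint at most mintCapPerEpoch before
    /// the guardian (a separate key, ideally a multisig) pauses minting.
    function mint(address to, uint256 amount) external {
        if (msg.sender != minter) revert NotMinter();
        if (mintingPaused) revert Paused();

        // Roll the epoch window forward once it has expired.
        if (block.timestamp >= epochStart + EPOCH) {
            epochStart = block.timestamp;
            mintedThisEpoch = 0;
        }

        uint256 remainingSupply = maxSupply - totalSupply;
        if (amount > remainingSupply) revert ExceedsMaxSupply(amount, remainingSupply);

        uint256 remainingEpoch = mintCapPerEpoch - mintedThisEpoch;
        if (amount > remainingEpoch) revert ExceedsEpochCap(amount, remainingEpoch);

        mintedThisEpoch += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    /// Emergency stop held by a different principal than the minter, so that
    /// one leaked key is not enough both to mint and to block the response.
    function pauseMinting() external {
        if (msg.sender != guardian) revert NotGuardian();
        mintingPaused = true;
        emit MintingPaused(msg.sender);
    }
}
```

The epoch cap does not prevent a leaked minter key from being abused, but it bounds the damage per day to a figure the team has chosen in advance and turns an instant 5-billion-token mint into a series of capped events that an on-chain monitor can alert on. Separating the guardian from the minter matters for the same reason: a pause that can only be triggered by the compromised key is no pause at all.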
No.5 Chris Larsen (Ripple's co-founder)
Loss amount: 112 million USD
Attack method: Private key leakage
On January 31, 2024, four personal wallets belonging to Ripple co-founder Chris Larsen were hacked, and XRP worth 112 million USD was stolen. The wallets were likely targeted because they lacked the second layer of protection that a hardware device provides. After the incident, Binance froze XRP worth 4.2 million USD and assisted Larsen in tracing the stolen assets, but most of the funds had already been laundered through decentralized exchanges and mixing services.
No.6 Munchables
Loss amount: 62.50 million USD
Attack method: Social engineering attack
On March 26, 2024, Munchables, a Web3 gaming platform built on Blast, suffered a rare insider attack. The attacker, posing as a blockchain developer, infiltrated the project over a long period and obtained core code and sensitive keys. Despite the massive losses, the hacker ultimately returned all the stolen funds under pressure from the community and the team. The incident shows the importance of supply chain security, especially for blockchain projects that depend on third-party developers.
No.7 BtcTurk
Loss amount: 55.00 million USD
Attack method: Private key leakage
On June 22, 2024, Turkey's largest cryptocurrency exchange, BtcTurk, was attacked through leaked private keys and lost crypto assets worth over 55 million USD. With the assistance of the Binance team, 5.3 million USD of the stolen funds was frozen, but the remaining assets have yet to be recovered. The incident deepened market concerns about private key management at centralized exchanges.
[Image: BtcTurk's official announcement of the attack]
No.8 Radiant Capital
Loss amount: 53.00 million USD
Attack method: Private key leakage
On October 17, 2024, Radiant Capital's multi-signature wallet was hacked. The wallet used a low 3-of-11 signing threshold, so by controlling the private keys of three signers the attackers were able to produce the required off-chain signatures, transfer ownership of the wallet contract to a malicious address, and ultimately steal 53 million USD. The attack prompted industry reflection on the design and governance of multi-signature wallets.
Before this attack, Radiant Capital had already lost 4.5 million USD to contract vulnerabilities, with over 1,900 ETH stolen. Security awareness among Web3 project teams still needs to improve.
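In both the WazirX case (an approved contract upgrade) and the Radiant Capital case (an ownership transfer), a single privileged transaction took effect the moment the signing threshold was met. The contract below is an added, constructed example for this article (not Radiant Capital's or WazirX's code; the 48-hour delay and all names are assumptions) showing a two-step, time-delayed ownership transfer that can be cancelled while pending. The same shape applies to upgrade authorisation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative owner-controlled contract whose ownership transfer is
/// (1) proposed, (2) only executable after a fixed delay, and (3) cancellable
/// in the meantime. Constructed example for this article; not the Radiant
/// Capital or WazirX code. Delay length and names are assumptions.
contract DelayedOwnershipTransfer {
    uint256 public constant TRANSFER_DELAY = 48 hours;

    address public owner;
    address public pendingOwner;
    uint256 public transferExecutableAt;   // 0 when no transfer is pending

    event OwnershipTransferProposed(address indexed current, address indexed proposed, uint256 executableAt);
    event OwnershipTransferCancelled(address indexed current, address indexed proposed);
    event OwnershipTransferred(address indexed previous, address indexed next);

    error NotOwner();
    error NotPendingOwner();
    error NothingPending();
    error DelayNotElapsed(uint256 executableAt);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Step 1: the current owner (typically a multisig) proposes a new owner.
    /// Nothing changes yet; the event gives monitors a TRANSFER_DELAY window
    /// to notice an unexpected proposal and react.
    function proposeOwnershipTransfer(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        pendingOwner = newOwner;
        transferExecutableAt = block.timestamp + TRANSFER_DELAY;
        emit OwnershipTransferProposed(owner, newOwner, transferExecutableAt);
    }

    /// The current owner can abort a proposal at any time before it executes.
    /// This is the recovery path if a proposal turns out to be unauthorised.
    function cancelOwnershipTransfer() external onlyOwner {
        if (transferExecutableAt == 0) revert NothingPending();
        emit OwnershipTransferCancelled(owner, pendingOwner);
        delete pendingOwner;
        delete transferExecutableAt;
    }

    /// Step 2: only the proposed address, and only after the delay, can
    /// complete the transfer. Requiring the new owner to act also prevents
    /// handing ownership to an address nobody controls.
    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotPendingOwner();
        if (transferExecutableAt == 0) revert NothingPending();
        if (block.timestamp < transferExecutableAt) revert DelayNotElapsed(transferExecutableAt);
        emit OwnershipTransferred(owner, pendingOwner);
        owner = pendingOwner;
        delete pendingOwner;
        delete transferExecutableAt;
    }
}
```

The delay does not raise the signing threshold, but it changes what a threshold compromise buys: with a 3-of-11 wallet, any three honest signers also form a quorum, so once the `OwnershipTransferProposed` event is seen they have the whole window to call `cancelOwnershipTransfer`. For this to help in practice, the team needs off-chain alerting on that event and signers who verify the decoded transaction on an independent device rather than approving whatever the signing interface displays.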
No.9 Hedgey Finance
Loss amount: 44.70 million USD
Attack method: Contract vulnerability
On April 19, 2024, Hedgey Finance was attacked across multiple on-chain contracts. The hackers exploited a vulnerability in its ClaimCampaigns contract and drained tokens on both Ethereum and Arbitrum, with total losses of 44.70 million USD. The incident demonstrates the importance of code audits, and in particular of strictly verifying token approval logic.
No.10 BingX
Loss amount: 44.70 million USD
Attack method: Private key leakage
On September 19, 2024, the hot wallet of the BingX exchange was hacked, affecting multiple public chains including Ethereum, BNB Chain, and Tron. Although the exchange quickly activated its asset transfer and withdrawal freeze mechanisms, the hackers extracted assets worth 44.70 million USD. The attack reflects the high risk of hot wallet management at centralized exchanges and further pushes the industry to explore safer asset storage solutions.
The frequent security incidents of 2024 remind us once again that the development of the blockchain industry depends on security safeguards. From private key leakage to contract vulnerabilities, from internal management oversights to new external attack methods, each incident carries profound lessons. To cope with increasingly complex threats, all parties in the industry need to keep investing in technology research and development, management standards, and risk prevention. Looking ahead, we hope to build a more secure blockchain ecosystem through industry collaboration and technological innovation, providing more reliable protection for users and investors.