Article Source: Beosin
Original Source: Beosin
In 2024, as the blockchain industry faced growing security challenges alongside technological innovation and ecosystem expansion, total losses in the Web3 space from hacker attacks, phishing scams, and project Rug Pulls reached 2.491 billion USD, according to monitoring by Beosin's Alert platform.
These incidents not only expose technical weaknesses such as poor private key management and smart contract vulnerabilities, but also highlight the risks posed by social engineering and internal management failures. This article reviews the top ten Web3 security incidents of 2024 to help the industry learn from them and respond better to future security threats.
No.1 DMM Bitcoin
Loss Amount: 304 million USD
Attack Method: Private Key Leak
On May 31, 2024, Japan's long-established cryptocurrency exchange DMM Bitcoin suffered a historic attack. The attacker utilized leaked private keys to directly transfer over 300 million USD worth of Bitcoin and quickly dispersed the stolen funds to over 10 different addresses. This attack exposed DMM Bitcoin's severe shortcomings in private key management and multi-layer security protection. Although the exchange attempted to track the hacker through on-chain monitoring and freezing of funds, the stolen Bitcoin was dispersed and laundered using mixing tools, presenting significant challenges for tracking efforts.
On December 24, Japanese police determined that the DMM Bitcoin theft was carried out by the North Korean hacker organization Lazarus Group.
No.2 PlayDapp
Loss Amount: 290 million USD
Attack Method: Private Key Leak
On February 9, 2024, PlayDapp suffered a severe blow, with hackers minting 2 billion PLA tokens through stolen private keys, initially valued at 36.5 million USD. Due to unsuccessful negotiations between the project team and the hackers, the hackers further minted 15.9 billion PLA tokens in a short period, valued at 253.9 million USD. Some of these tokens flowed into Gate exchange, prompting PlayDapp to suspend the PLA contract and migrate to the PDA token contract. This incident highlights deficiencies in blockchain projects concerning private key protection and emergency response to incidents.
No.3 WazirX
Loss Amount: 235 million USD
Attack Method: Network Attacks and Phishing
On July 18, 2024, the Safe Wallet multi-signature wallet of WazirX, India's largest cryptocurrency exchange, was the target of a precisely planned attack. The attackers used social engineering to induce the multi-signature signers to sign a contract upgrade transaction, then used the permissions of the upgraded contract to empty the wallet's assets. This case highlights the risks that multi-signature wallets carry in permission configuration and operational transparency, and prompted in-depth reflection within the industry on internal risk control and security mechanisms.
For a detailed analysis of this incident and the fund tracking, please refer to Beosin's report "Analysis of the 235 million USD Theft Incident of Indian Exchange WazirX".
No.4 Gala Games
Loss Amount: 216 million USD
Attack Method: Access Control Vulnerability
On May 20, 2024, a privileged address of Gala Games was hacked, and the attacker minted 5 billion GALA tokens by calling the mint function in the token contract. Subsequently, the hacker exchanged the minted tokens for ETH in batches, resulting in a direct loss of 216 million USD. The Gala Games team quickly activated the blacklist feature to block some hacker accounts and sought to recover the losses through legal means.
No.5 Chris Larsen (Ripple's co-founder)
Loss Amount: 112 million USD
Attack Method: Private Key Leak
On January 31, 2024, four personal wallets of Ripple co-founder Chris Larsen were hacked, resulting in the theft of 112 million USD worth of XRP. These wallets are suspected to have become targets because they lacked the second layer of protection that a hardware device provides. After the incident, Binance froze 4.2 million USD worth of XRP and assisted Larsen in tracking the stolen assets, but the vast majority of the funds had already been laundered through decentralized exchanges and mixing services.
No.6 Munchables
Loss Amount: 62.5 million USD
Attack Method: Social Engineering Attack
On March 26, 2024, the Blast-based Web3 gaming platform Munchables suffered a rare insider infiltration attack. The attacker was a North Korean hacker posing as a blockchain developer, who gained access to core code and sensitive keys after a long period embedded in the project. Despite the significant losses the attack caused, the hacker ultimately returned all of the stolen funds under pressure from the community and the team. This incident shows the importance of supply chain security, especially for blockchain projects that rely on third-party developers.
No.7 BtcTurk
Loss Amount: 55 million USD
Attack Method: Private Key Leak
On June 22, 2024, Turkey's largest cryptocurrency exchange BtcTurk suffered a private key leak attack, resulting in losses exceeding 55 million USD in cryptocurrency assets. With assistance from the Binance team, 5.3 million USD of the stolen funds was successfully frozen, but other assets have yet to be recovered. This incident deepened market concerns about the private key management of centralized exchanges.
BtcTurk officially released an announcement regarding the attack
No.8 Radiant Capital
Loss Amount: 53 million USD
Attack Method: Private Key Leak
On October 17, 2024, the multi-signature wallet of Radiant Capital was hacked. Because the wallet used a low 3-of-11 signing threshold, an attacker who controlled the private keys of three signers could produce the required off-chain signatures and transfer ownership of the wallet contract to a malicious address, ultimately resulting in the theft of 53 million USD. This attack triggered industry reflection on the design and governance mechanisms of multi-signature wallets.
Before this attack, Radiant Capital had already lost 4.5 million USD due to contract vulnerabilities, with over 1900 ETH stolen. Web3 project teams still need to enhance their focus on security.
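The WazirX and Radiant Capital incidents both turned on signers approving a multi-signature transaction that handed control of the wallet contract to the attacker. As an added example (not code from Beosin or from either project), the following pre-signing check lets a signer review a proposed Safe-style transaction before approving it; the field layout follows Safe's execTransaction (to, value, data, operation), the three selectors are the standard OpenZeppelin/proxy ones, and the allowlist, addresses and sample transactions are constructed for illustration.

```python
# Added example, not Beosin's or either project's code: a pre-signing check for
# a proposed Safe-style multisig transaction. Field layout follows Safe's
# execTransaction (to, value, data, operation); all sample data is constructed.

# Standard 4-byte selectors (first 4 bytes of keccak256 of the signature).
CONTROL_CHANGING_SELECTORS = {
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
    "f2fde38b": "transferOwnership(address)",
}
OP_CALL, OP_DELEGATECALL = 0, 1

def selector(data_hex: str) -> str:
    """Return the 4-byte function selector of calldata as 8 lowercase hex chars."""
    h = data_hex[2:] if data_hex.lower().startswith("0x") else data_hex
    return h[:8].lower()

def review_safe_tx(tx: dict, allowed_targets: set) -> list:
    """Return human-readable findings for the signer; an empty list means no red flags."""
    findings = []
    to = tx["to"].lower()
    if tx.get("operation", OP_CALL) == OP_DELEGATECALL:
        findings.append("delegatecall: target code would run with the wallet's storage and permissions")
    if to not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {to} is not on the signer's allowlist")
    name = CONTROL_CHANGING_SELECTORS.get(selector(tx.get("data", "0x")))
    if name:
        findings.append(f"calls {name}: this changes who controls the contract")
    return findings

# Constructed sample data (placeholder addresses, not real ones).
TOKEN = "0x1111111111111111111111111111111111111111"      # known token contract
RECIPIENT = "0x2222222222222222222222222222222222222222"  # normal payout recipient
UNKNOWN = "0x3333333333333333333333333333333333333333"    # address the signer does not recognise
ALLOWED_TARGETS = {TOKEN}

# Routine ERC-20 transfer(address,uint256) of 1 token to a known recipient.
ROUTINE_TX = {"to": TOKEN, "value": 0, "operation": OP_CALL,
              "data": "0xa9059cbb" + RECIPIENT[2:].rjust(64, "0") + hex(10**18)[2:].rjust(64, "0")}
# Proxy upgrade pointing a contract's logic at an unknown implementation.
UPGRADE_TX = {"to": UNKNOWN, "value": 0, "operation": OP_CALL,
              "data": "0x3659cfe6" + UNKNOWN[2:].rjust(64, "0")}
# Ownership transfer executed via delegatecall, i.e. against the wallet itself.
OWNERSHIP_TX = {"to": UNKNOWN, "value": 0, "operation": OP_DELEGATECALL,
                "data": "0xf2fde38b" + UNKNOWN[2:].rjust(64, "0")}

if __name__ == "__main__":
    for label, tx in [("routine", ROUTINE_TX), ("upgrade", UPGRADE_TX), ("ownership", OWNERSHIP_TX)]:
        print(label, review_safe_tx(tx, ALLOWED_TARGETS) or ["no red flags"])
```

The check is deliberately conservative: any finding should stop the signer and trigger out-of-band confirmation with the other signers, which is the step that social engineering of individual signers relies on skipping.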
No.9 Hedgey Finance
Loss Amount: 44.7 million USD
Attack Method: Contract Vulnerability
On April 19, 2024, Hedgey Finance suffered an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in its ClaimCampaigns contract to drain tokens on both Ethereum and Arbitrum, with total losses of 44.7 million USD. This incident highlights the importance of code auditing, and in particular of strictly verifying token approval logic.
No.10 BingX
Loss Amount: 44.7 million USD
Attack Method: Private Key Leak
On September 19, 2024, the hot wallet of BingX exchange was hacked, involving multiple public chains including Ethereum, BNB Chain, and Tron. Although the exchange quickly activated asset transfer and withdrawal freeze mechanisms, the hacker successfully extracted assets worth 44.7 million USD. This attack reflects the high risk of centralized exchanges' hot wallet management and further drives the industry to explore safer asset storage solutions.
The frequent security incidents of 2024 are a reminder that the blockchain industry cannot develop without security protection. From private key leaks to contract vulnerabilities, and from internal management lapses to increasingly sophisticated external attack methods, each incident carries its own lessons. To address increasingly complex attack threats, all parties in the industry need to keep investing in technology research and development, management standards, and risk prevention. Looking ahead, we hope that industry cooperation and technological innovation will build a more secure blockchain ecosystem that offers users and investors more reliable protection.