*This report is jointly produced by Beosin and Footprint Analytics.

This chapter was written by: Mario from Beosin Research Team

1. Overview of Web3 blockchain security situation in the first half of 2024

According to Beosin Alert monitoring and early warning, total losses in the Web3 field from hacker attacks, phishing scams and project-team Rug Pulls reached 1.54 billion US dollars in the first half of 2024. Of this, 78 major attack incidents accounted for approximately 1.193 billion US dollars, 64 project-team Rug Pull incidents for approximately 119 million US dollars, and phishing scams for approximately 232 million US dollars.

There were three security incidents with losses exceeding $100 million in the first half of 2024. May had the highest loss in the first half of 2024, with a total loss of $450 million.

In terms of the types of projects attacked, CEX suffered the highest losses. The four attacks on CEX caused a total loss of approximately US$392 million, accounting for 32.8% of the total loss from all attacks.

In terms of the amount of losses on each chain, Ethereum is still the chain with the highest amount of losses and the most attacks. 32 attacks on Ethereum caused a loss of $470 million, accounting for 39.4% of the total losses.

In terms of attack methods, there were 22 private key leakage incidents in the first half of the year, causing losses of US$894 million. That is about 75% of the total attack losses, the largest share of any attack type.

Looking at the flow of funds, approximately $470 million (39.3%) of the stolen funds were frozen or recovered. This is a significant improvement from 2023.

Judging from the audit situation, the proportion of audited projects among the attacked projects has increased.

2. Top 10 attack events in the first half of 2024


78 major attacks caused a total of approximately $1.193 billion in losses

In the first half of 2024, Beosin Alert monitored a total of 78 major attacks in the Web3 field, with a total loss of US$1.193 billion. Among them, there were 3 security incidents with losses exceeding US$100 million, 15 incidents with losses between US$10 million and US$100 million, and 33 incidents with losses between US$1 million and US$10 million.

The top 10 hacking incidents in the first half of 2024 (sorted by loss amount):

● DMM Bitcoin - $300 million Attack method: private key leakage Chain platform: BTC

On May 31, Japanese cryptocurrency exchange DMM Bitcoin was attacked and about $300 million worth of Bitcoin was stolen. The hackers dispersed the stolen funds to more than 10 addresses.

● PlayDapp - $290 million Attack method: private key leakage Chain platform: Ethereum

On February 9, the blockchain gaming platform PlayDapp was attacked, and the hacker's address minted 200 million PLA tokens worth $36.5 million. After PlayDapp failed to negotiate with the hacker, the hacker minted another 1.59 billion PLA tokens worth $253.9 million on February 12, and sent part of the funds to the Gate.io exchange. Afterwards, the project suspended the PLA contract and migrated the PLA tokens to PDA tokens.

● Chris Larsen (co-founder of Ripple) - $112 million Attack method: private key leakage Chain platform: XRP

On January 31, Ripple co-founder Chris Larsen said that his four wallets were hacked and a total of about $112 million was stolen. The Binance team has successfully frozen $4.2 million worth of XRP stolen by the attacker.

● Munchables - $62.3 million Attack method: social engineering Chain platform: Blast

On March 26, the Web3 game platform Munchables based on Blast was attacked, resulting in a loss of approximately $62.5 million. It is suspected that the project was attacked because it hired North Korean hackers as developers. All stolen funds have since been returned by the hackers.

● BTCTurk - $55 million Attack method: private key leakage Chain platform: Avalanche

On June 22, Turkish cryptocurrency exchange BTCTurk was hacked, losing approximately $55 million. Binance assisted in freezing more than $5.3 million of the stolen funds.

● Hedgey Finance - $44.7 million Attack method: contract vulnerability Chain platform: Arbitrum

On April 19, Hedgey Finance was hacked, resulting in a loss of approximately $44.7 million.

● FixedFloat - $26.1 million Attack method: security structure vulnerability Chain platform: Ethereum

On February 17, the crypto exchange FixedFloat suffered an attack, losing about $26.1 million. Hackers have transferred most of the stolen funds to the eXch exchange. On February 20, FixedFloat said that the attack "was not committed by our employees, but was an external attack caused by a vulnerability in our security structure."

● Gala Games - $22.5 million Attack method: private key leakage Chain platform: Ethereum

On May 20, the gaming platform Gala Games was attacked, and hackers minted 5 billion GALA tokens, and then quickly sold 592 million GALA. Afterwards, the hackers returned all the $22.5 million they had obtained.

● Lykke - $22 million Attack method: private key leakage Chain platform: Ethereum, BTC

On June 4, British cryptocurrency exchange Lykke suffered "unauthorized access" and lost a total of approximately $22 million.

● Sonne Finance - $20 million Attack method: contract vulnerability Chain platform: Optimism

On May 15, Sonne Finance, a Compound fork project on the Optimism chain, was attacked due to a contract vulnerability, resulting in losses of $20 million.

3. Types of Attacked Projects

CEX is the project type with the highest loss amount

In the first half of 2024, the project type with the highest loss was CEX. Four attacks on CEX caused a total loss of approximately US$392 million, accounting for 32.8% of the total loss from all attacks. Although CEX security incidents are few, the amount stolen each time is huge, which is a severe test for the security of the exchange ecosystem.

The project type with the second-highest losses is gaming platforms. Eight gaming platform hacking incidents caused losses of $389 million, accounting for about 32.6%. Compared with 2023, attacks on Web3 gaming platforms in 2024 have increased significantly.

Of the 78 hacker attacks, 38 occurred in the DeFi field, accounting for about 48.7%, which makes DeFi the project type with the most attacks. These 38 DeFi attacks resulted in a total loss of $157 million, ranking third among all project types.

Other types of projects that were attacked include: DEX, infrastructure, personal wallets, NFT, etc.

4. Amount of losses in each chain

Ethereum is the chain with the highest amount of losses and the most attacks

Similar to 2023, Ethereum is still the public chain with the highest loss in the first half of 2024. 32 attacks on Ethereum caused a loss of $470 million, accounting for 39.4% of the total losses.

The second largest public chain in terms of loss is BTC, which lost a total of $326 million, accounting for 27.3% of the total loss. The BTC loss mainly came from the $300 million theft of DMM Bitcoin, a Japanese exchange.

The third largest public chain in terms of loss is XRP ($112 million), which came from a theft of the wallet of Ripple co-founder Chris Larsen.

Ranked by the number of security incidents, the top three are Ethereum (32 times), BNB Chain (10 times), and Arbitrum (9 times). The number of security incidents on the Arbitrum chain has increased compared to 2023.

5. Analysis of attack methods

75% of the losses came from private key leaks

In the first half of 2024, there were 22 private key leaks, causing losses of $894 million, accounting for about 75% of the total attack losses. As in 2023, the losses caused by private key leaks are still the first among all attack types. The private key leaks that caused large losses include: DMM Bitcoin ($300 million), PlayDapp ($290 million), Ripple co-founder Chris Larsen ($112 million), and BtcTurk ($55 million).

Among the 78 attacks, 43 were caused by contract vulnerability exploitation, accounting for about 55%. The total loss from contract vulnerability exploitation reached $167 million, ranking second.

The third most common attack method in terms of loss was social engineering attacks, with three social engineering attacks causing losses of approximately US$65 million.

According to the vulnerability breakdown, the top three vulnerabilities causing losses are: business logic vulnerabilities (US$81.7 million), access control vulnerabilities (US$25.65 million), and algorithm defects (US$24.05 million). The most frequently occurring vulnerabilities are also business logic vulnerabilities, with 16 of the 43 contract vulnerability attacks being business logic vulnerabilities.

6. Analysis and review of typical anti-money laundering incidents

Analysis of money laundering by the North Korean hacker group Lazarus Group

According to an investigation by cryptocurrency sleuth ZachXBT, North Korea’s Lazarus Group laundered $200 million worth of cryptocurrency into fiat currency between August 2020 and October 2023.

The following reviews the activity of the North Korean hacker group Lazarus Group over the past few years and summarizes its money laundering methods. After stealing crypto assets, the Lazarus Group typically obfuscates the funds by moving them back and forth across chains and then sending them to Tornado Cash. After the obfuscation, the Lazarus Group withdraws the stolen assets to a target address and sends them on to a fixed group of addresses for cash-out. In earlier cases, the stolen crypto assets were mostly deposited to Paxful and Noones deposit addresses and then exchanged for fiat currency through OTC services.

CoinBerry and other attacks

On August 24, 2020, the wallet of Canadian cryptocurrency exchange CoinBerry was stolen.

Hacker Address:

0xA06957c9C8871ff248326A1DA552213AB26A11AE 

On September 11, 2020, due to the leakage of private keys, Unibright experienced unauthorized transfers of $400,000 from multiple wallets controlled by the team.

Hacker Address:

0x6C6357F30FCc3517c2E7876BC609e6d7d5b0Df43

On October 6, 2020, due to a security breach, crypto assets worth $750,000 were transferred without authorization from CoinMetro’s hot wallet.

Hacker Address:

0x044bf69ae74fcd8d1fc11da28adbad82bbb42351

Beosin KYT: Stolen Funds Flow Chart

At the beginning of 2021, funds from various attacks were collected at the following addresses:

0x0864b5ef4d8086cd0062306f39adea5da5bd2603

On January 11, 2021, the 0x0864b5 address deposited 3,000 ETH in Tornado Cash, and then deposited more than 1,800 ETH into Tornado Cash through the 0x1031ffaf5d00c6bc1ee0978eb7ec196b1d164129 address.

Subsequently, from January 11 to January 15, nearly 4,500 ETH were withdrawn from Tornado Cash to the address 0x05492cbc8fb228103744ecca0df62473b2858810.

By 2023, after multiple transfers and exchanges, the attacker had consolidated the funds at the same address used to collect and withdraw the proceeds of other security incidents. According to the fund tracking diagram, the attacker sent the stolen funds to the Noones deposit address and the Paxful deposit address one after another.

Nexus Mutual founder (Hugh Karp) hacked

On December 14, 2020, Nexus Mutual founder Hugh Karp had 370,000 NXM (US$8.3 million) stolen.

Beosin KYT: Stolen Funds Flow Chart

The stolen funds were transferred between the following addresses and exchanged for other funds.

0xad6a4ace6dcc21c93ca9dbc8a21c7d3a726c1fb1 

0x03e89f2e1ebcea5d94c1b530f638cea3950c2e2b 

0x09923e35f19687a524bbca7d42b92b6748534f25 

0x0784051d5136a5ccb47ddb3a15243890f5268482 

0x0adab45946372c2be1b94eead4b385210a8ebf0b 

Lazarus Group used these addresses to obfuscate, disperse, and aggregate funds. For example, some funds were moved to the Bitcoin chain through cross-chain transfers and then moved back to the Ethereum chain through a series of transfers. After that, they were mixed through a mixing platform and then sent to a withdrawal platform.

From December 16 to December 20, 2020, one of the hacker addresses, 0x078405, sent more than 2,500 ETH to Tornado Cash. A few hours later, the address 0x78a9903af04c8e887df5290c91917f71ae028137, identified through feature association, started the withdrawal operation.
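The report does not define "feature association". As an added example (not Beosin's tooling or method), the sketch below assumes it means matching a burst of mixer deposits to a recipient address by timing and volume. The event records, placeholder addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class MixerEvent:
    ts: datetime
    kind: str       # "deposit" or "withdraw"
    address: str    # depositor, or recipient of the withdrawal
    eth: float      # fixed pool denomination moved by this event

def link_withdrawals(events, suspect, window=timedelta(days=7), min_ratio=0.8):
    """Rank recipients whose withdrawals plausibly mirror the suspect's deposits."""
    deposits = sorted((e for e in events
                       if e.kind == "deposit" and e.address == suspect),
                      key=lambda e: e.ts)
    if not deposits:
        return []
    first, last = deposits[0].ts, deposits[-1].ts
    deposited = sum(d.eth for d in deposits)

    by_recipient = defaultdict(list)
    for e in events:
        if e.kind == "withdraw" and first <= e.ts <= last + window:
            by_recipient[e.address].append(e)

    ranked = []
    for addr, outs in by_recipient.items():
        outs.sort(key=lambda e: e.ts)
        withdrawn = sum(o.eth for o in outs)
        ratio = withdrawn / deposited
        # Volume test: recipient takes out most of, but not more than, what went in.
        if not (min_ratio <= ratio <= 1.0):
            continue
        # Causality test: at each withdrawal, cumulative out <= cumulative in so far.
        running, causal = 0.0, True
        for o in outs:
            running += o.eth
            if running > sum(d.eth for d in deposits if d.ts <= o.ts):
                causal = False
                break
        if causal:
            ranked.append((addr, withdrawn, round(ratio, 3), outs[0].ts - first))
    # Best match first: highest volume ratio, then shortest lag after first deposit.
    return sorted(ranked, key=lambda r: (-r[2], r[3]))

def constructed_events():
    """Constructed sample, not chain data: 25 x 100 ETH deposits over four days."""
    t0 = datetime(2020, 12, 16, 8, 0)
    h = lambda n: t0 + timedelta(hours=n)
    ev = [MixerEvent(h(4 * i), "deposit", "0xSUSPECT", 100.0) for i in range(25)]
    ev += [MixerEvent(h(5 + 4 * i), "withdraw", "0xRECIPIENT_A", 100.0) for i in range(24)]
    ev += [MixerEvent(h(10 + 30 * i), "withdraw", "0xNOISE_B", 100.0) for i in range(3)]
    # Right volume, but drained before the suspect had funded it: fails causality.
    ev += [MixerEvent(h(1), "withdraw", "0xNOISE_C", 100.0) for _ in range(24)]
    ev.append(MixerEvent(h(24), "deposit", "0xOTHER_USER", 100.0))
    return ev

if __name__ == "__main__":
    for addr, eth, ratio, lag in link_withdrawals(constructed_events(), "0xSUSPECT"):
        print(addr, eth, ratio, lag)
```

A match from this heuristic is a lead for an analyst to corroborate with other evidence, not proof of common ownership.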

Through transfers and exchanges, the hacker moved part of the funds to the collection and withdrawal address involved in the previous incident.

Afterwards, from May to July 2021, the attacker transferred 11 million USDT to the Bixin deposit address.

From February to March 2023, the attacker sent 2.77 million USDT to the Paxful deposit address through the 0xcbf04b011eebc684d380db5f8e661685150e3a9e address.

From April to June 2023, the attacker sent 8.4 million USDT to the Noones deposit address through the 0xcbf04b011eebc684d380db5f8e661685150e3a9e address.

Steadefi and CoinShift hack

Beosin KYT: Stolen Funds Flow Chart

Steadefi incident attack address

0x9cf71f2ff126b9743319b60d2d873f0e508810dc 

Coinshift attack address

0x979ec2af1aa190143d294b0bfc7ec35d169d845c 

In August 2023, 624 stolen ETH from the Steadefi incident were transferred to Tornado Cash. In the same month, 900 stolen ETH from the Coinshift incident were transferred to Tornado Cash.

After transferring the ETH to Tornado Cash, the attacker immediately withdrew the funds to the following addresses:

0x9f8941cd7229aa3047f05a7ee25c7ce13cbb8c41

0x4e75c46c299ddc74bac808a34a778c863bb59a4e

0xc884cf2fb3420420ed1f3578eaecbde53468f32e

On October 12, 2023, the above three addresses sent the funds withdrawn from Tornado Cash to the address 0x5d65aeb2bd903bee822b7069c1c52de838f11bf8.

In November 2023, the 0x5d65ae address began to transfer funds, and eventually sent the funds to the Paxful deposit address and Noones deposit address through transit and exchange.

7. Analysis of the flow of funds of stolen assets

39.3% of stolen assets were frozen and recovered

According to analysis by the Beosin KYT anti-money laundering platform, approximately US$470 million (39.3%) of the funds stolen in the first half of 2024 were frozen or recovered. This is a significant improvement from 2023.

About $550 million (46.3%) of the stolen funds remain in the hacker's address. As global regulators increase their anti-money laundering efforts, it becomes more difficult for hackers to launder stolen funds, so a considerable number of hackers choose to temporarily keep the stolen funds in on-chain addresses.

About $107.5 million of stolen funds were transferred to exchanges, accounting for about 9%, which is higher than in 2023. A total of $64.14 million (5.4%) was transferred to mixers: $52.43 million was transferred to Tornado Cash; $11.71 million was transferred to other mixers. Compared with last year, the amount of stolen funds laundered through mixers in the first half of 2024 decreased significantly.

8. Project audit situation analysis

The proportion of audited projects has increased

In the first half of 2024, among the 78 attacks, 26 of the projects were not audited, and 49 were audited. The proportion of audited projects is slightly higher than that in 2023, which shows that projects across the Web3 industry are paying more attention to security.

Among the 26 unaudited projects, 15 (57.7%) had contract vulnerabilities. Among the 49 audited projects, 28 (57.1%) had contract vulnerabilities. The overall proportions of the two are roughly the same. Compared with 2023, the overall security audit quality in 2024 has declined.

9. Rug Pull Analysis

64 Rug Pull Incidents Total Losses $119 Million

In the first half of 2024, a total of 64 Rug Pull incidents by project parties were monitored, involving an amount of US$119 million.

The top five Rug pull events in terms of loss amount are: Bitforex ($56.5 million), ZKasino ($33 million), Gemholic ($3.4 million), Hector Network ($2.7 million), and MangoFarm ($2 million). These five Rug Pull events are distributed in four chains: Ethereum, ZKsync, Fantom, and Solana.

The total amount of Rug Pulls on the Ethereum chain reached $96.28 million, accounting for 81% of the total losses. The most Rug Pulls occurred on the BNB Chain, with a total of 31 events, accounting for 48.4% of the total number of events.

10. Summary of Web3 blockchain security situation in the first half of 2024

Compared with the same period in 2023, the total losses caused by hacker attacks, phishing scams, and project Rug Pull in the first half of 2024 increased significantly, reaching 1.54 billion US dollars (the figure was 670 million US dollars in the first half of 2023). The rise in the price of coins in the first half of 2024 has a certain impact on the increase in the total amount, but overall, the situation in the field of Web3 security is still not optimistic.

As in 2023, the most harmful attack type in the first half of 2024 is still private key leakage. About 75% of the losses come from private key leakage incidents. From the perspective of project types, private key leakage incidents are spread across all areas of Web3: game platforms, DeFi, personal wallets, infrastructure, NFT, payment platforms, gambling platforms, data storage platforms, etc. All Web3 project parties/individual users need to be vigilant, store private keys offline, use multi-signatures, use third-party services with caution, and conduct regular security training for privileged employees.

In the first half of the year, 39.3% of the stolen assets were frozen and recovered, which indicates the improvement of the global regulatory system and the strengthening of anti-money laundering efforts. In the first half of the year, only 5.4% of the stolen assets were transferred to various mixers, and another 46.3% of the assets were still retained in the hacker's address, which further illustrates the increasing difficulty for hackers to launder stolen funds. In the first half of the year, 9% of the stolen funds were still transferred to various exchanges, which requires exchanges to identify hacker behavior in a timely manner and actively cooperate with law enforcement agencies and project parties to freeze funds and conduct evidence collection. At present, the cooperation between exchanges and law enforcement agencies, project parties, and security teams has achieved relatively obvious results. I believe that more stolen funds will be recovered in the future.

Of the 78 attacks in the first half of the year, 43 were still from contract vulnerability exploitation. It is recommended that project owners seek audits from professional security companies before going online. As one of the earliest blockchain security companies in the world engaged in formal verification, Beosin focuses on the "security + compliance" full-ecological business and has established branches in more than 10 countries and regions around the world. Its business covers code security audits before project launch, security risk monitoring and blocking during project operation, stolen recovery, virtual asset anti-money laundering (AML), and compliance assessments that meet local regulatory requirements, and other "one-stop" blockchain compliance products + security services.