原文标题:$2.2 Billion Stolen from Crypto Platforms in 2024, but Hacked Volumes Stagnate Toward Year-End as DPRK Slows Activity Post-July

Source: Chainalysis

Original translation: Tao Zhu, Golden Finance

Cryptocurrency hacks remain a persistent threat, with more than $1 billion worth of cryptocurrency stolen in four of the past decade (2018, 2021, 2022, and 2023). 2024 marks the fifth year that this troubling milestone has been reached, highlighting that as cryptocurrency adoption and prices rise, so too does the amount of money that can be stolen.

In 2024, stolen funds increased by approximately 21.07%, reaching $2.2 billion, while the number of individual hacking incidents rose from 282 in 2023 to 303 in 2024.

Interestingly, the intensity of cryptocurrency hacking attacks changed around the first half of this year. In our mid-year crime update, we noted that the cumulative value stolen from January 2024 to July 2024 had reached $1.58 billion, about 84.4% higher than the stolen value during the same period in 2023. As we see in the chart below, by the end of July, the ecosystem was easily on track, potentially rivaling the over $3 billion seen in 2021 and 2022. However, the upward trend in cryptocurrency theft in 2024 notably slowed after July and remained relatively stable. We will later explore the potential geopolitical reasons for this change.

In terms of stolen amounts categorized by victim platform type, interesting patterns also emerged in 2024. In most quarters from 2021 to 2023, decentralized finance (DeFi) platforms were the primary targets of cryptocurrency hackers. DeFi platforms may be more vulnerable to attacks because their developers tend to prioritize rapid growth and bringing products to market over implementing security measures, making them prime targets for hackers.

Although DeFi still accounted for the largest share of stolen assets in the first quarter of 2024, centralized services were the most targeted in the second and third quarters. Some of the most notable centralized service hacks include DMM Bitcoin (May 2024; $305 million) and WazirX (July 2024; $234.9 million).

This shift in focus from DeFi to centralized services underscores the growing importance of security mechanisms commonly used by hackers (such as private keys). In 2024, private key leaks accounted for the largest share of stolen cryptocurrency, reaching 43.8%. For centralized services, ensuring the security of private keys is crucial as they control access to user assets. Given that centralized exchanges manage large amounts of user funds, the impact of a private key leak can be devastating; we only need to look at the $305 million DMM Bitcoin hack, one of the largest cryptocurrency breaches to date, which may have occurred due to poor private key management or insufficient security.

After the leakage of private keys, malicious actors typically launder stolen funds through decentralized exchanges (DEXs), mining services, or mixing services, obfuscating transaction trails and complicating tracking. By 2024, we can see significant differences in the laundering activities of private key hackers compared to those utilizing other attack mediums. For instance, after stealing private keys, these hackers often turn to bridging and mixing services. For other attack mediums, decentralized exchanges are more commonly used for laundering activities.

In 2024, the amount stolen by North Korean hackers from cryptocurrency platforms will be higher than ever before

Hackers associated with North Korea are notorious for their complex and ruthless methods, often utilizing advanced malware, social engineering, and cryptocurrency theft to fund state-sponsored operations and evade international sanctions. U.S. and international officials assess that Pyongyang is using stolen cryptocurrency to fund its weapons of mass destruction and ballistic missile programs, posing a threat to international security. By 2023, North Korean hackers had stolen approximately $660.5 million through 20 incidents; by 2024, this number increased to $1.34 billion across 47 incidents, with the stolen value increasing by 102.88%. These figures accounted for 61% of the total amount stolen that year and 20% of the total number of incidents.

Please note that in last year's report, we released information that North Korea stole $1 billion through 20 hacking attacks. Following further investigation, we determined that some major hacking attacks previously attributed to North Korea may no longer be relevant, reducing the amount to $660.5 million. However, the number of incidents remained unchanged as we identified other smaller hacking attacks attributed to North Korea. Our goal is to continuously reassess our evaluations of hacking incidents related to North Korea as new on-chain and off-chain evidence becomes available.

Unfortunately, North Korea's cryptocurrency attacks appear to be becoming increasingly frequent. In the following chart, we examine the average time between successful DPRK attacks based on the scale of exploitation and find that attacks of various scales have decreased year-on-year. Notably, attacks valued between $50 million and $100 million and those exceeding $100 million occurred far more frequently than in 2023, indicating that North Korea is getting better and faster at conducting large-scale attacks. This contrasts sharply with the previous two years, where profits per attack often fell below $50 million.

When comparing North Korea's activities to all other hacking activities we monitor, it is evident that North Korea has been responsible for most large-scale attacks over the past three years. Interestingly, the lower-value North Korean hacking attacks, particularly those around $10,000, are also steadily increasing.

Some of these incidents appear to be related to North Korean IT professionals who are increasingly infiltrating cryptocurrency and Web3 companies, compromising their networks, operations, and integrity. These employees often employ sophisticated strategies, techniques, and procedures (TTPs), such as false identities, hiring third-party recruitment agencies, and manipulating remote work opportunities to gain access. In a recent case, the U.S. Department of Justice (DOJ) indicted 14 North Korean nationals working remotely in the U.S. The companies earned over $88 million by stealing proprietary information and extorting employers.

To mitigate these risks, companies should prioritize thorough hiring due diligence—including background checks and identity verification—while maintaining strong private key security to protect critical assets (where applicable).

Although all these trends indicate that North Korea has been very active this year, most of its attacks occurred early in the year, with overall hacking activity stagnating in the third and fourth quarters, as shown in the earlier charts.

In late June 2024, Russian President Vladimir Putin and North Korean leader Kim Jong-un will also hold a summit in Pyongyang to sign a mutual defense agreement. So far this year, Russia has released previously frozen millions of dollars in North Korean assets in accordance with United Nations Security Council sanctions, marking the ongoing development of the two countries' alliance. Meanwhile, North Korea has deployed troops to Ukraine and reportedly sought advanced space, missile, and submarine technology from Moscow.

If we compare the average daily losses from DPRK vulnerabilities before and after July 1, 2024, we can see a significant decrease in the amount of stolen value. Specifically, as shown in the chart below, the amount stolen by North Korea decreased by approximately 53.73%, while the amount stolen by non-North Korean actors increased by about 5%. Therefore, aside from shifting military resources to the Ukraine conflict, North Korea, which has significantly strengthened cooperation with Russia in recent years, may also be changing its cybercriminal activities.

The decline in funds stolen by North Korea after July 1, 2024, is evident, and the timing is also clear, but it is noteworthy that this decline may not necessarily be related to Putin's visit to Pyongyang. Additionally, some events occurring in December could alter this pattern by the end of the year, as attackers often launch attacks during holiday periods.

Case Study: North Korea's Attack on DMM Bitcoin

A notable example of a North Korean-related hacking attack in 2024 involved the Japanese cryptocurrency exchange DMM Bitcoin, which was hacked, resulting in a loss of approximately 4,502.9 bitcoins valued at $305 million at the time. The attackers exploited vulnerabilities in the infrastructure used by DMM, leading to unauthorized withdrawals. In response, DMM, with support from its parent company, made full payments to customers by seeking equivalent funds.

We were able to analyze the flow of funds on-chain after the initial attack. In the first stage, we observed the attackers transferring millions of dollars worth of cryptocurrency from DMM Bitcoin to several intermediary addresses before finally reaching Bitcoin CoinJoin mixing servers.

After successfully mixing the stolen funds using Bitcoin CoinJoin mixing services, the attackers transferred part of the funds through some bridging services to Huioneguarantee, an online marketplace associated with the Cambodian corporate group Huione Group, which is a significant player in facilitating cybercrime.

DMM Bitcoin has transferred its assets and customer accounts to SBI VC Trade, a subsidiary of Japan's financial group SBI, with the transition scheduled for completion in March 2025. Fortunately, emerging tools and predictive technologies are rising, which we will explore in the next section to prepare for preventing such destructive hacking attacks.

Using predictive models to prevent hacking attacks

Advanced predictive technologies are transforming cybersecurity by detecting potential risks and threats in real-time, providing a proactive approach to protecting digital ecosystems. Let's look at the example below involving the decentralized liquidity provider UwU Lend.

On June 10, 2024, attackers manipulated UwU Lend's price oracle system to acquire approximately $20 million. The attackers initiated a flash loan attack to alter the price of Ethena Staked USDe (sUSDe) across multiple oracles, resulting in incorrect valuations. Consequently, the attackers were able to borrow millions of dollars within seven minutes. Hexagate detected the attack contract and its similar deployment about two days prior to the exploitation.

Although the attack contract was accurately detected in real-time two days prior to the exploitation, its connection to the exploited contract did not immediately become apparent due to design reasons. Other tools, such as Hexagate's security oracle, can further leverage this early detection to mitigate threats. Notably, the first attack causing an $8.2 million loss occurred just minutes before subsequent attacks, providing another important signal.

Such alerts issued before significant on-chain attacks have the potential to change the security landscape for industry participants, allowing them to completely prevent costly hacking attacks rather than just responding to them.

In the following chart, we see that the attackers transferred the stolen funds through two intermediary addresses before reaching the OFAC-approved Ethereum smart contract mixer Tornado Cash.

However, it is noteworthy that merely accessing these predictive models does not guarantee the prevention of hacking attacks, as protocols may not always have the appropriate tools to take effective action.

Stronger encryption security is needed

The increase in stolen cryptocurrency in 2024 highlights the industry's need to address increasingly complex and evolving threats. While the scale of cryptocurrency theft has not yet returned to the levels seen in 2021 and 2022, the aforementioned resurgence underscores the gaps in existing security measures and the importance of adapting to new exploitation methods. To effectively respond to these challenges, collaboration between the public and private sectors is crucial. Data sharing programs, real-time security solutions, advanced tracking tools, and targeted training can empower stakeholders to quickly identify and eliminate malicious actors while building the resilience needed to protect crypto assets.

Furthermore, as the cryptocurrency regulatory framework continues to evolve, scrutiny over platform security and customer asset protection may intensify. Industry best practices must keep pace with these changes to ensure prevention and accountability. By establishing stronger partnerships with law enforcement and providing teams with rapid response resources and expertise, the cryptocurrency industry can bolster its theft prevention capabilities. These efforts are crucial not only for protecting individual assets but also for building long-term trust and stability in the digital ecosystem.

Original link