Original Title: $2.2 Billion Stolen from Crypto Platforms in 2024, but Hacked Volumes Stagnate Toward Year-End as DPRK Slows Activity Post-July

Original Author: Chainalysis

Original Translation: Tao Zhu, Jinse Finance

Reprinted: Luke, Mars Finance

Cryptocurrency hacking attacks remain an ongoing threat, with four of the past ten years seeing over $1 billion in cryptocurrency stolen (2018, 2021, 2022, and 2023). 2024 marks the fifth year of reaching this disturbing milestone, highlighting that as cryptocurrency adoption and prices rise, the amounts that can be stolen are also increasing.

In 2024, the amount of stolen funds increased by approximately 21.07% year-on-year, reaching $2.2 billion, while the number of individual hacker incidents rose from 282 in 2023 to 303 in 2024.

Interestingly, the intensity of cryptocurrency hacking attacks changed around the first half of this year. In our mid-year crime update, we noted that the cumulative value stolen from January 2024 to July 2024 had reached $1.58 billion, approximately 84.4% higher than the stolen value during the same period in 2023. As we see in the chart below, by the end of July, the ecosystem was easily on track to match the over $3 billion of 2021 and 2022. However, the upward trend in cryptocurrency theft in 2024 clearly slowed after July and remained relatively stable. We will later explore the potential geopolitical reasons for this change.

In terms of the amount stolen, 2024 also exhibits interesting patterns when broken down by the type of victim platform. During most quarters from 2021 to 2023, decentralized finance (DeFi) platforms were the primary targets of cryptocurrency hackers. DeFi platforms may be more vulnerable to attacks because their developers tend to prioritize rapid growth and pushing products to market over implementing security measures, making them prime targets for hackers.

Although DeFi still accounted for the largest share of stolen assets in the first quarter of 2024, centralized services were the most targeted in the second and third quarters. Some of the most notable centralized service hacks include DMM Bitcoin (May 2024; $305 million) and WazirX (July 2024; $234.9 million).

This shift in focus from DeFi to centralized services underscores the increasing importance of security mechanisms commonly used by hackers (such as private keys). In 2024, private key leaks accounted for the largest share of stolen cryptocurrencies, reaching 43.8%. For centralized services, ensuring the security of private keys is crucial, as they control access to users' assets. Given that centralized exchanges manage large amounts of user funds, the impact of private key leaks can be devastating; we only need to look at the $305 million DMM Bitcoin hack, one of the largest cryptocurrency breaches to date, which may have occurred due to poor private key management or lack of sufficient security.

After leaking private keys, malicious actors typically launder stolen funds through decentralized exchanges (DEXs), mining services, or mixing services to obscure transaction trails and complicate tracking. By 2024, we can see that the laundering activities of private key hackers differ significantly from those using other attack vectors. For instance, after stealing private keys, these hackers often turn to bridging and mixing services. For other attack vectors, decentralized exchanges are more commonly used for laundering activities.

In 2024, North Korean hackers will steal more from cryptocurrency platforms than ever before

North Korea-related hackers are notorious for their complex and ruthless methods, often employing advanced malware, social engineering, and cryptocurrency theft to fund state-sponsored operations and evade international sanctions. U.S. and international officials assess that Pyongyang uses stolen cryptocurrencies to fund its weapons of mass destruction and ballistic missile programs, posing a threat to international security. By 2023, North Korea-related hackers had stolen approximately $660.5 million through 20 incidents; by 2024, this number increased to $1.34 billion through 47 incidents, with the stolen value rising by 102.88%. These figures accounted for 61% of the total amount stolen that year and 20% of the total incidents.

Please note that in last year's report, we stated that North Korea had stolen $1 billion through 20 hacking attacks. After further investigation, we determined that some previous large hacks attributed to North Korea may no longer be relevant, thus reducing the amount to $660.5 million. However, the number of incidents remains unchanged as we discovered other smaller hacks attributed to North Korea. As we obtain new on-chain and off-chain evidence, we aim to continuously reassess our evaluations of North Korea-related hacking incidents.

Unfortunately, North Korea's cryptocurrency attacks seem to be becoming increasingly frequent. In the chart below, we examine the average time between successful DPRK attacks based on the scale of exploitation, finding that attacks of various scales have decreased year-on-year. Notably, attacks valued between $50 million and $100 million and those over $100 million occurred much more frequently in 2024 than in 2023, indicating that North Korea has become increasingly proficient and rapid in executing large-scale attacks. This stands in stark contrast to the previous two years, where each of its profits often fell below $50 million.

When comparing North Korea's activities to all other monitored hacking activities, it is clear that North Korea has been responsible for most of the major attacks over the past three years. Interestingly, the amount involved in North Korean hacks is lower, especially with the density of hacks around $10,000 also steadily increasing.

Some of these incidents appear to be linked to North Korean IT practitioners, who are increasingly infiltrating cryptocurrency and Web3 companies, compromising their networks, operations, and integrity. These employees often employ complex strategies, techniques, and procedures (TTPs), such as false identities, hiring third-party recruitment intermediaries, and manipulating remote work opportunities to gain access. In a recent case, the U.S. Department of Justice (DOJ) charged 14 North Korean nationals who worked remotely as IT practitioners in the U.S. Companies earned over $88 million by stealing proprietary information and extorting their employers.

To mitigate these risks, companies should prioritize thorough hiring due diligence—including background checks and identity verification—while maintaining strong private key security to protect critical assets (if applicable).

Although all these trends indicate that North Korea has been very active this year, most of its attacks occurred early in the year, and overall hacking activity stalled in the third and fourth quarters, as shown in earlier charts.

In late June 2024, Russian President Vladimir Putin and North Korean leader Kim Jong-un will also hold a summit in Pyongyang to sign a joint defense agreement. So far this year, Russia has released millions of dollars in previously frozen North Korean assets in accordance with United Nations Security Council sanctions, marking a continuing development of the alliance between the two countries. Meanwhile, North Korea has deployed troops to Ukraine and provided Russia with ballistic missiles, reportedly also seeking advanced space, missile, and submarine technology from Moscow.

Comparing the average daily losses from DPRK exploits before and after July 1, 2024, we can see a significant decrease in the amount of stolen value. As shown in the figure below, the amount stolen by North Korea decreased by approximately 53.73%, while the amount stolen by non-North Korea actors increased by about 5%. Therefore, in addition to shifting military resources toward the Ukraine conflict, North Korea, which has significantly strengthened cooperation with Russia in recent years, may have also changed its cybercriminal activities.

The decline in the funds stolen by North Korea after July 1, 2024, is evident, and the timing is also clear; however, it is worth noting that this decline does not necessarily correlate with Putin's visit to Pyongyang. Additionally, some incidents in December may change this pattern by the year's end, as attackers often launch attacks during holiday periods.

Case Study: North Korea's Attack on DMM Bitcoin

A notable example of a hacking attack related to North Korea in 2024 involved the Japanese cryptocurrency exchange DMM Bitcoin, which was hacked, resulting in a loss of approximately 4,502.9 bitcoins, then worth $305 million. The attackers exploited vulnerabilities in the infrastructure used by DMM, leading to unauthorized withdrawals. In response, DMM, with support from its parent company, paid back customer deposits in full by sourcing equivalent funds.

We were able to analyze the on-chain flow of funds after the initial attack. In the first phase, we observed that the attacker transferred cryptocurrency worth millions of dollars from DMM Bitcoin to several intermediary addresses before finally arriving at the Bitcoin CoinJoin mixing server.

After successfully mixing stolen funds using the Bitcoin CoinJoin mixing service, the attacker transferred part of the funds to Huioneguarantee via some bridging services, an online marketplace associated with the Cambodian business group Huione Group, which is a significant player in facilitating cybercrime.

DMM Bitcoin has transferred its assets and customer accounts to SBI VC Trade, a subsidiary of the Japanese financial group SBI, with the transition scheduled for completion in March 2025. Fortunately, emerging tools and predictive technologies are on the rise, which we will explore in the next section to prepare for preventing such destructive hacking attacks.

Using predictive models to prevent hacking attacks

Advanced predictive technologies are transforming cybersecurity by providing proactive methods to protect digital ecosystems through real-time detection of potential risks and threats. Let's look at the example below, involving the decentralized liquidity provider UwU Lend.

On June 10, 2024, an attacker manipulated the price oracle system of UwU Lend, obtaining approximately $20 million in funds. The attacker initiated a flash loan attack to alter the price of Ethena Staked USDe (sUSDe) across multiple oracles, leading to incorrect valuations. As a result, the attacker was able to borrow millions of dollars within seven minutes. Hexagate detected the attack contract and its similar deployments about two days before the exploit.

Despite the attack contract being accurately detected in real-time two days before the exploit, its connection to the exploited contract did not immediately become apparent due to design reasons. With tools like Hexagate's secure oracle, such early detection can be further leveraged to mitigate threats. Notably, the first attack, which resulted in an $8.2 million loss, occurred just minutes before subsequent attacks, providing another crucial signal.

Alerts issued prior to significant on-chain attacks have the potential to change the security landscape for industry participants, enabling them to prevent costly hacking attacks rather than merely respond to them.

In the chart below, we see that the attackers transferred stolen funds through two intermediary addresses before reaching the OFAC-approved Ethereum smart contract mixer Tornado Cash.

However, it is worth noting that merely accessing these predictive models does not guarantee protection against hacking attacks, as protocols may not always have the appropriate tools to take effective action.

Stronger encryption security needed

The increase in stolen cryptocurrencies in 2024 highlights the industry's need to address an increasingly complex and evolving threat landscape. While the scale of cryptocurrency theft has not recovered to the levels of 2021 and 2022, the aforementioned resurgence underscores the gaps in existing security measures and the importance of adapting to new exploitation methods. Effective responses to these challenges require cooperation between the public and private sectors. Data-sharing programs, real-time security solutions, advanced tracking tools, and targeted training can empower stakeholders to quickly identify and eliminate malicious actors while building the resilience needed to protect crypto assets.

Furthermore, as the regulatory framework for cryptocurrencies continues to evolve, scrutiny over platform security and customer asset protection may intensify. Industry best practices must keep pace with these changes to ensure prevention and accountability. By establishing stronger partnerships with law enforcement and providing teams with rapid response resources and expertise, the cryptocurrency industry can enhance its theft prevention capabilities. These efforts are crucial not only for protecting individual assets but also for establishing long-term trust and stability within the digital ecosystem.