Article source: Golden Finance

Source: Chainalysis

Compiled by: Tao Zhu, Golden Finance

Cryptocurrency hacks remain a persistent threat, with over $1 billion in cryptocurrencies stolen in four of the past ten years (2018, 2021, 2022, and 2023). 2024 will mark the fifth year of reaching this troubling milestone, highlighting that as cryptocurrency adoption and prices rise, so does the amount that can be stolen.

In 2024, stolen funds increased by approximately 21.07%, reaching $2.2 billion, with the number of individual hacking incidents rising from 282 in 2023 to 303 in 2024.

Interestingly, the intensity of cryptocurrency hacks changed around the first half of this year. In our mid-year crime update, we noted that the cumulative value stolen from January 2024 to July 2024 had reached $1.58 billion, approximately 84.4% higher than the stolen value during the same period in 2023. As we see in the chart below, by the end of July, the ecosystem was easily on track for a year comparable to the $3 billion of 2021 and 2022. However, the upward trend of stolen cryptocurrency in 2024 clearly slowed after July and remained relatively stable thereafter. Later, we will explore the potential geopolitical reasons for this change.

In terms of stolen amounts categorized by victim platform type, interesting patterns also emerged in 2024. Throughout most quarters from 2021 to 2023, decentralized finance (DeFi) platforms were the primary targets of cryptocurrency hackers. DeFi platforms may be more vulnerable to attacks as their developers tend to prioritize rapid growth and getting products to market over implementing security measures, making them prime targets for hackers.

Although DeFi still accounted for the largest share of stolen assets in the first quarter of 2024, centralized services were the most targeted in the second and third quarters. Some of the most notable centralized service hacks include DMM Bitcoin (May 2024; $305 million) and WazirX (July 2024; $234.9 million).

This shift in focus from DeFi to centralized services highlights the increasing importance of security mechanisms commonly used by hackers (such as private keys). In 2024, private key leaks accounted for the largest share of stolen cryptocurrency at 43.8%. For centralized services, ensuring the security of private keys is crucial, as they control access to user assets. Given that centralized exchanges manage significant user funds, the impact of private key leaks can be devastating; we need only look at the DMM Bitcoin hack, valued at $305 million, which is one of the largest cryptocurrency breaches to date, possibly due to poor private key management or lack of adequate security.

After private keys are leaked, malicious actors typically launder stolen funds through decentralized exchanges (DEXs), mining services, or mixing services, obscuring transaction trails and complicating tracking. By 2024, we can see that the laundering activities of private key hackers differ significantly from those of hackers using other attack mediums. For example, after stealing private keys, these hackers often turn to bridging and mixing services. In contrast, decentralized exchanges are more commonly used for laundering activities by hackers using other attack mediums.

In 2024, the amount stolen by North Korean hackers from cryptocurrency platforms will be higher than ever before.

North Korean hackers are notorious for their sophisticated and relentless methods, often employing advanced malware, social engineering, and cryptocurrency theft to fund state-sponsored operations and evade international sanctions. U.S. and international officials estimate that Pyongyang uses stolen cryptocurrencies to fund its weapons of mass destruction and ballistic missile programs, posing a threat to international security. By 2023, North Korean hackers had stolen approximately $660.5 million through 20 incidents; by 2024, this figure increased to $1.34 billion over 47 incidents, representing a 102.88% increase in stolen value. These numbers accounted for 61% of the total stolen amount that year, comprising 20% of the total incidents.

Please note that in last year's report, we published information that North Korea stole $1 billion through 20 hacking incidents. After further investigation, we determined that some of the large hacks previously attributed to North Korea may no longer be relevant, thus reducing the amount to $660.5 million. However, the number of incidents remained unchanged as we identified other smaller hacks attributed to North Korea. As we obtain new on-chain and off-chain evidence, our aim is to continually reassess our evaluations of hacking incidents related to North Korea.

Unfortunately, North Korea's cryptocurrency attacks seem to be becoming increasingly frequent. In the diagram below, we examine the average time between successful DPRK attacks based on the scale of exploitation, finding that attacks of various scales have decreased year-on-year. Notably, attacks valued between $50 million and $100 million and those over $100 million occurred much more frequently in 2024 than in 2023, indicating that North Korea is improving and speeding up its large-scale attacks. This starkly contrasts with the previous two years, where profits per attack often fell below $50 million.

When comparing North Korea's activities to all other hacking activities we monitor, it is clear that North Korea has been responsible for the majority of large-scale attacks over the past three years. Interestingly, the amounts involved in North Korean hacker attacks are lower, particularly with an increasing density of hacks around the $10,000 mark.

Some of these incidents appear to be related to North Korean IT practitioners, who are increasingly infiltrating cryptocurrency and Web3 companies, compromising their networks, operations, and integrity. These employees often employ sophisticated strategies, techniques, and procedures (TTPs), such as false identities, hiring third-party recruitment agencies, and manipulating remote work opportunities to gain access. In a recent case, the U.S. Department of Justice (DOJ) charged 14 North Korean nationals working as remote IT practitioners in the United States on Wednesday. The companies earned over $88 million by stealing proprietary information and extorting employers.

To mitigate these risks, companies should prioritize thorough hiring due diligence—including background checks and identity verification—while maintaining strong private key security to protect critical assets (if applicable).

Although all these trends indicate that North Korea has been very active this year, most of its attacks occurred at the beginning of the year, and overall hacking activity stagnated in the third and fourth quarters, as shown in earlier charts.

In late June 2024, Russian President Vladimir Putin and North Korean leader Kim Jong-un will also hold a summit in Pyongyang to sign a mutual defense agreement. So far this year, Russia has released millions of dollars' worth of previously frozen North Korean assets in accordance with United Nations Security Council sanctions, marking the ongoing development of the alliance between the two countries. Meanwhile, North Korea has deployed troops to Ukraine, provided ballistic missiles to Russia, and reportedly sought advanced space, missile, and submarine technology from Moscow.

If we compare the average daily losses from DPRK exploits before and after July 1, 2024, we can see a significant decrease in the value of stolen funds. Specifically, as shown in the figure below, the amount stolen by North Korea decreased by approximately 53.73%, while the amount stolen by non-North Koreans increased by about 5%. Thus, in addition to redirecting military resources towards the conflict in Ukraine, North Korea, which has significantly strengthened its cooperation with Russia in recent years, may also be changing its cybercriminal activities.

The decline in funds stolen by North Korea after July 1, 2024, is evident, and the timing is also clear; however, it is worth noting that this decline may not necessarily be related to Putin's visit to Pyongyang. Additionally, some events occurring in December may change this pattern by the end of the year, and attackers often launch assaults during holiday periods.

Case Study: North Korea's Attack on DMM Bitcoin

A notable example of a North Korean-related hack in 2024 involved the Japanese cryptocurrency exchange DMM Bitcoin, which was hacked, resulting in the loss of approximately 4,502.9 bitcoins, valued at $305 million at the time. The attackers exploited vulnerabilities in the infrastructure used by DMM, leading to unauthorized withdrawals. In response, DMM, with the support of its parent company, sought equivalent funds to fully reimburse customers.

We were able to analyze the flow of funds on-chain after the initial attack. In the first phase, we observed that the attackers transferred millions of dollars' worth of cryptocurrency from DMM Bitcoin to several intermediary addresses, eventually reaching Bitcoin CoinJoin mixing servers.

After successfully mixing stolen funds using Bitcoin CoinJoin mixing services, the attackers transferred part of the funds to Huioneguarantee via some bridging services, an online market associated with the Cambodian corporate group Huione Group, a significant player in facilitating cybercrime.

DMM Bitcoin has transferred its assets and customer accounts to SBI VC Trade, a subsidiary of the Japanese financial group SBI, with the transition scheduled for completion in March 2025. Fortunately, emerging tools and predictive technologies are on the rise, which we will explore in the next section, preparing for the prevention of such destructive hacking attacks.

Using predictive models to prevent hacking attacks

Advanced predictive technologies are transforming cybersecurity by providing proactive approaches to protect digital ecosystems through real-time detection of potential risks and threats. Let's look at the example below, involving the decentralized liquidity provider UwU Lend.

On June 10, 2024, attackers manipulated the price oracle system of UwU Lend to acquire approximately $20 million in funds. The attackers launched a flash loan attack to alter the price of Ethena Staked USDe (sUSDe) across multiple oracles, resulting in incorrect valuations. As a result, the attackers were able to borrow millions of dollars within seven minutes. Hexagate detected the attack contracts and their similar deployments about two days before the exploit.

Although the attack contracts were accurately detected in real time two days before the exploitation, their connection to the exploited contract did not become apparent immediately due to design reasons. Additional tools like Hexagate's secure oracle could further leverage this early detection to mitigate threats. Notably, the first attack that resulted in an $8.2 million loss occurred just minutes before subsequent attacks, providing another significant signal.

Such alerts issued before significant on-chain attacks have the potential to change the security of industry participants, enabling them to fully prevent costly hacking attacks rather than merely responding to them.

In the diagram below, we see that the attackers transferred stolen funds through two intermediary addresses before they reached the OFAC-approved Ethereum smart contract mixer Tornado Cash.

However, it is worth noting that simply accessing these predictive models does not guarantee the prevention of hacking attacks, as protocols may not always have the appropriate tools to take effective action.

Stronger encryption security is needed.

The increase in stolen cryptocurrency in 2024 underscores the industry's need to address an increasingly complex and evolving threat landscape. While the scale of cryptocurrency theft has not yet returned to the levels of 2021 and 2022, the aforementioned resurgence highlights gaps in existing security measures and the importance of adapting to new exploitation methods. To effectively tackle these challenges, collaboration between the public and private sectors is essential. Data-sharing initiatives, real-time security solutions, advanced tracking tools, and targeted training can empower stakeholders to quickly identify and eliminate malicious actors while building the resilience needed to protect crypto assets.

Additionally, as the regulatory framework for cryptocurrencies continues to evolve, scrutiny over platform security and customer asset protection may intensify. Industry best practices must keep pace with these changes to ensure prevention and accountability. By establishing stronger partnerships with law enforcement and providing teams with resources and expertise for rapid response, the cryptocurrency industry can bolster its theft prevention capabilities. These efforts are crucial not only for protecting individual assets but also for establishing long-term trust and stability in the digital ecosystem.