Written by: Beosin
In 2024, the blockchain industry faced increasingly severe security challenges alongside technological innovation and ecosystem expansion. According to monitoring by Beosin's Alert platform, as of the time of publication, total losses in the Web3 field from hacker attacks, phishing scams, and project rug pulls reached $2.491 billion.
These incidents not only expose technical weaknesses in areas such as private key management and smart contract security, but also highlight the risks posed by social engineering and internal management failures. This article reviews the top ten Web3 security incidents of 2024 so that the industry can learn from them and better cope with future security threats.
No.1 DMM Bitcoin
Loss amount: $304 million
Attack method: Private key leak
On May 31, 2024, DMM Bitcoin, a well-established Japanese cryptocurrency exchange, suffered a historic attack. The attackers used leaked private keys to directly transfer more than $300 million worth of Bitcoin and quickly dispersed the stolen funds across more than 10 different addresses. The attack exposed serious deficiencies in DMM Bitcoin's private key management and layered security controls. Although the exchange attempted to track the hackers through on-chain monitoring and fund freezing, the stolen Bitcoin was split up and laundered through mixing tools, making tracing very difficult.
On December 24, Japanese police determined that the DMM Bitcoin theft was perpetrated by the North Korean hacker group Lazarus Group. For a detailed analysis of Lazarus Group's past attacks and money laundering, please read (Unveiling the most audacious cryptocurrency theft gang in history, analysis of hacker organization Lazarus Group's money laundering).
No.2 PlayDapp
Loss amount: $290 million
Attack method: Private key leak
On February 9, 2024, PlayDapp was severely impacted when hackers used stolen private keys to mint 2 billion PLA tokens, initially valued at $36.5 million. After negotiations with the hackers failed, they minted a further 15.9 billion PLA tokens within a short period, valued at $253.9 million. After some of these tokens flowed into the Gate exchange, PlayDapp was forced to pause the PLA contract and migrate to the PDA token contract. The incident highlights the shortcomings of blockchain projects in private key protection and incident response.
No.3 WazirX
Loss amount: $235 million
Attack method: Network attack and phishing
On July 18, 2024, the Safe Wallet multi-signature wallet of WazirX, India's largest cryptocurrency exchange, was the target of a precisely planned attack. Through social engineering, the attackers induced the multi-signature signers to sign a contract upgrade transaction, then used the upgraded contract's privileges to drain the wallet's assets. The case highlights the risks that multi-signature wallets carry in privilege configuration and operational transparency, and has prompted deeper reflection across the industry on projects' internal risk control and security mechanisms.
For a detailed analysis and fund tracking of this incident, please read (Beosin | Analysis of the $235 million theft incident of Indian exchange WazirX).
No.4 Gala Games
Loss amount: $216 million
Attack method: Access control vulnerability
On May 20, 2024, a privileged address of Gala Games was compromised, and the attacker called the mint function in the token contract to mint 5 billion GALA tokens at once. The hacker then exchanged the minted tokens for ETH in batches, causing a direct loss of $216 million. The Gala Games team urgently activated the blacklist feature to block some of the hacker's accounts and recovered losses through judicial means.
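As an added example (not Beosin's or any project's code), here is the kind of monitoring rule that could flag mints like those in the PlayDapp and Gala Games incidents above: ERC-20 mints are read as transfers from the zero address, and a mint that is large relative to supply, either alone or cumulatively within a time window, raises an alert. The event stream, addresses, supply figure and thresholds are all constructed for illustration.

```python
# Added monitoring example, not Beosin's or any project's code. Events are
# constructed in the shape of ERC-20 Transfer(from, to, value) logs; a mint is
# a transfer whose sender is the zero address. All addresses/values are made up.
from collections import deque

ZERO_ADDRESS = "0x" + "0" * 40
TREASURY, UNKNOWN = "0x" + "11" * 20, "0x" + "22" * 20   # placeholder addresses
INITIAL_SUPPLY = 1_000_000_000                           # constructed supply

def detect_mint_anomalies(events, initial_supply, single_pct=1.0,
                          window_secs=3600, window_pct=5.0):
    """Flag mints that are large relative to supply, singly or cumulatively.

    events: dicts with ts (unix seconds, ascending), src, dst, value.
    single_mint: one mint above single_pct of the supply before it.
    window_mint: mints in the last window_secs above window_pct of the
    supply as it stood when the window opened (catches drip-minting).
    Returns (alerts, final_supply); initial_supply must be positive."""
    supply, window, alerts = initial_supply, deque(), []
    for ev in events:
        if ev["src"] != ZERO_ADDRESS:
            continue                       # ordinary transfer, not a mint
        ts, value = ev["ts"], ev["value"]
        while window and ts - window[0][0] > window_secs:
            window.popleft()               # expire mints outside the window
        window_sum = sum(v for _, v in window)
        baseline = supply - window_sum     # supply when the window opened
        if value * 100 > supply * single_pct:
            alerts.append({"rule": "single_mint", "ts": ts,
                           "pct": 100 * value / supply})
        if (window_sum + value) * 100 > baseline * window_pct:
            alerts.append({"rule": "window_mint", "ts": ts,
                           "pct": 100 * (window_sum + value) / baseline})
        window.append((ts, value))
        supply += value
    return alerts, supply

# Constructed stream: a routine transfer, two small treasury mints, a burst of
# six individually sub-threshold mints, then one oversized mint.
SAMPLE_EVENTS = (
    [{"ts": 1000, "src": TREASURY, "dst": UNKNOWN, "value": 5_000_000},
     {"ts": 1100, "src": ZERO_ADDRESS, "dst": TREASURY, "value": 4_000_000},
     {"ts": 1200, "src": ZERO_ADDRESS, "dst": TREASURY, "value": 4_000_000}]
    + [{"ts": 3000 + 60 * i, "src": ZERO_ADDRESS, "dst": UNKNOWN,
        "value": 9_000_000} for i in range(6)]
    + [{"ts": 9000, "src": ZERO_ADDRESS, "dst": UNKNOWN, "value": 2_000_000_000}]
)

if __name__ == "__main__":
    print(detect_mint_anomalies(SAMPLE_EVENTS, INITIAL_SUPPLY)[0])
```

The burst trips only the window rule (each lot is under 1% but the window total passes 5%), while the final mint trips both rules; thresholds should be tuned to the token's normal issuance schedule.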
No.5 Chris Larsen (Ripple's co-founder)
Loss amount: $112 million
Attack method: Private key leak
On January 31, 2024, four personal wallets of Ripple co-founder Chris Larsen were hacked, resulting in the theft of $112 million worth of XRP. The wallets are suspected to have been targeted because they lacked the additional protection of hardware devices. After the incident, Binance successfully froze $4.2 million worth of XRP and assisted Larsen in tracking the stolen assets, but the vast majority of the funds were laundered through decentralized exchanges and mixing services.
No.6 Munchables
Loss amount: $62.5 million
Attack method: Social engineering attack
On March 26, 2024, the Blast-based Web3 gaming platform Munchables suffered a rare insider infiltration attack. The attacker was a North Korean hacker posing as a blockchain developer, who obtained core code and sensitive keys through long-term infiltration. Despite the significant losses incurred, the hacker ultimately returned all stolen funds under pressure from the community and the team. The incident underscores the importance of supply chain security, especially for blockchain projects that rely on third-party developers.
No.7 BtcTurk
Loss amount: $55 million
Attack method: Private key leak
On June 22, 2024, Turkey's largest cryptocurrency exchange BtcTurk suffered a private key leak attack, resulting in losses exceeding $55 million in crypto assets. With the assistance of the Binance team, $5.3 million of the stolen funds were successfully frozen, but other assets remain unrecovered. This incident deepened market concerns about private key management in centralized exchanges.
BtcTurk official announcement of the attack
No.8 Radiant Capital
Loss amount: $53 million
Attack method: Private key leak
On October 17, 2024, Radiant Capital's multi-signature wallet was breached by hackers. Because the wallet used a low-threshold 3/11 signature verification model, the hackers, having gained control of three signers' private keys, produced off-chain signatures that transferred ownership of the wallet contract to a malicious address, ultimately leading to a theft of $53 million. The attack prompted industry reflection on the design and governance mechanisms of multi-signature wallets.
Before this attack, Radiant Capital had already lost $4.5 million (over 1,900 ETH) to a contract vulnerability. Web3 project teams still need to pay closer attention to security.
No.9 Hedgey Finance
Loss amount: $44.7 million
Attack method: Contract vulnerability
On April 19, 2024, Hedgey Finance suffered attacks targeting multiple on-chain contracts. Hackers exploited an approval vulnerability in its ClaimCampaigns contract to extract tokens on Ethereum and Arbitrum, with total losses amounting to $44.7 million. The incident highlights the importance of code audits, especially strict verification of token approval logic.
No.10 BingX
Loss amount: $44.7 million
Attack method: Private key leak
On September 19, 2024, the hot wallet of the BingX exchange was hacked, involving multiple chains including Ethereum, BNB Chain, and Tron. Although the exchange quickly initiated asset transfer and withdrawal freeze mechanisms, the hackers successfully extracted assets valued at $44.7 million. This attack reflects the high risks associated with the management of hot wallets in centralized exchanges and further pushes the industry to explore safer asset storage solutions.
The frequent security incidents of 2024 remind us that the blockchain industry cannot develop without sound security protection. From private key leaks to contract vulnerabilities, from internal management oversights to ever more sophisticated external attack methods, each incident carries profound lessons. To cope with increasingly complex threats, all parties in the industry need to keep strengthening their investment in technological research and development, management standards, and risk prevention. Looking ahead, we hope that industry collaboration and technological innovation will build a more secure blockchain ecosystem and provide more reliable protection for users and investors.