Original source: Beosin
In 2024, the blockchain industry faced increasingly severe security challenges alongside technological innovation and ecosystem expansion. According to monitoring by Beosin's Alert platform, as of the time of writing, total Web3 losses from hacker attacks, phishing scams, and project rug pulls had reached $2.491 billion.
These incidents expose not only technical flaws such as weak private key management and smart contract vulnerabilities, but also the risks posed by social engineering and lax internal controls. This article reviews the top ten Web3 security incidents of 2024 so that the industry can learn from them and respond better to future threats.
No.1 DMM Bitcoin
Loss amount: $304 million
Attack method: Private key leak
On May 31, 2024, the long-established Japanese cryptocurrency exchange DMM Bitcoin suffered its largest attack on record. Using leaked private keys, the attackers transferred out more than $300 million worth of Bitcoin directly and quickly dispersed the stolen funds across more than ten addresses. The attack exposed serious gaps in DMM Bitcoin's private key management and layered security controls. Although the exchange tried to trace the attacker through on-chain monitoring and to have funds frozen, the stolen Bitcoin was split up and laundered through mixing services, which made tracing very difficult.
On December 24, the Japanese police identified the DMM Bitcoin theft incident as being perpetrated by the North Korean hacker organization Lazarus Group.
No.2 PlayDapp
Loss amount: $290 million
Attack method: Private key leak
On February 9, 2024, PlayDapp was hit hard: using stolen private keys, attackers minted 200 million PLA tokens, initially valued at $36.5 million. After negotiations between the project team and the attackers failed, the attackers minted a further 1.59 billion PLA within a short period, worth $253.9 million. Part of these tokens flowed into the Gate exchange, forcing PlayDapp to suspend the PLA contract and migrate to the new PDA token contract. The incident highlights deficiencies in private key protection and emergency response among blockchain projects.
No.3 WazirX
Loss amount: $235 million
Attack method: Cyber attack and phishing
On July 18, 2024, hackers targeted the Safe multi-signature wallet of WazirX, India's largest cryptocurrency exchange. Through social engineering, the attackers induced the multi-signature signers to sign a transaction that upgraded the wallet contract, then used the upgraded contract's permissions to drain the wallet's assets. The case highlights the risks of permission configuration and operational transparency in multi-signature wallets, and prompted the industry to reflect on internal risk control and security mechanisms.
For a detailed analysis of this incident and the fund tracing, see Beosin's report (Beosin | Analysis of the $235 million theft incident at the Indian exchange WazirX).
No.4 Gala Games
Loss amount: $216 million
Attack method: Access control vulnerability
On May 20, 2024, a privileged address of Gala Games was compromised. The attacker called the token contract's mint function, minting 5 billion GALA tokens in one transaction, then swapped the newly minted tokens for ETH in batches, causing a direct loss of $216 million. After the incident, the Gala Games team urgently activated the contract's blacklist feature to block some of the attacker's accounts and pursued recovery of the losses through legal means.
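The Gala Games case turns on a single privileged address being able to mint without limit. As an added illustration (constructed for this article, not Gala Games' contract code), the following Solidity shows that pattern beside a hardened variant: the minter role is held by a separate address (assumed to be a multisig or timelock), minting is bounded by a hard cap and a per-epoch budget, and the admin that rotates the minter cannot mint itself. Contract, function and variable names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration, not Gala Games' contract: one privileged key can
// mint without any ceiling, so a single compromised key inflates supply at will.
contract UncappedMintToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    address public admin; // typically an EOA: one key, no second factor

    constructor() { admin = msg.sender; }

    function mint(address to, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        totalSupply += amount;       // no cap, no rate limit
        balanceOf[to] += amount;
    }
}

// Hardened variant (illustrative): the minter is expected to be a multisig or
// timelock contract (assumed deployment choice), minting is bounded by a hard
// max supply and a rolling per-epoch budget, and the admin that can rotate the
// minter is a different address that cannot mint.
contract CappedMintToken {
    uint256 public immutable maxSupply;
    uint256 public immutable epochMintLimit;
    uint256 public constant EPOCH = 1 days;

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    address public admin;   // governance: rotates the minter, cannot mint
    address public minter;  // expected to be a multisig or timelock

    uint256 public currentEpoch;
    uint256 public mintedThisEpoch;

    event Minted(address indexed to, uint256 amount, uint256 epoch);
    event MinterChanged(address indexed previous, address indexed next);

    constructor(address minter_, uint256 maxSupply_, uint256 epochMintLimit_) {
        require(minter_ != address(0), "zero minter");
        require(epochMintLimit_ <= maxSupply_, "limit above cap");
        admin = msg.sender;
        minter = minter_;
        maxSupply = maxSupply_;
        epochMintLimit = epochMintLimit_;
    }

    function setMinter(address next) external {
        require(msg.sender == admin, "not admin");
        require(next != address(0), "zero minter");
        emit MinterChanged(minter, next);
        minter = next;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        require(to != address(0), "zero recipient");
        require(totalSupply + amount <= maxSupply, "exceeds max supply");

        // Reset the budget when a new epoch starts, then enforce it.
        uint256 epoch = block.timestamp / EPOCH;
        if (epoch != currentEpoch) {
            currentEpoch = epoch;
            mintedThisEpoch = 0;
        }
        require(mintedThisEpoch + amount <= epochMintLimit, "epoch mint limit");
        mintedThisEpoch += amount;

        totalSupply += amount;
        balanceOf[to] += amount;
        emit Minted(to, amount, epoch);
    }
}
```

A compromised minter key can still mint up to the epoch budget, so the limit has to be sized to real operational need; the point of the cap and budget is to turn a one-shot, catastrophic inflation into a bounded event that monitoring (the `Minted` event) can catch before the next epoch.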
No.5 Chris Larsen (Ripple's co-founder)
Loss amount: $112 million
Attack method: Private key leak
On January 31, 2024, four personal wallets belonging to Ripple co-founder Chris Larsen were compromised and $112 million in XRP was stolen. The wallets are suspected to have been targeted because they lacked the additional protection of a hardware device. After the incident, Binance froze $4.2 million worth of XRP and helped Larsen trace the stolen assets, but the vast majority of the funds had already been laundered through decentralized exchanges and mixing services.
No.6 Munchables
Loss amount: $62.5 million
Attack method: Social engineering attack
On March 26, 2024, Munchables, a Web3 gaming platform built on Blast, suffered an unusual insider attack. The attacker, posing as a blockchain developer, gained access to core code and sensitive keys through long-term infiltration of the team. Despite the scale of the loss, the attacker ultimately returned all stolen funds under pressure from the community and the team. The incident shows the importance of supply chain and insider security, especially for blockchain projects that rely on third-party developers.
No.7 BtcTurk
Loss amount: $55 million
Attack method: Private key leak
On June 22, 2024, Turkey's largest cryptocurrency exchange, BtcTurk, was attacked following a private key leak and lost more than $55 million in crypto assets. With assistance from the Binance team, $5.3 million of the stolen funds was frozen, but the remaining assets have yet to be recovered. The incident deepened market concerns about private key management at centralized exchanges.
BtcTurk officially released an announcement regarding the attack
No.8 Radiant Capital
Loss amount: $53 million
Attack method: Private key leak
On October 17, 2024, Radiant Capital's multi-signature wallet was compromised. The wallet used a low-threshold 3-of-11 signing model, so once the attackers controlled the private keys of three signers they could produce the off-chain signatures needed to transfer ownership of the wallet contract to a malicious address, after which $53 million was stolen. The attack has prompted the industry to reconsider the design and governance of multi-signature wallets.
Before this attack, Radiant Capital had already lost $4.5 million (over 1,900 ETH) to a contract vulnerability. Security awareness among Web3 project teams still has room to improve.
No.9 Hedgey Finance
Loss amount: $44.7 million
Attack method: Contract vulnerability
On April 19, 2024, Hedgey Finance was attacked across several of its on-chain contracts. The attackers exploited an approval vulnerability in its ClaimCampaigns contract to extract tokens on both Ethereum and Arbitrum, for total losses of $44.7 million. The incident underscores the importance of code audits, in particular strict review of token approval logic.
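The article names the root cause only as an approval vulnerability in the ClaimCampaigns contract. As an added illustration of that vulnerability class (constructed for this article, not Hedgey's code), the following Solidity shows a campaign contract that grants an ERC-20 allowance to a caller-chosen address and refunds on cancel without revoking it, beside a hardened variant that grants no standing allowance at all and only pushes tokens to an admin-registered locker. Contract, function and struct names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Constructed illustration of the vulnerability class, not Hedgey's contract.
// The creator supplies the address that will later pull tokens; the contract
// approves it for the full amount, and cancelling refunds the deposit without
// revoking that approval. The caller-chosen `locker` is left with a live
// allowance against every token of that kind the contract still custodies.
contract VulnerableCampaigns {
    struct Campaign { address manager; address token; address locker; uint256 amount; }
    mapping(bytes32 => Campaign) public campaigns;

    function create(bytes32 id, address token, address locker, uint256 amount) external {
        require(campaigns[id].manager == address(0), "exists");
        campaigns[id] = Campaign(msg.sender, token, locker, amount);
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        require(IERC20(token).approve(locker, amount), "approve failed"); // spender chosen by caller
    }

    function cancel(bytes32 id) external {
        Campaign memory c = campaigns[id];
        require(msg.sender == c.manager, "not manager");
        delete campaigns[id];
        require(IERC20(c.token).transfer(c.manager, c.amount), "refund failed");
        // BUG: the allowance granted to c.locker in create() is never revoked.
    }
}

// Hardened variant (illustrative): no approve() is ever issued. Tokens only
// leave the contract by explicit transfer, either back to the manager on
// cancel or to a locker the admin has registered in advance, and state is
// cleared before any external call.
contract HardenedCampaigns {
    struct Campaign { address manager; address token; address locker; uint256 amount; }
    mapping(bytes32 => Campaign) public campaigns;
    mapping(address => bool) public registeredLocker;
    address public immutable admin;

    constructor() { admin = msg.sender; }

    function setLocker(address locker, bool allowed) external {
        require(msg.sender == admin, "not admin");
        registeredLocker[locker] = allowed;
    }

    function create(bytes32 id, address token, address locker, uint256 amount) external {
        require(registeredLocker[locker], "locker not registered");
        require(campaigns[id].manager == address(0), "exists");
        require(amount > 0, "zero amount");
        campaigns[id] = Campaign(msg.sender, token, locker, amount);
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        // No approve(): nothing outside this contract can pull these tokens.
    }

    // Funds move to the locker only when the manager explicitly releases them.
    function release(bytes32 id) external {
        Campaign memory c = campaigns[id];
        require(msg.sender == c.manager, "not manager");
        delete campaigns[id];                      // effects before interaction
        require(IERC20(c.token).transfer(c.locker, c.amount), "push failed");
    }

    function cancel(bytes32 id) external {
        Campaign memory c = campaigns[id];
        require(msg.sender == c.manager, "not manager");
        delete campaigns[id];
        require(IERC20(c.token).transfer(c.manager, c.amount), "refund failed");
    }
}
```

The audit check this suggests is mechanical: for every `approve`/`increaseAllowance` a contract issues, confirm who controls the spender address and find the code path that sets the allowance back to zero when the underlying balance is returned or consumed. A standing allowance to a caller-supplied address, with no revocation on the refund path, is the shape to look for.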
No.10 BingX
Loss amount: $44.7 million
Attack method: Private key leak
On September 19, 2024, a hot wallet of the BingX exchange was compromised, affecting multiple chains including Ethereum, BNB Chain, and Tron. Although the exchange quickly moved assets and froze withdrawals, the attackers extracted assets worth $44.7 million. The attack reflects the high risk of hot wallet management at centralized exchanges and is pushing the industry to explore safer asset storage solutions.
The frequent security incidents of 2024 are a reminder that the growth of the blockchain industry depends on sound security. From private key leaks to contract vulnerabilities, and from lapses in internal management to ever more sophisticated external attacks, each incident carries a hard lesson. To cope with increasingly complex threats, all parties in the industry need to keep investing in technical research and development, management controls, and risk prevention. Going forward, we hope that industry cooperation and technological innovation will build a more secure blockchain ecosystem and give users and investors more reliable protection.