Source: Chainalysis; Compiled by Tao Zhu, Golden Finance
Cryptocurrency hacking attacks remain an ongoing threat, with over $1 billion worth of cryptocurrency stolen in four of the past ten years (2018, 2021, 2022, and 2023). 2024 marks the fifth year of reaching this disturbing milestone, underscoring that as cryptocurrency adoption and prices rise, the amount that can be stolen is also increasing.
In 2024, stolen funds increased by approximately 21.07% year-over-year, reaching $2.2 billion, with the number of individual hacking incidents rising from 282 in 2023 to 303 in 2024.
Interestingly, the intensity of cryptocurrency hacking attacks changed around the first half of this year. In our mid-year crime update, we noted that the cumulative value stolen between January 2024 and July 2024 had reached $1.58 billion, approximately 84.4% higher than the stolen value during the same period in 2023. As we see in the chart below, by the end of July, the ecosystem was easily on track, comparable to the over $3 billion stolen in 2021 and 2022. However, the upward trend in stolen cryptocurrency in 2024 noticeably slowed after July, subsequently remaining relatively stable. Later, we will explore the potential geopolitical reasons for this change.
In terms of stolen amounts categorized by victim platform type, 2024 also exhibited interesting patterns. In most quarters from 2021 to 2023, decentralized finance (DeFi) platforms were the primary targets of cryptocurrency hackers. DeFi platforms may be more vulnerable to attacks because their developers tend to prioritize rapid growth and market deployment over implementing security measures, making them a primary target for hackers.
Although DeFi still accounted for the largest share of stolen assets in the first quarter of 2024, centralized services were the most targeted in the second and third quarters. Some of the most notable centralized service hacking incidents include DMM Bitcoin (May 2024; $305 million) and WazirX (July 2024; $234.9 million).
The shift in focus from DeFi to centralized services highlights the growing importance of security mechanisms commonly used by hackers (such as private keys). In 2024, private key leaks accounted for the largest proportion of stolen cryptocurrency, reaching 43.8%. For centralized services, ensuring the security of private keys is crucial as they control access to user assets. Given that centralized exchanges manage substantial user funds, the impact of private key leaks can be devastating; we only need to look at the DMM Bitcoin hack incident worth $305 million, one of the largest cryptocurrency breaches to date, which may have occurred due to poor private key management or a lack of adequate security.
After a private key leak, malicious actors typically launder stolen funds through decentralized exchanges (DEX), mining services, or mixing services, thereby obfuscating transaction trails and complicating tracking. By 2024, we can see significant differences in the laundering activities of private key hackers compared to those using other attack vectors. For instance, after stealing private keys, these hackers often turn to bridging and mixing services. For other attack vectors, decentralized exchanges are more commonly used for laundering activities.
In 2024, the amount stolen by North Korean hackers from cryptocurrency platforms will be more than ever before.
North Korean hackers are notorious for their complex and ruthless methods, often utilizing advanced malware, social engineering, and cryptocurrency theft to fund state-sponsored operations and evade international sanctions. U.S. and international officials assess that Pyongyang is leveraging stolen cryptocurrency to finance its weapons of mass destruction and ballistic missile programs, posing a threat to international security. By 2023, North Korean hackers had stolen approximately $660.5 million through 20 incidents; by 2024, this number increased to $1.34 billion across 47 incidents, a 102.88% increase in stolen value. These figures account for 61% of the total stolen amount that year and 20% of the total incidents.
Please note that in last year's report, we reported that North Korea had stolen $1 billion through 20 hacking incidents. After further investigation, we determined that some previously attributed large-scale hacks may no longer be relevant, reducing the amount to $660.5 million. However, the number of incidents remained the same, as we discovered other smaller hacking incidents attributed to North Korea. Our goal is to continually reassess our evaluations of North Korea-related hacking events as we obtain new on-chain and off-chain evidence.
Unfortunately, North Korea's cryptocurrency attacks seem to be becoming more frequent. In the figure below, we examine the average time between successful DPRK attacks based on the scale of the exploit and find that the frequency of attacks of various scales has decreased year-over-year. Notably, attacks valued between $50 million to $100 million and those exceeding $100 million occurred much more frequently in 2024 than in 2023, indicating that North Korea is becoming increasingly adept and faster at conducting large-scale attacks. This sharply contrasts with the previous two years, where their profits per incident often fell below $50 million.
When comparing North Korea's activities with all other hacking activities we monitor, it is clear that North Korea has been responsible for most large-scale attacks over the past three years. Interestingly, the amounts involved in North Korean hacks are lower, especially as the density of hacking incidents around the $10,000 mark continues to increase.
Some of these incidents appear to be linked to North Korean IT professionals, who are increasingly infiltrating cryptocurrency and Web3 companies, compromising their networks, operations, and integrity. These employees often use complex strategies, tactics, and procedures (TTP), such as false identities, hiring third-party recruitment agencies, and manipulating remote work opportunities to gain access. In a recent case, the U.S. Department of Justice (DOJ) charged 14 North Korean nationals who worked remotely in the U.S. The companies earned over $88 million by stealing proprietary information and extorting employers.
To mitigate these risks, companies should prioritize thorough hiring due diligence—including background checks and identity verification—while maintaining strong private key security to protect critical assets (if applicable).
Although all these trends indicate that North Korea has been very active this year, most of its attacks occurred early in the year, with overall hacking activity stagnating in the third and fourth quarters, as shown in earlier charts.
In late June 2024, Russian President Vladimir Putin and North Korean leader Kim Jong-un will also hold a summit in Pyongyang to sign a joint defense agreement. So far this year, Russia has released previously frozen North Korean assets worth millions of dollars in accordance with UN Security Council sanctions, marking the ongoing development of the alliance between the two countries. Meanwhile, North Korea has deployed troops to Ukraine, provided ballistic missiles to Russia, and reportedly sought advanced space, missile, and submarine technologies from Moscow.
By comparing the average daily losses from DPRK breaches before and after July 1, 2024, we can see a significant decrease in the amount of stolen value. Specifically, as shown in the figure below, the amount stolen by North Korea decreased by approximately 53.73%, while the amount stolen by non-North Korea increased by about 5%. Therefore, aside from redirecting military resources to the Ukraine conflict, North Korea, which has significantly strengthened its cooperation with Russia in recent years, may also have altered its cybercriminal activities.
The decline in funds stolen by North Korea after July 1, 2024, is apparent, and the timing is also clear; however, it is worth noting that this decline may not necessarily be related to Putin's visit to Pyongyang. Additionally, some incidents that occurred in December may change this pattern by the end of the year, as attackers often launch attacks during holiday periods.
Case Study: North Korea's Attack on DMM Bitcoin
A notable example of a 2024 attack related to North Korea involved the Japanese cryptocurrency exchange DMM Bitcoin, which was hacked, resulting in a loss of approximately 4,502.9 bitcoins, valued at $305 million at the time. The attackers exploited vulnerabilities in the infrastructure used by DMM, leading to unauthorized withdrawals. In response, DMM, with support from its parent company, sought equivalent funds to fully reimburse customer deposits.
We were able to analyze the on-chain flow of funds after the initial attack; in the first stage, we saw the attackers transferring millions of dollars' worth of cryptocurrency from DMM Bitcoin to several intermediary addresses, eventually reaching Bitcoin CoinJoin mixing servers.
After successfully mixing the stolen funds using Bitcoin CoinJoin mixing services, the attackers transferred part of the funds to Huioneguarantee via several bridging services, which is an online marketplace associated with the Cambodian conglomerate Huione Group, an important player in facilitating cybercrime.
DMM Bitcoin has transferred its assets and customer accounts to SBI Group's subsidiary SBI VC Trade, with the transition scheduled for completion in March 2025. Fortunately, emerging tools and predictive technologies are on the rise, which we will explore in the next section to prepare for the prevention of such destructive hacking incidents.
Utilizing predictive models to prevent hacking attacks
Advanced predictive technologies are transforming cybersecurity by enabling real-time detection of potential risks and threats, offering proactive approaches to protect digital ecosystems. Let's take a look at the example below, involving the decentralized liquidity provider UwU Lend.
On June 10, 2024, attackers obtained approximately $20 million in funds by manipulating the price oracle system of UwU Lend. The attackers initiated a flash loan attack to alter the price of Ethena Staked USDe (sUSDe) across multiple oracles, resulting in incorrect valuations. Consequently, the attackers could borrow millions of dollars within seven minutes. Hexagate detected the attack contract and its similar deployments about two days before the exploit.
Although the attack contract was accurately detected in real-time two days before the exploit, due to its design, its connection to the exploited contract did not immediately become apparent. With tools like Hexagate's secure oracle, such early detection can be further leveraged to mitigate threats. Notably, the first attack, which resulted in an $8.2 million loss, occurred just minutes before subsequent attacks, providing another important signal.
Such alerts issued before significant on-chain attacks have the potential to change the security landscape for industry participants, enabling them to fully prevent costly hacking incidents rather than merely responding to them.
In the figure below, we see that the attackers transferred the stolen funds through two intermediary addresses before reaching the OFAC-approved Ethereum smart contract mixer Tornado Cash.
However, it is worth noting that merely accessing these predictive models does not guarantee the prevention of hacking attacks, as the protocols may not always have the appropriate tools to take effective action.
Stronger encryption security is needed
The increase in stolen cryptocurrency in 2024 underscores the industry's need to address an increasingly complex and evolving threat landscape. Although the scale of cryptocurrency theft has not yet returned to the levels seen in 2021 and 2022, the above-mentioned resurgence highlights the gaps in existing security measures and the importance of adapting to new exploitation methods. Effective collaboration between the public and private sectors is crucial to addressing these challenges. Data-sharing programs, real-time security solutions, advanced tracking tools, and targeted training can empower stakeholders to quickly identify and eliminate malicious actors while building the resilience needed to protect crypto assets.
Moreover, as the cryptocurrency regulatory framework continues to evolve, scrutiny over platform security and customer asset protection may increase. Industry best practices must keep pace with these changes to ensure prevention and accountability. By establishing stronger partnerships with law enforcement and providing rapid response resources and expertise to teams, the cryptocurrency industry can strengthen its theft prevention capabilities. These efforts are crucial not only for protecting individual assets but also for establishing long-term trust and stability within the digital ecosystem.