Article source: Golden Finance

Source: Chainalysis

Compiled by: Tao Zhu, Golden Finance

Cryptocurrency hacks remain a persistent threat, with over $1 billion in cryptocurrency stolen in four of the past ten years (2018, 2021, 2022, and 2023). 2024 marks the fifth year to reach this alarming milestone, highlighting that as cryptocurrency adoption and prices rise, the amount that can be stolen is also increasing.

In 2024, the amount of stolen funds increased by approximately 21.07%, reaching $2.2 billion, while the number of individual hacking incidents rose from 282 in 2023 to 303 in 2024.

Interestingly, the intensity of cryptocurrency hacks fluctuated around the first half of this year. In our mid-year crime update, we noted that the cumulative value stolen from January to July 2024 had reached $1.58 billion, approximately 84.4% higher than the value stolen during the same period in 2023. As we can see in the chart below, by the end of July, the ecosystem was easily getting back on track, making this year comparable to the over $3 billion seen in 2021 and 2022. However, the upward trend of stolen cryptocurrency in 2024 clearly slowed after July, maintaining relative stability afterward. Later, we will explore the potential geopolitical reasons for this change.

In terms of the stolen amounts categorized by the type of victim platform, intriguing patterns also emerged in 2024. For most quarters from 2021 to 2023, decentralized finance (DeFi) platforms were the primary targets of cryptocurrency hackers. DeFi platforms may be more susceptible to attacks because their developers tend to prioritize rapid growth and market deployment over the implementation of security measures, making them prime targets for hackers.

Although DeFi still accounted for the largest share of stolen assets in the first quarter of 2024, centralized services were the most targeted in the second and third quarters. Some of the most notable centralized service hacking incidents include DMM Bitcoin (May 2024; $305 million) and WazirX (July 2024; $234.9 million).

This shift in focus from DeFi to centralized services underscores the increasing importance of security mechanisms commonly used by hackers, such as private keys. In 2024, private key leaks accounted for the largest proportion of stolen cryptocurrency, reaching 43.8%. For centralized services, ensuring the security of private keys is crucial because they control access to user assets. Given that centralized exchanges manage substantial amounts of user funds, the impact of private key leaks can be devastating; we only need to look at the DMM Bitcoin hack, which involved $305 million, one of the largest cryptocurrency breaches to date, possibly due to poor private key management or insufficient security.

After a private key leak, malicious actors often launder stolen funds through decentralized exchanges (DEX), mining services, or mixing services, obfuscating transaction trails and complicating traceability. By 2024, we can see significant differences in the laundering activities of private key hackers compared to those using other attack vectors. For instance, after stealing private keys, these hackers often turn to bridging and mixing services. For other attack vectors, decentralized exchanges are more commonly used for laundering activities.

In 2024, North Korean hackers will steal more money from crypto platforms than ever before.

North Korean-related hackers are notorious for their complex and ruthless methods, often employing advanced malware, social engineering, and cryptocurrency theft to fund state-sponsored operations and evade international sanctions. U.S. and international officials assess that Pyongyang uses stolen cryptocurrency to finance its weapons of mass destruction and ballistic missile programs, posing a threat to international security. By 2023, North Korean hackers stole approximately $660.5 million through 20 incidents; by 2024, this figure increased to $1.34 billion across 47 incidents, with the stolen value rising by 102.88%. These figures accounted for 61% of the total amount stolen that year and 20% of the total incidents.

It is important to note that in last year’s report, we published information on North Korea stealing $1 billion through 20 hacking attacks. After further investigation, we determined that some large hacking incidents previously attributed to North Korea may no longer be relevant, reducing the amount to $660.5 million. However, the number of incidents remains unchanged as we discovered other smaller hacking attacks attributed to North Korea. Our goal is to continuously reassess our evaluations of North Korean-related hacking incidents as we obtain new on-chain and off-chain evidence.

Unfortunately, North Korean cryptocurrency attacks seem to be becoming more frequent. In the chart below, we examined the average time between successful DPRK attacks based on the scale of exploitation and found that attacks of various sizes have decreased year-over-year. Notably, in 2024, attacks valued between $50 million and $100 million, as well as those exceeding $100 million, occurred far more frequently than in 2023, indicating that North Korea is becoming increasingly effective and quicker at large-scale attacks. This contrasts sharply with the previous two years, during which their profits per incident often fell below $50 million.

When comparing North Korea's activities with all other hacking activities we monitor, it is evident that North Korea has been responsible for most large-scale attacks over the past three years. Interestingly, the amounts of North Korean hacking attacks are lower, particularly the density of hacking incidents valued around $10,000 has also been steadily increasing.

Some of these events appear to be related to North Korean IT practitioners, who are increasingly infiltrating cryptocurrency and Web3 companies, compromising their networks, operations, and integrity. These employees often employ complex strategies, techniques, and procedures (TTP), such as false identities, hiring third-party recruitment agencies, and manipulating remote work opportunities to gain access. In a recent case, the U.S. Department of Justice (DOJ) charged 14 North Korean nationals working remotely in the U.S. on Wednesday. The companies earned over $88 million by stealing proprietary information and extorting employers.

To mitigate these risks, companies should prioritize thorough hiring due diligence—including background checks and identity verification—while maintaining strong private key security to protect critical assets (if applicable).

Although all these trends suggest that North Korea has been very active this year, most of its attacks occurred early in the year, and overall hacking activity stagnated in the third and fourth quarters, as shown in earlier charts.

In late June 2024, Russian President Vladimir Putin and North Korean leader Kim Jong-un are also scheduled to hold a summit in Pyongyang to sign a joint defense agreement. So far this year, Russia has released previously frozen North Korean assets worth millions, in violation of UN Security Council sanctions, marking the ongoing development of the alliance between the two countries. Meanwhile, North Korea has deployed troops to Ukraine, provided ballistic missiles to Russia, and reportedly sought advanced space, missile, and submarine technology from Moscow.

If we compare the daily average losses from DPRK exploits before and after July 1, 2024, we can see a significant decrease in the value of stolen funds. Specifically, as shown in the chart below, the amount stolen by North Korea decreased by approximately 53.73%, while the amount stolen by non-North Korean entities increased by about 5%. Therefore, in addition to redirecting military resources toward the Ukraine conflict, North Korea, which has significantly strengthened cooperation with Russia in recent years, may also be changing its cybercrime activities.

The decline in funds stolen by North Korea after July 1, 2024, is evident, and the timing is also apparent. However, it is worth noting that this decline may not necessarily be related to Putin's visit to Pyongyang. Additionally, some events that occurred in December might change this pattern by the end of the year, and attackers often launch attacks during holiday periods.

Case Study: North Korea's Attack on DMM Bitcoin

A notable example of a North Korean-related hack in 2024 involved the Japanese cryptocurrency exchange DMM Bitcoin, which was attacked, resulting in a loss of approximately 4,502.9 bitcoins, worth $305 million at the time. The attackers exploited vulnerabilities in the infrastructure used by DMM, leading to unauthorized withdrawals. In response, DMM fully reimbursed customer deposits by searching for equivalent funds with the support of its parent company.

We were able to analyze the flow of funds on-chain following the initial attack. In the first phase, we observed that attackers transferred millions of dollars in cryptocurrency from DMM Bitcoin to several intermediary addresses, which ultimately reached the Bitcoin CoinJoin mixing servers.

After successfully mixing the stolen funds using Bitcoin CoinJoin mixing services, the attackers transferred part of the funds through some bridging services to Huioneguarantee, an online marketplace associated with the Cambodian corporate group Huione Group, a significant player in facilitating cybercrime.

DMM Bitcoin has transferred its assets and customer accounts to SBI Group's subsidiary SBI VC Trade, with the transition set to be completed by March 2025. Fortunately, emerging tools and predictive technologies are on the rise, which we will explore in the next section, preparing for the prevention of such destructive hacking attacks.

Using predictive modeling to prevent hacking attacks

Advanced predictive technologies are transforming cybersecurity by enabling real-time detection of potential risks and threats, offering proactive methods to protect digital ecosystems. Let's look at the example below, involving the decentralized liquidity provider UwU Lend.

On June 10, 2024, attackers exploited the price oracle system of UwU Lend to acquire approximately $20 million in funds. The attackers initiated a flash loan attack to alter the price of Ethena Staked USDe (sUSDe) across multiple oracles, resulting in incorrect valuations. Consequently, the attackers borrowed millions of dollars within seven minutes. Hexagate detected the attack contract and its similar deployments about two days before the exploitation.

Although the attack contract was accurately detected in real-time two days before the exploitation, its connection to the exploited contract did not immediately become apparent due to design reasons. Other tools, such as Hexagate's security oracle, can further leverage this early detection to mitigate threats. Notably, the first attack, which caused a loss of $8.2 million, occurred just minutes before subsequent attacks, providing another critical signal.

Alerts issued before significant on-chain attacks have the potential to change the security landscape for industry participants, enabling them to prevent costly hacking incidents rather than merely responding to them.

In the chart below, we see that the attackers transferred the stolen funds through two intermediary addresses before reaching the OFAC-approved Ethereum smart contract mixer Tornado Cash.

However, it is worth noting that merely accessing these predictive models does not guarantee the prevention of hacking attacks, as protocols may not always possess the appropriate tools to take effective action.

Stronger encryption security is needed.

The increase in stolen cryptocurrency in 2024 underscores the industry's need to address an increasingly complex and evolving threat landscape. While the scale of cryptocurrency theft has not yet returned to the levels seen in 2021 and 2022, the aforementioned resurgence highlights the gaps in existing security measures and the importance of adapting to new exploitation methods. To effectively respond to these challenges, collaboration between the public and private sectors is essential. Data-sharing programs, real-time security solutions, advanced tracking tools, and targeted training can empower stakeholders to swiftly identify and eliminate malicious actors while building the resilience needed to protect cryptocurrency assets.

Furthermore, as cryptocurrency regulatory frameworks continue to evolve, scrutiny of platform security and customer asset protection may intensify. Industry best practices must keep pace with these changes to ensure prevention and accountability. By establishing stronger partnerships with law enforcement and providing teams with rapid response resources and expertise, the cryptocurrency industry can enhance its theft prevention capabilities. These efforts are crucial not only for protecting individual assets but also for establishing long-term trust and stability within the digital ecosystem.