Written by: Beosin
In 2024, while the blockchain industry faces increasingly severe security challenges, it also experiences technological innovation and ecological expansion. According to monitoring by the Alert platform under the security audit company Beosin, as of the time of writing, the total losses in the Web3 field due to hacker attacks, phishing scams, and project rug pulls have reached 2.491 billion USD.
These incidents not only expose technical weaknesses such as poor private key management and smart contract vulnerabilities, but also highlight the risks posed by social engineering and weak internal controls. This article reviews the top 10 Web3 security incidents of 2024, helping the industry learn lessons and better respond to future security threats.
No.1 DMM Bitcoin
Loss Amount: 304 Million USD
Attack Method: Private Key Leakage
On May 31, 2024, the historic attack on the Japanese cryptocurrency exchange DMM Bitcoin occurred. The attackers directly transferred over 300 million USD worth of Bitcoin using the leaked private keys and quickly dispersed the stolen funds to over 10 different addresses. This attack exposed serious deficiencies in DMM Bitcoin's private key management and multi-layer security protection. Although the exchange attempted to track the hacker through on-chain monitoring and freezing funds, the stolen Bitcoin was dispersed and laundered using mixing tools, posing significant challenges for tracking.
On December 24, Japanese police confirmed that the DMM Bitcoin theft incident was perpetrated by the North Korean hacker organization Lazarus Group. For a detailed analysis of Lazarus Group's past attacks and fund laundering, see (A deep dive into the most audacious cryptocurrency theft gang, analysis of the money laundering by the hacker organization Lazarus Group).
No.2 PlayDapp
Loss Amount: 290 Million USD
Attack Method: Private Key Leakage
On February 9, 2024, PlayDapp suffered a heavy blow when hackers minted 2 billion PLA tokens by stealing private keys, initially valued at 36.5 million USD. Due to failed negotiations between the project party and the hackers, the hackers further minted 15.9 billion PLA tokens in a short period, valued at 253.9 million USD. After some of these tokens flowed into the Gate exchange, PlayDapp was forced to suspend the PLA contract and migrate to the PDA token contract. This incident highlights the deficiencies in private key protection and emergency response in blockchain projects.
No.3 WazirX
Loss Amount: 235 Million USD
Attack Method: Network Attack and Phishing
On July 18, 2024, the multi-signature wallet of WazirX, India's largest cryptocurrency exchange, was targeted by hackers. The attackers used social engineering to induce the multi-signature signers to sign a contract upgrade transaction, then used the upgraded contract's permissions to drain the wallet's assets. This case highlights the risks of multi-signature wallets regarding permission management and operational transparency, and has prompted in-depth reflection on internal risk control and security mechanisms within the industry.
For a detailed analysis and fund tracking of this incident, see (Beosin | Analysis of the 235 Million USD theft incident at Indian exchange WazirX).
No.4 Gala Games
Loss Amount: 216 Million USD
Attack Method: Access Control Vulnerability
On May 20, 2024, a privileged address of Gala Games was breached by hackers, who minted 5 billion GALA tokens at once by calling the mint function in the token contract. Subsequently, the hackers exchanged the minted tokens for ETH in batches, causing a direct loss of 216 million USD. After the incident, the Gala Games team urgently activated the blacklist function to block some hacker accounts and pursued legal avenues to recover the losses.
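As an added illustration (not Gala Games' own contract) of how the damage from a single compromised privileged address can be bounded, the following Solidity sketch gates minting behind a separate minter role, caps issuance per time window, and gives an admin multisig the blacklist and key-rotation controls used in the response described above; the window length and cap are assumed values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not Gala Games' contract: a minimal token whose mint
// path is role-gated AND rate-limited, with an admin-held blacklist.
contract CappedMintToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blacklisted;
    address public immutable admin; // assumed to be a multisig, never a hot EOA
    address public minter;          // day-to-day minting role, rotatable
    uint256 public constant MINT_WINDOW = 1 days;                  // assumed
    uint256 public constant MINT_CAP_PER_WINDOW = 1_000_000 * 1e18; // assumed
    uint256 private windowStart;
    uint256 private mintedInWindow;
    event Transfer(address indexed from, address indexed to, uint256 value);
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    modifier onlyMinter() { require(msg.sender == minter, "not minter"); _; }
    constructor(address admin_, address minter_) {
        admin = admin_;
        minter = minter_;
        windowStart = block.timestamp;
    }

    // Even if the minter key leaks, issuance per window is bounded, so one
    // transaction cannot create billions of tokens.
    function mint(address to, uint256 amount) external onlyMinter {
        if (block.timestamp >= windowStart + MINT_WINDOW) {
            windowStart = block.timestamp;
            mintedInWindow = 0;
        }
        require(mintedInWindow + amount <= MINT_CAP_PER_WINDOW, "mint cap exceeded");
        mintedInWindow += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    // Emergency controls for the admin multisig: rotate a compromised minter
    // and freeze attacker addresses (the blacklist response described above).
    function setMinter(address m) external onlyAdmin { minter = m; }
    function setBlacklist(address a, bool s) external onlyAdmin { blacklisted[a] = s; }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(!blacklisted[msg.sender] && !blacklisted[to], "blacklisted");
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8.x
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }
}
```

A mint cap does not prevent a key compromise, but it turns a one-transaction 5 billion token mint into a bounded, observable event that monitoring can catch before the minter is rotated.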
No.5 Chris Larsen (Ripple's co-founder)
Loss Amount: 112 Million USD
Attack Method: Private Key Leakage
On January 31, 2024, four personal wallets of Chris Larsen, co-founder of Ripple, were hacked, resulting in the theft of 112 million USD worth of XRP. These wallets are suspected to have become targets because they lacked the second layer of protection that a hardware device provides. After the incident, Binance successfully froze 4.2 million USD worth of XRP and assisted Larsen in tracking the stolen assets, but the majority of the funds had already been laundered through decentralized exchanges and mixing services.
No.6 Munchables
Loss Amount: 62.5 Million USD
Attack Method: Social Engineering Attack
On March 26, 2024, the Web3 game platform Munchables, based on Blast, suffered a rare internal infiltration attack. The attacker, disguised as a blockchain developer, obtained core code and sensitive keys through long-term infiltration. Despite the attack causing substantial losses, under pressure from the community and team, the hackers ultimately returned all stolen funds. This incident reveals the importance of supply chain security, especially for blockchain projects that rely on third-party development.
No.7 BtcTurk
Loss Amount: 55 Million USD
Attack Method: Private Key Leakage
On June 22, 2024, Turkey's largest cryptocurrency exchange BtcTurk suffered a private key leakage attack, resulting in losses exceeding 55 million USD in crypto assets. With the assistance of the Binance team, 5.3 million USD of the stolen funds were successfully frozen, but other assets have yet to be recovered. This incident deepened market concerns about the private key management of centralized exchanges.
BtcTurk officially announced the attack
No.8 Radiant Capital
Loss Amount: 53 Million USD
Attack Method: Private Key Leakage
On October 17, 2024, Radiant Capital's multi-signature wallet was hacked. Because the wallet used a low 3-of-11 signature threshold, the attackers, having obtained the private keys of 3 signers, produced off-chain signatures that transferred ownership of the wallet contract to a malicious address, ultimately resulting in 53 million USD being stolen. This attack sparked industry reflection on the design and governance mechanisms of multi-signature wallets.
Before this attack, Radiant Capital had already lost 4.5 million USD (over 1900 ETH) to contract vulnerabilities. Web3 project teams still need to strengthen their focus on security.
No.9 Hedgey Finance
Loss Amount: 44.7 Million USD
Attack Method: Contract Vulnerability
On April 19, 2024, Hedgey Finance encountered an attack targeting multiple on-chain contracts. Hackers exploited a vulnerability in its ClaimCampaigns contract to successfully extract tokens on Ethereum and Arbitrum chains, with total losses amounting to 44.7 million USD. This incident highlights the importance of code auditing, especially the strict verification of token approval logic.
No.10 BingX
Loss Amount: 44.7 Million USD
Attack Method: Private Key Leakage
On September 19, 2024, the hot wallet of BingX exchange was hacked, involving multiple chains including Ethereum, BNB Chain, and Tron. Although the exchange quickly activated asset transfer and withdrawal freeze mechanisms, hackers successfully extracted assets worth 44.7 million USD. This attack reflects the high-risk nature of centralized exchange hot wallet management and further drives the industry to explore safer asset storage solutions.
The frequent security attack incidents in 2024 remind us that the development of the blockchain industry cannot be separated from security safeguards. From private key leakage to contract vulnerabilities, from internal management oversights to upgrades in external attack methods, each incident brings profound lessons. To cope with increasingly complex attack threats, all parties in the industry need to continue strengthening their investment in technology development, management standards, and risk prevention. In the future, we look forward to building a safer blockchain ecosystem through industry collaboration and technological innovation, providing more reliable protection for users and investors.