Article source: Beosin
Original source: Beosin
In 2024, while the blockchain industry faced technological innovation and ecological expansion, it also encountered increasingly severe security challenges. According to monitoring by Beosin's security audit company under the Alert platform, as of the press time, the total losses in the Web3 field due to hacker attacks, phishing scams, and project Rug Pulls reached 2.491 billion USD.
These incidents not only expose technical flaws such as private key management and smart contract vulnerabilities but also highlight the potential risks of social engineering and internal management. This article will summarize the top ten security incidents in Web3 in 2024, helping the industry learn lessons and better respond to future security threats.
No.1 DMM Bitcoin
Loss Amount: 304 million USD
Attack Method: Private Key Leakage
On May 31, 2024, Japan's established cryptocurrency exchange DMM Bitcoin suffered a historic attack. The attacker utilized leaked private keys to directly transfer over 300 million USD worth of Bitcoin, quickly dispersing the stolen funds to more than 10 different addresses. This attack exposed serious shortcomings in DMM Bitcoin's private key management and multi-layer security protection. Although the exchange attempted to track the hacker through on-chain monitoring and freezing funds, the stolen Bitcoin was dispersed and laundered using mixing tools, posing significant challenges for tracking efforts.
On December 24, Japanese police confirmed that the DMM Bitcoin theft incident was perpetrated by the North Korean hacker organization Lazarus Group.
No.2 PlayDapp
Loss Amount: 290 million USD
Attack Method: Private Key Leakage
On February 9, 2024, PlayDapp suffered heavy losses as hackers minted 2 billion PLA tokens by stealing private keys, with an initial value of 36.5 million USD. Due to unsuccessful negotiations between the project party and the hackers, the hackers further minted 15.9 billion PLA tokens in a short time, valued at 253.9 million USD. After some of these tokens flowed into Gate exchange, PlayDapp was forced to suspend the PLA contract and migrate to the PDA token contract. This incident highlights the shortcomings of blockchain projects in private key protection and emergency response.
No.3 WazirX
Loss Amount: 235 million USD
Attack Method: Network Attacks and Phishing
On July 18, 2024, the Safe Wallet multi-signature wallet of India's largest cryptocurrency exchange WazirX was precisely attacked by hackers. The attacker used social engineering to induce multi-signature signers to sign a contract upgrade transaction, then exploited the upgraded contract permissions to empty the assets in the wallet. This case highlights the potential risks of multi-signature wallets in management permission configuration and operational transparency, prompting an in-depth reflection on internal risk control and security mechanisms within the industry.
For a detailed analysis and fund tracking of this incident, please read (Beosin | Analysis of the 235 million USD Theft Incident of Indian Exchange WazirX).
No.4 Gala Games
Loss Amount: 216 million USD
Attack Method: Access Control Vulnerability
On May 20, 2024, a privileged address of Gala Games was hacked, and the attacker minted 5 billion GALA tokens at once by calling the mint function in the token contract. Subsequently, the hacker exchanged the minted tokens for ETH in batches, directly causing a loss of 216 million USD. The Gala Games team urgently activated the blacklist feature to block some hacker accounts and pursued legal means to recover the losses after the incident.
No.5 Chris Larsen (Ripple's co-founder)
Loss Amount: 112 million USD
Attack Method: Private Key Leakage
On January 31, 2024, four personal wallets of Ripple co-founder Chris Larsen were hacked, resulting in the theft of 112 million USD in XRP. These wallets were suspected of being targeted due to a lack of dual protection from hardware devices. After the incident, Binance successfully froze 4.2 million USD worth of XRP and assisted Larsen in tracking the stolen assets, but the vast majority of funds had already been laundered through decentralized exchanges and mixing services.
No.6 Munchables
Loss Amount: 62.5 million USD
Attack Method: Social Engineering Attack
On March 26, 2024, the Web3 game platform Munchables, based on Blast, suffered a rare internal penetration attack. The attacker, disguised as a blockchain developer, infiltrated for a long time to obtain core code and sensitive keys. Despite the attack causing huge losses, the hacker eventually returned all stolen funds due to pressure from the community and team. This incident reveals the importance of supply chain security, especially for blockchain projects relying on third-party development.
No.7 BtcTurk
Loss Amount: 55 million USD
Attack Method: Private Key Leakage
On June 22, 2024, Turkey's largest cryptocurrency exchange BtcTurk suffered a private key leakage attack, resulting in losses exceeding 55 million USD in crypto assets. With the assistance of the Binance team, 5.3 million USD of stolen funds were successfully frozen, but other assets have yet to be recovered. This incident deepened market concerns regarding the private key management of centralized exchanges.
BtcTurk Officially Announces Attack
No.8 Radiant Capital
Loss Amount: 53 million USD
Attack Method: Private Key Leakage
On October 17, 2024, Radiant Capital's multi-signature wallet was hacked. Due to its low-threshold 3/11 signature verification model, the hacker initiated off-chain signatures by controlling the private keys of 3 signers, transferring the ownership of the wallet contract to a malicious address, ultimately resulting in 53 million USD stolen. This attack sparked industry reflection on the design and governance mechanisms of multi-signature wallets.
Before this attack, Radiant Capital had already lost 4.5 million USD due to contract vulnerabilities, with over 1900 ETH stolen. Web3 project teams still need to improve their emphasis on security.
No.9 Hedgey Finance
Loss Amount: 44.7 million USD
Attack Method: Contract Vulnerability
On April 19, 2024, Hedgey Finance faced an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in its ClaimCampaigns contract to successfully extract tokens from both Ethereum and Arbitrum chains, totaling 44.7 million USD in losses. This incident highlights the importance of code auditing, especially for strict verification of token approval logic.
No.10 BingX
Loss Amount: 44.7 million USD
Attack Method: Private Key Leakage
On September 19, 2024, the hot wallet of BingX exchange was hacked, involving multiple public chains including Ethereum, BNB Chain, and Tron. Although the exchange quickly initiated asset transfer and withdrawal freezing mechanisms, the hacker successfully extracted assets worth 44.7 million USD. This attack reflects the high risks of managing hot wallets in centralized exchanges and further drives the industry to explore safer asset storage solutions.
The frequent security attack incidents in 2024 remind us once again that the development of the blockchain industry cannot be separated from security safeguards. From private key leakage to contract vulnerabilities, from internal management oversights to the upgrading of external attack methods, each incident brings profound lessons. To cope with increasingly complex attack threats, all parties in the industry need to continuously strengthen investment in technological research and development, management norms, and risk prevention. In the future, we look forward to collaboratively establishing a safer blockchain ecosystem through industry collaboration and technological innovation, providing more reliable protection for users and investors.
