Written by: NEFTURE SECURITY
Translated by: Baihua Blockchain
2024 is indeed a brutal year for Web3 retail investors. Too many investors have been wiped out by scammers and hackers.
Although, as previously reported, obtaining precise data on the losses incurred by retail investors is an extremely difficult task, crime reports indicate that at least $5.84 billion has been wiped from their wallets. Among these, at least $4 billion was lost due to "pig butchering" scams, over $1 billion was lost due to phishing scams (including wallet theft and address poisoning), and $444 million was attributed to exit scams.
It must be noted that the state of the cryptocurrency market in 2024 has indeed provided significant opportunities for these scammers.
The bull market that began at the end of 2023 and peaked on March 14, 2024, when Bitcoin reached a new all-time high of $73,738, attracted a large influx of liquidity, not only from experienced cryptocurrency enthusiasts but also from a large group of eager new retail investors. 2024 was considered the year Bitcoin would break the $100,000 mark (which it did!), and this, coupled with explosive activity in the meme coin supercycle, transformed the "ghost town" of the cryptocurrency market in 2023 into a vibrant hub of trading!
Source: Dune
Many newcomers are completely unaware of the treacherous waters of cryptocurrency, making them extremely vulnerable and ideal targets for scammers. Meanwhile, experienced traders, after enduring a long and painful bear market, are equally, if not more, susceptible to the temptation of FOMO (fear of missing out), creating a perfect environment for scammers to prey on retail investors.
Shockingly, excluding "pig butchering," the top five fraud schemes in 2024 caused an astonishing loss of $611 million.
Here are the most successful cryptocurrency scams of 2024!
1. $243 million stolen: The largest social engineering phishing heist to date - the second largest heist of the year
The most jaw-dropping cryptocurrency scam of 2024 was a simple social engineering phishing attack, ranking as the second most financially destructive crime of the year, only behind the $308 million attack on DMM Bitcoin's private keys by a North Korean threat group.
Currently, this also appears to be the largest amount lost by an individual in a single cryptocurrency phishing attack.
On August 19, 2024, crypto detective ZachXBT revealed on Twitter that he had discovered a suspicious $238 million transfer, with funds being laundered and cashed out through multiple centralized exchanges (CEX). Soon, rumors began to circulate about the identity of the victim—was it an individual, a hedge fund, or a trading platform? How was this heist carried out: through a private key vulnerability, phishing, or a combination of both?
For a long time, details of the case were scarce, except for two updates from ZachXBT reporting that Firn Protocol and NonKYC successfully froze about $500,000 of the stolen funds—merely a drop in the bucket.
Exactly one month after the $238 million attack, ZachXBT revealed the full story of the incident on Twitter.
ZachXBT's investigation map - Source: ZachXBT
This heist was a "highly sophisticated social engineering attack," specifically a phishing scam targeting a single individual. The victim was a creditor of the now-bankrupt crypto trading firm Genesis.
On the day of the attack, he received a fraudulent call disguised as Google support, which allowed the scammers to breach his personal account. According to ZachXBT's investigation, the victim then received another call, this time from scammers impersonating Gemini support, claiming that his Gemini account had been hacked and instructing him to reset his two-factor authentication (2FA) and transfer funds from his Gemini account.
After repeated attempts at persuasion, the victim shared his screen using AnyDesk, allowing the scammers to access and leak his Bitcoin Core private key.
The attackers successfully stole $243 million and immediately attempted to disperse the funds into multiple wallets, then transfer them to over 15 trading platforms. According to ZachXBT's research, the stolen assets were rapidly converted between Bitcoin, Litecoin, Ethereum, and Monero to cover their tracks.
ZachXBT's initial vulnerability tracking - Source: ZachXBT
Unfortunately for them, but fortunately for the victim, they were not cautious enough during the attack and escape. This negligence allowed ZachXBT to trace the phishing attack back to three main suspects and their accomplices.
ZachXBT's list of suspects - Source: ZachXBT
One of the many mistakes they made was revealing the names of two of them to the victim during the screen sharing.
Source: ZachXBT Twitter
Other mistakes were related to their money laundering techniques. Although the attackers converted most of the stolen funds into Monero, ZachXBT discovered that two of them accidentally mixed stolen funds with clean funds by reusing deposit addresses. One attacker also exposed an address used to purchase luxury clothing while sharing the screen, which was linked to millions of dollars in stolen funds.
Source: ZachXBT Twitter
Most of them left enough traces on social media—or their predecessors did—that ultimately exposed their full identities in ZachXBT's investigation. ZachXBT collaborated with the BN security team, Zero Shadow, and CryptoForensic Investigators to further freeze $9 million.
The day before ZachXBT released the investigation results, Box (Jeandiel Serrano, 21) and Greavys (Malone Lam, 20) were arrested by the FBI and charged on September 19.
Malone Lam - Source: ZachXBT
Phishing attacks carried out through social engineering have been at the core of many high-yield crypto heists, with one particularly complex attack nearly succeeding in stealing $125 million from a single individual.
2. November 1, 2024, $129 million address poisoning attack
On November 20, 2024, a victim decided to transfer approximately $129.7 million from the address TGrS7QNCf85X2B6ddvGZY2MF9VwvFn6XAE to TMStAjRQHDZ8b3dyXPjBv9CNR3ce6q1bu8.
They first sent 100 USDT as a test transfer to the address TMStAj…6q1bu8. After the transaction was successfully completed, the victim almost immediately decided to transfer the entire $129.7 million.
What they did not know was that after the test transaction, the scammers had "poisoned" their wallet history by sending 1 USDT from an address disguised as the test address. When the victim copied and pasted the target address, they inadvertently selected this disguised address. The disguised address was even poorly forged, with only the last six characters matching, while the first half was completely different, starting with THcTxQ instead of TMStAj.
Source: Certik
Fortunately, the address poisoner returned $116.7 million within an hour and the remaining $12.97 million four hours later.
The split between the two transfers, and in particular the amount of the second one ($12.97 million), seems to indicate that the attackers initially considered keeping 10% as a "bug bounty," but later changed their minds.
Source: SlowMist via ScamSniffer
The most likely reason they returned all the funds is fear—fear of being tracked by the resourceful victim, the blockchain forensics community, and law enforcement agencies, especially considering the enormous amount stolen, which would make them a significant target.
3. Crypto4winners: $100 million Ponzi scheme
On March 9, 2024, the investment company Crypto4winners (which promised monthly returns of 3-20%) announced that it had suffered an attack exploiting a vulnerability.
Source: Crypto4winners Telegram channel
Due to this "vulnerability," Crypto4winners claimed they could not process fund withdrawals until the issue was resolved.
The problem is that as early as two months prior, the crypto newspaper DL News had revealed that one of the co-owners of Crypto4winners was Luc Schiltz, a Luxembourger who had been sentenced to six years in prison for defrauding over $1.5 million in 2017, serving only two years. Shortly after his release, he co-founded the Crypto4winners project.
Therefore, when the "hacker attack" was announced, suspicion immediately arose. After the initial announcement, Crypto4winners went completely silent. By March 12 or earlier, its clients had contacted lawyers and the police.
In the following days, Crypto4winners was revealed to have all the characteristics of a Ponzi scheme, resulting in thousands of victims and at least $100 million in losses.
According to DL News, Luc Schiltz is a co-founder of Crypto4winners, but he has always hidden his involvement. The publicly listed CEO and founder is another Luxembourger, Adrien Castellani, but in reality, Castellani only co-founded the company with Luc Schiltz.
Source: Virgule
Despite ongoing questions about Luc Schiltz's involvement in Crypto4winners over the years, he has never admitted to being a co-founder or partner, only referring to himself as an advisor. In 2023, he promised to completely sever ties with Crypto4winners by the end of the year, which he clearly did not fulfill.
Source: DL News
Lies abound.
For example, the outrageous returns they promised. They even claimed that customer Bitcoin deposits had achieved a 377% return since 2019, as well as an average monthly return of 7% to 20%, regardless of the ups and downs of the crypto market, which is a typical characteristic of a crypto Ponzi scheme.
They also claimed to be working with Chainalysis and Ledger, leading both companies to publicly deny these claims in 2022.
Crypto4winners was registered in Sweden. In 2023, when the Swedish Companies Registration Office requested its annual reports for 2021 and 2022, they claimed they were not required to submit them as a trust management company, which was false. Even facing the risk of liquidation or being declared invalid, they still did not submit the reports by the deadline.
It was also found that Crypto4winners appeared to be a Luxembourg-Swedish entity, but in reality, it was a complex structure spanning Dubai, Lithuania, Ireland, Sweden, and Luxembourg.
Worse still, Crypto4winners was actually a shell company; all investor funds were transferred to an Irish company called Big Wave Developments Limited.
According to the Luxembourg newspaper Virgule, of the estimated $100 million in client funds, less than $200,000 remained in the Big Wave Developments Limited account.
The most astonishing aspect of this entire case is the reason for its disintegration: a very strange car accident that allegedly caused Luc Schiltz to lose his memory.
On March 5, just before dawn, Luc Schiltz crashed into a roadside barrier, and the car went up an embankment. According to the Luxembourg police, he was uninjured in the accident but subsequently walked onto the highway for unknown reasons and was struck by a bus.
He was not fatally injured and was taken to the orthopedic hospital.
However, he claimed the accident caused him to lose his memory. The problem is that Luc Schiltz had complete control over client funds; this meant he could no longer access the funds in cryptocurrency wallets and trading platform accounts.
Notably, according to Virgule's investigation and accounts from people who visited Luc Schiltz in the days following the accident, his amnesia is suspicious.
A friend of Adrien Castellani, who went by the name Mario, recalled to Virgule:
"He initially pretended to have amnesia, then told us he would get the USB key back from his parents, and everything would return to normal…" (translated from French)
On that day, Mario discovered the shell nature of Crypto4winners and Big Wave Developments Limited. Later, in a call with Schiltz on March 12, Mario inquired about the remaining $200,000 in the Big Wave Developments Limited account, and Schiltz reassured him that it was normal because it was just the funds in the hot wallet.
Despite claiming to have amnesia, Luc Schiltz seemed completely aware of his identity and how the company operated. So, what exactly did he forget that prevented him from accessing the funds? Clearly not the seed phrase; it is almost unheard of in crypto history for someone to manage $100 million solely by memory.
He himself said everything was with his parents and assured that everything would return to normal soon. So, where is the problem?
Hopefully, this incident and all the questions it raises will be revealed in court.
On March 15, the Luxembourg public prosecutor's office announced an investigation into fraud and money laundering charges against Crypto4winners, with two individuals detained and charged.
One of them is believed to be Luc Schiltz.
Source: TrustPilot
4. May 2024 $72 million address poisoning attack
On May 3, 2024, an individual became a victim of an address poisoning attack, which became the largest address poisoning heist in history at the time, with the victim transferring 1,155 wrapped Bitcoins to a malicious address, resulting in a loss of $72.7 million.
The incident can be summarized as extreme bad luck. The victim first successfully completed a $149 test transfer to a legitimate address (starting with 0xd9A1b). After that, they mistakenly copied and pasted a forged address—a poisoned address mimicking 0xd9A1b.
Address poisoning breakdown - Source: Chainalysis
The victim attempted to negotiate a 10% "bug bounty" in exchange for the return of the funds but was unsuccessful. The attackers were blinded by greed, thinking they could get away with it—how wrong they were.
Message sent by the victim to the attackers - Source: Chainalysis
The entire blockchain security community was involved in the investigation, and soon news emerged that the attackers returned the funds, minus the $7.2 million kept as a "bug bounty." On May 10, the attackers returned almost all the stolen funds, taking only $3 million due to the appreciation of the tokens.
Two weeks later, it was discovered that the rapid return of the funds was not due to the attackers' conscience but because, despite their efforts to cover their tracks, their "device fingerprints" exposed part of their identity, according to Match Systems CEO Andrey Kutin.
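A wallet-side check for the address poisoning pattern described in sections 2 and 4, as an added example that is not part of the original article: it flags a destination, or an inbound sender in the transaction history, whose leading or trailing characters imitate an address the user has already verified. The function names, the `min_affix` threshold and the sample history are assumptions; `FAKE` is a constructed placeholder built from the prefix and suffix quoted in section 2, not the attacker's real address.

```python
# Added example, not the article's code; assumes a list of verified destinations.

def normalise(addr):
    # Hex (0x...) addresses compare case-insensitively; Base58 (Tron) does not.
    return addr[2:].lower() if addr.lower().startswith("0x") else addr

def shared_affix(a, b):
    """Lengths of the common prefix and common suffix of two addresses."""
    a, b = normalise(a), normalise(b)
    n = min(len(a), len(b))
    pre = 0
    while pre < n and a[pre] == b[pre]:
        pre += 1
    suf = 0
    while suf < n - pre and a[-1 - suf] == b[-1 - suf]:
        suf += 1
    return pre, suf

def classify(dest, verified, min_affix=4):
    """Return (verdict, imitated): verdict is verified, lookalike or unknown."""
    if any(normalise(dest) == normalise(v) for v in verified):
        return "verified", None
    for v in verified:
        if max(shared_affix(dest, v)) >= min_affix:
            return "lookalike", v
    return "unknown", None

def poison_candidates(history, verified):
    """Inbound senders in the history that imitate a verified destination."""
    hits = []
    for tx in history:
        verdict, imitated = classify(tx["counterparty"], verified)
        if tx["direction"] == "in" and verdict == "lookalike":
            hits.append((tx["counterparty"], imitated))
    return hits

# Constructed sample data. REAL is the destination quoted in the article; FAKE
# is a placeholder built from the prefix and suffix the article gives, not the
# attacker's actual address.
REAL = "TMStAjRQHDZ8b3dyXPjBv9CNR3ce6q1bu8"
FAKE = "THcTxQ" + "x" * 22 + "6q1bu8"
HISTORY = [
    {"direction": "out", "counterparty": REAL, "amount": 100.0},
    {"direction": "in", "counterparty": FAKE, "amount": 1.0},
]

if __name__ == "__main__":
    print(classify(FAKE, [REAL]))
    print(poison_candidates(HISTORY, [REAL]))
```

The shared Tron `T` (or Ethereum `0x`) network prefix alone never reaches the threshold, so only a deliberately matched run of characters triggers the `lookalike` verdict.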
5. Epoch Times CFO $67 million crypto scam and money laundering heist
In June 2024, Bill Guan, the CFO of Epoch Times, was arrested for involvement in a large-scale crypto scam.
The U.S. Department of Justice (DOJ) charged Guan with conspiring to launder at least $67 million in fraudulently obtained funds, including proceeds obtained through unemployment insurance fraud. It is alleged that the scheme involved using cryptocurrency to purchase illegal funds at a discount and then transferring them through multiple accounts, including Epoch Times accounts, to hide the source of the funds.
This crypto scam was exposed when the bank reported that Epoch Times' revenue had surged 410%, from $15 million to over $62 million, within a year.
The DOJ's indictment emphasized that these charges were unrelated to Epoch Times' news activities. Guan faces serious charges, including conspiracy to commit money laundering and bank fraud, and could face up to 80 years in prison.
6. Conclusion
For retail investors in the Web3 space, 2024 has been a year filled with crises. Scams and hacking activities have run rampant, leading to investor losses of up to $5.84 billion, with "pig butchering," phishing scams, and exit scams being the primary forms of crime. From the Bitcoin bull market to the meme coin supercycle, the market's prosperity attracted a large number of newcomers and experienced investors, making them ideal targets for scammers. Nevertheless, there are still some positive signs, such as the recovery of some stolen funds and the rigorous crackdown and tracking of criminal activities by relevant law enforcement agencies and the blockchain security community.
However, these events also remind us that the risks in the cryptocurrency market are omnipresent, and investors must remain vigilant, enhance their security awareness, and approach every investment decision with caution to avoid becoming the next victim.