Original source: Beosin
In 2024, while the blockchain industry is innovating technologically and expanding its ecosystem, it also faces increasingly severe security challenges. According to monitoring by Beosin's Alert platform, as of the time of publication, the total losses in the Web3 space due to hacker attacks, phishing scams, and project rug pulls have reached $2.491 billion.
These incidents not only expose technical flaws such as private key management and smart contract vulnerabilities but also highlight potential risks in social engineering and internal management. This article will review the top ten security incidents in Web3 for 2024, helping the industry learn from these lessons and better respond to future security threats.
No.1 DMM Bitcoin
Loss Amount: $304 million
Attack Method: Private Key Leak
On May 31, 2024, the long-established Japanese cryptocurrency exchange DMM Bitcoin suffered a historic attack. The attacker used leaked private keys to directly transfer over $300 million worth of Bitcoin and quickly dispersed the stolen funds to more than ten different addresses. This attack exposed serious deficiencies in DMM Bitcoin's private key management and multi-layer security protections. Although the exchange attempted to track the hacker through on-chain monitoring and freezing of funds, the stolen Bitcoin was dispersed and laundered using mixing tools, posing significant challenges for tracking.
On December 24, Japanese police identified the DMM Bitcoin theft as being perpetrated by the North Korean hacker group Lazarus Group. For a detailed analysis of Lazarus Group's past attacks and money laundering activities, please read “Uncovering the Boldest Cryptocurrency Theft Gang in History: An Analysis of the Lazarus Group's Money Laundering”.
No.2 PlayDapp
Loss Amount: $290 million
Attack Method: Private Key Leak
On February 9, 2024, PlayDapp was severely impacted, as hackers minted 2 billion PLA tokens by stealing private keys, initially valued at $36.5 million. After unsuccessful negotiations between the project team and the hackers, the hackers further minted 15.9 billion PLA tokens, valued at $253.9 million, in a short period. Some of these tokens flowed into Gate exchange, prompting PlayDapp to suspend the PLA contract and migrate to the PDA token contract. This incident highlighted the deficiencies in private key protection and incident emergency response for blockchain projects.
No.3 WazirX
Loss Amount: $235 million
Attack Method: Cyber Attack and Phishing
On July 18, 2024, WazirX, India's largest cryptocurrency exchange, faced a targeted attack on its Safe Wallet multi-signature wallet. The attacker used social engineering to induce multi-signature signers to sign a contract upgrade transaction, subsequently using the upgraded contract permissions to empty the assets in the wallet. This case highlighted the potential risks in managing permission configurations and operational transparency of multi-signature wallets, prompting deep reflection within the industry on internal risk control and security mechanisms.
For a detailed analysis of the incident and fund tracking, please read “Beosin | Analysis of the $235 Million Theft Incident at Indian Exchange WazirX”.
No.4 Gala Games
Loss Amount: $216 million
Attack Method: Access Control Vulnerability
On May 20, 2024, a privileged address of Gala Games was breached by hackers, who called the mint function in the token contract to mint 5 billion GALA tokens at once. The hackers then exchanged the minted tokens for ETH in batches, resulting in a direct loss of $216 million. The Gala Games team urgently activated a blacklist feature to block some hacker accounts and sought legal avenues to recover the losses.
No.5 Chris Larsen (Ripple's co-founder)
Loss Amount: $112 million
Attack Method: Private Key Leak
On January 31, 2024, four personal wallets of Ripple co-founder Chris Larsen were hacked, resulting in the theft of $112 million worth of XRP. These wallets were likely targeted due to the lack of dual protection from hardware devices. After the incident, Binance successfully froze $4.2 million worth of XRP and assisted Larsen in tracking the stolen assets, but the majority of the funds had already been laundered through decentralized exchanges and mixing services.
No.6 Munchables
Loss Amount: $62.5 million
Attack Method: Social Engineering Attack
On March 26, 2024, the Web3 gaming platform Munchables, based on Blast, experienced a rare internal infiltration attack. The attacker, disguised as a blockchain developer, was a North Korean hacker who gained access to core code and sensitive keys through long-term infiltration. Despite the significant losses, due to pressure from the community and team, the hacker ultimately returned all the stolen funds. This incident revealed the importance of supply chain security, especially for blockchain projects that rely on third-party development.
No.7 BtcTurk
Loss Amount: $55 million
Attack Method: Private Key Leak
On June 22, 2024, BtcTurk, Turkey's largest cryptocurrency exchange, suffered a private key leak attack, resulting in losses exceeding $55 million in crypto assets. With the assistance of the Binance team, $5.3 million of the stolen funds were successfully frozen, but other assets have yet to be recovered. This incident deepened market concerns about the private key management of centralized exchanges.
No.8 Radiant Capital
Loss Amount: $53 million
Attack Method: Private Key Leak
On October 17, 2024, Radiant Capital's multi-signature wallet was breached by hackers. Due to its low-threshold 3/11 signature verification model, hackers gained control of 3 signers' private keys to initiate off-chain signatures, transferring the wallet contract's ownership to a malicious address, ultimately leading to the theft of $53 million. This attack sparked industry reflection on the design and governance mechanisms of multi-signature wallets.
Before this attack, Radiant Capital had already lost $4.5 million due to a contract vulnerability, with over 1,900 ETH stolen. Web3 projects need to enhance their focus on security.
No.9 Hedgey Finance
Loss Amount: $44.7 million
Attack Method: Contract Vulnerability
On April 19, 2024, Hedgey Finance faced an attack targeting multiple on-chain contracts. Hackers exploited an approval vulnerability in its ClaimCampaigns contract, successfully extracting tokens from both the Ethereum and Arbitrum chains, with total losses amounting to $44.7 million. This incident underscored the importance of code auditing, especially for strict verification of token approval logic.
No.10 BingX
Loss Amount: $44.7 million
Attack Method: Private Key Leak
On September 19, 2024, BingX exchange's hot wallet was hacked, involving multiple chains including Ethereum, BNB Chain, and Tron. Although the exchange quickly activated asset transfer and withdrawal freeze mechanisms, hackers successfully extracted assets worth $44.7 million. This attack reflects the high-risk nature of managing hot wallets in centralized exchanges and further drives the industry to explore safer asset storage solutions.
The frequent security attack incidents in 2024 remind us once again that the development of the blockchain industry cannot be separated from security protection. From private key leaks to contract vulnerabilities, from internal management oversights to the escalation of external attack methods, each incident has brought profound lessons. To cope with increasingly complex attack threats, all parties in the industry need to continuously strengthen investment in technological research and development, management standards, and risk prevention. In the future, we look forward to collaboratively establishing a more secure blockchain ecosystem through industry cooperation and technological innovation, providing more reliable protection for users and investors.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
