Web3 Security Risk Warning: The Top Ten Most Influential Attack Events of 2024

1 year ago


Written by: Beosin

In 2024, the blockchain industry faced increasingly severe security challenges alongside technological innovation and ecosystem expansion. According to monitoring by Beosin's Alert platform, as of the time of writing, total losses in the Web3 space from hacker attacks, phishing scams, and project rug pulls reached $2.491 billion.

These incidents not only expose technical flaws such as weak private key management and smart contract vulnerabilities but also highlight risks in social engineering and internal management. This article reviews the top ten Web3 security incidents of 2024 so that the industry can learn from them and respond better to future security threats.

No.1 DMM Bitcoin

Loss Amount: $304 million

Attack Method: Private Key Leak

On May 31, 2024, the long-established Japanese cryptocurrency exchange DMM Bitcoin suffered a historic attack. The attacker used leaked private keys to transfer over $300 million worth of Bitcoin directly out of the exchange and quickly dispersed the stolen funds to more than ten different addresses. The attack exposed serious deficiencies in DMM Bitcoin's private key management and layered security controls. Although the exchange attempted to track the hacker through on-chain monitoring and to freeze funds, the stolen Bitcoin was dispersed and laundered through mixing tools, making tracing extremely difficult.

On December 24, Japanese police identified the DMM Bitcoin theft as the work of the North Korean hacker group Lazarus Group. For a detailed analysis of Lazarus Group's past attacks and money laundering, you can read “Uncovering the Boldest Cryptocurrency Theft Gang in History: An Analysis of the Lazarus Group's Money Laundering”.

No.2 PlayDapp

Loss Amount: $290 million

Attack Method: Private Key Leak

On February 9, 2024, PlayDapp was severely impacted when hackers stole private keys to mint 2 billion PLA tokens, initially valued at $36.5 million. After unsuccessful negotiations between the project team and the hackers, the hackers further minted 15.9 billion PLA tokens, worth $253.9 million, in a short period. Some of these tokens flowed into the Gate exchange, forcing PlayDapp to suspend the PLA contract and migrate to the PDA token contract. This incident highlighted the deficiencies in private key protection and emergency response for blockchain projects.

No.3 WazirX

Loss Amount: $235 million

Attack Method: Cyber Attack and Phishing

On July 18, 2024, WazirX, India's largest cryptocurrency exchange, experienced a targeted attack on its Safe Wallet multi-signature wallet. The attacker used social engineering to induce multi-signature signers to sign a contract upgrade transaction, subsequently using the upgraded contract permissions to empty the assets in the wallet. This case highlighted the potential risks in managing permission configurations and operational transparency of multi-signature wallets, prompting deep reflection within the industry on internal risk control and security mechanisms.

For a detailed analysis of this incident and fund tracking, you can read “Beosin | Analysis of the $235 Million Theft Incident at Indian Exchange WazirX”.

No.4 Gala Games

Loss Amount: $216 million

Attack Method: Access Control Vulnerability

On May 20, 2024, a privileged address of Gala Games was breached by hackers, who called the mint function in the token contract to mint 5 billion GALA tokens in one go. The hackers then exchanged the newly minted tokens for ETH in batches, resulting in a direct loss of $216 million. The Gala Games team urgently activated a blacklist feature to block some hacker accounts and sought legal avenues to recover the losses.

No.5 Chris Larsen (Ripple's co-founder)

Loss Amount: $112 million

Attack Method: Private Key Leak

On January 31, 2024, four personal wallets of Ripple co-founder Chris Larsen were hacked, resulting in the theft of $112 million in XRP. These wallets were likely targeted because they lacked the second layer of protection that a hardware device provides. After the incident, Binance froze $4.2 million worth of XRP and assisted Larsen in tracking the stolen assets, but the vast majority of the funds had already been laundered through decentralized exchanges and mixing services.

No.6 Munchables

Loss Amount: $62.5 million

Attack Method: Social Engineering Attack

On March 26, 2024, the Web3 gaming platform Munchables, built on Blast, suffered a rare insider infiltration attack. The attacker, posing as a blockchain developer, worked inside the project for an extended period and obtained core code and sensitive keys. Despite the significant losses, the hacker ultimately returned all stolen funds under pressure from the community and the team. This incident shows the importance of supply chain security, especially for blockchain projects that rely on third-party developers.

No.7 BtcTurk

Loss Amount: $55 million

Attack Method: Private Key Leak

On June 22, 2024, BtcTurk, Turkey's largest cryptocurrency exchange, suffered a private key leak attack, resulting in losses exceeding $55 million in crypto assets. With the assistance of the Binance team, $5.3 million of the stolen funds were successfully frozen, but other assets have yet to be recovered. This incident deepened market concerns about the private key management of centralized exchanges.

(Image: BtcTurk's official announcement of the attack.)

No.8 Radiant Capital

Loss Amount: $53 million

Attack Method: Private Key Leak

On October 17, 2024, the multi-signature wallet of Radiant Capital was hacked. Because the wallet used a low-threshold 3/11 signature verification model, hackers who gained control of three signers' private keys could produce the required off-chain signatures, transfer ownership of the wallet contract to a malicious address, and ultimately steal $53 million. This attack prompted industry reflection on the design and governance of multi-signature wallets.

Before this attack, Radiant Capital had already lost $4.5 million due to a contract vulnerability, with over 1,900 ETH stolen. Web3 project teams need to enhance their focus on security.
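Both the WazirX case (No.3) and the Radiant Capital case (No.8) turned on multisig signers approving a transaction whose real effect, a contract upgrade or an ownership transfer, they did not recognise before signing. The script below is an added illustration, not Beosin's code or any exchange's own tooling: a signer-side pre-signing review that decodes a proposed transaction's operation type, target and function selector and flags delegatecalls, non-allow-listed targets, privileged functions, and a signing threshold below policy. The addresses, allowlist and threshold ratio are constructed placeholders; the four selectors are the standard ones for the named function signatures.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1

# Well-known 4-byte selectors (first 4 bytes of keccak256 of the signature).
PRIVILEGED_SELECTORS = {
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
    "40c10f19": "mint(address,uint256)",
}

@dataclass
class ProposedTx:
    to: str          # target contract address
    value: int       # wei attached to the call
    data: bytes      # ABI-encoded calldata
    operation: int   # CALL or DELEGATECALL

@dataclass
class WalletPolicy:
    threshold: int               # signatures required to execute
    owners: int                  # total signers
    allowed_targets: frozenset   # lower-cased addresses signers expect to call
    min_threshold_ratio: float = 0.5   # hypothetical policy: require a majority

def review_tx(tx: ProposedTx, policy: WalletPolicy) -> list[str]:
    """Return reasons to hold the transaction; an empty list means nothing was flagged."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("DELEGATECALL runs foreign code in the wallet's own storage context")
    if tx.to.lower() not in policy.allowed_targets:
        findings.append(f"target {tx.to} is not an allow-listed contract")
    selector = tx.data[:4].hex()
    if selector in PRIVILEGED_SELECTORS:
        # The first argument of each listed function is an address: a 32-byte word, right-aligned.
        arg = "0x" + tx.data[16:36].hex() if len(tx.data) >= 36 else "<truncated calldata>"
        findings.append(f"calls privileged function {PRIVILEGED_SELECTORS[selector]} with address {arg}")
    if policy.threshold < policy.owners * policy.min_threshold_ratio:
        findings.append(f"threshold {policy.threshold}/{policy.owners} is below the policy minimum")
    return findings

# Constructed sample: a 3-of-11 wallet asked to sign transferOwnership(<unknown address>).
PROTOCOL = "0x1111111111111111111111111111111111111111"   # placeholder, constructed
POLICY = WalletPolicy(threshold=3, owners=11, allowed_targets=frozenset({PROTOCOL}))
UNKNOWN = "22" * 20                                        # placeholder address bytes
SUSPICIOUS = ProposedTx(PROTOCOL, 0, bytes.fromhex("f2fde38b" + "00" * 12 + UNKNOWN), CALL)
# A plain ERC-20 transfer(address,uint256) of 1 unit, for comparison.
BENIGN = ProposedTx(PROTOCOL, 0, bytes.fromhex("a9059cbb" + "00" * 12 + "33" * 20 + "01".rjust(64, "0")), CALL)

if __name__ == "__main__":
    for name, tx in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, review_tx(tx, POLICY) or "no findings")
```

Run against the constructed 3/11 policy, the suspicious transaction is held for both the ownership transfer and the low threshold; a transaction is only clean when no finding is returned.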

No.9 Hedgey Finance

Loss Amount: $44.7 million

Attack Method: Contract Vulnerability

On April 19, 2024, Hedgey Finance faced attacks on multiple on-chain contracts. Hackers exploited an approval vulnerability in its ClaimCampaigns contract, successfully extracting tokens from both the Ethereum and Arbitrum chains, with total losses amounting to $44.7 million. This incident underscored the importance of code auditing, especially the strict verification of token approval logic.

No.10 BingX

Loss Amount: $44.7 million

Attack Method: Private Key Leak

On September 19, 2024, the hot wallet of BingX exchange was hacked, involving multiple public chains including Ethereum, BNB Chain, and Tron. Although the exchange quickly activated asset transfer and withdrawal freeze mechanisms, the hackers successfully extracted assets worth $44.7 million. This attack reflects the high-risk nature of managing hot wallets in centralized exchanges and further drives the industry to explore safer asset storage solutions.

The frequent security incidents of 2024 remind us once again that the blockchain industry cannot grow without security. From private key leaks to contract vulnerabilities, from internal management oversights to ever more sophisticated external attack methods, each incident carries a hard lesson. To cope with increasingly complex threats, all parties in the industry need to keep investing in technical research and development, management standards, and risk prevention. We look forward to a more secure blockchain ecosystem built through industry collaboration and technological innovation, offering more reliable protection for users and investors.

Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is shared for information only and does not constitute investment advice for anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send the relevant proof of rights and proof of identity by email to support@aicoin.com, and the platform's staff will investigate.
