※This article has been automatically translated. Please refer to the original text for accurate content.
Crypto asset hacking remains a persistent threat, with over $1 Billion stolen in each of 2018, 2021, 2022, and 2023. 2024 marks the 5th year since reaching this unfortunate milestone, highlighting how the proliferation and price appreciation of crypto assets has led to an increase in the amount stolen. In 2024, the stolen funds reached $2.2 Billion, a 21.07% Year-over-Year (YoY) increase, and the number of individual hacking incidents increased from 282 in 2023 to 303 in 2024.
Interestingly, the intensity of crypto asset hacking shifted mid-year. As noted in our Mid-Year Crime Update, the cumulative stolen amount from January to July 2024 had already reached $1.58 Billion, surpassing the same period in 2023 by about 84.4%. As shown in the figure below, as of the end of July, 2024 was on track to exceed the over $3 Billion seen in 2021 and 2022. However, the upward trend in 2024 slowed significantly after July, and a relatively stable period followed. We'll explore the geopolitical reasons behind this shift in more detail later.
The pattern of stolen funds by the type of platform affected was also interesting in 2024. In most quarters from 2021 to 2023, the primary targets of crypto asset hacking were DeFi platforms. Developers' tendency to prioritize rapid growth and product deployment over implementing security measures has made DeFi platforms vulnerable and an attractive target for hackers.
In Q1 2024, the majority of stolen assets were from DeFi, but in Q2 and Q3, centralized services became the primary targets. The most notable centralized service hacks include DMM Bitcoin (May 2024, $305 Million) and WazirX (July 2024, $234.9 Million).
This shift in focus from DeFi to centralized services highlights the growing importance of private key protection, a mechanism commonly exploited in hacking. In 2024, 43.8% of stolen crypto assets were due to private key compromises. For centralized services, which manage user assets, ensuring the security of private keys is crucial. The impact of a private key breach at a centralized exchange, which manages large amounts of user assets, can be devastating. The $305 Million DMM Bitcoin hack is one of the largest crypto asset breaches to date and may have been caused by private key management failures and a lack of proper security measures.
After compromising private keys, malicious actors often use DEXs, mining services, or mixing services to obfuscate the transaction trail and complicate tracing efforts. In 2024, the money laundering activities of hackers who stole private keys differed significantly from those of hackers who used other attack vectors. For example, these hackers were more likely to use bridges and mixing services after stealing private keys, while hackers using other attack vectors tended to rely more on DEXs for money laundering.
To learn more about the 2024 crypto asset hacking trends, North Korea's activities, and Hexagate's capabilities to proactively detect suspicious hacking behavior using machine learning models, please continue reading. Hexagate was recently acquired by Chainalysis.
North Korean Hacker Groups Responsible for Record-Breaking Crypto Exchange Thefts in 2024
Hacker groups with ties to North Korea are notorious for their sophisticated and persistent espionage activities, frequently using advanced malware, social engineering, and crypto asset theft to fund state-sponsored activities and evade international sanctions. The U.S. and international authorities assess that Pyongyang uses stolen crypto assets to finance weapons of mass destruction and ballistic missile programs, threatening international security. In 2023, North Korea-linked hackers stole about $660.5 Million in 20 incidents, and in 2024, they stole $1.34 Billion in 47 incidents, a 102.88% increase. These figures account for 61% of the total amount stolen and 20% of the total number of incidents that year.
Last year's report stated that North Korea had stolen $1 Billion through 20 hacking incidents. Further investigation revealed that some of the large-scale hacking incidents previously attributed to North Korea may no longer be related, reducing the amount to $660.5 Million. However, other smaller hacking incidents specifically linked to North Korea were identified, keeping the total number of incidents unchanged. We will continue to re-evaluate our assessments of North Korea-related hacking incidents as we obtain new on-chain and off-chain evidence.
Unfortunately, North Korea's cryptocurrency attacks appear to be becoming more frequent. The figure below shows that the average time for North Korea to successfully execute attacks has decreased across all scales of exploits compared to the previous year. In particular, attacks between $50 Million and $100 Million, and those exceeding $100 Million, occurred much more frequently in 2024 than in 2023, suggesting North Korea is becoming more adept and quicker at executing large-scale exploits, in contrast to the previous two years when most exploits yielded less than $50 Million.
Comparing North Korea's activities to all other hacking we have measured, it is clear that over the past 3 years, North Korea has consistently been responsible for most of the large-scale exploits. Interestingly, while North Korea's dominance of exploits continued in 2024, the number of lower-value hacks around $10,000 also increased. These events appear to be linked to North Korean IT workers who are infiltrating cryptocurrency and Web3 companies, compromising their networks, operations, and integrity. These workers often leverage advanced tactics, techniques, and procedures (TTPs) such as using false identities, third-party recruitment, and remote work opportunities to gain access. Recently, the U.S. Department of Justice (DOJ) indicted 14 North Korean nationals who were employed as remote IT workers by U.S. companies, stealing sensitive information and extorting their employers for over $88 Million. To mitigate these risks, companies should prioritize thorough employment due diligence, including background and identity verification, while maintaining robust key hygiene to protect critical assets as needed.
These trends all suggest that 2024 was a very active year for North Korea, with the majority of activity occurring early in the year, and overall hacking activity tapering off in the third and fourth quarters, as shown in the figure. In late June 2024, Russian President Putin and North Korean leader Kim Jong-un held a summit in Pyongyang and signed a mutual defense treaty. Since the beginning of this year, the alliance between the two countries has deepened, with Russia releasing hundreds of millions of dollars of North Korean assets that were frozen under UN Security Council sanctions. In turn, North Korea has deployed troops to Ukraine, supplied Russia with ballistic missiles, and is reportedly seeking advanced space, missile, and submarine technology from Moscow.
Comparing the average daily value lost to North Korean attacks before and after July 1, 2024, it is clear that the amount of funds stolen has decreased significantly, by around 53.73%, while non-North Korean theft has increased by about 5%. This suggests that in addition to redirecting military resources to the Ukraine conflict, North Korea may have also adjusted its cyber-criminal activities, likely due to its dramatically strengthened cooperation with Russia in recent years. The reduction in North Korean theft after July 1, 2024 is evident and the timing is striking, but it is important to note that this decrease is not necessarily directly related to President Putin's visit to Pyongyang. Additionally, some events are scheduled for December, which could alter the pattern by the end of the year, as attackers often launch attacks during holiday periods.
Case Study: North Korea's Attack on DMM Bitcoin
A notable North Korea-related hacking incident in 2024 was the security breach at the Japanese cryptocurrency exchange DMM Bitcoin, which lost approximately 4,502.9 BTC worth $305 Million at the time. The attackers targeted vulnerabilities in the infrastructure used by DMM, leading to the unauthorized withdrawals. In response, DMM was able to raise equivalent funds from its group companies and fully compensate customer deposits.
We were able to analyze the on-chain flow of funds after the initial attack. We have divided this into two Chainalysis Reactor graphs shown below. The first stage shows that the attacker moved several million dollars' worth of cryptocurrencies from DMM Bitcoin to multiple intermediate addresses, ultimately reaching a Bitcoin CoinJoin mixing service.
After successfully mixing the stolen funds through the CoinJoin mixing service, the attacker sent a portion of the funds through multiple bridge services, ultimately sending them to Huione Guarantee, an online marketplace affiliated with the Cambodian conglomerate Huione Group, which has previously been identified as a key enabler of cybercrime.
Due to the scale of the hacking and the resulting operational challenges, DMM Bitcoin decided to shut down the exchange in December 2024. The company plans to migrate its assets and customer accounts to SBI VC Trade, a subsidiary of the Japanese financial conglomerate SBI Group, by March 2025. Fortunately, as we will explore in the next section, emerging tools and predictive technologies are opening the door to the possibility of preventing such devastating hacks.
Leveraging Predictive Models to Thwart Hacking
Advanced predictive technologies are transforming cybersecurity by enabling real-time detection of potential risks and threats, providing a proactive approach to protecting digital ecosystems. Chainalysis recently acquired Hexagate, a leading provider of Web3 security solutions that detect and mitigate threats such as cyber exploits, hacking, governance, and financial risks. Hexagate's customers are already preventing over $1 billion in customer asset losses by taking on-chain actions based on real-time notifications and automated responses to potential threats.
Hexagate leverages its proprietary detection technology and machine learning models to predict and detect anomalous transactions and malicious activities in real-time across blockchain networks. By continuously scanning smart contracts and transactions, Hexagate's system identifies suspicious patterns and potential risks and threats before they can cause financial losses. Let's look at the example of the decentralized liquidity provider UwU Lend.
On June 10, 2024, an attacker manipulated the price oracle system to exploit UwU Lend for around $20 million. The attacker initiated a flash loan attack to modify the price of Ethena Staked USDe (sUSDe) across multiple oracles, leading to inaccurate valuations. As a result, the attacker was able to borrow millions of dollars within 7 minutes. Hexagate had detected the attack contract 2 days before it was exploited.
While the attack contract was accurately detected in real-time, 2 days before the exploitation, its connection to the exploited contract was not immediately apparent due to the contract's design. Additional tools like Hexagate's security oracles could have further leveraged this early detection to mitigate the threat. Notably, the initial attack that caused $8.2 million in losses occurred just minutes before the subsequent attack, which is another critical indicator.
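The valuation failure described above, where a flash loan pushes every spot oracle in the same block, can be guarded against at the protocol level by anchoring collateral pricing to a history the flash loan cannot rewrite. The following is an added, simplified illustration written for this article, not UwU Lend's or Hexagate's code; the oracle names and price values are constructed sample data.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class SpotQuote:
    source: str   # hypothetical oracle name
    price: float  # sUSDe/USD as reported in the current block


def twap(history: List[float]) -> float:
    """Average of prices observed in earlier blocks. A flash loan lives inside
    one transaction, so it cannot alter these already-finalised observations."""
    return sum(history) / len(history)


def collateral_value(amount: float, quotes: List[SpotQuote],
                     history: List[float], max_dev: float = 0.05) -> Optional[float]:
    """Value `amount` of sUSDe in USD, or None when the quotes look manipulated.

    Rule: the median of the current spot quotes must sit within max_dev of the
    TWAP. Agreement between several spot oracles is deliberately NOT treated as
    evidence of a fair price, because one flash loan can move all of them in
    the same block; only the historical anchor is trusted for the sanity check.
    """
    if not quotes or not history:
        return None
    spot = median(q.price for q in quotes)
    ref = twap(history)
    deviation = abs(spot - ref) / ref
    if deviation > max_dev:
        return None  # caller should refuse the borrow and raise an alert
    # Price the collateral at the more conservative of the two figures.
    return amount * min(spot, ref)


# Constructed sample data: a calm block, and a block in which every oracle has
# been pushed up by a flash loan immediately before the borrow call.
HISTORY = [1.00, 1.01, 0.99, 1.00, 1.00, 1.01]
CALM = [SpotQuote("oracleA", 1.00), SpotQuote("oracleB", 1.01),
        SpotQuote("oracleC", 0.99)]
MANIPULATED = [SpotQuote("oracleA", 1.60), SpotQuote("oracleB", 1.58),
               SpotQuote("oracleC", 1.62)]

if __name__ == "__main__":
    print(collateral_value(1_000_000, CALM, HISTORY))         # 1000000.0
    print(collateral_value(1_000_000, MANIPULATED, HISTORY))  # None
```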
Services that can provide early warnings of such critical on-chain attacks have the potential to significantly transform the security landscape for industry stakeholders, enabling prevention of high-value hacking incidents rather than just responding to them.
The Chainalysis Reactor graph below shows that the attacker transferred the stolen funds through two intermediary addresses before reaching the OFAC-sanctioned Ethereum smart contract mixer Tornado Cash.
However, it's important to note that simply having access to these predictive models does not guarantee the prevention of hacking, as protocols may not always be equipped with the appropriate tools to function effectively.
The Need for Robust Cryptocurrency Security
The increase in cryptocurrency thefts in 2024 highlights the need to address the evolving and increasingly complex threat landscape. While the scale of cryptocurrency thefts has not yet returned to the levels seen in 2021 and 2022, the resurgence underscores the gaps in existing security measures and the importance of adapting to new exploitation methods. Effective addressing of these challenges requires collaboration between the public and private sectors. Data-sharing initiatives, real-time security solutions, advanced tracing tools, and targeted training can empower stakeholders to quickly identify and neutralize malicious activities while building the resilience necessary to protect cryptocurrencies.
Furthermore, as the regulatory framework for cryptocurrencies continues to evolve, oversight of platform security and customer asset protection will likely become even more stringent. Industry best practices must keep pace with these changes, ensuring both prevention and accountability. The cryptocurrency industry can strengthen its defenses against theft by fostering stronger partnerships with law enforcement and assembling teams with the resources and expertise to respond swiftly. These efforts are essential not only to protect individual assets, but also to build long-term trust and stability within the digital ecosystem.
The post $2.2 Billion Stolen from Crypto Platforms in 2024, but Hacked Volumes Stagnate Toward Year-End as DPRK Slows Activity Post-July appeared first on Chainalysis.