Source: Beosin
In 2024, while the blockchain industry experienced technological innovation and ecosystem expansion, it also faced increasingly severe security challenges. According to monitoring by the Alert platform of the security audit company Beosin, as of the time of writing, total losses in the Web3 field in 2024 from hacker attacks, phishing scams, and rug pulls by project teams reached $2.491 billion.
These incidents not only expose technical weaknesses in private key management and smart contract security, but also highlight the risks of social engineering and weak internal controls. This article reviews the top 10 Web3 security incidents of 2024 to help the industry learn from them and better cope with future threats.
No.1 DMM Bitcoin
Loss amount: $304 million
Attack method: Private key leak
On May 31, 2024, the long-established Japanese cryptocurrency exchange DMM Bitcoin suffered a historic attack. The attackers used leaked private keys to directly transfer more than $304 million worth of Bitcoin, and quickly dispersed the stolen funds across more than 10 addresses. The attack exposed serious deficiencies in DMM Bitcoin's private key management and layered security controls. Although the exchange tried to trace the attackers through on-chain monitoring and fund freezing, the stolen Bitcoin was dispersed and laundered through mixing services, making tracing extremely difficult.
On December 24, the Japanese police determined that the DMM Bitcoin theft was carried out by the North Korean hacker group Lazarus Group. For a detailed analysis of Lazarus Group's past attacks and money laundering, please read "Uncovering the Most Daring Cryptocurrency Theft Syndicate: Analysis of Money Laundering by Hacker Group Lazarus Group".
No.2 PlayDapp
Loss amount: $290 million
Attack method: Private key leak
On February 9, 2024, PlayDapp suffered a heavy blow: using stolen private keys, hackers minted 2 billion PLA tokens with an initial value of $36.5 million. After negotiations between the project team and the hackers failed, the hackers minted a further 15.9 billion PLA tokens within a short period, worth $253.9 million. Some of these tokens flowed into the Gate exchange, forcing PlayDapp to suspend the PLA contract and migrate to the PDA token contract. This incident highlights the deficiencies of blockchain projects in private key protection and incident response.
No.3 WazirX
Loss amount: $235 million
Attack method: Network attack and phishing
On July 18, 2024, the multi-signature wallet of India's largest cryptocurrency exchange, WazirX, was targeted by hackers. The attackers used social engineering to induce the multi-signature signers to sign a contract upgrade transaction, and then used the upgraded contract's permissions to transfer all the assets out of the wallet. This case highlights the risks of multi-signature wallets in terms of permission configuration and operational transparency, and has prompted in-depth reflection in the industry on projects' internal risk controls and security mechanisms.
For a detailed analysis and fund tracing of this incident, please read "Beosin | Analysis of the $235 million theft incident of Indian exchange WazirX".
No.4 Gala Games
Loss amount: $216 million
Attack method: Access control vulnerability
On May 20, 2024, a privileged address of Gala Games was compromised by hackers, who used the Mint function of the token contract to mint 5 billion GALA tokens in a single transaction. The hackers then exchanged the newly minted tokens for ETH in batches, directly causing a loss of $216 million. The Gala Games team quickly activated the blacklist function to block some of the hacker's accounts and recovered the losses through legal channels after the incident.
No.5 Chris Larsen (Ripple's co-founder)
Loss amount: $112 million
Attack method: Private key leak
On January 31, 2024, four personal wallets of Ripple co-founder Chris Larsen were hacked, resulting in the theft of $112 million worth of XRP. These wallets are suspected of having lacked the additional protection of a hardware device. After the incident, Binance froze $4.2 million worth of XRP and assisted Larsen in tracking the stolen assets, but the vast majority of the funds had already been laundered through decentralized exchanges and mixing services.
No.6 Munchables
Loss amount: $62.5 million
Attack method: Social engineering attack
On March 26, 2024, the Blast-based Web3 gaming platform Munchables encountered a rare insider attack. The attacker was a North Korean hacker posing as a blockchain developer, who gained access to the core code and sensitive keys through long-term infiltration. Although the attack caused huge losses, the hacker eventually returned all the stolen funds under pressure from the community and the team. This incident shows the importance of supply chain security, especially for blockchain projects that rely on third-party developers.
No.7 BtcTurk
Loss amount: $55 million
Attack method: Private key leak
On June 22, 2024, Turkey's largest cryptocurrency exchange BtcTurk was attacked through a private key leak, losing over $55 million in crypto assets. With the assistance of the Binance team, $5.3 million of the stolen funds were successfully frozen, but the other assets have not been recovered yet. This incident has deepened market concerns about the private key management of centralized exchanges.
BtcTurk's official announcement of the attack
No.8 Radiant Capital
Loss amount: $53 million
Attack method: Private key leak
On October 17, 2024, Radiant Capital's multi-signature wallet was breached by hackers. Because the wallet used a low-threshold 3/11 signature scheme, obtaining the private keys of just 3 signers was enough for the hackers to produce valid signatures off-chain, transfer ownership of the wallet contract to a malicious address, and ultimately cause a loss of $53 million. This attack has triggered industry reflection on the design and governance of multi-signature wallets.
Before this attack, Radiant Capital had already lost $4.5 million to contract vulnerabilities, with over 1,900 ETH stolen. The security awareness of Web3 project teams still needs to improve.
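As an added illustration (not the code of Gala Games, Radiant Capital or Beosin), the following Solidity sketch shows two controls that address the failure modes in the Gala Games and Radiant Capital incidents above: a per-window cap on the privileged mint, and a two-step, timelocked ownership transfer that the remaining signers can cancel. The contract name, constant names, and the delay and cap values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Gala Games' or Radiant Capital's code: the privileged
// mint is capped per time window, and ownership changes are two-step and delayed,
// so one leaked key cannot mint unbounded supply or hand over the contract at once.
contract CappedMintToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    address public owner;
    address public pendingOwner;
    uint256 public ownerTransferReadyAt;
    uint256 public windowStart;
    uint256 public mintedThisWindow;
    uint256 public constant OWNER_TRANSFER_DELAY = 2 days;        // assumed policy
    uint256 public constant MINT_WINDOW = 1 days;                 // assumed policy
    uint256 public constant MINT_CAP_PER_WINDOW = 1_000_000e18;   // assumed policy
    event OwnershipTransferProposed(address indexed pending, uint256 readyAt);
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    constructor() { owner = msg.sender; }

    // Still privileged, but bounded: a stolen owner key mints at most
    // MINT_CAP_PER_WINDOW before monitoring has a full window to react.
    function mint(address to, uint256 amount) external onlyOwner {
        if (block.timestamp >= windowStart + MINT_WINDOW) {
            windowStart = block.timestamp;
            mintedThisWindow = 0;
        }
        require(mintedThisWindow + amount <= MINT_CAP_PER_WINDOW, "mint cap exceeded");
        mintedThisWindow += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    // The proposal sits on-chain for OWNER_TRANSFER_DELAY, giving the other
    // signers and monitoring tools time to notice and cancel it.
    function proposeOwner(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        ownerTransferReadyAt = block.timestamp + OWNER_TRANSFER_DELAY;
        emit OwnershipTransferProposed(newOwner, ownerTransferReadyAt);
    }
    function cancelOwnerProposal() external onlyOwner { pendingOwner = address(0); }
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        require(block.timestamp >= ownerTransferReadyAt, "timelock active");
        owner = pendingOwner;
        pendingOwner = address(0);
    }
}
```

The cap and delay do not stop a compromised owner key on their own; they buy the time for off-chain monitoring of the OwnershipTransferProposed event and of mint volume to catch the abuse before it becomes total.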
No.9 Hedgey Finance
Loss amount: $44.7 million
Attack method: Contract vulnerability
On April 19, 2024, Hedgey Finance suffered an attack targeting multiple on-chain contracts. The hackers exploited a vulnerability in the ClaimCampaigns contract to extract tokens from the Ethereum and Arbitrum chains, resulting in a total loss of $44.7 million. This event highlights the importance of code audits, especially the strict verification of token approval logic.
No.10 BingX
Loss amount: $44.7 million
Attack method: Private key leak
On September 19, 2024, the hot wallet of the BingX exchange was hacked, involving blockchains such as Ethereum, BNB Chain, and Tron. Although the exchange quickly initiated asset transfer and withdrawal freezing mechanisms, the hackers successfully extracted assets worth $44.7 million. This attack reflects the high-risk nature of centralized exchange hot wallet management, and further drives the industry to explore more secure asset storage solutions.
The frequent security incidents of 2024 once again remind us that the growth of the blockchain industry cannot be separated from security safeguards. From private key leaks to contract vulnerabilities, from internal management loopholes to increasingly sophisticated external attacks, each incident carries profound lessons. To cope with increasingly complex threats, all parties in the industry need to keep investing in technology R&D, management standards, and risk prevention and control. Going forward, we look forward to industry collaboration and technological innovation jointly building a more secure blockchain ecosystem and providing more reliable protection for users and investors.