In 2024, there were 410 security incidents, with losses reaching $2.013 billion.
Author: SlowMist AML Team, SlowMist Security Team
Last week we released SlowMist Presents | 2024 Blockchain Security and Anti-Money Laundering Annual Report. We are now breaking the report down into four articles that analyze its key content, to help readers gain a more comprehensive and in-depth understanding of the main security challenges and opportunities in the current blockchain ecosystem. This article focuses on the security landscape of the blockchain ecosystem.
In the security field, 2024 continued the severe situation of previous years. Hacker attacks occurred frequently, with attacks on centralized platforms the dominant type. Smart contract vulnerabilities and social engineering remained hackers' main means of attack, phishing became more covert and complex, and protecting user assets still faced major challenges. Supply chain security also drew more attention in 2024, with several well-known projects hit by malicious code injection attacks that cost users a large amount of assets.
According to the SlowMist Hacked database, there were 410 security incidents in 2024, with losses reaching $2.013 billion. Compared to 2023 (464 incidents, about $2.486 billion in losses), the losses decreased by 19.02% year-on-year.
Note: The data in this report is based on the token prices at the time of the incidents, and the actual losses should be higher than the statistics due to factors such as token price fluctuations and some unreported incidents not being included in the statistics.

Typical Attack Incidents

DMM Bitcoin
On May 31, 2024, the Japanese cryptocurrency exchange DMM Bitcoin reported that 4,502.9 BTC had been illegally transferred from its official wallet, resulting in a loss of approximately 48.2 billion yen. The DMM Bitcoin security incident ranks seventh in the history of cryptocurrency hacking attacks in terms of loss amount, and is the largest attack since December 2022. Previously, Japan had experienced two major cryptocurrency exchange hacking incidents, the Mt.Gox incident in 2014 and the Coincheck incident in 2018, with stolen amounts of $450 million and $534 million respectively. This DMM Bitcoin attack incident has become the third largest such case in Japan. On December 23, the FBI, the Department of Defense Cyber Crime Center (DC3), and the National Police Agency of Japan (NPA) warned the public that this theft was related to the TraderTraitor threat activity, which has also been tracked as Jade Sleet, UNC4899, and Slow Pisces. TraderTraitor activities are typically characterized by social engineering attacks targeting multiple employees of the same company.
It is reported that in late March 2024, a North Korean hacker posing as a LinkedIn recruiter contacted an employee of Ginco, a Japan-based enterprise-level cryptocurrency wallet software company. The hacker sent the target employee a link to a malicious Python script hosted on GitHub, claiming it was a job interview test. The target employee copied the Python code to their own GitHub page, resulting in a compromise. In mid-May, the TraderTraitor hackers used the stolen session cookie information to impersonate the compromised employee and successfully accessed Ginco's unencrypted communication system. In late May, the hackers likely used this access to tamper with legitimate transaction requests made by DMM Bitcoin employees, leading to the theft of 4,502.9 BTC. Finally, the stolen funds were transferred to wallets controlled by TraderTraitor.
PlayDapp
On February 9, 2024, the blockchain game platform PlayDapp was attacked: hackers compromised the PlayDapp (PLA) token smart contract. Having illegally obtained the private key, they changed the contract's ownership and minting permission and transferred them to their own account, removed the existing administrators' authorization, and illegally minted 200 million PLA tokens. Shortly after the incident, PlayDapp sent the hacker a message through an on-chain transaction, requesting the return of the stolen funds and offering a $1 million white hat reward, but the negotiations ultimately failed. On February 12, the hacker illegally minted another 1.59 billion PLA tokens, but these could not circulate because exchanges froze them. On April 1, PlayDapp disclosed that on January 16, 2024, its team had received a forged email from the hacker, carefully designed to have the same title, sender email address (including username and domain name), and content as the routine information request emails it usually receives from major partner exchanges. Analysis showed that when the malicious code in the email attachment was executed, a tampered remote access multi-session tool was installed on the victim's computer, which the hacker then controlled remotely, leading to the theft of the administrator's private key.
WazirX
On July 18, 2024, multiple suspicious transactions were detected in the multi-signature wallet of the Indian cryptocurrency exchange WazirX. On July 19, according to WazirX's preliminary investigation results published on the X platform, one of their multi-signature wallets was subject to a cyber attack, resulting in a loss of over $230 million. The wallet had six signatories - five from the WazirX team and one from Liminal, responsible for transaction verification. Each transaction typically required approval from three WazirX team signatories (all using Ledger hardware wallets to ensure security) before being finally approved by the Liminal signatory. This cyber attack was due to a discrepancy between the data displayed on the Liminal interface and the actual transaction content, where the transaction information displayed on the Liminal interface did not match the content actually signed. WazirX suspects that the hackers, through payload substitution, transferred the wallet control to themselves.
BtcTurk
On June 22, 2024, the Turkish cryptocurrency exchange BtcTurk was attacked, resulting in a loss of approximately $90 million. BtcTurk stated in its June 22 announcement: "This cyber attack affected a portion of the balances of 10 cryptocurrencies in our hot wallet, while most of the assets stored in our cold wallet remain safe." According to Binance CEO Richard Teng, Binance has frozen $5.3 million worth of the stolen assets.
Munchables
On March 27, 2024, the Blast ecosystem project Munchables was attacked, resulting in a loss of approximately $62.5 million. On the same day, Blast founder Pacman tweeted: "The Blast core contributors have secured $97 million through multi-signature. Thanks to the former Munchables developers for choosing to ultimately return all funds without any ransom."
Radiant Capital
On October 17, 2024, Radiant Capital posted on X that it was aware of issues in the Radiant lending markets on BNB Chain and Arbitrum, and that the Base and mainnet markets had been temporarily suspended. According to the SlowMist security team's analysis, the incident was caused by the hacker illegally gaining control of three of Radiant's multi-signature signer permissions and then upgrading the contract to a malicious one to steal the funds. On October 18, Radiant released an incident analysis report stating that the incident caused a loss of about $50 million: the hacker had infiltrated the devices of at least three core contributors using sophisticated malware injection, and these compromised devices were then used to sign malicious transactions. On December 6, Radiant released an update on the incident stating that Mandiant, the security company it hired, attributed the attack to UNC4736, commonly known as AppleJeus or Citrine Sleet; Mandiant strongly believes that UNC4736 is associated with the Democratic People's Republic of Korea (DPRK).
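The WazirX and Radiant incidents above share one failure: signers approved a payload that differed from what the interface showed them. The following is an added example, not code from SlowMist, WazirX, Liminal or Radiant. It is a signer-side check that decodes the raw calldata a multi-signature transaction would actually execute and compares it with what the interface displays, refusing any selector it cannot decode rather than signing blind. The selector table holds a few standard ERC-20, Ownable and UUPS signatures; the token, treasury and attacker addresses and the three transactions are constructed sample data.

```python
from typing import Any

# Well-known 4-byte selectors (first 4 bytes of keccak256 of the signature) for
# functions that move assets or change control. Static argument types only,
# each occupying one 32-byte word.
KNOWN_SELECTORS: dict[str, tuple[str, list[str]]] = {
    "a9059cbb": ("transfer(address,uint256)", ["address", "uint256"]),
    "095ea7b3": ("approve(address,uint256)", ["address", "uint256"]),
    "f2fde38b": ("transferOwnership(address)", ["address"]),
    "3659cfe6": ("upgradeTo(address)", ["address"]),
}


def encode_call(selector: str, args: list[Any]) -> str:
    """Build calldata for a static-argument call; used here only to construct samples."""
    words = []
    for arg in args:
        if isinstance(arg, str):  # hex address, left-padded to 32 bytes
            words.append(bytes.fromhex(arg.removeprefix("0x")).rjust(32, b"\x00"))
        else:  # uint256
            words.append(int(arg).to_bytes(32, "big"))
    return "0x" + selector + b"".join(words).hex()


def decode_calldata(calldata_hex: str) -> dict[str, Any]:
    """Decode the selector and static arguments, or report the selector as unknown."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    entry = KNOWN_SELECTORS.get(selector)
    if entry is None:
        return {"selector": selector, "signature": None, "args": []}
    signature, types = entry
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError(f"{signature}: expected {32 * len(types)} argument bytes, got {len(body)}")
    args: list[Any] = []
    for i, typ in enumerate(types):
        word = body[32 * i: 32 * (i + 1)]
        if typ == "address":
            if any(word[:12]):  # an address must be zero-padded; anything else is malformed
                raise ValueError("address word has non-zero padding")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"selector": selector, "signature": signature, "args": args}


def compare_with_display(displayed: dict[str, Any], tx: dict[str, Any]) -> list[str]:
    """List every way the bytes to be signed differ from what the interface claims."""
    problems: list[str] = []
    if tx["to"].lower() != displayed["to"].lower():
        problems.append(f"target mismatch: shows {displayed['to']}, signs {tx['to']}")
    decoded = decode_calldata(tx["data"])
    if decoded["signature"] is None:
        problems.append(f"unknown selector {decoded['selector']}: refuse to sign blind")
        return problems
    if decoded["signature"] != displayed["function"]:
        problems.append(f"function mismatch: shows {displayed['function']}, signs {decoded['signature']}")
    shown_args = [a.lower() if isinstance(a, str) else a for a in displayed["args"]]
    if decoded["args"] != shown_args:
        problems.append(f"argument mismatch: shows {shown_args}, signs {decoded['args']}")
    return problems


# Constructed sample: the interface shows a 100-unit transfer to a treasury address.
TOKEN = "0x" + "aa" * 20
TREASURY = "0x" + "11" * 20
ATTACKER = "0x" + "ee" * 20
DISPLAYED = {"to": TOKEN, "function": "transfer(address,uint256)", "args": [TREASURY, 100]}
HONEST_TX = {"to": TOKEN, "data": encode_call("a9059cbb", [TREASURY, 100])}
# Same target contract, but the payload actually hands ownership to another address.
SUBSTITUTED_TX = {"to": TOKEN, "data": encode_call("f2fde38b", [ATTACKER])}
# Unknown selector: the signer cannot tell what it does, so it is rejected outright.
OPAQUE_TX = {"to": TOKEN, "data": "0xdeadbeef" + "00" * 32}

if __name__ == "__main__":
    for label, tx in [("honest", HONEST_TX), ("substituted", SUBSTITUTED_TX), ("opaque", OPAQUE_TX)]:
        print(label, compare_with_display(DISPLAYED, tx) or "OK, matches display")
```

The check runs on the signer's own machine against the raw bytes, not against the interface's rendering, which is the point: the interface is the component that was wrong in both incidents. A production version would also cover the other fields the multisig commits to (value, operation type, nonce), and the hardware wallet's on-device display of the digest remains the final source of truth.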
BingX
On September 20, 2024, the cryptocurrency exchange BingX announced that at around 4 a.m. Singapore time that day, its security system had detected an unauthorized intrusion into one of its hot wallets. According to the SlowMist security team's statistics, the incident resulted in a loss of about $45 million. According to MistTrack's analysis, the Indodax hacker and the BingX hacker appear to be connected: they used the same address to launder the stolen funds, and both were traced back to the North Korean hacker group Lazarus.
Hedgey Finance
On April 19, 2024, Hedgey Finance was attacked, and the hacker carried out a series of malicious transactions, resulting in a total loss of approximately $44.7 million on the Ethereum and Arbitrum chains. The root cause of this incident was the lack of verification of user parameter input, which allowed the hacker to manipulate and obtain unauthorized token approvals.
Penpie
On September 4, 2024, the decentralized liquidity mining project Penpie was attacked, and the hacker profited by about $27.35 million. According to the SlowMist security team's analysis, the core of the incident was that, when registering a new Pendle market, Penpie incorrectly assumed that every market created by Pendle Finance was legitimate. However, Pendle Finance's market creation process is open: anyone can create a market, and key parameters such as the SY contract address can be set by the creator. Exploiting this, the hacker created a market contract with a malicious SY contract and used flash loans to add a large amount of liquidity to the market and pool, artificially inflating the reward amount and profiting from it.
FixedFloat
On February 16, 2024, according to on-chain data, the cryptocurrency trading platform FixedFloat was attacked, losing approximately 409 BTC (about $21.17 million) and 1,728 ETH (about $4.85 million). FixedFloat stated that the incident was an external attack exploiting vulnerabilities in its security architecture, that it was not carried out by employees, and that user funds were not affected. On April 2, FixedFloat posted on X that it had been attacked again by the same hackers as on February 16; this time the hackers exploited vulnerabilities in third-party services used by FixedFloat. The two incidents caused FixedFloat a total loss of approximately $29 million.
Rug Pull
A Rug Pull is a scam in which malicious project parties hype a project to attract user investment and then "pull the rug" and run away with the funds when the timing is right. According to the statistics of the SlowMist Blockchain Hacking Incident Archive (SlowMist Hacked), there were 58 Rug Pull incidents in 2024, resulting in losses of about $106 million.

With the advent of the Meme coin craze, many users, driven by speculation and FOMO, have overlooked the potential risks. Some issuers don't even need to describe a vision or provide a whitepaper: a concept or a slogan is enough to hype the project and attract users to buy the tokens, and the low cost of malicious behavior has led to a proliferation of rug pull incidents. Here are some common tactics used by malicious project parties:
- False propaganda and hype: Attracting user investment through exaggerating technical capabilities or market potential, as well as false partnerships or celebrity endorsements.
- Manipulation of token prices: Project parties often hold a large amount of tokens in advance, and create an illusion of prosperity by manipulating market prices to attract more capital.
- Vulnerabilities in token contracts: By reserving backdoors in smart contracts, project parties can withdraw funds or destroy liquidity pools at any time.
- Disappearance: Before running away, project parties often shut down official websites, social media accounts or disband communities, cutting off contact with investors.
Having understood how malicious project parties operate, we can see that these scams typically exploit users' speculative mentality and desire for high returns. To avoid becoming a victim, the key is to remain vigilant and to strengthen one's ability to assess and verify projects. The following methods can help users avoid projects that may run away:
- Review project background: Pay attention to the authenticity and background of the team members, and check if they have any bad records in previous projects.
- Check audit status: Check whether the project has undergone a professional security audit.
- Pay attention to community feedback: Join the project's social media or forums, observe the activity of the community and be wary of excessive praise or unreasonable promises.
- Diversify investments: Do not invest all your funds in one project to avoid major losses due to a single project.
- Beware of high-yield temptations: There is no free lunch, high returns often come with high risks. Be extra cautious about unrealistic promises such as "doubling quickly" or "zero risk".
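The "vulnerabilities in token contracts" tactic and the audit check above can be partly automated before buying: the token contract's ABI lists every function the project party can still call. The following is an added example, not a SlowMist tool or any project's code. It scans an ABI for state-changing functions whose names suggest a backdoor (arbitrary minting, blacklisting, adjustable sell taxes, trading switches, privileged withdrawals) and reports whether ownership can even be renounced. The ABI fragment is constructed for a hypothetical meme token; the rule list and severities are this example's own heuristics.

```python
import json
import re

# Constructed ABI fragment for a hypothetical meme token (not any real project's contract).
SAMPLE_ABI_JSON = """[
  {"type": "function", "name": "transfer", "stateMutability": "nonpayable",
   "inputs": [{"name": "to", "type": "address"}, {"name": "amount", "type": "uint256"}], "outputs": [{"type": "bool"}]},
  {"type": "function", "name": "balanceOf", "stateMutability": "view",
   "inputs": [{"name": "account", "type": "address"}], "outputs": [{"type": "uint256"}]},
  {"type": "function", "name": "mint", "stateMutability": "nonpayable",
   "inputs": [{"name": "to", "type": "address"}, {"name": "amount", "type": "uint256"}], "outputs": []},
  {"type": "function", "name": "setBlacklist", "stateMutability": "nonpayable",
   "inputs": [{"name": "account", "type": "address"}, {"name": "blocked", "type": "bool"}], "outputs": []},
  {"type": "function", "name": "setSellTax", "stateMutability": "nonpayable",
   "inputs": [{"name": "bps", "type": "uint256"}], "outputs": []},
  {"type": "function", "name": "setTradingEnabled", "stateMutability": "nonpayable",
   "inputs": [{"name": "enabled", "type": "bool"}], "outputs": []},
  {"type": "function", "name": "withdrawETH", "stateMutability": "nonpayable", "inputs": [], "outputs": []},
  {"type": "function", "name": "owner", "stateMutability": "view", "inputs": [], "outputs": [{"type": "address"}]},
  {"type": "function", "name": "renounceOwnership", "stateMutability": "nonpayable", "inputs": [], "outputs": []},
  {"type": "event", "name": "Transfer", "anonymous": false, "inputs": []}
]"""

# (regex over the lower-cased function name, severity, why it enables a rug pull)
RULES = [
    (r"^mint", "high", "unrestricted minting can dilute every holder at will"),
    (r"blacklist|blocklist|denylist|setbot", "high", "owner can stop chosen holders from selling"),
    (r"settax|setfee|setsell|setbuy", "medium", "adjustable fees; a near-100% sell tax turns the token into a honeypot"),
    (r"settrading|enabletrading|pause|setmaxtx|setmaxwallet", "medium", "owner can halt or throttle trading"),
    (r"withdraw|rescue|sweep|removeliquidity", "medium", "privileged withdrawal of funds held by the contract"),
]


def scan_abi(abi):
    """Return one finding per state-changing function whose name matches a rug-pull rule."""
    findings = []
    for item in abi:
        if item.get("type") != "function" or item.get("stateMutability") in ("view", "pure"):
            continue  # only state-changing functions can move funds or change the rules
        lowered = item["name"].lower()
        for pattern, severity, reason in RULES:
            if re.search(pattern, lowered):
                findings.append({"function": item["name"], "severity": severity, "reason": reason})
                break  # first matching rule wins; one finding per function
    return findings


def risk_summary(abi):
    """Aggregate findings and note whether the owner could give up control at all."""
    findings = scan_abi(abi)
    names = {item["name"] for item in abi if item.get("type") == "function"}
    return {
        "high": sum(1 for f in findings if f["severity"] == "high"),
        "medium": sum(1 for f in findings if f["severity"] == "medium"),
        # Whether ownership *can* be renounced; whether it *was* is an on-chain state check.
        "can_renounce_ownership": "renounceOwnership" in names,
        "findings": findings,
    }


SAMPLE_ABI = json.loads(SAMPLE_ABI_JSON)

if __name__ == "__main__":
    summary = risk_summary(SAMPLE_ABI)
    print(f"high={summary['high']} medium={summary['medium']} "
          f"can_renounce_ownership={summary['can_renounce_ownership']}")
    for finding in summary["findings"]:
        print(f"  [{finding['severity']}] {finding['function']}: {finding['reason']}")
```

Function names are only a heuristic: a backdoor can sit behind an innocuous name, behind a proxy that the owner can upgrade, or inside a transfer hook that the ABI does not reveal. Treat a clean scan as a reason to keep checking, not a clearance: read the verified source for access modifiers, confirm on-chain that ownership has been renounced and liquidity locked, and look for an audit from a reputable firm.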
The full report is linked below; you can also click through to read the original text. You are welcome to read and share 🙂
Chinese: https://www.slowmist.com/report/2024-Blockchain-Security-and-AML-Annual-Report(CN).pdf
English: https://www.slowmist.com/report/2024-Blockchain-Security-and-AML-Annual-Report(EN).pdf
Disclaimer: As a blockchain information platform, the articles published on this site only represent the personal views of the authors and guests, and are not related to the position of Web3Caff. The information in the articles is for reference only and does not constitute any investment advice or offer, and please comply with the relevant laws and regulations of your country or region.