Source: Chainalysis
Compiled by: Tao Zhu, Jinse Finance
Cryptocurrency hacking attacks remain an ongoing threat, with over $1 billion in cryptocurrency stolen in four out of the past ten years (2018, 2021, 2022, and 2023). 2024 marks the fifth year reaching this concerning milestone, highlighting that as cryptocurrency adoption and prices rise, the amounts that can be stolen are also increasing.
In 2024, the stolen funds grew by approximately 21.07% year-over-year, reaching $2.2 billion, with the number of individual hacking incidents increasing from 282 in 2023 to 303 in 2024.
Interestingly, the intensity of cryptocurrency hacking attacks shifted around the middle of this year. In our mid-year crime update, we noticed that the cumulative value stolen from January 2024 to July 2024 had already reached $1.58 billion, up about 84.4% from the value stolen in the same period in 2023. As seen in the chart below, the ecosystem was on track to match or exceed the over $3 billion stolen in 2021 and 2022 by the end of July. However, the upward trend in cryptocurrency thefts in 2024 slowed noticeably after July, remaining relatively stable thereafter. We will explore the potential geopolitical reasons behind this shift later.
In terms of the stolen amounts by victim platform type, 2024 also saw some interesting patterns. In most quarters from 2021 to 2023, decentralized finance (DeFi) platforms were the primary targets of cryptocurrency hackers. DeFi platforms may be more vulnerable to attacks because their developers tend to prioritize rapid growth and getting products to market over implementing security measures, making them prime targets for hackers.
While DeFi still accounted for the largest share of stolen assets in the first quarter of 2024, centralized services were the most targeted in the second and third quarters. Some of the most notable centralized service hacks included DMM Bitcoin (May 2024; $305 million) and WazirX (July 2024; $234.9 million).
This shift in focus from DeFi to centralized services highlights the growing importance of security mechanisms like private keys. In 2024, private key compromises accounted for the largest portion of stolen cryptocurrency at 43.8%. For centralized services, ensuring the security of private keys is crucial, as they control access to user assets. Given that centralized exchanges manage large amounts of user funds, the impact of private key compromises can be devastating; we need only look at the $305 million DMM Bitcoin hack, one of the largest cryptocurrency breaches to date, which may have been due to poor private key management or insufficient security.
After private keys are compromised, malicious actors often use decentralized exchanges (DEXs), mining services, or mixing services to launder the stolen funds, obfuscating the transaction trail and making tracing more complex. By 2024, we can see that the money laundering activities of private key hackers differ significantly from those using other attack vectors. For example, after stealing private keys, these hackers often turn to bridge and mixing services. For other attack vectors, decentralized exchanges are more commonly used for money laundering activities.
In 2024, the amount stolen by North Korean hackers from cryptocurrency platforms will be higher than ever before
North Korean hackers are notorious for their sophisticated and ruthless tactics, often leveraging advanced malware, social engineering, and cryptocurrency theft to fund state-sponsored actions and evade international sanctions. U.S. and international officials assess that Pyongyang uses stolen cryptocurrency to finance its weapons of mass destruction and ballistic missile programs, posing a threat to international security. By 2023, North Korea-linked hackers had stolen approximately $660.5 million through 20 incidents; by 2024, this figure increased to $1.34 billion across 47 incidents, a 102.88% increase in stolen value. These numbers account for 61% of the total amount stolen that year and 20% of the total number of incidents.
Please note that in last year's report, we had published information about North Korea stealing $1 billion through 20 hacking attacks. After further investigation, we have determined that some of the larger hacks previously attributed to North Korea may no longer be relevant, reducing the amount to $660.5 million. However, the number of incidents remains unchanged, as we have identified other smaller hacks attributed to North Korea.
Unfortunately, North Korea's cryptocurrency attacks appear to be becoming more frequent. In the chart below, we examined the average time between successful DPRK attacks by the scale of the breach, and found that the frequency of attacks of various scales has decreased year-over-year. Notably, the frequency of attacks valued between $50 million to $100 million, as well as those over $100 million, is much higher in 2024 compared to 2023, indicating that North Korea is getting better and faster at executing large-scale attacks. This contrasts with the previous two years, where their typical profits were often less than $50 million per incident.
Comparing North Korea's activity to all other hacker activity we monitor, it is clear that North Korea has been responsible for the majority of the largest-scale attacks over the past three years. Interestingly, North Korean hackers are also increasing the density of smaller-scale attacks, around $10,000 in value.
Some of these incidents appear to involve North Korean IT workers increasingly infiltrating cryptocurrency and Web3 companies, compromising their networks, operations, and integrity. These employees often use sophisticated tactics, techniques, and procedures (TTPs), such as false identities, employing third-party recruiting intermediaries, and manipulating remote work opportunities to gain access. In a recent case, the U.S. Department of Justice (DOJ) on Wednesday charged 14 North Korean nationals working as remote IT workers in the U.S. The companies earned over $88 million through stealing proprietary information and extorting employers.
To mitigate these risks, companies should prioritize thorough hiring due diligence - including background checks and identity verification - while maintaining robust private key security to protect critical assets (if applicable).
Despite all these trends indicating North Korea's high activity this year, the majority of their attacks occurred in the early part of the year, with overall hacking activity stalling in the third and fourth quarters, as shown in the earlier charts.
In late June 2024, Russian President Vladimir Putin and North Korean leader Kim Jong-un will also hold a summit in Pyongyang and sign a joint defense agreement. So far this year, Russia has released hundreds of millions of dollars in previously frozen North Korean assets in accordance with UN Security Council sanctions, marking the continued development of the two countries' alliance. At the same time, North Korea has deployed troops to Ukraine and provided ballistic missiles to Russia, and is reportedly seeking advanced space, missile and submarine technology from Moscow.
If we compare the average daily loss of DPRK vulnerabilities before and after July 1, 2024, we can see a significant decrease in the value of stolen assets. As shown in the figure below, the amount stolen by North Korea decreased by about 53.73% after that date, while the amount stolen by non-North Korean parties increased by about 5%. Therefore, in addition to diverting military resources to the conflict in Ukraine, North Korea's greatly increased cooperation with Russia in recent years may also have changed its cybercrime activities.
The decline in funds stolen by North Korea after July 1, 2024 is obvious and the timing is clear, but it is worth noting that this decline may not be related to Putin's visit to Pyongyang. In addition, some events in December may change this pattern by the end of the year, and attackers often launch attacks during holidays.
Case Study: North Korea's Attack on DMM Bitcoin
A notable example of a North Korea-related hacking attack in 2024 involved the Japanese cryptocurrency exchange DMM Bitcoin, which was hit by a hack that resulted in the loss of about 4,502.9 bitcoins, worth $305 million at the time. The attackers exploited vulnerabilities in the infrastructure used by DMM, leading to unauthorized withdrawals. In response, DMM, with the support of its parent company, fully reimbursed customer deposits by finding equivalent funds.
We were able to analyze the on-chain flow of funds after the initial attack, and in the first stage we saw the attackers transfer millions of dollars worth of cryptocurrencies from DMM Bitcoin to several intermediate addresses, ultimately reaching a Bitcoin CoinJoin mixing service.
After successfully mixing the stolen funds using the Bitcoin CoinJoin mixing service, the attackers transferred some of the funds to Huioneguarantee, an online marketplace associated with the Cambodian conglomerate Huione Group, which is a major player in this field and facilitates cybercrime.
DMM Bitcoin has transferred its assets and customer accounts to SBI VC Trade, a subsidiary of the Japanese financial group SBI Group, with the transition scheduled to be completed by March 2025. Fortunately, emerging tools and predictive technologies are on the rise, which we will discuss in the next section to prepare for the prevention of such destructive hacking attacks.
Using Predictive Models to Prevent Hacking Attacks
Advanced predictive technologies are transforming cybersecurity by providing real-time detection of potential risks and threats, offering a proactive approach to protecting digital ecosystems. Let's look at an example involving the decentralized liquidity provider UwU Lend.
On June 10, 2024, attackers manipulated UwU Lend's price oracle system to obtain around $20 million in funds. The attackers launched a flash loan attack to change the prices of Ethena Staked USDe (sUSDe) on multiple oracles, leading to incorrect valuations. As a result, the attackers were able to borrow millions of dollars within seven minutes. Hexagate detected the attack contract and its similar deployments about two days before the vulnerability was exploited.
Although the attack contract was accurately detected in real-time about two days before the vulnerability was exploited, its connection to the exploited contract was not immediately apparent due to its design. With the help of other tools like Hexagate's security oracles, this early detection can be further leveraged to mitigate the threat. Notably, the first attack that caused $8.2 million in losses occurred just minutes before the subsequent attack, providing another important signal.
Such warnings issued before major on-chain attacks have the potential to change the security posture of industry participants, enabling them to fully prevent costly hacks rather than just respond to them.
In the figure below, we see the attacker transferring the stolen funds through two intermediate addresses before reaching the OFAC-approved Ethereum smart contract mixer Tornado Cash.
However, it is worth noting that merely accessing these predictive models does not guarantee the prevention of hacking attacks, as protocols may not always have the appropriate tools to take effective action.
The Need for Stronger Crypto Security
The increase in stolen cryptocurrencies in 2024 highlights the industry's need to address an increasingly complex and evolving threat landscape. While the scale of cryptocurrency thefts has not yet returned to the levels of 2021 and 2022, the resurgence highlighted above underscores the gaps in existing security measures and the importance of adapting to new exploitation methods. To effectively address these challenges, collaboration between the public and private sectors is crucial. Data-sharing initiatives, real-time security solutions, advanced tracking tools, and targeted training can empower stakeholders to quickly identify and eliminate malicious actors, while building the resilience required to protect crypto assets.
Furthermore, as the regulatory framework for cryptocurrencies continues to evolve, scrutiny of platform security and customer asset protection may intensify. Industry best practices must keep pace with these changes to ensure prevention and accountability. By establishing stronger partnerships with law enforcement and providing teams with the resources and expertise for rapid response, the cryptocurrency industry can strengthen its anti-theft capabilities. These efforts are not only critical for protecting individual assets, but also essential for building long-term trust and stability within the digital ecosystem.
