Taking stock of the top ten most influential attacks on Web3 in 2024

Original source: Beosin

In 2024, while the blockchain industry is experiencing technological innovation and ecological expansion, it will also face increasingly severe security challenges. According to monitoring by the Alert platform of the security audit company Beosin, as of press time, the total losses in the Web3 field due to hacker attacks, phishing scams and project parties' Rug Pulls in 2024 have reached 2.491 billion US dollars.

These incidents not only exposed technical flaws such as private key management and smart contract vulnerabilities, but also highlighted the potential risks of social engineering and internal management. This article will take stock of the top ten Web3 security incidents in 2024 to help the industry learn from them and better respond to future security threats.

No.1 DMM Bitcoin

Loss: $304 million

Attack method: Private key leakage

On May 31, 2024, DMM Bitcoin, a long-established Japanese cryptocurrency exchange, suffered a historic attack. The attackers used the leaked private keys to directly transfer more than $300 million worth of Bitcoin and quickly dispersed the stolen funds to more than 10 different addresses. This attack exposed serious deficiencies in DMM Bitcoin’s private key management and multi-layered security protection. Although the exchange tried to track the hackers through on-chain monitoring and freezing funds, the stolen Bitcoins were dispersed and transferred and cleaned using currency mixing tools, which brought great challenges to the tracking work.

On December 24, Japanese police determined that the theft of DMM Bitcoin was caused by the North Korean hacker organization Lazarus Group.

No.2 PlayDapp

Loss: $290 million

Attack method: Private key leakage

On February 9, 2024, PlayDapp suffered a heavy blow. Hackers minted 2 billion PLA tokens with an initial value of $36.5 million by stealing private keys. As negotiations between the project party and the hacker failed, the hacker minted a further 15.9 billion PLA tokens worth US$253.9 million in a short period of time. After some of these tokens flowed into the Gate exchange, PlayDapp was forced to suspend the PLA contract and migrate to the PDA token contract. This incident highlighted the shortcomings of blockchain projects in private key protection and emergency response.

No.3 WazirX

Amount of loss: $235 million

Attack methods: network attacks and phishing

On July 18, 2024, the Safe Wallet multi-signature wallet of WazirX, India's largest cryptocurrency exchange, was precisely attacked by hackers. The attacker induced the multi-signer to sign a contract upgrade transaction through social engineering, and then used the upgraded contract permissions to transfer all the assets in the wallet. This case highlights the potential risks in management permission configuration and operational transparency of multi-signature wallets, and also triggers in-depth reflection in the industry on the internal risk control and security mechanisms of projects.

For detailed analysis and fund tracking of this incident, you can read "Beosin | Analysis of $235 Million Stolen from Indian Exchange WazirX".

No.4 Gala Games

Loss: $216 million

Attack method: access control vulnerability

On May 20, 2024, a privileged address of Gala Games was compromised by a hacker. The attacker minted 5 billion GALA tokens at once by calling the mint function in the token contract. Subsequently, the hacker converted the newly issued tokens into ETH in batches, directly causing a loss of US$216 million. After the incident, the Gala Games team urgently activated the blacklist function to block some hacker accounts and recovered the losses through judicial channels.

No.5 Chris Larsen (Ripple's co-founder)

Amount of loss: $112 million

Attack method: Private key leakage

On January 31, 2024, four personal wallets of Ripple co-founder Chris Larsen were hacked, resulting in the theft of $112 million in XRP. These wallets are suspected of being targeted due to the lack of dual protection of hardware devices. After the incident, Binance successfully froze XRP worth $4.2 million and assisted Larsen in tracking the stolen assets, but most of the funds had been laundered through decentralized exchanges and currency mixing services.

No.6 Munchables

Amount of loss: $62.5 million

Attack method: social engineering attack

On March 26, 2024, the Blast-based Web3 gaming platform Munchables suffered a rare internal penetration attack. The attacker is a North Korean hacker disguised as a blockchain developer. He obtained the core code and sensitive keys through long-term lurking. Although the attack caused huge losses, the hackers eventually returned all stolen funds due to pressure from the community and team. This incident sheds light on the importance of supply chain security, especially for blockchain projects that rely on third-party development.

No.7 BtcTurk

Amount of loss: $55 million

Attack method: Private key leakage

On June 22, 2024, Turkey's largest cryptocurrency exchange BtcTurk suffered a private key leak attack, losing more than $55 million in crypto assets. With the assistance of the Binance team, $5.3 million of stolen funds was successfully frozen, but other assets have not yet been recovered. This incident deepened the market’s concerns about the management of private keys in centralized exchanges.

 BtcTurk official announcement of being attacked

No.8 Radiant Capital

Amount of loss: $53 million

Attack method: Private key leakage

On October 17, 2024, Radiant Capital’s multi-signature wallet was compromised by hackers. Due to its low-threshold 3/11 signature verification mode, hackers initiated off-chain signatures by mastering the private keys of three signers, transferring the ownership of the wallet contract to a malicious address, ultimately resulting in the theft of $53 million. The attack triggered an industry rethink on multi-signature wallet design and governance mechanisms.

Before this attack, Radiant Capital had lost $4.5 million due to contract vulnerabilities, and more than 1,900 ETH had been stolen. Web3 project parties still need to pay more attention to security.

No.9 Hedgey Finance

Loss amount: $44.7 million

Attack method: Contract vulnerability

On April 19, 2024, Hedgey Finance suffered an attack on multiple on-chain contracts. Hackers exploited an approval vulnerability in its ClaimCampaigns contract and successfully withdrew tokens on both Ethereum and Arbitrum chains, resulting in a total loss of $44.7 million. This incident shows the importance of code auditing, especially rigorous verification of token approval logic.

No.10 BingX

Loss amount: $44.7 million

Attack method: Private key leakage

On September 19, 2024, the hot wallet of the BingX exchange was hacked, and the chains involved included Ethereum, BNB Chain, Tron and other public chains. Although the exchange quickly initiated asset transfer and withdrawal freeze mechanisms, hackers were able to successfully withdraw assets worth $44.7 million. This attack reflects the high-risk nature of hot wallet management in centralized exchanges and further drives the industry to explore more secure asset storage solutions.

The frequent occurrence of security attacks in 2024 reminds us once again that the development of the blockchain industry is inseparable from the protection of security. From private key leaks to contract vulnerabilities, from internal management oversights to the upgrade of external attack methods, every incident has brought profound lessons. In order to deal with increasingly complex attack threats, all parties in the industry need to continue to increase investment in technology research and development, management regulations, and risk prevention and control. In the future, we look forward to jointly building a safer blockchain ecosystem through industry collaboration and technological innovation to provide users and investors with more reliable protection.