Source: Chainalysis; Compiled by: Tao Zhu, Golden Finance
Cryptocurrency hacking remains an ongoing threat, with more than $1 billion worth of cryptocurrency stolen in four of the past ten years (2018, 2021, 2022 and 2023). 2024 marks the fifth year to reach this troubling milestone, highlighting that as cryptocurrency adoption and prices rise, so does the amount that can be stolen.
In 2024, stolen funds increased by approximately 21.07% year-on-year to US$2.2 billion, and the number of individual hacking incidents rose from 282 in 2023 to 303 in 2024.
Interestingly, the pace of cryptocurrency hacking changed around the middle of the year. In our mid-year crime update, we noted that the cumulative value stolen between January and July 2024 had reached $1.58 billion, approximately 84.4% higher than the value stolen over the same period in 2023. As the chart below shows, by the end of July the year was easily on track to rival the $3 billion-plus totals of 2021 and 2022. However, the upward trend in cryptocurrency theft slowed significantly after July 2024 and has remained relatively stable since then. Later we will explore potential geopolitical reasons for this change.
Interesting patterns also emerged in 2024 in the amounts stolen by victim platform type. For most quarters from 2021 to 2023, decentralized finance (DeFi) platforms were the primary target of cryptocurrency hackers. DeFi platforms may be more vulnerable to attack because their developers tend to prioritize rapid growth and getting products to market over implementing security measures, making them prime targets.
While DeFi still accounted for the largest share of stolen assets in the first quarter of 2024, centralized services were the most targeted in the second and third quarters. Some of the most notable centralized service hacks include DMM Bitcoin (May 2024; $305 million) and WazirX (July 2024; $234.9 million).
This shift in focus from DeFi to centralized services highlights the growing importance of a compromise vector hackers commonly rely on: private keys. In 2024, private key compromises accounted for the largest share of stolen cryptocurrency, at 43.8%. For centralized services, keeping private keys secure is critical, because those keys control access to user assets. Given the large amounts of user funds managed by centralized exchanges, the impact of a private key compromise can be devastating; we need only look at the $305 million DMM Bitcoin hack, the largest cryptocurrency breach of the year, which may have resulted from poor private key management or a lack of adequate security controls.
After private keys are compromised, malicious actors often launder the stolen funds through decentralized exchanges (DEXs), mining services, or mixing services to obfuscate the transaction trail and complicate tracking. In 2024, laundering by hackers who compromised private keys differed significantly from laundering by hackers who used other attack vectors. For example, after stealing private keys, these hackers often turned to bridging and mixing services, whereas for other attack vectors decentralized exchanges were more commonly used for laundering.
North Korean hackers stole more from crypto platforms than ever in 2024
North Korea-linked hackers are notorious for their sophisticated and ruthless tactics, often leveraging advanced malware, social engineering, and cryptocurrency theft to fund state-sponsored operations and circumvent international sanctions. U.S. and international officials have assessed that Pyongyang uses stolen cryptocurrency to fund its weapons of mass destruction and ballistic missile programs, jeopardizing international security. In 2023, North Korea-linked hackers stole approximately $660.5 million across 20 incidents; in 2024, this rose to $1.34 billion across 47 incidents, a 102.88% increase in stolen value. These figures account for 61% of the total amount stolen during the year and 20% of the total number of incidents.
Please note that in last year's report we published that North Korea had stolen $1 billion through 20 hacking attacks. After further investigation, we determined that certain large hacks previously attributed to North Korea could no longer be attributed to it, so the amount was revised down to $660.5 million. The number of incidents remained the same, however, because we identified other, smaller hacks attributable to North Korea. We will continue to re-evaluate our assessment of North Korea-related hacking incidents as new on-chain and off-chain evidence emerges.
Unfortunately, North Korea's cryptocurrency attacks appear to be becoming more frequent. In the chart below, we examined the average time between successful DPRK attacks by exploit size and found that the interval shrank year over year for attacks of every size. Notably, attacks worth $50 to $100 million and over $100 million occurred far more frequently in 2024 than in 2023, suggesting North Korea is getting better and faster at large-scale attacks. That is in stark contrast to the previous two years, when each exploit tended to yield less than $50 million.
When comparing North Korea's activity to all other hacking campaigns we monitor, it is clear that North Korea has been responsible for the majority of large-scale attacks over the past three years. Interestingly, the density of North Korean hacks is also increasing at lower values, especially around $10,000.
Some of these incidents appear to be linked to North Korean IT workers who are increasingly infiltrating cryptocurrency and Web3 companies, compromising their networks, operations, and integrity. These workers often use sophisticated tactics, techniques, and procedures (TTPs) such as false identities, third-party hiring agencies, and manipulation of remote work opportunities to gain access. In the latest case, the U.S. Department of Justice (DOJ) indicted 14 North Korean nationals who worked as remote IT workers for U.S. companies and made more than $88 million by stealing proprietary information and extorting their employers.
To mitigate these risks, companies should prioritize thorough employment due diligence—including background checks and identity verification—while maintaining strong private key security to protect critical assets, where applicable.
While all of these trends point to North Korea being very active this year, most of its attacks occurred early in the year, with overall hacking activity stalling in the third and fourth quarters, as shown in the earlier chart.
In late June 2024, Russian President Vladimir Putin and North Korean leader Kim Jong Un also held a summit in Pyongyang and signed a mutual defense agreement. So far this year, Russia has released millions of dollars of North Korean assets previously frozen under U.N. Security Council sanctions, signaling a growing alliance between the two countries. North Korea, meanwhile, has deployed troops to Ukraine, supplied ballistic missiles to Russia, and reportedly sought advanced space, missile and submarine technology from Moscow.
If we compare the average daily losses from DPRK exploits before and after July 1, 2024, we see a significant decrease in the value stolen. As the figure below shows, the amount stolen by North Korea subsequently dropped by approximately 53.73%, while the amount stolen by non-DPRK actors increased by approximately 5%. North Korea, which has significantly increased its cooperation with Russia in recent years, may therefore have shifted its cybercriminal activity in addition to redirecting military resources to the conflict in Ukraine.
The decline in North Korean theft after July 1, 2024 is clear, as is its timing, but it is important to note that this decline is not necessarily related to Putin's visit to Pyongyang. Additionally, events in December may change this pattern at the end of the year, as attackers often launch attacks during the holidays.
Case Study: North Korea's attack on DMM Bitcoin
A notable example of a North Korea-linked hack in 2024 involved the Japanese cryptocurrency exchange DMM Bitcoin, which suffered a breach that resulted in the loss of approximately 4,502.9 bitcoin, valued at $305 million at the time. The attackers targeted vulnerabilities in the infrastructure used by DMM, resulting in unauthorized withdrawals. In response, DMM, with the support of its group company, fully repaid customer deposits by sourcing equivalent funds.
We were able to analyze the on-chain flow of funds after the initial attack. In the first phase, we saw the attacker transfer millions of dollars worth of cryptocurrency from DMM Bitcoin to several intermediate addresses before it finally reached a Bitcoin CoinJoin mixing service.
After successfully mixing the stolen funds with the Bitcoin CoinJoin service, the attackers moved some of the funds through bridging services to Huione Guarantee, an online marketplace associated with the Cambodian conglomerate Huione Group, a significant facilitator of cybercrime.
DMM Bitcoin has transferred its assets and customer accounts to SBI VC Trade, a subsidiary of the Japanese financial conglomerate SBI Group, with the transition set to be completed in March 2025. Fortunately, emerging tools and predictive techniques, which we explore in the next section, are making it increasingly possible to prevent such destructive hacks before they happen.
Using predictive models to stop hackers
Advanced predictive technologies are transforming cybersecurity by detecting potential risks and threats in real time, providing a proactive approach to protecting digital ecosystems. Let's look at the example below, involving the decentralized liquidity provider UwU Lend.
On June 10, 2024, an attacker obtained approximately $20 million by manipulating UwU Lend's price oracle system. The attacker used a flash loan to alter the price of Ethena Staked USDe (sUSDe) on multiple oracles, resulting in incorrect valuations that allowed the attacker to borrow millions of dollars in just seven minutes. Hexagate detected the attack contract and similar deployments approximately two days before the exploit.
Although the attack contract was accurately detected in real time two days before the exploit, its connection to the contract that would be exploited was not immediately apparent because of how it was designed. Such early detection can be acted upon more effectively with additional tools like Hexagate's security oracles. Notably, the first attack, which resulted in $8.2 million in losses, occurred minutes before the subsequent attacks, providing another important signal.
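To make the mechanics of the UwU Lend incident concrete, the following is an added Python simulation, not code from UwU Lend, Hexagate or Chainalysis. It reduces a flash-loan oracle manipulation to arithmetic: a toy constant-product pool serves as the spot-price oracle, a toy lender prices collateral off it, and the attacker pumps the price, borrows against the inflated valuation and repays the flash loan in one atomic step. The pool reserves, the 80% loan-to-value ratio, the reference price and the loan sizes are all constructed, and the sUSDe oracle path the real attacker hit is not reproduced. The guarded variant shows the generic countermeasure: price collateral off a reference observed before the transaction (a TWAP or off-chain feed) and revert when the in-transaction spot price deviates from it.

```python
"""Flash-loan price-oracle manipulation, reduced to arithmetic.

Added illustration, not code from UwU Lend, Hexagate or Chainalysis.
Pool reserves, LTV, reference price and loan sizes are constructed.
"""
from dataclasses import dataclass
from typing import Callable

LTV = 0.80  # loan-to-value the lender allows (constructed)


@dataclass
class ConstantProductPool:
    """Toy x*y=k AMM between a collateral token (COL) and a stablecoin (USD)."""
    col: float
    usd: float

    def spot_price(self) -> float:
        """USD per COL implied by current reserves: the manipulable oracle."""
        return self.usd / self.col

    def buy_col(self, usd_in: float) -> float:
        """Swap USD in for COL out (no fee); returns the COL received."""
        k = self.col * self.usd
        self.usd += usd_in
        new_col = k / self.usd
        out = self.col - new_col
        self.col = new_col
        return out


@dataclass
class Lender:
    """Lends USD against COL collateral valued by `price_usd`."""
    liquidity_usd: float
    price_usd: Callable[[], float]

    def max_borrow(self, col_amount: float) -> float:
        return min(self.liquidity_usd, col_amount * self.price_usd() * LTV)


def guarded_oracle(pool: ConstantProductPool, reference: float,
                   max_deviation: float = 0.05) -> Callable[[], float]:
    """Price function that uses a reference observed before the transaction
    (stand-in for a TWAP or off-chain feed, constructed here) and reverts
    when the in-transaction spot price deviates from it by more than 5%."""
    def price() -> float:
        spot = pool.spot_price()
        if abs(spot - reference) / reference > max_deviation:
            raise ValueError("spot deviates from reference; refusing to price collateral")
        return reference
    return price


def run_attack(pool: ConstantProductPool, lender: Lender, flash_loan_usd: float):
    """One atomic transaction: flash-borrow USD, buy COL to pump the spot price,
    post the bought COL as collateral, borrow against the inflated valuation,
    repay the flash loan and keep the difference. Returns (attacker_profit,
    lender_bad_debt) at the fair pre-attack price; a revert yields (0, 0)."""
    fair_price = pool.spot_price()
    bought = pool.buy_col(flash_loan_usd)  # spot price is now inflated
    try:
        borrowed = lender.max_borrow(bought)
    except ValueError:
        return 0.0, 0.0  # oracle refused: the whole transaction reverts
    if borrowed < flash_loan_usd:
        return 0.0, 0.0  # cannot repay the flash loan: the transaction reverts
    profit = borrowed - flash_loan_usd
    bad_debt = borrowed - bought * fair_price  # collateral is abandoned at fair value
    return profit, bad_debt


def simulate(guarded: bool):
    """Fresh pool and lender per run; fair price 1,000 USD/COL (constructed)."""
    pool = ConstantProductPool(col=1_000.0, usd=1_000_000.0)
    reference = pool.spot_price()  # what a pre-transaction TWAP/feed would report
    price_fn = guarded_oracle(pool, reference) if guarded else pool.spot_price
    lender = Lender(liquidity_usd=5_000_000.0, price_usd=price_fn)
    return run_attack(pool, lender, flash_loan_usd=1_000_000.0)


if __name__ == "__main__":
    print("spot-only oracle (profit, bad debt):", simulate(guarded=False))
    print("guarded oracle   (profit, bad debt):", simulate(guarded=True))
```

With the constructed numbers, a $1M flash loan quadruples the spot price, so 500 COL that are worth $500k at the fair price get valued at $2M and the lender hands out $1.6M; the attacker nets $600k and the lender is left with $1.1M of bad debt. The guarded lender sees a 300% deviation from its reference and reverts, so the attacker cannot repay the flash loan and the whole transaction is undone. The deviation check is the piece a security oracle can feed: a price that moves this far inside a single transaction is itself the alert.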
Alerts like these, issued before major on-chain attacks, have the potential to transform security for industry players, allowing them to prevent costly hacks outright rather than merely respond to them.
In the image below, we see the attacker moved the stolen funds through two intermediate addresses before they reached Tornado Cash, an OFAC-sanctioned Ethereum smart contract mixer.
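Both the DMM Bitcoin flow described earlier (exchange to intermediate addresses to a CoinJoin service, then bridges) and the UwU Lend flow here (two intermediate addresses, then Tornado Cash) are traced the same way. The following is an added Python example, not Chainalysis tooling: it walks outgoing transfers from the exploit address over a constructed transfer log, stops at the first address carrying a known service label, and reports each path along with the amount that actually entered the labeled service. The addresses, labels and amounts are constructed; the attribution labels stand in for the clustering data a responder would already have.

```python
"""Follow-the-money tracing over a constructed transfer log.

Added example, not Chainalysis tooling. Addresses, labels and amounts are
constructed to mirror victim -> intermediaries -> mixer and victim -> bridge.
"""
from collections import defaultdict

# Constructed transfer log: (from, to, amount), single asset.
TRANSFERS = [
    ("exploiter", "hop_a", 800.0),
    ("exploiter", "hop_b", 200.0),
    ("hop_a", "hop_c", 800.0),
    ("hop_c", "mixer_router", 790.0),
    ("hop_c", "hop_dust", 10.0),         # unlabeled dead end, stays unresolved
    ("hop_b", "bridge_deposit", 200.0),
    ("bridge_deposit", "hop_d", 200.0),  # past the bridge: other chain, out of scope
    ("hop_d", "exploiter", 5.0),         # back-edge: the walk must not loop on it
]

# Attribution labels a responder has from prior clustering work (constructed).
LABELS = {
    "mixer_router": "Tornado Cash router (OFAC-sanctioned mixer)",
    "bridge_deposit": "cross-chain bridge deposit",
}


def build_graph(transfers):
    """Adjacency list keyed by sender."""
    graph = defaultdict(list)
    for src, dst, amount in transfers:
        graph[src].append((dst, amount))
    return graph


def trace(transfers, origin, labels, max_hops=6):
    """Depth-first walk along outgoing transfers from `origin`.

    A path ends at the first labeled address it reaches; paths that hit the
    hop limit or an address with no outgoing transfers are dropped. Returns
    (paths, totals): paths is a list of (address_list, amount_in), where
    amount_in is the value of the final edge, i.e. what entered the service;
    totals sums amount_in per label.
    """
    graph = build_graph(transfers)
    paths, totals = [], defaultdict(float)
    stack = [(origin, [origin], 0.0)]
    while stack:
        node, path, amount_in = stack.pop()
        if node != origin and node in labels:
            paths.append((path, amount_in))
            totals[labels[node]] += amount_in
            continue
        if len(path) - 1 >= max_hops:
            continue
        for dst, amount in graph.get(node, []):
            if dst in path:  # cycle guard
                continue
            stack.append((dst, path + [dst], amount))
    return paths, dict(totals)


def intermediaries(path):
    """Addresses strictly between the origin and the labeled endpoint."""
    return path[1:-1]


if __name__ == "__main__":
    found, per_label = trace(TRANSFERS, "exploiter", LABELS)
    for path, amount in found:
        hops = len(intermediaries(path))
        print(" -> ".join(path), f"| {amount:.1f} via {hops} intermediaries")
    print(per_label)
```

The walk deliberately stops at a labeled address rather than following the bridge across to the other chain; in practice that is where a second trace starts with that chain's data. The back-edge to the exploiter and the 10-unit dust dead end show the two cases that trip up a naive walk: cycles, and value that leaves the traced set without resolving to any known entity.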
Unfortunately, however, simply having access to these predictive models does not guarantee protection against hackers, as protocols may not always have the appropriate tooling in place to act on them effectively.
The need for stronger crypto security
The increase in stolen cryptocurrency in 2024 highlights the need for the industry to respond to an increasingly complex and evolving threat landscape. While the scale of cryptocurrency theft has not returned to 2021 and 2022 levels, the resurgence noted above exposes gaps in existing security measures and underlines the importance of adapting to new methods of exploitation. To effectively address these challenges, collaboration between the public and private sectors is crucial. Data sharing programs, real-time security solutions, advanced tracing tools, and targeted training can enable stakeholders to quickly identify and neutralize malicious actors while building the resilience needed to protect crypto assets.
In addition, as the cryptocurrency regulatory framework continues to evolve, scrutiny of platform security and customer asset protection is likely to increase. Industry best practices must keep pace with these changes to ensure prevention and accountability. By building stronger partnerships with law enforcement and providing teams with the resources and expertise to respond quickly, the cryptocurrency industry can strengthen its theft prevention capabilities. These efforts are critical not only to protecting personal assets, but also to building long-term trust and stability in the digital ecosystem.