In 2024, the blockchain industry will face increasingly severe security challenges while experiencing technological innovation and ecological expansion. According to monitoring by the Alert platform of the security audit company Beosin, as of press time, the total losses caused by hacker attacks, phishing scams and project parties’ Rug Pull in the Web3 field in 2024 have reached 2.491 billion US dollars.

These incidents not only exposed technical flaws such as private key management and smart contract vulnerabilities, but also highlighted the potential risks of social engineering and internal management. This article will take stock of the top ten Web3 security incidents in 2024 to help the industry learn from them and better respond to future security threats.

No.1 DMM Bitcoin

Loss amount: US$304 million

Attack method: private key leak

On May 31, 2024, the old Japanese cryptocurrency exchange DMM Bitcoin encountered Historic attack. The attackers used the leaked private keys to directly transfer more than $300 million worth of Bitcoin and quickly dispersed the stolen funds to more than 10 different addresses. This attack exposed serious deficiencies in DMM Bitcoin’s private key management and multi-layered security protection. Although the exchange tried to track the hackers through on-chain monitoring and freezing funds, the stolen Bitcoins were dispersed and transferred and cleaned using currency mixing tools, which brought great challenges to the tracking work.

On December 24, the Japanese police determined that the theft of DMM Bitcoin was caused by the North Korean hacker organization Lazarus Group.

No.2 PlayDapp loss: $290 million

Attack method: private key leak< /p>

On February 9, 2024, PlayDapp suffered a heavy blow. Hackers minted 2 billion PLA tokens by stealing private keys, with an initial value of US$36.5 million. As negotiations between the project team and the hacker failed, the hacker minted a further 15.9 billion PLA tokens worth US$253.9 million in a short period of time. After some of these tokens flowed into the Gate exchange, PlayDapp was forced to suspend the PLA contract and migrate to the PDA token contract. This incident highlighted the shortcomings of blockchain projects in private key protection and emergency response.

No.3 WazirX

Loss amount: US$235 million

Attack method: cyber attack and Phishing

On July 18, 2024, the Safe Wallet multi-signature wallet of WazirX, India's largest cryptocurrency exchange, was precisely attacked by hackers. The attacker induced the multi-signer to sign a contract upgrade transaction through social engineering, and then used the upgraded contract permissions to transfer all the assets in the wallet. This case highlighted the potential risks in the management permission configuration and operational transparency of multi-signature wallets, and also triggered in-depth reflection in the industry on the internal risk control and security mechanisms of the project.

No.4 Gala Games

Loss amount: US$216 million

Attack method: access control vulnerability

2024 May 20, Gala Games A certain privileged address was compromised by a hacker. The attacker minted 5 billion GALA tokens at once by calling the mint function in the token contract. Subsequently, the hacker converted the newly issued tokens into ETH in batches, directly causing a loss of US$216 million. After the incident, the Gala Games team urgently activated the blacklist function to block some hacker accounts and recovered the losses through judicial channels.

No.5 Chris Larsen (Ripple's co-founder)

Amount of loss: $112 million

Attack method: private key leak

On January 31, 2024, Ripple co-founded Chris Larsen Four personal wallets were compromised by hackers, resulting in the theft of $112 million in XRP. thisSome wallets are suspected of being targeted due to lack of dual protection from hardware devices. After the incident, Binance successfully froze XRP worth $4.2 million and assisted Larsen in tracking the stolen assets, but most of the funds had been laundered through decentralized exchanges and currency mixing services.

No.6 Munchables

Loss amount: $62.5 million

Attack method: social engineering Attack

On March 26, 2024, the Blast-based Web3 game platform Munchables suffered a rare internal penetration attack. The attacker is a North Korean hacker disguised as a blockchain developer. He obtained the core code and sensitive keys through long-term lurking. Although the attack caused huge losses, the hackers eventually returned all stolen funds due to pressure from the community and team. This incident sheds light on the importance of supply chain security, especially for blockchain projects that rely on third-party development.

No.7 BtcTurk

Loss amount: US$55 million

Attack method: Private key leakage

On June 22, 2024, Turkey's largest cryptocurrency exchange BtcTurk was attacked by a private key leak and lost more than $55 million in crypto assets. With the assistance of the Binance team, US$5.3 million in stolen funds was successfully frozen, but other assets have not yet been recovered. This incident deepened the market’s concerns about the management of private keys in centralized exchanges.

BtcTurk official announcement of being attacked

No.8 Radiant Capital

Loss amount: US$53 million

Attack method: private key leakage

October 17, 2024, Radiant Capital ’s multi-signature wallet was compromised by hackers. Due to its low-threshold 3/11 signature verification mode, hackers initiated off-chain signatures by mastering the private keys of three signers and transferred the ownership of the wallet contract to a malicious address, ultimately resulting in the theft of $53 million. this attackIt triggered industry reflection on multi-signature wallet design and governance mechanisms.

Radiant Capital had lost $4.5 million due to contract vulnerabilities before this attack, and more than 1,900 ETH were stolen. Web3 project parties still need to pay more attention to security.

No.9 Hedgey Finance

Loss amount: US$44.7 million

Attack method: Contract vulnerability

On April 19, 2024, Hedgey Finance encountered attacks targeting multiple on-chain contracts. The hacker exploited an approval vulnerability in its ClaimCampaigns contract and successfully withdrew tokens on both Ethereum and Arbitrum chains, resulting in a total loss of $44.7 million. This incident shows the importance of code auditing, especially rigorous verification of token approval logic.

No.10 BingX

Loss amount: US$44.7 million

Attack method: Private key leak

On September 19, 2024, the hot wallet of the BingX exchange was hacked. The chains involved include Ethereum, BNB Chain, Tron Wait for multiple public chains. Although the exchange quickly initiated asset transfer and withdrawal freezing mechanisms, hackers have successfully withdrawn assets worth $44.7 million. This attack reflects the high-risk nature of hot wallet management in centralized exchanges and further drives the industry to explore more secure asset storage solutions.

The frequent security attacks in 2024 remind us once again that the development of the blockchain industry is inseparable from security escort. From private key leaks to contract vulnerabilities, from internal management oversights to the upgrade of external attack methods, every incident has brought profound lessons. In order to deal with increasingly complex attack threats, all parties in the industry need to continue to increase investment in technology research and development, management regulations, and risk prevention and control. In the future, we look forward to jointly building a more secure blockchain ecosystem through industry collaboration and technological innovation to provide users and investors with more reliable protection.