Web3 Security Alarm: Top 10 Events in 2024 Resulting in Nearly $2.5 Billion in Losses


Top 10 Security Incidents in Web3 of 2024

In 2024, the Web3 industry faced severe security challenges even as it continued to innovate and grow. According to statistics, the total losses caused by hacker attacks, scams, and project failures this year have reached as high as $2.491 billion. These incidents exposed technical flaws in areas such as private key management and smart contracts, and also highlighted risks in social engineering and internal management. This article reviews the ten most influential security events in the Web3 field in 2024, with the aim of learning from them to better respond to future security threats.

Top Ten Most Influential Attacks in Web3 2024

1. DMM Bitcoin Incident

Loss Amount: $304 million
Attack Method: Private Key Leakage

On May 31, 2024, the well-known Japanese cryptocurrency exchange DMM Bitcoin suffered a major attack. Hackers exploited leaked private keys to directly transfer over $300 million worth of Bitcoin, quickly dispersing the stolen funds to multiple addresses. This incident revealed serious flaws in the exchange's private key management and multi-layer security protection. Although the exchange attempted to track the hackers through on-chain monitoring and freezing of funds, the tracking efforts faced significant challenges due to the dispersal of funds and their laundering through mixing tools.

At the end of the year, Japanese police confirmed that the attack was carried out by the North Korean hacker group Lazarus Group.


2. PlayDapp Encountered an Attack

Loss Amount: $290 million
Attack Method: Private Key Leakage

On February 9, 2024, PlayDapp suffered a heavy blow. Using stolen private keys, hackers minted 2 billion PLA tokens with an initial value of 36.5 million dollars. After negotiations with PlayDapp failed, the hackers minted an additional 15.9 billion PLA tokens, worth 253.9 million dollars. After some tokens flowed into exchanges, PlayDapp was forced to suspend the PLA contract and migrate to a new PDA token contract. This incident highlights the inadequacies of blockchain projects in private key protection and emergency response.

3. Multi-signature wallet of an Indian exchange hacked

Loss Amount: $235 million
Attack Methods: Cyber Attacks and Phishing

On July 18, 2024, the Safe Wallet multi-signature wallet of a large cryptocurrency exchange in India was hit by a targeted attack. The attackers used social engineering techniques to induce the multi-signature signers to sign a contract upgrade transaction, and then exploited the upgraded contract's permissions to transfer all assets in the wallet. This incident revealed risks in the permission configuration and operational transparency of multi-signature wallets, and prompted the industry to re-examine projects' internal risk controls and security mechanisms.

4. Gala Games Faces Token Minting Attack

Loss Amount: $216 million
Attack Method: Access Control Vulnerability

On May 20, 2024, a privileged address of Gala Games was hacked. The attacker called the mint function of the token contract to mint 5 billion GALA tokens at once. Subsequently, these newly minted tokens were exchanged for ETH in batches, resulting in a direct loss of $216 million. The Gala Games team urgently activated the blacklist feature to block some hacker accounts after the incident and recovered part of the losses through legal means.

5. A Well-Known Cryptocurrency Founder's Personal Wallet Was Hacked

Loss Amount: $112 million
Attack Method: Private Key Leakage

On January 31, 2024, four personal wallets of a co-founder of a well-known cryptocurrency project were hacked, resulting in the theft of $112 million in cryptocurrency. These wallets were targeted due to a lack of dual protection through hardware devices. After the incident, a large exchange successfully froze $4.2 million of the stolen assets and assisted in tracking them, but most of the funds had already been laundered through decentralized exchanges and mixing services.


6. Munchables Encounters Internal Infiltration

Loss Amount: 62.5 million USD
Attack Method: Social Engineering Attack

On March 26, 2024, the Blast-based Web3 gaming platform Munchables suffered a rare internal infiltration attack. The attacker disguised themselves as a blockchain developer and obtained core code and sensitive keys through long-term infiltration. Although it caused huge losses, under pressure from the community and the team, the hacker ultimately returned all the stolen funds. This incident highlights the importance of supply chain security, especially for blockchain projects that rely on third-party development.

7. A Turkish Exchange Suffers Private Key Leak

Loss Amount: 55 million USD
Attack Method: Private Key Leakage

On June 22, 2024, a large cryptocurrency exchange in Turkey suffered a private key leak attack, resulting in a loss of over $55 million in cryptocurrency assets. With the assistance of other exchanges, $5.3 million of the stolen funds were successfully frozen, but other assets have yet to be recovered. This incident has heightened market concerns over the private key management of centralized exchanges.

8. Radiant Capital Multisig Wallet Hacked

Loss Amount: 53 million USD
Attack Method: Private Key Leakage

On October 17, 2024, the multi-signature wallet of Radiant Capital was hacked. Because the wallet used a low-threshold 3/11 signature verification model, gaining control of the private keys of 3 signers was enough for the hacker to produce off-chain signatures and transfer ownership of the wallet contract to a malicious address, ultimately resulting in a theft of $53 million. This attack has prompted the industry to re-examine the design and governance mechanisms of multi-signature wallets.

It is worth noting that Radiant Capital lost $4.5 million due to a contract vulnerability before this attack, with over 1900 ETH stolen. This again emphasizes the importance of Web3 projects raising security awareness.

9. Hedgey Finance Suffers Contract Vulnerability Attack

Loss Amount: 44.7 million USD
Attack Method: Contract Vulnerability

On April 19, 2024, Hedgey Finance suffered an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in its ClaimCampaigns contract's approval process, successfully extracting tokens from both the Ethereum and Arbitrum chains, resulting in a total loss of $44.7 million. This incident highlights the importance of code auditing, particularly the rigorous verification of token approval logic.


10. A certain exchange's hot wallet was hacked

Loss Amount: 44.7 million USD
Attack Method: Private Key Leakage

On September 19, 2024, the hot wallet of a cryptocurrency exchange was hacked, involving multiple public chains such as Ethereum, BNB Chain, and Tron. Although the exchange quickly activated asset transfer and withdrawal freezing mechanisms, the hackers successfully extracted assets worth $44.7 million. This attack reflects the high risks associated with the management of hot wallets in centralized exchanges and further drives the industry to explore safer asset storage solutions.

The frequent security incidents in 2024 remind us again that the development of the blockchain industry relies on security guarantees. From private key leaks to contract vulnerabilities, from internal management lapses to upgrades in external attack methods, each incident has brought profound lessons. To cope with increasingly complex attack threats, all parties in the industry need to continuously strengthen their investment in technology research and development, management standards, and risk prevention. In the future, we look forward to jointly building a more secure blockchain ecosystem through industry collaboration and technological innovation, providing more reliable protection for users and investors.

SybilSlayervip
· 22h ago
Playing people for suckers is really fast.
CryptoMomvip
· 22h ago
In just a month, nearly 3 billion people are gone.
UncleLiquidationvip
· 22h ago
When will it end?
FalseProfitProphetvip
· 22h ago
Wow, this loss is just explosive!