In 2024, the top ten security incidents in Web3 resulted in nearly $2.5 billion in losses, with the $300 million attack on DMM Bitcoin ranking first.


Top 10 Web3 Security Incidents of 2024

In 2024, the blockchain industry faced increasingly severe security challenges amid technological innovation and ecosystem expansion. According to data from security monitoring platforms, as of now, total losses in the Web3 field due to hacker attacks, phishing scams, and project exits have reached $2.491 billion.

These incidents not only exposed vulnerabilities in technology areas such as private key management and smart contracts, but also highlighted the potential risks associated with social engineering attacks and internal management. This article will review the ten most influential security events in the Web3 field in 2024, hoping that the industry can learn from these lessons to better address future security threats.


1. DMM Bitcoin

Loss amount: 304 million USD
Attack method: Private Key Leak

On May 31, 2024, the well-known Japanese cryptocurrency exchange DMM Bitcoin experienced a major security incident. Attackers used leaked private keys to directly transfer over $300 million worth of Bitcoin, quickly dispersing the stolen funds to more than 10 different addresses. This incident exposed serious flaws in the exchange's private key management and multi-layer security measures. Although the exchange attempted to track the hackers through on-chain monitoring and freezing of funds, the recovery efforts faced significant challenges due to the rapid dispersion of the stolen Bitcoin and the use of mixing tools to launder the funds.

On December 24, Japanese police confirmed that the attack was carried out by the North Korean hacker group Lazarus Group.

2. PlayDapp

Loss amount: 290 million USD
Attack method: Private key leakage

On February 9, 2024, PlayDapp suffered a major blow. Using stolen private keys, hackers minted 2 billion PLA tokens with an initial value of $36.5 million. After negotiations with the hackers failed, the attackers minted a further 15.9 billion PLA tokens in a short time, worth $253.9 million. After some of the stolen tokens flowed into exchanges, PlayDapp was forced to suspend the PLA contract and migrate to a new PDA token contract. This incident highlights the shortcomings of blockchain projects in private key protection and emergency response.

3. A certain Indian cryptocurrency exchange

Loss amount: $235 million
Attack method: Cyber attacks and phishing

On July 18, 2024, the Safe Wallet multi-signature wallet of India's largest cryptocurrency exchange was subjected to a targeted attack. The attacker used social engineering tactics to induce the multi-signature signers to approve a contract upgrade transaction, subsequently exploiting the upgraded contract's permissions to empty the assets in the wallet. This incident highlights the potential risks of multi-signature wallets in managing permission configurations and operational transparency, and has sparked deep reflections within the industry on internal risk control and security mechanisms.

4. Gala Games

Loss amount: $216 million
Attack method: access control vulnerability

On May 20, 2024, a privileged address of Gala Games was compromised. The attacker minted 5 billion GALA tokens in one go by calling the mint function in the token contract. The hacker then exchanged the minted tokens for ETH in batches, directly causing a loss of 216 million USD. After the incident, the Gala Games team urgently activated the blacklist function to block some hacker accounts and recovered part of the losses through legal means.

5. Ripple co-founder's personal wallets hacked

Loss amount: 112 million USD
Attack method: Private Key Leakage

On January 31, 2024, four personal wallets of Ripple co-founder Chris Larsen were hacked, resulting in the theft of $112 million worth of XRP. These wallets reportedly became targets because they lacked dual protection from hardware devices. After the incident, an exchange successfully froze $4.2 million worth of XRP and assisted Larsen in tracking the stolen assets, but most of the funds had already been laundered through decentralized exchanges and mixing services.


6. Munchables

Loss amount: 62.5 million USD
Attack method: Social Engineering Attack

On March 26, 2024, the Web3 gaming platform Munchables, based on Blast, experienced a rare internal infiltration attack. The attacker was a hacker posing as a blockchain developer, who gained access to the core code and sensitive keys through long-term infiltration. Although the attack caused significant losses, the hacker ultimately returned all stolen funds under pressure from the community and the team. This incident highlights the importance of supply chain security, especially for blockchain projects that rely on third-party development.

7. A certain Turkish cryptocurrency exchange

Loss amount: 55 million USD
Attack method: Private Key Leakage

On June 22, 2024, Turkey's largest cryptocurrency exchange suffered a private key leak attack, resulting in a loss of over $55 million in crypto assets. With the assistance of a certain exchange team, $5.3 million of the stolen funds was successfully frozen, but other assets have not yet been recovered. This incident has deepened the market's concerns over the private key management of centralized exchanges.

8. Radiant Capital

Loss amount: 53 million USD
Attack method: Private key leakage

On October 17, 2024, the multi-signature wallet of Radiant Capital was breached by hackers. Because the wallet used a low-threshold 3/11 signature verification model, the hackers needed control of the private keys of only 3 signers to produce off-chain signatures and transfer ownership of the wallet contract to a malicious address, ultimately resulting in the theft of $53 million. This attack has sparked industry-wide reflection on the design and governance mechanisms of multi-signature wallets.

It is worth noting that Radiant Capital had already lost 4.5 million dollars to a contract vulnerability before this attack, with over 1,900 ETH stolen. This once again emphasizes the urgent need for Web3 projects to strengthen their focus on security.
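As an added example (not code from this article or from any project it names), here is a pre-signing policy check that a multisig signer workflow could run. It flags the two conditions that the Safe Wallet upgrade incident and the Radiant Capital incident above turned on: a proposal that changes ownership or implementation, and a low signing threshold. The `Proposal` fields, the `review` function, the allowlist and the 0.5 ratio are assumptions for illustration; the selectors are the standard ABI selectors for the named functions.

```python
from dataclasses import dataclass

# Standard 4-byte ABI selectors for calls that hand over control of a contract.
SENSITIVE_SELECTORS = {
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
}
DELEGATECALL = 1  # Safe-style operation field: 0 = call, 1 = delegatecall

@dataclass
class Proposal:          # hypothetical shape of a pending multisig transaction
    to: str              # target contract address
    data: str            # hex calldata, with or without 0x prefix
    operation: int = 0   # 0 = call, 1 = delegatecall

def review(p, threshold, owners, allowlist, min_ratio=0.5):
    """Return findings that should stop routine signing (empty list = no flags).

    allowlist holds lowercase addresses the team has approved out of band;
    min_ratio is an assumed policy value, not an industry standard.
    """
    findings = []
    raw = p.data[2:] if p.data.lower().startswith("0x") else p.data
    selector = raw[:8].lower()
    if selector in SENSITIVE_SELECTORS:
        findings.append(f"privileged call: {SENSITIVE_SELECTORS[selector]}")
        # First argument is one 32-byte word; the address is its last 20 bytes.
        if len(raw) >= 8 + 64:
            target = "0x" + raw[8 + 24:8 + 64].lower()
            if target not in allowlist:
                findings.append(f"new owner/implementation {target} not on allowlist")
    if p.operation == DELEGATECALL and p.to.lower() not in allowlist:
        findings.append(f"delegatecall to non-allowlisted contract {p.to.lower()}")
    if owners and threshold / owners < min_ratio:
        findings.append(f"threshold {threshold}/{owners} below policy ratio {min_ratio}")
    return findings

# Constructed sample inputs (not taken from any real transaction).
NEW_OWNER = "0x" + "11" * 20
OWNERSHIP_TRANSFER = Proposal(to="0x" + "aa" * 20,
                              data="0xf2fde38b" + "00" * 12 + "11" * 20)
TOKEN_TRANSFER = Proposal(to="0x" + "bb" * 20,
                          data="0xa9059cbb" + "00" * 12 + "22" * 20 + "00" * 31 + "01")

if __name__ == "__main__":
    for finding in review(OWNERSHIP_TRANSFER, 3, 11, allowlist=set()):
        print("BLOCK:", finding)
```

A proposal that returns any finding would be escalated for out-of-band verification of the decoded calldata rather than signed from the wallet prompt alone.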


9. Hedgey Finance

Loss amount: 44.7 million USD
Attack method: Contract vulnerability

On April 19, 2024, Hedgey Finance suffered an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in its ClaimCampaigns contract to successfully extract tokens from both the Ethereum and Arbitrum chains, resulting in a total loss of $44.7 million. This incident highlights the importance of code audits, particularly the rigorous validation of token approval logic.

10. Hot Wallet of a Certain Cryptocurrency Exchange Hacked

Loss amount: 44.7 million USD
Attack method: Private key leakage

On September 19, 2024, the hot wallet of a certain cryptocurrency exchange was hacked, involving multiple public chains including Ethereum, BNB Chain, and Tron. Although the exchange quickly initiated asset transfer and withdrawal freeze mechanisms, the hacker successfully extracted assets worth 44.7 million dollars. This attack reflects the high risk of hot wallet management in centralized exchanges and further drives the industry to explore more secure asset storage solutions.

The frequent security incidents of 2024 remind us once again that the development of the blockchain industry depends on security. From private key leaks to contract vulnerabilities, from internal management oversights to more sophisticated external attack methods, each incident has brought profound lessons. To cope with increasingly complex threats, all parties in the industry need to keep strengthening their investment in technology research and development, management practices, and risk prevention. In the future, we look forward to establishing a more secure blockchain ecosystem through industry collaboration and technological innovation, providing more reliable protection for users and investors.

GasBanditvip
· 16h ago
Hacker really can make things happen
Ser_APY_2000vip
· 16h ago
Another year of record losses.
LadderToolGuyvip
· 17h ago
Another wave of bull run prelude
MetaverseLandlordvip
· 17h ago
Strengthening security work is urgent.
BearMarketSurvivorvip
· 17h ago
Safety of funds is the top priority.