Top 10 Security Incidents in Web3 of 2024: Losses of $2.491 Billion


Top Ten Security Incidents in the Web3 Field in 2024

In 2024, even as the blockchain industry continued to innovate and develop, it faced increasingly severe security challenges. According to monitoring data from platforms, as of now, total losses in the Web3 sector from hacking attacks, fraud, and project owners absconding have reached $2.491 billion.

These events not only exposed technical flaws, such as private key management and smart contract vulnerabilities, but also highlighted potential risks in social engineering and internal management. This article will review the top ten security incidents in Web3 for 2024, to help the industry learn lessons and better respond to future security threats.

Top 10 Most Influential Attack Events in Web3 for 2024

1. DMM Bitcoin

Loss Amount: $304 million
Attack Method: Private Key Leakage

On May 31, 2024, the well-known Japanese cryptocurrency exchange DMM Bitcoin suffered a major attack. Hackers exploited leaked private keys to directly transfer over $300 million worth of Bitcoin, quickly dispersing the stolen funds to more than 10 different addresses. This incident exposed serious deficiencies in the exchange's private key management and multi-layer security protections. Although the exchange attempted to track the hackers through on-chain monitoring and freezing funds, the tracking efforts faced significant challenges due to the dispersal of funds and the use of mixing tools to launder them.

On December 24, Japanese police confirmed that the attack was carried out by a certain hacker organization.

2. PlayDapp

Loss Amount: $290 million
Attack Method: Private Key Leakage

On February 9, 2024, PlayDapp suffered a severe blow. Using stolen private keys, the attackers minted 2 billion PLA tokens, initially valued at 36.5 million USD. After negotiations with the hackers failed, the attackers minted an additional 15.9 billion PLA tokens, worth 253.9 million USD. After some of the stolen tokens flowed into exchanges, PlayDapp was forced to suspend the PLA contract and migrate to a new PDA token contract. This incident highlights the shortcomings of blockchain projects in private key protection and emergency incident response.

3. WazirX

Loss Amount: $235 million
Attack Methods: Cyber Attacks and Phishing

On July 18, 2024, WazirX, India's largest cryptocurrency exchange, suffered a targeted attack on its multi-signature wallet. The attackers used social engineering tactics to induce the multi-signature signers to authorize a contract upgrade transaction, and then leveraged the upgraded contract permissions to transfer all assets from the wallet. This incident highlights the potential risks associated with the management of permission configurations and operational transparency in multi-signature wallets, and has sparked in-depth discussions within the industry regarding internal risk control and security mechanisms of projects.

4. Gala Games

Loss Amount: $216 million
Attack Method: Access Control Vulnerability

On May 20, 2024, a privileged address of Gala Games was hacked. The attacker called the mint function of the token contract and minted 5 billion GALA tokens in one go. Subsequently, these newly issued tokens were exchanged for ETH in batches, resulting in a direct loss of $216 million. The Gala Games team urgently activated the blacklist function to block some hacker accounts after the incident and recovered part of the losses through legal means.
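
A monitoring check for the pattern in the PlayDapp and Gala Games incidents above, as an added example that is not part of the original article or of either project's code: it flags ERC-20 mints (Transfer events from the zero address) that exceed a supply-relative budget, in one event or across a trailing block window. The event records, addresses, supply figure, 1% budget and 100-block window are constructed assumptions.

```python
from dataclasses import dataclass

# ERC-20 convention: newly minted tokens appear as a Transfer from the zero address.
ZERO = "0x" + "0" * 40

@dataclass
class Transfer:
    block: int
    sender: str
    recipient: str
    amount: int  # whole tokens

def mint_alerts(events, supply_before, max_mint_bps=100, window_blocks=100):
    """Flag mints above max_mint_bps (basis points) of supply, either in one
    event or summed over the trailing window_blocks blocks."""
    alerts, supply, recent = [], supply_before, []
    for ev in sorted(events, key=lambda e: e.block):
        if ev.sender != ZERO:
            continue  # ordinary transfer, not a mint
        recent = [(b, a) for b, a in recent if ev.block - b < window_blocks]
        prior = sum(a for _, a in recent)
        # Budget is measured against supply as it stood before the window's mints.
        limit = (supply - prior) * max_mint_bps // 10_000
        if ev.amount > limit:
            alerts.append((ev.block, "single-mint", ev.recipient, ev.amount))
        elif prior + ev.amount > limit:
            alerts.append((ev.block, "cumulative-mint", ev.recipient, prior + ev.amount))
        recent.append((ev.block, ev.amount))
        supply += ev.amount
    return alerts

# Constructed sample data: placeholder addresses and an invented supply figure.
TREASURY, USER, UNKNOWN = ("0x" + c * 40 for c in "abc")
SUPPLY_BEFORE = 1_000_000_000
SAMPLE_EVENTS = [
    Transfer(100, USER, TREASURY, 5_000),
    Transfer(110, ZERO, TREASURY, 2_000_000),
    Transfer(150, ZERO, TREASURY, 3_000_000),
    Transfer(160, ZERO, UNKNOWN, 6_000_000),
    Transfer(400, ZERO, UNKNOWN, 5_000_000_000),
]

if __name__ == "__main__":
    for alert in mint_alerts(SAMPLE_EVENTS, SUPPLY_BEFORE):
        print(alert)
```

An alert like this is most useful when wired to the token's pause or blacklist controls, since both incidents involved the minted tokens reaching exchanges shortly afterwards.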

5. Ripple Co-founder Attacked

Loss Amount: 112 million USD
Attack Method: Private Key Leak

On January 31, 2024, four personal wallets of Ripple's co-founder were hacked, resulting in the theft of $112 million worth of XRP. These wallets may have become targets for the attack due to the lack of dual protection from hardware devices. After the incident, a certain exchange successfully froze $4.2 million worth of XRP and assisted in tracking the stolen assets, but most of the funds have been laundered through decentralized exchanges and mixing services.

6. Munchables

Loss Amount: 62.5 million USD
Attack Method: Social Engineering Attack

On March 26, 2024, the Web3 gaming platform Munchables, based on Blast, experienced a rare internal penetration attack. The attacker posed as a blockchain developer and gained access to the core code and sensitive keys through prolonged infiltration. Although the attack resulted in significant losses, under pressure from the community and the team, the hacker ultimately returned all stolen funds. This incident highlights the importance of supply chain security, especially for blockchain projects that rely on third-party development.

7. BtcTurk

Loss Amount: 55 million USD
Attack Method: Private Key Leak

On June 22, 2024, BtcTurk, Turkey's largest cryptocurrency exchange, suffered a private key leak attack, resulting in losses exceeding $55 million in crypto assets. With the assistance of a certain exchange team, $5.3 million of the stolen funds were successfully frozen, but other assets have yet to be recovered. This incident has deepened market concerns about private key management in centralized exchanges.

8. Radiant Capital

Loss Amount: 53 million USD
Attack Method: Private Key Leakage

On October 17, 2024, Radiant Capital's multi-signature wallet was hacked. Because the wallet used a low-threshold 3/11 signature verification model, obtaining the private keys of 3 signers was enough for the hacker to initiate an off-chain signature and transfer the ownership of the wallet contract to a malicious address, ultimately resulting in the theft of 53 million dollars. This attack has sparked industry-wide reflection on the design and governance mechanisms of multi-signature wallets.

It is worth noting that Radiant Capital lost 4.5 million dollars due to a contract vulnerability before this attack, with over 1900 ETH stolen, indicating that Web3 project teams still need to improve their focus on security.

9. Hedgey Finance

Loss Amount: 44.7 million USD
Attack Method: Contract Vulnerability

On April 19, 2024, Hedgey Finance suffered an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in its ClaimCampaigns contract to successfully extract tokens from both the Ethereum and Arbitrum chains, with total losses reaching $44.7 million. This incident highlights the importance of code auditing, particularly the rigorous verification of token approval logic.

10. BingX

Loss Amount: 44.7 million USD
Attack Method: Private Key Leakage

On September 19, 2024, the hot wallet of a certain exchange was hacked, involving multiple public chains such as Ethereum, BNB Chain, and Tron. Although the exchange quickly activated asset transfer and withdrawal freeze mechanisms, the hacker still successfully extracted assets worth $44.7 million. This attack reflects the high risks associated with the management of hot wallets in centralized exchanges and further drives the industry to explore safer asset storage solutions.

The frequent security attacks in 2024 remind us once again that the development of the blockchain industry cannot be separated from security guarantees. From private key leaks to contract vulnerabilities, from internal management oversights to the upgrading of external attack methods, each incident has brought profound lessons. To cope with increasingly complex attack threats, all parties in the industry need to continuously strengthen their investments in technology research and development, management standards, and risk prevention. In the future, we look forward to jointly building a more secure blockchain ecosystem through industry collaboration and technological innovation, providing more reliable protection for users and investors.

RugpullTherapistvip
· 07-26 05:26
Loss figures are seen again; contract vulnerabilities can never be fully fixed.
GateUser-a180694bvip
· 07-26 05:24
The loss is just too outrageous.
MetadataExplorervip
· 07-26 05:20
There are really a lot of vulnerabilities.
RugPullAlarmvip
· 07-26 05:07
The old data curve is familiar again, it's another year of suckers' blood and tears.