In 2024, Web3 security incidents resulted in losses of nearly $2.5 billion, with private key leaks being the main cause.

Top 10 Security Incidents in the Web3 Field of 2024

In 2024, the Web3 industry continued to innovate and develop, but it also faced increasingly severe security challenges. According to data platform monitoring, as of now, the total losses in the Web3 field due to hacker attacks, scams, and project operators absconding have reached as high as $2.491 billion.

These events not only exposed vulnerabilities in technical aspects such as private key management and smart contracts but also highlighted potential risks in social engineering and internal management. This article will review the top ten security incidents in Web3 for 2024, for the industry to learn from and better respond to future security threats.

Review of the Top Ten Most Influential Attack Events in Web3 for 2024

1. DMM Bitcoin Incident

Loss Amount: 304 million USD
Attack Method: Private Key Leakage

On May 31, 2024, DMM Bitcoin, a well-known cryptocurrency exchange in Japan, suffered a major attack. Hackers used leaked private keys to directly transfer over $300 million worth of Bitcoin and quickly dispersed the stolen funds to more than 10 different addresses. This incident exposed serious flaws in the exchange's private key management and multi-layer security protections.

Despite the exchange's efforts to track the hackers through on-chain monitoring and freezing funds, the stolen Bitcoin has been dispersed and laundered through mixing tools, significantly increasing the difficulty of tracking. On December 24, Japanese police confirmed that the incident was carried out by the North Korean hacking group Lazarus Group.

2. PlayDapp Attack Incident

Loss Amount: 290 million USD
Attack Method: Private Key Leakage

On February 9, 2024, PlayDapp suffered a heavy blow. After stealing private keys, hackers minted 2 billion PLA tokens, initially valued at $36.5 million. When negotiations between the project team and the hackers failed, the hackers minted a further 15.9 billion PLA tokens, valued at $253.9 million. After some tokens flowed into trading platforms, PlayDapp was forced to suspend the PLA contract and migrate to the PDA token contract. This incident highlights the inadequacies of blockchain projects in private key protection and emergency response.

3. WazirX Multi-Signature Wallet Attacked

Loss Amount: 235 million USD
Attack Method: Network Attacks and Phishing

On July 18, 2024, the Safe Wallet multi-signature wallet of WazirX, India's largest cryptocurrency exchange, was subjected to a targeted attack. The attackers used social engineering tactics to induce the multi-signature signers to sign a contract upgrade transaction, and subsequently exploited the upgraded contract permissions to transfer all assets from the wallet. This incident highlights the potential risks of multi-signature wallets in terms of permission configuration and operational transparency, and has sparked an in-depth reflection within the industry on internal risk control and security mechanisms.

4. Gala Games Token Issuance Event

Loss Amount: 216 million USD
Attack Method: Access Control Vulnerability

On May 20, 2024, a privileged address of Gala Games was hacked. The attacker minted 5 billion GALA tokens at once by calling the mint function of the token contract. Subsequently, the hacker exchanged these tokens for ETH in batches, directly causing a loss of $216 million. The Gala Games team urgently activated the blacklist function to block some hacker accounts after the incident and recovered the losses through legal means.

5. Ripple Co-founder's Personal Wallets Stolen

Loss Amount: $112 million
Attack Method: Private Key Leakage

On January 31, 2024, four personal wallets of Ripple co-founder Chris Larsen were hacked, resulting in the theft of $112 million worth of XRP. These wallets were targeted due to a lack of dual protection from hardware devices. After the incident, a certain trading platform successfully froze $4.2 million worth of XRP and assisted Larsen in tracking the stolen assets, but most of the funds have been laundered through decentralized exchanges and mixing services.

6. Munchables Internal Penetration Attack

Loss Amount: 62.5 million USD
Attack Method: Social Engineering Attack

On March 26, 2024, the Web3 gaming platform Munchables, based on Blast, suffered a rare internal infiltration attack. The attackers were North Korean hackers disguised as blockchain developers, who had obtained core code and sensitive keys through long-term infiltration. Despite causing massive losses, under pressure from the community and the team, the hackers ultimately returned all the stolen funds. This incident highlights the importance of supply chain security, especially for blockchain projects that rely on third-party development.

7. BtcTurk Private Key Leakage Incident

Loss Amount: 55 million USD
Attack Method: Private Key Leakage

On June 22, 2024, Turkey's largest cryptocurrency exchange BtcTurk suffered a private key leakage attack, resulting in losses exceeding $55 million in crypto assets. With the assistance of a certain trading platform, $5.3 million of the stolen funds were successfully frozen, but other assets have yet to be recovered. This incident has deepened market concerns about the private key management of centralized exchanges.

8. Radiant Capital Multisig Wallet Breached

Loss Amount: $53 million
Attack Method: Private Key Leakage

On October 17, 2024, the multi-signature wallet of Radiant Capital was hacked. Due to the low-threshold 3/11 signature verification model, the hacker initiated an off-chain signature by gaining access to the private keys of 3 signers, transferring the ownership of the wallet contract to a malicious address, ultimately resulting in the theft of $53 million. This attack has triggered industry reflection on the design and governance mechanisms of multi-signature wallets.

It is worth noting that Radiant Capital had already lost $4.5 million due to a contract vulnerability before this attack, with over 1,900 ETH stolen. This reflects that Web3 projects still need to improve their focus on security.
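The trade-off behind a low threshold such as 3/11 can be quantified. The following is an added example, not part of the original article: it assumes each signer key is compromised (or each signer is unavailable) independently with the same probability, and the function names and probabilities are illustrative.

```python
from math import comb


def p_at_least(k: int, n: int, p: float) -> float:
    """P(at least k of n independent events occur), each with probability p."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def takeover_risk(threshold: int, signers: int, p_key: float) -> float:
    """An attacker controls the wallet once `threshold` keys are compromised."""
    return p_at_least(threshold, signers, p_key)


def lockout_risk(threshold: int, signers: int, p_unavailable: float) -> float:
    """The wallet is stuck when fewer than `threshold` signers can sign,
    i.e. when at least (signers - threshold + 1) signers are unavailable."""
    return p_at_least(signers - threshold + 1, signers, p_unavailable)


def compare(configs, p_key: float, p_unavailable: float):
    """Return one row per (threshold, signers) configuration."""
    return [
        {
            "config": f"{k}/{n}",
            "takeover": takeover_risk(k, n, p_key),
            "lockout": lockout_risk(k, n, p_unavailable),
        }
        for k, n in configs
    ]


if __name__ == "__main__":
    # Constructed inputs: 5% chance a given key is compromised,
    # 10% chance a given signer is unreachable when a signature is needed.
    for row in compare([(3, 5), (3, 11), (6, 11), (8, 11)], 0.05, 0.10):
        print(f"{row['config']:>5}  takeover={row['takeover']:.6f}  "
              f"lockout={row['lockout']:.6f}")
```

Adding signers without raising the threshold widens the attack surface: under these assumptions 3/11 is roughly an order of magnitude easier to take over than 3/5, while raising the threshold to 6/11 or 8/11 trades that risk against a higher chance of being unable to sign.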

9. Hedgey Finance Contract Vulnerability Attack

Loss Amount: 44.7 million USD
Attack Method: Contract Vulnerability

On April 19, 2024, Hedgey Finance suffered an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in its ClaimCampaigns contract, successfully extracting tokens from both the Ethereum and Arbitrum chains, resulting in a total loss of $44.7 million. This incident highlights the importance of code audits, particularly the rigorous verification of token approval logic.

10. BingX Exchange Hot Wallet Hacked

Loss Amount: 44.7 million USD
Attack Method: Private Key Leakage

On September 19, 2024, the hot wallet of BingX exchange was hacked, involving multiple public chains such as Ethereum, BNB Chain, and Tron. Despite the exchange quickly initiating asset transfer and withdrawal freeze mechanisms, the hacker still successfully extracted assets valued at 44.7 million USD. This attack reflects the high risk of managing hot wallets in centralized exchanges and pushes the industry to explore safer asset storage solutions.

Security incidents were frequent in 2024, a reminder that the development of the blockchain industry is inseparable from security guarantees. From private key leaks to contract vulnerabilities, from internal management oversights to upgraded external attack methods, each incident brings profound lessons. To cope with increasingly complex attack threats, all parties in the industry need to continuously strengthen investment in technology research and development, management norms, and risk prevention. In the future, we look forward to jointly building a safer blockchain ecosystem through industry collaboration and technological innovation, providing users and investors with more reliable protection.

Comment
TommyTeachervip
· 3h ago
The loss is a bit too much.
RektRecordervip
· 07-27 22:33
Safety is always the biggest loss.
SellTheBouncevip
· 07-27 22:23
It's so tragic, suckers' blood and tears.