Top 10 Security Incidents in the Web3 Field in 2024

In 2024, while the blockchain industry experiences technological innovation and ecological expansion, it also faces increasingly severe security challenges. According to data from security monitoring platforms, by the end of the year, the total losses in the Web3 space due to hacker attacks, phishing scams, and project team absconding reached as high as $2.491 billion.

These events not only expose technical flaws such as private key management and smart contract vulnerabilities but also highlight the potential risks of social engineering and internal management. This article will review the top ten security incidents in Web3 for 2024, allowing the industry to learn lessons and better respond to future security threats.

1. DMM Bitcoin Incident

Loss amount: 304 million USD Attack Method: Private Key Leakage

On May 31, 2024, DMM Bitcoin, a well-known cryptocurrency exchange in Japan, suffered a significant attack. The attackers used leaked private keys to directly transfer over $300 million worth of Bitcoin and quickly dispersed the stolen funds to more than 10 different addresses. This incident exposed serious vulnerabilities in the exchange’s private key management and multi-layer security protections. Although the exchange tracked the hackers through on-chain monitoring and freezing of funds, the tracking efforts faced enormous challenges due to the dispersed transfer of the stolen Bitcoin and the use of mixing tools to launder the funds.

At the end of the year, Japanese police confirmed that the theft was orchestrated by a North Korean hacker group.

2. PlayDapp Suffers Heavy Losses

Loss amount: $290 million Attack method: Private key leakage

On February 9, 2024, PlayDapp suffered a severe blow. Hackers minted 2 billion PLA tokens by stealing private keys, initially valued at $36.5 million. After negotiations between the project team and the hackers failed, the hackers subsequently minted 15.9 billion PLA tokens, valued at $253.9 million. After some of the stolen tokens flowed into exchanges, PlayDapp was forced to suspend the PLA contract and migrate to a new PDA token contract. This incident highlights the shortcomings of blockchain projects in private key protection and emergency response.

3. WazirX Multi-Signature Wallet Attacked

Loss amount: $235 million Attack Methods: Cyber Attacks and Phishing

On July 18, 2024, WazirX, India’s largest cryptocurrency exchange, experienced a targeted attack on its Safe Wallet multi-signature wallet. The attackers used social engineering techniques to lure the multi-signature signers into signing a contract upgrade transaction, and then exploited the upgraded contract permissions to transfer all assets from the wallet. This incident highlights the potential risks of multi-signature wallets in terms of permission management and operational transparency, and has sparked in-depth reflection within the industry on internal risk control mechanisms.

4. Gala Games Contract Vulnerability Exploited

Loss Amount: $216 million Attack method: Access control vulnerability

On May 20, 2024, a privileged address of Gala Games was hacked. The attacker called the mint function of the token contract and minted 5 billion GALA tokens in one go. Subsequently, the hacker exchanged the minted tokens for ETH in batches, directly leading to a loss of $216 million. The Gala Games team urgently activated the blacklist feature to block some hacker accounts after the incident and recovered part of the losses through legal means.

5. Ripple co-founder suffers hacker attack

Loss amount: $112 million Attack Method: Private Key Leakage

On January 31, 2024, four personal wallets of Ripple co-founder Chris Larsen were hacked, resulting in the theft of $112 million worth of XRP. These wallets were targeted due to the lack of dual protection from hardware devices. After the incident, a trading platform successfully froze $4.2 million worth of XRP and assisted in tracing the stolen assets, but most of the funds have been laundered through decentralized exchanges and mixing services.

6. Munchables Encounters Internal Infiltration

Loss Amount: 62.5 million USD Attack method: Social engineering attack

On March 26, 2024, the Web3 gaming platform Munchables, based on Blast, experienced a rare internal penetration attack. The attacker disguised as a blockchain developer and obtained core code and sensitive keys through long-term infiltration. Despite causing significant losses, under pressure from the community and the team, the hacker eventually returned all the stolen funds. This incident highlights the importance of supply chain security, especially for blockchain projects that rely on third-party development.

7. BtcTurk Private Key Leak Incident

Loss Amount: 55 million USD Attack method: Private key leakage

On June 22, 2024, BtcTurk, Turkey’s largest cryptocurrency exchange, suffered a private key leak attack, resulting in a loss of over $55 million in cryptocurrency assets. With the assistance of a certain trading platform, $5.3 million of the stolen funds was successfully frozen, but other assets remain unrecovered. This incident has deepened market concerns regarding the private key management of centralized exchanges.

8. Radiant Capital Multi-Sig Wallet Hacked

Loss amount: 53 million USD Attack Method: Private Key Leakage

On October 17, 2024, Radiant Capital’s multi-signature wallet was hacked. Due to the low-threshold 3/11 signature verification model, the hacker initiated an off-chain signature by obtaining the private keys of 3 signers, transferring the ownership of the wallet contract to a malicious address, ultimately resulting in the theft of $53 million. This attack has sparked industry reflection on the design and governance mechanisms of multi-signature wallets.

It is noteworthy that Radiant Capital lost 4.5 million dollars due to a contract vulnerability before this attack, with over 1900 ETH stolen. This once again highlights that Web3 project teams still have room for improvement in their emphasis on security.

9. Hedgey Finance Contract Vulnerability Exploited

Loss amount: 44.7 million USD Attack method: contract vulnerability

On April 19, 2024, Hedgey Finance suffered an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in its ClaimCampaigns contract to successfully extract tokens from both the Ethereum and Arbitrum chains, totaling a loss of $44.7 million. This incident highlights the importance of code auditing, particularly the rigorous verification of token approval logic.

10. BingX Exchange Hot Wallet Hacked

Loss amount: 44.7 million USD Attack Method: Private Key Leakage

On September 19, 2024, the hot wallet of BingX exchange was hacked, involving multiple public chains such as Ethereum, BNB Chain, and Tron. Although the exchange quickly initiated asset transfer and withdrawal freeze mechanisms, the hackers still successfully extracted assets worth $44.7 million. This attack once again highlights the high risk of centralized exchange hot wallet management and drives the industry to explore safer asset storage solutions.

The frequent security incidents in 2024 serve as a reminder that the development of the blockchain industry is inseparable from security guarantees. From private key leaks to contract vulnerabilities, from internal management oversights to the escalation of external attack methods, each incident brings profound lessons. To cope with increasingly complex attack threats, all parties in the industry need to continuously strengthen investment in technological research and development, management norms, and risk prevention. In the future, we hope to jointly build a more secure blockchain ecosystem through industry collaboration and technological innovation, providing users and investors with more reliable protection.