Top 10 Security Incidents in Web3: Hacker Attacks Resulted in $2.491 Billion Losses in 2024
2024 Web3 Security Incident Review: Analysis of the Top Ten Attack Cases
In 2024, the blockchain industry saw technological innovation and ecosystem expansion, but it also faced increasingly severe security challenges. According to data from a security monitoring platform, by the end of the year, the total losses in the Web3 space due to hacker attacks, phishing scams, and project developers absconding amounted to as much as $2.491 billion.
These events not only exposed technical flaws such as weak private key management and smart contract vulnerabilities, but also highlighted the risks posed by social engineering and internal management. This article reviews the top 10 Web3 security incidents of 2024 and draws lessons from them as a reference for the industry's future security work.
1. DMM Bitcoin Incident
Loss amount: 304 million USD
Attack method: Private key leakage
On May 31, 2024, the renowned Japanese cryptocurrency exchange DMM Bitcoin suffered a major security incident. Attackers used leaked private keys to directly transfer over $300 million worth of Bitcoin and quickly dispersed the stolen funds to more than 10 different addresses. This attack exposed serious vulnerabilities in the exchange's private key management and multi-layer security protections.
Although the exchange tried to track the hacker through on-chain monitoring and to freeze funds, recovery faced significant challenges because the stolen bitcoins were quickly dispersed and laundered using mixing tools. By the end of the year, local law enforcement identified that the attack was carried out by an international hacker group.
2. PlayDapp Encounters Token Abuse
Loss amount: $290 million
Attack method: Private key leakage
On February 9, 2024, the PlayDapp project suffered a serious blow. After obtaining the private key, hackers illegally minted 2 billion PLA tokens, with an initial value of $36.5 million. After negotiations between the project team and the hackers failed, the attackers minted a further 15.9 billion PLA tokens in a short period, with a value of $253.9 million. After some tokens flowed into exchanges, PlayDapp was forced to suspend the PLA contract and migrate to a new token contract. This incident highlights the shortcomings of blockchain projects in private key protection and emergency response.
3. An Indian Exchange Suffers a Targeted Attack
Loss amount: $235 million
Attack methods: Network attacks and phishing
On July 18, 2024, a large cryptocurrency exchange in India was hit by a targeted attack on its multi-signature wallet. The attackers used social engineering techniques to induce the multi-signature signers to approve a contract upgrade transaction, and then exploited the upgraded contract's permissions to transfer all assets from the wallet. This incident revealed risks in the permission configuration and operational transparency of multi-signature wallets, and prompted in-depth reflection within the industry on projects' internal risk control mechanisms.
4. Gala Games Token Contract Vulnerability
Loss amount: 216 million USD
Attack method: Access control vulnerability
On May 20, 2024, a privileged address of Gala Games was hacked. The attacker called the mint function in the token contract and minted 5 billion GALA tokens at once. Subsequently, these illegally minted tokens were exchanged for ETH in batches, resulting in a direct loss of $216 million. The Gala Games team urgently activated the blacklist function to block some hacker accounts after the incident and recovered part of the loss through legal means.
5. Personal Wallets of a Well-Known Cryptocurrency Founder Hacked
Loss amount: 112 million USD
Attack method: Private key leakage
On January 31, 2024, four personal wallets of a co-founder of a well-known cryptocurrency project were hacked, resulting in the theft of $112 million in cryptocurrency. These wallets were targeted due to the lack of dual protection with hardware devices. After the incident, a major exchange successfully froze $4.2 million of the stolen assets and assisted in tracking the remaining funds, but most of the funds had already been laundered through decentralized exchanges and mixing services.
6. Munchables Encounter Internal Penetration
Loss amount: $62.5 million
Attack method: Social engineering attack
On March 26, 2024, the Web3 gaming platform Munchables, based on Blast, experienced a rare internal penetration attack. The attacker posed as a blockchain developer and gained access to core code and sensitive keys through long-term infiltration. Although the attack caused significant losses, the hacker ultimately returned all the stolen funds under pressure from the community and the team. This incident highlights the importance of supply chain security, especially for blockchain projects that rely on third-party development.
7. Private Key Leak of a Certain Turkish Exchange
Loss amount: 55 million USD
Attack method: Private key leakage
On June 22, 2024, a large cryptocurrency exchange in Turkey suffered a private key leak attack, resulting in a loss of over $55 million in crypto assets. With the assistance of an international exchange, approximately $5.3 million of the stolen funds were successfully frozen, but the remaining assets have not yet been recovered. This incident has intensified concerns in the market regarding the private key management capabilities of centralized exchanges.
8. Radiant Capital Multisignature Wallet Breached
Loss amount: 53 million USD
Attack method: Private key leakage
On October 17, 2024, the multi-signature wallet of Radiant Capital was hacked. Because the wallet used a low 3/11 signature threshold, the hacker needed the private keys of only 3 signers to produce off-chain signatures and transfer ownership of the wallet contract to a malicious address, ultimately resulting in the theft of $53 million. This attack has sparked industry reflection on the design and governance mechanisms of multi-signature wallets.
It is worth noting that Radiant Capital previously lost 4.5 million dollars due to a contract vulnerability, with over 1900 ETH stolen. This once again highlights that Web3 project teams still need to place greater emphasis on security.
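Incidents 3 and 8 both ended with multi-signature signers authorizing a privileged change (a contract upgrade, an ownership transfer). The following pre-signing check is an added example, not code from this article or from any of the projects named; the selectors are the standard 4-byte IDs of common OpenZeppelin-style functions, and the majority-threshold policy, function names, and sample calldata are assumptions made for illustration.

```python
# Added example with constructed data. The selectors are the standard 4-byte
# IDs of common OpenZeppelin-style functions (an assumption for illustration;
# the page does not say which functions were called in either incident).
HIGH_RISK_SELECTORS = {
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
}


def first_address_arg(data: str) -> str:
    """First ABI argument as an address: the low 20 bytes of the first word."""
    word = data[8:72]
    if len(word) < 64:
        raise ValueError("calldata too short to hold an address argument")
    return "0x" + word[24:]


def review_before_signing(calldata_hex, approved_targets, threshold, owners):
    """Return findings a signer must resolve before approving (empty = none)."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    findings = []
    # Hypothetical policy: require a strict majority of owners to sign.
    if threshold * 2 <= owners:
        findings.append(f"threshold {threshold}/{owners} is below a majority")
    if len(data) < 8:
        findings.append("no function selector: cannot tell what is being signed")
        return findings
    name = HIGH_RISK_SELECTORS.get(data[:8])
    if name:
        findings.append(f"privileged call: {name}")
        try:
            target = first_address_arg(data)
        except ValueError as exc:
            findings.append(str(exc))
        else:
            if target not in {a.lower() for a in approved_targets}:
                findings.append(f"new owner/implementation {target} is not pre-approved")
    return findings


if __name__ == "__main__":
    # Constructed calldata: transferOwnership(0xabab...ab)
    sample = "0xf2fde38b" + "00" * 12 + "ab" * 20
    for finding in review_before_signing(sample, [], threshold=3, owners=11):
        print("-", finding)
```
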
9. Hedgey Finance Contract Vulnerability Exploited
Loss amount: 44.7 million dollars
Attack method: Contract vulnerability
On April 19, 2024, Hedgey Finance suffered an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in its ClaimCampaigns contract to successfully extract tokens from both the Ethereum and Arbitrum chains, with total losses reaching $44.7 million. This incident highlights the importance of code audits, particularly the rigorous verification of token approval logic.
10. Intrusion into the Hot Wallet of a Certain International Exchange
Loss amount: 44.7 million USD
Attack method: Private key leakage
On September 19, 2024, the hot wallet of an internationally renowned exchange was hacked, involving multiple public chains such as Ethereum, BNB Chain, and Tron. Although the exchange quickly activated asset transfer and withdrawal freezing mechanisms, the hackers still managed to extract assets worth $44.7 million. This attack once again highlights the high risks associated with the management of hot wallets in centralized exchanges, prompting the industry to explore safer asset storage solutions.
Conclusion
The frequent security incidents in 2024 remind us once again that the healthy development of the blockchain industry relies on security guarantees. From private key management to contract vulnerabilities, from internal governance to the upgrading of external attack methods, each incident has sounded the alarm for the industry. In the face of increasingly complex security threats, the industry needs to continuously strengthen investment in technology research and development, management standards, and risk prevention and control. In the future, we look forward to collaboratively building a more secure and reliable blockchain ecosystem through industry cooperation and technological innovation, providing stronger protection for users and investors.