Top 10 Web3 Security Incidents of 2024: Nearly $2.5 Billion Lost, DMM Bitcoin Faces $300 Million Hacker Attack

Top 10 Security Incidents in the Web3 Space in 2024

In 2024, while the blockchain industry is innovating technologically and expanding its ecosystem, it is also facing increasingly severe security challenges. According to data from a certain security monitoring platform, as of now, the total losses in the Web3 field in 2024 due to hacker attacks, phishing scams, and project parties absconding have reached as high as $2.491 billion.

These events not only exposed technical flaws in areas such as private key management and smart contracts, but also highlighted the risks of social engineering and weak internal management. This article reviews the top ten Web3 security incidents of 2024, to draw lessons that can inform future responses to security threats.

Top 10 Most Influential Web3 Attack Events of 2024

1. DMM Bitcoin

Loss Amount: $304 million
Attack Method: Private Key Leakage

On May 31, 2024, the well-known Japanese cryptocurrency exchange DMM Bitcoin suffered a major attack. Hackers used leaked private keys to directly transfer over $300 million worth of Bitcoin and quickly dispersed the stolen funds to more than 10 different addresses. This incident exposed serious vulnerabilities in the exchange's private key management and multi-layer security measures. Although the exchange attempted to track the hackers through on-chain monitoring and freezing of funds, the tracking efforts faced significant challenges due to the dispersed transfer of the stolen Bitcoin and its laundering through mixing tools.

It is worth noting that on December 24, Japanese law enforcement confirmed that this attack was carried out by an international hacking organization.

2. PlayDapp

Loss Amount: $290 million
Attack Method: Private Key Leakage

On February 9, 2024, PlayDapp suffered a heavy blow. Using stolen private keys, hackers minted 2 billion PLA tokens with an initial value of 36.5 million USD. After negotiations with the hackers failed, the hackers minted another 15.9 billion PLA tokens, worth 253.9 million USD. After some of the stolen tokens flowed into a trading platform, PlayDapp was forced to suspend the PLA contract and migrate to a new PDA token contract. This incident highlights the shortcomings of blockchain projects in private key protection and emergency response.

3. A certain Indian cryptocurrency exchange

Loss Amount: $235 million
Attack Methods: Cyber Attacks and Phishing

On July 18, 2024, the Safe Wallet multi-signature wallet of India's largest cryptocurrency exchange was subjected to a targeted attack. The attackers used social engineering techniques to induce multi-signature signers to sign a contract upgrade transaction, and then utilized the upgraded contract's permissions to transfer all assets from the wallet. This incident highlights the potential risks of multi-signature wallets in terms of permission configuration and operational transparency, and has sparked deep reflections within the industry on internal risk control and security mechanisms.

4. Gala Games

Loss Amount: $216 million
Attack Method: Access Control Vulnerability

On May 20, 2024, a privileged address of Gala Games was hacked. The attacker called the mint function in the token contract to mint 5 billion GALA tokens at once. Subsequently, the hacker exchanged these newly minted tokens for ETH in batches, directly resulting in a loss of $216 million. The Gala Games team quickly enabled the blacklist feature to block some hacker accounts after the incident and recovered part of the losses through legal means.

5. Co-founder of a cryptocurrency company

Loss Amount: $112 million
Attack Method: Private Key Leakage

On January 31, 2024, four personal wallets of a co-founder of a well-known cryptocurrency company were hacked, resulting in the theft of $112 million worth of XRP. The wallets were targeted because they lacked the dual protection of hardware devices. After the incident, a major trading platform successfully froze $4.2 million worth of XRP and assisted in tracking the stolen assets, but most of the funds had already been laundered through decentralized exchanges and mixing services.

6. Munchables

Loss Amount: 62.5 million USD
Attack Method: Social Engineering Attack

On March 26, 2024, the Web3 gaming platform Munchables, based on Blast, suffered a rare internal penetration attack. The attacker disguised himself as a blockchain developer and gained access to core code and sensitive keys through long-term infiltration. Despite the attack causing significant losses, under pressure from the community and the team, the hacker ultimately returned all stolen funds. This incident highlights the importance of supply chain security, especially for blockchain projects relying on third-party development.

7. A certain cryptocurrency exchange in Turkey

Loss Amount: 55 million USD
Attack Method: Private Key Leakage

On June 22, 2024, Turkey's largest cryptocurrency exchange suffered a private key leak attack, resulting in a loss of over $55 million in cryptocurrency assets. With the assistance of a major trading platform, $5.3 million of the stolen funds was successfully frozen, but other assets have yet to be recovered. This incident has heightened market concerns about the private key management of centralized exchanges.

8. Radiant Capital

Loss Amount: 53 million USD
Attack Method: Private Key Leakage

On October 17, 2024, the multi-signature wallet of Radiant Capital was compromised by hackers. Because the wallet used a low-threshold 3/11 signature verification model, the hackers, having gained control of the private keys of 3 signers, were able to initiate an off-chain signature and transfer the ownership of the wallet contract to a malicious address, ultimately resulting in the theft of $53 million. This attack has sparked industry reflection on the design and governance mechanisms of multi-signature wallets.

It is worth noting that Radiant Capital previously lost $4.5 million due to a contract vulnerability, with over 1,900 ETH stolen. This once again highlights the need for Web3 projects to place greater emphasis on security.
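
The two multi-signature incidents above (signers induced to approve a contract upgrade in item 3, and a 3/11 threshold used to transfer wallet ownership in item 8) both turn on what signers approve and how many must approve it. The following is an added example, not code from the article or from any project it names: a pre-signing policy check in Python. The transaction fields follow the Safe layout (`to`, `value`, `data`, `operation`); the function name, the majority-quorum policy, the allowlist and all sample addresses are assumptions constructed for illustration.

```python
# Added example: pre-signing review of a multisig transaction (defensive check).
# 4-byte selectors of calls that change who controls a contract.
SENSITIVE_SELECTORS = {
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
    "f2fde38b": "transferOwnership(address)",
}
DELEGATECALL = 1  # Safe operation enum: 0 = Call, 1 = DelegateCall


def review_multisig_tx(tx, owners, threshold, allowlist=frozenset()):
    """Return findings a signer should resolve before approving tx."""
    findings = []
    data = tx.get("data", "0x").lower()
    if data.startswith("0x"):
        data = data[2:]
    selector = data[:8]
    target = tx["to"].lower()

    if tx.get("operation", 0) == DELEGATECALL:
        findings.append("delegatecall: target code runs with the wallet's own storage")
    if selector in SENSITIVE_SELECTORS:
        findings.append("control change: " + SENSITIVE_SELECTORS[selector])
    if target not in allowlist:
        findings.append("target " + target + " is not on the reviewed allowlist")
    # Assumed policy: approvals must come from a strict majority of owners.
    if threshold * 2 <= len(owners):
        findings.append("weak quorum: %d-of-%d is below a majority"
                        % (threshold, len(owners)))
    return findings


# Constructed sample data (not taken from any real incident).
SAMPLE_OWNERS = ["0x%040x" % i for i in range(1, 12)]   # 11 owners
KNOWN_TOKEN = "0x" + "11" * 20
OWNERSHIP_TX = {  # transferOwnership(address) sent to an unreviewed contract
    "to": "0x" + "ab" * 20, "value": 0, "operation": 0,
    "data": "0xf2fde38b" + "00" * 12 + "cd" * 20,
}
PAYMENT_TX = {    # plain ERC-20 transfer(address,uint256) to a reviewed token
    "to": KNOWN_TOKEN, "value": 0, "operation": 0,
    "data": "0xa9059cbb" + "00" * 12 + "ef" * 20 + "%064x" % 1000,
}

if __name__ == "__main__":
    for finding in review_multisig_tx(OWNERSHIP_TX, SAMPLE_OWNERS, 3):
        print("REVIEW:", finding)
```

Run as a script, it prints the findings for the constructed ownership-transfer transaction under a 3-of-11 quorum; the constructed payment under a 6-of-11 quorum with the token allowlisted produces none.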

9. Hedgey Finance

Loss Amount: 44.7 million USD
Attack Method: Contract Vulnerability

On April 19, 2024, Hedgey Finance suffered an attack targeting multiple on-chain contracts. Hackers exploited a vulnerability in its ClaimCampaigns contract, successfully extracting tokens from both the Ethereum and Arbitrum chains, with total losses amounting to $44.7 million. This incident once again emphasizes the importance of code auditing, particularly the rigorous validation of token approval logic.

10. A Cryptocurrency Trading Platform

Loss Amount: 44.7 million USD
Attack Method: Private Key Leakage

On September 19, 2024, the hot wallet of a well-known cryptocurrency exchange was hacked, affecting multiple public chains such as Ethereum, BNB Chain, and Tron. Although the exchange quickly activated asset transfer and withdrawal freeze mechanisms, the hacker successfully extracted assets worth $44.7 million. This attack once again highlights the high-risk nature of hot wallet management in centralized exchanges and further drives the industry to explore more secure asset storage solutions.

The frequent security incidents of 2024 remind us once again that the development of the blockchain industry cannot be separated from security. From private key leaks to contract vulnerabilities, from internal management oversights to the escalation of external attack methods, each incident has brought profound lessons. To cope with increasingly complex attack threats, all parties in the industry need to keep strengthening their investment in technological research and development, management norms, and risk prevention. In the future, we look forward to collaboratively building a more secure blockchain ecosystem through industry cooperation and technological innovation, providing more reliable protection for users and investors.

RadioShackKnightvip
· 08-17 17:33
Another year of Be Played for Suckers Conference
PerennialLeekvip
· 08-17 09:28
It's that time of year again for playing people for suckers. It hurts to watch every time~
MondayYoloFridayCryvip
· 08-16 11:48
No money to play with again.
TommyTeacher1vip
· 08-15 15:22
2.5 billion USD is gone, who is responsible?
MevHuntervip
· 08-14 18:20
Another private key leak? Foolish people have too much money.
FudVaccinatorvip
· 08-14 18:19
Sigh, the crypto world plays people for suckers once a year.
NFTRegrettervip
· 08-14 18:13
It’s getting darker and more losing, more exciting year by year.
defi_detectivevip
· 08-14 18:12
It's simply outrageous, it's turned into a Be Played for Suckers competition again.
GasFeeCryervip
· 08-14 18:08
Security? Laugh to death, whoever sees whoever loses.