Top 10 Security Incidents in Web3 in 2024: Losses Reach $2.491 Billion

Top 10 Security Incidents in the Web3 Industry of 2024

With the continuous innovation of blockchain technology and the expansion of the ecosystem, the Web3 industry faced increasingly severe security challenges in 2024. According to data platform monitoring, by the end of the year the total losses in the Web3 sector due to hacker attacks, phishing scams, and project team exit scams had reached $2.491 billion. These incidents not only exposed technical flaws in areas such as private key management and smart contracts but also highlighted the significance of social engineering attacks and internal management risks.

This article reviews the ten most influential security events in the Web3 field in 2024, so that the industry can learn from them and better respond to future security threats.

Review of the Top 10 Most Influential Attack Events in Web3 for 2024

1. DMM Bitcoin: Private key leak resulted in a loss of $304 million

On May 31, 2024, the well-known Japanese cryptocurrency exchange DMM Bitcoin experienced a significant security incident. Attackers used leaked private keys to directly transfer over $300 million worth of Bitcoin and quickly dispersed the stolen funds to more than 10 different addresses. This incident exposed serious vulnerabilities in the exchange's private key management and multi-layer security protections.

Despite the exchange's attempts to track the hacker through on-chain monitoring and to freeze the funds, the recovery efforts faced significant challenges because the stolen Bitcoin was quickly dispersed and laundered through mixing tools. By the end of the year, Japanese police confirmed that the incident was carried out by the North Korean hacker group Lazarus Group.

2. PlayDapp: $290 million loss due to private key leak

On February 9, 2024, PlayDapp suffered a severe attack. Using stolen private keys, hackers minted 2 billion PLA tokens, initially valued at $36.5 million. After negotiations with the project team failed, the hackers minted another 15.9 billion PLA tokens, valued at $253.9 million. After some of the stolen tokens flowed into trading platforms, PlayDapp was forced to suspend the PLA contract and migrate to a new PDA token contract. This incident highlights significant flaws in blockchain projects regarding private key protection and emergency handling.

3. WazirX: Network Attacks and Phishing Caused $235 Million in Losses

On July 18, 2024, the Safe Wallet multi-signature wallet of India's largest cryptocurrency exchange, WazirX, was subjected to a targeted attack. The attackers used social engineering techniques to induce multi-signature signers to approve a contract upgrade transaction, then exploited the upgraded contract permissions to transfer all assets from the wallet. This incident revealed the potential risks of multi-signature wallets in managing permission configurations and operational transparency, while also prompting the industry to deeply reflect on internal risk control and security mechanisms.

4. Gala Games: Access Control Vulnerability Leads to $216 Million Loss

On May 20, 2024, a privileged address of Gala Games was hacked. The attacker minted 5 billion GALA tokens all at once by calling the mint function of the token contract. Subsequently, these newly minted tokens were exchanged in batches for ETH, resulting in a direct loss of $216 million. The Gala Games team urgently activated the blacklist feature to block some hacker accounts after the incident and recovered part of the losses through legal means.

5. Ripple co-founder Chris Larsen: Private key leak caused $112 million loss

On January 31, 2024, four personal wallets of Ripple co-founder Chris Larsen were hacked, resulting in the theft of $112 million worth of XRP. These wallets were targeted due to the lack of dual protection from hardware devices. After the incident, a trading platform successfully froze $4.2 million worth of XRP and assisted Larsen in tracking the stolen assets, but most of the funds had already been laundered through decentralized exchanges and mixing services.


6. Munchables: Social engineering attacks caused a loss of $62.5 million

On March 26, 2024, the Blast-based Web3 gaming platform Munchables experienced a rare internal penetration attack. The attacker was a hacker disguised as a blockchain developer who had long been lurking to obtain the core code and sensitive keys. Although the attack resulted in significant losses, under pressure from the community and the team, the hacker ultimately returned all the stolen funds. This incident highlights the importance of supply chain security, especially for blockchain projects that rely on third-party development.

7. BtcTurk: Private Key Leak Leads to $55 Million Loss

On June 22, 2024, BtcTurk, Turkey's largest cryptocurrency exchange, suffered a private key leak attack, resulting in a loss of over $55 million in crypto assets. With the assistance of a certain trading platform team, $5.3 million of the stolen funds was successfully frozen, but other assets have yet to be recovered. This incident has deepened market concerns about the private key management of centralized exchanges.

8. Radiant Capital: Private Key Leak Causes $53 Million Loss

On October 17, 2024, Radiant Capital's multi-signature wallet was hacked. Because the wallet used a low-threshold 3/11 signature verification model, the hacker, having gained control of the private keys of 3 signers, was able to initiate an off-chain signature and transfer the ownership of the wallet contract to a malicious address, ultimately resulting in the theft of $53 million. This attack has sparked industry reflection on the design and governance mechanisms of multi-signature wallets.

It is worth noting that Radiant Capital lost $4.5 million due to a contract vulnerability before this attack, with over 1,900 ETH stolen. This further emphasizes the importance of Web3 projects raising security awareness.
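
The WazirX and Radiant Capital incidents above both ended with signers approving a transaction that changed who controls a contract. The following pre-signing check is an added example, not code from either project: the transaction fields follow the Safe transaction layout (to, data, operation), while the addresses, the 50% threshold policy and the sample transactions are constructed assumptions.

```python
# Added example: pre-signing policy check for a multi-signature wallet.
# Addresses, policy values and sample transactions below are constructed.

CALL, DELEGATECALL = 0, 1

# 4-byte selectors of calls that change who controls a contract.
SENSITIVE_SELECTORS = {
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
}

def review_transaction(tx, known_targets):
    """Return the reasons a signer should stop and verify out of band."""
    findings = []
    target = tx["to"].lower()
    data = tx.get("data", "0x").lower()
    if data.startswith("0x"):
        data = data[2:]
    if tx.get("operation", CALL) == DELEGATECALL:
        findings.append("delegatecall: target code runs with the wallet's storage")
    if target not in known_targets:
        findings.append(f"unknown target {target}")
    name = SENSITIVE_SELECTORS.get(data[:8])
    if name:
        findings.append(f"control-changing call {name}")
    return findings

def review_threshold(threshold, owners, min_ratio=0.5):
    """Flag a signer threshold below min_ratio of the owner set (assumed policy)."""
    if threshold / owners < min_ratio:
        return [f"{threshold}/{owners} threshold: {threshold} compromised keys suffice"]
    return []

# Constructed sample data: one routine token transfer, one ownership change.
KNOWN = {"0x" + "aa" * 20}
ROUTINE = {"to": "0x" + "aa" * 20, "operation": CALL,
           "data": "0xa9059cbb" + "00" * 64}  # transfer(address,uint256)
TAKEOVER = {"to": "0x" + "bb" * 20, "operation": DELEGATECALL,
            "data": "0xf2fde38b" + "00" * 12 + "cc" * 20}

if __name__ == "__main__":
    for label, tx in (("routine", ROUTINE), ("takeover", TAKEOVER)):
        print(label, review_transaction(tx, KNOWN) or "no findings")
    print(review_threshold(3, 11))
```

A check like this belongs on each signer's own device, decoding the raw transaction independently of the interface that requested the signature.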


9. Hedgey Finance: Contract vulnerabilities cause $44.7 million loss

On April 19, 2024, Hedgey Finance experienced an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in its ClaimCampaigns contract to successfully extract tokens from both the Ethereum and Arbitrum chains, with total losses amounting to $44.7 million. This incident highlights the importance of code auditing, particularly the rigorous verification of token approval logic.

10. A trading platform: Private key leak leads to a loss of $44.7 million

On September 19, 2024, the hot wallet of a certain trading platform was hacked, involving multiple public chains such as Ethereum, BNB Chain, and Tron. Although the exchange quickly activated asset transfer and withdrawal freeze mechanisms, the hacker successfully extracted assets worth $44.7 million. This attack once again exposed the high risks associated with the management of centralized exchange hot wallets, prompting the industry to further explore safer asset storage solutions.

Conclusion

The frequent security incidents in 2024 remind us once again that the development of the blockchain industry relies on security guarantees. From private key management to contract vulnerabilities, from internal management lapses to the upgrading of external attack methods, each incident brings profound lessons to the industry. To cope with increasingly complex security threats, all parties in the industry need to continuously increase investment in technology research and development, management standards, and risk prevention and control. In the future, we expect to collaboratively build a more secure and reliable blockchain ecosystem through industry collaboration and technological innovation, providing stronger protection for users and investors.

AltcoinHuntervip
· 07-31 14:16
Blockchain suckers spectators, whales fall into dreams.
LiquidationAlertvip
· 07-31 14:15
play people for suckers year after year
StakeOrRegretvip
· 07-31 14:03
Another year ends in Rekt. When will Web3 security be improved?
ProofOfNothingvip
· 07-31 13:49
Hacker withdraws and it's all over, let the debts roll in.