2024 Web3 Security Incident Review: Top Ten Attack Cases and Their Insights

In 2024, while the blockchain industry is experiencing technological innovations and ecosystem expansions, it is also facing increasingly severe security challenges. According to monitoring data, by the end of the year, the total losses in the Web3 sector due to hacker attacks, phishing scams, and project operators absconding reached as high as $2.491 billion.

These events not only exposed vulnerabilities in technical aspects such as private key management and smart contracts, but also highlighted potential risks in social engineering and internal management. This article will review the top ten security incidents in Web3 in 2024, hoping that the industry can learn from them and better address future security threats.

1. DMM Bitcoin: Private Key Leak Leads to $304 Million Loss

On May 31, 2024, the well-known Japanese cryptocurrency exchange DMM Bitcoin experienced a severe security incident. Attackers exploited leaked private keys to directly transfer over $300 million worth of Bitcoin and quickly dispersed the stolen funds to multiple different addresses. This attack exposed serious deficiencies in the exchange's private key management and multi-layer security protections.

Despite the exchange's attempts to track hackers through on-chain monitoring and freezing funds, the tracking work faces significant challenges as the stolen Bitcoin has been dispersed and laundered using mixing tools. By the end of the year, Japanese police confirmed that the incident was orchestrated by the North Korean hacking group Lazarus Group.

2. PlayDapp: $290 million loss due to private key leakage

On February 9, 2024, PlayDapp suffered a major blow. Hackers minted 2 billion PLA tokens by stealing private keys, with an initial value of 36.5 million USD. After negotiations between the project team and the hackers failed, the hackers minted an additional 15.9 billion PLA tokens in a short period, valued at 253.9 million USD. After some tokens flowed into exchanges, PlayDapp was forced to suspend the PLA contract and migrate to a new token contract. This incident highlights the shortcomings of blockchain projects in private key protection and emergency response.

3. An Indian Exchange: Social Engineering Attack Causes $235 Million Loss

On July 18, 2024, the Safe Wallet multi-signature wallet of India’s largest cryptocurrency exchange was precisely attacked by hackers. The attackers used social engineering techniques to induce multi-signature signers to sign a contract upgrade transaction, and then utilized the upgraded contract permissions to transfer all assets in the wallet. This case reveals the potential risks of multi-signature wallets in managing permission configurations and operational transparency, and has triggered an in-depth reflection within the industry on internal risk control and security mechanisms of projects.

4. Gala Games: Access control vulnerability leads to $216 million loss

On May 20, 2024, a privileged address of Gala Games was breached by hackers. The attackers called the mint function in the token contract and minted 5 billion GALA tokens at once. Subsequently, the hackers exchanged these tokens for ETH in batches, directly causing a loss of $216 million. The Gala Games team urgently activated the blacklist feature to block some hacker accounts after the incident and recovered some losses through legal means.

5. Ripple Co-founder: Private Key Leak Caused $112 Million XRP Theft

On January 31, 2024, four personal wallets of Ripple's co-founder were hacked, resulting in the theft of $112 million worth of XRP. These wallets became targets of the attack due to a lack of dual protection from hardware devices. After the incident, a certain exchange successfully froze $4.2 million worth of XRP and assisted in tracking the stolen assets, but most of the funds had already been laundered through decentralized exchanges and mixing services.

6. Munchables: Internal penetration attack caused a loss of 62.5 million dollars.

On March 26, 2024, the Web3 gaming platform Munchables, based on Blast, experienced a rare internal infiltration attack. The attacker was a hacker disguised as a blockchain developer, who obtained the core code and sensitive keys through long-term infiltration. Despite the attack causing significant losses, under pressure from the community and the team, the hacker ultimately returned all the stolen funds. This incident highlights the importance of supply chain security, especially for blockchain projects that rely on third-party development.

7. A Turkish Exchange: Private Key Leak Leads to $55 Million Loss

On June 22, 2024, Turkey's largest cryptocurrency exchange suffered a private key leak attack, resulting in a loss of over $55 million in crypto assets. With the assistance of a certain exchange's team, $5.3 million of the stolen funds were successfully frozen, but other assets have yet to be recovered. This incident has heightened market concerns over the private key management of centralized exchanges.

8. Radiant Capital: Multi-signature wallet compromised, resulting in a loss of $53 million

On October 17, 2024, the multi-signature wallet of Radiant Capital was hacked. Due to its adoption of a low-threshold 3/11 signature verification model, the hacker initiated an off-chain signature by controlling the private keys of 3 signers, transferring the ownership of the wallet contract to a malicious address, ultimately resulting in the theft of $53 million. This attack has sparked industry reflection on the design and governance mechanisms of multi-signature wallets.

It is worth noting that Radiant Capital lost $4.5 million due to a contract vulnerability before this attack, with over 1900 ETH stolen. This once again indicates that Web3 project teams still need to improve their emphasis on security.

9. Hedgey Finance: Contract Vulnerability Leads to $44.7 Million Loss

On April 19, 2024, Hedgey Finance encountered an attack targeting multiple on-chain contracts. The hacker exploited a vulnerability in its ClaimCampaigns contract approval, successfully extracting tokens from both the Ethereum and Arbitrum chains, with a total loss amounting to 44.7 million USD. This incident highlights the importance of code audits, particularly the rigorous verification of token approval logic.

10. A Trading Platform: Hot Wallet Hacked, Losing $44.7 Million

On September 19, 2024, the hot wallet of a certain trading platform was hacked, involving multiple public chains including Ethereum, BNB Chain, Tron, and others. Although the exchange quickly activated asset transfer and withdrawal freeze mechanisms, the hacker successfully extracted assets worth $44.7 million. This attack reflects the high risk of managing hot wallets in centralized exchanges and further drives the industry to explore safer asset storage solutions.

Conclusion

The frequent security attack incidents in 2024 remind us once again that the development of the blockchain industry relies on secure protection. From private key leaks to contract vulnerabilities, from internal management oversights to the upgrading of external attack methods, each incident has brought profound lessons. To cope with increasingly complex attack threats, all parties in the industry need to continuously strengthen their investment in technological research and development, management standards, and risk prevention. In the future, we look forward to establishing a more secure blockchain ecosystem through industry collaboration and technological innovation, providing more reliable protection for users and investors.