Top 10 Security Incidents in Web3 of 2024: Losses of Nearly $2.5 Billion

In 2024, while the blockchain industry is experiencing technological innovation and ecosystem expansion, it also faces increasingly severe security challenges. According to relevant data, as of now, the total losses in the Web3 space due to hacking attacks, phishing scams, and project founders absconding have reached as high as $2.491 billion.

These incidents not only expose technical flaws such as private key management and smart contract vulnerabilities, but also highlight potential risks in social engineering and internal management. Let's take a look back at the top ten most influential security events in the Web3 space in 2024, in hopes of drawing lessons from them to better prepare for future security threats.

A Review of the Top Ten Most Influential Attack Events in Web3 for 2024

1. A Major Attack on a Japanese Cryptocurrency Exchange

Loss Amount: $304 million
Attack Method: Private Key Leak

On May 31, 2024, a well-known Japanese cryptocurrency exchange suffered a historic attack. The attackers exploited leaked private keys to directly transfer over $300 million worth of Bitcoin and quickly dispersed the stolen funds to more than 10 different addresses. This attack exposed serious shortcomings in the exchange's private key management and multi-layer security measures. Although the exchange attempted to track the hackers through on-chain monitoring and freezing of funds, the stolen Bitcoin was dispersed and laundered using mixing tools, posing significant challenges to the tracking efforts.

On December 24, Japanese police determined that the theft incident at the exchange was carried out by an international hacker organization.

2. PlayDapp Suffers Heavy Blow

Loss Amount: $290 million
Attack Method: Private Key Leakage

On February 9, 2024, PlayDapp suffered a major blow when hackers used stolen private keys to mint 2 billion PLA tokens, initially valued at 36.5 million USD. After negotiations between the project team and the hackers failed, the hackers minted a further 15.9 billion PLA tokens in a short time, worth 253.9 million USD. After some of these tokens flowed into an exchange, PlayDapp was forced to suspend the PLA contract and migrate to the PDA token contract. This incident highlights the deficiencies in private key protection and emergency response measures in blockchain projects.

3. India's Largest Cryptocurrency Exchange Faces Targeted Attack

Loss Amount: $235 million
Attack Methods: Cyber Attacks and Phishing

On July 18, 2024, the Safe Wallet multi-signature wallet of India’s largest cryptocurrency exchange was hit by a targeted attack. The attackers used social engineering to lure multi-signature signers into signing a contract upgrade transaction, and then exploited the upgraded contract permissions to empty the assets in the wallet. This case highlights the risks multi-signature wallets face around permission configuration and operational transparency, and has prompted in-depth reflection within the industry on internal risk control and security mechanisms.

4. Gala Games Encountered Privileged Address Attack

Loss Amount: $216 million
Attack Method: Access Control Vulnerability

On May 20, 2024, a privileged address of Gala Games was hacked, and the attacker minted 5 billion GALA tokens at once by calling the mint function in the token contract. Subsequently, the hacker exchanged the minted tokens for ETH in batches, directly causing a loss of $216 million. The Gala Games team urgently activated the blacklist feature to block some of the hacker's accounts after the incident and recovered the losses through legal means.

5. Ripple co-founder's personal wallet hacked

Loss Amount: $112 million
Attack Method: Private Key Leakage

On January 31, 2024, four personal wallets of Ripple co-founder Chris Larsen were hacked, resulting in the theft of $112 million worth of XRP. These wallets were targeted due to a lack of dual protection from hardware devices. After the incident, a major exchange successfully froze $4.2 million worth of XRP and assisted Larsen in tracking the stolen assets, but the majority of the funds had already been laundered through decentralized exchanges and mixing services.

6. Munchables Encountered Internal Penetration Attack

Loss Amount: 62.5 million USD
Attack Method: Social Engineering Attack

On March 26, 2024, the Web3 gaming platform Munchables, based on Blast, experienced a rare internal infiltration attack. The attacker was a hacker disguised as a blockchain developer who obtained the core code and sensitive keys through long-term infiltration. Despite the attack causing significant losses, the hacker ultimately returned all stolen funds due to pressure from the community and the team. This incident highlights the importance of supply chain security, especially for blockchain projects that rely on third-party development.

7. Turkey's Largest Cryptocurrency Exchange Under Attack

Loss Amount: 55 million USD
Attack Method: Private Key Leak

On June 22, 2024, Turkey's largest cryptocurrency exchange was attacked due to a private key leak, resulting in losses of over $55 million in crypto assets. With the assistance of a certain exchange team, $5.3 million of the stolen funds was successfully frozen, but other assets have yet to be recovered. This incident has deepened market concerns over the private key management of centralized exchanges.

8. Radiant Capital Multi-Signature Wallet Breached

Loss Amount: $53 million
Attack Method: Private Key Leakage

On October 17, 2024, the multi-signature wallet of Radiant Capital was breached by hackers. Due to its low-threshold 3/11 signature verification model, the hackers initiated an off-chain signature by obtaining the private keys of three signers, transferring the ownership of the wallet contract to a malicious address, ultimately resulting in the theft of $53 million. This attack has sparked industry reflection on the design and governance mechanisms of multi-signature wallets.

It is worth noting that Radiant Capital lost 4.5 million dollars due to a contract vulnerability before this attack, with over 1,900 ETH stolen. This highlights the need for Web3 project teams to place greater emphasis on security.
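
The signer-side check that the two multi-signature incidents above (items 3 and 8) point to, as an added example that is not part of the original article: before signing, decode the proposed transaction and flag contract upgrades, ownership transfers, delegatecalls to unreviewed contracts, and a signing threshold that is not a majority. The proposal layout, the allowlist, the sample addresses and the majority rule are assumptions made for illustration; the selectors are the standard ones for the named function signatures.

```python
# Added example: pre-signing policy check for a multisig transaction proposal.
# Selector = first 4 bytes of keccak256 of the function signature.
SENSITIVE_SELECTORS = {
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
    "f2fde38b": "transferOwnership(address)",
}
CALL, DELEGATECALL = 0, 1  # values of a Safe transaction's `operation` field


def review_proposal(tx, known_addresses, owners, threshold):
    """Return findings a signer should resolve before adding a signature.

    tx: dict with 'to', 'operation' and hex 'data' (assumed layout).
    known_addresses: lowercase addresses the team has already reviewed.
    """
    findings = []
    data = tx["data"].lower()
    data = data[2:] if data.startswith("0x") else data
    selector, args = data[:8], data[8:]

    if tx["operation"] == DELEGATECALL and tx["to"].lower() not in known_addresses:
        findings.append("delegatecall to unreviewed contract " + tx["to"])

    if selector in SENSITIVE_SELECTORS:
        name = SENSITIVE_SELECTORS[selector]
        if len(args) < 64:
            findings.append(name + " with truncated calldata")
        else:
            # First ABI argument is an address: low 20 bytes of a 32-byte word.
            target = "0x" + args[24:64]
            if target not in known_addresses:
                findings.append(f"{name} points at unreviewed address {target}")

    # Assumed policy: require a strict majority of owners to sign.
    if threshold * 2 <= owners:
        findings.append(f"threshold {threshold}/{owners} is not a majority of signers")
    return findings


# Constructed sample: an ownership transfer proposed to a 3-of-11 wallet.
REVIEWED = {"0x" + "11" * 20}
NEW_OWNER = "0x" + "ab" * 20
PROPOSAL = {"to": "0x" + "22" * 20, "operation": CALL,
            "data": "0xf2fde38b" + "00" * 12 + "ab" * 20}

if __name__ == "__main__":
    for finding in review_proposal(PROPOSAL, REVIEWED, owners=11, threshold=3):
        print("REVIEW:", finding)
```
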

9. Hedgey Finance Encounters Multi-Chain Contract Attack

Loss Amount: 44.7 million USD
Attack Method: Contract Vulnerability

On April 19, 2024, Hedgey Finance suffered an attack targeting its contracts on multiple chains. The hacker exploited a vulnerability in its ClaimCampaigns contract, successfully extracting tokens from both the Ethereum and Arbitrum chains, with total losses amounting to $44.7 million. This incident highlights the importance of code auditing, particularly the rigorous validation of token approval logic.

10. A well-known exchange's hot wallet was hacked

Loss Amount: 44.7 million USD
Attack Method: Private Key Leakage

On September 19, 2024, a well-known exchange's hot wallet was hacked, involving multiple public chains including Ethereum, BNB Chain, and Tron. Although the exchange quickly activated asset transfer and withdrawal freeze mechanisms, the hacker successfully extracted assets worth $44.7 million. This attack reflects the high risks associated with the management of hot wallets by centralized exchanges and further drives the industry to explore more secure asset storage solutions.

The frequent security attack incidents in 2024 remind us once again that the development of the blockchain industry cannot be separated from security support. From private key leaks to contract vulnerabilities, from internal management oversights to the upgrading of external attack methods, each incident has brought profound lessons. To cope with increasingly complex attack threats, all parties in the industry need to continuously enhance their investment in technological research and development, management norms, and risk prevention. In the future, we look forward to establishing a safer blockchain ecosystem through industry collaboration and technological innovation, providing more reliable protection for users and investors.

Ser_Liquidatedvip
· 08-02 08:05
When will the vulnerabilities come to an end?
LonelyAnchormanvip
· 08-01 05:41
The losses are too terrifying.
MEVVictimAlliancevip
· 08-01 05:41
The Private Key has been stolen again.
OnchainUndercovervip
· 08-01 05:35
Another group of suckers has suffered.