
Web3 Security Risk Alert: The Top 10 Most Impactful Attacks of 2024
This article reviews the top 10 Web3 security incidents of 2024, aiming to help the industry learn from these events and better prepare for future security threats.
Written by: Beosin
In 2024, while the blockchain industry has seen technological innovation and ecosystem expansion, it has also faced increasingly severe security challenges. According to monitoring data from Alert, a platform under cybersecurity auditing firm Beosin, as of this writing, the total losses in the Web3 sector due to hacking attacks, phishing scams, and project team rug pulls have reached $2.491 billion in 2024.
These incidents not only expose technical flaws such as private key management and smart contract vulnerabilities but also highlight potential risks related to social engineering and internal governance. This article reviews the top ten Web3 security incidents of 2024, aiming to help the industry learn from these events and better prepare for future security threats.

No.1 DMM Bitcoin
Loss amount: $304 million
Attack method: Private key leak
On May 31, 2024, Japan's long-established cryptocurrency exchange DMM Bitcoin suffered a historic attack. Attackers used leaked private keys to directly transfer over $300 million worth of Bitcoin, quickly dispersing the stolen funds across more than 10 different addresses. This incident exposed serious deficiencies in DMM Bitcoin’s private key management and multi-layered security defenses. Although the exchange attempted to track the hackers through on-chain monitoring and fund freezing measures, the stolen Bitcoin was fragmented and laundered using mixing tools, posing significant challenges for tracking efforts.
On December 24, Japanese police confirmed that the DMM Bitcoin hack was carried out by the North Korean hacker group Lazarus Group. For a detailed analysis of Lazarus Group's past attacks and money laundering tactics, read "Uncovering the boldest crypto theft syndicate in history: A money laundering analysis of hacker group Lazarus Group."

No.2 PlayDapp
Loss amount: $290 million
Attack method: Private key leak
On February 9, 2024, PlayDapp suffered a devastating blow when hackers stole private keys and minted 2 billion PLA tokens, initially valued at $36.5 million. After failed negotiations between the project team and the hackers, the attackers further minted 15.9 billion PLA tokens worth $253.9 million within a short period. After some of these tokens flowed into Gate.io, PlayDapp was forced to suspend its PLA contract and migrate to the new PDA token contract. This incident highlighted weaknesses in blockchain projects' private key protection and emergency response mechanisms.

No.3 WazirX
Loss amount: $235 million
Attack method: Cyberattack and phishing
On July 18, 2024, WazirX, India's largest cryptocurrency exchange, was hit by a targeted attack on its Safe Wallet multisig wallet. The attacker used social engineering to trick one of the signers into approving a contract upgrade transaction, then used the upgraded contract's permissions to drain all assets from the wallet. This case underscored the risks in multisig wallet management, including permission configuration and operational transparency, and prompted the industry to re-examine its internal risk controls and security mechanisms.
For a detailed analysis and fund tracking of this incident, read “Beosin | Analysis of the $235 Million Theft at Indian Exchange WazirX.”

No.4 Gala Games
Loss amount: $216 million
Attack method: Access control vulnerability
On May 20, 2024, a privileged address belonging to Gala Games was compromised. The attacker called the mint function in the token contract to create 5 billion GALA tokens in one go. Subsequently, the hacker exchanged the newly issued tokens for ETH in batches, resulting in a direct loss of $216 million. Following the incident, the Gala Games team urgently activated a blacklist feature to block some hacker accounts and pursued legal avenues to recover the lost funds.
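
The PlayDapp and Gala Games incidents above both ended in a privileged key minting billions of tokens. The following is an added example, not code from Beosin or either project, of a monitor that flags such mints from ERC-20 Transfer events, where a transfer from the zero address marks a mint. The starting supply, addresses, thresholds and sample events are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

ZERO = "0x" + "0" * 40  # ERC-20 convention: Transfer from the zero address is a mint

@dataclass
class Transfer:
    block: int
    sender: str
    recipient: str
    amount: int  # whole tokens; decimals ignored for readability

def scan_mints(events, supply, max_fraction=0.01, window_blocks=100):
    """Return (alerts, final_supply). A mint is flagged when it alone exceeds
    max_fraction of current supply, or when mints within the last
    window_blocks blocks together exceed max_fraction of the supply
    that existed before the first mint in that window."""
    alerts = []
    recent = deque()  # (block, amount, supply_before) for mints in the window
    for ev in sorted(events, key=lambda e: e.block):
        if ev.sender == ZERO and ev.recipient != ZERO:
            while recent and ev.block - recent[0][0] > window_blocks:
                recent.popleft()
            recent.append((ev.block, ev.amount, supply))
            minted = sum(amount for _, amount, _ in recent)
            if ev.amount > max_fraction * supply:
                alerts.append((ev.block, "single", ev.amount))
            elif minted > max_fraction * recent[0][2]:
                alerts.append((ev.block, "cumulative", minted))
            supply += ev.amount
        elif ev.recipient == ZERO and ev.sender != ZERO:
            supply -= ev.amount  # burn reduces the baseline
    return alerts, supply

# Constructed sample events (addresses and starting supply are invented).
START_SUPPLY = 1_000_000_000
SAMPLE = [
    Transfer(100, "0xaaa", "0xbbb", 5_000),         # ordinary transfer
    Transfer(110, ZERO, "0xccc", 4_000_000),        # small mint, 0.4% of supply
    Transfer(120, ZERO, "0xccc", 4_000_000),
    Transfer(130, ZERO, "0xccc", 4_000_000),        # three small mints add up
    Transfer(500, ZERO, "0xddd", 2_000_000_000),    # one oversized mint
    Transfer(900, "0xbbb", ZERO, 1_000),            # burn
]

if __name__ == "__main__":
    for alert in scan_mints(SAMPLE, START_SUPPLY)[0]:
        print(alert)
```

The cumulative rule matters because a minter who stays under the per-transaction limit would otherwise pass unnoticed.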

No.5 Chris Larsen (Ripple's co-founder)
Loss amount: $112 million
Attack method: Private key leak
On January 31, 2024, four personal wallets belonging to Ripple co-founder Chris Larsen were breached, leading to the theft of $112 million worth of XRP. These wallets are suspected to have been targeted due to lack of dual protection via hardware devices. After the incident, Binance successfully froze $4.2 million worth of XRP and assisted Larsen in tracking the stolen assets, though the majority of the funds had already been laundered through decentralized exchanges and mixing services.

No.6 Munchables
Loss amount: $62.5 million
Attack method: Social engineering attack
On March 26, 2024, Munchables, a Web3 gaming platform built on Blast, experienced a rare internal infiltration. The attacker was a North Korean hacker who posed as a blockchain developer and gained access to core code and sensitive keys after prolonged covert operations. Despite the massive financial loss, under pressure from the community and the project team, the hacker eventually returned all stolen funds. This event revealed the importance of supply chain security, especially for blockchain projects relying on third-party developers.

No.7 BtcTurk
Loss amount: $55 million
Attack method: Private key leak
On June 22, 2024, Turkey’s largest cryptocurrency exchange BtcTurk suffered an attack due to a private key leak, losing over $55 million in digital assets. With assistance from Binance, $5.3 million of the stolen funds were successfully frozen, but the rest remain unrecovered. This incident intensified market concerns about private key management at centralized exchanges.

[Figure: Official announcement from BtcTurk regarding the attack]

No.8 Radiant Capital
Loss amount: $53 million
Attack method: Private key leak
On October 17, 2024, Radiant Capital’s multisig wallet was compromised. Due to its low-threshold 3-out-of-11 signature verification model, the hacker managed to obtain signatures from three signers off-chain, transferring ownership of the wallet contract to a malicious address, ultimately stealing $53 million. This attack triggered industry-wide reflection on multisig wallet design and governance mechanisms.
Prior to this attack, Radiant Capital had already lost $4.5 million due to a smart contract vulnerability, with over 1,900 ETH stolen. There remains a pressing need for Web3 projects to place greater emphasis on security.
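
To make the "low-threshold 3-out-of-11" point concrete, the following added example (not from Beosin or Radiant Capital) compares k-of-n thresholds under a simple model that goes beyond the single case in the text. It assumes each signer is compromised, or unavailable, independently with a fixed probability; the probabilities used are constructed, not measured.

```python
from math import comb

def tail(n, k, p):
    """P(at least k of n independent events occur, each with probability p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))

def compromise_risk(n, k, p_signer):
    """Chance an attacker obtains k or more of the n signers' approvals."""
    return tail(n, k, p_signer)

def lockout_risk(n, k, p_unavailable):
    """Chance the owners cannot reach quorum: more than n-k signers unavailable."""
    return tail(n, n - k + 1, p_unavailable)

def highest_safe_threshold(n, p_unavailable, max_lockout):
    """Largest k whose lockout risk stays within budget; a larger k always
    lowers compromise risk, so this is the strongest usable threshold."""
    usable = [k for k in range(1, n + 1)
              if lockout_risk(n, k, p_unavailable) <= max_lockout]
    return max(usable) if usable else None

if __name__ == "__main__":
    n = 11
    p_signer = 0.10       # assumed chance one signer is phished or infected
    p_unavailable = 0.05  # assumed chance one signer cannot sign in time
    for k in (3, 6, 7, 8):
        print(f"{k}-of-{n}: compromise={compromise_risk(n, k, p_signer):.2e} "
              f"lockout={lockout_risk(n, k, p_unavailable):.2e}")
    print("highest k with lockout <= 1e-3:",
          highest_safe_threshold(n, p_unavailable, 1e-3))
```

Independence is the optimistic case: signers who share devices, tooling or a signing interface can be compromised together, which makes a low threshold weaker than this model suggests.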

No.9 Hedgey Finance
Loss amount: $44.7 million
Attack method: Contract vulnerability
On April 19, 2024, Hedgey Finance came under coordinated attacks targeting multiple on-chain contracts. Exploiting an approval flaw in its ClaimCampaigns contract, the hacker successfully withdrew tokens on both Ethereum and Arbitrum chains, causing total losses of $44.7 million. This incident underscores the critical importance of code audits, particularly rigorous validation of token approval logic.

No.10 BingX
Loss amount: $44.7 million
Attack method: Private key leak
On September 19, 2024, BingX exchange’s hot wallet was breached, affecting multiple public chains including Ethereum, BNB Chain, and Tron. Despite the exchange quickly initiating asset transfers and withdrawal freezes, the hacker had already withdrawn $44.7 million worth of assets. This attack highlighted the high risks associated with managing hot wallets at centralized exchanges and further pushed the industry toward exploring more secure asset storage solutions.

The frequent security breaches in 2024 serve as yet another reminder that the development of the blockchain industry cannot be separated from robust security safeguards. From private key leaks and contract vulnerabilities to internal mismanagement and increasingly sophisticated external attacks, each incident delivers profound lessons. To counter ever-more complex threats, stakeholders across the industry must continue strengthening investments in technology research, management standards, and risk prevention. In the future, we hope that through industry collaboration and technological innovation, we can jointly build a more secure blockchain ecosystem, providing users and investors with greater reliability and protection.














