- The biggest hacks this year were mostly due to private key leakage.
- Security experts warned that such attacks would happen.
- Investors lost $2.3 billion to crypto theft in 2024.
It wasn’t a secret.
Blockchain security experts shouted it from rooftops last year: Infrastructure attacks targeting private keys and smart contract ownership would cause major damage to crypto projects in 2024.
Private keys control access to crypto wallets and should be stored securely. If not, hackers can use them to steal funds from a victim’s wallet.
Some companies didn’t heed those warnings and failed to secure their private keys, leaving the door open for North Korean cybercriminals to steal $1.34 billion in crypto, according to blockchain forensics company Chainalysis.
According to Luciano Ciattaglia, vice president of services at blockchain security auditor Hacken, companies affected by private key leakage made “avoidable mistakes.”
“Victims often used third-party private key management platforms that lacked proper security practices such as encryption or distributed storage,” Ciattaglia told DL News.
This year’s biggest hacks were all due to access control vulnerabilities including private key leakage.
In a year where investors lost $2.3 billion to crypto theft, private key leakage and other infrastructure attacks account for 81% of that total, according to blockchain security firm Cyvers.
Here are the five biggest crypto hacks of 2024.
DMM Bitcoin $308 million in May
Japanese crypto exchange DMM Bitcoin was the hardest hit this year.
The platform lost 4,502.9 Bitcoin worth $308 million in May.
Six months after the hack, the details are still unclear, but security researchers suspect North Korean hackers accessed the platform’s private keys.
They based their claim on the similarities between the laundering techniques used by the hackers to that of the dreaded North Korean cybercrime syndicate Lazarus Group.
DMM Bitcoin was unable to recover from the hack. The platform shuttered earlier this month and transferred its assets to trading platform SVI VC Trade.
PlayDapp: $290 million
PlayDapp, a South Korean blockchain gaming app, managed to avert disaster despite suffering a massive hack in February.
The saga began when a hacker hijacked control of PlayDapp’s smart contract for minting tokens and created 200 million PLA tokens.
At the time, the tokens were worth $26 million.
PlayDapp acted swiftly by contacting exchanges to freeze the tokens which prevented the attacker from cashing out.
Undaunted, the hacker minted 1.6 billion PLA tokens worth $264 million days later but they were unable to sell them.
PlayDapp has since migrated to a new token contract.
WazirX: $235 million
At first glance, WazirX was a secure platform.
India’s largest crypto exchange used a multisig wallet with four out of six signers, address whitelisting configured to an offsite interface, and signing keys domiciled in a hardware wallet.
Still, the platform lost almost half of its assets in one fell swoop.
Hackers breached one of the platform’s multisig wallets in July and stole $235 million in various cryptocurrencies including Ether and the Shiba Inu memecoin.
The hackers used complex attack vectors to trick WazirX wallet administrators into ceding access control over to the bad actors.
They used this access control to bypass other security measures and syphon funds from the platform’s wallet.
Police in India arrested a suspect allegedly connected to the hack in November.
Radiant Capital: $62.5 million
Cybercriminals attacked cross-chain DeFi lending protocol Radiant Capital twice this year, in January and October.
In January, an attacker manipulated the protocol’s smart contract to steal $4.5 million from versions of Radiant Capital deployed on Arbitrum and BNB Chain.
Then in October, the platform lost $58 million in an attack where hackers compromised the protocol developer’s private keys to steal funds.
That second attack has been linked to North Korean cybercriminals.
The attacker posed as a former team member and sent a malware-laced digital file to the project’s developer.
The malware gave the hackers access to Radiant Capital’s computers where private keys were stored.
Munchables $62.5 million
External actors aren’t the only threats to crypto projects; sometimes, the bad guys are within.
That was the case in March for Munchables, a non-fungible token project on the Blast blockchain.
The Munchables team had a bad actor in its midst.
The hacker, suspected to be from North Korea, used their access to introduce a vulnerability in the project’s smart contract.
That allowed the attacker to steal $62.5 million in Ether from the Munchables project in March.
However, the attacker returned the private keys needed to recover $60.5 million to the team.
Looking ahead
The uptick in private key leakage attacks this year contributed to investors suffering greater losses in 2024 than the previous year.
At $2.3 billion, crypto thefts in 2024 exceeded last year’s total by 40% — but is lower than the $3.8 billion record of 2022.
Crypto crime fighters say new and more dangerous attack vectors are looming.
Cyvers said in its report that that advances in quantum computing and artificial intelligence could drive more complex attacks next year.
Other security experts are also converging on that possibility.
“Next year, crypto investors might see more risks from AI-driven attacks, which are likely to make phishing scams more convincing and help attackers find vulnerabilities in smart contracts faster,” Ciattaglia said.
The Hacken executive said these sophisticated threats will require crypto developers to upgrade their operational security protocols.
Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech. To share tips or information about stories, please contact him at osato@dlnews.com.