Hackers and scammers are having a field day in 2024, with numerous exploits yielding over $200m in stolen assets from exchanges and DeFi protocols in Q1 so far.
Introduction
With the 2024 crypto bull season in full flow, it’s no surprise to see the usual motley crew of hackers and scammers return to the space to pillage the wallets of investors, DeFi protocols and centralized exchanges once again.
Web3 is moving faster than ever and as shiny new layer-1 and layer-2 networks launch and degen traders dive headfirst into new trends like Crypto AIs, DePIN, Airdrop Season and uhmmm, full-blown memecoin mania (see Slerf this week), bad actors are rubbing their hands in glee as they relieve ill-prepared investors and protocols of hundreds of millions in crypto.
In the first quarter of 2024 alone, we’ve seen over $200 million worth of digital assets stolen across 32 incidents, according to a report by blockchain security firm Immunefi. That’s a 15% increase compared to the same period in 2023.
With crypto crime surging again, using a top hardware wallet like CoolWallet is no longer a luxury, but a necessity. Our cold storage solutions have been protecting crypto assets like Bitcoin since 2014, and provide complete peace of mind in crypto. Read or scroll down to the end to find out why.
Still not worried?
OK, then let’s take a closer look at the biggest crypto hacks of Q1 2024, break down the month-by-month incidents, and explore the lessons we can learn from these costly attacks. Remember, if you own crypto, you are a TARGET.
The Biggest Crypto Hacks of Q1 2024
Ethereum Takes the Hardest Hit
No prizes for guessing that Ethereum was the most targeted blockchain yet again, with 12 attacks accounting for over 85% of the total value lost in Q1. The Bitcoin network and Binance’s BNB Chain each suffered one major incident. Below is Immunefi’s list of hacks in February alone.
PlayDapp – $32.3 million ($290 million lost)
The largest hack of the year so far targeted PlayDapp, a crypto gaming platform, on 9 and 12 February 2024: $290 million worth of tokens were stolen, of which about $32.3 million was converted into other assets. The exact details of the attack method have not been disclosed.
The attacker managed to mint 200 million PLA tokens (worth around $36.5 million) in the first attack on February 9th. The root cause of the exploit was an access control vulnerability in PlayDapp’s smart contract, which allowed the attacker to gain unauthorized minting privileges. By exploiting this vulnerability, the attacker could create new tokens out of thin air, effectively devaluing the existing tokens.
The total number of PLA tokens minted by the attacker (1.8 billion) significantly exceeded the pre-exploit circulating supply of 577 million, making it challenging for the hacker to sell the tokens at their original market value.
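As an added illustration (not PlayDapp's contract, whose code is not reproduced here), the minimal Solidity shape of an unguarded mint() next to a hardened one: a dedicated minter role, held by a key separate from the deployer, stops unauthorized callers, and a hard supply cap bounds the damage even if a minting key itself leaks. Contract names and the cap are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration (not PlayDapp's code; names and cap are constructed):
// the shape of an "unauthorized minting" bug next to a hardened variant.

// VULNERABLE: nothing checks who calls mint(), so any address can inflate
// the supply and dump the new tokens on the market.
contract UncappedToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    function mint(address to, uint256 amount) external {
        totalSupply += amount;       // no role check, no supply cap
        balanceOf[to] += amount;
    }
}

// HARDENED: a dedicated minter role (held by a key separate from the deployer)
// plus a hard cap, so even a leaked minter key cannot push supply past
// maxSupply; every mint emits an event that off-chain monitors can alert on.
contract CappedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public isMinter;
    uint256 public totalSupply;
    uint256 public immutable maxSupply;
    address public admin;

    event Minted(address indexed minter, address indexed to, uint256 amount);
    event MinterSet(address indexed account, bool allowed);

    constructor(uint256 cap) {
        admin = msg.sender;
        maxSupply = cap;
    }

    function setMinter(address account, bool allowed) external {
        require(msg.sender == admin, "not admin");
        isMinter[account] = allowed;
        emit MinterSet(account, allowed);
    }

    function mint(address to, uint256 amount) external {
        require(isMinter[msg.sender], "not a minter");
        require(totalSupply + amount <= maxSupply, "cap exceeded");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Minted(msg.sender, to, amount);
    }
}
```

A monitor watching Minted events against the known minter set would have flagged the first unexpected mint rather than the 1.8 billion tokens after the fact.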
FixedFloat – $26.1 million
Decentralized exchange FixedFloat suffered the second-largest theft according to Immunefi, losing $26.1 million. The hack was carried out by exploiting a vulnerability in the exchange’s smart contract.
The cryptocurrency exchange, which does not require user registration or Know Your Customer (KYC) verifications, initially attributed the massive outflow of funds to “minor technical problems” and switched to maintenance mode.
However, the team later denied insider involvement and claimed that a third party had exploited vulnerabilities and security gaps in its infrastructure, allowing the attacker to access sensitive functionality within the protocol.
FixedFloat’s handling of the incident has been criticized for its lack of timely and transparent communication with its users, leading to accusations of a potential exit scam.
Orbit Chain – $80 million
On January 2, 2024, Orbit Chain, a South Korean blockchain project, fell victim to a hack that resulted in a loss of over $80 million. The breach was attributed to compromised multisig signers, allowing the attacker to drain various cryptocurrencies, including stablecoins, wrapped Bitcoin (WBTC), and Ether (ETH). The stolen funds were then transferred through mixers in an attempt to obfuscate the trail.
This incident is part of a series of security issues plaguing projects from Ozys, the company behind Orbit Chain, including previous hacks on KlaySwap and Belt Finance. The Orbit Chain hack highlights the persistent risks in crypto security, particularly around multisig wallets and private key management, and underlines the need for improved safeguards and for actually applying the lessons of past breaches.
Shido – $35 million
On March 5, 2024, Shido, a Layer-1 Proof-of-Stake (PoS) blockchain, experienced an exploit that resulted in the theft of approximately $35 million worth of SHIDO tokens. The attacker managed to drain around 4.3 billion SHIDO tokens, which constituted nearly half of the token’s circulating supply. The exploit was made possible by a change in the contract’s ownership to a new address, which then upgraded the staking contract using a hidden withdrawToken() function to steal the funds.
This incident led to a steep 94% drop in the SHIDO token price within the first 30 minutes of the attack. In response, the Shido team replaced the compromised deployer address, temporarily closed liquidity provisioning on all DEXs, and contacted CEXs to disable deposits and freeze tokens linked to the hack, which helped to limit the damage.
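An added example, not Shido's code: an admin contract that makes the two steps in this exploit, an ownership change followed by a contract upgrade, slow and observable. Ownership only moves when the new owner accepts it, and an upgrade must be announced on-chain and wait out a delay before it can take effect; the IUpgradeable interface, the names and the two-day delay are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration (not Shido's code; names and the delay are assumed):
// an admin contract that makes "change owner, then upgrade" slow and visible.
interface IUpgradeable {
    function upgradeTo(address newImplementation) external;
}
contract GuardedUpgrader {
    uint256 public constant UPGRADE_DELAY = 2 days;
    IUpgradeable public immutable target;   // the upgradeable contract administered
    address public owner;
    address public pendingOwner;            // two-step ownership transfer
    address public proposedImpl;            // queued implementation, if any
    uint256 public executableAt;            // earliest time it may go live

    event OwnershipProposed(address indexed current, address indexed pending);
    event OwnershipAccepted(address indexed previous, address indexed current);
    event UpgradeProposed(address indexed impl, uint256 executableAt);
    event UpgradeExecuted(address indexed impl);
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    constructor(IUpgradeable _target) { owner = msg.sender; target = _target; }

    // Ownership moves only when the proposed owner actively accepts it.
    function proposeOwner(address next) external onlyOwner {
        pendingOwner = next;
        emit OwnershipProposed(owner, next);
    }
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        emit OwnershipAccepted(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }

    // An upgrade is announced on-chain and can only take effect after the
    // delay, giving monitors and users time to inspect the new code.
    function proposeUpgrade(address impl) external onlyOwner {
        proposedImpl = impl;
        executableAt = block.timestamp + UPGRADE_DELAY;
        emit UpgradeProposed(impl, executableAt);
    }
    function executeUpgrade() external onlyOwner {
        require(proposedImpl != address(0), "nothing queued");
        require(block.timestamp >= executableAt, "delay not elapsed");
        address impl = proposedImpl;
        proposedImpl = address(0);
        target.upgradeTo(impl);
        emit UpgradeExecuted(impl);
    }
}
```

With this in front of the staking contract, the OwnershipProposed and UpgradeProposed events give exchanges and liquidity providers a window to act before a hidden withdrawal function can go live.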
Notable Crypto Hacks So Far in 2024 (Month by Month)
January 2024
| Project | Date | Value Stolen | Hacking Method | Lessons Learned |
|---|---|---|---|---|
| Orbit Chain | Jan 2 | $80 million | Compromised multisig signers | Improve multisig security and private key management |
| Radiant Capital | Jan 3 | $4.5 million | Price manipulation exploiting rounding error | Careful consideration when forking existing codebases |
| Gamma Strategies | Jan 8 | $3.4 million | Flash loan attack manipulating price thresholds | Set conservative price change thresholds |
| CoinsPaid | Jan 8 | $7.5 million | Unauthorized withdrawals, method unknown | Ongoing investigations, no comment from CoinsPaid |
February 2024
| Project | Date | Value Stolen | Hacking Method | Lessons Learned |
|---|---|---|---|---|
| PlayDapp | Feb 9, 12 | $290 million | Unauthorized minting using compromised private key | Secure private keys, monitor for suspicious activity |
| Abracadabra Finance | Feb 20 | $6.5 million | Rounding error exploitation | Thorough testing and auditing of smart contracts |
| Blueberry Protocol | Feb 23 | $1.34 million | Exploitation of upgradable contracts | Carefully manage upgradable contracts and access control |
| FixedFloat | Feb 16, 17 | $25.95 million | Method under investigation | Ongoing investigation, website in maintenance mode |
| Miner (@minerercx) | Feb 14 | $463,400 | Vulnerability in ERC-X token standard | Careful consideration when using experimental token standards |
| Narwhal | Feb 5, 6 | $1.5 million | Compromised signer key or exit scam | Ongoing investigation into true nature of incident |
March 2024
| Project | Date | Value Stolen | Hacking Method | Lessons Learned |
|---|---|---|---|---|
| Mozaic Finance | Mar 15 | $2.5 million | Compromised private key on Arbitrum chain | Swift action and transparency in addressing security incidents |
| GAMEE Token | Mar 22 | $7 million | Lack of access control, compromised deployer | Implement robust access controls and secure development practices |
| Shido | Mar 5 | $35 million | Ownership change and hidden withdraw function | Regularly audit and monitor smart contracts for vulnerabilities |
7 Top Tips to Stay Safe From Hacks in 2024
- Secure your keys: Many hacks stemmed from compromised private keys or multisig setups. Implementing robust key management practices is crucial. CoolWallet enables users to set up their recovery seed phrase completely offline if needed, and it’s strongly recommended to NEVER create or keep a digital copy of it.
- Audit, test, and monitor: Regular audits, thorough testing, and continuous monitoring can help identify and mitigate vulnerabilities before they’re exploited.
- Be cautious with upgradable smart contracts and experimental standards: While useful, these features can introduce new attack vectors if not managed carefully.
- Swift action and transparency matter: Projects that quickly acknowledged incidents, took corrective measures, and communicated openly with their communities fared better in the aftermath of a hack.
- Diversify your holdings: use different devices and wallets if you’re going to actively trade your crypto and interact with a number of decentralized applications, so a compromise of one does not expose everything.
- Protect Your Privacy: Where possible, use a VPN to hide your IP address from hackers and scammers.
- Stay Safe From Stranger Danger: Do not click on any suspicious links on any site or email or approve any blind signing requests when transacting.
CoolWallet – Cold Storage’s Smartest Choice Since 2014
In an industry built on trustless technology, there are still some areas where trust matters above all else, namely which crypto wallet to keep your digital assets on.
CoolWallet is celebrating its 10th year in 2024, and still holds an undefeated safety record in the blockchain security business, unlike some of our more esteemed peers.
Users can choose from two battle-tested models, the CoolWallet S ($99) for HODLers and newbies, as well as our flagship CoolWallet Pro model ($149) for more sophisticated investors who like a cold wallet that’s portable and ultra-secure.
Elite safety features include an EAL6+ secure element, military-grade encrypted Bluetooth, a tamper-proof and waterproof casing, biometric verification and our anti-phishing Web3 transaction screener, SmartScan. And of course, open-source code for full transparency.
As the crypto space continues to evolve, so do the tactics of hackers and exploiters. By learning from these incidents and implementing best practices in security and smart contract development, projects can better protect themselves and their users from falling victim to the next big hack.
Stay safe out there, fellow crypto enthusiasts! And remember, when in doubt, always do your own research and never invest more than you can afford to lose.
Don’t trust your precious crypto on exchanges or unsecured software wallets. Not Your Keys, Not Your Crypto!