Last week, we released the SlowMist | 2024 Blockchain Security and Anti-Money Laundering Annual Report. Next, we will interpret the report in four articles, analyze the key contents of the report, and help readers have a more comprehensive and in-depth understanding of the key security challenges and opportunities in the current blockchain ecosystem. This article mainly focuses on the security situation of the blockchain ecosystem.
In the field of security, 2024 continued the previous severe situation. Hacker attacks occurred frequently, especially attacks on centralized platforms dominated. At the same time, smart contract vulnerabilities and social engineering attacks are still the main means of hackers, while phishing attacks are more covert and more complex, and the protection of user assets still faces major challenges. Supply chain security issues also attracted more attention in 2024. Many well-known projects suffered malicious code injection attacks, resulting in the loss of a large number of user assets.
According to the SlowMist Hacked Archive, there were 410 security incidents in 2024, with losses of up to $2.013 billion. Compared with 2023 (464 incidents in total, with losses of approximately $2.486 billion), the losses decreased by 19.02% year-on-year.
Note: The data in this report is based on the token price at the time of the incident. Due to factors such as currency price fluctuations and the fact that losses from some undisclosed incidents are not included in the statistics, the actual losses should be higher than the statistical results.
(https://hacked.slowmist.io/statistics/?c=all&d=2024)
(2024 Top 10 security attack events with the highest losses)
On May 31, 2024, Japanese cryptocurrency exchange DMM Bitcoin The DMM Bitcoin hack is the seventh-largest cryptocurrency exchange hack in history, according to a report from the US Federal Bureau of Investigation (FBI). The DMM Bitcoin hack is the third-largest such case in Japan. The FBI, the Department of Defense Cyber Crime Center (DC3), and the National Police Agency (NPA) of Japan reminded the public that the theft was related to the TraderTraitor threat activity, which has also been tracked as Jade Sleet, UNC4899, and Slow Pisces, according to a report from the FBI on December 23. TraderTraitor activity is often characterized by social engineering attacks against multiple employees of the same company.
It is reported that in late March 2024, a North Korean hacker posing as a LinkedIn recruiter contacted employees of Ginco, an enterprise-level cryptocurrency wallet software company based in Japan. The hacker sent a link to a malicious Python script hosted on GitHub to the target employee, claiming that it was an onboarding test. The target employee copied the Python code to his own GitHub page and was hacked. After mid-May, the TraderTraitor hacker used session cookie information to impersonate the hacked employee and successfully accessed Ginco's unencrypted communication system. At the end of May, the hacker may have used this access to tamper with the legitimate trading requests of DMM Bitcoin employees, resulting in the theft of 4,502.9 BTC. Ultimately, the stolen funds were transferred to a wallet controlled by TraderTraitor.
On February 9, 2024, the blockchain gaming platform PlayDapp was attacked and hackers hacked into the PlayDapp (PLA) token smart contract. The hacker illegally obtained the private key, thereby changing the ownership and minting authority of the smart contract and transferring it to his own account. The hacker removed the authorization of the existing administrator and illegally minted 200 million PLA tokens. Shortly after the incident, PlayDapp sent a message to the hacker through an on-chain transaction, demanding the return of the stolen funds and providing a $1 million white hat reward, but the negotiations ultimately failed. On February 12, the hacker again illegally minted 1.59 billion PLA tokens, but because the exchange had taken freezing measures, the market circulation had been stopped and could not be circulated. On April 1, PlayDapp disclosed that on January 16, 2024, the PlayDapp team received a forged email from hackers. The email was carefully designed with the same title, sender email address (including username and domain name) and content as the regular information request emails they often received from major cooperative exchanges. Analysis shows that when the malicious code in the email attachment was executed, the victim's computer installed a tampered remote access multi-session tool, which was then remotely controlled by hackers, resulting in the theft of the administrator's private key.
On July 18, 2024, the multi-signature wallet of the Indian cryptocurrency exchange WazirX was monitored to have multiple suspicious transactions. On July 19, according to the preliminary investigation results of the cyber attack released by WazirX on the X platform, one of their multi-signature wallets suffered a cyber attack, with losses exceeding US$230 million. The wallet has six signatories - five from the WazirX team and one from Liminal, who is responsible for transaction verification. Each transaction usually requires the approval of three signatories from the WazirX team (all of whom use Ledger hardware wallets for security) before the final approval by Liminal's signatories. The cyber attack stemmed from the difference between the data displayed on the Liminal interface and the actual transaction content. At the time of the attack, the transaction information displayed on the Liminal interface did not match the actual signed content. WazirX suspects that the hacker transferred control of the wallet to himself by replacing the payload.
On June 22, 2024, the Turkish cryptocurrency exchange BtcTurk was attacked and lost about $90 million. "The cyberattack affected a portion of our 10 cryptocurrency balances in hot wallets, and most of the assets stored in cold wallets remain safe," BtcTurk said in a statement on June 22. According to Binance CEO Richard Teng, Binance has frozen $5.3 million worth of the stolen assets.
On March 27, 2024, the Blast ecosystem project Munchables was attacked and lost approximately $62.5 million. On the same day, Blast founder Pacman tweeted: "Blast core contributors have received $97 million in funds through multi-signature. Thanks to the former Munchables developer for choosing to eventually return all funds without any ransom."
On October 17, 2024, Radiant Capital posted on X that it was aware of problems with the Radiant lending market on BNB Chain and Arbitrum, and that Base and the mainnet market had suspended trading. According to the analysis of the SlowMist security team, the incident was caused by Radiant hackers illegally controlling 3 multi-signature permissions and upgrading malicious contracts to steal funds. On October 18, Radiant released an incident analysis report stating that the incident caused a loss of approximately $50 million. Hackers successfully hacked into the devices of at least three core contributors through complex malware injection techniques, and these hacked devices were then used to sign malicious transactions. On December 6, Radiant released the latest progress of the attack. Mandiant, a security company hired by Radiant, attributed the attack to UNC4736, commonly known as AppleJeus or Citrine Sleet. Mandiant highly believes that UNC4736 is related to the Democratic People’s Republic of Korea (DPRK).
On September 20, 2024, according to the announcement of the cryptocurrency exchange BingX, at about 4 am on September 20, Singapore time, BingX’s security system detected an unauthorized intrusion into a hot wallet. According to the statistics of the SlowMist security team, the loss caused by this incident was about US$45 million. According to the analysis of MistTrack, there is a suspected connection between the Indodax hacker and the BingX hacker. The hackers of these two attacks used the same address to launder money, and both pointed to the North Korean hacker Lazarus Group.
On April 19, 2024, Hedgey Finance was attacked, and hackers conducted a series of malicious transactions, resulting in a total loss of approximately $44.7 million on both Ethereum and Arbitrum chains. The root cause of the incident was the lack of verification of user parameter input, which enabled hackers to manipulate and obtain unauthorized token approval.
On September 4, 2024, the decentralized liquidity yield project Penpie was attacked, and hackers made a profit of approximately $27.35 million. According to the analysis of the SlowMist security team, the core of this incident was that Penpie mistakenly assumed that all markets created by Pendle Finance were legal when registering a new Pendle market. However, Pendle Finance's market creation process is open, allowing anyone to create a market, and key parameters such as the SY contract address can be customized by users. Taking advantage of this, the hacker created a market contract containing a malicious SY contract, and took advantage of the mechanism that the Penpie pool needs to call an external SY contract when obtaining rewards, and used flash loans to add a lot of liquidity to the market and pool, artificially magnifying the amount of rewards and making profits.
On February 16, 2024, according to on-chain data, the cryptocurrency trading platform FixedFloat was attacked and lost about 409 BTC (about $21.17 million) and 1,728 ETH (about $4.85 million). FixedFloat said in response to the attack: This hacker attack was an external attack caused by a vulnerability in the security structure, not by employees, and user funds were not affected. On April 2, FixedFloat said on the X platform that it was attacked again by the hackers of the February 16 attack. The hackers managed to exploit a vulnerability in a third-party service used by FixedFloat. The two attacks caused a total loss of about $29 million to FixedFloat.
Rug Pull is a scam. Its essence is that malicious project parties create momentum to attract user investment, and then "pull the blanket" and run away with the money when the time is right. According to the SlowMist Hacked Archive, there were 58 Rug Pull incidents in 2024, resulting in a loss of about $106 million.
(2024 Top10 Loss Runaway Events)
With the advent of the Meme coin craze, many users, driven by speculation and FOMO emotions, ignored the potential risks. Some coin issuers do not even need to describe their vision or provide white papers to users. With just a concept or slogan, they can hype up the popularity and attract users to buy tokens, and the low cost of doing evil has led to endless runaway events. The following are common operations of malicious project parties:
False propaganda and hype: Attract user investment by exaggerating technical strength or market potential, as well as false cooperation or celebrity endorsements.
Manipulation of token prices:Project parties usually hold a large number of tokens in advance, and manipulate market prices to create a false illusion of prosperity and attract more funds to enter the market.
Token contract setting loopholes:By reserving a backdoor in the smart contract, the project party can withdraw funds or destroy the liquidity pool at any time.
Evaporation:Before running away, the project party often closes the official website, social accounts or disbands the community to cut off contact with investors.
Review project background:Pay attention to the authenticity and background of team members, and check whether their past projects have a bad record.
Whether it has been audited:Check whether the project has undergone a professional security audit.
Pay attention to community feedback:Join the project's social media or forums, observe the community's activity and discussion content, and be wary of excessive hype or unreasonable promises.
Diversify investments:Don't invest all your funds in one project to avoid major losses from a single project.
Beware of the temptation of high returns:There is no such thing as a free lunch. High returns are often accompanied by high risks. Be extra cautious about unrealistic promises such as "quickly double" and "zero risk".
The link to the full report is as follows. You can also click to read the original text directly. Welcome to read and share :)
Chinese: https://www.slowmist.com/report/2024-Blockchain-Security-and-AML-Annual-Report(CN).pdf
English: https://www.slowmist.com/report/2024-Blockchain-Security-and-AML-Annual-Report(EN).pdf
SM Entertainment and LG Uplus have partnered to launch Nævis, an AI-powered virtual artist, using LG's ixi-GEN technology to create music, videos, and merchandise. The collaboration aims to revolutionise digital entertainment but raises concerns about potential impacts on beauty standards and the traditional music industry.
JoyGoogle's Gemini AI is set to be integrated into Android Auto, offering enhanced, personalised interactions compared to Google Assistant. The update will bring advanced conversational features and potentially elevate the in-car AI experience, although details on full feature access and rollout timing are still unclear.
WeatherlySolana-based Pump.fun reached $100 million in revenue just eight months after its January launch, sparking mixed reactions in the crypto community as other blockchain networks quickly adopt similar strategies.
Catherine
AlexAlexMany major publishers, including The New York Times and Condé Nast, are blocking Applebot-Extended to prevent their data from being used in AI training. This trend reflects growing concerns about data rights and the evolving role of AI in content usage.
AnaisCrypto miners in China, the United States and even the world are facing the risk of shutting down and surrendering, and analysts warn that $56,000 is their last line of defense.
MiyukiZhao Changpeng will be released from prison on September 29. There have been major changes in the lawsuit between Binance and the U.S. Securities and Exchange Commission. Ten lawyers have resigned from their positions and will no longer serve as Zhao Changpeng's lawyers.
WeiliangElon Musk-themed Telegram crypto game, X Empire, will end its "mining phase" on 30 September. The upcoming token airdrop is expected in late September or early October. With similar mechanics to Hamster Kombat, will X Empire outshine its predecessor?
CatherineToncoin (TON) has struggled with a bearish trend following Telegram CEO Pavel Durov's arrest but is showing signs of recovery as investor sentiment improves. With the TON blockchain surpassing 1 billion transactions, will TON maintain its bullish momentum or will bearish trends dominate?
Kikyo