Hackers and scammers are having a field day in 2024, with numerous exploits yielding over $200m in stolen assets from exchanges and DeFi protocols in Q1 so far.
Introduction
With the 2024 crypto bull season in full flow, it’s no surprise to see the usual motley crew of hackers and scammers return to the space to pillage the wallets of investors, DeFi protocols and centralized exchanges once again.
Web3 is moving faster than ever and as shiny new layer-1 and layer-2 networks launch and degen traders dive headfirst into new trends like Crypto AIs, DePIN, Airdrop Season and uhmmm, full-blown memecoin mania (see Slerf this week), bad actors are rubbing their hands in glee as they relieve ill-prepared investors and protocols of hundreds of millions in crypto.
In the first quarter of 2024 alone, we’ve seen over $200 million worth of digital assets stolen across 32 incidents, according to a report by blockchain security firm Immunefi. That’s a 15% increase compared to the same period in 2023.
With crypto crime surging again, using a top hardware wallet like CoolWallet is no longer a luxury, but a necessity. Our cold storage solutions have been protecting crypto assets like Bitcoin since 2014, and provide complete peace of mind in crypto. Read or scroll down to the end to find out why.
Still not worried?
OK, then let’s take a closer look at the biggest crypto hacks of Q1 2024, break down the month-by-month incidents, and explore the lessons we can learn from these costly attacks. Remember, if you own crypto, you are a TARGET.
The Biggest Crypto Hacks of Q1 2024
Ethereum Takes the Hardest Hit
No prizes for guessing that Ethereum was the most targeted blockchain yet again, with 12 attacks accounting for over 85% of the total value lost in Q1. The Bitcoin network and Binance’s BNB Chain each suffered one major incident. Below is Immunefi’s list of hacks in February alone.
PlayDapp — $32.3 million ($290 million lost)
The largest hack of the year so far targeted PlayDapp, a crypto gaming platform, on 9 and 12 February 2024, resulting in a loss of $32.3 million converted while $290 million were stolen. The exact details of the attack method have not been disclosed.
The attacker managed to mint 200 million PLA tokens (worth around $36.5 million) in the first attack on February 9th. The root cause of the exploit was an access control vulnerability in PlayDapp’s smart contract, which allowed the attacker to gain unauthorized minting privileges. By exploiting this vulnerability, the attacker could create new tokens out of thin air, effectively devaluing the existing tokens.
The total number of PLA tokens minted by the attacker (1.8 billion) significantly exceeded the pre-exploit circulating supply of 577 million, making it challenging for the hacker to sell the tokens at their original market value.
FixedFloat — $26.1 million
Decentralized exchange FixedFloat suffered the second-largest theft according to Immunefi, losing $26.1 million. The hack was carried out by exploiting a vulnerability in the exchange’s smart contract.
The cryptocurrency exchange, which does not require user registration or Know Your Customer (KYC) verifications, initially attributed the massive outflow of funds to “minor technical problems” and switched to maintenance mode.
However, the team later denied insider involvement and claimed that a third party had exploited vulnerabilities and security gaps in its infrastructure, allowing the attacker to access sensitive functionality within the protocol.
FixedFloat’s handling of the incident has been criticized for its lack of timely and transparent communication with its users, leading to accusations of a potential exit scam.
Orbit Chain ($80 million)
On January 2, 2024, Orbit Chain, a South Korean blockchain project, fell victim to a hack that resulted in a loss of over $80 million. The breach was attributed to compromised multisig signers, allowing the attacker to drain various cryptocurrencies, including stablecoins, wrapped Bitcoin (WBTC), and Ether (ETH). The stolen funds were then transferred through mixers in an attempt to obfuscate the trail.
This incident is part of a series of security issues plaguing Ozys’ projects, including previous hacks on KlaySwap and Belt Finance. The Orbit Chain hack highlights the persistent risks associated with crypto security, particularly in relation to multisig wallets and private key management, emphasizing the need for improved safeguards and lessons learned from past breaches.
Shido Hack ($35 million)
On March 5, 2024, Shido, a Layer-1 Proof-of-Stake (PoS) blockchain, experienced an exploit that resulted in the theft of approximately $35 million worth of SHIDO tokens. The attacker managed to drain around 4.3 billion SHIDO tokens, which constituted nearly half of the token’s circulating supply. The exploit was made possible by a change in the contract’s ownership to a new address, which then upgraded the staking contract using a hidden withdrawToken() function to steal the funds.
This incident led to a steep 94% drop in SHIDO token prices within the first 30 minutes of the attack. In response, the Shido team replaced the compromised deployer address, temporarily closed liquidity provisioning on all DEXs, and contacted CEXs to disable deposits and freeze tokens linked to the hack,which helped to limit the damage.
