Top 10 Crypto Losses of 2024: Hacks, Frauds, and Exploits

The cryptocurrency market faced a difficult year in 2024 with centralized exchanges and DeFi protocols losing billions of dollars to fraud, weaknesses, and breaches. In an exclusive report shared with BeinCrypto, Cyvers reveals that over $2.1 billion in bitcoin losses were reported in just the first three quarters alone.

While the previous year was dominated by investment fraud, 2024 has seen an increase in attacks on centralized exchanges (CeFi) and decentralized finance (DeFi) protocols, underscoring the ongoing vulnerabilities within the industry.

Join us for a recap of the most significant losses so far:

1. Orbit Chain Bridge Exploit ($82 Million)

On New Year’s Eve of 2023, hackers gained access to Orbit Chain, a blockchain platform that provides cross-chain solutions, by taking advantage of its bridge and stealing assets valued at about $82 million. $30 million USDT, $10 million USDC, $10 million DAI, 231 wrapped Bitcoin (WBTC) valued at $10 million, and 9,500 ETH valued at $21.5 million were all removed from the chain as a result of the attack. 

Although the precise method of attack is unknown, it is most probable that a flaw in the bridging procedure—which permits assets to be created on one chain without being burnt on the original chain—was used to steal the money.

The hacker just started transferring money despite months of inactivity. Using Tornado Cash, US sanctioned mixing service that permits anonymous transactions by hiding some blockchain transaction details, the hacker moved $47.7 million in Ether. The fact that this transaction is the biggest activity seen since the first exploit suggests that the hacker is trying to disguise the source of the money. The hacker still has over $71 million worth of cryptocurrency in spite of everything.

Following the hack, Orbit Chain has since struggled with a reduced total value locked (TVL) and declining user trust. Orbit Chain responded by offering a $8 million reward for information that could help identify the hacker. The prize hasn’t been claimed and the hacker’s most recent actions have rekindled efforts to find these funds.

2. DMM Bitcoin Private Key Hack ($305 Million)

On May 31, 2024, DMM Bitcoin, a prominent Japanese cryptocurrency exchange, experienced a massive security breach that led to the unauthorized transfer of 4,502.9 Bitcoin, valued at approximately $305 million at the time of the attack. This event has become one of the most significant cryptocurrency heists globally and has highlighted the vulnerabilities present within crypto exchanges, especially in Japan.

DMM Bitcoin detected the unauthorized transfer from its main wallet and responded by suspending all Bitcoin withdrawals and restricting spot-buying activities. The stolen Bitcoin was further distributed across multiple wallets.

Further investigation revealed that the infamous Lazarus Group, a North Korean-linked hacking syndicate, is suspected of orchestrating the attack. The group reportedly began laundering the stolen funds, with over $35 million already processed through an online marketplace known as Huione Guarantee, a platform frequently associated with money laundering activities. 

The laundering process involved mixing services and conversions across various blockchain networks, with some funds converted into Tether and subsequently blacklisted by Tether itself.

Although DMM Bitcoin has not disclosed the specifics of the breach, the incident has raised alarms about the exchange’s security measures and the potential exposure of both hot and cold wallets

3. BtcTurk Hot Wallet Hack ($55 Million)

On June 22, 2024, a significant security breach occurred at BtcTurk, Turkey’s largest cryptocurrency exchange. Hackers exploited a vulnerability in the exchange’s hot wallets, leading to the theft of approximately $55 million in cryptocurrencies. While the majority of BtcTurk’s assets were safely stored in cold wallets (which are offline and less susceptible to attacks), the hack affected ten different cryptocurrencies stored in hot wallets, which are more vulnerable due to their constant online connectivity.

In order to reduce additional risks, BtcTurk stopped accepting Bitcoin deposits and withdrawals after the incident. Major cryptocurrency exchange Binance responded by helping to freeze over $5.3 million of the stolen cash and collaborating closely with BtcTurk to look into the situation and locate the assets.

4. UwU Lend Exploit ($19.3 Million)

On June 10, 2024, UwU Lend, a DeFi protocol founded by Quadriga CX co-founder Michael “Sifu” Patryn, fell victim to an exploit resulting in a loss of $19.3 million. A number of blockchain security firms reported a problem with the network, stating that it looked like someone was stealing $19.3 million worth of Ethereum.

UwU Lend is a decentralized, non-custodial lending protocol within the DeFi space that allows users to deposit assets, earn interest, and take out overcollateralized loans.

Just three days later, another hack resulted in an additional loss of $3.72 million.

The latest hack was identified by Slowmist, a blockchain security firm. Slowmist shared a screenshot of on-chain data from EtherScan showing that a single wallet made off with multiple tokens from UwU Lend, including Wrapped Ether WETH and stablecoins DAI, USDC, LUSD, and FRAX.

The price of UWU, UwU Lend’s governance token, is down 14.5% over the past seven days amid the turmoil, according to CoinGecko. The token has shed 81% of its value down to a $26 million market cap in the past year.

5. WazirX Compromised ($230 Million)

On July 18, 2024, WazirX fell victim to a sophisticated cyberattack, resulting in the unauthorized transfer of around $235 million in assets from the exchange’s multi-signature wallets. 

The sophisticated attack involved compromising a multi-signature wallet through a combination of phishing tactics and a wallet upgrade to a malicious version, allowing the attackers to drain funds swiftly. WazirX had three of the six signatures needed for transaction approvals under this method, which was designed for increased security. Liminal, the custodian of the keys, held the remaining one.

By reportedly coercing Liminal and WazirX into approving a smart contract, the attackers took advantage of this configuration and were able to take control of the wallet and make significant withdrawals.

The North Korean state-sponsored hacker group Lazarus, well-known for its sophisticated persistent threat capabilities and track record of attacking financial institutions and cryptocurrency platforms worldwide, was blamed for this incident.

After using the exploit, the attacker quickly spent all of the money in the compromised wallet and distributed it among several addresses. A fraction of the stolen assets were secured when some of the cash was sent to exchanges including Binance and ChangeNOW, who quickly stopped accepting further transactions. Even with these precautions, it would be difficult to collect the entire amount because the majority of the money has already been distributed and changed into other cryptocurrencies.

6. Hedgey Finance Exploit ($44 Million)

On the DeFi network Hedgey Finance, there was a security breach that recently cost about $44.7 million in losses across two blockchains. Over $42.8 million worth of ARB tokens were successfully taken over by an attacker on the Arbitrum network.

It was discovered by the on-chain security company Cyvers that some of this stolen money had been transferred to the Bybit cryptocurrency exchange. In addition, in a prior attack on the Ethereum network, several coins valued at $1.9 million were seized.

In a statement issued after these breaches were detected, Hedgey Finance later admitted the situation and said it is collaborating with security auditors to investigate the underlying problems.

7. BingX Exchange Hack ($26 Million)

On September 20, 2024, BingX, a Singapore-based cryptocurrency exchange, suffered a substantial security breach resulting in the theft of over $52 million. This attack targeted one of BingX’s hot wallets. Initially reported as a loss of $26 million, further analysis by cybersecurity firms, such as PeckShield and Cyvers, revealed that the total amount stolen spanned multiple blockchains, including Ethereum, Binance Smart Chain, Avalanche, Optimism, and Polygon.

The attack was discovered on September 20, around 4:00 AM Singapore time, thanks to unusual network traffic that the BingX engineering team noticed. In addition to using the platform’s security features, the exchange staff took proactive steps and moved money into cold storage wallets, stopping withdrawal possibilities.

The hackers took significant amounts during the hack, including over $13 million in Ethereum (ETH), $4.4 million in Tether (USDT), and $2.3 million in Binance Coin (BNB). In reaction, BingX immediately halted withdrawals in order to stop further losses and hired security professionals to look into the issue. Since then, the exchange has been able to freeze about $1 million of the stolen assets; however, most of the money had already been transferred or distributed among many locations, making recovery efforts more complicated.

8. PlayDapp Security Breach ($290 Million)

The PlayDapp security breach, occurring between February 9 and 12, 2024, cost the blockchain gaming platform staggering financial losses. Attackers exploited a private key vulnerability, gaining unauthorized access to PlayDapp’s contract deployer address. This allowed them to add their wallet as a minter for the platform’s native token, PLA, and mint 200 million tokens, initially valued at approximately $31–36.5 million. 

On February 12, the attackers struck again, minting an additional 1.59 billion PLA tokens worth $253.9 million, bringing total losses to over $290 million in token value. However, the hacker only managed to convert about $32 million due to liquidity challenges posed by the vast token supply increase.

Following the attack, PlayDapp quickly suspended the PLA token’s smart contract and reached out to the hacker with a $1 million reward offered for the return of the stolen assets, but the offer went unanswered. The breach led to a sharp drop in PLA’s market value, as the token’s price plunged by over 10% within hours. 

9. Penpie Breach ($27 Million)

On September 3, 2024, at 6:23 PM UTC, a sophisticated attacker exploited a security vulnerability within the Penpie platform, seizing control of users’ funds and draining over $27,348,259 worth of assets across the Arbitrum and Ethereum networks. The attacker manipulated a fake Pendle market to maximize rewards. 

The attack’s timeline demonstrates a quick evolution, starting with the installation of malicious contracts and ending with the targeted pools being completely drained. Pendle halted its Ethereum platform at 6:45 PM UTC in order to stop additional losses, and shortly after, identical measures were implemented on Arbitrum. The Penpie team, Pendle Finance, and other security partners exchanged messages. Throughout the night, Penpie continued monitoring the attacker’s activity, including attempts to transfer stolen assets to new wallets and across multiple addresses.

Penpie stopped working on all of its chains in reaction to the incident, preventing further exploitation. Penpie filed a lawsuit and worked with law enforcement and blockchain security companies to monitor the attacker’s movements. 

10. Indodax Hack ($22 Million)

On September 11, 2024, Indodax, a major Indonesian cryptocurrency exchange, reported a significant security breach that led to the loss of approximately $22 million in digital assets. The hack specifically targeted the platform’s hot wallets. The stolen assets included a variety of tokens, such as Bitcoin, Ethereum, Tron, Polygon, and Shiba Inu. Blockchain forensics firms like PeckShield, Cyvers, and SlowMist flagged over 150 suspicious transactions connected to the attack, suggesting a sophisticated, multi-chain breach that spanned several cryptocurrency networks.

In response, Indodax temporarily disabled both its mobile and web applications to secure its systems and prevent further losses. The company assured users that their balances, including those in both crypto and Indonesian Rupiah, were secure, emphasizing that the affected funds were only a small portion of its total reserves — exceeding $369 million. 

Indodax also announced a system maintenance period, during which they would conduct a comprehensive investigation to assess and address the security vulnerabilities exploited in the attack.

Indonesian authorities, particularly the Commodity Futures Trading Regulatory Agency (Bappebti), are closely monitoring the situation and have summoned Indodax representatives for further explanation.

While no official confirmation has been provided, there is speculation that the attack may be linked to the North Korean Lazarus Group, known for its role in previous cryptocurrency heists. 

Phishing Scams Prevail And Cause $498 Million in Losses

Certik’s H1 2024 report on blockchain security incidents highlighted phishing as a leading cause of financial loss, with almost $498 million stolen across 150 incidents. Phishing attacks exploit human vulnerabilities, often deceiving users into revealing private keys or other sensitive information.

Vigilance and caution are a must for individuals and businesses in the cryptocurrency industry. Illicit actors are actively seeking vulnerabilities in platforms as well as individuals with limited knowledge of safety measures to get away with fortunes.