Beosin: Review of Web3 blockchain security situation and anti-money laundering analysis in Q1 2024
星球君的朋友们
2024-04-02 02:57
There were 39 major attacks this quarter, with total losses of approximately US$617 million.

Original author: Beosin research team Mario, Tian Daxia Donny

Original source: Beosin

1. Overview of Web3 blockchain security situation in Q1 2024

According to Beosin Alert monitoring and early warning, total losses in the Web3 field due to hacker attacks, phishing scams, and project parties' Rug Pulls reached US$778 million in the first quarter of 2024. Among them, there were 39 major attack incidents, with a total loss of approximately US$617 million; 43 Rug Pull incidents involving project parties, with a total loss of approximately US$75.5 million; and phishing scams, with a total loss of approximately US$86.24 million.

The total loss in the first quarter of 2024 was approximately US$778 million, a year-on-year increase of approximately 126% and a month-on-month increase of approximately 72%. Within that total, losses from hacker attacks were higher than in any quarter of 2023.

Total losses in February reached $422 million, making it the month with the highest losses in the first quarter of 2024.

Judging from the types of projects attacked, gaming platforms have for the first time become the project type with the highest losses. Six attacks against Web3 gaming platforms caused a total loss of US$365 million, accounting for 59% of all attack losses.

Judging from the amount of losses in each chain, Ethereum is still the chain with the highest amount of losses and the most attacks. 18 attacks on Ethereum caused losses of US$342 million, accounting for 55.4% of the total losses.

From the perspective of attack methods, a total of 13 private key leaks occurred this quarter, causing losses of US$458 million, or 74.3% of the total attack losses, the highest proportion of any attack type.

From the perspective of capital flow, the majority of stolen assets were frozen and recovered during the quarter. Approximately US$303 million (49.2%) of stolen funds were frozen, and US$79.45 million (12.9%) of stolen funds were recovered.

Judging from the audit situation, among the projects that were attacked, the proportion of audited project parties has increased.

2. Overview of Q1 attacks in 2024

39 major attacks resulting in a total loss of $616.7 million


In the first quarter of 2024, Beosin Alert detected a total of 39 major attacks in the Web3 field, with a total loss of US$616.7 million. Among them, there were 2 security incidents with losses exceeding US$100 million, 5 incidents with losses between US$10 million and US$100 million, and 21 incidents with losses between US$1 million and US$10 million.

Attacks with losses exceeding 10 million US dollars (sorted by amount):

  • PlayDapp - $290 million

Attack method: Private key leak; Chain platform: Ethereum

On February 9, the blockchain gaming platform PlayDapp was attacked, and the hacker's address minted 200 million PLA tokens worth $36.5 million. Negotiations between PlayDapp and the hacker failed, and on February 12 the hacker minted another 1.59 billion PLA tokens worth $253.9 million and sent part of the funds to the Gate.io exchange. Afterwards, the project team suspended the PLA contract and migrated the PLA tokens to PDA tokens.

  • Chris Larsen (co-founder of Ripple) - $112 million

Attack method: Private key leak; Chain platform: XRP

On January 31, Ripple co-founder Chris Larsen said that four of his wallets were hacked and a total of approximately $112 million was stolen. The Binance team has successfully frozen $4.2 million worth of XRP stolen by attackers.

  • Munchables - $62.3 million

Attack method: Social engineering; Chain platform: Blast

On March 26, Munchables, a Blast-based Web3 gaming platform, suffered an attack, resulting in a loss of approximately US$62.5 million. It is suspected that the project team was attacked because it hired North Korean hackers as developers. All stolen funds were later returned by the hackers.

  • FixedFloat - $26.1 million

Attack method: Security structure vulnerability; Chain platform: Ethereum

On February 17, the crypto exchange FixedFloat suffered an attack and lost approximately US$26.1 million. The hackers transferred most of the stolen funds to the eXch exchange. On February 20, FixedFloat stated that the attack was not the work of its employees, but an external attack caused by a vulnerability in its security structure.

  • Curio Ecosystem – $16 million

Attack method: Contract vulnerability - Access control vulnerability; Chain platform: Ethereum

On March 23, the RWA infrastructure Curio Ecosystem was attacked, causing a loss of approximately US$16 million.

  • Somesing - $11.58 million

Attack method: Private key leak; Chain platform: Klaytn

On January 27, South Korea's Web3 social music service Somesing was attacked and lost 730 million of its native SSX tokens, worth $11.58 million.

  • Jihoz.ron (Co-founder of Ronin) - $10 million

Attack method: Private key leak; Chain platform: Ronin

On February 23, two addresses of jihoz.ron, the co-founder of Ronin, lost approximately US$10 million due to the leak of their private keys.

3. Types of attacked projects

For the first time, gaming platforms became the project type with the highest amount of losses

The project type with the highest losses this quarter was the gaming platform. Six attacks against Web3 gaming platforms caused a total loss of US$365 million, accounting for 59% of all attack losses. For the first time, gaming platforms became the type of attacked project with the highest losses.

The victim type with the second-highest losses is personal wallets. Two personal wallet thefts resulted in $122.5 million in losses. Both thefts targeted co-founders of well-known projects (the co-founders of Ripple and Ronin).

Among the 39 hacker attacks, a total of 17 incidents occurred in the DeFi field, accounting for approximately 43.6%. These 17 DeFi attacks resulted in a total loss of US$39.96 million, ranking third among all project types.

Other types of projects that were attacked include: DEX, infrastructure, payment platform, Web3 music platform, etc.

4. The amount of losses in each chain

Ethereum is the chain with the highest amount of losses and the most attacks.


As in 2023, Ethereum is still the public chain with the highest amount of losses. 18 attacks on Ethereum caused losses of US$342 million, accounting for 55.4% of the total losses.

The public chain with the second largest loss amount was XRP, which came from a stolen wallet of Ripple co-founder Chris Larsen.

The public chain with the third largest loss amount is Blast. Three attacks on the Blast chain caused a total loss of $67.5 million. Blast ranks first among the major emerging public chains in terms of loss amount.

Only 4 major security incidents occurred on BNB Chain this quarter, with losses of approximately US$8.01 million. Both the amount of losses and the number of incidents have dropped significantly in the rankings compared with 2023.

5. Analysis of attack techniques

74.3% of losses come from private key leaks

A total of 13 private key leaks occurred this quarter, causing losses of US$458 million, accounting for 74.3% of the total attack losses. As in 2023, the losses caused by private key leaks still rank first among all attack types. Private key leaks that caused large losses include: PlayDapp (USD 290 million), Ripple co-founder Chris Larsen (USD 112 million), Somesing (USD 11.58 million), and Ronin co-founder Jihoz.ron (USD 10 million).

Among the 39 attacks, 21 came from contract vulnerability exploitation, with total losses reaching US$65.56 million, ranking second.

The attack method with the third highest amount of losses was social engineering attacks, with three social engineering attacks causing losses of approximately US$65 million.

Broken down by vulnerabilities, the top three vulnerabilities causing losses are: algorithm flaws (USD 22.78 million), access control vulnerabilities (USD 16.32 million), and business logic vulnerabilities (USD 11.28 million). The vulnerabilities with the highest frequency of occurrence are business logic vulnerabilities, and 7 of the 21 contract vulnerability attacks are business logic vulnerabilities.

6. Analysis and review of typical anti-money laundering incidents

Atom Asset (AAX) Evades Anti-Money Laundering (AML) Analysis

Recently, Atom Asset (AAX), a defunct Hong Kong exchange, began moving funds from its wallet to various decentralized exchanges and centralized platforms, allegedly to evade anti-money laundering (AML) controls. Before being discovered, the last known transactions involving AAX exchange wallets occurred in October 2023 and November 2022. Before its collapse, AAX was one of the largest cryptocurrency exchanges in Hong Kong, with more than 2 million users.

The Beosin team's analysis found that, starting on January 29, 2024, the AAX exchange began to transfer 25,100 ETH out of its exchange wallet. The funds were moved in three transactions: one of 500 ETH, one of 600 ETH, and one of 24,000 ETH. The transfer translates to over $74 million based on current prices.

The whole story of the AAX exchange incident

On November 13, 2022, just two days after cryptocurrency exchange FTX filed for bankruptcy, AAX also stopped withdrawals and cleared all social channels due to counterparty risk exposure. Initially, AAX attributed the freeze to security measures against an alleged malicious attack.

On November 15, 2022, the AAX exchange issued a statement stating that its platform required maintenance and that in addition to suspending withdrawals, derivatives would be automatically liquidated. Since then, AAX has ceased platform operations and social media updates.


The strange thing is: after 426 days of silence, the AAX exchange wallet began to become active, and large amounts of funds began to be transferred out to other addresses, trying to avoid the identification and monitoring of AML tools!

link: https://etherscan.io/address/0x56c1319b31a5316a327bd889d58c8633b204536c

Analysis of funds on the AAX exchange event chain

The Beosin KYT anti-money laundering analysis platform conducted an in-depth study of recent on-chain activity from the AAX exchange wallet and discovered a series of risky activities. First, all 25,100 ETH have been transferred out. The operators used various means to convert part of the ETH into USDT, and then moved the funds to different blockchains through cross-chain bridges to launder them.

Beosin KYT anti-money laundering platform

Most of the funds were transferred to the Tron blockchain, passed through a number of intermediate addresses, and then settled in addresses from which they have not been moved since. This behavior demonstrates a clear attempt to evade AML and conceal the true origin and destination of the funds.

Beosin KYT anti-money laundering platform

Hong Kong police acted swiftly against the scam, arresting two people associated with AAX, and are currently working to chart the path of the transferred funds and recover the assets of affected users.

AAX Exchange uses technical means such as decentralized exchanges, cryptocurrency exchanges, and cross-chain bridges to try to obscure the paths and sources of capital flows. This creates significant challenges for regulators and AML analytics platforms.

7. Analysis of the Fund Flow of Stolen Assets

Most of the stolen assets were frozen and recovered

According to analysis by the Beosin KYT anti-money laundering platform, of the funds stolen in the first quarter of 2024, approximately US$303 million (49.2%) were frozen and US$79.45 million (12.9%) were recovered. This ratio is significantly higher than in 2023.


Approximately US$105.5 million of stolen funds were transferred to various exchanges, accounting for approximately 17.1%. Compared with 2023, the proportion of hackers transferring stolen funds to exchanges has increased significantly this year. This places higher demands on exchanges' anti-money laundering and compliance work.

A total of $30.12 million (4.9%) was transferred to mixers: $29.9 million was transferred to Tornado Cash; $216,000 was transferred to other mixers. Compared with last year, the amount of stolen funds laundered through mixers in the first quarter of 2024 decreased significantly.

8. Analysis of project audit situation

The proportion of audited project parties has increased

Among the 39 attack incidents, the project parties of 12 incidents were not audited, and the project parties of 24 incidents were audited. The proportion of audited project parties is slightly higher than in 2023, which shows that project parties in the entire Web3 industry have increased their emphasis on security.

Among the 12 projects that were not audited, contract vulnerability incidents accounted for 8 cases (66.7%). In comparison, contract vulnerability incidents accounted for 13 (54.2%) of the 24 audited projects. This shows that auditing can improve project security to a certain extent.

9. Rug Pull Analysis

43 Rug Pull incidents cost $75.5 million

In the first quarter of 2024, a total of 43 Rug Pull incidents by project parties were detected, involving a total amount of US$75.5 million.

The top five Rug Pull events by loss amount are: Bitforex ($56.5 million), Hector Network ($2.7 million), MangoFarm ($2 million), OrdiZK ($1.4 million), and RiskOnBlast ($1.3 million). These five Rug Pull events are distributed across four chains: Ethereum, Fantom, Solana and Blast.

The total amount involved in Rug Pulls on the Ethereum chain reached 59.68 million US dollars, accounting for 79% of the total losses. The largest number of Rug Pull events occurred on BNB Chain, 29 in total, accounting for 67.4% of all events.

10. Summary of Web3 blockchain security situation in Q1 2024

Compared with the previous quarter, the total losses caused by hacker attacks, phishing scams, and project parties’ Rug Pulls in the first quarter of 2024 increased significantly, reaching US$778 million. The increase in currency prices this quarter has a certain impact on the increase in the total amount, but overall, the situation in the Web3 security field is still not optimistic.

The most harmful type of attack this quarter was private key leakage. About 74.3% of the losses came from private key leaks, a trend consistent with the 2023 data. From the perspective of project types, private key leaks occur in various fields of Web3: gaming platforms, DeFi, personal wallets, infrastructure, NFT, payment platforms, gambling platforms, data storage platforms, etc. All Web3 project parties and individual users need to be more vigilant, store private keys offline, use multi-signatures, use third-party services with caution, and conduct regular security training for privileged employees.

Most assets were frozen and recovered this quarter. This marks the improvement of the global regulatory system and the strengthening of anti-money laundering efforts. This quarter, the proportion of hackers transferring stolen funds to exchanges has also increased significantly. This requires exchanges to promptly identify hacking behaviors and actively cooperate with law enforcement agencies and project parties to freeze funds and conduct verification. At present, the cooperation between exchanges and law enforcement agencies, project parties, and security teams has achieved significant results. It is believed that more stolen funds will be recovered in the future.

Of the 39 attacks this quarter, 21 still came from contract vulnerability exploitation. It is recommended that project teams seek a professional security company for an audit before going online. As a world-leading blockchain security company, Beosin is committed to the safe development of the Web3 ecosystem. It has audited more than 3,000 smart contracts and public chain mainnets. As a trustworthy blockchain security company, Beosin can provide project parties with excellent security audit services.
