It's time for the monthly security inventory again! According to monitoring by the blockchain security audit company Beosin Alert, losses from security incidents in April 2024 continued to decline compared with March. More than 23 typical security incidents occurred in April 2024, and the total loss caused by hacker attacks, phishing scams and Rug Pulls reached 101 million US dollars, a decrease of about 36% from March. Of this, attacks accounted for about 52.56 million US dollars, a decrease of about 55%; phishing scams for about 11.4 million US dollars, a decrease of about 69%; and Rug Pulls for about 37.05 million US dollars, an increase of about 624%.
The biggest security incident this month was the attack on Hedgey Finance through a contract vulnerability, with a loss of about 44.7 million US dollars, accounting for 85% of the month's total losses from hacker attacks. One Rug Pull incident involving more than 10 million US dollars occurred this month: the decentralized betting platform ZKasino transferred about 33 million US dollars of user assets. The number of crypto crime cases also increased this month, involving fraud, pyramid schemes, money laundering and other types.
On the policy front, on April 30, Hong Kong Exchanges and Clearing Limited (HKEX) said that it welcomed the listing of Asia's first batch of virtual asset spot ETFs, which increases the product variety of the Hong Kong market, gives investors more choices, and consolidates Hong Kong's position as Asia's leading ETF market.
Hacker Attacks
A total of 11 typical security incidents occurred
No.1 On April 1, the DeFi protocol OpenLeverage was attacked due to a contract vulnerability, resulting in a loss of approximately US$230,000.
No.2 On April 1, the ATM token on the BNB Chain was attacked due to a contract vulnerability, resulting in a loss of approximately $180,000.
No.3 On April 2, the decentralized exchange FixedFloat was attacked again, resulting in a loss of approximately $2.8 million. FixedFloat said that hackers exploited a vulnerability in its third-party service.
No.4 On April 12, the Base ecosystem project SumerMoney was attacked due to a contract vulnerability, resulting in a loss of approximately $350,000.
No.5 On April 12, the Zest Protocol project on the Stacks chain was attacked through price manipulation, resulting in a loss of approximately $1 million.
No.6 On April 15, the Base ecosystem RWA project Grand Base lost approximately $2 million due to the leak of the deployer's private key.
No.7 On April 19, the Hedgey Finance project was attacked due to a contract vulnerability on the Ethereum and Arbitrum chains, with a loss of $44.7 million.
No.8 On April 24, the YIEDL project on the BNB Chain was attacked due to a contract vulnerability, with a loss of about $300,000.
No.9 On April 24, Saita Chain's cross-chain bridge project Xbridge was attacked due to a contract vulnerability, with a loss of at least $200,000.
No.10 On April 25, the NGFS token on the BNB Chain was attacked due to a contract vulnerability, with a loss of about $190,000.
No.11 On April 26, the cross-chain lending protocol Pike Finance was attacked, with a loss of about $300,000. Hackers drained USDC on the Ethereum, Arbitrum, and Optimism chains through forged CCTP messages.
Phishing/Rug Pull
A total of 6 typical security incidents occurred
No.1 On April 2, a Rug Pull occurred on Solareum on the Solana chain, and the deployer made a profit of $520,000.
No.2 On April 4, a Rug Pull occurred on CondomSOL on the Solana chain, and the deployer made a profit of $920,000.
No.3 On April 11, an address starting with 0x5ea8 lost about $840,000 on the Base chain due to a phishing scam.
No.4 On April 11, an address starting with 0x05f4 lost about $1.2 million on the Base chain due to a phishing scam.
No.5 On April 19, an address starting with 0x5789 lost about $770,000 due to a phishing scam.
No.6 On April 20, the decentralized betting platform ZKasino carried out a Rug Pull: users were unable to withdraw funds, and the project team deposited $33 million of user funds into the staking protocol Lido.
Crypto Crimes
A total of 6 typical security incidents occurred
No.1 On April 6, Beijing police cracked a serial money laundering case involving virtual currency and more than 2 billion yuan.
No.2 On April 12, the United States convicted a hacker for attacking smart contracts for the first time. Shakeeb Ahmed was sentenced to three years in prison for attacking Nirvana Finance and Crema Finance and stealing more than $12 million worth of cryptocurrency.
No.3 On April 16, the Jiangsu Court sentenced Wang Mou for organizing a pyramid scheme. Wang Mou was sentenced for allegedly conducting online pyramid schemes through a virtual currency platform called moom, involving more than 100 million yuan.
No.4 On April 20, an Indian man pleaded guilty in the United States for creating a fake Coinbase website and stealing more than $9.5 million in cryptocurrency.
No.5 On April 24, the co-founder of the cryptocurrency mixing service Samourai Wallet was arrested on suspicion of laundering $100 million from Silk Road and other illegal markets.
No.6 On April 27, the founder of Taiwan's crypto exchange ACE Exchange and 32 others were indicted for suspected fraud and money laundering, involving an estimated amount of NT$800 million (US$24.56 million).
Regulation, compliance, and policy
No.1 On April 30, the first six virtual asset spot ETFs issued in Hong Kong were officially listed on the Hong Kong Stock Exchange and opened for trading. Hong Kong Exchanges and Clearing Limited (HKEX) welcomed the listing of Asia's first batch of virtual asset spot ETFs, which increases the product variety of the Hong Kong market, gives investors more choices, and consolidates Hong Kong's position as Asia's leading ETF market.
No.2 Last week, the Bank of Japan released a mid-term report on its work on central bank digital currency. It revealed that the CBDC API sandbox was launched this month. The Bank of Japan had previously conducted two proofs of concept (PoC) for the digital yen, the most recent of which ended a year ago. The Bank of Japan has not yet decided to launch a CBDC. Given that Japanese consumers have extremely low awareness of the concept, promotion may be difficult. The Bank of Japan is also involved in the Agora project, a project of the Bank for International Settlements that uses tokenization for cross-border payments. Meanwhile, the first Japanese tokenized deposit solution, DCJPY, is expected to be launched in the coming months.
No.3 On April 22, the Hong Kong Securities and Futures Professionals Association published on its official website a letter to the Hong Kong Treasury Bureau titled "Proposing the Establishment of an Independent Self-Regulatory Organization for the Development of the Securities, Futures, Asset Management and Virtual Assets Industries". In the letter, the Association recommends that, in Hong Kong's case, the SFC retain the power to regulate market behavior (for example, prohibiting insider trading, fraud, and market manipulation), but that the licensing power be split off to a self-regulatory organization composed solely of the securities, futures, asset management and virtual asset industries (referring generally to intermediaries licensed for regulated activities as currently defined by the Hong Kong SFC).
No.4 Recently, the Thai authorities decided to block "unauthorized" cryptocurrency platforms to improve the efficiency of law enforcement in tackling cybercrime. Following a meeting of the Technology Crime Prevention and Suppression Committee, the Securities and Exchange Commission of Thailand (SEC) was ordered to submit information on unauthorized digital asset service providers to the Ministry of Digital Economy and Society so that access to these platforms can be blocked.
No.5 On April 17, members of the British Parliament unanimously called on the government to invest in developing skills to meet employment needs in the cryptocurrency, blockchain and artificial intelligence (AI) industries. Lisa Cameron, a member of Parliament who chaired a debate on the topic on Tuesday, urged the government to ensure that digital skills are taught from the early stages of education and even in the workplace. "While the UK is well positioned to take advantage of the opportunities presented by the growth of the digital economy, it still requires significant preparation and investment in education, training and skills to fully capitalize on these opportunities and ensure that the UK has the necessary talent."
In view of the new situation in the current blockchain security field, Beosin summarizes here:
Overall, losses from blockchain security incidents in April 2024 have now declined for two consecutive months. Among this month's attack incidents, 88% of the losses still came from contract vulnerability exploits, involving business logic vulnerabilities, reentrancy vulnerabilities, input validation vulnerabilities and other issues. It is recommended that project teams engage professional security companies for audits before the project goes online. There were several Rug Pull incidents involving large amounts of money this month. It is recommended that users carry out thorough background checks on projects. For example, ZKasino had received multiple warnings from the security community before the Rug Pull occurred, exposing the founding team's history of deception and unethical behavior.