Source: Chainalysis; Compiled by Tao Zhu, Golden Finance
Cryptocurrency hacks remain a persistent threat, with more than $1 billion worth of cryptocurrency stolen in four years of the past decade (2018, 2021, 2022, and 2023). 2024 marks the fifth year in which this troubling milestone has been reached, highlighting that as cryptocurrency adoption and prices rise, so does the amount available to be stolen.
In 2024, the value of stolen funds rose by approximately 21.07% year-on-year to $2.2 billion, and the number of individual hacking incidents rose from 282 in 2023 to 303 in 2024. Interestingly, the pace of theft changed markedly around mid-year. In our mid-year crime update, we noted that the cumulative value stolen between January and July 2024 had reached $1.58 billion, about 84.4% higher than the value stolen during the same period in 2023. As the chart below shows, by the end of July the ecosystem was easily on track for a year comparable to 2021 and 2022, when more than $3 billion was stolen. After July, however, the upward trend slowed significantly, and thefts remained relatively flat for the rest of the year. We explore possible geopolitical reasons for this change later.

2024 also showed interesting patterns in the amounts stolen by victim platform type. Decentralized finance (DeFi) platforms were the primary target of cryptocurrency hackers in most quarters from 2021 to 2023. DeFi platforms may be more exposed because their developers tend to prioritize rapid growth and getting products to market over implementing security measures, making them prime targets for hackers.
While DeFi still accounted for the largest share of stolen assets in Q1 2024, centralized services were the most targeted in Q2 and Q3. Some of the most notable centralized service hacks include DMM Bitcoin (May 2024; $305 million) and WazirX (July 2024; $234.9 million).
This shift in focus from DeFi to centralized services highlights the growing importance of the attack vectors hackers most commonly rely on, above all compromised private keys. In 2024, private key compromises accounted for the largest share of stolen cryptocurrency, at 43.8%. Securing private keys is critical for centralized services because those keys control access to user assets. Given that centralized exchanges manage large amounts of user funds, the impact of a private key compromise can be devastating; we need only look at the $305 million DMM Bitcoin hack, one of the largest cryptocurrency breaches to date, which likely resulted from poor private key management or inadequate security controls.
After compromising private keys, malicious actors often launder stolen funds through decentralized exchanges (DEXs), mining services, or mixing services, obfuscating transaction trails and complicating tracing. In 2024, laundering by hackers who compromised private keys differed significantly from laundering by hackers using other attack vectors: after stealing private keys, these hackers often turned to bridging and mixing services, whereas for other attack vectors decentralized exchanges were more commonly used.
In 2024, North Korean hackers stole more from crypto platforms than ever before
Hackers associated with North Korea are notorious for their sophisticated and ruthless methods, often using advanced malware, social engineering, and cryptocurrency theft to fund state-sponsored operations and circumvent international sanctions. U.S. and international officials assess that Pyongyang uses stolen cryptocurrency to fund its weapons of mass destruction and ballistic missile programs, endangering international security. In 2023, hackers linked to North Korea stole approximately $660.5 million across 20 incidents; in 2024, that rose to $1.34 billion across 47 incidents, a 102.88% increase in value stolen. These figures represent 61% of the total amount stolen in 2024 and 20% of the total number of incidents.
Note that in last year's report we stated that North Korea stole $1 billion through 20 hacks. On further investigation, we determined that some of the large hacks previously attributed to North Korea could no longer be confidently attributed to it, so the total was revised down to $660.5 million. The number of incidents stayed the same, however, because we identified other, smaller hacks attributable to North Korea. We will continue to reevaluate our assessments of North Korea-linked hacks as new on-chain and off-chain evidence emerges.
Unfortunately, North Korea's cryptocurrency attacks appear to be becoming more frequent. In the chart below, we examine the average time between successful DPRK attacks by exploit size and find that the interval shrank year-over-year for attacks of every size. Notably, attacks in the $50-$100 million and $100 million+ ranges occurred far more often in 2024 than in 2023, suggesting that North Korea is getting better and faster at large-scale attacks. This is in stark contrast to the previous two years, when the take was often less than $50 million per attack.
When comparing North Korean activity to all other hacker activity we monitor, it is clear that North Korea has been responsible for the majority of large-scale attacks over the past three years. Interestingly, the density of lower-value North Korean attacks, especially those valued at around $10,000, has also been increasing.
Some of these incidents appear to be linked to North Korean IT workers, who have increasingly infiltrated cryptocurrency and Web3 companies, compromising their networks, operations, and integrity. These workers use sophisticated tactics, techniques, and procedures (TTPs), such as false identities, hiring through third-party recruitment agencies, and exploiting remote work arrangements to gain access. In one recent case, the U.S. Department of Justice (DOJ) indicted 14 North Korean nationals who had worked as remote IT workers for U.S. companies and made more than $88 million by stealing proprietary information and extorting their employers.
To mitigate these risks, companies should prioritize thorough hiring due diligence — including background checks and identity verification — while maintaining strong private key security to protect critical assets, where applicable.
While all of these trends show that North Korea was very active this year, most of its attacks occurred in the first half, with its hacking activity stagnating in the third and fourth quarters, as shown in the earlier chart.
In late June 2024, Russian President Vladimir Putin and North Korean leader Kim Jong Un also held a summit in Pyongyang and signed a mutual defense agreement. Earlier this year, Russia released millions of dollars in North Korean assets previously frozen under UN Security Council sanctions, a sign of the two countries' growing alliance. Meanwhile, North Korea has deployed troops to Ukraine, supplied Russia with ballistic missiles, and reportedly sought advanced space, missile, and submarine technology from Moscow.
If we compare the average daily losses from DPRK hacks before and after July 1, 2024, we see a significant drop in the value stolen. As shown in the chart below, the daily amount stolen by North Korea fell by about 53.73% after that date, while the amount stolen by non-North Korean actors rose by about 5%. Thus, in addition to redirecting military resources toward the conflict in Ukraine, North Korea, which has significantly increased its cooperation with Russia in recent years, may also have changed its cybercrime activities.
The decline in North Korean theft after July 1, 2024 is clear and the timing is striking, but it is worth noting that the decline is not necessarily causally related to Putin's visit to Pyongyang. Moreover, events in December could still change this pattern before year-end, since attackers often strike during the holidays.
Case Study: North Korea’s Attack on DMM Bitcoin
A notable example of a North Korea-linked hack in 2024 involved the Japanese cryptocurrency exchange DMM Bitcoin, which lost approximately 4,502.9 Bitcoin, worth $305 million at the time. The attackers exploited vulnerabilities in the infrastructure DMM used, resulting in unauthorized withdrawals. In response, DMM, with the support of its group companies, reimbursed customer deposits in full by sourcing funds of equal value.
We were able to analyze the flow of funds on-chain following the initial attack. In the first phase, the attackers moved millions of dollars' worth of cryptocurrency from DMM Bitcoin through several intermediate addresses before it ultimately arrived at a Bitcoin CoinJoin mixing service. After mixing the stolen funds, the attackers transferred some of them through a number of bridging services to Huione Guarantee, an online marketplace associated with the Cambodian conglomerate Huione Group, a major facilitator of cybercrime.
DMM Bitcoin has transferred its assets and customer accounts to SBI VC Trade, a subsidiary of the Japanese financial conglomerate SBI Group, with the transition scheduled to complete in March 2025. Fortunately, new predictive tools and technologies, which we explore in the next section, are emerging that could help prevent such destructive hacks.
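To make the fund-flow analysis above concrete, here is an added example written for this page (it is not Chainalysis's tooling and these are not the real DMM Bitcoin transactions): a forward trace over a constructed transfer ledger that follows outputs from a victim wallet through intermediate addresses, stops at an address labeled as a mixer, since a CoinJoin breaks the on-chain link between inputs and outputs, and flags intermediaries that also received unrelated funds. The ledger, address names, transaction IDs, amounts and service labels are all constructed; in practice the labels would come from an address-attribution dataset.

```python
"""Forward fund-flow tracing over a constructed transfer ledger.

Added illustration for this page: not Chainalysis tooling, and not DMM Bitcoin's
real transactions. Every address, txid, amount and label below is constructed.
"""
from collections import defaultdict, deque

# Constructed ledger: (txid, sender, receiver, amount in BTC). Names are placeholders.
TRANSFERS = [
    ("tx1", "victim_hot_wallet", "hop_a", 1500.0),
    ("tx2", "victim_hot_wallet", "hop_b", 3000.0),
    ("tx3", "hop_a", "hop_c", 1500.0),
    ("tx4", "hop_c", "coinjoin_svc", 1400.0),
    ("tx5", "hop_c", "hop_d", 100.0),
    ("tx6", "hop_b", "coinjoin_svc", 3000.0),
    ("tx7", "unrelated_user", "hop_d", 50.0),    # unrelated inflow commingling at hop_d
    ("tx8", "coinjoin_svc", "bridge_x", 2000.0),  # post-mix output, not attributable 1:1
]

# Constructed attribution labels standing in for a real address-clustering dataset.
LABELS = {"coinjoin_svc": "mixer", "bridge_x": "bridge"}


def build_graph(transfers):
    """Index transfers by sender (outgoing) and by receiver (incoming)."""
    out_edges = defaultdict(list)
    in_edges = defaultdict(list)
    for txid, src, dst, amt in transfers:
        out_edges[src].append((txid, dst, amt))
        in_edges[dst].append((txid, src, amt))
    return out_edges, in_edges


def trace_forward(transfers, labels, origin, stop_labels=("mixer",), max_hops=8):
    """Breadth-first forward trace from `origin`.

    Each transfer is followed at most once. Expansion stops when funds reach an
    address whose label is in `stop_labels` (a mixer severs the input-output link),
    and the result records, per such endpoint, the total received and the hop paths.
    Visited intermediaries that also received funds from addresses outside the
    traced set are reported as commingled: amounts passing through them can no
    longer be attributed one-to-one to the theft.
    """
    out_edges, in_edges = build_graph(transfers)
    endpoints = {}
    visited = {origin}
    used_tx = set()
    queue = deque([(origin, [origin], 0)])
    while queue:
        addr, path, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for txid, nxt, amt in out_edges.get(addr, []):
            if txid in used_tx:
                continue
            used_tx.add(txid)
            label = labels.get(nxt)
            if label in stop_labels:
                rec = endpoints.setdefault(nxt, {"label": label, "total": 0.0, "paths": []})
                rec["total"] += amt
                rec["paths"].append(path + [nxt])
                continue  # do not follow funds out of the mixer
            if nxt not in visited:
                visited.add(nxt)
                queue.append((nxt, path + [nxt], hops + 1))
    commingled = sorted(
        a for a in visited
        if a != origin and any(src not in visited for _, src, _ in in_edges.get(a, []))
    )
    return {"endpoints": endpoints, "commingled": commingled, "visited": sorted(visited)}


if __name__ == "__main__":
    result = trace_forward(TRANSFERS, LABELS, "victim_hot_wallet")
    for addr, rec in result["endpoints"].items():
        print(f"{addr} ({rec['label']}): {rec['total']:.1f} BTC via {len(rec['paths'])} path(s)")
        for p in rec["paths"]:
            print("   " + " -> ".join(p))
    print("commingled intermediaries:", result["commingled"])
```

The same traversal applies to the Ethereum flow described later in this report (two intermediary addresses ahead of Tornado Cash); only the stop label changes. Once funds enter a mixer, attributing its outputs (tx8 here) requires other techniques, such as amount and timing heuristics, which this example deliberately does not attempt.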
Thwarting Hacker Attacks with Predictive Models
Advanced predictive technologies are transforming cybersecurity by detecting potential risks and threats in real time, providing a proactive approach to protecting the digital ecosystem. Let's take a look at the example below involving decentralized liquidity provider UwU Lend.
On June 10, 2024, an attacker drained approximately $20 million from UwU Lend by manipulating its price oracle. The attacker used a flash loan to move the price of Ethena Staked USDe (sUSDe) on multiple oracles, resulting in incorrect valuations. As a result, the attacker was able to borrow millions of dollars within seven minutes. Hexagate had detected the attack contract and similar deployments approximately two days before the exploit.
Although the attack contract was accurately detected in real time two days before the exploit, its connection to the contract that was later exploited was not immediately apparent because of how it was designed. Combined with other tools, such as Hexagate's secure oracle, this early detection could be leveraged further to mitigate the threat. Notably, the first attack, which caused a loss of $8.2 million, occurred minutes before the subsequent ones, providing another important signal.
Such alerts, issued before major on-chain attacks, have the potential to transform security for industry participants, allowing them to prevent costly hacks entirely instead of responding to them after the fact. In the image below, we see that the attacker moved the stolen funds through two intermediary addresses before they reached Tornado Cash, the OFAC-sanctioned Ethereum smart contract mixer. It is worth noting, however, that simply having access to these predictive models does not guarantee protection, as protocols may not always have the tooling in place to act on alerts effectively.
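The mechanism described above, as an added illustration written for this page rather than UwU Lend's contracts or Hexagate's tooling: a zero-fee constant-product pool whose spot price a flash loan can move within a single transaction, a lending market that lends against collateral at whatever price its oracle returns, and a hardened oracle that takes the median of several sources and then refuses to quote if that median deviates from a time-weighted average price (TWAP) built from earlier blocks. The pool reserves, the TWAP, the 80% loan-to-value and the 5% deviation threshold are constructed; the real exploit involved different assets and price sources.

```python
"""Flash-loan spot-price manipulation against a lending market, and a hardened oracle.

Added illustration for this page, not UwU Lend's contracts: a zero-fee x*y=k pool
and a lending market that values collateral via a pluggable oracle. All numbers
(reserves, TWAP, LTV, deviation threshold, loan sizes) are constructed.
"""
from dataclasses import dataclass
from statistics import median

LTV = 0.8  # constructed: loan-to-value the market allows against the collateral asset


@dataclass
class Pool:
    """Zero-fee constant-product AMM: `risky` is the collateral asset (sUSDe-like),
    `quote` is the asset it is priced in (USDe-like)."""
    risky: float
    quote: float

    def spot_price(self) -> float:
        """Quote units per unit of risky, read straight from the current reserves."""
        return self.quote / self.risky

    def buy_risky(self, quote_in: float) -> float:
        k = self.risky * self.quote
        new_risky = k / (self.quote + quote_in)
        out = self.risky - new_risky
        self.quote += quote_in
        self.risky = new_risky
        return out

    def sell_risky(self, risky_in: float) -> float:
        k = self.risky * self.quote
        new_quote = k / (self.risky + risky_in)
        out = self.quote - new_quote
        self.risky += risky_in
        self.quote = new_quote
        return out


class OracleDeviation(Exception):
    """Raised when the hardened oracle refuses to quote a price."""


def spot_oracle(pool: Pool, other_sources, twap: float) -> float:
    """Vulnerable: trusts the pool's instantaneous reserves, which one transaction can move."""
    return pool.spot_price()


def robust_oracle(pool: Pool, other_sources, twap: float, max_dev: float = 0.05) -> float:
    """Median across the pool and independent sources, then a circuit breaker against a
    TWAP from earlier blocks that a single-transaction flash loan cannot have influenced."""
    price = median([pool.spot_price(), *other_sources])
    if abs(price - twap) / twap > max_dev:
        raise OracleDeviation(f"median {price:.2f} deviates >{max_dev:.0%} from TWAP {twap:.2f}")
    return price


def run_attack(oracle, collateral: float = 100_000.0, flash_loan: float = 9_000_000.0,
               manipulated_sources: int = 0) -> dict:
    """One-transaction attack: flash-loan quote, pump the pool, borrow against collateral
    at the inflated price, unwind the pump, repay the flash loan. `manipulated_sources`
    is how many of the two independent feeds the attacker has also pushed."""
    pool = Pool(risky=1_000_000.0, quote=1_000_000.0)  # constructed reserves, price 1.0
    twap = 1.0                                          # constructed: prior blocks priced risky at 1.0
    fair_value = collateral * twap
    bought = pool.buy_risky(flash_loan)                 # step 1: pump the spot price
    inflated = pool.spot_price()
    others = [inflated] * manipulated_sources + [1.0] * (2 - manipulated_sources)
    price = oracle(pool, others, twap)                  # step 2: market consults its oracle
    borrowed = collateral * price * LTV
    recovered = pool.sell_risky(bought)                 # step 3: unwind and repay
    assert recovered >= flash_loan - 1e-6, "could not repay flash loan"
    return {"inflated_spot": inflated, "borrowed": borrowed,
            "protocol_loss": max(0.0, borrowed - fair_value)}


if __name__ == "__main__":
    print("spot oracle   :", run_attack(spot_oracle))
    print("robust oracle :", run_attack(robust_oracle))
    try:
        run_attack(robust_oracle, manipulated_sources=2)
    except OracleDeviation as exc:
        print("robust oracle, all sources pushed: borrow reverted ->", exc)
```

Running it shows the spot oracle handing the attacker an $8 million loan against collateral worth $100,000, while the hardened oracle keeps the loan at $80,000 when only the pool is manipulated and reverts entirely when the attacker has pushed a majority of sources. That last case is why a median across oracles is not enough on its own when, as above, several oracles are moved at once; the TWAP circuit breaker is what closes the gap.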
Stronger Crypto Security Needed
The increase in stolen cryptocurrency in 2024 highlights the need for the industry to respond to an increasingly complex and evolving threat landscape. While the scale of cryptocurrency theft has not yet returned to the levels seen in 2021 and 2022, the resurgence described above exposes gaps in existing security measures and the importance of adapting to new exploitation methods. To address these challenges effectively, collaboration between the public and private sectors is critical. Data-sharing programs, real-time security solutions, advanced tracing tools, and targeted training can enable stakeholders to quickly identify and stop malicious actors while building the resilience needed to protect crypto assets.
In addition, as the regulatory framework for cryptocurrency continues to evolve, scrutiny of platform security and protection of customer assets is likely to intensify. Industry best practices must keep pace with these changes to ensure prevention and accountability. The cryptocurrency industry can strengthen its anti-theft capabilities by building stronger partnerships with law enforcement and providing teams with the resources and expertise to respond quickly. These efforts are critical not only to protecting personal assets, but also to building long-term trust and stability in the digital ecosystem.