The 10 worst crypto hacks and exploits of 2024


By: The Block, 2024/12/31 16:00

Quick Take: In 2024, cryptocurrency hacks resulted in nearly $2.2 billion stolen, an increase of more than 22% from the $1.8 billion in 2023. Notable hacks targeted centralized exchanges such as DMM Bitcoin, WazirX and BingX, and DeFi protocol designs continued to be exploited. State-sponsored attacks, like those attributed to the Lazarus Group, were also reported. The largest hack was against DMM Bitcoin, which lost over $300 million due to potential vulnerabilities like stolen private keys.


2024 continued to be a challenging year for cryptocurrency users and companies in terms of cybersecurity, marked by several prominent hack incidents.

Hackers appropriated nearly $2.2 billion in cryptocurrencies by December 2024, according to Chainalysis data. That is up from the $1.8 billion stolen in 2023, a jump in hack volumes of more than 22% year-over-year.

In 2024, large exploits targeted centralized exchanges like DMM Bitcoin, WazirX and BingX. Flaws in DeFi protocol designs remained another focus for attackers, who exploited them to siphon funds.

While financial gain remains the principal motive behind most cryptocurrency hacks, other elements also contribute. For instance, the incidents at WazirX and Radiant Capital, attributed to the Lazarus Group, hint at state-sponsored attacks.

This article explores the most notable cryptocurrency hacks of 2024, analyzing the reasons behind them and the strategies used by hackers.

DMM Bitcoin: $300 million

In May 2024, DMM Bitcoin, a Japanese cryptocurrency exchange, suffered the largest crypto hack of the year. It lost over 4,500 BTC, valued at over $300 million at the time.

While the exact cause of the DMM Bitcoin attack remains unclear, experts suggest potential vulnerabilities such as stolen private keys or address poisoning. The latter is a deceptive tactic where attackers send tiny amounts of cryptocurrency to a victim’s wallet, creating a fake transaction history to confuse users and potentially trick them into sending funds to the wrong address.
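A wallet-side check against address poisoning, added here as an illustration and not taken from the original article. It assumes the common variant in which the planted address copies the first and last characters of a real counterparty; the addresses, labels and the `edge` and `dust` thresholds are constructed.

```python
# Added illustration: flag look-alike senders before an address is reused.
# All addresses, labels and amounts below are constructed sample data.
ADDRESS_BOOK = {
    "cold-storage": "0x52f1a8c07d3e9b64a1c5e08f7b2d9a6c3e41d7b9",
    "otc-desk": "0x9ab4e6d2170c5f83b2e9d04a6c71f35e8d20c4a1",
}

def _norm(addr):
    addr = addr.lower()
    return addr[2:] if addr.startswith("0x") else addr

def classify(addr, book, edge=4):
    """Return ("exact" | "lookalike" | "unknown", label) for addr."""
    a = _norm(addr)
    hit = None
    for label, known in book.items():
        k = _norm(known)
        if a == k:
            return ("exact", label)
        # Same length, same first/last `edge` hex chars, different middle:
        # identical to the real address in a truncated "0x52f1...d7b9" view.
        if len(a) == len(k) and a[:edge] == k[:edge] and a[-edge:] == k[-edge:]:
            hit = label
    return ("lookalike", hit) if hit else ("unknown", None)

def suspicious_history(history, book, dust=0.001):
    """Return inbound transfers that look like poisoning: tiny amounts
    from a sender that imitates an address-book entry."""
    flagged = []
    for tx in history:
        kind, label = classify(tx["from"], book)
        if kind == "lookalike" and tx["amount"] <= dust:
            flagged.append({**tx, "imitates": label})
    return flagged

HISTORY = [  # constructed inbound transfers
    {"from": ADDRESS_BOOK["cold-storage"], "amount": 12.5},
    {"from": "0x52f1" + "0" * 30 + "ffd7b9", "amount": 0.00001},
    {"from": "0x" + "7e" * 20, "amount": 0.00001},
]

if __name__ == "__main__":
    for tx in suspicious_history(HISTORY, ADDRESS_BOOK):
        print("do not copy from history:", tx["from"], "imitates", tx["imitates"])
```

The same `classify` call can gate outgoing transfers: anything other than an exact address-book match is held for a full-length comparison.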

The incident was the eighth-largest crypto theft ever and the largest exploit since FTX's $477 million hack in November 2022.

In December, DMM Bitcoin announced that it had agreed with Japan's SBI Group to transfer customer accounts and custodial assets to the latter by March 2025.

WazirX: $230 million

On July 18, 2024, WazirX, one of India’s largest cryptocurrency exchanges, experienced a massive hack, losing about $230 million in investor funds.

The hackers leveraged a sophisticated scheme to compromise WazirX’s multi-signature wallet, which needed multiple signatures to authorize transactions. By exploiting discrepancies in how transactions were shown on the Liminal interface, a crypto custody platform used by WazirX, the attackers could deceive authorized signatories into approving a malicious transaction. This allowed them to bypass security measures and drain the exchange's crypto wallet.

Experts suspect the Lazarus Group, a North Korean hacking group notorious for its involvement in previous high-profile crypto heists, was involved.

WazirX immediately took steps to mitigate the damage, including temporarily halting cryptocurrency and fiat withdrawals.

An investigation into the hack is currently underway.

Munchables: $62 million

In March 2024, Munchables, a play-to-earn game built on the Blast Layer 2 blockchain, was the victim of a large security exploit. An unknown attacker exploited a critical vulnerability in the game’s smart contracts, siphoning off $62.5 million worth of crypto. The project’s smart contracts granted the developer in question the power to transfer funds at their discretion — a misused capability.

The heart of the attack was the project’s use of an upgradeable proxy contract. While this type of contract offers flexibility, it can also introduce vulnerabilities if not handled carefully, Rob Behnke, a security analyst at Halborn, explained. In this case, the rogue developer took control of the smart contract’s deployment address, gaining the power to change the contract’s code.

Exploiting this privilege, the attacker subtly inserted a malicious backdoor into the contract. Over time, they waited until large amounts of ether were deposited into the contract. When the time was right, they triggered the exploit, siphoning off millions of dollars in cryptocurrency.

Munchables later said that the developer had agreed to unconditionally relinquish the private keys to the wallet holding Munchables’ assets, resulting in the full recovery of the assets. It’s not fully clear why the attacker decided to do that.

Dai whale exploit: $55 million 

In August, a crypto whale was the victim of a sophisticated phishing attack, which resulted in the loss of $55 million worth of Dai stablecoins.

The attacker exploited a vulnerability to access the victim’s crypto wallet account, also called an externally owned account, which controlled a vault on Maker protocol. This type of vault allows users to borrow Dai stablecoins by depositing collateral.

By leveraging the compromised EOA, the attacker transferred ownership of the victim’s Decentralized Service Proxy (DSProxy) to a newly created address under their control. A DSProxy is a smart contract that enables users to execute multiple contract calls in a single transaction.

The DSProxy, a tool for automating complex transactions, was the key to the whale’s digital vault: by gaining control over it, the attacker acquired the ability to manipulate the whale’s Maker Vault. The attacker then set their own address as the protocol’s owner address and minted 55,473,618 Dai stablecoins into their wallet.

Security firm Halborn explained that the attacker likely used a phishing attack against the whale to trick them into signing a transaction transferring ownership of the proxy to them. Another possibility is that the phishing attack compromised the private keys for the wallet account that controlled the DSProxy.

Radiant Capital: $51 million

In October 2024, Radiant Capital was hit by a second severe attack within the year, leading to a loss of about $51 million.

The initial incident, a flash loan exploit, stripped the protocol of roughly $4.5 million. However, this event was minor compared to the later, more complex attack. This subsequent attack targeted a flaw in the protocol’s multi-signature mechanism, leveraging a highly sophisticated tactic. Radiant Capital used a 3-of-11 multi-sig setup, which needed three private keys to approve crucial transactions.

Nonetheless, the attackers, believed to be associated with the North Korean Lazarus group, bypassed this security feature. The attackers manipulated the signing process, deceiving the signers into endorsing malicious transactions that appeared legitimate. This manipulation involved sophisticated malware that altered the transaction data shown on the Gnosis Safe wallet interface, while the malicious transactions were forwarded to the hardware wallets for signing and execution.

The attackers took advantage of occasional transaction failures, typically overlooked as normal. By embedding malicious transactions within these failures, they obtained valid signatures without alerting anyone.

Once these malicious transactions received approval, the attackers seized control of one of Radiant's smart contracts, which oversaw various lending pools. This breach enabled them to replace the pool contracts with malicious versions, thus accessing user funds.

BingX: $43 million

In another alarming incident highlighting the vulnerability of centralized cryptocurrency exchanges, Singapore-based BingX fell victim to a large security exploit. The attack, which occurred on September 20, 2024, compromised the exchange’s hot wallet.

While BingX downplayed the incident as “minor,” security analysts estimated the total loss to be around $43 million. The stolen funds were siphoned off in multiple tranches, suggesting a well-coordinated attack.

This incident is part of a disturbing trend of CEX hacks that have plagued the cryptocurrency industry throughout 2024. In this incident, the attackers gained unauthorized access to multiple blockchains and used numerous exploit addresses to collect a diverse range of cryptocurrencies. Subsequently, these stolen funds were converted into ether, a common practice among the North Korean Lazarus Group.

Penpie: $27 million

In September 2024, the Penpie protocol, a yield farming platform operating on Pendle Finance, was compromised, leading to a loss of around $27 million.

The root cause of the Penpie hack was a critical reentrancy vulnerability. This type of flaw allows malicious actors to manipulate the execution flow of a smart contract, leading to unintended consequences.

By crafting a deceptive market on Pendle, the attacker created fake versions of Pendle’s "standardized yield" token and linked them to Pendle's "liquidity provider" tokens. This manipulation allowed the attacker to call a vulnerable function repeatedly, inflating their reward balance with these fabricated tokens. The smart contract, lacking strong validation mechanisms, mistakenly accepted these fake tokens, enabling the attacker to drain significant funds.

Despite the severity of the attack, the Penpie team extended an olive branch to the attacker, offering a bounty in exchange for the return of the stolen funds. The attacker chose to ignore this plea and launder the illicit gains through the Tornado Cash mixer.

UwU Lend: $20 million

In June 2024, UwU Lend, a decentralized lending platform, suffered a $20 million exploit due to a flaw in its price oracle, which relies on real-time data from Curve Finance’s liquidity pools. An attacker exploited this vulnerability and manipulated the price of the USD-pegged stablecoin, sUSDE, through a series of calculated trades.

The attack began with the attacker taking a substantial flash loan and swapping a large portion of these assets for sUSDE in a Curve pool, drastically lowering its price. The attacker then borrowed large amounts of undervalued sUSDE tokens from UwU Lend, using other cryptocurrencies as collateral. Subsequently, the attacker traded within the Curve pool to restore the sUSDE price to normal, boosting the value of their holdings.

The attacker liquidated these positions to regain the initially borrowed cryptocurrencies, which were now more valuable, and redeposited the sUSDE into UwU Lend to borrow more, ultimately profiting $19.3 million in ether. This incident highlights critical vulnerabilities in using spot prices for decentralized finance oracles.
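Why a spot price makes a poor oracle input, as an added example that is not part of the original article: one large swap moves the spot price immediately, while a time-weighted average barely moves and a deviation check can pause the market. The pool is a simplified constant-product model (an assumption; Curve uses a different invariant), and the pool sizes, window and 5% threshold are constructed.

```python
# Added illustration: spot price vs time-weighted price under a large swap.
# Simplified constant-product pool; all numbers are constructed.

class Pool:
    def __init__(self, token, usd):
        self.token, self.usd = float(token), float(usd)

    def spot(self):
        return self.usd / self.token          # USD per token right now

    def sell_token(self, amount):
        k = self.token * self.usd             # invariant x * y = k
        self.token += amount
        usd_out = self.usd - k / self.token
        self.usd -= usd_out
        return usd_out

def twap(samples):
    """samples: list of (seconds_at_price, price) covering the window."""
    total = sum(s for s, _ in samples)
    return sum(s * p for s, p in samples) / total

def oracle_price(pool, samples, max_deviation=0.05):
    """Return (price, ok). The price is the TWAP; ok is False when spot has
    moved more than max_deviation away from it, in which case a lending
    market should pause borrows and liquidations for that asset."""
    avg = twap(samples)
    deviation = abs(pool.spot() - avg) / avg
    return avg, deviation <= max_deviation

def demo():
    pool = Pool(token=1_000_000, usd=1_000_000)
    samples = [(1790, pool.spot())]           # 1790 s of normal trading
    before = oracle_price(pool, samples)
    pool.sell_token(1_000_000)                # one very large swap
    samples.append((10, pool.spot()))         # distorted price held for 10 s
    after = oracle_price(pool, samples)
    return before, pool.spot(), after

if __name__ == "__main__":
    before, spot, after = demo()
    print("before:", before)
    print("spot after swap:", spot)
    print("oracle after swap:", after)
```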

Sonne Finance: $20 million

In May 2024, Sonne Finance, a decentralized lending protocol operating on the Optimism Layer 2 chain, encountered a $20 million exploit caused by a vulnerability common to Compound v2 forks. Attacks on this vulnerability typically target flaws in the protocol’s design, especially in markets with low liquidity or newly established ones.

Creating a new market on a Compound v2 fork like Sonne requires initial liquidity to deter price manipulation. Without this, the market is prone to attacks. Precision or rounding errors in smart contract calculations, particularly in decimal values, can be manipulated.

In Sonne Finance's case, an attacker injected a small amount of the underlying asset into an empty market, significantly altering the exchange rate between the underlying asset and its tokenized counterpart.

This led to a rounding error, which the Sonne Finance attacker exploited to withdraw more underlying assets than deposited initially, resulting in a total loss of about $20 million. This event underscores a recurring issue with Compound v2 forks, exploited in similar attacks on platforms like Hundred Finance and the Onyx Protocol.
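The rounding problem in numbers, as an added example rather than Sonne's or Compound's code. It assumes simplified Compound v2-style share accounting (borrows and reserves ignored); the balances and the `min_shares` threshold are constructed. It compares a seeded market with a nearly empty one and shows the effect of rounding burned shares up.

```python
# Added illustration: share-accounting rounding in a thinly supplied market.
# Simplified model (assumption: exchange rate = cash / total shares).
SCALE = 10**18

def exchange_rate(cash, total_shares):
    """Underlying per share, scaled by 1e18."""
    return cash * SCALE // total_shares

def shares_burned(amount, cash, total_shares, round_up=False):
    """Shares destroyed when `amount` of underlying is redeemed."""
    rate = exchange_rate(cash, total_shares)
    num = amount * SCALE
    return -(-num // rate) if round_up else num // rate

def unbacked_payout(amount, cash, total_shares, round_up=False):
    """Underlying paid out beyond the value of the shares burned."""
    burned = shares_burned(amount, cash, total_shares, round_up)
    value = burned * exchange_rate(cash, total_shares) // SCALE
    return max(amount - value, 0)

def safe_to_enable(total_shares, min_shares=10**9):
    """Listing guard: truncation loses less than one share per redeem,
    i.e. at most 1/total_shares of the pool, so require seeded supply."""
    return total_shares >= min_shares

# Constructed markets, both holding 1,000,000 units of a 6-decimal asset.
SEEDED = {"cash": 10**12, "total_shares": 5 * 10**15}
THIN = {"cash": 10**12, "total_shares": 2}

if __name__ == "__main__":
    for name, m in (("seeded", SEEDED), ("thin", THIN)):
        amount = m["cash"] - 1
        print(name,
              "round-down gap:", unbacked_payout(amount, **m),
              "round-up gap:", unbacked_payout(amount, **m, round_up=True),
              "listable:", safe_to_enable(m["total_shares"]))
```

With only two shares outstanding, rounding down burns one share for almost the whole pool; rounding up, or refusing to list the market until supply is seeded, closes the gap.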

M2 exchange: $14 million

In October, the UAE-based M2 cryptocurrency exchange fell victim to a cyberattack that resulted in the theft of $13.7 million worth of crypto.

The malicious actor exploited vulnerabilities in the exchange’s security systems, gaining unauthorized access to several “hot wallets” — digital wallets connected to the internet and used for frequent transactions. The hacker could siphon off a substantial amount of cryptocurrency by compromising these wallets.

Following the incident, M2 acknowledged the security breach and assured its users that the situation had been “fully resolved.” However, rather than recovering the stolen funds, the exchange opted to restore customer balances using its own assets.

