
$2.2 Billion Stolen from Crypto Platforms in 2024, but Hacked Volumes Stagnate Toward Year-End as DPRK Slows Activity Post-July

Crypto hacking remains a persistent threat, with four years in the past decade individually seeing more than a billion dollars’ worth of crypto stolen (2018, 2021, 2022, and 2023). 2024 marks the fifth year to reach this troubling milestone, highlighting how, as crypto adoption and prices rise, so too does the amount that can be stolen.

In 2024, funds stolen increased by approximately 21.07% year-over-year (YoY) to $2.2 billion, and the number of individual hacking incidents increased from 282 in 2023 to 303 in 2024.

Interestingly, the intensity of crypto hacking shifted about halfway through the year. In our mid-year crime update, we noted that cumulative value stolen between January 2024 and July 2024 had already reached $1.58 billion, approximately 84.4% higher than the value stolen over the same period in 2023. As we see in the chart below, through the end of July, the ecosystem was easily on track for a year that could rival the $3 billion+ years of 2021 and 2022. However, 2024’s upward trend slowed considerably after July, after which it remained relatively steady. Later, we’ll explore a potential geopolitical reason for this change.

In terms of amount stolen by victim platform type, 2024 also saw interesting patterns. In most quarters between 2021 and 2023, decentralized finance (DeFi) platforms were the primary targets of crypto hacks. It’s possible that DeFi platforms were more vulnerable because their developers tend to prioritize rapid growth and bringing their products to market over implementing security measures, making them prime targets for hackers.

Although DeFi still accounted for the largest share of stolen assets in the first quarter of 2024, centralized services were the most targeted in Q2 and Q3. Some of the most notable centralized service hacks include DMM Bitcoin (May 2024; $305 million) and WazirX (July 2024; $234.9 million).

This shift in focus from DeFi to centralized services highlights the increasing importance of securing mechanisms commonly exploited in hacks, such as private keys. Private key compromises accounted for the largest share of stolen crypto in 2024, at 43.8%. For centralized services, ensuring the security of private keys is critical, as they control access to users’ assets. Given that centralized exchanges manage substantial amounts of user funds, the impact of a private key compromise can be devastating; we only have to look at the $305 million DMM Bitcoin hack, which is one of the largest crypto exploits to date, and may have occurred due to private key mismanagement or lack of adequate security.

After compromising private keys, malicious actors often launder stolen funds by funneling them through decentralized exchanges (DEXs), mining services, or mixing services to obfuscate the transaction trail and complicate tracing. In 2024, we can see that the laundering activity of private key hackers differs meaningfully from that of hackers exploiting other attack vectors. For instance, after stealing private keys, these hackers often turned to bridges and mixing services. For other attack vectors, DEXs were more popular for laundering.

Keep reading to learn more about crypto hacking trends in 2024, the DPRK’s activities, and Hexagate’s use of machine learning models to proactively detect suspicious hacking behaviors, a capability recently acquired by Chainalysis.

In 2024, North Korean hackers stole more from crypto platforms than ever before

Hackers linked to North Korea have become notorious for their sophisticated and relentless tradecraft, often employing advanced malware, social engineering, and cryptocurrency theft to fund state-sponsored operations and circumvent international sanctions. U.S. and international officials have assessed that Pyongyang uses the crypto it steals to finance its weapons of mass destruction and ballistic missile programs, endangering international security. In 2023, North Korea-affiliated hackers stole approximately $660.50 million across 20 incidents; in 2024, this number increased to $1.34 billion stolen across 47 incidents — a 102.88% increase in value stolen. These figures represent 61% of the total amount stolen for the year, and 20% of total incidents.

Note that, in last year’s report, we published that the DPRK stole $1.0 billion across 20 hacks. Upon further investigation, we determined that certain large hacks we had previously attributed to the DPRK are likely not related to it, hence the decrease to $660.50 million. However, the number of incidents remains the same, as we identified other smaller hacks attributed to the DPRK. We aim to constantly re-evaluate our assessment of DPRK-linked hacking events as we acquire new on-chain and off-chain evidence.

Unfortunately, it appears that the DPRK’s crypto attacks are becoming more frequent. In the below chart, we examined the average time between successful DPRK attacks depending on the size of the exploit and found that there was a decline YoY in attacks of all sizes. Notably, attacks between $50 and $100 million, and those above $100 million, occurred far more frequently in 2024 than they did in 2023, suggesting that the DPRK is getting better and faster at massive exploits. This is in stark contrast to the previous two years, during which its exploits more often yielded less than $50 million each.

When examining the DPRK’s activity in comparison to all other hacks we measured, it is clear that the DPRK has been consistently responsible over the last three years for most of the largest exploits. Interestingly, the DPRK’s dominance of the high end of the exploitation ladder continued in 2024, but there is also a growing density of DPRK hacks at lower amounts, most notably around $10,000 in value.

Some of these events appear to be linked to North Korean IT workers, who have been increasingly infiltrating crypto and Web3 companies, and compromising their networks, operations, and integrity. These workers often use sophisticated Tactics, Techniques, and Procedures (TTPs), such as false identities, third-party hiring intermediaries, and manipulating remote work opportunities to gain access. In a recent case, the U.S. Department of Justice (DOJ) indicted 14 DPRK nationals who obtained employment as remote IT workers at U.S. companies and generated more than $88 million by stealing proprietary information and extorting their employers.

To mitigate these risks, companies should prioritize thorough employment due diligence — including background checks and identity verification — while maintaining robust private key hygiene to safeguard critical assets, if applicable.

Although all of these trends suggest a very active year for the DPRK, most of its exploits occurred at the beginning of the year, with overall hacking activity stagnating in Q3 and Q4, as shown in this chart from earlier.

In late June 2024, Russian President Vladimir Putin and North Korean leader Kim Jong Un met in Pyongyang at a summit to sign a mutual defense pact. So far this year, their growing alliance has been marked by Russia releasing millions of dollars in North Korean assets previously frozen in compliance with UNSC sanctions. Meanwhile, North Korea has deployed troops to Ukraine, supplied Russia with ballistic missiles, and reportedly sought advanced space, missile, and submarine technology from Moscow.

If we contrast the average daily value lost from DPRK exploits before and after July 1, 2024, we can see a significant decrease in the amount of value stolen. Specifically, as shown in the chart below, amounts stolen by the DPRK dropped by approximately 53.73% after the summit, whereas non-DPRK amounts stolen rose by approximately 5%. It is therefore possible that, in addition to redirecting military resources toward the conflict in Ukraine, the DPRK — which has dramatically increased its cooperation with Russia in recent years — may have altered its cybercriminal activity as well.

The decline in funds stolen by the DPRK after July 1, 2024 is clear and the timing is conspicuous, but it is nevertheless important to note that this decline is not necessarily associated with Putin’s visit to Pyongyang. Additionally, a few events in December could alter the pattern by the end of the year, and attackers often strike over holidays.

Case study: The DPRK’s DMM Bitcoin exploit

One notable example of a North Korea-affiliated hack in 2024 involved the Japanese cryptocurrency exchange DMM Bitcoin, which suffered a security breach resulting in the loss of approximately 4,502.9 Bitcoin, valued at $305 million at the time. The attackers targeted vulnerabilities in infrastructure used by DMM, leading to unauthorized withdrawals. In response, DMM fully covered customer deposits by sourcing equivalent funds with the support of group companies.

We were able to analyze the flow of funds on-chain after the initial attack, which we’ve broken down into two Chainalysis Reactor graphs below. In the first phase, we see that the attacker moved millions of dollars’ worth of crypto from DMM Bitcoin to several intermediary addresses before eventually reaching a Bitcoin CoinJoin Mixing Service.

After successfully mixing the stolen funds using the Bitcoin CoinJoin Mixing Service, the attackers moved a portion of the funds through a number of bridging services, and finally to Huione Guarantee, an online marketplace tied to the Cambodian conglomerate Huione Group, which was previously exposed as a significant player in facilitating cybercrimes.

The scale of the breach and the subsequent operational challenges led DMM to decide to shut down the exchange in December 2024. DMM Bitcoin transferred its assets and customer accounts to SBI VC Trade, a subsidiary of the Japanese financial conglomerate SBI Group, with the transition set to be finalized by March 2025. Fortunately, emerging tools and predictive technologies, as we’ll explore in the next section, are paving the way to potentially prevent such devastating hacks before they occur.

Leveraging predictive models to thwart hacks

Advanced predictive technologies are transforming cybersecurity by enabling real-time detection of potential risks and threats, offering a proactive approach to safeguarding digital ecosystems. Chainalysis recently acquired Hexagate, the leading provider of Web3 security solutions that detect and mitigate threats including cyber exploits, hacks, and governance and financial risks. Hexagate’s customers have already saved more than $1 billion in customer funds by taking on-chain actions based on real-time notifications and automated responses to potential threats.

Hexagate leverages proprietary detection technology and machine learning models to proactively predict and detect unusual transactions and malicious activities across blockchain networks in real time. By continuously scanning smart contracts and transactions, Hexagate’s system identifies suspicious patterns and potential risks and threats before they can cause financial losses. Let’s look at an example below, involving the decentralized liquidity provider UwU Lend.

On June 10, 2024, an attacker exploited UwU Lend for approximately $20 million by manipulating its price oracle system. The attacker initiated a flash loan attack to alter the price of Ethena Staked USDe (sUSDe) across multiple oracles, leading to incorrect valuations. Consequently, the attacker could borrow millions of dollars within seven minutes. Hexagate’s detection of the attack contract and similar deployments of it occurred approximately two days before the exploit.

Although the attack contract was accurately detected in real-time two days before the exploit, its connection to the exploited contract wasn’t immediately apparent due to its design. With additional tools, such as Hexagate’s security oracle, this early detection could have been further leveraged to mitigate the threat. Notably, the first attack, which resulted in $8.2 million in losses, occurred just minutes before subsequent attacks, providing another significant signal.
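The flash-loan oracle manipulation described above comes down to a lending market trusting a spot price that an attacker can move within a single transaction. The following is an added illustration, not UwU Lend’s or Hexagate’s code: a constructed constant-product pool is read as a naive spot oracle, a flash loan pumps the spot price, and a guard that rejects readings deviating from a time-weighted reference (a hypothetical `guarded_price` with a 5% threshold) denies the inflated borrow. Pool sizes, the collateral amount and the threshold are constructed values.

```python
# Constructed toy model of flash-loan price-oracle manipulation and one
# mitigation (TWAP deviation guard). Names and numbers are hypothetical.
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product AMM whose spot price a naive oracle would read directly."""
    reserve_tok: float  # collateral-token reserves
    reserve_usd: float  # quote-asset reserves

    def spot_price(self) -> float:
        return self.reserve_usd / self.reserve_tok

    def swap_usd_for_tok(self, usd_in: float) -> float:
        """Buy tokens with USD (x*y=k); returns tokens out and pushes the spot price up."""
        k = self.reserve_tok * self.reserve_usd
        self.reserve_usd += usd_in
        new_tok = k / self.reserve_usd
        tokens_out = self.reserve_tok - new_tok
        self.reserve_tok = new_tok
        return tokens_out


def guarded_price(spot: float, twap: float, max_dev: float = 0.05) -> float:
    """Reject a spot reading that deviates from the time-weighted reference by > max_dev."""
    if abs(spot - twap) / twap > max_dev:
        raise ValueError(f"spot {spot:.2f} deviates >{max_dev:.0%} from TWAP {twap:.2f}")
    return spot


def max_borrow_usd(collateral_tok: float, price: float, ltv: float = 0.8) -> float:
    """Borrowing capacity the market grants for the given oracle price."""
    return collateral_tok * price * ltv


def simulate_attack(flash_loan_usd: float, collateral_tok: float, guarded: bool) -> float:
    """Return the USD the attacker can borrow in the manipulated block (0.0 if the guard denies it)."""
    pool = Pool(reserve_tok=1_000_000.0, reserve_usd=1_000_000.0)  # fair price 1.00 USD
    twap = pool.spot_price()               # reference accumulated before the attack block
    pool.swap_usd_for_tok(flash_loan_usd)  # flash-loaned USD pumps the spot price in one tx
    spot = pool.spot_price()
    try:
        price = guarded_price(spot, twap) if guarded else spot
    except ValueError:
        return 0.0  # borrow denied: price is not trusted this block
    return max_borrow_usd(collateral_tok, price)


if __name__ == "__main__":
    print("naive oracle lets attacker borrow:", simulate_attack(1_000_000, 100_000, guarded=False))
    print("guarded oracle lets attacker borrow:", simulate_attack(1_000_000, 100_000, guarded=True))
    print("fair borrowing capacity:", max_borrow_usd(100_000, 1.0))
```

With a $1M flash loan the spot price quadruples, so the naive market lends $320,000 against collateral fairly worth $100,000, while the guarded market lends nothing until the reference price catches up.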

These types of alerts before major on-chain attacks have the potential to transform industry players’ security, empowering them to prevent costly hacks altogether, rather than respond to them.

In the Chainalysis Reactor graph below, we see that the attacker transferred the stolen funds through two intermediary addresses before the funds reached OFAC-sanctioned Ethereum smart-contract mixer, Tornado Cash.


It is important to note, however, that simply having access to these predictive models doesn’t ensure hack prevention, as protocols may not always possess the proper tools to act effectively.

The need for stronger crypto security

The rise in stolen crypto in 2024 underscores the need for the industry to address an increasingly complex and evolving threat landscape. While the scale of crypto theft has not yet returned to the levels of 2021 and 2022, the resurgence described above highlights gaps in existing security measures and the importance of adapting to new exploit methods. To combat these challenges effectively, a collaborative approach between the public and private sectors is essential. Data-sharing initiatives, real-time security solutions, advanced tracing tools, and targeted training can empower stakeholders to quickly identify and neutralize malicious actors while building the resilience needed to safeguard crypto assets.

Additionally, as crypto regulatory frameworks continue to develop, the scrutiny on platform security and customer asset protection will likely intensify. Industry best practices must keep pace with these changes, ensuring both prevention and accountability. By fostering stronger partnerships with law enforcement and equipping teams with the resources and expertise to respond rapidly, the crypto industry can reinforce its defenses against theft. Such efforts are not only critical for protecting individual assets, but also for building long-term trust and stability in the digital ecosystem.
