
De.Fi REKT Report 2024: Over $1.45 Billion Lost to Crypto Exploits

The year 2024 once again proved that while the broader crypto ecosystem surged with Bitcoin passing $100,000, vulnerabilities in DeFi, CEXes, and token-based protocols remained an immense threat. In total, $1,457,287,820 was lost to hacks, exploits, and other malicious activities in 165 recorded incidents over the course of the year. Of this figure, despite efforts to recover stolen money, $128,625,932, or about 8.8%, was recovered, a slight improvement over the 10% recovery rate seen in 2023. However, the overall losses this year were 25.6% lower than the $1.96 billion recorded in 2023, indicating that while threats still persist, the overall impact is slightly less severe.

Monthly Breakdown: Trends in 2024 Losses and Recoveries

2024 opened with a volatile first quarter: January brought significant losses of $173.5 million, and February followed with $149.3 million in losses, heavily influenced by phishing attacks and smart contract vulnerabilities. In March, total losses decreased to $94.7 million, though the month saw the largest single recovery of the year, amounting to $62.5 million.

Losses in the second quarter were not uniform: April had a relatively modest loss of $27.8 million, underlining a temporary lull in major attacks. The tranquility was short-lived, as May surged to $353.6 million, making it the most damaging month of 2024. June closed the quarter with $50.6 million in losses, a significant drop from the month before.

The third quarter saw the return of high-value exploits, especially in July, with losses amounting to $250.3 million—the second-largest total for the year. August was a sharp drop to $68.9 million, with recoveries of $12 million, indicating some success in post-incident asset recovery efforts. Losses increased again in September, reaching $114.4 million, driven by a spate of attacks targeting lending platforms and token-based protocols.

In the final quarter, the losses began to stabilize: October recorded $94.4 million in damages, while November’s total dropped to $69.8 million, aided by the successful recovery of $25 million – the largest recovery effort since March. December concluded the year with a relatively subdued $9.88 million in losses, marking the lowest monthly total in 2024.

Analysis of Exploit Trends in 2024

Access Control Breaches Dominate Losses

Access control exploits were by far the most impactful attack vector of 2024, accounting for $946,076,803 (65% of total losses) across 35 incidents. These attacks often targeted large platforms and centralized exchanges, such as DMM Bitcoin ($300 million) and WazirX ($230 million), exploiting private key management failures and multisig vulnerabilities.

Rise of Exploits in Token-Based Projects

Token-related exploits emerged as the second-largest target, with $711.4 million lost across 47 incidents. Projects like PlayDapp ($32.35 million) and Penpie ($27 million) highlight issues in smart contract logic, liquidity pools, and tokenomics mechanisms. Flash loan attacks, which primarily targeted token projects, caused losses of $32.4 million across 23 recorded events.

Other Exploits and Gaming Sector Attacks

Other exploit types, including cross-chain vulnerabilities and reward distribution logic flaws, contributed $267,286,980 in losses from 46 incidents. The gaming and metaverse sector also suffered notable attacks, with $116,284,522 lost across 14 incidents, reflecting growing risks in GameFi and NFT-driven economies.

Phishing and Rug Pulls Persist

Phishing attacks remained a consistent threat, causing $92,576,936 in losses across 14 incidents, including the high-profile $55 million Ethereum phishing event. Meanwhile, rug pulls—a longstanding problem in crypto—accounted for $80,541,379 across 27 cases, with Gifto’s $10 million incident on Binance Smart Chain being one of the largest.

Funds Lost by Chain/Platform

In 2024, losses were concentrated across major blockchain networks and centralized platforms:

  1. Centralized Platforms: 8 cases totaling $655,400,000, primarily driven by breaches like DMM Bitcoin and BingX.
  2. Ethereum: 71 incidents caused losses of $596,502,163, cementing Ethereum’s role as the most targeted blockchain for exploits, including access control breaches and phishing scams.
  3. Other Chains: 10 incidents led to losses of $172,400,000, with Chris Larsen’s XRP access control breach ($112.5 million) being a standout event.
  4. Binance Smart Chain (BSC): 38 cases contributed $169,313,948, driven by the continued targeting of BSC-based tokens and liquidity pools.
  5. Arbitrum: 19 cases resulted in $101,342,577 in losses, driven by attacks like the Radiant Capital breach.

By Category of Target

Token-based projects became the most affected category in 2024, with 47 incidents resulting in losses of $711.4 million. Tokens remain vulnerable because they are often used in liquidity pools, minting mechanisms, and poorly designed burn functions, which attackers exploit for price manipulation or fund drainage. The high losses from incidents such as the PlayDapp exploit and multiple flash loan attacks have highlighted the challenges in securing token ecosystems.

The target categories with the largest losses in 2024 were as follows:

  1. Tokens: 47 cases, losses of $711,400,000.
  2. Other Protocols: 38 cases, losses of $324,548,601.
  3. Borrowing and Lending Platforms: 20 cases, losses of $139,876,732.
  4. Gaming and Metaverse: 14 cases, losses of $116,284,522.
  5. Yield Aggregators: 12 cases, losses of $77,995,409.

Top 10 Exploits of 2024

1. DMM Bitcoin Hack — $300,000,000 Lost

In May 2024, DMM Bitcoin, a centralized cryptocurrency exchange, suffered a catastrophic hack, resulting in a $305 million loss. The breach was first detected through the movement of 4,502.9 BTC, which was quickly dispersed to multiple addresses. While the exact exploit method remains unconfirmed, potential causes include compromised private keys or vulnerabilities in the signing process. DMM Bitcoin’s response included securing remaining deposits and initiating an investigation, but no recoveries have been reported.

2. WazirX Multisig Exploit — $230,000,000 Lost

On July 19, 2024, WazirX, one of India’s largest exchanges, suffered a $230 million exploit due to a compromised multisig wallet. Attackers gained control of the Externally Owned Accounts (EOAs) of the wallet signers and used a delegate call to redirect the wallet’s proxy implementation to a malicious contract. This allowed unauthorized fund transfers, siphoning assets across multiple addresses. Despite swift detection, the assets remain unrecovered, and the incident exposed vulnerabilities in custodial wallet management.

3. Chris Larsen’s XRP Account Breach — $112,500,000 Lost

On January 30, 2024, Ripple co-founder Chris Larsen’s personal XRP account was hacked, resulting in the loss of 213 million XRP tokens, valued at approximately $112.5 million. The stolen funds were dispersed across major exchanges, including Binance, Kraken, KuCoin, and others. Blockchain investigator ZachXBT flagged the suspicious movement, prompting Larsen to clarify that the attack impacted his personal wallet and not Ripple’s corporate reserves. Efforts to recover the stolen assets have been unsuccessful.

4. Munchables Blast Exploit — $62,500,000 Lost (Recovered)

In March 2024, the Munchables protocol on the Blast blockchain was exploited, leading to the draining of 17,400 ETH (worth $62.5 million). The attacker exploited an upgradeable proxy contract with unverified source code to withdraw all funds. However, in a rare outcome, the attacker voluntarily returned the stolen assets to the project’s multisig wallet, marking a full recovery. The unverified nature of the proxy contract raised questions about the project’s security practices.

5. Radiant Capital Breach — $58,000,000 Lost

On October 16, 2024, Radiant Capital, a DeFi lending protocol operating on BSC and Arbitrum, fell victim to an access control exploit. Attackers compromised three of the protocol’s eleven private keys, enabling unauthorized upgrades to smart contracts. Liquidity pools holding USDC, WBTC, WETH, and BNB were drained, with $18 million stolen from BSC and the remainder on Arbitrum. Radiant suspended operations on affected chains and collaborated with security firms for investigation.

6. BitForex Exit Scam — $56,000,000 Lost

On February 23, 2024, centralized exchange BitForex abruptly halted withdrawals following suspicious outflows totaling $56 million across multiple blockchains, including Ethereum and TRON. The incident was deemed an exit scam rather than an external attack, as the funds were traced to addresses controlled by the exchange’s operators. Users reported being unable to access their accounts, and the platform has remained unresponsive, solidifying suspicions of insider foul play.

7. Phishing Attack on DeFi Saver Proxy — $55,000,000 Lost

On August 21, 2024, a phishing incident resulted in the loss of $55.4 million in DAI. The victim inadvertently signed a transaction that transferred ownership of their DeFi Saver Proxy to a phishing address. This allowed the attacker to seize control of the proxy contract and drain its contents. Six hours after the compromise, the attacker executed a series of withdrawals, converting the funds to Ethereum. This incident highlighted ongoing risks associated with phishing in the DeFi space.

8. BingX Hot Wallet Hack — $52,000,000 Lost

In September 2024, BingX, a Singapore-based centralized exchange, suffered a $52 million hot wallet breach. Attackers accessed the exchange’s wallets across multiple chains and swiftly swapped stolen assets to Ethereum. Initial estimates were around $26 million but were later revised upwards as investigations continued. Analysts linked the incident to the Lazarus Group, a notorious hacking entity known for targeting centralized exchanges through social engineering tactics.

9. PlayDapp Exploit — $32,350,000 Lost

On February 9-12, 2024, PlayDapp, an Ethereum-based P2E gaming platform, suffered a $32.35 million exploit caused by compromised private keys. Attackers minted 1.79 billion PLA tokens, significantly inflating the supply. Although the tokens were valued at $287 million, only $32 million could be liquidated. Funds were transferred across Ethereum, Binance, and Polygon, with some remaining in the attacker’s wallet. PlayDapp offered a $1 million reward for the return of stolen assets.

10. Penpie Reentrancy Attack — $27,000,000 Lost

On September 3, 2024, Penpie, a yield aggregator protocol, lost $27 million due to a reentrancy vulnerability. Attackers deployed malicious contracts that mimicked Pendle’s liquidity pools and used them to claim real rewards using valueless yield-bearing tokens. The exploit targeted Pendle’s rewards system, allowing attackers to siphon ETH and stablecoins. Despite the team’s quick response to pause the contracts, the attackers successfully withdrew assets across three transactions.
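
Several of the incidents above (WazirX, Munchables, Radiant Capital, the DeFi Saver Proxy phishing) came down to a proxy's implementation or owner being changed without authorization. The following added example, which is not from the De.Fi report, scans event logs for EIP-1967 `Upgraded` and OpenZeppelin-style `OwnershipTransferred` events and flags any new implementation or owner outside an allowlist. The addresses, allowlist and log entries are constructed, and it assumes the monitored contracts emit these two standard events.

```python
# Added example. Addresses, allowlist and log entries are constructed.
# Topic hashes are keccak256 of the standard event signatures.
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"   # Upgraded(address)
OWNERSHIP = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"  # OwnershipTransferred(address,address)

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20."""
    raw = topic.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    if len(raw) != 64 or raw[:24] != "0" * 24:
        raise ValueError("not a padded address topic: " + topic)
    return "0x" + raw[24:]

def flag_admin_events(logs, approved):
    """Return (block, contract, kind, new_value) for unapproved changes.

    approved: contract -> {"impl": set, "owner": set}, all lowercase.
    Contracts missing from the allowlist are always flagged.
    """
    alerts = []
    for log in logs:
        topics = [t.lower() for t in log["topics"]]
        if topics[:1] == [UPGRADED] and len(topics) >= 2:
            kind, new = "impl", topic_to_address(topics[1])
        elif topics[:1] == [OWNERSHIP] and len(topics) >= 3:
            kind, new = "owner", topic_to_address(topics[2])  # topics[1] is the previous owner
        else:
            continue  # unrelated or anonymous event
        contract = log["address"].lower()
        if new not in approved.get(contract, {}).get(kind, set()):
            alerts.append((log["blockNumber"], contract, kind, new))
    return alerts

def pad(addr):
    """Build a 32-byte topic from a 20-byte address (for the sample data)."""
    return "0x" + "0" * 24 + addr[2:]

VAULT, GOOD_IMPL, BAD_IMPL = "0x" + "aa" * 20, "0x" + "11" * 20, "0x" + "66" * 20
OWNER, NEW_OWNER = "0x" + "22" * 20, "0x" + "99" * 20
APPROVED = {VAULT: {"impl": {GOOD_IMPL}, "owner": {OWNER}}}
SAMPLE_LOGS = [  # constructed, shaped like eth_getLogs results
    {"address": VAULT, "blockNumber": 100, "topics": [UPGRADED, pad(GOOD_IMPL)]},
    {"address": VAULT, "blockNumber": 101, "topics": [UPGRADED, pad(BAD_IMPL)]},
    {"address": VAULT, "blockNumber": 102, "topics": [OWNERSHIP, pad(OWNER), pad(NEW_OWNER)]},
    {"address": VAULT, "blockNumber": 103, "topics": ["0x" + "00" * 32]},
]

if __name__ == "__main__":
    for alert in flag_admin_events(SAMPLE_LOGS, APPROVED):
        print(alert)
```

A delegatecall that rewrites the implementation pointer directly emits neither event, so a monitor of this kind should also poll the proxy's implementation storage slot and compare it with the approved value.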

Conclusion 

While 2024 saw total losses decline to $1.457 billion from 2023’s $1.96 billion, the persistence of attacks in all categories, from centralized exchanges to DeFi protocols, sets the bar high for security improvements. Access control continued as the most damaging issue, while token-based exploits and those against lending systems highlighted specific shortcomings of current smart contract design and oracle systems, respectively.

The year also showed that even as fund recoveries improved to $128.6 million from $202 million in 2023, the majority of stolen assets remain unrecovered. With exploits becoming increasingly complex and attackers getting wiser, proactive auditing, aggressive testing, and sophisticated monitoring remain key to reducing financial losses in the crypto space as the industry proceeds into 2025.


© De.Fi. All rights reserved.