Carlito Perschky

Crypto and DeFi Hacks Q1 2024

Senior Threat Intelligence Analyst Carlito Perschky provides an overview of the most noteworthy crypto-related hacks of Q1, which saw multiple attacks against DeFi institutions.

Crypto-Focused Attacks on the Rise

Earlier this year we published a blog looking at cyberattacks against decentralized financial (DeFi) institutions and cryptocurrency services in 2023, noting that tens of millions of dollars were lost last year to attackers.

However, in terms of sheer volume of attacks, what we saw in 2023 is nothing compared to what we have already seen in the first quarter of 2024. In the month of January alone, it was reported that the total amount of money lost due to hacks and fraud related incidents is close to $127m – representing a 6x increase across the sector when compared to the total lost in January 2023 due to hacks and fraud related incidents.

The majority of these incidents are following the 2023 trend we highlighted of targeting DeFi institutions. For example, there were no major attacks or fraud incidents being reported for Centralized Finance (CeFi) institutions, such as cryptocurrency exchanges.

In this blog I am going to give a short overview of some of the most noteworthy attacks of the first quarter of the year and the attack techniques that were used.

Orbit Chain

South Korean-based Orbit Chain, a platform that communicates between and conducts transactions on multiple blockchains, was the victim of an attack in January that targeted the platform’s cross chain bridge. Orbit Chain released an official statement regarding the incident via Twitter/X, which outlined that within a 30 minute window the attacker/s moved approximately $81.5m in ETH, WBTC, USDT, USDC and DAI to eight separate wallets. The statement also said that the attack methodology used closely resembled that of the North Korean state sponsored hacking group Lazarus, who have been attributed to thefts valued at $1,903,600,000 between 2021 and 2023.

Gamme (GMME Token)

Gamme is a mobile gaming platform powered by its own GMEE token, allowing individuals to play their games and earn tokens via the gameplay or by watching advertisements. On January 23rd, attacker(s) gained unauthorized access to an older version of the project’s Gitlab via an exploit, which allowed them to identify the private key for the project’s deployer address. This allowed the attacker to use the “recoverERC721” function to steal roughly 600 million GMEE tokens and place it in wallets they control.


During 2023 a sophisticated social engineering attack against Coinspaid (attributed once again to the Lazarus group) resulted in a loss of $37m. Unfortunately, moving into 2024, the Estonian crypto-payments service was attacked again resulting in an additional loss of roughly $7.5m. Blockchain cybersecurity firm Cyvers detected the illicit transactions and posted them on X/Twitter. It has been reported that the attack technique was similar to that which took place in 2023 but there has been no official statement from Coinspaid regarding this matter. Crypto exchange WhiteBit reached out to crypto journalists with the following statement regarding the incident: “We are aware of attempts to deposit funds stolen in the Coinspaid incident to WhiteBIT. Security and compliance with AML standards is one of WhiteBIT’s main priorities. Therefore, we have frozen the funds in question and are conducting the relevant procedures.”

Gamma Strategies

The De-Fi project Gamma Strategies was the victim of an exploit that resulted in a loss of roughly 1500 ETH (approximately $3.4m). Gamma Strategies leverages active liquidity management and market-making strategies within decentralized hypervisors on Ethereum and other blockchains, enabling users to generate yield on their deposited assets. The root cause of the exploit was a flash loan attack against the price change threshold, enabling the attacker to manipulate the prices and generate an unusually large amount of tokens. After the attack, it was observed that roughly $2.2m has been sent directly to TornadoCash. Gamma Strategies reached out to the attackers, asking to negotiate.

Radiant Capital

The cross-chain lending project Radiant Capital also found itself victim to a flash loan attack on January 2, totaling a $4.5m loss. Blockchain security company Peckshield explained the incident via X/Twitter, detailing that a known rounding issue in the Aave codebase allowed the attackers to exploit a short time window in which a new market is activated within a lending market. The attack took place within six seconds of the new market being activated. It was also reported that after the incident took place there were numerous accounts on social media posing as Radiant Capital or its team members, using the chaos to spread phishing messages. A more technical breakdown of this attack can be found here.

Concentric Finance

Concentric Finance – a group that provides liquidity aggregation, sourcing its liquidity across multiple DEXs with the objective of providing additional returns on the amount of crypto that you have decided to stake – was the victim of a “targeted social engineering attack” in which the private key for the project’s deployer wallet was compromised. Due to the protocol’s use of upgradeable contracts once the deployer key had been compromised, the attacker was able to execute multiple unintended actions such as using the adminMint function to burn LP tokens and then mint them for themselves. Doing this repeatedly allowed them to drain the contracts of their funds. The funds were originally being held at this address but were moved in the following days. The resulting loss for this incident is estimated to be $1.8m.


In February 2024, hackers targeted PlayDapp, a blockchain game platform. They found errors in PlayDapp’s smart contracts and were able to mint an estimated $290 million worth of PLA tokens. This happened in two separate attacks, on February 9th and 12th.

The attack was conducted using an access control vulnerability, which allowed the attackers to grant themselves minting privileges with regards to the project. In the initial attack conducted on February 9, a total of $36.5m was minted and the attacker was able to cash these out on various exchange services, crashing the price of the token. After this initial breach the PlayDapp team attempted to negotiate with the attacker/s to no avail. The attacker then proceeded to mint a further 1.59 billion tokens, valued at $253m.

The attacker minted a substantial quantity of PLA tokens, totaling approximately 1.8 billion. This represents a significant increase compared to the pre-attack circulation of 577 million tokens. This substantial dilution of the token supply makes the task of selling the tokens for near-market value impossible. The situation is further compounded by the fact that exchanges are actively tracking and potentially freezing these newly minted tokens to hinder the attacker’s ability to convert them into other assets.

Defi Institutions in the crosshairs

These attacks show that criminals are systematically and mercilessly targeting DeFi institutions, no doubt motivated by the success of previous attacks. They are actively searching for vulnerabilities, utilizing a range of techniques, and when they find them they exploit them quickly. The losses have racked up into the hundreds of millions and many institutions are left with no alternative but to try to negotiate to recoup some of the lost assets and offset the risk of the projects going under.

It is hard to profile the adversaries responsible as they are using a range of methods to obfuscate where the funds are being deposited to. In some cases, it has been linked to state-backed activity, most notably with several of these incidents being likely related to the North Korean Lazarus group. What the first quarter of 2024 has also made clear is that, if an attack is successful, the attackers will often return to the same target and exploit the institution again.

Illicit cryptocurrency activity is intrinsically linked to the cybercriminal world and the underground markets of the dark web. to find out more about how, listen to carlito’s episode of the dark dive podcast – CRYPTOMIXERS, LINKSITES, AND DARK WEB SEARCH ENGINES.