In December, the losses due to hacker attacks amounted to $28.6 million, making it the month with the fewest hacker attacks of the year.

lunaray
5 min read · Jan 2, 2025

The monthly security incident roundup from Zero Hour Technology is here. According to statistics from blockchain security risk monitoring platforms, losses from security incidents in December 2024 fell sharply compared to November. More than 23 notable security incidents occurred in December, and total losses from hacker attacks, phishing scams and rug pulls reached US$28.6 million, a decrease of about 55% from November.

Hacker attack

7 typical security incidents

(1) On December 1, @shoucccc, co-founder of the security firm Fuzzland, tweeted that the decentralized trading platform Clipper had been hacked through an API vulnerability (such as a private key leak), with losses already above US$500,000 and US$6.5 million at risk, and advised users to withdraw their funds immediately. The next day, the decentralized exchange (DEX) Clipper clarified that the protocol had been exploited through a vulnerability in its withdrawal function, with a loss of US$450,000, rather than through the private key leak claimed by a “third party”.

(2) On December 3, according to monitoring by the SlowMist security team, RunWay (BYC) was suspected to have been attacked on BSC, resulting in a loss of approximately US$100,000.

(3) On December 4, Chaofan Shou, co-founder of security company Fuzzland, said on the X platform: “Vestra DAO has just been hacked and the attack is still ongoing. $480,000 has been lost and more may be lost in the future. It is recommended to withdraw the stake and liquidity immediately.”

(4) On December 10, the Lingshi Technology project team monitored an on-chain attack against the CloberDEX project on Base. The root cause was that the CloberDEX contract performed no reentrancy check in the code path that mints and burns LP tokens, and it updated its state variables only after the external call, so the attacker could re-enter that path and drain the project’s WETH. For a detailed attack analysis, please click this link:

https://mp.weixin.qq.com/s/ff0YJBuZiaVBIIUZlarXRQ

(5) On December 15, the Lingshi Technology project team monitored an on-chain attack against the DCFToken project on BNB Smart Chain, from which the attacker profited approximately US$8,800. The root cause is that the DCFToken contract derives the DCFToken price from a single source, the PancakeSwapV2 pool, so the attacker could manipulate that price and then arbitrage the difference. For a detailed attack analysis, please click this link:

https://mp.weixin.qq.com/s/DDadR1nOyYl-dPi5zwLLSQ
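The single-source price dependence described above, as an added example that is not part of the original report or of the DCFToken project’s code: a constant-product pool is modelled in Python, one large swap is shown shifting the spot price a contract would read from the reserves, and a time-weighted average with a deviation check shows how a hardened integration would reject that reading. Pool sizes, the swap amount and the price history are constructed values.

```python
"""Single-pool spot price vs. a time-weighted average (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product pool (x * y = k) holding TOKEN and a quote asset."""
    reserve_token: float
    reserve_quote: float
    fee: float = 0.0025  # PancakeSwapV2 charges 0.25% per swap

    def spot_price(self) -> float:
        """Quote per TOKEN read straight from reserves: the manipulable reading."""
        return self.reserve_quote / self.reserve_token

    def buy_token(self, quote_in: float) -> float:
        """Swap quote for TOKEN in one transaction; returns TOKEN received."""
        k = self.reserve_token * self.reserve_quote
        new_quote = self.reserve_quote + quote_in * (1 - self.fee)
        token_out = self.reserve_token - k / new_quote
        self.reserve_quote += quote_in
        self.reserve_token -= token_out
        return token_out


def twap(samples: list[tuple[int, float]]) -> float:
    """Time-weighted average over (seconds_held, price) samples from past blocks.

    A swap inside the current transaction cannot move this: manipulated
    reserves only enter the average once held across a block boundary.
    """
    total = sum(seconds for seconds, _ in samples)
    return sum(seconds * price for seconds, price in samples) / total


def within_deviation(spot: float, reference: float, max_bps: int = 500) -> bool:
    """Sanity check: accept spot only if it is within max_bps of a reference."""
    return abs(spot - reference) * 10_000 <= max_bps * reference


def demo() -> dict:
    """Attacker buys into a thin pool, then the contract reads both oracles."""
    pool = Pool(reserve_token=1_000_000.0, reserve_quote=100_000.0)  # 0.10 quote
    honest = pool.spot_price()
    history = [(3600, 0.100), (3600, 0.101), (3600, 0.099)]  # constructed hours
    pool.buy_token(50_000.0)  # large one-shot buy inside the attack transaction
    manipulated = pool.spot_price()
    average = twap(history)
    return {"honest": honest, "manipulated": manipulated, "twap": average,
            "spot_accepted": within_deviation(manipulated, average),
            "twap_accepted": within_deviation(average, honest)}
```

With these numbers the single buy more than doubles the spot reading, while the TWAP stays at the honest price and the deviation check rejects the manipulated spot.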

(6) On December 24, according to Scam Sniffer monitoring, a victim lost $1 million to fake Zoom malware linked to the us04-zoom[.]us threat actor. Cases of private-key-stealing malware are on the rise; the source of any installer should be strictly verified and a security scan performed before installation. Earlier, X platform user Lsp (@lsp8940) posted: “My wallet was stolen and I lost 1 million USD0++. The hacker disguised a Twitter account and pretended to be my friend, using information from my Twitter interactions. Then the other party said he wanted to have a meeting with me to discuss the project development and sent me a Zoom link. I have Zoom on my computer, but there had always been problems when I used Zoom before, so I needed to reinstall it. So when the webpage prompted me to reinstall it, I did, and when I woke up, I found that my account had been stolen.”

(7) On December 29, the FEG project was attacked and lost about US$1 million. According to analysis, the root cause appears to be a composability problem in its integration with the underlying Wormhole cross-chain bridge, which it uses to pass cross-chain messages and tokens.

Rug Pull / Phishing Scam

9 typical security incidents

(1) On December 1, the address 0x32b8 lost $1.45M in Aave USDC after signing a phishing “Permit” signature.

(2) On December 3, the address 0x95d1 lost $1.41M after signing a phishing “Approval” transaction.

(3) On December 5, the address 0x30f8 lost 2.77 BTC ($284K+) to phishing less than an hour after withdrawing from MEXC, having fallen for an “Increase Approval” phishing signature.

(4) On December 8, the address 0x16f5, a $PEPE holder, lost $135 after signing a malicious “increaseAllowance” transaction.

(5) On December 9, a victim lost $2.2M after clicking a phishing link posted from the compromised WallStreetBets X account. According to analysis, the phishing site abused XSS vulnerabilities in other websites.

(6) On December 11, the address starting with 0x7a12 lost $7.8M worth of SolvBTC after signing the phishing transaction.

(7) On December 18, the address starting with 0xae4f lost $492K worth of aEthWETH and aPolWMATIC after signing a “Permit” phishing signature.

(8) On December 20, the address starting with 0x8458 lost 1 Doodles NFT after signing a “setApprovalForAll” phishing transaction.

(9) On December 20, the address starting with 0x61ccc lost $200K after signing the “increaseAllowance” phishing transaction.
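The approval transactions behind incidents (2), (3), (4), (8) and (9) above can be recognised from their calldata before the user signs. The following added example (not from the original report or from any wallet’s code) decodes the standard ERC-20/ERC-721 approval selectors and assigns a risk verdict a wallet could display; spender addresses and amounts are constructed placeholders.

```python
"""Flag wallet-draining approval calldata before it is signed (constructed example)."""
from __future__ import annotations

# 4-byte selectors = keccak256(signature)[:4] for the standard ERC-20 / ERC-721
# calls named in the incidents. EIP-2612 "Permit" phishing is an off-chain
# typed-data signature rather than calldata, so this decoder does not cover it.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
MAX_UINT256 = 2**256 - 1


def decode_approval(calldata: str) -> dict | None:
    """Return {function, spender, value} for a known approval call, else None."""
    data = calldata.lower().removeprefix("0x")
    sig = SELECTORS.get(data[:8])
    if sig is None or len(data) != 8 + 2 * 64:  # selector + two 32-byte words
        return None
    spender = "0x" + data[32:72]           # address is right-aligned in word 1
    value = int(data[72:136], 16)          # token amount, or 1/0 for the bool
    return {"function": sig, "spender": spender, "value": value}


def assess(calldata: str, trusted_spenders: set[str]) -> str:
    """Risk verdict a wallet could show next to the confirmation button."""
    call = decode_approval(calldata)
    if call is None:
        return "not an approval call"
    if call["spender"] in trusted_spenders:
        return "LOW: approval to a known contract"
    if call["function"].startswith("setApprovalForAll"):
        return ("HIGH: grants transfer rights over every NFT in the collection"
                if call["value"] == 1 else "revocation of collection approval")
    if call["value"] == 0:
        return "revocation (allowance set to 0)"
    if call["value"] >= MAX_UINT256 // 2:
        return "HIGH: unlimited token allowance to an unknown spender"
    return "MEDIUM: token allowance to an unknown spender"


def word(hex_value: str) -> str:
    """Left-pad a hex string to one 32-byte ABI word."""
    return hex_value.rjust(64, "0")


# Constructed samples; 0x11..11 and 0x22..22 are placeholder spender addresses.
UNLIMITED_APPROVE = "0x095ea7b3" + word("11" * 20) + word("f" * 64)
NFT_APPROVE_ALL = "0xa22cb465" + word("22" * 20) + word("1")
SMALL_INCREASE = "0x39509351" + word("22" * 20) + word(hex(1000 * 10**18)[2:])
```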

Summary

In the last few months of 2024, losses from cryptocurrency scams, vulnerabilities and hacker attacks gradually decreased, and December had the fewest hacker attacks of the year. Vulnerabilities caused most of the losses, with attackers stealing $26.7 million in December. The Zero Time Technology security team recommends that project owners remain vigilant and remind their users to beware of phishing attacks. Users should fully understand a project’s background and team before participating and choose investments carefully. Projects should also carry out internal security training and permission management, and engage professional security firms to audit the code and perform a background check before going live.

