Losses from blockchain security incidents dropped in April, with losses due to hacker attacks reaching US$101 million

8 min readMay 7, 2024

Noneage’s monthly security incident highlights have begun! According to statistics from some blockchain security risk monitoring platforms, in April 2024, the amount of losses from various security incidents continued to decrease compared with March. More than 32 typical security incidents occurred in April, and the total losses caused by hacker attacks, phishing scams and rug pulls reached US$101 million, a decrease of approximately 36% from March. Among them, attack incidents amounted to approximately US$52.56 million, a decrease of approximately 55%; phishing fraud incidents amounted to approximately US$11.4 million, a decrease of approximately 69%; Rug Pull incidents amounted to approximately US$37.05 million, an increase of approximately 624%. In addition, there are some specific security incidents and new news, which will be described in detail below.

Hacker Attacks

11 Typical Security Incidents

(1) On April 1, the DeFi protocol OpenLeverage was attacked due to a contract vulnerability, resulting in a loss of approximately US$230,000.

(2) On April 1, the ATM token on the BNB Chain chain was attacked due to a contract vulnerability, resulting in a loss of approximately US$180,000.

(3) On April 2, the decentralized exchange FixedFloat was attacked again, causing a loss of approximately US$2.8 million. FixedFloat said hackers exploited vulnerabilities in its third-party services.

(4) On April 12, the BASE ecological project SumerMoney was attacked due to a contract vulnerability, resulting in a loss of approximately US$350,000.

(5) On April 12, the Zest Protocol project on the Stacks chain suffered a price manipulation attack, and the attacker removed 324,000 STX (approximately US$1 million) from the protocol. Zest Protocol stated that this part of the loss will be compensated by the protocol treasury, and users will be fully compensated.

(6) On April 15, BASE ecological RWA project Grand Base lost approximately US$2 million due to the leak of the deployer’s private key.

(7) On April 19, the Hedgey Finance project was attacked due to contract vulnerabilities on both Ethereum and Arbitrum chains, resulting in losses of US$44.7 million.

(8) On April 24, the YIEDL project on the BNB Chain chain was attacked due to a contract vulnerability, resulting in a loss of approximately US$300,000.

(9) On April 24, Saita Chain’s cross-chain bridge project Xbridge was attacked due to a contract vulnerability, resulting in a loss of at least US$200,000.

(10) On April 25, the NGFS token on the BNB Chain chain was attacked due to a contract vulnerability, resulting in a loss of approximately US$190,000.

(11) On April 26, the cross-chain lending protocol Pike Finance was attacked, resulting in a loss of approximately US$300,000. Hackers drained USDC on Ethereum, Arbitrum and Optimism chains via fake CCTP messages.

Rug Pull / Phishing Scam

6 Typical Security Incidents

(1) On April 2, a rug pull occurred in Solareum on the Solana chain, and the deployer made a profit of US$520,000.

(2) On April 4, a Rug pull occurred on CondomSOL on the Solana chain, and the deployer made a profit of US$920,000.

(3) On April 11, an address starting with 0x5ea8 lost approximately US$840,000 on the Base chain due to phishing scams.

(4) On April 11, an address starting with 0x05f4 lost approximately US$1.2 million on the Base chain due to phishing scams.

(5) On April 19, an address starting with 0x5789 lost approximately US$770,000 due to phishing fraud.

(6) On April 20, a Rug pull occurred on the decentralized betting platform ZKasino. Users were unable to withdraw funds, and the project party deposited US$33 million in user funds into the pledge agreement Lido.

Crypto Crime

15 Typical Security Incidents

(1) On April 20, Hong Kong Customs successfully dismantled a money laundering syndicate involving more than HK$1.8 billion, and three people were arrested. According to the investigation, the gang processed more than 1,000 transactions by opening multiple local companies and multiple bank accounts, including funds transferred from virtual currency trading platforms.

(2) On April 23, the Public Security Bureau of Linyi County, Shandong Province successfully destroyed a criminal gang that used the purchase of virtual currencies to launder money for overseas fraudsters. A total of 6 criminal suspects were arrested, and the funds involved exceeded 2 million yuan.

(3) On April 16, the People’s Court of Dantu District, Zhenjiang City pronounced its verdict on the online pyramid scheme organized and led by Wang. Wang is the first “red notice” officer sentenced by the Zhenjiang Public Security Bureau in Jiangsu Province. In March 2021, the Zhenjiang Dantu Public Security Bureau discovered that a virtual currency platform called moom was suspected of online pyramid schemes. Subsequently, the police arrested 12 suspects involved in the case in many places. The principal criminal, Wang, absconded abroad, but in May 2023, under the continuous pursuit and persuasion of the police to surrender, Wang surrendered and returned to China. At the time of the incident, the platform had more than 100,000 registered members, with 1,000 levels, and the amount involved exceeded 100 million yuan.

(4) On April 7, four countries, Italy, Austria, Romania and Slovakia, conducted a joint operation to arrest 22 people and accused them of participating in the EU COVID-19 Recovery Fund fraud. During this arrest operation, the police seized and confiscated more than 600 people. billion euros in assets, including luxury sports cars, watches, jewelry and virtual currencies.

(5) On April 19, a jury in Manhattan, New York, convicted Mango Markets attacker Avi Eisenberg of fraud and market manipulation. New York District Court Judge Arun Subramanian will sentence him on July 29. He is expected to face up to 20 years. of imprisonment. It is reported that in October 2022, Mango Markets was attacked by Avi Eisenberg, losing $110 million in crypto assets.

(6) Taiwanese prosecutors have recommended at least 20 years in prison for the four main suspects in a fraud and money laundering case related to cryptocurrency trading platform ACE Exchange. Prosecutors now believe more than 1,200 people were defrauded, with losses estimated to total NT$800 million (US$24.56 million).

(7) On April 25, Jebara Igbara, known as “Jay Mazini,” was sentenced to seven years in prison by U.S. District Judge Frederic Block and required to forfeit $10 million for his involvement in multiple cryptocurrency-related fraud cases. Igbara, 28, ran a Ponzi scheme targeting Muslims through his company, Halal-Capital LLC. He claimed to be a successful cryptocurrency millionaire on social media such as Instagram and deceived investors by offering cryptocurrency prices higher than the market and sending fake wire transfer confirmation images, ultimately defrauding at least $8 million.

(8) Shanxi police uncovered a major case of infringement of citizens’ personal information and eradicated a new type of cybercrime gang that used virtual currency to buy and sell citizens’ information on overseas platforms. A total of 7 suspects were arrested, more than 30 million yuan of funds involved in the case were frozen, and mobile phones and computers involved were seized. More than 30 units.

(9) Charles O. Parks III, 45, is suspected of stealing $3.5 million worth of cloud computing services and mining $1 million worth of cryptocurrency through a so-called “cryptojacking” scheme, according to the U.S. Department of Justice. Parks allegedly defrauded two “well-known” cloud computing providers, committing wire fraud, money laundering and illegal currency transactions, according to official government releases.

(10) On April 14, Russian police seized more than 3,200 encryption mining equipment in raids on four large “illegal” data centers in Siberia, and the police have filed criminal charges against the operators of the mining centers. The miners are estimated to have stolen a total of $2.1 million worth of electricity from the Novosibirsk power grid.

(11) On April 13, according to Xinmin Evening News, a man defrauded three “friends” of more than 1 million yuan in the name of investing in virtual currencies.

(12) On April 12, the U.S. Attorney for the Southern District of New York announced that hacker SHAKEEB AHMED was formally sentenced to three years in prison by a U.S. District Judge for hacking into two independent decentralized cryptocurrency exchanges and stealing more than $12 million worth. of cryptocurrency.

(13) On April 12, according to Korean media YTN, a suspect in his 40s met a victim near Samseong Station in Seoul, offered to sell tokens at a price lower than the market price, and then brandished a blunt object He stole 500 million won in cash and escaped. Previously, three men in their 30s were arrested in Yeoksam-dong, Seoul, for stealing 550 million won in cash using token transactions as bait, but the police believe they have no connection with this suspect.

(14) In October 2023, a wealthy Chinese businessman was kidnapped at gunpoint at a well-known golf course in the UK. He was threatened with a knife, beaten and locked in a cage for more than 30 hours by a crypto extortion gang, and demanded $15 million in Bitcoin. . Recently, the suspects in the case are on trial.

(15) On April 24, the co-founder of the crypto currency mixing service Samourai Wallet was arrested on suspicion of laundering US$100 million from Silk Road and other illegal markets.


Judging from the analysis of the above multiple events, although the amount of losses from various blockchain security incidents continued to decline in April, there was still a loss of US$46.93 million from contract vulnerability exploitation. Among them, the largest security incident this month was that Hedgey Finance was attacked due to a contract vulnerability, resulting in a loss of approximately US$44.7 million. This incident accounted for 85% of the total losses from hacking attacks that month. The zero-hour technology security team recommends that project parties always remain vigilant and find a professional security company to conduct audits and conduct project background investigations before the project goes online.

💬 Website 🐦Twitter




Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.