
$120 Million Lost in September Crypto Hacks: Best Practices for Protecting Your Digital Assets

The cryptocurrency industry suffered over $120 million in losses from more than 20 hacking incidents in September 2024, according to data from blockchain security firm PeckShield. With Bitcoin trading at approximately $60,837 and Ethereum around $2,449, the scale of these thefts underscores a persistent reality: as the crypto market grows, so does the sophistication of malicious actors targeting it.

The Threat Landscape

September’s losses paint a sobering picture. Three incidents alone accounted for more than 77% of total losses. The BingX exchange suffered a devastating $44 million breach, DeFi protocol Penpie lost $27 million, and Indonesian platform Indodax was drained of $22 million. Smaller but still significant losses hit DeltaPrime ($5.98 million), Truflation ($5.6 million), Shezmu ($4.9 million), Onyx ($3.8 million), BananaGun ($3 million), Bedrock ($1.75 million), and CUT ($1.4 million). An additional $32.4 million worth of spWETH was stolen through a Permit signature phishing attack, a figure not included in the headline total.

According to Immunefi, the broader third quarter of 2024 saw over $413 million in losses from 34 hacking and fraud incidents. The pattern is clear: centralized exchanges, DeFi protocols, and individual wallet holders all face substantial and evolving threats.

Core Principles

Protecting your crypto assets starts with understanding the attack vectors that repeatedly surface. Phishing attacks, particularly those that abuse signature-based approvals such as Permit and Permit2 signatures, remain the primary entry point for individual losses. The spWETH theft demonstrated that even technically proficient users can be tricked into signing malicious permit messages.

The principle of minimum exposure is fundamental. Keep only what you actively need for trading on exchanges. The BingX and Indodax breaches prove that even established platforms are not immune to sophisticated attacks. Hardware wallets remain the gold standard for storing significant holdings: devices from Ledger and Trezor keep the private key off the internet-connected computer and sign transactions on the device itself, which removes most remote attack vectors.

Smart contract approval hygiene represents another critical defense layer. Many users unknowingly grant unlimited token approvals to decentralized applications, creating persistent vulnerability even after they stop using a platform. Regularly revoking unnecessary approvals through tools like Revoke.cash or Etherscan’s token approval checker dramatically reduces your attack surface.
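The approval audit described above can be automated. The following is an added example, not code from the article and not the implementation behind Revoke.cash or Etherscan's checker: it reduces a wallet's ERC-20 `Approval` events (in the shape returned by `eth_getLogs`) to the allowances that are still live, flags the unlimited ones, and ABI-encodes the `approve(spender, 0)` call that revokes each. The addresses and log entries at the bottom are constructed sample data.

```javascript
// Added example, not code from the article or from Revoke.cash/Etherscan.
// Reduces a wallet's ERC-20 Approval events to its live allowances, flags the
// risky ones, and ABI-encodes the approve(spender, 0) call that revokes each.
// Input shape follows eth_getLogs (address, topics, data, blockNumber, logIndex);
// the sample logs at the bottom are constructed, not real chain data.

// keccak256("Approval(address,address,uint256)") and keccak256("approve(address,uint256)")[0:4]
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const APPROVE_SELECTOR = "0x095ea7b3";
const UINT256_MAX = (1n << 256n) - 1n;

const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();
const pad32 = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");

// Latest Approval per (token, spender) for `owner`, processed in chain order so
// a later approve(spender, 0) correctly supersedes an earlier unlimited approval.
function currentAllowances(logs, owner) {
  const ordered = [...logs].sort(
    (a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);
  const latest = new Map();
  for (const log of ordered) {
    if (log.topics[0] !== APPROVAL_TOPIC) continue;
    if (topicToAddress(log.topics[1]) !== owner.toLowerCase()) continue;
    const token = log.address.toLowerCase();
    const spender = topicToAddress(log.topics[2]);
    latest.set(`${token}:${spender}`,
      { token, spender, value: BigInt(log.data), block: log.blockNumber });
  }
  return [...latest.values()];
}

// Non-zero allowances at or above `threshold` (default: only the unlimited ones).
function riskyAllowances(allowances, threshold = UINT256_MAX) {
  return allowances.filter((a) => a.value > 0n && a.value >= threshold);
}

// Calldata for approve(spender, 0): 4-byte selector + two 32-byte ABI words.
function encodeRevoke(spender) {
  return APPROVE_SELECTOR + pad32(spender) + pad32("0");
}

// --- constructed sample data (hypothetical addresses) ---
const OWNER = "0x" + "aa".repeat(20);
const TOKEN = "0x" + "11".repeat(20);
const SPENDER_A = "0x" + "bb".repeat(20); // still holds an unlimited approval
const SPENDER_B = "0x" + "cc".repeat(20); // was unlimited, later revoked
const SPENDER_C = "0x" + "dd".repeat(20); // small, bounded approval
const approvalLog = (spender, valueHex, blockNumber, logIndex) => ({
  address: TOKEN,
  topics: [APPROVAL_TOPIC, "0x" + pad32(OWNER), "0x" + pad32(spender)],
  data: "0x" + pad32(valueHex), blockNumber, logIndex,
});
const SAMPLE_LOGS = [
  approvalLog(SPENDER_A, "f".repeat(64), 100, 3),
  approvalLog(SPENDER_B, "f".repeat(64), 101, 0),
  approvalLog(SPENDER_C, (100n * 10n ** 18n).toString(16), 102, 7), // 100 tokens, 18 decimals
  approvalLog(SPENDER_B, "0", 150, 2), // the owner revoked B here
];

function auditSample() {
  const allowances = currentAllowances(SAMPLE_LOGS, OWNER);
  const risky = riskyAllowances(allowances);
  return { allowances, risky, revokes: risky.map((a) => encodeRevoke(a.spender)) };
}

for (const r of auditSample().risky) {
  console.log(`revoke ${r.spender} on ${r.token}: ${encodeRevoke(r.spender)}`);
}
```

Sorting by block and log index matters: an unlimited approval followed by a revoke must net out to zero, which is why the sample for `SPENDER_B` is not reported. Lower the `threshold` argument of `riskyAllowances` to also surface large bounded approvals you no longer need.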

Tooling and Setup

A robust security setup begins with a hardware wallet configured with a freshly generated seed phrase, never entered on any internet-connected device. Supplement this with a dedicated browser profile for crypto activities, free from unnecessary extensions that could compromise your session. Use a password manager to generate and store unique credentials for every exchange and platform.

For DeFi users, consider employing a dedicated “burner” wallet for interacting with new or untested protocols. This limits potential losses to the funds in that specific wallet rather than exposing your entire portfolio. Multi-signature wallets like Safe (formerly Gnosis Safe) add an extra layer of protection for larger holdings by requiring multiple approvals before any transaction executes.

Enable every available security feature on exchanges: two-factor authentication via authenticator apps (not SMS), withdrawal whitelist restrictions, and anti-phishing codes in email communications. The few minutes spent configuring these settings can prevent catastrophic losses.

Ongoing Vigilance

Security is not a one-time setup but a continuous practice. Monitor your wallets and approved contracts regularly. Set up transaction alerts through block explorers or portfolio trackers. Stay informed about emerging threats by following reputable security researchers and firms like PeckShield, CertiK, and Trail of Bits on social media or through their newsletters.
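The transaction alerts mentioned above are straightforward to express as detection logic. The block below is an added example, not code from the article or from any block explorer or portfolio tracker: it scans ERC-20 `Transfer` events for tokens leaving a watched wallet and grades each one, treating a transfer that the wallet did not itself send (a third party spending a standing allowance via `transferFrom`) as the highest-severity case. It assumes a `txFrom` field has been joined onto each log from `eth_getTransactionByHash`, since `eth_getLogs` alone does not carry the transaction sender; all addresses and log entries are constructed.

```javascript
// Added example, not from the article or from any block explorer or tracker.
// Alert logic for ERC-20 Transfer events that move tokens out of watched
// wallets. `txFrom` (the transaction's sender) is assumed to have been joined
// onto each log from eth_getTransactionByHash; eth_getLogs alone does not
// carry it. All sample logs are constructed.

// keccak256("Transfer(address,address,uint256)")
const TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef";
const topicToAddress = (topic) => "0x" + topic.slice(-40).toLowerCase();

// Returns one alert per outgoing transfer from a watched wallet.
//  HIGH   : tokens left the wallet in a transaction the wallet did not send,
//           i.e. a third party spent a standing allowance (transferFrom)
//  MEDIUM : the wallet itself sent an amount at or above `largeThreshold`
//  INFO   : any other outgoing transfer
function transferAlerts(logs, watched, { largeThreshold }) {
  const watch = new Set(watched.map((a) => a.toLowerCase()));
  const alerts = [];
  for (const log of logs) {
    // ERC-20 Transfer has exactly 3 topics; ERC-721 Transfer indexes tokenId (4 topics)
    if (log.topics[0] !== TRANSFER_TOPIC || log.topics.length !== 3) continue;
    const from = topicToAddress(log.topics[1]);
    if (!watch.has(from)) continue; // incoming transfers are not alerted here
    const to = topicToAddress(log.topics[2]);
    const value = BigInt(log.data);
    const sender = (log.txFrom || "").toLowerCase();
    let severity = "INFO", reason = "outgoing transfer";
    if (sender && sender !== from) {
      severity = "HIGH"; reason = `spent via allowance by ${sender}`;
    } else if (value >= largeThreshold) {
      severity = "MEDIUM"; reason = "large outgoing transfer";
    }
    alerts.push({ tx: log.transactionHash, token: log.address.toLowerCase(),
                  from, to, value, severity, reason });
  }
  return alerts;
}

// --- constructed sample data (hypothetical addresses and tx hashes) ---
const WALLET = "0x" + "aa".repeat(20);
const TOKEN = "0x" + "11".repeat(20);
const FRIEND = "0x" + "22".repeat(20);
const THIRD_PARTY = "0x" + "ee".repeat(20);
const OTHER = "0x" + "33".repeat(20);
const pad32 = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const transferLog = (from, to, amount, txFrom, n) => ({
  address: TOKEN,
  topics: [TRANSFER_TOPIC, "0x" + pad32(from), "0x" + pad32(to)],
  data: "0x" + pad32(amount.toString(16)),
  txFrom, transactionHash: "0x" + n.toString(16).padStart(64, "0"),
});
const ONE = 10n ** 18n; // 18-decimal token
const SAMPLE_LOGS = [
  transferLog(WALLET, FRIEND, 10n * ONE, WALLET, 1),            // wallet pays a friend
  transferLog(WALLET, THIRD_PARTY, 5000n * ONE, THIRD_PARTY, 2), // allowance spent by someone else
  transferLog(OTHER, WALLET, 3n * ONE, OTHER, 3),               // incoming: not alerted
  transferLog(WALLET, OTHER, 2000n * ONE, WALLET, 4),           // large self-initiated send
];

function sampleAlerts() {
  return transferAlerts(SAMPLE_LOGS, [WALLET], { largeThreshold: 1000n * ONE });
}

for (const a of sampleAlerts()) console.log(a.severity, a.tx, a.reason);
```

The HIGH case is the one worth paging on: it is exactly what a forgotten unlimited approval looks like when it is finally used, and catching it on the first transfer is the only chance to revoke before the rest of the balance follows.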

Be particularly cautious during market volatility. Attackers often ramp up phishing campaigns during price swings, exploiting fear and urgency to trick users into hasty decisions. Verify every URL before connecting your wallet, and never trust links sent via direct messages or emails without independently confirming them.

Final Takeaway

The $120 million lost in September 2024 represents real people’s savings and investments. While no security system is perfect, layered defenses dramatically reduce your risk profile. Hardware wallets for storage, minimum exchange balances, regular approval audits, and constant vigilance form the foundation of responsible crypto asset protection. In an ecosystem where you are your own bank, treating security as a practice rather than a product is not optional — it is essential.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making decisions about your digital assets.


9 thoughts on “$120 Million Lost in September Crypto Hacks: Best Practices for Protecting Your Digital Assets”

    1. rekt_tracker

      BingX losing 44M from a top 20 exchange means their hot wallet was holding way too much. basic cold storage hygiene would have capped that at 5M max

    2. cold_storage_advocate

      $44m from a top 20 exchange and barely anyone talks about it. if this was a tradfi institution it'd be front page for weeks

  1. Penpie $27m and Indodax $22m in the same month. DeFi + CEX getting hit simultaneously is not a great look for the industry security posture

  2. the $32.4m spWETH phishing via Permit signatures is the one that scares me most. no code exploit needed, just social engineering

    1. ^ Permit signature scams are becoming the default attack vector for retail. blinded signed messages are basically giving away your keys

    2. permit signatures are the new approve() scam. users see a wallet popup and blindly sign. the UX has to change

      1. the fix is simple too. wallets should show exactly what you're signing in plain text instead of hex data. EIP-712 helps but most dapps still use generic permit frontends

        1. Bibek R.

          EIP-712 exists but dapps still use generic permit frontends that show hex. wallets need to parse the calldata and show plain text or this keeps happening
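Both the Core Principles section (phishing via signature-based approvals) and the comment thread above (wallets should render EIP-712 permit messages in plain words) point at the same control: inspect the typed data before signing. The block below is an added example, not code from the article, the commenters, or any wallet vendor. It normalises an EIP-2612 `Permit` and, going one step beyond the article, a Permit2 `PermitSingle`, renders the message as a sentence, and returns findings (unlimited amount, far-future deadline, chain mismatch, spender not on a trust list) that a wallet could surface before the user signs. `knownSpenders`, `expectedChainId`, the fixed clock and all addresses are assumptions constructed for the sample.

```javascript
// Added example, not from the article, the commenters, or any wallet vendor.
// A pre-signature check for the EIP-712 typed data behind an EIP-2612 `Permit`
// or a Permit2 `PermitSingle` request: it renders the message in plain words
// and returns findings that a wallet could show before the user signs.
// `knownSpenders`, `expectedChainId` and `now` are caller-supplied assumptions.

const UINT256_MAX = (1n << 256n) - 1n;
const UINT160_MAX = (1n << 160n) - 1n; // Permit2 amounts are uint160
const THIRTY_DAYS = 30n * 24n * 3600n;

// Bring both permit flavours into one shape (amount/deadline as BigInt).
function normalizePermit({ primaryType, domain, message }) {
  if (primaryType === "Permit") {
    return { kind: "EIP-2612", token: domain.verifyingContract, spender: message.spender,
             amount: BigInt(message.value), deadline: BigInt(message.deadline),
             chainId: Number(domain.chainId), unlimited: UINT256_MAX };
  }
  if (primaryType === "PermitSingle") {
    return { kind: "Permit2", token: message.details.token, spender: message.spender,
             amount: BigInt(message.details.amount), deadline: BigInt(message.details.expiration),
             chainId: Number(domain.chainId), unlimited: UINT160_MAX };
  }
  return null;
}

function inspectPermit(typedData, { now, expectedChainId, knownSpenders = [] }) {
  const p = normalizePermit(typedData);
  if (!p) return { verdict: "REJECT", findings: ["UNKNOWN_TYPE"], summary: null };
  const findings = [];
  if (p.chainId !== expectedChainId) findings.push("CHAIN_MISMATCH");
  if (p.amount === p.unlimited) findings.push("UNLIMITED_AMOUNT");
  if (p.deadline - BigInt(now) > THIRTY_DAYS) findings.push("LONG_DEADLINE");
  if (!knownSpenders.some((s) => s.toLowerCase() === p.spender.toLowerCase())) {
    findings.push("UNKNOWN_SPENDER");
  }
  const amountText = p.amount === p.unlimited ? "UNLIMITED" : `${p.amount} base units`;
  const deadlineText = p.deadline > 10n ** 12n ? "effectively never"
    : new Date(Number(p.deadline) * 1000).toISOString();
  const summary = `${p.kind}: let ${p.spender} spend ${amountText} of token ${p.token}, expiring ${deadlineText}`;
  return { verdict: findings.length ? "REJECT" : "OK", findings, summary };
}

// --- constructed samples (hypothetical addresses; clock fixed at 2024-10-01T00:00:00Z) ---
const NOW = 1727740800;
const TOKEN = "0x" + "11".repeat(20);
const ROUTER = "0x" + "ab".repeat(20);  // hypothetical contract the user trusts
const UNKNOWN = "0x" + "ef".repeat(20); // never seen before
const domain = { name: "Token", version: "1", chainId: 1, verifyingContract: TOKEN };
const BENIGN_PERMIT = { primaryType: "Permit", domain,
  message: { owner: "0x" + "aa".repeat(20), spender: ROUTER, value: "1000000000", nonce: 0, deadline: NOW + 1800 } };
const PHISHING_PERMIT = { primaryType: "Permit", domain,
  message: { owner: "0x" + "aa".repeat(20), spender: UNKNOWN, value: "0x" + "f".repeat(64), nonce: 0, deadline: "0x" + "f".repeat(64) } };
const PERMIT2_UNLIMITED = { primaryType: "PermitSingle",
  domain: { name: "Permit2", chainId: 1, verifyingContract: "0x" + "22".repeat(20) },
  message: { details: { token: TOKEN, amount: UINT160_MAX.toString(), expiration: NOW + 600, nonce: 0 },
             spender: ROUTER, sigDeadline: NOW + 600 } };

const POLICY = { now: NOW, expectedChainId: 1, knownSpenders: [ROUTER] };
for (const td of [BENIGN_PERMIT, PHISHING_PERMIT, PERMIT2_UNLIMITED]) {
  const r = inspectPermit(td, POLICY);
  console.log(r.verdict, r.findings.join(","), "|", r.summary);
}
```

The summary line is the plain-text rendering the commenters ask for; the findings are what a wallet or a browser extension would turn into a red banner. Note that Permit2 caps amounts at `uint160`, so its "unlimited" value differs from the EIP-2612 one, which is why the check compares against a per-flavour `unlimited` rather than a single constant.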

