
Crypto Security Best Practices After September 2024 Exchange Hacks: A Practical Guide

September 2024 delivered a brutal reminder of the persistent risks in cryptocurrency storage and trading. With over $120 million stolen across more than 20 separate incidents, including the $44 million BingX breach, the $27 million Penpie reentrancy exploit, and the $21 million Indodax hot wallet compromise, the month ranks among the costliest of the year for crypto security. As Bitcoin hovers around $64,300 and Ethereum trades near $2,650, the stakes have never been higher for everyday users seeking to protect their digital wealth.

The Threat Landscape

The September 2024 attacks revealed three dominant attack vectors that every cryptocurrency user should understand. First, centralized exchange hot wallet breaches remain the single largest source of stolen funds, with $636 million of the $1.19 billion stolen in 2024 originating from CeFi vulnerabilities. Exchanges like BingX and Indodax house substantial liquidity in internet-connected wallets, creating high-value targets that attract sophisticated criminal operations.

Second, DeFi protocol exploits continue to plague the ecosystem. The Penpie incident demonstrated how a reentrancy vulnerability in a staking contract function, specifically harvestBatchMarketRewards, could be exploited to artificially inflate reward balances and drain $27 million. The DeltaPrime hack, which netted $5.98 million after the key administering the protocol's upgradeable proxy contracts was compromised, showed that an audit of the code says nothing about how the keys that can replace that code are held: a recently audited codebase is still one stolen admin key away from total loss.
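To make the reentrancy pattern concrete, the Python model below is an added example, not Penpie's contract code: a hypothetical vault that credits as rewards whatever balance change it observes around an external call to a market contract, the kind of read-after-interaction that a reentrant call turns into free money. All contract names, addresses and balances are made up, and the guarded flag emulates Solidity's nonReentrant lock.

```python
"""Toy model of reentrancy in a reward-harvest function (added example; not
Penpie's code). The vault credits as "rewards" whatever reward-token balance
arrives during an external call to a market contract. If that call can
re-enter deposit(), the attacker's own deposit is counted as rewards.
All contract names, balances and the in-memory token ledger are hypothetical.
"""


class ReentrancyError(Exception):
    """Raised when the nonReentrant-style lock rejects a nested call."""


class RewardToken:
    """Minimal in-memory ERC-20-style ledger (hypothetical)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError(f"{sender} cannot send {amount}")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class StakingVault:
    """Stakes the reward token and measures harvested rewards as a balance delta.

    Checks-effects-interactions alone cannot fix this shape: the effect
    (crediting rewards) depends on a value read *after* the interaction, so the
    function must also be non-reentrant and should only call vetted markets.
    """

    def __init__(self, token, guarded):
        self.token = token
        self.guarded = guarded  # True: emulate Solidity's nonReentrant modifier
        self.locked = False
        self.deposits = {}      # user -> staked amount the vault owes back
        self.rewards = {}       # user -> claimable rewards the vault owes

    def deposit(self, user, amount):
        self._enter()
        try:
            self.token.transfer(user, "vault", amount)
            self.deposits[user] = self.deposits.get(user, 0) + amount
        finally:
            self._exit()

    def harvest(self, user, market):
        self._enter()
        try:
            before = self.token.balance_of("vault")
            market.redeem_rewards(self)          # untrusted external call
            earned = self.token.balance_of("vault") - before
            self.rewards[user] = self.rewards.get(user, 0) + earned
        finally:
            self._exit()

    def _enter(self):
        if self.guarded and self.locked:
            raise ReentrancyError("reentrant call rejected")
        self.locked = True

    def _exit(self):
        self.locked = False


class HonestMarket:
    """Pays out genuine rewards held at the "market" address."""

    def __init__(self, payout):
        self.payout = payout

    def redeem_rewards(self, vault):
        vault.token.transfer("market", "vault", self.payout)


class MaliciousMarket:
    """Re-enters deposit() mid-harvest so the deposit is credited as rewards."""

    def __init__(self, attacker, amount):
        self.attacker, self.amount = attacker, amount

    def redeem_rewards(self, vault):
        vault.deposit(self.attacker, self.amount)


def run_scenario(guarded, malicious):
    """Return "blocked", or (attacker rewards credited, vault assets, vault liabilities)."""
    token = RewardToken({"attacker": 1_000, "victim": 500, "market": 100, "vault": 0})
    vault = StakingVault(token, guarded)
    vault.deposit("victim", 500)
    market = MaliciousMarket("attacker", 1_000) if malicious else HonestMarket(100)
    try:
        vault.harvest("attacker", market)
    except ReentrancyError:
        return "blocked"
    assets = token.balance_of("vault")
    liabilities = sum(vault.deposits.values()) + sum(vault.rewards.values())
    return vault.rewards.get("attacker", 0), assets, liabilities


if __name__ == "__main__":
    print("unguarded + malicious:", run_scenario(False, True))  # (1000, 1500, 2500): insolvent
    print("guarded + malicious:  ", run_scenario(True, True))   # blocked
    print("guarded + honest:     ", run_scenario(True, False))  # (100, 600, 600): solvent
```

In the unguarded malicious run the attacker's own 1,000-token deposit is credited back as 1,000 of rewards, so the vault owes 2,500 against 1,500 of assets before anyone withdraws; the victim's stake is what eventually covers the gap. The lock alone stops this particular re-entry; restricting which market addresses harvest() will call is the second half of the fix.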

Third, permit phishing signatures emerged as a growing threat to individual users. Unlike credential phishing, permit phishing tricks the user into signing an off-chain EIP-712 message, typically an EIP-2612 permit or a Permit2 message, that grants a token allowance to an attacker-controlled address. The prompt looks like a harmless "sign in" or "verify wallet" request, costs no gas and creates no transaction in the victim's history; the attacker submits the signature on-chain later and calls transferFrom to drain the approved tokens at a time of their choosing. This vector has been responsible for increasing individual losses throughout 2024.
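The check a wallet, or a cautious user with the raw request in hand, could run on an eth_signTypedData_v4 payload before signing it, as an added example that is not the article's own and not any wallet's code. It handles EIP-2612 Permit plus Uniswap Permit2 PermitSingle and PermitBatch messages, and flags unlimited amounts, unrecognised spenders, long validity windows and chain-ID mismatches. The addresses, the fixed clock and the 7-day threshold are assumptions made for the example.

```python
"""Triage an eth_signTypedData_v4 permit request before signing it.
Added example, not the article's own and not any wallet's code. Supports
EIP-2612 "Permit" and Uniswap Permit2 "PermitSingle"/"PermitBatch" messages.
The addresses, the fixed clock and the 7-day threshold are assumptions.
"""
import json
import time

DAY = 86_400
MAX_UINT256 = 2**256 - 1      # EIP-2612 "value" is uint256
MAX_UINT160 = 2**160 - 1      # Permit2 amounts are uint160
LONG_VALIDITY_DAYS = 7        # assumed policy threshold


def _to_int(v):
    return int(v, 0) if isinstance(v, str) else int(v)


def _grants(typed_data):
    """Yield (spender, amount, expiry, unlimited_value) for supported permit types."""
    m, kind = typed_data["message"], typed_data.get("primaryType")
    if kind == "Permit":                 # token is the domain's verifyingContract
        yield m["spender"], _to_int(m["value"]), _to_int(m["deadline"]), MAX_UINT256
    elif kind == "PermitSingle":
        d = m["details"]
        yield m["spender"], _to_int(d["amount"]), _to_int(d["expiration"]), MAX_UINT160
    elif kind == "PermitBatch":
        for d in m["details"]:
            yield m["spender"], _to_int(d["amount"]), _to_int(d["expiration"]), MAX_UINT160


def triage_permit(request_json, *, known_spenders, expected_chain_id, now=None):
    """Return a list of red flags. An empty list means nothing obvious, not safe."""
    now = time.time() if now is None else now
    td = json.loads(request_json)
    grants = list(_grants(td))
    if not grants:
        return [f"primaryType {td.get('primaryType')!r} is not a permit; review it under a different checklist"]
    known = {a.lower() for a in known_spenders}
    flags = []
    chain = _to_int(td["domain"].get("chainId", 0))
    if chain != expected_chain_id:
        flags.append(f"domain chainId {chain} differs from expected {expected_chain_id}")
    for spender, amount, expiry, unlimited in grants:
        if amount >= unlimited:
            flags.append(f"unlimited allowance to {spender}")
        if spender.lower() not in known:
            flags.append(f"spender {spender} is not a contract you recognise")
        days = (expiry - now) / DAY
        if days > LONG_VALIDITY_DAYS:
            note = ("; for EIP-2612 the deadline only bounds submission, the allowance itself never expires"
                    if td["primaryType"] == "Permit" else "")
            flags.append(f"valid for {days:.0f} more days{note}")
    return flags


def decision(flags):
    return "REJECT" if flags else "REVIEW MANUALLY"


# ---- constructed sample requests (hypothetical addresses, fixed clock) ----
NOW = 1_727_000_000                                          # late September 2024
TOKEN = "0x1000000000000000000000000000000000000001"          # hypothetical ERC-20
ROUTER = "0x3000000000000000000000000000000000000003"         # a spender you recognise
DRAINER = "0xdEaD000000000000000000000000000000000000"        # attacker's spender

PHISHING_REQUEST = json.dumps({
    "primaryType": "Permit",
    "domain": {"name": "Example Token", "version": "1", "chainId": 1, "verifyingContract": TOKEN},
    "message": {"owner": "0x2000000000000000000000000000000000000002", "spender": DRAINER,
                "value": str(MAX_UINT256), "nonce": 0, "deadline": NOW + 365 * DAY},
})
BENIGN_REQUEST = json.dumps({
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 1,
               "verifyingContract": "0x4000000000000000000000000000000000000004"},
    "message": {"details": {"token": TOKEN, "amount": 1_000_000_000, "expiration": NOW + 1800, "nonce": 0},
                "spender": ROUTER, "sigDeadline": NOW + 1800},
})

if __name__ == "__main__":
    for name, req in (("phishing", PHISHING_REQUEST), ("benign", BENIGN_REQUEST)):
        flags = triage_permit(req, known_spenders={ROUTER}, expected_chain_id=1, now=NOW)
        print(name, decision(flags), flags)
```

The empty result for the benign request is deliberately labelled "REVIEW MANUALLY" rather than "safe": the checks catch the shape of a phishing permit, but only the user can confirm that the spender is the contract they meant to interact with.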

Core Principles

Effective cryptocurrency security rests on three foundational principles: minimal trust, redundant protection, and operational discipline. Minimal trust means never relying on a single entity — whether an exchange, a protocol, or a wallet provider — to safeguard your assets entirely. Redundant protection involves layering multiple security measures so that the failure of any one control does not result in total loss. Operational discipline requires maintaining consistent security practices even when convenience tempts shortcuts.

The fundamental question every crypto holder must answer is: who controls the private keys? If the answer is anyone other than you, you are accepting counterparty risk. This does not mean exchanges have no role — they provide essential liquidity and trading services — but their role should be limited to active trading capital, not long-term storage.

Tooling and Setup

For self-custody, hardware wallets remain the gold standard. Devices from established manufacturers keep the private key on the device, offline, and require physical confirmation of every transaction on the device itself, so an attacker who compromises the connected computer still cannot sign without the user pressing the button. That protection only holds if the user actually reads what the device displays; blind-signing opaque contract data hands the attacker the confirmation they need. Setup should include recording the recovery seed phrase on durable physical media, never digitally, and storing it securely. A second copy in a separate location protects against fire and loss, but every additional copy is one more place the seed can be stolen, so keep the count small and know where each copy is.

Software wallets serve as an intermediate layer for assets that require more frequent access. When selecting one, prefer open-source options that have undergone independent security audits. Verify every download before installing, and understand what each check proves: a checksum published next to the download only shows the file was not corrupted in transit, because an attacker who replaced the file can replace the checksum too; a GPG signature verified against the developer's key obtained separately and pinned from an earlier install is what actually defends against a compromised download server or a supply-chain substitution.

For exchange usage, configure every available security feature: two-factor authentication with a hardware security key (FIDO2/WebAuthn) where the exchange supports it, or a TOTP authenticator app otherwise, and never SMS; withdrawal address whitelisting with a time lock on additions; and an anti-phishing code in all exchange communications. These measures limit what an attacker can do with stolen credentials: without the second factor they cannot log in, and without passing the whitelist delay they cannot withdraw to an address you did not pre-approve.

Ongoing Vigilance

Security is not a one-time setup; it requires continuous attention. Regularly review wallet permissions, particularly token approvals on Ethereum and EVM-compatible chains. Tools exist to visualize and revoke active approvals, and revocation is simply an on-chain approve(spender, 0) call to the token contract, preventing dormant permissions from being exploited months after they were granted. This is especially relevant in the context of permit phishing, where victims often discover unwanted approvals only after funds have been drained. A phished permit that has already been submitted on-chain shows up as an ordinary allowance and can be revoked the same way; one that has been signed but not yet submitted cannot be recalled, so if you suspect you signed something malicious, move the tokens out of that wallet rather than waiting to see.
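What an approval-review tool does underneath, as an added example rather than the article's own tooling: replay ERC-20 Approval event logs for your address to find which allowances are still live, flag the unlimited and unrecognised ones, and build the approve(spender, 0) calldata that revokes each. The log entries are in the shape eth_getLogs returns; the token, owner and spender addresses and the logs themselves are constructed placeholders.

```python
"""Audit ERC-20 allowances from Approval logs and build the revoke transaction.
Added example, not the article's own tooling. Inputs are in the shape
eth_getLogs returns; the addresses and log entries below are constructed.
"""

# keccak256 of the two standard ERC-20 event signatures
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
APPROVE_SELECTOR = "0x095ea7b3"   # 4-byte selector of approve(address,uint256)
MAX_UINT256 = 2**256 - 1


def _addr_from_topic(topic):
    """Indexed address topics are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def decode_approval(log):
    """Return (token, owner, spender, value) for an Approval log, else None."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return (log["address"].lower(), _addr_from_topic(topics[1]),
            _addr_from_topic(topics[2]), int(log["data"], 16))


def current_allowances(logs, owner):
    """Replay Approval logs in chain order; the last value per (token, spender) wins.

    Log replay is an upper bound: transferFrom() lowers an allowance without
    necessarily emitting Approval, so confirm with an allowance(owner, spender)
    call before acting. Submitted permits appear here too, since standard
    permit() implementations emit the same Approval event.
    """
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    latest = {}
    for log in ordered:
        decoded = decode_approval(log)
        if decoded and decoded[1] == owner.lower():
            token, _, spender, value = decoded
            latest[(token, spender)] = value
    return {k: v for k, v in latest.items() if v > 0}


def audit(allowances, known_spenders):
    """Flag unlimited allowances and allowances to spenders you did not expect."""
    known = {a.lower() for a in known_spenders}
    findings = []
    for (token, spender), value in sorted(allowances.items()):
        if value == MAX_UINT256:
            findings.append(("unlimited", token, spender))
        if spender not in known:
            findings.append(("unknown-spender", token, spender))
    return findings


def revoke_calldata(spender):
    """ABI-encode approve(spender, 0): send this to the token contract to revoke."""
    return APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


# ---- constructed sample (hypothetical addresses) ----
ME = "0x5000000000000000000000000000000000000005"
TOKEN = "0x1000000000000000000000000000000000000001"
ROUTER = "0x3000000000000000000000000000000000000003"    # a spender you recognise
DRAINER = "0xdEaD000000000000000000000000000000000000"   # phished permit's spender
OTHER = "0x6000000000000000000000000000000000000006"     # someone else's wallet


def _pad32(hexstr):
    return "0x" + hexstr[2:].lower().rjust(64, "0")


def _log(topic0, token, a, b, value, block, idx):
    return {"address": token, "topics": [topic0, _pad32(a), _pad32(b)],
            "data": _pad32(hex(value)), "blockNumber": hex(block), "logIndex": hex(idx)}


SAMPLE_LOGS = [
    _log(APPROVAL_TOPIC, TOKEN, ME, ROUTER, 1_000_000_000, 0x10, 0),    # normal approval
    _log(TRANSFER_TOPIC, TOKEN, ME, ROUTER, 1_000_000_000, 0x10, 1),    # not an approval; ignored
    _log(APPROVAL_TOPIC, TOKEN, OTHER, DRAINER, MAX_UINT256, 0x18, 0),  # other owner; ignored
    _log(APPROVAL_TOPIC, TOKEN, ME, DRAINER, MAX_UINT256, 0x20, 1),     # submitted phishing permit
    _log(APPROVAL_TOPIC, TOKEN, ME, ROUTER, 0, 0x30, 0),                # router allowance revoked
]

if __name__ == "__main__":
    live = current_allowances(SAMPLE_LOGS, ME)
    for reason, token, spender in audit(live, known_spenders={ROUTER}):
        print(f"{reason}: token {token} spender {spender}")
        print("  revoke tx data:", revoke_calldata(spender))
```

On the sample the only live allowance is the unlimited one to the drainer address, which is reported twice (unlimited, and not a spender you recognise); the router's allowance was set back to zero in a later block and drops out. The revoke calldata goes in a transaction whose "to" is the token contract, not the spender.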

Stay informed about protocol incidents and security advisories. The September 2024 hacks affected users who had no direct interaction with the compromised platforms — contagion effects from DeFi exploits can impact connected protocols and liquidity pools. Understanding which protocols hold your assets and how they interact with the broader ecosystem is essential for risk management.

Transaction verification should become second nature. Before signing, verify the recipient address in full, not just its first and last few characters, since address-poisoning attacks rely on look-alike prefixes and suffixes; verify the amount; and verify the function being called. The same applies to typed-data signatures, where the spender and value fields are the ones that matter. Hardware wallets add a verification layer by displaying these details on their own screen, independent of the potentially compromised computer they are connected to, but the device can only show what it can decode: if the screen presents raw calldata or a bare hash, there is nothing to verify and the right answer is to refuse.

Final Takeaway

The $120 million lost in September 2024 was not an anomaly; it continued a trend that has seen over $1.1 billion stolen from cryptocurrency platforms in 2024 alone. The threats are real, evolving, and increasingly sophisticated. But the tools and practices to defend against them are also mature and accessible. Hardware wallets, multi-signature arrangements, careful permission management, and disciplined operational security remove most of the attack surface that produced these losses. The question is not whether these measures are worth the effort; the cumulative losses prove they are. The question is whether you will implement them before or after an incident affects you personally.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making investment decisions.


13 thoughts on “Crypto Security Best Practices After September 2024 Exchange Hacks: A Practical Guide”

  1. $120 million in one month across 20+ incidents and somehow people still think defi is safer than banks. the penpie reentrancy was textbook too, same vulnerability that has been known for years

    1. segfault $636M from CeFi alone in 2024 and people still keep funds on exchanges for convenience. the $44M BingX breach was totally preventable with basic multisig

    2. the Penpie reentrancy was basically a copy of attacks from 2021. same exploit pattern, different protocol. auditors keep missing the same class of bugs

      1. Kira same class of bug literally named after the 2016 DAO hack. protocols deploy in 2024 without checks-effects-interactions pattern. some lessons never stick

      2. auditors find what they are paid to find. a reentrancy check takes 5 minutes with slither. the problem is protocols skip audits entirely or treat them as checkboxes

        1. nullref_ slither catches reentrancy in 5 min but protocols skip audits or treat them as checkboxes. Penpie is what happens when you do security theater instead of security

  2. the hardware wallet section of this guide is solid. anyone reading this who does not have one yet, just get one. trezors are like 70 bucks

    1. been saying this since 2021. a trezor costs less than a single sushi order and people still keep 5 figs on exchange. blows my mind every time

      1. cold_wallet_ken: kosam83 a trezor costs less than a sushi order but people would rather risk 5 figs on an exchange than wait 3 days for shipping. human nature

  3. BingX losing $44M to a hot wallet compromise is pure negligence. multisig + time-locks have been standard since 2019. there is no excuse at that scale

  4. $636M from CeFi in 2024 and BingX could have been prevented with multisig. the negligence is almost worse than the hacks themselves

