September 2024 delivered a brutal lesson in cryptocurrency security. With over $120 million stolen across more than 20 separate hacking incidents, the month became one of the most damaging periods for digital asset security in recent memory. From the Penpie reentrancy exploit on September 3, which drained $27 million from a DeFi yield protocol, to the Indodax hot wallet breach on September 10 that cost $21 million, to the catastrophic $44.7 million BingX exchange hack on September 19, the pattern is unmistakable: funds held on centralized platforms remain dangerously exposed.
The Threat Landscape
The numbers tell a sobering story. According to security researchers, approximately $636 million of the $1.19 billion stolen across all of 2024 originated from centralized finance (CeFi) vulnerabilities. That means exchanges and custodial platforms—not DeFi protocols—are the primary targets for sophisticated attackers. The reason is simple: exchanges concentrate enormous pools of assets behind a single security perimeter, creating high-value targets that justify the resources required for advanced attacks.
With Bitcoin trading around $60,000 and Ethereum near $2,420 in mid-September, the notional value of even small percentage losses from exchange reserves runs into tens of millions of dollars. Attackers employ increasingly sophisticated methods, including social engineering of exchange employees, exploitation of hot wallet key management systems, and supply chain attacks on third-party services. The rise of permit phishing attacks—where users are tricked into signing malicious transaction approvals—adds another layer of risk that even technically savvy users struggle to defend against.
Core Principles
Understanding the fundamental difference between hot and cold storage is the foundation of any serious crypto security strategy. Hot wallets are connected to the internet and designed for frequent transactions. They offer convenience but sacrifice security. Cold storage keeps private keys completely offline, typically on hardware devices or paper wallets, so the keys themselves are out of reach of remote attackers. The tradeoff is usability—every transaction requires physical access to the signing device.
The core principle is straightforward: never store more funds in hot wallets than you can afford to lose. For exchanges, this means keeping the vast majority of user deposits in cold storage and only maintaining enough hot wallet liquidity to cover typical daily withdrawal demand. For individual users, it means keeping only trading funds on exchanges and storing long-term holdings in personal cold storage solutions.
Tooling and Setup
Setting up robust cold storage does not require technical expertise. Hardware wallets from established manufacturers like Ledger and Trezor offer user-friendly interfaces backed by battle-tested security architectures. The setup process involves initializing the device, recording the recovery seed phrase on a durable physical medium (never digitally), and verifying the first transaction. For maximum security, the seed phrase should be stored in a fireproof safe or split across multiple secure locations using metal backup plates.
For users who interact with DeFi protocols, consider using a dedicated hardware wallet that connects only to well-known interfaces. Services like Rabby Wallet or Frame provide hardware wallet integration that makes signing transactions relatively painless while maintaining the security benefits of offline key storage. Multi-signature solutions like Gnosis Safe add another layer of protection by requiring multiple approvals for any transaction, distributing trust across several devices or individuals.
Ongoing Vigilance
Security is not a one-time setup—it is an ongoing discipline. Regularly audit which contracts and applications have been approved to spend your tokens using tools like Revoke.cash. Update hardware wallet firmware when new versions are released, but only by downloading directly from the manufacturer’s official website. Be skeptical of unsolicited messages, even those appearing to come from legitimate platforms, and never enter your seed phrase on any website or application.
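The approval audit described above, together with the permit-phishing risk raised earlier, as an added example that is not from the original article: it assumes a wallet or audit script already has the decoded `approve`/`permit` request and a chain-ordered list of Approval events, and the spender allowlist, addresses and event history are constructed.

```python
import time

UINT256_MAX = 2**256 - 1          # the "unlimited" allowance phishing pages ask for
ONE_YEAR = 365 * 24 * 3600
VETTED = "0x" + "11" * 20         # constructed: a router the user has knowingly approved
PHISH = "0x" + "ab" * 20          # constructed: an unknown spender from a phishing page
KNOWN_SPENDERS = {VETTED}


def audit_request(req, known=KNOWN_SPENDERS, now=None):
    """Findings for one approve()/permit request before it is signed.
    req: kind ('approve'|'permit'), spender, value, balance, deadline (permit).
    An empty list means nothing was flagged."""
    now = time.time() if now is None else now
    spender, value, out = req["spender"].lower(), int(req["value"]), []
    if spender not in known:
        out.append("spender not on your vetted allowlist")
    if value == UINT256_MAX:
        out.append("unlimited allowance: spender can move your whole balance")
    elif value > int(req["balance"]):
        out.append("allowance exceeds what you currently hold")
    # EIP-2612 permit is an off-chain signature: no gas prompt, nothing broadcast,
    # so a phishing page can collect it silently and redeem it much later.
    if req["kind"] == "permit" and int(req["deadline"]) - now > ONE_YEAR:
        out.append("permit deadline is effectively unbounded")
    return out


def stale_allowances(approval_events, known=KNOWN_SPENDERS):
    """Periodic audit over Approval(owner, spender, value) events, in chain
    order: the latest value per (token, spender) is the live allowance."""
    latest = {}
    for ev in approval_events:
        latest[(ev["token"], ev["spender"].lower())] = int(ev["value"])
    return [{"token": t, "spender": s, "value": v} for (t, s), v in latest.items()
            if v and (v == UINT256_MAX or s not in known)]


# Constructed samples: a phishing-style permit and a short approval history.
SAMPLE_PERMIT = {"kind": "permit", "spender": PHISH, "value": UINT256_MAX,
                 "balance": 10**21, "deadline": UINT256_MAX}
SAMPLE_EVENTS = [
    {"token": "USDC", "spender": VETTED, "value": UINT256_MAX},  # once unlimited...
    {"token": "USDC", "spender": VETTED, "value": 10**9},        # ...later tightened
    {"token": "USDC", "spender": PHISH, "value": UINT256_MAX},   # permit phishing result
    {"token": "WETH", "spender": PHISH, "value": 0},             # already revoked
]

if __name__ == "__main__":
    print(audit_request(SAMPLE_PERMIT))
    print(stale_allowances(SAMPLE_EVENTS))
```

Only the entries returned by `stale_allowances` need a revoke transaction; an allowance that was later reduced to a bounded amount for a vetted spender is left alone.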
The devastating hacks of September 2024 should serve as a wake-up call for anyone holding significant cryptocurrency on exchanges. The convenience of keeping funds online comes with a risk that, as Indodax, Penpie, and BingX users discovered, can materialize without warning. The cost of a hardware wallet—typically between $50 and $200—is trivial compared to the potential loss from an exchange breach.
Final Takeaway
The crypto security landscape in 2024 makes one thing abundantly clear: if you do not hold your own keys, you do not truly hold your own coins. The tools for self-custody are more accessible than ever, and the consequences of ignoring this fundamental principle are measured in hundreds of millions of dollars. Take control of your security today, because the next exchange hack is not a question of if, but when.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
$120M stolen in one month and people still keep their entire stack on exchanges. Hardware wallet is $60, people.
The $636M from CeFi out of $1.19B total stolen in 2024 is the stat that matters. Not your keys, not your coins isn't just a meme.
Chen W people keep their stack on exchanges for convenience. hardware wallets are cheaper than ever but the ux gap is still the bottleneck
the BingX $44.7M hack was wild. centralized exchanges are juicy targets no matter how secure they claim to be
Penpie reentrancy on Sept 3 then BingX losing 44.7M barely two weeks later. if that doesn't convince you to get a hardware wallet nothing will
636M from CeFi in 2024 alone. the Penpie and BingX hacks happened within 2 weeks. if you still keep significant funds on exchanges that's on you at this point
ledger_convert 636M from CeFi in 2024 is staggering. the Penpie exploit used a reentrancy bug that was well documented. basic security hygiene would have caught it
the 120M stolen in september 2024 was spread across 20 incidents. it's not one big hack that's the problem, it's the constant drip of smaller ones that adds up
exactly, 20 separate incidents means it's not one bad actor, it's systematic. CeFi is structurally vulnerable no matter how many audits they run
20 separate hacks in one month means attackers are running playbook operations against exchanges. the Indodax $21M heist was barely a week after Penpie