The cryptocurrency industry suffered devastating losses in the second quarter of 2024, with a total of $572.7 million lost to hacks and fraud across 72 incidents, according to a comprehensive report published by Web3 bug bounty platform Immunefi on June 27. The figures represent a staggering 112% increase compared to the same period in 2023 and a 70.3% jump from Q1 2024, underscoring a dramatic escalation in the scale and sophistication of attacks targeting digital asset platforms.
The Exploit Mechanics
The Q2 2024 attack landscape was dominated by two massive centralized finance (CeFi) breaches that together accounted for more than 62% of all losses. Japanese cryptocurrency exchange DMM Bitcoin suffered the single largest exploit of the quarter, losing approximately $305 million in a sophisticated infrastructure compromise. Shortly after, Turkish exchange BtcTurk was hit by a cyberattack resulting in $55 million in losses.
These CeFi incidents marked a notable shift in attacker focus. While decentralized finance (DeFi) protocols had previously been the primary target, centralized platforms bore the brunt in Q2, accounting for 70% of total losses — $401.4 million across just five incidents. This represents a 984% surge in CeFi losses year-over-year, highlighting how a single infrastructure compromise at a centralized entity can cascade into nine-figure damages.
The attack vectors ranged from private key compromises and social engineering to direct infrastructure breaches. In the case of DMM Bitcoin, attackers exploited vulnerabilities in the exchange’s hot wallet infrastructure, draining funds before security teams could respond. The speed and precision of these operations suggest well-resourced threat actors, potentially with nation-state backing.
Affected Systems
Ethereum remained the most targeted blockchain network, experiencing 34 individual incidents that accounted for 46.6% of total losses across targeted chains. BNB Chain followed with 18 incidents representing 24.7% of losses. Smaller networks including Arbitrum, Blast, and Optimism also reported incidents, though at a lower frequency.
On the DeFi side, losses totaled $171.3 million across 62 incidents — actually a 25% decrease from the previous year, suggesting that DeFi protocols are gradually improving their security postures through audits, bug bounties, and formal verification processes. However, the sheer volume of incidents (62 in DeFi versus 5 in CeFi) indicates that the long tail of smaller vulnerabilities remains a persistent challenge.
Hacking accounted for nearly all of the quarter's losses, with $564.2 million stolen across 53 incidents, a 155% increase year-over-year. In contrast, fraud, scams, and rug pulls accounted for just $8.5 million across 19 incidents, an 81% decline from the prior year. This disparity suggests that the crypto security threat is increasingly technical rather than social in nature.
The Mitigation Strategy
Only $26.7 million in stolen funds was recovered during Q2, representing approximately 5% of total losses. These recoveries occurred across four specific incidents: Bloom, ALEX Lab, Gala Games, and YOLO Games. While the recovery rate improved slightly from 3.9% in Q2 2023, it remains alarmingly low.
Mitchell Amador, founder and CEO of Immunefi, emphasized that infrastructure compromises are particularly devastating because they can lead to significant financial losses in a single event, especially when CeFi infrastructure is involved. The concentration of losses in so few incidents — two attacks representing nearly $400 million — demonstrates the systemic risk posed by centralized custody solutions.
The report’s findings reinforce the critical importance of multi-layered security architectures: cold storage for the vast majority of assets, hardware security modules (HSMs) for key management, real-time transaction monitoring, and comprehensive incident response plans. Platforms that invested in these measures fared significantly better than those relying on simpler security models.
Lessons Learned
With Bitcoin trading at approximately $61,600 and Ethereum near $3,445 on June 27, the overall crypto market capitalization remains substantial, making it an attractive target for sophisticated attackers. The Q2 data reveals several key patterns that the industry must address.
First, the shift toward CeFi targeting means that exchanges and custodians must treat infrastructure security as an existential priority. The 984% year-over-year increase in CeFi losses is not a statistical anomaly — it reflects a deliberate strategic pivot by threat actors who recognize that centralized platforms offer higher-value targets with single points of failure.
Second, the dramatic decline in DeFi losses (down 25%) while CeFi losses skyrocketed suggests that the security investments made by DeFi protocols are paying off. Bug bounty programs, formal audits, and gradual decentralization of key management are producing measurable improvements.
Third, the low recovery rate (approximately 5% of Q2 losses) means that prevention is far more effective than remediation. Once funds leave a compromised platform, the probability of recovery drops sharply, particularly when attackers use cross-chain bridges and mixing services to launder stolen assets.
User Action Required
For individual crypto users, the Q2 report carries several actionable implications. Diversifying custodial exposure across multiple platforms reduces the impact of any single exchange compromise. Maintaining personal wallets with private key control, using hardware wallets for significant holdings, removes reliance on a third party's custody security, while shifting responsibility for protecting and backing up the keys to the user.
Users should also monitor platform security disclosures and track whether their preferred exchanges maintain active bug bounty programs, regular third-party audits, and transparent proof-of-reserves. Platforms that invest in these measures demonstrate a security-first culture that materially reduces the likelihood of catastrophic losses.
As the industry processes the lessons of Q2 2024, the message from Immunefi’s data is unambiguous: the threat landscape is intensifying, the stakes are rising, and security investment is no longer optional — it is the single most important determinant of platform survival in an increasingly hostile environment.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making investment decisions or choosing a crypto platform.
DMM Bitcoin losing 305 million in a single exploit and somehow it's barely talked about anymore. crypto goldfish memory is wild
305M from DMM alone and crypto twitter moved on in 3 days. if a traditional bank lost that it would be front page for a month
CeFi taking 70% of losses while DeFi gets all the FUD is telling. your keys your coins isn't just a meme, it's risk management
the fact that 5 incidents caused 401 million of the losses means this isn't a systemic issue, it's a few catastrophically bad security postures at centralized exchanges
Nadia K. 5 incidents causing 401M means the other 67 events averaged under 3M each. the long tail of DeFi exploits is small but loud
CeFi takes 70% of losses but DeFi gets all the regulatory scrutiny. makes zero sense from a risk perspective
Igor P. DeFi gets scrutiny because regulators don't understand it. CeFi gets a pass because it looks familiar. completely backwards incentives
112% increase YoY and BtcTurk gets hit for 55M right after DMM. the timing suggests these weren't isolated, someone was running playbooks on exchanges with weak infra
$572.7M in one quarter and most of it from 2 exchanges. centralized hot wallets are the weakest link in crypto, not smart contracts
hotwallets_ 2 exchanges accounting for 62% of losses confirms this isn't systemic. it's a few platforms with garbage security postures dragging the whole industry down