Web3 Security Incidents in October 2024 Result in $147 Million in Losses

2024/11/03 04:04

Web3 Security Incidents in October: Analysis and Key Events

In October 2024, Web3 security incidents led to total losses of approximately $147 million. According to the SlowMist Blockchain Hack Archive, 28 separate attacks resulted in about $129 million in losses, with $19.3 million later recovered. These incidents reportedly involved a range of tactics, including exit scams, account takeovers, and price manipulation.

In addition, the Web3 anti-fraud platform Scam Sniffer reportedly recorded 12,058 phishing victims during the month, with losses totaling $18.04 million.

Here are some of the most notable Web3 security incidents that occurred in October, as reported by MistTrack:

EIGEN Token Theft

On October 5, EigenLayer announced on X that an isolated attack occurred in which a “communication thread between an investor and a custodian was compromised, leading to the unauthorized transfer of 1,673,645 EIGEN tokens to the attacker.” The attacker then exchanged the tokens “through decentralized platforms, transferring the proceeds to centralized exchanges.” Collaborative efforts with these platforms and law enforcement have “led to partial funds being frozen.”

SlowMist was invited as an independent investigator, concluding that the incident was initiated by a phishing attack “on the investor's employee email account, allowing the attacker to impersonate both the investor and custodian to redirect the token transfer.” EigenLayer expressed gratitude to SlowMist for their “thorough and timely investigation.”

Radiant Capital Attack

On October 17, Radiant Capital reported a security issue on BNB Chain and Arbitrum, “leading to the suspension of its Base and mainnet markets.” SlowMist analysis also notably revealed that after “taking control of three multisig permissions, the attacker upgraded a malicious contract to steal funds.”

By October 18, Radiant Capital released an incident report, “confirming around $50 million in losses due to a complex malware injection, which compromised devices of three core contributors, enabling malicious transaction signing.”

Tapioca DAO Exploit

On October 18, Tapioca DAO suffered a security breach, “losing around $4.7 million through a social engineering attack.” Attackers gained access to a key developer's private keys through an infectious “interview” tactic. The hacker group, identified as a North Korean entity, infiltrated the developer's device “with malware to acquire the private key.”

This “infectious interview” approach involved disguising as job candidates or recruiters, “luring targets into downloading malicious files.”

SHARPEI Token Price Crash

Launched on October 23, the meme token SHARPEI (SHAR) saw its market cap surge “to $54 million, only to drop 96% after a sudden $3.4 million sell-off by project insiders.” Leaked promotional documents “exposed several false claims, including fake endorsements from KOLs who later denied involvement, as well as fictitious partnerships.” The token's value continued to fluctuate “as these deceptions were revealed.”

U.S. Government-Controlled Wallet Suspicious Activity

On October 25, MistTrack reported “unusual” or suspicious outflows from a U.S. government-controlled wallet at address 0x88d5f, amounting to roughly $20 million in tokens, which included 5.4 million USDC, 1.12 million USDT, 13.7 million aUSDC, and 178 ETH. Most of these tokens were swapped for ETH. Following the transaction, “approximately $19.3 million was returned to the government address.”

Event Analysis and Security Recommendations

In October, attack methods became increasingly “sophisticated, including contract vulnerabilities, account takeovers, and new tactics like supply chain attacks, multisig theft, and price manipulation.” Two major exit scams resulted in multimillion-dollar losses, highlighting the need for “due diligence on project backgrounds and teams before investing.”

There was also an “uptick” in account compromise incidents, especially on platform X. Users and project teams can follow SlowMist's X Account Security Guidelines to review “permissions and bolster security settings.”

SlowMist advises increased vigilance against social engineering attacks, which, while technically “unsophisticated, can discreetly compromise assets.” Even though there was a decline in phishing-related losses compared to last month, “the number of victims has risen.” Users are urged to exercise caution, “routinely verify permissions, and avoid clicking unknown links or entering private keys/seed phrases.” Installing antivirus software (such as Kaspersky, AVG) and anti-phishing plugins (like Scam Sniffer) can “enhance device security.”

Original source: crowdfundinsider
