All Major Crypto Hacks To Date (Updated List)

118 Entries to date. Last updated in Jan 2024.

In this post, I collected data from various sources to compile a comprehensive list of all the hacks that we know of, from the early days of crypto, to most recent times.

Crypto exchanges (both centralized and decentralized) get hacked all the time, which is why I always advise my friends and followers to keep their long term holdings in HD wallets (cold storage) instead of risking their hard-earned money being stolen.

The total amount of money lost in cryptocurrency hacks in 2023 is approximately $3.7 billion, which dropped by 51% compared to 2022. Vulnerabilities in exchanges accounted for over 22% of the overall amount. Exchanges are no longer the main victim of hacks and exploits. An estimated $6B, worth of cryptocurrency had been stolen in more than 13 cross-chain bridge attacks, just in 2022.

This is why I feel it’s important to highlight the risks we are facing when investing in, and using cryptocurrencies.

This list keeps being updated and new entries are added regularly.

---

Jan 2024 – Abracadabra ($6.4 M)

DeFi platform Abracadabra confirmed that it has been hit by a security attack, resulting in a loss of approximately $6.4 million. According to blockchain security firm Blocksec, the attack involved a malicious actor draining funds from the project’s smart contracts by taking advantage of a rounding issue, which resulted in what is known as a ‘precision loss’. The incident also caused the MIM stablecoin to depeg briefly to $0.7, and has since recovered to the $0.97 range.

Sep 2023 – CoinEx ($31 M)

On 12 September CoinEx hot wallets lost more than $31 million due to a hack. The hot wallets were drained of $19M worth of ETH, $11.5M in TRON and MATIC, amounting to $295,000.

Sep 2023 – Stake ($41 M)

On 4 September crypto gambling site Stake suffered an attack with over $41million being withdrawn in confirmed hack. Withdrawals were reportedly made from Stake to an account with no previous activity, with funds stolen including Tether and Eth.

Aug 2023 – Exactly Protocol ($7.3 M)

On 18 August Exactly Protocol suffered a security exploit that resulted in approx. 4300 ETH (around $7.3 million) in losses. The EXA token also suffered from this hack and lost 20% of its value as a result.

July 2023 – Curve Finance ($42 M)

Curve, a stablecoin exchange at the heart of decentralized finance (DeFi) on Ethereum, became a victim of an exploit on 30 July 2023. They shared the news in a tweet and according to BlockSec, a blockchain auditing firm, the estimated total losses were above $42 million.

July 2023 – CoinsPaid ($37 M)

On 22 July 2023 hackers linked to Lazarus Group staged a sophisticated social engineering attack on the crypto payments provider CoinsPaid. The attack involved a six-month long social engineering campaign that culminated in a malicious software download that allowed the crooks to syphon $37.3 million, according to a report in DL News.

July 2023 – Multichain Bridge ($125 M)

On 6 July cross-chain bridge protocol Multichain suffered what appeared to be a hack or a rug pull. It caused losses of more than $125 million, making it “one of the biggest crypto hacks on record,” according to crypto research firm Chainalysis.

June 2023 – Atomic Wallet ($50 M)

Reportedly $50 million (USD) in various crypto assets were drained from users accounts from the decentralized Atomic Wallet on 2 June 2023. Elliptic attributed the attack to cybercrime syndicate Lazarus Group, which is a state-sponsored North Korean hackers team. The company operating Atomic Wallet was slammed with a class-action lawsuit in the aftermath of the attack. Some sources claim the attack amounted to nearly $100 million in total.

Apr 2023 – Bitrue ($23 M)

On 14 April 2023 Singapore-based Bitrue’s hot wallets were hacked and around $23 million was stolen, an amount Bitrue claimed was less than 5% of its reserves.

Apr 2023 – Yearn ($11.5 M)

DeFi protocol Yearn had $11.5 million stolen on 13 April when someone discovered a vulnerability in an old version of one of the protocol’s contracts. Yearn lost $2.8 million to a different vulnerability in 2021 (see below.)

Apl 2023 – Sushi Swap ($3.3 M)

Decentralized exchange SushiSwap was exploited on 9 April 2023 allowing hackers to steal more than $3.3 million in crypto from wallets that had previously interacted with the platform. Reports indicate that only users who interacted with SushiSwap in the four days prior to the exploit were at risk.

Apr 2023 – GDAC ($13.9 M)

On April 9 users of the leading South Korean exchange GDAC woke up to the following message:
“Around 7 am, a hack occurred at Gdak Hot Wallet, where assets in the following quantities were transferred to an unidentified wallet: 60.80864074 BTC | 350.50 ETH | 10,000,000 WEMIX | 220,000 USDT. This is currently about 23% of total storage assets”. The exchange halted all deposits and withdrawals after the hack.

Mar 2023 – Euler Finance ($197 M)

DeFi lending platform Euler Finance lost roughly $197 million on March 13 in a flash loan attack. The incident was recorded as the biggest loss for crypto in Q1, 2023. As CryptoPotato reported, the exploiter stole $8.7 million worth of the decentralized stablecoin DAI, $34 million worth of USD Coin (USDC), $19 million wrapped bitcoin (WBTC), and $136 million worth of staked Ether (ETH). The attacker borrowed the assets through a flash loan and drained them from the protocol.
Days later, it was reported that majority of the funds were returned by the hacker (minus a few million bounty).

Feb 2023 – Opensea ($1.7 M)

On Feruary 18, NFT marketplace Opensea became a victim of an exploit causing the theft of non-fungible tokens worth over $1.7 million from its users. The NFT marketplace has been subject to numerous attacks over the past years. It was later determined that an attacker had successfully phished 17 OpenSea users into signing a malicious contract, which allowed the attacker to take the NFTs and then flip them. Bizarrely, the hacker returned some of the NFTs to their original owners, and one victim inexplicably received 50 ETH ($130,000) from the attacker as well as some of his stolen NFTs back. 
OpenSea users reportedly lost a total of $3.9 billion to fraudulent activities in 2022 alone.

Feb 2023 – BonqDAO ($120 M)

Decentralized borrowing protocol BonqDAO suffered $120M loss after oracle hack on February 1. This hack allowed the exploiter to manipulate the price of the AllianceBlock token, leading to an estimated $120 million loss, according to Peckshield. During the exploit a Polygon wallet accessed 112 million ALBT tokens, bridging them from the Polygon blockchain to the Ethereum blockchain. The hacker also got 500,000 USDC from dumping bonq euro (BEUR) tokens.

---

Oct 2022 – Mango Markets ($100 M)

Solana-based crypto exchange Mango Markets was hit with an exploit of over $100 million on October 12. The incident saw the hackers manipulate price oracle data, which enabled them to take out under-collateralized cryptocurrency loans. At the same time, the network has suffered several outages that appear to deter investors. The most recent outage was recorded on October 1, lasting at least six hours. Overall, in 2022 alone, the network suffered at least five significant outages all due to attacks on the network, with some running into days. 

Oct 2022 – BNB Smart Chain ($586 M)

While this was not an exchange hack, I include it here as it is of huge magnitude, one of the biggest single hacks to date. BNB Smart Chain was hacked for 2 million BNB, its native cryptocurrency, worth approximately $586 million at the time of the incident (October 6). The attacker only managed to bridge a fraction of the stolen tokens (around 100 million USdollars’ worth) to other chains before validators halted the network, blocking access to the $430 million remaining in the hacker’s BNB chain address. The chain was promptly re-activated, but the incident sparked many complains about centralization of the blockchain network.

Sept 2022 – Wintermute ($160 M)

Market-maker Wintermute has lost $160 million in a hack on September 20, relating to its decentralized finance (DeFi) operation. the company’s CEO confirmed the attack in this tweet.

Aug 2022 – Curve ($570 K)

On 9 August DeFi protocol Curve Finance gets hacked and approx $570,000 in ETH is stolen. 3 days later, Binance freezes wallets associated with the hack and recovers almost 80% of the funds.

Aug 2022 – Nomad Bridge ($200 M)

On 2 August the cross-chain token bridge Nomad suffered a hack amounting to nearly $200 million (USD). Nomad, like other cross-chain bridges, allows users to send and receive tokens between different blockchains. The company acknowledged the incident in a tweet.

June 2022 – Harmony Bridge ($100 M)

On 24 June, the Horizon Bridge to the Harmony layer-1 blockchain was exploited for $100 million in altcoins which were swapped for Ether. Eleven transactions were made from the bridge for various tokens and then sent to different wallets for swaps into ETH on Uniswap. In January 2023, the FBI released a report, revealing that Lazarus Group, the North Korean state hacking group, was behind this operation and 11 addresses were identified. The criminal organization laundered more than $60 million worth of Ethereum (ETH) on January 13, 2023 via RAILGUN – a privacy protocol.

June 2022 – Osmosis DEX ($5 M)

On 8 June, Osmosis, a decentralized exchange built on Cosmos, was hacked for roughly $5 million, forcing developers to halt the network.

May 2022 – Mirror Protocol ($2 M)

On 28 May, Mirror Protocol, a decentralized finance platform on the Terra network – had more than $2 million drained from it due to an issue affecting how its price-setting software reacted to the historic Luna cryptocurrency crash and the rushed decision to create a new version of it. This was not a hack per se, but an exploit of a bug in the system that allowed attackers to take out more than $1 million in loans with just $1,000 in collateral. 

Apr 2022 – Saddle Finance ($10 M)

On 30 April Saddle Finance, a decentralized exchange for trading stablecoins, was hacked in a DeFi exploit. Saddle Finance confirmed the incident, saying its team was investigating a “possible exploit.” BlockSec was able to rescue $3.8 million from the exploiters with an “internal system” that can detect and front-run hacking incidents using off-chain arbitrage bots called flashbots. Still, the hacker made off with more than $10 million in ETH from Saddle’s liquidity pools. Saddle Finance said it was in the process of recovering the $3.8 million from BlockSec.

Apr 2022 – Fei & Rari ($80 M)

On 28 April, DeFi platforms Rari Capital and Fei Protocol suffered more than $80 million loss due to a hack. The hacker exploited a reentrancy vulnerability in Rari’s Fuse lending protocol and according to a tweet from Blockchain security firm PeckShield, the same vulnerability has been used to attack other forks of the Compund DeFi protocol.

Apr 2022 – Beanstalk Protocol ($182 M)

On 17 April, Ethereum DeFi protocol Beanstalk was hacked for $182 Million in Ethereum, BEAN stablecoin, and other assets. The hacker used a flash loan, which allows people to borrow an asset to make a quick trade and then repay the asset—all in just one complex transaction that involves multiple protocols.

Mar 2022 – Cashio ($52 M)

On March 23, 2022, Cashio, a Solana-based stablecoin protocol, was exploited in an “infinite glitch” attack, allowing the hacker to manipulate Cashio’s smart contracts and mint an infinite supply of CASH without providing any liquidity in return. The hacker used the newly minted tokens to exchange them for stablecoins on Cashio’s liquidity pools, and blockchain data shows over 2 billion CASH were minted without any USDC or USDT backing. The hacker was able to steal around $52 million worth of assets, reportedly.

Mar 2022 – Ronin Network ($625 M)

This was at the time, the second biggest crypto hack ever: $600 Million in ETH was stolen from NFT gaming blockchain Ronin Network – an Ethereum-linked blockchain platform for non-fungible token-based video game Axie Infinity. The incident that took place on 23 March 2022, greatly affected many users of the platform and tanked the AXS token in the aftermath.

Feb 2022 – Wormhole ($320 M)

On 2 February, Wormhole Portal, a bridge between Solana (SOL) and other blockchains, was exploited for approximately 120k wrapped ETH. The total value of the stolen crypto assets stands at around $320 million at the time. Later, a Chicago trading firm Jump Crypto, in collaboration with Oasis and other whitehat hackers, counter-exploited the hacker and recovered around $140 million worth of assets that were stolen during the attack. The recovery was initiated via the Oasis Multisig, and the funds were returned to a court-authorized third party. This recovery has been described as setting a “very dangerous precedent” for decentralized finance, as it challenges the founding assumptions of DeFi, particularly the idea that all transactions are final and that no crypto can ever leave a user’s wallet.

Jan 2022 – Qubit Finance ($80 M)

On 28 January DeFi protocol Quibit revealed in a tweet, that it had been exploited by an attacker who stole 206,809 BNB from its QBridge protocol. In total, the tokens were valued at $80 million.

Jan 2022 – Crypto.com ($30 M)

On 17 January more than $30 million was stolen by hackers from wallet and exchange app Crypto.com. The company said that 4,836 ETH and 443 BTC were taken. According to the report released by the company, 483 users had their accounts compromised.

---

Dec 2021 – Grim Finance ($30 M)

On 18 December DeFi protocol Grim Finance lost $30 million in 5x re-entrancy hack. This security flaw in the Grim Finance protocol allowed the attacker to fake five additional deposits.

Dec 2021 – Vulcan Forged ($140 M)

On 13 December, a cyberattack on The NFT marketplace Vulcan Forged saw 96 wallets compromised and a loss of $140 million was reported.

Dec 2021 – AscendEX ($77 M)

On 12 December, Crypto exchange AscendEX — formerly known as BitMax — was hacked for an estimated $77.7 million. That is according to the exchange, which acknowledged the hack, and security researchers PeckShield who have estimated its losses. Coins and tokens stolen include USDT, USDC, TARA, SHIB, AAVE, COMP.

Dec 2021 – Bitmart ($200 M)

On 5 December 2021, reportedly, close to $200 million worth of crypto was stolen in this hack according to security firm Peckshield. Bitmart promised to use its own money to reimburse users and claims the hack is worth $150 million.

Dec 2021 – BadgerDao ($120 M)

$120 million was stolen from the BadgerDAO decentralized finance protocol by a hacker targeting the protocol on the Ethereum network on 2 December 2021. One user’s account suffered a $90 million loss and later it was confirmed that the account belongs to crypto lending platform Celsius. This was one of many heavy blows to Celsius, which later went into insolvency.

Nov 2021 – bZx ($55 M)

On November 5, the defi protocol bZx was hacked when its private key was compromised, allowing the attacker to steal $55 million. Both chains used by bZx : BSC and Polygon, were affected by the hack.

Oct 2021 – Cream Finance ($130 M)

In October 2021, CREAM Finance was hacked in the third-largest DeFi hack to date with losses of over $130 million.  The attacker used a flash loan attack to exploit vulnerabilities within the protocol. The attacker exploited a flash loan attack, draining over $260 million in funds. The attacker used a complex transaction that involved 68 different assets and cost over 9 ETH in gas. 

Sep 2021 – Compound ($147 M)

Compound Finance, an Ethereum-based lending and borrowing protocol, had an exploit and the protocol erroneously paid out vast sums in its native cryptocurrency COMP to some users who provided only miniscule levels of collateral in ETH, USDC, and DAI. An error in the protocol’s smart contract was suspected as the cause of the malfunction. It is rumoured that the total of funds amounted to $147 million. Other glitches were also reported around the same time. A faulty Compound Finance contract intended to disburse liquidity mining rewards over time was topped off with $66 million in tokens and the same bug drained $80 million in tokens throughout the month of September. 

Sep 2021 – pNetwork ($12 M)

The Defi protocol, pNetwork alerted the community of a 277 Bitcoin (BTC) hack, which amounts to 12.67 million in USD. The network revealed that the attacker installed a bug on the Binance Blockchain codebase of pNetwork. However, the protocol confirmed safety for other funds as no more bridges had to bear the burn of the attack.

Sep 2021 – Vee Finance ($35 M)

Just a week after lending platform Vee Finance celebrated a milestone of $300 million in total value of assets locked, it suffered an exploit that remains one of the largest on the Avalanche network. A total of approx. $35 million was lost.

Aug 2021 – CREAM Finance ($19 M)

On August 30, 2021, decentralized lending protocol CREAM Finance was the victim of a flash loan hack.  PeckShield specified that the hacker exploited the Amp token by reborrowing assets during its transfer before updating the first to borrow in 17 separate transactions. Providing an example transaction, the security firm stated, “The hacker makes a flashloan of 500 ETH and deposit the funds as collateral. Then the hacker borrows 19M AMP and makes use of the reentrancy bug to re-borrow 355 ETH inside AMP token transfer. Then the hacker self-liquidates the borrow.”

Aug 2021 – Liquid Exchange ($97 M)

On August 18th 2021, Japanese exchange Liquid reportedly suspended asset deposits and withdrawals as its hot wallets have been hacked in a security breach. Affected coins in this hack were Bitcoin, Ethereum, Tron and XRP to the total amount of approximately $97 million (according to Elliptic’s analysis)

Aug 2021 – Poly Network ($600 M)

Reportedly, over $600 million was stolen on August 10, 2021 by a ‘white hat’ hacker making this the biggest single crypto hack to date. Ethereum, Binance Smart Chain and Polygon tokens were stolen but the claim is that this hack was only committed in order to highlight the vulnerabilities of the Poly Network platform and most of the funds were later returned. Around $200 million is still outstanding and Poly Network reportedly promised the hacker a $500,000 bounty for the restoration of user funds, and even invited them to become its “chief security advisor.” In the end, all funds were recovered eventually.

May 2021 – Belt Finance ($6.3M)

Belt Finance, a DeFi project based on the BNB Smart Chain (BSC) fell victim to a flash loan attack that netted the attacker about $6.3 million in cryptocurrency.

May 2021 – PancakeBunny ($200 M)

PancakeBunny, a yield management platform operating on BSC and Polygon, became a victim of a flash loan attack that resulted in $200 million loss. Originally it was thought that only $45 million of value were lost according to one source. The attack caused the price of its native BUNNY token to plummet by 95% in the aftermath.

Apr-May 2021 – Coinbase (Data Breach)

As reported by Reuters in October 2021, this hack took place between March and May 20th 2021. At least 6000 customers have been victims of unauthorized third parties exploiting a flaw in the company’s SMS account recovery process to gain access to multiple accounts, and transfer funds to crypto wallets not associated with Coinbase. The amounts are undisclosed.

Apr 2021 – Uranium Finance ($50 M)

In late April, Uranium Finance is a decentralized exchange (DEX) on Binance Smart Chain (BSC) suffered a loss of $50 million during its token migration process. Mostly BNB and BUSD tokens were targeted, but also USDT, BTC, ETH, DOT, ADA, and U92, Uranium’s native crypto.

Apr 2021 – EasyFi ($81 M)

On April 19 EasyFi, a DeFi Polygon Network-powered protocol, was the victim of a hack. The attacker was able to extract 2.98 million EASY tokens and $6 million in USD, DAI, and USDT for a total value of about $81 million.

Apr 2021 – Thodex ($2 B)

The largest Turkish crypto exchange vanished after reports about suspicious transactions. Allegedly, the founder took off with $2 billion USD of customers money and fled to Albania. He was later captured and was sentenced to 11,196 years in prison by a Turkish court on charges of “establishing, managing and being a member of an organization,” “qualified fraud,” and “laundering of property values.”

Mar 2021 – Meerkat Finance ($31 M)

Binance Smart Chain-based lending protocol Meerkat Finance lost $31 million in user funds just a day after it launched in March 2021.

Mar 2021 – Paid Network ($100 M)

On March 5, 2021, the PAID Network smart contract was compromised.  By exploiting flaws in how the smart contract was secured and managed, the attacker was able to extract approximately $100 million worth of $PAID tokens, and converted about $3 million of it to Ether before being blocked by the PAID Network team.

Feb 2021 – Yearn ($11 M)

On Feb 4 a hack of the Yearn DAI v1 vault caused a loss of approx. $11 million to the vault that resulted in a $2.8 million profit for the hacker. Reportedly, by responding within eleven minutes, the team was able to protect the remaining $24 million stored in the vault from the attacker.

Feb 2021 – Cryptopia ($45 K)

Even as it is being liquidated following a previous breach that stole NZ$24 million (approx. US$15.5 million), this exchange gets hacked again.
According to a Stuff report a creditor, U.S. firm Stakenet, has been told that about NZ$62,000 (US$45,000) in the XSN cryptocurrency had been transferred out of its cold wallet on Feb. 1.

---

Dec 2020 – Livecoin (Data Breach)

On Christmas Eve (23 December), Livecoin, a Russian cryptocurrency exchange, suffered a hack that resulted in the loss of control of some of its servers, warning customers to stop using its services. The attackers modified the price of BTC to $300,000, rather than the $24,000 market value at the time. This exchange is now shut down. It never recovered from this incident and court proceedings are in place to supposedly recover some of the users funds but so far not much has come out of this.

Nov 2020 – Liquid Exchange (Data Breach)

On 13 Nov 2020, Liquid, a cryptocurrency exchange based in Japan, suffered a hack that was mostly data breach that gave the attacker the ability to change DNS records and in turn, take control of a number of internal email accounts. No funds were stolen in this incident, but a year later the exchange was hacked again and a loss of $94 million was reported.

Sep 2020 – Kucoin ($281 M)

Singapore-based crypto exchange Kucoin suffered a hack that resulted in the loss of around $281 million worth of cryptocurrencies. KuCoin worked with international law enforcement to investigate the hack and recover the stolen funds and with the help of the developers of some of these projects and combined efforts of other exchanges and was able to recover about $239 million. The remaining losses of $45.55 million were covered by the exchange’s insurance fund.

Sep 2020 – Eterbase Hack ($5.4 M)

 September 2020, Eterbase, a cryptocurrency exchange based in Bratislava, Slovakia, suffered a hack that resulted in the loss of $5.4 million worth of cryptocurrency. The incident involved the theft of various cryptocurrencies from the company’s hot wallets, including Bitcoin, Ether, ALGO, Ripple, Tezos, and TRON assets.

July 2020 – Cashaa ($3.1 M)

On July 11, fraudsters hacked into digital payment platform Cashaa’s over-the-counter desk, which serves Indian customers, and stole 336 Bitcoin, worth about $3.1 million at the time. The attacker may have implanted malware into one of the exchange’s computers. As an employee accessed the affected machine to make two transfers, the attack was launched. It’s suspected to have been an inside job.

June 2020 – Balancer ($500 K)

An attacker stole over $500,000 in Ether, Wrapped Bitcoin, Chainlink, and Synthetix tokens. Balancer CTO Mike McDonald explains that the attacker had borrowed $23 million in WETH tokens in a flash loan from dYdX. They then traded against themselves with Statera (STA), a token that uses a transfer fee model and burns 1% when traded. The attacker repeated this back and forth 24 times, draining the STA liquidity pool. Because Balancer thought it had the amount of STA remained unchanged, it released WETH in the amount of the original balance, giving the attacker a larger margin for every trade. The attacker then repeated this attack with WBTC, LINK and SNX, all against Statera tokens.

May 2020 – Coincheck (Data Breach)

In May 2020, Coincheck, a Japanese cryptocurrency exchange, suffered a data breach after attackers accessed one of its domain name accounts and used it to impersonate the exchange. Coincheck stated that certain personal information like names, registered addresses, birth dates, phone numbers, and ID Selfies was exposed in the incident. Digital assets, however, were not affected.

In 2018, Coincheck lost $500 million in NEM coins after hackers compromised the exchange platform (see below).

Apr 2020 – Uniswap ($25 M)

On 18 April, Uniswap, a decentralized cryptocurrency exchange, and Lendf.me, a decentralized lending platform, were hacked, resulting in the loss of $25 million worth of cryptocurrency. The hacker(s) used an exploit published in July 2019 on GitHub by OpenZeppelin, a company that performs security audits for cryptocurrency platforms. The hackers first used the exploit against Uniswap and then used it again the next day against Lendf.me.

Feb 2020 – Altsbit ($70 K)

Altsbit, a small Italian cryptocurrency exchange, suffered a hack that resulted in the loss of almost all of its funds. On February 6, the exchange announced that it had lost 6.929 BTC and 23 ETH, among losses in other cryptocurrencies such as Pirate Chain (ARRR), VerusCoin (VRSC), and Komodo (KMD). The total amount lost was estimated to be only about $70,000 but Altsbit explained that it cannot compensate losses and intends to return untouched amounts as some percentage to users. Despite a significant part of Altsbit’s crypto funds being stored on cold storage, the exchange still terminated its services on May 8, 2020.

---

Nov 2019 – Upbit ($49 M)

On November 27, 2019, hackers attacked Upbit (a South Korean exchange) and made off with 342,000 ETH (nearly $50 million at the time of the hack). Upbit promised users that it would cover the losses.

Nov 2019 – VinDAX ($500 K)

on 5 November 2019, Vietnam-based exchange VinDAX lost half a million U.S. dollars’ worth of funds in various cryptocurrencies. The exact details of the hack were not disclosed.

July 2019 – Bitpoint ($32 M)

On July 11, BitPoint (Japanese exchange) suffered a loss of 3.5 billion yen, 2.5 billion of which belonged to customers. In a followup, the company found that actual losses from the breach came to around 3.02 billion yen (US$32 million) – roughly $500 million less than originally thought. The company told reporters that the 50,000 customers affected will receive refunds on a 1:1 basis.

June 2019 – Bitrue ($4.2 M)

On 27 June 2019, Bitrue, a Singapore-based cryptocurrency exchange, suffered a hack that resulted in the loss of around $4.2 million in user assets. In a series of tweets, Bitrue announced the loss of 9.3 million XRP and 2.5 million ADA. For the 90 users affected, Bitrue has promised to repay them in full.

June 2019 – GateHub ($9.5 M)

In June 2019, GateHub, a cryptocurrency wallet service, suffered a hack that resulted in the loss of 23.2 million XRP, worth nearly $9.5 million, from its users’ wallets. The company announced the news on its website.

May 2019 – Binance ($40 M)

On 7 May 2019 Binance, one of the world’s largest cryptocurrency exchanges, suffered a hack that resulted in the loss of over $40 million worth of bitcoin. In a statement, Binance shared that hackers used a variety of techniques, including phishing, viruses and other attacks to withdraw 7000 BTC in a single transaction. Binance announced it would use the #SAFU fund to cover the incident in full.

Mar 2019 – Bithumb ($13 M)

Bithumb, a South Korean cryptocurrency exchange, suffered a hack that resulted in the loss of $13 million worth of EOS and $6 million worth of Ripple (XRP) from its wallets.
In an official statement, Bithumb shared that the stolen funds were owned by the exchange and it’s alleged that it could have been an inside job.

Mar 2019 – DragonEx ($7 M)

Hackers made off with nearly $7 million worth of cryptocurrency. DragonEx has shared that it intends to repay those who were directly affected. DragonEx was able to recover from the hack and continued operating.

Mar 2019 – CoinBene ($100 M)

Following a maintenance announcement and signs of assets moving to new addresses, suspicions that CoinBene fell victim to hackers rose among the public. While it’s believed that over $100 million worth of cryptocurrency was stolen, CoinBene (Singapore-based cryptocurrency exchange) denied the hack, but the exchange’s website remained in maintenance mode for an extended period.

Feb 2019 – Coinmama (Data Breach)

Coinmama, an Israel-based cryptocurrency brokerage, suffered a major data breach that affected 450,000 of its users. The breach was part of a global attack that affected 24 companies including gaming, travel booking, and streaming sites and a total of 841 million user records. No financial losses, but a lot of personal data.

Jan 2019 – LocalBitcoins ($28 K)

On January 26, 2019, clients of peer-to-peer bitcoin trading service LocalBitcoins were the targets of a phishing scam which resulted in the theft of $28,200 worth of bitcoin. During a 5-hour window, users reported that when accessing the LocalBitcoins forum, they would be redirected to a page mimicking the LocalBitcoins login page. In the background, the hacker(s) would collect the login credentials from users.

Jan 2019 – Cryptopia ($16 M)

In January 2019, Cryptopia, a New Zealand-based cryptocurrency exchange, experienced two back-to-back hacks within a single month. According to reports, as much as ~$16 million worth of Ethereum and ERC20 tokens were stolen, which the exchange estimated to be around 9.4% of total holdings. The exchange was hacked again in 2021 and closed doors as a result.

---

Dec 2018 – QuadrigaCX ($190 M)

While technically not a hack, QuadrigaCX’s sensational story is simply too controversial to ignore. The largest bitcoin exchange in Canada lost $190 million in crypto following the death of its founder and CEO Gerald Cotten, the sole controller of the exchange’s cold storage wallets.

Oct 2018 – MapleChange ($6 M)

In October 2018, MapleChange, a Canadian cryptocurrency exchange, experienced a hack that resulted in the loss of approximately $6 million worth of BTC. Following the incident MapleChange announced it could not refund customers and was closing its doors.

Sep 2018 – Zaif ($60 M)

In September 2018, Zaif, a Japan-based cryptocurrency exchange, suffered a hack that resulted in the loss of various cryptocurrencies, including 6,000 BTC. According to Zaif’s investigation, $60 million in Bitcoin, Bitcoin Cash, and MonaCoin was stolen from the exchange.

July 2018 – Bancor ($23.5 M)

In June 2018, Bancor, an Israeli-Swiss decentralized cryptocurrency exchange, suffered a hack that resulted in the loss of $23.5 million of cryptocurrency tokens belonging to its users. According to Bancor, “A wallet used to upgrade some smart contracts was compromised. This compromised wallet was then used to withdraw ETH from the BNT smart contract in the amount of 24,984 ETH. ($12.5M). The same wallet also stole ~$1M in other alts and 3,200,000 BNT ($10M)”
Bancor was able to freeze its tokens to mitigate some of the damage. The exchange claimed that no user wallets were compromised.

June 2018 – Bithumb ($31 M)

Roughly $31 million in cryptocurrency was stolen by hackers from the South Korea-based exchange with XRP being the main target. The personal details of 30,000 users were stolen, leading to the subsequent theft of their funds.

June 2018 – Coinrail ($40 M)

In June 2018, Coinrail, a cryptocurrency exchange based in South Korea, suffered a hack that resulted in the loss of cryptocurrencies totaling as much as $40 million. The hackers stole altcoins and ICO-issued tokens that weren’t Bitcoin or Ethereum. Coinrail was able to recover from the hack and continue operating.

Apr 2018 – CoinSecure ($3.4 M)

In April 2018, Coinsecure, an India-based cryptocurrency exchange, suffered a hack that resulted in the loss of 438.318 BTC, worth around $3.4 million at the time. The private keys of the wallet were leaked online, and all data logs were erased, indicating that it was an inside job. The exchange accused its Chief Strategy Officer (CSO), Dr. Amitabh Saxena, of being involved in the theft.

Feb 2018 – Bitgrail ($170 M)

Hackers made off with roughly 17 million units of Nano (XRB), the coin formerly known as RaiBlocks amounting to about $170 million (USD). The BitGrail hack was the second major cryptocurrency hack in 2018, following the $530 million hack of Japanese exchange Coincheck. In 2019, Owner and Founder Francesco Firano was accused of fraudulent activity related to the hack and was sentenced to return as much of the assets to customers as possible.

Jan 2018 – Coincheck ($530 M)

Hackers stole nearly $530 million in NEM coins from Coincheck, the then leading exchange in Japan. The hack was the largest in the history of cryptocurrencies at the time.
One of Coincheck’s major security lapses, it admits, is that the exchange kept customer assets in a hot wallet. In January 2021, around 30 people were formally charged in Japan with trading almost $100 million worth of digital assets while knowing they had been stolen in the Coincheck hack.

---

Dec 2017 – EtherDelta ($1.4 M)

In December 2017, EtherDelta, a decentralized cryptocurrency exchange, suffered a hack that resulted in the theft of at least $1.4 million worth of cryptocurrency. Hackers hijacked EtherDelta’s DNS server and diverted traffic to a malicious duplicate of the site. The scam netted the hackers 308 ETH and a number of ERC20 tokens. A UK and a US individuals were later indicted on this offence. EtherDelta was able to recover from the hack and continue operating.

Dec 2017 – NiceHash ($64 M)

In December 2017, a Slovenian-based cryptocurrency mining platform NiceHash, suffered a hack that resulted in the loss of 4,736.42 BTC (over $64 Million at the time).

Dec 2017 – Youbit (N/A)

In December 2017, Youbit, a South Korean cryptocurrency exchange, suffered a hack for the second time in less than eight months. Following the hack that cost 17% of the exchange’s holdings, Youbit announced it was closing down. The exact amount of the theft was not disclosed.

Sep 2017 – Coinis ($2.2 M)

$2,190,000 was stolen in this hack. South Korea’s spy agency alleges that North Korea is behind this and other hacking attacks on Coinis, a crypto-currency exchange in South Korea.

Sep 2017 – DragonEx ($7 M)

In September 2017, DragonEx, a Singapore-based cryptocurrency exchange, suffered a hack that resulted in the loss of nearly $7 million worth of cryptocurrencies. The lost funds include 135 BTC | 2,738.12 ETH | 247,000 XRP | 1,464,319.32 USDT | 64,121.00 XEM | 426,314.70 EOS, among others.

Sep 2017 – LiteBit (N/A)

In September 2017, LiteBit, a Dutch Bitcoin exchange, suffered two hacks in two months. The first hack occurred in August 2017, and the second hack took place in September 2017. The details of the hacks are unclear from the available search results. However, the exchange stated that no user funds were lost in either hacks.

July 2017 – CoinDash ($7 M)

In July 2017, CoinDash, an Israeli start-up, suffered a hack during its initial coin offering (ICO), resulting in the loss of more than $7 million worth of Ethereum in about half an hour. The hacker altered the Ethereum address that CoinDash was using to solicit funds, resulting in the ETH going to another source.

Apr 2017 – Yapizon ($5 M)

Before becoming Youbit, Yapizon a South Korean Bitcoin exchange, suffered a hack that resulted in the loss of 3,831 BTC, equivalent to $5 million at the time. The hack occurred during the early hours of April 22, 2017, and the unknown hackers were able to compromise the security of the platform. Yapizon shared that it would dock remaining customer balances by the same amount to spread the burden of the losses.

---

Oct 2016 – Bitcurex ($1.5 M)

Hackers were able to perform an automated data collection on the site, resulting in the loss of over 2300 BTC. Bitcurex promised to refund its users, but the exchange never resumed services, and people lost all their money. This is not the first time Bitcurex was targeted. In 2014, the exchange temporarily shut down its site following a hack that targeted its users’ funds.

Aug 2016 – Bitfinex ($72 M)

On August 2, 2016, the Bitfinex cryptocurrency exchange, based in Hong Kong, announced that it had suffered a security breach. Around 2,000 approved transactions were sent to a single wallet from users’ segregated wallets. As a result, the trading price of Bitcoin plunged by 20%. The exchange lost  119,756 Bitcoin, worth about US$72 million at the time. To compensate users, Bitfinex generalized the losses across all accounts and credited customers with BFX tokens at a ratio of 1 BFX to every dollar stolen.
In 2019, Bitfinex shared that 27.66270285 BTC or 0.023% of the total taken in the attack, had been recovered by US law enforcement efforts. As promised, the returned funds were converted to US dollars and paid to holders of its RRT token.
In 2021 two Israeli individuals were captured and charged in relation to this hack. US officials seized $3.6 billion in relation to this hack – their biggest seizure of cryptocurrencies ever. However, it remains unclear how these funds will be shared with customers who were forced to share the losses and were only compensated via the RRT token and to the amounts of their fiat value, rather than the crypto they initially lost.

May 2016 – GateCoin ($2.1 M)

In a breach that took place between the night of May 9, 2016 (HKT) and the evening May 12, 2016, Gatecoin lost 250 BTC and 185,000 ETH, an amount worth roughly $2.14 million at the time. It was 15% of its crypto asset deposits. 3 years later, in March 2019, Gatecoin received a liquidation order following banking problems and was declared dead.

Apr 2016 – ShapeShift ($230 K)

In April 2016, ShapeShift, a digital currency exchange, suffered a hack that resulted in the loss of $230,000 in three separate thefts over the course of a month. The hack was believed to be an inside job by a former employee, whose name and position was not disclosed. ShapeShift was able to recover from the hack and continue operating.

---

Feb 2015 – KipCoin ($720 K)

In February 2015, KipCoin, a Chinese Bitcoin exchange, shut down after claiming that it had lost 3,000 BTC to hackers. The announcement also shared that the hacker had gained access to Kipcoin’s server and downloaded the wallet.dat file months before the attack. The hacker laid low and did nothing with the funds before beginning to move them in December 2014.

Feb 2015 – BTER ($1.7 M)

According to BTER, a China-based digital currency exchange, a hack on its cold wallets resulted in the loss of roughly $1.75 million in Bitcoin (7,170 BTC). BTER shared that they were working with law enforcement to resolve this matter, and outlined a plan to pay back users after inking a deal with security firm Jua.com.

Jan 2015 – LocalBitcoins ($5 K)

LocalBitcoins Vice President Nikolaus Kangas acknowledged a hack and a loss of 17 BTC in a forum post. Kangas shared that the attacker used LiveChat to spread undetected malware to access the various accounts of victims. Affected users were granted refunds after taking steps to address security vulnerabilities

Jan 2015 – Bitstamp ($5 M)

Hackers stole just under 19,000 BTC from the Slovenia-based company Bitstamp. The hack followed repeated phishing attempts aimed at Bitstamp employees. The hackers used Skype and email to communicate with the employees and distribute files containing malware, appealing to their personal histories and interests.

Jan 2015 – 796 ($230 K)

In January 2015, Chinese Bitcoin exchange 796 was hacked resulting in the loss of 1,000 BTC, worth around $230,000 at the time. The exchange’s major shareholders covered the loss with unpaid dividends.

---

Oct 2014 – MintPal “2.0” ($1.3 M)

Following an earlier breach, MintPal was purchased by Moolah. After a failed relaunch of MintPal, Moolah announced it was shutting down but MintPal would remain in operation following an offline period to address infrastructure security. However, 3,700 BTC soon went missing along with Moolah’s CEO. In 2022, the ex-CEO of MintPal, Ryan Kennedy, was arrested in the UK over non-compliance with a court order requiring him to repay 750 BTC to one of his customers who took legal action.

July 2014 – MintPal ($1.9 M)

Using a vulnerability in Mintpal exchange’s withdrawal system, a hacker was able to withdraw 8 million VRC from the Vericoin wallet. At the time, this amounted to around $1,933,000 in USD value.

July 2014 – Cryptsy ($9.5 M)

In July 2014, Cryptsy, an online cryptocurrency exchange company, was hacked by an unidentified party. The hack cost the exchange approximately 13,000 BTC ($7.5m at the time) and 300,000 LTC (then $2.08m). The exchange continued to operate for six months after the hack, including soliciting new customers, without disclosing to its customers that the website’s security had been compromised. Three years later, US District Judge Kenneth Marra ordered Paul Vernon, the former CEO of Cryptsy, to pay $8.2M in damages to customers. He was was indicted by the U.S. Department of Justice for stealing $1 million from wallets and was charged with tax evasion, wire fraud, money laundering, computer fraud, and destruction of records in a federal investigation, among other charges.

Mar 2014 – Poloniex ($64 K)

According to Poloniex owner Tristan D’Agosta, on 4 March 2014 97 BTC was stolen in the following method:
“The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.”
This was estimated to be around 12.3% of the total BTC on the platform and the company has since reimbursed its customers.

Mar 2014 – CryptoRush ($470 K)

CryptoRush, a virtual currency exchange, suffered a hack attack that resulted in the loss of  950 BTC (approx. $427,500) and 2500 LTC (approx. $42,500). The exchange issued a “Debt Management Plan” which outlined plans and potential refunds for victims. The exchange never managed to get the money back from the hacker.

Feb 2014 – Mt.Gox ($600 M)

The victim of a massive and prolonged hack, Mt. Gox lost about 740,000 BTC. An additional $27M was also missing from the company’s bank accounts. 200,000 bitcoins have since been recovered.
Investigations revealed that the hack may have begun as early as September 2011. Prior to September 2011, Mt. Gox’s unencrypted private key appears to have been copied. The hacker(s) used the file to access and gradually steal funds associated with Mt. Gox’s private keys without detection. The shared keypool led to address re-use, with the Mt. Gox systems misinterpreting the transfers as deposits being moved. Whenever the wallets emptied, Mt Gox credited an additional 40,000 bitcoins to multiple user accounts.

---

Nov 2013 – PicoStocks ($3+ M)

Second attack in one year caused this exchange to go bust. This time a total of 5,896 BTC were missing from both its “hot” and “cold” wallets. Because cold wallets can’t be accessed in online attacks, the theft was most likely an inside job. The amount in dollar value was not shared, but in November 2013 the bitcoin price jumped from $199 to a whopping $1100, so it is hard to put a figure on this theft. I estimate it to be upwards of $3,000,000.

Nov 2013 – BIPS ($1 M)

Hackers launched two DDoS attacks to overload a Danish Bitcoin payment processor and free online wallet service BIPS’ servers. They gained access to several online wallets, allowing them to steal 1,295 BTC worth over $1 million at the time.

Nov 2013 – BitCash ($100 K)

About $100,000 were stolen from 4,000 wallets. According to BitCash, their server was hacked and disabled. The hackers then used bitcash.cz email addresses to phish BitCash users.

Oct 2013 – Inputs ($836 K)

In 2013, Inputs.io was compromised on October 23 and then again on October 26, with hackers making off 4,100 BTC in total. The loss was a result of a social engineering attack that compromised a chain of email accounts. Eventually, the attacker gained access to reset the password for the Linode server.

June 2013 – Picostocks ($143 K)

PicoStocks suffered a 1300 BTC theft as a result of the result of PicoStocks using duplicate passwords for multiple accounts – a practice the founder himself described as “just extremely stupid” and “clearly our fault”, according to reports.

Jan 2013 – Vicurex ($320 K)

Vicurex has not confirmed the amount lost in two hacks but reported that it was near insolvency in 2014. As a result of the hacks and subsequent fund withdrawals by spooked users, Vicurex froze withdrawals and declared mitigation plans. Several customers filed a lawsuit against the company for withholding their funds. According to some reports, the theft accounted for 1,454 BTC (approx. $29,000), 225,263 TRC (approx. $220,000) and 23,400 LTC (approx. $70,000.) 

---

Dec 2012 – Bitmarket ($240 K)

BitMarket.eu was hacked several times with the most infamous incident taking place in 2012. Bitmarket developer Maciej Trębacz announced the exchange had lost 18,787 BTC as a result of his using Bitcoinica to set up a Bitcoin hedge fund. Unfortunately, Bitcoinica had also gotten hacked (see below), losing all of BitMarket’s funds along the way.

Three months following the announcement, Trębacz notified users that Yevgeniy Nikulin, a Russian national who was arrested for hacking Dropbox, Formspring, and LinkedIn, had stolen 620 BTC from the exchange by using an SQL injection to gain access to BitMarket’s servers.

Sep 2012 – BitFloor ($250 K)

Following an attack that lost the exchange over $250,000 in cryptofunds, BitFloor Founder Roman Shtylman shared that hackers targeted the exchange’s servers. Although BitFloor encrypted the wallet keys needed to conduct transactions, it also kept an unencrypted backup. The attacker(s) likely gained access to this backup.

Mar 2012 – Bitcoinica ($688 K)

Three separate incidents led to Bitcoinica’s downfall which resulted in around 102,101 BTC loss, amounting to approx. $688,845 being stolen in total.
On March 1, Linode, a web hosting provider whose clients included Bitcoinica, was hacked. The unknown intruder successfully stole 43,000 BTC (approx. $228,845 worth) from Bitcoinica.
On May 11, attackers used a compromised email account to lift 18,500 BTC (approx. $87,000 worth) from Bitcoinica’s hot wallet.
On July 13, another attacker gained access to a LastPass account containing passwords needed to access the MtGox account. The LastPass account used the same password as the MtGox API key used by the Bitcoinica server when Bitcoinica was still live. The attacker withdrew 40,000 BTC and 40,000 USD (approx. $350,000 in total).

---

Oct 2011 – Bitcoin7 ($30 K)

Bitcoin7 exchange reported a theft of 5,000 BTC and shared that attacks originating from Russia and Eastern Europe targeted Bitcoin7’s server, compromising wallets and user data. The exact amount of this theft is unconfirmed but it comes to roughly $30,000 as BTC was around $6 at the time.

June 2011 – Mt.Gox ($400 K)

A hacker got hold of Mt. Gox exchange auditor’s computer and changed the price of bitcoin to 1 cent. Then the attacker started buying bitcoin at this artificial price using the private hot wallet keys of Mt. Gox customers, obtaining about 2,000 bitcoin. The hacker managed to steal around 25,000 BTC (roughly US$400,000 at the time) from 478 accounts. In 2014 the exchange suffered another major exploit that ultimately caused its collapse (see above).

---

Related Posts: