A History of Crypto Hacks and Exploits

August 18, 2022 - 23 Min Read

The history of crypto hacks is surprisingly full of drama. Millions and millions worth of crypto has been stolen: some hackers have returned it all, other hacks led to bankruptcy, and a few incidents may have been an inside job.

The Bitcoin blockchain itself has never been hacked. The transparency behind each transaction and the constant network review keeps blockchain technology fairly secure. But that doesn’t mean everything crypto is invulnerable. Digital wallets, marketplaces, and exchanges can all be victims of hacking.

Decentralized finance remains vulnerable to the internet’s brightest and most sinister. There’s even a North Korean hacking group that’s been made famous for their exploits — including the largest crypto hack to date where the group stole $624 million.

Top 8 hacks of 2022

2022 has been a busy year for major DeFi hacks. Our list contains eight significant heists, including the largest DeFi hack in history.

Ronin, $624M

On March 29, 2022, over $624 million was taken from the Ronin Network. It was an exploit hack by the North Korean hacking group called Lazarus Group. Ronin is a gaming-focused blockchain network best known for the Axie Infinity crypto game published by Sky Mavis. The hackers attacked Sky Mavis’s and Axie DAO Ronin validator nodes—the system used to verify crypto transactions.

In a nutshell, the group hacked users' private keys and made false withdrawals. The hack took advantage of a backdoor vulnerability in the decentralized validation key scheme, using a gas-free RPC node to fake the signatures needed to validate false transactions. In just two transactions, 173,600 ETH and $25.5 million were stolen. 

Axie Infinity reimbursed affected players, but funds were not immediately recovered from the hacker.

Wormhole, $326M

Wormhole is a DeFi service that acts as a bridge between blockchains, like the Solana and Ethereum blockchains. Cross-chain bridges allow users to exchange one type of currency for another one. On Wormhole, users often send Ether to the bridge protocol to be locked in a collateral contract on the Ethereum blockchain. Those users are then issued an equivalent amount of wETH on the Solana blockchain.

In February 2022, hackers exploited a Wormhole security vulnerability after an update to the software. The hacker found a code exploit and managed to mint 120,000 wETH (worth $326 million) without first depositing any Ether funds as collateral. The hacker then exchanged the wETH for $250 million in Ethereum and sent it to their account.

Wormhole offered the hacker $10 million to return the funds and details about the bug they exploited. The hacker did not respond and has not been identified.

Nomad Bridge, $190M

Nomad is a cross-chain bridge similar to Wormhole, allowing users to exchange tokens to different blockchains. In early August 2022, a total of $190 million was stolen from Nomad in just under three hours. A recent update to Nomad’s smart contracts made it easy for users to spoof transactions. However, there was no single hacker behind the exploit. Any user with mediocre coding skills could authorize withdrawals to their account. It was basically a digital mob looting as users replicated the original hack for themselves.

The mob of hackers was able to pose as Nomad to validate transactions without depositing any money to back that exchange.

Nearly $33 million in funds were returned by white hat hackers. Nomad stated that if hackers returned 90% of their stolen funds, they could keep the other 10% and would not be legally prosecuted. Users that voluntarily returned funds would be declared white hat hackers and considered “testers” of the vulnerability.

Beanstalk, $181M

Beanstalk, an Ethereum-based stablecoin protocol, lost $181 million in a flash loan scheme on April 18, 2022. Flash loans allow people to borrow crypto for a quick trade and then repay it all in one transaction.

The hacker used a flash loan to purchase enough voting power on Beanstalk’s governance protocol to approve smart contracts that sent a deposit to their account. For smart contract proposals to be approved, there needs to be a 2/3 majority vote. The hacker used the flash loan to hold nearly 80% voting power.
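The weakness described above is that voting power is read at the moment of the vote, so borrowed funds count. The following is an added example, not Beanstalk's code: a small Python model comparing live vote weight with weight frozen when the proposal opens. The snapshot mitigation, the class names and the deposit figures are assumptions made for illustration.

```python
"""Vote weight read live vs. from a snapshot (constructed model, not Beanstalk's code)."""
from fractions import Fraction

THRESHOLD = Fraction(2, 3)  # supermajority quoted in the article


class StakeLedger:
    """Deposits that double as voting power."""

    def __init__(self, deposits):
        self.deposits = dict(deposits)

    def flash_deposit(self, borrower, amount, action):
        """Credit borrowed funds, run `action`, then unwind in the same call."""
        self.deposits[borrower] = self.deposits.get(borrower, 0) + amount
        try:
            return action()
        finally:
            self.deposits[borrower] -= amount  # loan repaid, stake gone


class Governance:
    def __init__(self, ledger, use_snapshot):
        self.ledger = ledger
        self.use_snapshot = use_snapshot
        self.snapshot = {}

    def propose(self):
        # Hypothetical mitigation: freeze voting power when the proposal opens.
        self.snapshot = dict(self.ledger.deposits)

    def share(self, voter):
        # Live mode reads current deposits; snapshot mode reads the frozen copy.
        book = self.snapshot if self.use_snapshot else self.ledger.deposits
        return Fraction(book.get(voter, 0), sum(book.values()))

    def approves(self, voter):
        return self.share(voter) >= THRESHOLD


def simulate(use_snapshot):
    """Return (borrower's vote share, whether the proposal passes)."""
    ledger = StakeLedger({"holder_a": 150, "holder_b": 100})  # constructed
    gov = Governance(ledger, use_snapshot)
    gov.propose()
    return ledger.flash_deposit(
        "borrower", 1000,
        lambda: (gov.share("borrower"), gov.approves("borrower")),
    )
```

With live balances the borrower holds 80% of the vote for the length of one call and clears the 2/3 bar; with the snapshot, the borrowed stake carries no weight.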

After paying off the flash loan and other fees, the hacker had a profit of $76 million. Four months later, Beanstalk relaunched its project after raising funds from private investors and auditing its code.

Harmony Bridge, $100M

The Harmony Horizon Bridge was hacked on June 23, 2022, for $100 million. People can use Harmony’s Horizon bridge to move digital and fiat currencies between blockchains. The bridge only needs two validating accounts to approve transactions. The hackers compromised private keys and were able to approve the transfer to their accounts.

Stolen tokens included Ethereum, Binance Coin, USD Coin, Dai, Frax Share, Wrapped Ether, Aave, SushiSwap, Wrapped BTC, and Tether — but have now all been swapped for Ether.

Elliptic, a blockchain analytics firm, identified the Lazarus Group (a North Korean hacking group) as likely responsible for the bridge hack.

Harmony paused the Horizon Bridge following the attack.

Mirror Protocol, $90M

Mirror Protocol is a finance platform on the Terra network where users create digital synthetics that track the price of a real-world asset.

On May 17th, a bug was discovered in Mirror Protocol’s code. A hacker had been exploiting the bug for seven months before it was discovered. The hacker had been gradually siphoning funds since October, totaling $90 million stolen.

The Mirror Protocol bug allowed the hacker to access other users’ collateral and withdraw it to their own account. Mirror Protocol has not issued an official statement but did fix the bug shortly before community members discovered the hack.

Fei Rari, $80M

Rari Capital is a digital lending market that recently merged with stablecoin Fei Protocol.

In late April, $80 million was stolen from the Rari Capital stable pool. The hacker exploited a reentrancy vulnerability in the lending protocol. Hackers were able to deploy attacking smart contracts that exploited code in a vulnerable contract to drain its funds.

Fei Rari offered the hacker a $10 million bounty if they returned remaining funds, but the hacker has not responded.

Rari Capital had previously lost $11 million in a hack the previous year.

Crypto.com, $33.7M

Crypto.com is one of the largest CeFi crypto exchange platforms. On January 17, 2022, a hacker was able to make withdrawals totaling $33.7 million in a variety of currencies. Crypto.com reported that 483 users were affected.

The hacker was able to approve transactions without the usual two-factor authentication (2FA) control. Crypto.com didn’t disclose details of how the hacker was able to bypass 2FA.

Crypto.com suspended withdrawals for 14 hours while it investigated and underwent additional security auditing. Crypto.com has reimbursed all the impacted accounts and rolled out more intensive security measures.

Top 6 crypto hacks of 2021

White hat hackers took responsibility for the largest crypto hack in 2021. Most of 2021’s crypto hacks were due to bugs found in platforms’ codes.

Poly Network, $611M

Poly Network is a cross-chain protocol network that allows users to trade one digital currency for another across various blockchains.

On August 10, 2021, the Poly Network faced a major attack. Hackers were able to transfer $611 million to three addresses after exploiting a vulnerability in the network’s code. The next day, the hackers announced they planned to return the tokens and that they had been taken in order to reveal the vulnerabilities of Poly Network. All assets were returned to the Poly Network over 15 days following the attack.

Poly Network offered the hackers a $500,000 bug bounty and the position of chief security advisor.

Compound, $147M

Compound is an Ethereum-based lending protocol, with its own currency called COMP. On September 30, 2021, the Compound protocol paid out large amounts of COMP to users who provided small levels of collateral in ETH, USDC, and DAI. An error in Compound’s Comptroller Contract caused the malfunction.

It’s unclear if it was a planned attack or a mistake by Compound’s protocol developers. The distribution is being credited to a bug.

Compound founder, Robert Leshner, posted on Twitter asking recipients to return funds — promising 10% of the amount as a reward. Leshner also sweetened the deal by threatening to report those who didn’t return funds to the IRS. It’s unknown exactly how much was recovered in total.

BitMart, $196M

BitMart is a cryptocurrency exchange where users can transact, participate in futures trading, and access lending services. On December 4, 2021, hackers stole $196 million from BitMart.

The hacker stole a private key that allowed them to access Ethereum and Binance hot wallets. A mix of 20 different tokens were stolen and then transferred off the platform. Hackers used an exchange aggregator called 1inch to transfer stolen tokens for Ether.

BitMart announced plans to reimburse victims … eventually. But stolen funds were not recovered. Now, the FTC is investigating BitMart operators over the incident and whether BitMart has effectively protected customer data.

Vulcan Forged, $140M

Vulcan Forged is a play-to-earn NFT gaming platform. It’s built on the Polygon network and has blockchain games, a decentralized exchange, and NFT marketplace. The platform was hacked on December 13, 2021.

The hacker stole 96 private keys to wallets belonging to the largest Vulcan Forged users. About $140 million was stolen in total — 23.7% of the project’s token supply. Vulcan Forged CEO said the hacker exploited servers to get Venly credentials and access the private keys. Venly is a semi-custodial wallet service that holds private key information for Vulcan users. Vulcan Forged has since announced it’ll move to a decentralized wallet system.

Vulcan Forged refunded users just a day after the platform was hacked. Refunds came from the Vulcan Forged treasury, a fund reserved for crises.

Cream Finance, $130M & $37M & $18.8M

Cream Finance is an Ethereum-based lending protocol. Users can borrow or lend on the platform using a variety of currencies. In October 2021, Cream Finance faced a $130 million hack. The hack was a complex flash loan attack, involving 68 different assets and a series of borrowing and lending actions that manipulated prices.

Cream Finance claimed to fix the bug that allowed the attack just six hours later. Though the hacker’s initial wallet was identified, stolen funds were already moved to new accounts.

Cream Finance had been hacked two other times earlier in 2021. In February, $37 million was stolen and in August $18.8 million. Both hacks were once again flash loan exploits.

Badger, $120M

Badger is a decentralized autonomous organization (DAO) that allows users to put up Bitcoin as collateral across a variety of DeFi platforms. On December 1, 2021, the Badger network was hacked for $120 million.

The hack was a phishing incident from Cloudflare (an app that runs on Badger’s cloud network). The hacker was able to use a compromised API key to periodically inject malicious code that approved withdrawals. The phishing hack drained funds from dozens of users’ wallets.

About $9 million was recovered and Badger has patched the exploit. New accounts must verify their email address before they can view API keys.

Top 3 crypto hacks of 2020

2020 was a tough year for many people, but a comparatively quiet year for crypto hacks. We’ve highlighted the three biggest digital heists, including an incident where hackers returned everything they stole.

KuCoin, $285M

KuCoin is a popular digital asset exchange and in September 2020 they were hacked for $285 million.

The hackers were able to obtain private keys to hot wallets and make withdrawals from the platform. They then attempted to exchange assets across platforms to hide their trace.

KuCoin abandoned old hot wallets and froze customer transactions. KuCoin was able to also freeze some of the hacker’s transactions in progress and reverse others. KuCoin coordinated with other exchanges, DeFi projects, and law enforcement to recover funds and prevent the identified hacker’s address from making any further transactions.

All but $16 million was recovered from the incident. That remaining amount was covered by insurance and users were unaffected.

Lendf.me, $25M

In April 2020, lending platform Lendf.me was drained of nearly 99.5% of its funds. Lendf.me is on the Ethereum blockchain and the website was taken down immediately to prevent further hacks.

Hackers were able to use bugs and features chained together from other blockchains to conduct a reentrancy attack. Smart contracts are targeted in a reentrancy attack, and the hackers were able to withdraw funds repeatedly before the initial transaction was validated.
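The reentrancy pattern described here and in the Fei Rari entry comes down to a contract paying out before it updates its own ledger. The following is an added example, not code from Lendf.me or Rari Capital: a Python model of a pool with that ordering defect beside a hardened version that updates state first and rejects nested calls. All names and amounts are constructed for illustration.

```python
"""Model of a reentrancy bug in a lending pool and its fix (constructed example)."""


class VulnerablePool:
    """Pays out before updating the ledger, so a callback can re-enter."""

    def __init__(self):
        self.balances = {}   # depositor -> credited amount
        self.reserves = 0    # funds actually held by the pool

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.reserves < amount:
            return
        self.reserves -= amount
        on_receive(amount)           # interaction: external code runs here
        self.balances[who] = 0       # effect: ledger updated too late


class HardenedPool(VulnerablePool):
    """Checks-effects-interactions ordering plus a reentrancy lock."""

    def __init__(self):
        super().__init__()
        self._locked = False

    def withdraw(self, who, on_receive):
        if self._locked:
            raise RuntimeError("reentrant call rejected")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or self.reserves < amount:
                return
            self.balances[who] = 0   # effect first
            self.reserves -= amount
            on_receive(amount)       # interaction last
        finally:
            self._locked = False


def simulate(pool_cls):
    """Return (total paid to the re-entering caller, reserves left)."""
    pool = pool_cls()
    pool.deposit("honest", 90)   # constructed sample deposits
    pool.deposit("caller", 10)
    received = []

    def on_receive(amount):
        received.append(amount)
        try:
            pool.withdraw("caller", on_receive)   # re-enter during payout
        except RuntimeError:
            pass   # hardened pool refuses the nested call

    pool.withdraw("caller", on_receive)
    return sum(received), pool.reserves
```

In the vulnerable pool a 10-unit deposit is paid out until the 100 units of reserves are gone; in the hardened pool the same caller receives 10 and the other 90 stay in place.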

In a surprising turn of events, the hackers returned all stolen funds. The funds were returned after the hacker accidentally leaked an IP address during the hack.

Harvest Finance, $24M

Harvest Finance is a site that allows users to invest crypto and then farm the price variations for a small profit. In October 2020, a hacker stole $24 million from the platform.

The hacker used a flash loan to invest large amounts of crypto in Harvest and then used a cryptographic exploit to steal funds from the platform. They were able to manipulate the prices of one money lego with the input of their flash loan to drain funds from another money lego.

Just two minutes later, the hacker returned $2.5 million. Harvest shared that the attack occurred due to an engineering mistake and allowed the hacker to return the $2.5 million without any consequences.

Harvest Finance announced that the hacker had left identifiable information and was a well-known figure in the space. Harvest Finance offered a $100,000 reward for anyone who can return the remaining funds.

Top 5 crypto hacks of 2019

Our list of 2019 DeFi hacks includes a few companies that were forced to liquidate following a major hack. The largest amount stolen that year was $105 million.

CoinBene, $105M

In March 2019, crypto exchange CoinBene had $105 million drained from its platform. CoinBene claimed the missing $105 million was due to maintenance. But the internet was skeptical and analysts reported that funds were stolen and dumped.

There were outbound transactions from CoinBene hot wallet to a new unknown wallet. Following the incident, CoinBene ceased activity for eight hours. CoinBene never responded to accusations that the maintenance claims were covering for a hack.

CoinBene was permanently closed and liquidated in 2021. Users were asked to withdraw all assets to another exchange.

UpBit, $49M

UpBit is a crypto exchange popular in South Korea. In November 2019, the exchange lost $49 million to an unknown hacker. The loss did not come from user funds, and UpBit promised to reimburse the stolen funds with corporate assets.

The hack occurred when UpBit was moving assets between hot and cold wallet storage. UpBit suspended all functions for two weeks and transferred assets to a cold wallet.

A weird bug on the blockchain allowed people to message the hacker via micro transactions to the hacker’s wallet address. People began sending the hacker requests for some of their stolen loot.

Binance, $40M

Binance, one of the world’s largest cryptocurrency exchanges, lost $40 million in an attack in May 2019.

The hacker not only stole 7,000 bitcoins in one transaction, but also some user information like two-factor authentication codes and API tokens.

Binance reported that the hacker used multiple methods to steal the funds, including phishing and viruses. Funds were stolen from Binance’s hot wallet, which stored about 2% of Binance’s total bitcoin holdings. The structure of the attack was sophisticated and slipped by Binance’s security checks.

Binance reimbursed the incident with its own assets and insurance, and no user funds were impacted.

BitPoint, $32M

BitPoint is a Japanese crypto exchange platform. Hackers stole $32 million worth of Bitcoin, Bitcoin Cash, Ripple, Ethereum, and Litecoin from the platform in July 2019.

Hackers stole private keys to access hot wallets, but more details of the cyber attack were not disclosed. BitPoint paused all services and didn’t detect any vulnerabilities to its cold wallets.

Most of the stolen crypto were user funds ($23 million) and the rest belonged to the BitPoint exchange. About 50,000 BitPoint users lost funds in the hack. BitPoint confirmed it would reimburse users.

Cryptopia, $16M

Cryptopia was a New Zealand-based exchange platform that suffered a $16 million hack in January 2019.

The hacker used a variety of wallets to conduct the transfers in smaller amounts, making the breach harder to detect. Cryptopia estimated that 9.4% of their holdings were stolen over five days. Cryptopia froze operations and then secured each wallet individually before resuming its service months later.

Cryptopia didn't disclose many details following the attack, deferring the investigation to the authorities. The New Zealand Police even conducted an inspection of Cryptopia’s headquarters.

In 2021, the Cryptopia exchange was hacked again and eventually liquidated.

Notable crypto hacks of all time

Across the history of cryptocurrency, there are three legacy hacks worth noting. Some of these led to the dissolution of major crypto players and others became some of the most dramatic crypto heists in history.

Mt. Gox, $460M

In 2014, a whopping $460 million was stolen from Mt. Gox, a Tokyo-based bitcoin exchange. The hackers had been skimming money for years with stolen private keys. Former employees claim weak security software and mismanagement allowed the hack to slip by. Mt. Gox paused all withdrawals on its platform and a few weeks later, the site went offline and the company removed all posts from its Twitter account.

Mt. Gox filed for bankruptcy shortly after the hack, and some customers have yet to be compensated, but are expected to receive funds this year. In 2015, CEO Mark Karpelès was arrested by Japanese police for fraud and embezzlement.

Prior to its bankruptcy, the company had a history of trouble. In 2013, U.S. federal agents seized $5 million from Mt. Gox for failing to register as a money transmitter. Mt. Gox was also being sued for $75 million by an old business partner. And Mt. Gox had previously lost $8.75 million in a 2011 hack.

Coincheck, $532M

In 2018, Coincheck, a Japanese bitcoin wallet and cryptocurrency exchange platform, set the world record for largest crypto hack.

Hackers stole $532 million worth in Coincheck’s native currency, NEM, and distributed it to 19 different addresses. The stolen NEM coins were held in a single hot wallet — which is typically less secure because it is connected to the internet. Coincheck also didn’t have any multi-signature contract security in place.

Authorities arrested 30 people accused of trading the stolen crypto in 2021. Coincheck did eventually reimburse all of the impacted users, and continues to operate its exchange.

BitGrail, $170M

BitGrail was an Italian exchange focused on trading more obscure cryptocurrencies.

In 2018, the company’s wallets were hacked and $170 million was stolen. Investigations found that the majority of stolen funds were taken from BitGrail’s cold wallets. Because cold wallets are an offline storage solution, investigators began to believe the hack was an inside job.

Preceding the attack, withdrawal limits had suddenly been reduced and non-European users were banned. This led to assumptions that BitGrail had detected suspicious activity before the hack took place.

Stolen funds were not recovered and BitGrail filed for bankruptcy. In 2020, the BitGrail founder, Francesco Firano, faced multiple charges of fraud and money laundering.

Final thoughts on crypto hacks

Cryptocurrency is still breaking its way into mainstream society and remains highly unregulated. There is little insurance to safeguard against incidents, and many victims have to rely on the good faith of the crypto company to reimburse them.

One thing to take away from this history of crypto hacking is savvy storage for your assets. It’s generally best not to store your assets on exchange platforms, but rather personal wallet solutions. You should also always ensure security protocols like 2FA and multi-signature contracts are in place when working with a crypto platform.