Over the years, the cryptocurrency and blockchain
industries have earned somewhat of a reputation for being frequent victims of cyberattacks
. Cryptocurrency exchanges are the most common target of ridicule in this regard, supposedly putting their customers’ funds under undue risk all the time and losing hundreds of millions of dollars on a regular basis. How deserved is that reputation?
One might argue that the critics were entirely correct in the early years of crypto
. The Mt. Gox exchange
, one of the earliest and largest crypto thefts, still remains an example of gross negligence and incompetence that resulted in massive security breaches and subsequent loss of over $400 million worth of Bitcoins.
However, today we’ll look at the history of the largest crypto hacks
of all time, and it will become clear that the situation is improving. Government involvement and self-regulatory initiatives
across the industry have significantly enhanced security measures at all major crypto exchanges.
However, that is not to say that cryptocurrency investors should start or continue storing their funds on crypto exchanges. Regardless of how airtight any particular platform might be, it is almost by definition more vulnerable to attack than the more secure storage methods
, such as cold wallets
When hackers do manage to break through the improved defenses, closer cooperation between major actors in the crypto space, advances in blockchain forensics tools, and implementation of insurance policies have often resulted in the quick recovery of stolen funds or, absent that, in full compensation of losses. So, let’s see how the largest crypto heists in history came to pass and what they resulted in.
Join us in showcasing the cryptocurrency revolution, one newsletter at a time. Subscribe now to get daily news and market updates right to your inbox, along with our millions of other subscribers (that’s right, millions love us!) — what are you waiting for?
Date of attack: Aug. 10, 2021
Value of assets lost: $610 million
The hack of Poly Network, a cross-chain
interoperability protocol for Bitcoin (BTC
), Ethereum (ETH
), Neo (NEO
), and other cryptocurrencies, is the largest confirmed crypto heist in history
— as well as one of the most recent ones. Poly Network’s cross-chain transactions feature allows users to send assets among different blockchains without converting them via an exchange.
As explained by software engineer Kelvin Fichter, the protocol creates digital self-managing lockboxes on two different blockchains. It then allows a user to withdraw funds from one lockbox only after it receives a message from the other lockbox that the corresponding amount of assets has been deposited into it.
A hacker, or group of hackers, has managed to find a way to trick a lockbox into releasing the funds stored in it without receiving legitimate permission from another blockchain. They exploited this vulnerability on Aug, 10
, with a total of over $612 million stolen by the hackers.
Fortunately, this story has a happy ending. The Poly Network team reached out
to the hacker and established communication soon after the attack, which ultimately resulted in the recovery
of all $610 million worth of stolen assets in the hack
Date of attack: Jan. 26, 2018
Value of assets lost: $534 million
is a fairly popular Japanese cryptocurrency exchange
that unknown hackers attacked in January 2018. Around 523 million NEM (XEM) tokens
, worth over $530 million at the time
, were illicitly sent from its address on Jan. 26,
followed by an abnormal decrease in the exchange’s balance.
By Coincheck’s own admission
, the attack was enabled by the technical difficulties and a shortage of employees faced by the company
, resulting in poor security practices. The stolen NEM were stored on a hot wallet
that was connected to the internet, instead of an offline cold wallet, which is the standard industry practice as it provides an extra layer of protection from remote attacks.
Japan’s Financial Services Agency (FSA) ordered
Coincheck to improve its security practices in the aftermath. Still, they did not shut it down, hoping that the exchange would manage to refund its users and return to regular operation. The FSA’s judgment has since been proven correct, as Coincheck used its own capital to reimburse all 260,000 affected customers and remains a highly active trading platform with almost $100 million in daily trading volume as of August 2021.
Date of attack: Late 2011 - February 2014
Value of assets lost: $460 million
Mt. Gox was initially set up in 2007 by U.S. programmer Jed McCaleb to serve as a card trading platform for a highly popular Magic: The Gathering Online card game. McCaleb never fully realized the initial plan, having requalified it into a Bitcoin exchange in 2010. Later, as the company started snowballing in popularity and cash flows, he sold it to a French-born Japanese programmer and entrepreneur, Mark Karpeles.
Karpeles’ subsequent mismanagement proved disastrous for the business. While the trading platform grew to become the largest crypto exchange globally
, at one point handling as much as 70% of all BTC transactions
, the development of its backend mechanisms stagnated, making it an ideal target for hackers looking to siphon off large sums with relative ease.
In an interview
with Wired, anonymous Mt. Gox insiders reported that the exchange’s development cycle lacked such basic features as version control software and test environment,
resulting in the sluggish implementation of updates and leaving security vulnerabilities unpatched for weeks at a time. Naturally, hackers have taken advantage of those exploits, stole 744,408 bitcoins
, worth about $460 million then and $37 billion now
, over several years, starting in late 2011
Mt. Gox finally imploded on Feb. 24, 2014, and filed for bankruptcy soon after. The lost funds have never been fully refunded to the exchange’s customers, with dubious plans
to do so still flying around from time to time. Mt. Gox stood as the most significant crypto heist for years until Coincheck surpassed it four years later, as well as a lesson that the crypto industry has grown large enough to warrant professional security measures to protect customers’ money.
Date of attack: Sept. 25, 2020
Value of assets lost: $280 million
Next up on our list is KuCoin
, another major cryptocurrency exchange
that was hacked for about $275-$285 million worth of users’ assets on Sept. 25, 2020
. This case is notable because quick, calculated action
on the part of the exchange, coupled with close cooperation with other companies in the cryptocurrency industry, allowed KuCoin to survive the incident successfully.
Within a week from the day of the hack, blockchain data firm Chainalysis tracked
all of the stolen funds and established a trail of evidence. The use of its Reactor crypto forensics tool allowed the money to be monitored despite the criminals’ attempt to mask the movement of funds through coin mixers and decentralized exchanges (DEXs),
which don’t leave an audit trail by default.
Through smart use of blockchain tools and cooperation with fellow exchanges and law enforcement agencies, KuCoin has recovered 84% of the stolen tokens
, and it covered the remaining losses through its own capital and insurance fund
. Moreover, in the wake of the attack, the exchange has established its Safeguard Program
, which was designed to take advantage of their invaluable experience dealing with the hack to help other cryptocurrency businesses that might end up in a similar situation.
KuCoin’s skillful handling of the incident has earned it the respect of its customers and a rightful sixth place among the top cryptocurrency exchanges
, with about $1.92 billion in daily trading volume as of August 2021
Date of attack: January 2018 - Up to today
Value of assets lost: from $200 million to $1.75 billion
The story of the CryptoCore hacking group is similar to that of Mt. Gox in that the attack was not a single event but instead took place gradually over several years. The difference, however, is that it targeted at least five different exchanges.
Research published by the ClearSky cybersecurity firm in June 2020
revealed that a group of hackers had been targeting various cryptocurrency exchanges with elaborate phishing
attacks since as early as May 2018, resulting in the loss of at least $200 million in cryptocurrency.
ClearSky dubbed the group “CryptoCore,” determined with a medium level of certainty that it was based in Russia, Ukraine, or Romania, and revealed that the affected exchanges were primarily based in Japan and the U.S.
Here’s where it gets interesting, though: further research by ClearSky has revealed a connection with another hacking group. In May 2021, the cybersecurity company published a report
, attributing the CryptoCore attacks with a medium-high likelihood to Lazarus, a collective of hackers suspected to be based in North Korea and working for its government, and designated as an advanced persistent threat by the U.S.
If ClearSky’s assessment is correct, it will make the combined CryptoCore/Lazarus hacks one of the largest crypto theft operations of all time.
by the already mentioned Chainalysis firm revealed in February 2021 that Lazarus had stolen as much as $1.75 billion in cryptocurrency
. The attacks started around January 2018
and are likely continuing to this day — the group still hasn’t been definitively identified and apprehended.
Date of attack: Feb. 10, 2018
Value of assets lost: between $140-195 million
The case of Bitgrail was the exact opposite of the success stories of KuCoin and Bitfinex (more about that one later). The exchange was attacked in January-February 2018, and 17 million Nano (NANO) tokens were stolen
, worth between $140 and $195 million.
One could argue that the company’s founder and sole director, Francesco Firano handled everything wrong. Even though the hackers began siphoning off Nano in January, the exchange did not cease operations or notify the authorities until February 10
, when it was already too late. Afterward, Firano tried, unsuccessfully, to shift the blame
on the Nano team, who justifiably refused to alter the coin’s blockchain to cover for Bitgrail’s faulty security.
Even worse, as the investigation into the hack proceeded, the Italian police uncovered evidence of Firano’s “clear” personal involvement in the attack.
Although the authorities weren’t sure whether he was actively participating in the theft or just criminally negligent, they did charge Firano with computer fraud, fraudulent bankruptcy, and money laundering.
As of August 2021, the situation remains unresolved: the Italian court
has ordered Bitgrail to refund as much of the stolen assets as possible, and victims’ claims remain under process until the deadline of Sept. 17, 2021, listed on the exchange’s own website
Date of attack: Aug. 2, 2016
Value of assets lost: $78 million
is another cryptocurrency exchange that has lost a large sum of its customer funds in a hack but ultimately made a spectacular recovery. It was targeted in an attack on Aug. 2, 2016
, resulting in the loss of almost 120,000 Bitcoins
from users’ wallets, worth as much as $78 million
at the time.
The exchange announced the hack in a blog post
and halted all BTC withdrawals and trading immediately after. All of the stolen funds were soon blacklisted
(preventing the possibility of cashing them out through any crypto exchange) but never recovered, and the hackers themselves have never been tracked down despite the efforts to do so.
To repay the attack’s victims, Bitfinex issued BFX cryptocurrency tokens to them at a 1:1 ratio to their losses
, promising to redeem the tokens at 100% of their price with its own profits later down the line. The exchange had successfully fulfilled its obligation within a year of the attack, announcing full redemption of BFX in April 2017.
Bitfinex’s graceful handling of the initially disastrous incident has allowed it to remain of the most popular crypto exchanges. In August 2021, it is the eighth largest platform with about $900 million in daily trading volume
Date of attack: April 13, 2021
Value of assets lost: from $100 million to $3.6 billion
Last but not least on our list is the perplexing case of Africrypt. The South African Bitcoin investment firm, founded in 2019 by brothers Raees and Ameer Cajee, halted all operations on April 13, 2021
, citing a breach in its system, client accounts, client wallets, and nodes
The brothers then recommended their customers not to pursue the “legal route," as it would delay the process of tracking down and recovering the funds lost in the attack. Refusing to heed the Cajees’ sage advice, several victims of the incident had contacted the Hanekom Attorneys law firm. They filed a complaint with the police, claiming a loss of $3.6 billion worth of bitcoins and asserting that the supposed hack was an exit scam.
In response, Raees and Ameer hired their own lawyer, John Oosthuizen, who then proceeded to deny the brothers’ involvement in the heist. Oosthuizen also revealed that the Cajees had not contacted the police following the hack, citing their lack of age and life experience in an absurdist defense (they were 18 and 20 at the time, and most likely aware of the existence and purpose of law enforcement agencies).
Perhaps unsurprisingly, Africrypt’s website went down and its founders mysteriously vanished
soon after the incident. It is, as of yet, unclear whether the victims’ estimation of $3.6 billion of losses is correct. It seems the company may have never managed that much money, to begin with, but if it is legitimate, it would make Africrypt the largest crypto theft in history so far.
This article contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of CoinMarketCap, and CoinMarketCap is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. CoinMarketCap is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by CoinMarketCap of the site or any association with its operators. This article is intended to be used and must be used for informational purposes only. It is important to do your own research and analysis before making any material decisions related to any of the products or services described. This article is not intended as, and shall not be construed as, financial advice. The views and opinions expressed in this article are the author’s [company’s] own and do not necessarily reflect those of CoinMarketCap. CoinMarketCap is not responsible for the success or authenticity of any project, we aim to act as a neutral informational resource for end-users.