Education logo

Top 5 of the biggest cryptocurrency thefts in history

smart contract audit

By cyphershieldtechPublished about a year ago 8 min read

Hundreds of millions of dollars missing: the five biggest heists in cryptocurrency history.

Cryptocurrency is the ideal target for cybercriminals: there are many ways to steal it, and it is very difficult for victims to get it back. And some hackers go on outright killing sprees: they make tens or sometimes hundreds of millions of dollars from a crypto exchange attack. In this post we analyze the 5 biggest thefts in the relatively short history of cryptocurrencies. And there is a final bonus: the incredible story of a cryptocurrency heist worthy of a Netflix series…

5. The master key

Victim: KuCoin Cryptocurrency Exchange

Date: September 26, 2020

Loss: about $285 million

On the night of September 25 to 26, 2020, security officers of the Singapore-based company KuCoin detected several abnormal transactions from different hot wallets . To stop suspicious transactions, they transferred all remaining assets from the compromised hot wallets to cold storage . The entire incident took approximately two hours from detection to completion. During this time, the attackers managed to withdraw approximately $285 million in various cryptocurrencies.

The investigation revealed that the cybercriminals had accessed the private keys of the hot wallets. One of the main suspects is the Lazarus group, a North Korean APT cyber gang . This is because the attackers used a multi-stage algorithm to launder the loot, similar to the schemes used in previous attacks by the Lazarus group. First, they ran equal amounts of cryptocurrency through a tumbler , or mixer, (a tool for mixing cryptocurrency funds with others to hide the trail), then they transferred the cryptocurrency through decentralized platforms .

Despite the scale, this attack was not the end of the cryptocurrency exchange. The next day, KuCoin CEO Johnny Lyu, during a live broadcast, promised to repay the stolen funds. Lyu was true to his word, and in November 2020, he tweeted that 84% of the affected assets had been returned to their owners . The remaining 16% was covered by the KuCoin insurance fund.

4. Money out of thin air

Victim: Wormhole Cross-chain Bridge

Date: February 2, 2022

Loss: $334 million

The next number in our Top 5 is a heist that used a vulnerability in Wormhole, the cross-chain bridging protocol . Cybercriminals benefited from the fact that the developers of the platform made the code of their program public. But first things first...

Wormhole is a mediator tool for cryptocurrency transactions. Specifically, it allows users to move tokens between the Ethereum and Solana networks. Technically, the exchange works like this: tokens are frozen on one chain, while so-called “wrapped tokens” of the same value are issued on the other.

Wormhole is an open source project with its own repository on GitHub. Shortly before the theft, the developers put code around to fix a vulnerability in the protocol. But the attackers managed to exploit the vulnerability before the changes took effect.

This bug allowed them to bypass transaction verification on the Solana side and issue 120,000 “wrapped ETH” (worth around $334 million at the time of the attack) without freezing the equivalent collateral on the Ethereum blockchain. The cybercriminals transferred two-thirds of the total amount to an Ethereum wallet and used the rest to buy other tokens.

Wormhole publicly appealed for the attackers to return the stolen funds and detail their actions for a $10 million reward . Cybercriminals ignored this generous offer.

The day after the robbery, Wormhole tweeted that all funds had been restored and the bridge was working as before. The financial hole was closed by Jump Trading, the company that had bought Wormhole's developer six months before the incident. Judging by open source information, the culprits are still unknown.

3. Theft three years

Victim: Mt.Gox Crypto Exchanges

Date: February 2014

Loss: $480 million

Mt.Gox's story begins in 2007, when it was a trading platform for the game Magic: The Gathering . Three years later, amid the growing popularity of cryptocurrencies, Jed McCaleb, an American programmer and owner of the site, decided to turn it into a cryptocurrency exchange , but later sold the service to French developer Mark Karpelès in 2011. Just two years later , Mt.Gox traded about 70% of the world's bitcoin.

This rapid climb was followed by a crippling crash. On February 7, 2014, the exchange suddenly blocked all bitcoin withdrawals. The company blamed it on technical problems. Outraged customers rallied outside Mt.Gox's Tokyo headquarters, demanding their money back. His protest fell on deaf ears.

What is notable about this story is that the Mt.Gox heist began in 2011. Back then, unknown hackers got hold of the private passwords of a hot wallet on the exchange and gradually began siphoning bitcoins. By 2013, cybercriminals had deposited 630,000 BTC into their accounts.

Mt.Gox was ultimately delisted on February 28, 2014, when Karpelès filed for bankruptcy and apologized for “weaknesses in the system” that had removed approximately 750,000 BTC of client funds, as well as 100,000 Own BTC. The amount of stolen funds is usually estimated to be around $480 million; this is the value of the total amount of tokens stolen at the exchange rate of one day before the exchange filed for bankruptcy on February 27.

However, keep in mind that in the time after Mt.Gox went out of business and before it filed for bankruptcy, the price of bitcoin fell considerably. If calculated at the February 6 exchange rate (the day before the stock market closes), the loss would be around $660 million. However, both figures are provisional: they do not take into account the three-year duration of the heist, during which time the exchange rate fluctuated wildly. Therefore, it is difficult to determine the exact amount of damage.

How was the attack possible? According to former employees , the company's management was quite negligent in several important matters. For example, Mt.Gox had serious problems with financial reporting. In addition, there was never a proper audit of code quality and security: for example, there was no version control system.

Prosecutors charged Karpelès, owner of Mt.Gox, with embezzlement of approximately $3 million worth of customer funds. But this could not be proven in court. In the end, Karpelès only received a suspended sentence of two years and six months for data manipulation and was cleared of other charges.

2. Almost half a billion

Victim: Coincheck Cryptocurrency Exchange

Date: January 26, 2018

Loss: $496 million

Coincheck is one of the largest cryptocurrency exchanges in Japan. In 2018, cybercriminals managed to steal more than 500 million NEM tokens worth about the same dollar amount.

The company claimed its security system was robust and did not disclose exactly how the intruders carried out the attack. That said, some experts believe that cybercriminals may have gained access to the private passwords of Coincheck hot wallets with the help of malware embedded in a computer at the company's office.

The attackers also created their own site where they sold NEM tokens for bitcoin and other cryptocurrencies at a 15% discount. As a result, the NEM exchange rate fell sharply and Coincheck lost around $500 million, however this did not force the exchange to shut down. Furthermore, the criminals could not be traced. The exchange had to suspend operations for a while and promised to compensate clients with their own funds

1. Surprise job offer included

Victim: Ronin Network Blockchain Platform

Date: March 23, 2022

Loss: $540 million

Ronin Network was created by Sky Mavis for the game Axie Infinity , which allows players to purchase Smooth Love Potion (SLP) in-game currency . In late March 2022, unknown attackers stole a record $540 million worth of cryptocurrency from Ronin. They were aided by spyware and the magic of social engineering.

The targeted attack targeted Sky Mavis employees, one of whom took the bait (probably on LinkedIn). After going through a “selection process”, one of the senior engineers received a “job offer” in the form of a PDF file with spyware inside. This allowed the thieves to take control of four of the network's validation private keys .

To gain access to company assets, they needed to compromise at least five of the nine validators. As we mentioned, the spyware helped them get four keys. The fifth was achieved due to an oversight by the company itself, which had authorized the Axie DAO (Decentralized Autonomous Organization) to sign transactions to help Ronin Network mitigate user volume, and then they forgot about it. revoke permission.

However, Sky Mavis quickly recovered from the incident. In June 2022, it relaunched the blockchain platform and started compensating affected players.

Bonuses. A hack with refund

Target: Poly Network cross-chain protocol

Date: August 10, 2021

Loss (later recovered): $610 million

As a side story, let's end with another major cryptocurrency heist, which ended with every penny of the loot being returned. This is what happened…

Poly Network is yet another protocol for implementing blockchain interoperability. In the summer of 2021, he witnessed one of the biggest heists in cryptocurrency history. An unknown hacker, exploiting a vulnerability in the Poly Network, stole over $600 million worth of various cryptocurrencies .

Poly Network appealed to the perpetrator on Twitter to return the stolen tokens. To everyone's astonishment, the hacker got in touch and agreed. They proceeded to transfer the stolen tokens bit by bit, dividing them into several unequal parts.

The online exchange between the hacker and the Poly Network went on for quite some time. During it, the attacker stated that he was not interested in the money and that he had only carried out the robbery for "ideological reasons." As a token of gratitude, the Poly Network dropped the claims against him, guaranteed his anonymity, offered a $500,000 reward, and even invited him to become his top security consultant. He also launched a $500,000 bug bounty program .

There is no moral as such, but...

We have listed the top 5 major cryptocurrency heists, where they all targeted major organizations. But, sure, many minor incidents affect common users all the time. Therefore, all investors must take steps to protect their assets. Here are some useful tips:

Choose your platforms for trading and other operations carefully: check comments and reviews and, if possible, consult with experienced users you trust.

Do not give your exchange account login details or wallet credentials to anyone. Remember to keep secret not only passwords and private keys, but also your seed phrase .

Keep your main cryptocurrency savings in cold wallets : unlike hot ones, they don't need to be permanently online and are therefore more secure in general.

If you're using a hot wallet, make sure you enable two-factor authentication.

Beware of phishing.

Use a trusted solution that protects your financial transactions, prevents malware from stealing your wallet password or private key, and warns you about fraudulent sites.


As vulnerabilities exist in the web3 spaces, Cypershield is one of the kinds of Security and Smart Contract audit company rendering exceptionally professional smart contract auditing services for varied Crypto projects. In the process of rendering your projects, full-on auditing services help you come over your smart contract vulnerabilities and reach a higher scale in the market.

product review

About the Creator

Reader insights

Be the first to share your insights about this piece.

How does it work?

Add your insights


There are no comments for this story

Be the first to respond and start the conversation.

Sign in to comment

    Find us on social media

    Miscellaneous links

    • Explore
    • Contact
    • Privacy Policy
    • Terms of Use
    • Support

    © 2024 Creatd, Inc. All Rights Reserved.