Crypto Exchange Hacks: 2009–2023 Chronological List

Control Your Keys Control Your Future

The crypto industry has had its fair share of hacking, scams, and collapses since the very early Bitcoin days.

Most exchange hacks were peculiar in the way the teams corresponded with the public, with public speculation immediately emerging for inside involvement.

Besides the cases of hacking, we include scam exchanges, data leaks, exchanges that mismanaged funds and went bankrupt, DeFi exploits and more obscure cases.

While centralized exchanges pose a threat to our cryptocurrency, rug pulls, and vulnerabilities in the code of trustless DEXs and decentralized finance smart contracts can lead to vast damages.

Subscribe (for free) to get email notifications whenever I publish:

A Long List Of Hacks And Security Flaws

2011

• MyBitcoin (undisclosed amount): Hacked for an unknown amount
• MtGox (80,000BTC in 2011, 650,000 BTC in total): On June 19th, MtGox suffered the first of a series of hacks that followed, and the price of Bitcoin dropped to 0! Rumors suggest the exchange could have been hacked for 80,000 BTC even before Karpeles bought it from Jed McCaleb (Ripple’s and Stellar founder). (source)

Here’s what happened with the price of Bitcoin that day as the hacker was trying to sell the BTC from the compromised accounts:

• Bitcoin 7 (undisclosed amount): This exchange claimed it was hacked in October 2011, although the obscure excuses and methods pointed to an exit scam. After announcing it was hacked, the exchange asked for financial details of customers to reimburse them, but it never did (source).

2012

• Bitcoinica( 120,000 BTC): Bitcoinica Suffered multiple hacks resulting in 120,000 BTC being stolen (source).

After suffering a third hack within a few months, Bitcoinica’s founder Zhou Tong decided to exit the cryptocurrency industry. Vitalik Buterin published the Bitcoinica obituary in Bitcoin Magazine (link).

• Bitfloor (24,000 BTC): source
• Silk Road (51,000BTC): The notorious darknet marketplace suffers the theft of 51,000BTC. The culprit was arrested ten years later, relinquishing control of his BTC, which he had not spent but held all this time. (source).

2013

• Vircurex (1,454 BTC): A shady exchange that nobody knows a lot about its whereabouts. The exchange froze withdrawals after an alleged hack and delayed refunds. (source) The exchange was hacked several more times in the future for an unknown total amount until it seized operations in early 2021 (source).
• Blockchain.info (50 BTC): The popular web wallet was hacked in 2013 due to a bug in its RNG. Blockchain.info issued a refund to theft victims and fixed the bug (source).
• Inputs.io (4,100 BTC) (source)
• Bitcointalk Forum Gets Hacked (Not an exchange, so no funds were lost)

In October 2013, the Bitcoin forum created by Satoshi Nakamoto was hacked and defaced:

• Bitcash (4,000 BTC): source

2014

• MtGox (650,000 BTC): The hack everybody is talking about. Mt.Gox suffered multiple hacks starting in 2011 with approximately 650,000 BTC lost and still remaining unaccounted for (source).

In 2017, Greek police arrested Russian national Alexander Vinnik. Vinnik is accused of laundering stolen Bitcoins from Mt Gox using his exchange BTC-e. Currently, he is in US custody.

The original estimate by Mt Gox was 850,000 BTC, however, during the investigation, Mt. Gox CEO Mark Karpelès “discovered” a “forgotten” wallet containing 200,000 BTC, an amount that will be used to partially reimburse creditors.

However, MtGox creditors are still waiting for the release of 15–20% of the BTC held in the exchange after reaching an agreement several years ago.

• Picostocks (7200 BTC): Another obscure exchange that suffered two consecutive hacks before shutting down (source)
• Flexcoin (890 BTC): (source) Interesting name since another exchange called Coinflex went down due to mismanagement eight years later.
• Poloniex (97 BTC): Poloniex repaid its customers within months (source)
• Crypto Rush (950 BTC & 2500 LTC): source
• MintPal (8m Vericoin ~$2m): source
• Cryptsy (13,000 BTC & 300,000 LTC): Cryptsy announced it was hacked and (source). In 2022 the CEO of Cryptsy, Paul Vernon, was “indicted for defrauding company’s customers, destroying evidence, and tax evasion” (source).

2015

• Bitstamp 19,000 BTC: Bitstamp is one of the earliest exchanges still active, yet it also suffered a breach that resulted in the loss of 19,000 BTC. The customers’ balances were not affected. (source)
• 796 (1,000 BTC): A Chinese exchange that apparently lost 1,000 BTC after its systems were compromised. (source)
• BTER (2 hacks: 50m NXT & 7,170 BTC): Also a Chinese exchange, BTER suffered two hacks within two months. (source).
• CBE Kipcoin (3,000+ BTC): A third Chinese exchange was attacked within just a few months. Customers of Kipcoin were in disbelief of the exchange excuses and called it a Ponzi scheme. (source)
• Bitcointalk Forum (data breach): Bitcoin forum bitcointalk gets hacked with the attackers stealing credentials (login, passwords, and other information) of accounts.
• Bitfinex (1400 BTC): The first hack on notorious exchange Bitfinex (source)

2016

• Gatecoin (250 BTC & 185,000 ETH): source
• ShapeShift (350BTC): An inside job according to Erik Voorhes (source)
• Bitcurex (2,300 BTC): A Polish exchange that was hacked (source)
• Ethereum’s DAO Hack (3,600,000 ETH!) The DAO incident was actually an exploit of a vulnerability in Ethereum’s Solidity. Not actually a hack since no system was compromised but 5% of Ethereum’s total supply was stolen as a result. With coordinated (centralized) intervention Ethereum developers reversed the ETH by rewriting the transactions. No funds were lost: (source)
• 2016 Bitfinex: 120,000 BTC. This was the famous Bitfinex hack, with the alleged culprits discovered several years later.

The whole ordeal still raises several questions, as with anything that has to do with the Bitfinex/Tether team.

2017

• YouBit 1st hack (4,000 BTC): Korean exchange Youbit will suffer a second hack months later. (source)
• Yapizon (3,831 BTC): This Korean Exchange spread the loss from the hack to all of its customers… (source)
• Bithumb 1st Hack (an unknown amount of BTC and ETH): On July 3rd, 2017, several accounts were affected in this hack of Korean exchange Bithumb. The total amount is unknown (source).
• YouBit 2nd hack (undisclosed amount): The South Korean exchange stopped operating right after the second hack. Not a great year for South Korean exchanges (source)
• EtherDelta ($1,4m): The first DEX on Ethereum suffered a Server DNS compromise. Two suspects were indicted (source).
• NiceHash (4,736 BTC): Cryptocurrency mining market Nicehash was hacked by the North Korean team called Lazarus Group (source1, source2).

2018

• CoinCheck ($500 million in XEM tokens): At the peak of the 2017 crypto bubble, Japanese exchange CoinCheck was hacked for half a billion dollars worth of popular at the time XEM tokens.

This was one of the biggest hacks in crypto history yet Coincheck refunded the entirety of its customers’ balances (source).

• Bitgrail (17m Nano-XRB, ~170m USD): One of the most bizarre cases of hacking with the CEO of the obscure exchange Bitgrail somehow losing $170 million worth of Nano (former Railblocks) and accusing Nano of vulnerabilities and double spending attacks. (source)

We should keep from this case the following part published in Nano’s Medium response to the case:

An option suggested by Firano was to modify the ledger to cover his losses — which is not possible, nor is it a direction we would ever pursue.

This was the first time an exchange owner made this request, but not the last one. The precedent with Ethereum’s DAO hack seemed like a reasonable solution in the case of hacking, but in fact, it defied the purpose of blockchain’s immutability.

• CoinSecure (438 Bitcoin): source
• Coinrail (ETH & ERC20 tokens worth $40 million): source
• Bithumb 2nd Hack (XRP tokens worth $35 million): source
• Bancor (Various tokens worth $23,5 million): source
• Zaif (6,000 BTC and various tokens worth $60m): source
• MapleChange (crypto worth $5m): Possibly an exit scam according to various sources (source)

2019

• Quadrica CX ($250 million in crypto): A bizarre event that led to customers losing access to their funds since the only person controlling the keys (CEO Gerald Cotten) was announced dead in 2018. Apparently, no one else had access to the keys, but the circumstances led many to believe that the exchange was a running Ponzi scheme and Cotten changed his identity and faked his death (source).
• LocalBitcoins (7.9 BTC): source
• Cryptopia 1st Hack (19,391ETH and various other cryptocurrencies) (source)
• Coinmama (data breach): 450,000 users data stolen (source)
• DragonEx 1st Hack (7 million): In March 2019 the Singaporean exchange suffered another hack and lost $7 million to hackers that Chainalysis identified as the North Korean state-sponsored Lazarus Group (source)
• Coinbene (ERC20 tokens worth $100 million): A suspicious case with Coinbene initially announcing it wasn’t hacked but undergoing maintenance (source).
• Bithumb 3rd Hack (EOS & XRP worth at least $13 million): A suspected inside job. The customers’ balances were not affected. (source)
• Binance (7,000 BTC): No user funds were affected but the exchange took a $40 million hit.

• Gatehub (data breach): source
• Bitrue (XRP & Cardano worth $4 million): source
• Bitpoint ($32 million worth of crypto): source
• Vindax ($500,000 worth of tokens): source
• Upbit Hack (342.000 ETH): Ethereum worth $50,000,000 at the time was transferred from the exchange to an address it didn’t control. The hacker split the funds and probably used mixing services to try to hide their trace. Funds of customers of the exchange were not affected by the hack. (source)

2020

• AltsBit (6,9 BTC, 23 ETH, and other crypto): A small Italian exchange called AltsBit was emptied by hackers at a heist worth $70,000. (source)
• DForce Exploit ($25 million): source
• Etana Custody (data breach): Kraken’s fiat services provider was hacked in April resulting to user’s data compromise. (source)
• Uniswap ($500,000 in tokens): source
• Lendf.me Hack ($24,5 million): source
• Balancer Hack ($500,000): source
• BlockFi (data breach): Customer’s data stolen (source)
• BuyUCoin (data breach): Customer’s data stolen and leaked on the dark web (source)
• Eterbase Hack ($5,3 million worth of crypto): source
• Kucoin Hack ($280 million worth of crypto): Customers funds were not affected (source)

Kucoin was one of the largest exchange hacks, yet the exchange managed to recover most of the stolen cryptocurrencies within a year.

• Cashaa ($3,1 million): Inside job suspected (source)
• Liquid (data breach): source
• BTC Markets (data leak): The personal data of 270,000 users was accidentally leaked by the Australian exchange (source)
• EXMO ($4 million): source
• Livecoin (undisclosed amount): Livecoin declared it was hacked, although many expected something like that from this obscure exchange. (source)

2021

• Cryptopia 2nd Hack ($45.000 worth of cryptocurrency $XNS): Somehow, Cryptopia managed to get hacked again, even when it was not operational and under liquidation proceedings. (source)
• HotBit 1st Hack (data breach): Apparently, no funds were stolen in this “hack” but customers’ data was breached. (source)
• Liquid Hack ($80 million): source
• BitMart ($150 million): source
• AscendEX ($78 million): source

2022

• Crypto.com ($34 million): source
• Axie Infinity Hack ($620 million in Axie Tokens): Again the Lazarus Group was identified as the culprit organization (source).

• LCX ($6,8 million): source
• Deribit ($28 million): source
• Binance Smart Chain Exploit (2,000,000 BNB): Since BSC is a centralized chain, validators froze 2 million BNB (source).
• Harmony Hack ($100 million worth of ETH): According to reports, the Lazarus group was behind this hack as well (source)
• FTX Hack ($415 million): FTX claimed it was hacked for $415 million while on liquidation (source)

2023

• DragonEx 2nd Hack (undisclosed amount): source
• GDAC ($13 million in various coins): source
• Atomix Wallet Hack ($35 million): Again, the Lazarus Group is suspected of being behind the theft. (source)
• Coinspaid Payment Provider Hack ($37m in crypto): The Estonian-based platform blames the Lazarus Group for the cyber attack (source)
• Alphapo Payment Provider Hack ($60 million in crypto): Lazarus Group again (source).
• The list will not end here.

In Conclusion

While centralized exchanges are a constant target of hackers, with the rise of DeFi, hackers are now focused on exploiting vulnerabilities in smart contracts.

It is also important to mention that top exchanges are constantly the target of state-sponsored hacking groups that operate with members operating without fear of getting caught or arrested.

Furthermore, white hat hackers have several times undermined their attempts successfully.

We recognize that not much is safe, and KYC is perhaps the worst practice ever enforced to protect the customers of cryptocurrency exchanges.

Education will be the only approach to reduce the massive scale of fraud and scams in the cryptocurrency industry.

Also Read:

My Links:

● read.cash ● noise.app ● Medium ● Hive ● Twitter ● LinkedIn ● Me.dm ● CashRain ● YouTube

Don’t forget to Subscribe and Like if you enjoyed this article!