Since bitcoin’s debut, its price has skyrocketed to levels that few imagined. As recently as 2010, the estimated value of a single bitcoin was less than a penny. Now, one bitcoin is worth thousands of dollars. Many early crypto investors became fabulously rich during bitcoin’s eye-popping ascent, which is why cryptocurrency enthusiasts half-jokingly use slang like “LAMBO!” (short for Lamborghini) and “to the moon” when there’s an actual or expected crypto price spike.
On the other side of the coin, the fact that cryptocurrency transactions are irreversible makes investing in cryptocurrency a potentially perilous endeavor. Once cryptocurrency is stolen, there’s no way to get a refund. The largest crypto exchanges– virtual marketplaces that traders use to buy and sell cryptocoins– contain vast amounts of digital cash. This makes them very attractive targets for hackers.
Over the years, digital intruders have stolen millions of dollars worth of cryptocoins from various exchanges. Some of the crypto exchanges that were successfully raided by hackers managed to recover. However, others went bankrupt– and several have even been plundered multiple times.
Read on for an extensive history of all the known cryptocurrency exchange hacks.
The Six Worst Cryptocurrency Cyber Attacks of All Time
This year’s series of record-setting hacks seems to indicate that crypto exchanges have a long way to go when it comes to protecting their customers’ assets. Three out of the top six crypto exchange hacks occurred in 2018– and it’s only June.
- In January, Coincheck announced that hackers had plundered over $500 million dollars’ worth of NEM coins. The half-a-billion-dollar heist was not only the most devastating crypto exchange hack ever, it was also called the biggest theft in the history of the world. Shortly after the hack, Coincheck admitted that its own shoddy security practices allowed the hackers to transfer millions out of Coincheck’s hot wallets.
- The second biggest crypto exchange hack of all time happened in the early years of bitcoin, back in February of 2014. Hackers targeted first-generation exchange Mt. Gox and made off with the equivalent of $460 million dollars in bitcoin. Because the crypto market was much smaller then compared to what it is now, the Mt. Gox hack had a far greater impact on the market compared to the aftermath of the Coincheck’s record-setting loss.
- Just one month after the Coincheck incident, BitGrail earned the dubious distinction of being the victim of the third worst crypto exchange hack ever. In February of 2018, the Italian exchange reported that it had lost a whopping $187 million dollars’ worth of Nano. In the wake of the hack, finger pointing ensued. Nano developers said that BitGrail’s practice of storing all its funds in hot wallets (in other words, wallets connected to the internet) allowed the hackers easy access to the exchange’s funds. BitGrail’s CEO Francesco Firano disputed that claim and argued that the hackers had somehow exploited Nano’s blockchain.
- An equally controversial security incident occurred in August of 2016, when Bitfinex reported a loss of over $77 million dollars’ worth of bitcoin. Bitfinex’s initial investigation failed to reveal the cause of the alleged hack. Then, in October of the same year, the FBI started an investigation after a Bitfinex user reported that over a million dollars’ worth of bitcoin was removed from his account during the attack. Despite the FBI’s involvement, no further information has been revealed to the press to date. However, more questions around Bitfinex arose just a few weeks ago, when researchers at the University of Texas discovered that entities associated with Bitfinex or traders with Bitfinex accounts may have artificially ballooned the price of bitcoin to record-breaking heights in 2017.
- The most recent crypto exchange to get hacked is Japan-based Zaif. Hackers made off with $60 million worth of cryptos in September. The company immediately suspended operations following the break-in, but it was already too late. The Zaif hack followed efforts by Japanese regulators to force crypto exchanges to shore up their defenses in the wake of the massive Coincheck hack.
- The sixth most severe crypto exchange hack also occurred in 2018, when the South Korean exchange Coinrail announced that hackers had made away with $40 million dollars’ worth of cryptos. This particular attack was unusual because it involved the theft of not one but several different cryptocoins.
The recap above summarizes all the biggest crypto exchange hacks. However, many other notable smaller hacks have occurred. Keep reading for an exhaustive list of every known cryptocurrency hack.
- Amount stolen: $8.75 million
- Date: June 2011
Mt. Gox– the largest and most important first-generation crypto exchange– suffered through the first known cryptocurrency exchange hack. After news of the successful theft broke, cryptocurrency thought leaders Jesse Powell and Roger Ver were called in to assist with the cleanup. Though the incident was significant enough to cause the value of bitcoin to plummet, Mt. Gox CEO Mark Karpeles didn’t seem to take the incident very seriously. Powell told Wired that Karpeles went as far as to take the weekend off while the rest of the Mt. Gox team was attempting to revive the site.
“I thought that [Karpeles’s absence] was completely insane and demoralizing for the rest of the team.”
- Amount stolen: $50,000
- Date: October 2011
In 2011, Bitcoin7 was the third-largest BTC/USD exchange in the world. However, the company’s early success proved to be short lived. On October 5, the company reported that a group of Russian hackers had stolen 5,000 BTC from its coffers. Bitcoin7 was forced to shut down shortly after the hack.
- Amount stolen: $228,000
- Date: March 2012
The bitcoin exchange known as Bitcoinica was one of the hardest-hit victims of an early bitcoin cyber attack involving an exploitation of a webhost known as Linode. Even though Bitcoinica’s CEO and founder Zhou Tong was just 17 years old when he started the exchange, traders flocked to Bitcoinica because it was one of the only platforms that allowed its users to take short positions on (or in other words, bet against) bitcoin.
After the hackers compromised Linode, they lifted bitcoin funds from a handful of unencrypted “hot wallets” that were stored on Linode’s servers. Bitcoinica’s initial statement indicated that the exchange lost 10,000 bitcoin, but later on Bitcoinica CEO Zhou Tong admitted to Ars Technica that the actual number of coins stolen was 43,554. In addition to Bitcoinica, several individuals that were using Linode to store their bitcoin hot wallets lost their funds as well.
- Amount stolen: $87,000
- Date: May 2012
Bitcoinica was raided by hackers again in May, just weeks after the first attack. Along with the bitcoins, the hackers made away with Bitcoinica’s user database, which included user names, email addresses, passwords and other sensitive data.
The exchange posted the following statement to its official blog following the attack. The Bitcoinica website is no longer online, but Ars Technica quoted the statement in an article about the attack.
“It is with much regret that we write to inform our users of a recent security breach at Bitcoinica. The overwhelming majority of our bitcoin deposits were not stolen. The thief stole from us not you. All withdrawal requests will be honored.”
- Amount stolen: $300,000
- Date: July 2012
Bitcoinica was robbed for the third time in July. This time, the cryptocurrency community suspected that the hack may have been an inside job.
According to blockchain analysis posted by YouTube user Hal 1000, Bitcoinica CEO Zhou Tong may have been the beneficiary of the alleged theft. Roberto Gutierrez— the General Manager of AurumXchange– also believed that Tong was involved in the robbery. Tong responded to the accusations in a forum post, in which he claimed to have been framed.
“I’m willing to co-operate with any ongoing investigation and obviously I’m not trying to run away from this. I have already provided Mt. Gox with my certified copy of passport in an attempt to unlock my account with some Bitcoin balance.”
- Amount stolen: $250,000
- Date: September 2012
Before Bitfloor got hacked, it was one of the major crypto exchanges that offered USD-to-bitcoin trades. All that changed in September of 2012, when hackers gained access to Bitfloor’s system following a manual upgrade. Bitfloor founder Roman Shtylman issued this statement following the attack:
“Last night, a few of our servers were compromised. As a result, the attacker gained accesses to an unencrypted backup of the wallet keys (the actual keys live in an encrypted area). Using these keys they were able to transfer the coins. This attack took the vast majority of the coins BitFloor was holding on hand.”
- Amount stolen: $160,000
- Date: May 2013
Initially, the Vircurex hack of 2013 didn’t attract much attention from the press. In fact, cryptocurrency publications barely mentioned the hack at all until the following year, when the exchange had to freeze digital currency withdrawals. Apparently, the hacker used a Ruby on Rails based attack to gain access to Vircurex’s systems. A Vircurex report from May of 2013 provides some more details about the attack:
“The attacker has acquired login credentials to our VPS control account with our hosting service provider and has then asked for the root password reset of all servers which – unfortunately – the service provider has then done and posted the credentials in their helpdesk ticket, rather than the standard process of sending it to our email address.”
Source: Vircurex May 2013 Report
- Amount stolen: $130,000
- Date: June 2013
PicoStocks– a first-generation crypto stock exchange headquartered in the Marshall Islands– suffered the first of two hacks in June. On the BitcoinTalk forum, a representative from the company revealed that sloppy security practices allowed hackers to gain easy access to the exchange’s coffers.
“We will refund the loss because we are operating the account for some of our bigger customers that don’t know much about bitcoins and we had the same password on few accounts which was just extremely stupid. This is clearly our fault. The system seems fine. This is clearly a human error.”
- Amount stolen: $3 million
- Date: November 2013
The second PicoStocks hack of 2013 involved a much larger sum than the first. 5,896 bitcoins were stolen, according to Wired.
PicoStocks posted an odd “frowny face” filled announcement about the hack to Reddit following the loss. Because some of the wallets that were hacked were cold wallets that weren’t supposed to be accessible via the internet, some commenters suggested that the hack was actually an inside job.
“We will open the system when we have positively reviewed the security and collected the funds for the users 🙁 Maybe in 1 week from now :-(”
- Amount stolen: $460 million
- Date: February 2014
Though the first Mt. Gox hack was significant, it was a mere blip on the radar compared to the devastating breach that took place in 2014. Commenting on the massive hack that would topple his exchange for good, Karpeles gave a characteristically glib statement at a Tokyo press conference:
“We had weaknesses in our system, and our bitcoins vanished. We’ve caused trouble and inconvenience to many people, and I feel deeply sorry for what has happened.”
- Amount stolen: $570,000
- Date: March 2014
While the cryptocurrency community was still reeling in the wake of the Mt. Gox hack of 2014, a smaller exchange called Cryptorush announced that it had been robbed as well. Cryptorush’s leadership blamed the incident on a bug that occurred when an altcoin called BlackCoin released an unannounced fork. Apparently, the fork enabled owners of BlackCoin to withdraw more funds than they actually held in their wallets.
Though Cryptorush shut down shortly after the hack, a copy of the statement can be found on the BitcoinTalk forum:
“BlackCoin was stolen from us by users, caused by a bug in the BlackCoin daemon. This bug came from the way stake coins work and how they respond to RPC calls and getbalance [accountname] queries, something which we rely on to operate our exchange.”
- Amount stolen: $64,000
- Date: March 2014
Poloniex founder Tristan D’Agosta didn’t have much business experience before he started his exchange. D’Agosta was a freelance fiction writer and music specializing in “orchestral, operatic, and chamber” music, according to his LinkedIn page. The issue that caused the incident was allegedly a bug in Poloniex’s code.
D’Agosta explained the problem on the BitcoinTalk forum:
“The hacker discovered that if you place several withdrawals all in practically the same instant, they will get processed at more or less the same time. This will result in a negative balance, but valid insertions into the database, which then get picked up by the withdrawal daemon.”
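The flaw D’Agosta describes is a check-then-act race: each withdrawal is validated against a balance that other in-flight withdrawals have not yet debited. The sketch below is an added example, not Poloniex’s code; the schema, the `alice` account and the amounts are constructed, and "the same instant" is modelled by running every balance check before any write. It shows the vulnerable flow beside a version that checks and debits in a single conditional `UPDATE`.

```python
import sqlite3


def new_db(balance):
    """Constructed ledger: one account row and an empty withdrawal queue."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts(user TEXT PRIMARY KEY, balance INTEGER NOT NULL);
        CREATE TABLE withdrawals(id INTEGER PRIMARY KEY, user TEXT, amount INTEGER);
    """)
    db.execute("INSERT INTO accounts VALUES ('alice', ?)", (balance,))
    db.commit()
    return db


def summary(db, user):
    """Return (balance, total queued for payout, number of queued withdrawals)."""
    (balance,) = db.execute(
        "SELECT balance FROM accounts WHERE user = ?", (user,)).fetchone()
    total, count = db.execute(
        "SELECT COALESCE(SUM(amount), 0), COUNT(*) FROM withdrawals WHERE user = ?",
        (user,)).fetchone()
    return balance, total, count


def vulnerable_batch(db, user, amounts):
    """Check-then-act. Requests arriving together all read the same balance."""
    approved = []
    # Phase 1: every request validates itself against the balance it reads.
    for amount in amounts:
        (balance,) = db.execute(
            "SELECT balance FROM accounts WHERE user = ?", (user,)).fetchone()
        if 0 < amount <= balance:
            approved.append(amount)
    # Phase 2: every approved request queues a payout and debits the account.
    # Each insert is valid on its own; only the sum exceeds the balance.
    for amount in approved:
        db.execute("INSERT INTO withdrawals(user, amount) VALUES (?, ?)",
                   (user, amount))
        db.execute("UPDATE accounts SET balance = balance - ? WHERE user = ?",
                   (amount, user))
        db.commit()
    return summary(db, user)


def hardened_batch(db, user, amounts):
    """Check and debit in one statement; queue a payout only if a row changed."""
    for amount in amounts:
        if amount <= 0:
            continue
        with db:  # one transaction per request: debit and queue commit together
            cur = db.execute(
                "UPDATE accounts SET balance = balance - ? "
                "WHERE user = ? AND balance >= ?",
                (amount, user, amount))
            # The database evaluates the WHERE clause and applies the debit
            # atomically, so no other request can slip in between them.
            if cur.rowcount == 1:
                db.execute("INSERT INTO withdrawals(user, amount) VALUES (?, ?)",
                           (user, amount))
    return summary(db, user)


if __name__ == "__main__":
    burst = [80, 80, 80]  # constructed: three withdrawals against a balance of 100
    print("vulnerable:", vulnerable_batch(new_db(100), "alice", burst))
    print("hardened:  ", hardened_batch(new_db(100), "alice", burst))
```

A `CHECK (balance >= 0)` constraint on the account table is a useful second layer, since it makes a negative balance fail at write time even if application logic regresses.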
- Amount stolen: unknown
- Date: March 2014
Bitcurex never revealed how much was stolen when it was raided by hackers in March. The Polish exchange closed down to revamp its security systems and conduct an investigation following the attack, then it attempted to spin the incident as a success. Apparently, user accounts were not affected.
“We successfully blocked a hacking attack on Bitcurex, preventing mass theft of BTC funds of our users. Thanks to automatic safety procedures, hackers managed to defraud only a portion of the funds stored in operational Hot Wallet Bitcurex.”
- Amount stolen: $9.5 million
- Date: July 2014
News that Cryptsy had been hacked in 2014 only emerged two years later, when the exchange revealed that it was insolvent. Prior to that announcement, Cryptsy had blamed trouble tickets involving withdrawal errors on technical issues.
Leading up to the admission that Cryptsy was approaching bankruptcy, digital currency pricing website CoinMarketCap and mining pool service Multipool.us severed ties with the exchange. After Cryptsy finally shut down in 2016, its former customers filed a class action lawsuit. In July of 2017, US District Judge Kenneth Marra issued the following verdict:
“The Court further declares that the 11,325.0961 [Bitcoin] which were stolen from Cryptsy customers on July 29, 2014, and which, as of the date of this final judgment … are property of the Plaintiff Class and subject to and encompassed within this Final Judgment.”
- Amount stolen: $1.65 million
- Date: August 2014
Chinese exchange BTER sustained the first of two major hacks in 2014, when hackers stole over a million dollars’ worth of the NXT altcoin. BTER briefly considered retrieving the stolen funds by rolling back the NXT blockchain, but the exchange eventually decided against pursuing that course of action, since they were able to obtain “lots of information” on the hacker.
According to CoinDesk, the exchange was eventually able to negotiate a partial return of the stolen funds.
- Amount stolen: $1.3 million
- Date: October 2014
MintPal is yet another exchange that blinked out of existence following a suspicious hack that may have actually been an inside job.
The supposed hack that brought MintPal down followed shortly after the exchange was acquired by convicted rapist Ryan Kennedy. According to Bitcoin.com, UK police started investigating the circumstances around MintPal’s demise in October 2017. In July of the same year, UK authorities brought fraud and money laundering charges against Kennedy for offenses that he allegedly committed during the time when he was operating the now-defunct dogecoin exchange service Moolah.
- Amount stolen: $690,000
- Date: October 2014
After Chinese exchange KipCoin claimed that it had been hacked, skeptics suggested that it may have been a ponzi scheme in disguise all along. Critics of KipCoin’s narrative pointed out that the exchange offered “too good to be true” features. For example, KipCoin’s wallets accumulated 22% annualized interest, which was paid out daily, according to crypto blog NewsBTC.
- Amount stolen: $1.8 million
- Date: December 2014
The hacker that stole over a million dollars’ worth of cryptocurrency from BitPay used a sneaky phishing attack to trick BitPay’s Chief Financial Officer Bryan Krohn into giving up his email password. Once the hacker had access to Krohn’s email, he sent a series of funds requests to BitPay CEO Stephen Pair. By the time the executives realized what was going on, they had already lost $1.8 million dollars’ worth of bitcoin.
- Amount stolen: $230,000
- Date: January 2015
When 796Exchange was targeted by hackers in 2015, it was one of the world’s largest crypto exchanges by volume. Its success likely made it a prime target for hackers. After cyber criminals compromised the site, they tricked the customer service department into sending 1,000 BTC to the wrong address.
796Exchange President Nelson Yu issued comments about the attack to CoinTelegraph:
“Precisely speaking, the wallet system is not affected at all in this event. The theft happened during the transaction of the fund. That’s where the hacker attacked. Due to this nature, major shareholders have carried out their obligation to our customers in covering this loss of fund. The remedy came from the major shareholders’ unpaid dividend.”
- Amount stolen: $5.2 million
- Date: January 2015
The Bitstamp hack of 2015 bears many similarities to the BitPay hack of 2014. In both incidents, hackers used social engineering attacks to gain access to sensitive credentials. The Bitstamp heist, however, was slightly more sophisticated. The Bitstamp hackers used Skype and email to convince Bitstamp employees to download malicious software.
The cyber thieves tried to manipulate Bitstamp employees by appealing to their hobbies and interests. According to an excerpt of a report on the hack published on CoinDesk, one of the Bitstamp hackers tried to get Chief Operations Officer Miha Grcar to download a file by posing as a reporter. (Prior to joining Bitstamp, Grcar was a freelance journalist in Greece.)
“On 26th November, as part of this exchange, ivan.foreignpolicy attempted to send a word document of a recent article, ostensibly seeking comment from Mr Grcar. Mr Grcar declined to accept the document.”
- Amount stolen: $1.75 million
- Date: February 2015
Following the second major BTER hack, the exchange was forced to temporarily shut down while it conducted a security check. BTER closed for good several years later in October 2017, after the Chinese government banned cryptocurrency exchanges and ICOs (Initial Coin Offerings).
- Amount stolen: $230,000
- Date: April 2016
After ShapeShift investigated its only publicized hack, the exchange was able to determine that one of its employees was responsible for the theft. According to ShapeShift’s report, the employee stole $130,000 worth of cryptocurrency, then sold information about ShapeShift’s security system to a hacker. That hacker likely was responsible for a second theft of an additional $100,000, which occurred in the same month.
- Amount stolen: $2.14 million
- Date: May 2016
Hackers that raided Gatecoin apparently altered the way that the exchange handles its customers’ money before they pulled off their heist. The forensics suggested that the changes that the thieves made to the exchange caused incoming funds to be deposited into “hot” online wallets instead of “cold” offline wallets.
“We have previously communicated the fact that most clients’ crypto-asset funds are stored in multi-signature cold wallets. However, the malicious external party involved in this breach, managed to alter our system so that ETH deposit transfers by-passed the multi-sig cold storage and went directly to the hot wallet during the breach period. This means that losses of ETH funds exceed the 5% limit that we imposed on our hot wallets.”
- Amount stolen: $77 million
- Date: August 2016
The Bitfinex hack of 2016 was one of a handful of significant thefts that rocked the entire cryptocurrency community. Following the attack, the price of bitcoin took a 20% nosedive.
Part of the reason why the market tanked could be that crypto investors lost their confidence in crypto exchanges. Bitfinex customers that took the extra step of using 2FA (Two-Factor Authentication) were startled to find that the added protection did not stop the hackers from draining their accounts.
Bitfinex issued cryptographic tokens to Bitfinex users that lost their assets. It took nearly a year for Bitfinex to buy back all of these “digital IOUs.” Bitfinex announced that it completed the buyback in April of 2017.
- Amount stolen: $1.5 million
- Date: October 2016
Back when Bitcurex was hacked the first time in March of 2014, the exchange refused to reveal exactly how much was stolen. A similar tight-lipped response followed the second time around in October of 2016, when Bitcurex told a Polish newspaper that it was “damaged by an external interference” following rumors that the exchange had been hacked again.
Bitcurex limped along until March of 2017, when the exchange’s leaders opted to shut the exchange down with no advance warning.
- Amount stolen: $1 million
- Date: February 2017
The intruders that stole around a million dollars worth of cryptocurrency from a series of Bithumb user accounts reportedly used data gleaned from a stolen database and phone calls to pull off the serial thefts. South Korean news site Yonhap estimated that 30,000 accounts were affected by the initial data breach.
- Amount stolen: $5.3 million
- Date: April 2017
One month after the Bithumb hack, another South Korean exchange fell victim to cyber thieves: YouBit. At the time of the attack, YouBit was known as Yapizon. Around the time of the attacks, cyber-threat intelligence analyst Luke McNamara warned that North Korean hackers may have been attempting to siphon money from South Korean crypto exchanges.
- Amount stolen: “17% of all total assets”
- Date: December 2017
The second YouBit attack delivered the straw that broke the camel’s back. The total amount lost was never revealed, but a message on the YouBit website revealed that around 17% of the exchange’s assets were stolen. A South Korean newspaper reported that North Korea may have been behind the heist, according to Reuters.
- Amount stolen: $500 million
- Date: January 2018
One of the worst crypto exchange hacks ever rocked Coincheck to the core in early 2018. According to Fortune, the exchange admitted that its own sloppy security practices were to blame. Rather than storing its customers’ assets in offline wallets, the assets were stored in hot wallets that were connected to the internet. Coincheck also reportedly failed to protect the wallets with standard multi-signature security protocols.
- Amount stolen: $187 million
- Date: February 2018
Suspicious activity around BitGrail’s massive security incident prompted some observers to wonder whether or not BitGrail CEO Francesco Firano had anything to do with the alleged theft of $187 million dollars worth of Nano tokens. The main piece of evidence that skeptics pointed to was data pulled from the Nano blockchain explorer. That data seemed to indicate that the hackers may have initiated the unauthorized transfer weeks before it was reported as a hack. Firano told CoinTelegraph that the Nano explorer could not accurately determine the dates of any Nano transactions.
“They [the public] don’t have the complete data (it is only available to us and law enforcement authorities). And secondly, we cannot rely on the official explorer developed and managed by the Nano dev (proved flawed), which is, to this day, the only way to determine the date of the transactions.”
A week after talking to CoinTelegraph, Firano posted the following tweet:
- Amount stolen: $18 million
- Date: May 2018
The Bitcoin Gold heist proved that 51% attacks really can be used to plunder coin networks. In a 51% attack, hackers use raw computing power to seize control of a coin network. Once they take over a coin, 51% attackers can make changes to its ledger. Blockchain security firm Ciphertrace and others opined that weaknesses in Bitcoin Gold’s PoW (Proof of Work) transaction verification algorithm may have been the reason why the hack turned out to be a success.
- Amount stolen: $1.5 million
- Date: May 2018
The makers of a cryptocurrency trading app called Taylor were raided by hackers to the tune of $1.5 million worth of ETH. The incident occurred shortly after Taylor’s ICO began. Hackers made away with all of the funds that the group had raised. Following the heist, the thieves tried to sell the TAY tokens they had stolen on IDEX. To prevent the thieves from cashing out, Taylor’s developers asked IDEX to temporarily delist TAY.
- Amount stolen: $40 million
- Date: June 2018
Coinrail is yet another South Korean crypto exchange that fell victim to hackers. The exchange had to suspend its services in the wake of the theft. Before the attack, Coinrail ranked 90 on CoinMarketCap’s list of the largest crypto exchanges by volume.
- Amount stolen: $20 million
- Date: June 2018
According to blockchain security firm Ciphertrace, hackers made off with more than $20 million worth of Ether by exploiting an Ethereum client called Geth. The hackers exploited JSON-RPC port 8545– the same port that initiates ETH send transactions. Once the ports were compromised, the thieves were able to drain all the ETH wallets that were affected by the breach.
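For node operators, the practical check is whether a Geth launch command leaves the JSON-RPC listener reachable from other hosts while the node can sign transactions. The auditor below is an added example, not from the article or Ciphertrace; the flag names are Geth’s own options in their 2018-era (`--rpc…`) and current (`--http…`) spellings, and the command lines in the demo are constructed.

```python
import ipaddress

BOOLEAN = {"--rpc", "--http"}            # flags that switch the HTTP JSON-RPC server on
ADDR = ("--http.addr", "--rpcaddr")      # listening interface (geth default: localhost)
PORT = ("--http.port", "--rpcport")      # listening port (geth default: 8545)
API = ("--http.api", "--rpcapi")         # API namespaces served over HTTP
SENSITIVE = {"personal", "admin", "debug", "miner"}  # account and node control


def parse_flags(argv):
    """Map '--flag value' and '--flag=value' to {flag: value}; booleans map to ''."""
    flags, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            if "=" in tok:
                name, value = tok.split("=", 1)
            elif (tok not in BOOLEAN and i + 1 < len(argv)
                  and not argv[i + 1].startswith("-")):
                name, value = tok, argv[i + 1]
                i += 1
            else:
                name, value = tok, ""
            flags[name] = value
        i += 1
    return flags


def first(flags, names, default):
    """Value of the first flag in `names` that was given a value, else the default."""
    for name in names:
        if flags.get(name):
            return flags[name]
    return default


def is_loopback(addr):
    """True for localhost and loopback IPs; unknown hostnames count as exposed."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(argv):
    """Return a list of (finding, detail) tuples for one geth command line."""
    flags = parse_flags(argv)
    if not (BOOLEAN & flags.keys()):
        return []  # HTTP JSON-RPC is off, nothing listens on 8545
    addr = first(flags, ADDR, "localhost")
    port = first(flags, PORT, "8545")
    apis = {a.strip() for a in first(flags, API, "eth,net,web3").split(",")}
    findings = []
    if not is_loopback(addr):
        findings.append(("exposed", f"{addr}:{port}"))
    risky = sorted(apis & SENSITIVE)
    if risky:
        findings.append(("sensitive-api", ",".join(risky)))
    if "--unlock" in flags:
        # With an unlocked account the node signs send-transaction requests
        # for any caller that can reach the RPC port.
        findings.append(("unlocked", flags["--unlock"]))
    return findings


if __name__ == "__main__":
    # Constructed command lines: one weak, one corrected.
    weak = "geth --rpc --rpcaddr 0.0.0.0 --rpcapi eth,net,web3,personal --unlock 0"
    fixed = "geth --http --http.addr=127.0.0.1 --http.api=eth,net,web3"
    for cmd in (weak, fixed):
        print(cmd, "->", audit(cmd.split()) or "no findings")
```

Binding to loopback and keeping signing keys off the RPC-serving node removes all three findings; if remote access is needed, put an authenticated proxy or firewall rule in front of the port rather than binding to `0.0.0.0`.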
- Amount stolen: $23.5 million
- Date: July 2018
This theft proved that decentralized exchanges are not immune to hacks. The criminals exploited a security flaw in a wallet used to update some of the exchange’s smart contracts. The scheme worked and the hackers made off with millions. In the aftermath of the hack, Bancor was forced to shut down. Ironically, Bancor was one of the most high profile ICOs of 2017. It managed to raise over $153 million in investments during its token sale.
- Amount stolen: $60 million
- Date: September 2018
The theft of $60 million worth of cryptos from Zaif seems to indicate that measures taken by Japanese regulators following the Coincheck hack weren’t effective enough. Because Zaif only had $20 million in reserve assets, it was forced to partner with a Japanese investment group called Fisco to cover the losses. In return for covering Zaif, Fisco will receive a major share of ownership in the exchange.
New Zealand-based cryptocurrency exchange Cryptopia rang in the new year with not one but two high profile data security failures. During the first incident– which occurred in the middle of January– hackers made off with $16 million worth of cryptocurrency. A follow-up heist resulted in the siphoning of an additional 1,675 ETH. The amount of ETH stolen during the second attack was equal to about $180,000 USD.