  • Social engineering remains the primary attack vector for major crypto hacks, with North Korea’s Lazarus Group responsible for multiple billion-dollar breaches targeting exchange employees.

  • Inadequate wallet security—particularly hot wallet vulnerabilities and single-signature authorization—has enabled hackers to execute massive thefts despite advancements in blockchain technology.

  • Money laundering techniques like peel chains and crypto mixers allow hackers to successfully obscure stolen funds, highlighting the need for improved transaction monitoring systems.

Explore the five largest cryptocurrency exchange hacks that resulted in over $3 billion in losses. From Bybit’s $1.4B ETH theft to DMM Bitcoin’s collapse, discover how hackers exploited critical vulnerabilities in crypto infrastructure.

INTRODUCTION

 

From its early days, the crypto world has had its fair share of both breakthroughs and breakdowns. Decentralization and blockchain technology have been marred by cyberattacks and crime, including bold hacks, billion-dollar losses, and constantly evolving threats. No system has proven entirely safe, from major exchanges to cutting-edge DeFi platforms. It’s a race in which innovation pulls ahead and security is always playing catch-up.

 

Blockchain infrastructure, like traditional IT systems, is vulnerable to cyberattacks. Understanding these vulnerabilities is crucial for anyone involved in cryptocurrency. In this article, we’ll explore the top 5 most devastating crypto attacks in history—diving into how each attack was executed, the vulnerabilities exploited, and the scale of the damage caused.

 

TOP 5 Most Devastating Crypto Hacks

Let’s examine each of these attacks in detail.

 

1. BYBIT (2025): $1.4 BILLION

 

Who:

Bybit is a Dubai-based cryptocurrency exchange founded in 2018 by Ben Zhou. It had grown to become the world’s second-largest crypto trading platform before experiencing the largest crypto exchange hack to date.

What Happened & How It Was Done:

  • The breach resulted in the theft of approximately 400,000 Ethereum tokens, valued at around $1.5 billion.

  • The attack was linked to the Lazarus Group, a state-backed North Korean hacking outfit notorious for sophisticated cyberattacks.

 

Attack Method:

  • February 4: A developer’s Mac workstation was compromised, likely through social engineering.

  • February 5: Attackers used the developer’s AWS access token to infiltrate Safe{Wallet}’s cloud infrastructure.

  • February 5-17: Hackers remained undetected, conducting reconnaissance.

  • February 19: Attackers altered JavaScript files in Safe{Wallet}’s AWS S3 bucket, injecting malicious code into the web interface.

  • February 21: When Bybit initiated a transaction from a specific cold wallet, the malicious code was triggered.

  • Within two minutes, the hackers removed the malicious code, erasing evidence of tampering.

  • Stolen funds were laundered through mixers and peel chains to obscure the trail.
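
The two-minute window in the timeline above means a check of the currently served file would have found nothing. The following added example (not from the original article or from Safe{Wallet}; the file name, contents, timestamps and the `APPROVED` manifest are constructed, and it assumes the bucket retains every overwritten version) audits each stored version of a front-end asset against the hashes the build pipeline released.

```python
import hashlib
from datetime import datetime, timedelta

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample contents; real input would be the stored object versions.
GOOD_V1 = b"function sign(tx){return wallet.sign(tx)}"
GOOD_V2 = b"function sign(tx){return wallet.sign(tx)} // release 2"
UNREVIEWED = b"function sign(tx){/* change that never went through release */}"

# Hashes recorded by the build pipeline at release time (hypothetical manifest).
APPROVED = {"static/app.js": {sha256(GOOD_V1), sha256(GOOD_V2)}}

T0 = datetime(2025, 1, 1, 12, 0)  # constructed timestamps
VERSIONS = [  # (key, written_at, content), as retained by object versioning
    ("static/app.js", T0, GOOD_V1),
    ("static/app.js", T0 + timedelta(days=3), GOOD_V2),
    ("static/app.js", T0 + timedelta(days=9), UNREVIEWED),
    ("static/app.js", T0 + timedelta(days=9, minutes=2), GOOD_V2),
]

def audit_versions(versions, approved):
    """Flag every stored version whose hash was never released."""
    findings = []
    ordered = sorted(versions, key=lambda v: (v[0], v[1]))
    for i, (key, written_at, content) in enumerate(ordered):
        digest = sha256(content)
        if digest in approved.get(key, set()):
            continue
        # The version was served until the next write to the same key.
        later = ordered[i + 1] if i + 1 < len(ordered) else None
        live_for = later[1] - written_at if later and later[0] == key else None
        findings.append({"key": key, "written_at": written_at,
                         "sha256": digest, "live_for": live_for})
    return findings

def audit_current_only(versions, approved):
    """What a point-in-time check sees: only the newest version per key."""
    latest = {}
    for version in versions:
        if version[0] not in latest or version[1] > latest[version[0]][1]:
            latest[version[0]] = version
    return audit_versions(list(latest.values()), approved)

if __name__ == "__main__":
    for f in audit_versions(VERSIONS, APPROVED):
        print(f["key"], f["written_at"], "live for", f["live_for"])
    print("current-only findings:", audit_current_only(VERSIONS, APPROVED))
```
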

 

Aftermath:

  • Emergency Response: Bybit quickly raised funds from Galaxy Digital, FalconX, and Wintermute, restoring reserves within 72 hours.

  • Security & Transparency: The exchange publicly acknowledged the breach, prompting wider concerns about cold wallet vulnerabilities.

  • Regulatory Scrutiny: The hack triggered regulatory reviews in the UAE and globally, highlighting the need for better oversight of third-party custodians.

 

2. COINCHECK (2018): $534 MILLION

 

Who:

Coincheck was a Tokyo-based cryptocurrency exchange founded by Koichiro Wada and Yusuke Otsuka. Following the hack, the exchange was acquired by Japanese brokerage firm Monex Group for approximately $33 million.

(Source: Entrepreneur)

What Happened & How It Was Done:

  • On January 26, 2018, Coincheck was hacked, resulting in the theft of NEM (XEM) tokens worth $530 million.

  • At the time, the value stolen in this hack surpassed that of the Mt. Gox hack.

 

Attack Method:

  • Hot Wallet Compromised: Coincheck kept the majority of its NEM tokens in a hot wallet connected to the internet.

  • Inadequate Wallet Security: The compromised wallet used single-signature authorization instead of multi-signature, creating a single point of failure.

  • Poor Internal Security: The hot wallet was accessible via Coincheck’s internal system and lacked IP whitelisting, external access restrictions, and network segmentation.

  • The theft occurred over a 20-minute window in a single unauthorized transfer.

  • Due to the absence of an automated alerting system, Coincheck was unaware of the breach for several hours.

  • The stolen funds were sold on the Darknet and other peer-to-peer networks across Asia, often at discounted rates.

 

Aftermath:

  • Coincheck reimbursed users about $430 million and faced a regulatory crackdown that tightened crypto exchange rules in Japan.

  • The incident led to stricter security and compliance standards.

  • In April 2018, Coincheck was acquired by Monex Group for $34 million to help restore trust and stabilize operations.

 

3. FTX (2022): $477 MILLION

 

Who:

FTX was founded in 2019 by Sam Bankman-Fried and quickly rose to prominence in the crypto world. At its peak, it was valued at $32 billion before its sudden collapse.

(Source: CNBC)

What Happened & How It Was Done:

  • In November 2022, FTX filed for bankruptcy after it was revealed that customer funds were used to cover losses at its sister organization, Alameda Research.

  • Hours after filing for bankruptcy on November 11, 2022, an unauthorized transfer drained over $400 million in cryptocurrency from its wallets.

 

Attack Method:

  • The timing—just after bankruptcy was filed—raised suspicion of an inside job by someone familiar with FTX’s systems.

  • The attacker moved the funds quickly and used several obfuscation techniques to obscure their trail.

  • The stolen crypto was laundered through tools like THORChain, Railgun, and cross-chain bridges.

  • Some funds were converted to Bitcoin and further obfuscated via peel chains and mixers like Sinbad.io.

  • In late 2023, the hacker began moving the stolen funds again, coinciding with Sam Bankman-Fried’s criminal trial.

  • The hacker remains unidentified.

 

Aftermath:

  • FTX’s new CEO, John Ray III, characterized the incident as unauthorized access and hired forensic firms to investigate.

  • The breach highlighted serious security failures at FTX, already under scrutiny for misusing customer funds and lacking basic oversight.

  • While separate from the fraud charges against Sam Bankman-Fried, the hack reinforced the image of a company in complete disarray.

 

4. MT. GOX (2014): $460 MILLION

 

Who:

Founded in 2006 by programmer Jed McCaleb as a platform for trading cards (Magic: The Gathering Online Exchange), Mt. Gox was later sold to French developer Mark Karpelès. Under his leadership, it rapidly expanded to become the world’s largest Bitcoin exchange at the time.

(Source: The Guardian)

What Happened & How It Was Done:

  • Around September 2011, Mt. Gox suffered a breach where hackers gained access to the hot wallet private keys.

  • Rather than executing a single large heist, the hackers continuously and quietly withdrew Bitcoins over several years.

 

Attack Method:

  • Wallet Infrastructure Compromised: Hackers gained access to hot wallet private keys.

  • Inadequate Security: Mt. Gox failed to implement robust cold wallet infrastructure, leaving funds constantly exposed to online threats.

  • Poor Internal Controls: The exchange lacked internal access control systems and had almost no real-time accounting, remaining unaware of the missing BTC for years.

  • Automated Exploitation: The hackers exploited the automated withdrawal system, withdrawing BTC in small denominations to avoid detection.

  • Money Laundering: Similar to other hacks, the stolen Bitcoin was laundered through peel chains and crypto mixers, with some passing through BTC-e, a now-defunct exchange associated with money laundering.
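
Coincheck lost its funds in a single transfer while Mt. Gox was drained in small denominations, so a per-transaction limit alone covers only the first case. The following added example (not from the original article; the thresholds, amounts and timestamps are constructed) pairs a single-transfer limit with a rolling-window total for one hot wallet.

```python
from collections import deque
from datetime import datetime, timedelta

def monitor_withdrawals(events, single_limit, window, window_limit):
    """events: time-ordered (timestamp, amount) withdrawals from one hot wallet.
    Returns alerts as (timestamp, rule, amount_or_window_total)."""
    alerts, recent, running, in_breach = [], deque(), 0, False
    for ts, amount in events:
        if amount >= single_limit:                 # one oversized transfer
            alerts.append((ts, "single_transfer", amount))
        recent.append((ts, amount))
        running += amount
        while ts - recent[0][0] > window:          # drop events older than the window
            running -= recent.popleft()[1]
        breach = running >= window_limit           # many small transfers add up
        if breach and not in_breach:               # alert once per breach episode
            alerts.append((ts, "rolling_total", running))
        in_breach = breach
    return alerts

# Constructed sample data, amounts in arbitrary units.
T0 = datetime(2024, 1, 1)
ONE_LARGE = [(T0, 500)]
SLOW_DRIP = [(T0 + timedelta(minutes=30 * i), 5) for i in range(48)]
LIMITS = dict(single_limit=100, window=timedelta(hours=24), window_limit=200)

if __name__ == "__main__":
    print(monitor_withdrawals(ONE_LARGE, **LIMITS))
    print(monitor_withdrawals(SLOW_DRIP, **LIMITS))
```
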

 

Aftermath:

  • The Mt. Gox hack wiped out 850,000 Bitcoin, shaking the crypto world.

  • The exchange filed for bankruptcy in 2014.

  • CEO Mark Karpelès was arrested and later found guilty of falsifying records, though not of embezzlement.

  • More than a decade later, creditors are still awaiting repayment through a complicated civil rehabilitation process.

 

5. DMM BITCOIN (2024): $308 MILLION

 

Who:

Launched in 2018, DMM was a Japanese Bitcoin exchange that suffered a devastating hack in May 2024, resulting in the theft of 4,502.9 BTC worth approximately $308 million.

What Happened & How It Was Done:

  • The Japanese exchange was targeted by the North Korean hacking group known as Lazarus.

  • The hackers gained access to DMM’s crypto wallet infrastructure and transferred 4,502 BTC to their own wallets.

[Figure: DMM Bitcoin hack – Money trail obfuscation – Peel Chains & Mixers]

Attack Method:

  • Social Engineering: An FBI investigation revealed this was likely a social engineering attack targeting a Ginco employee. Ginco was the wallet service that supported DMM’s digital asset management.

  • Spear Phishing: An employee unknowingly let the exploit in as part of a fake job application.

  • Money Trail Obfuscation: The hackers covered their tracks by routing the funds via peel chains and crypto mixers.

  • The hackers broke down the amount into smaller sums through a series of transactions, effectively scattering the funds into microtransactions across thousands of wallets.

  • To evade detection, the DMM hackers likely manipulated withdrawal timing—delaying withdrawals for hours or days and keeping funds in constant motion to disrupt timing-based analysis.
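
A peel chain as described above has a recognizable shape: one input, a small output split off, and the remainder passed on to the next hop. The following added example (not from the original article; the transaction IDs, amounts and the 20% ratio are constructed assumptions) follows the remainder output hop by hop over a simplified transaction model. Because it looks only at structure, delays between hops do not change the result.

```python
# Constructed, simplified transactions: "vin" lists spent (txid, output_index)
# references, "vout" lists output amounts in arbitrary units.
TXS = [
    {"txid": "p0", "vin": [("theft", 0)], "vout": [50, 950]},
    {"txid": "p1", "vin": [("p0", 1)], "vout": [900, 50]},
    {"txid": "p2", "vin": [("p1", 0)], "vout": [50, 850]},
    {"txid": "p3", "vin": [("p2", 1)], "vout": [50, 800]},
    {"txid": "p4", "vin": [("p3", 1)], "vout": [400, 400]},   # even split, not a peel
    {"txid": "x0", "vin": [("y", 0)], "vout": [300, 700]},    # ordinary payment
]

def is_peel_step(tx, max_peel_ratio=0.2):
    """One input, two outputs, the smaller being a small slice of the total."""
    if len(tx["vin"]) != 1 or len(tx["vout"]) != 2:
        return False
    small, large = sorted(tx["vout"])
    return small <= max_peel_ratio * (small + large)

def trace_peel_chain(txs, start_txid, min_hops=3):
    """Follow the remainder output from start_txid while the peel shape holds."""
    by_id = {t["txid"]: t for t in txs}
    spender = {ref: t["txid"] for t in txs for ref in t["vin"]}
    chain, peeled, seen, txid = [], [], set(), start_txid
    while txid in by_id and txid not in seen and is_peel_step(by_id[txid]):
        seen.add(txid)
        vout = by_id[txid]["vout"]
        big = 0 if vout[0] >= vout[1] else 1
        chain.append(txid)
        peeled.append((txid, 1 - big, vout[1 - big]))   # where value left the chain
        txid = spender.get((txid, big))                  # next hop spends the remainder
    return {"chain": chain, "hops": len(chain), "peeled": peeled,
            "is_peel_chain": len(chain) >= min_hops}

if __name__ == "__main__":
    print(trace_peel_chain(TXS, "p0"))
    print(trace_peel_chain(TXS, "x0"))
```
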

 

Aftermath:

  • Although DMM acknowledged the hack, the actual vulnerability in the infrastructure was never officially revealed.

  • Unable to recover from financial losses caused by the attack, DMM announced its closure by March 2025.

  • DMM Bitcoin also announced that it would transfer its holdings and client accounts to another Japan-based exchange, SBI VC Trade.

 

CONCLUSION

 

These five major crypto attacks reveal a consistent pattern: hackers frequently use phishing and social engineering attacks to target vulnerable employees of exchanges, wallet service providers, and other infrastructure providers. The combined losses from just these five incidents exceed $3 billion, highlighting the critical importance of robust cybersecurity measures.

 

Cybersecurity and regulatory compliance are crucial in preventing crypto hacks. Mandating practices like cold wallet storage, multifactor authentication, and regular audits helps reduce vulnerabilities. Global regulatory alignment ensures consistent protection across jurisdictions, making it harder for attackers to exploit weak links.

 

For cryptocurrency holders, these incidents emphasize the importance of using exchanges with proven security records, enabling all available security features on accounts, and considering cold storage solutions for significant holdings. As the industry matures, the continuous evolution of security practices remains essential to stay ahead of increasingly sophisticated threats.

The article "CoinRank Exclusive: The $3 Billion Heist- 5 Most Devastating Crypto Exchange Hacks in History" was first published on CoinRank.