US president Joe Biden’s executive order on cryptocurrencies in March 2022 included a reminder of the market’s staggering recent growth. The market cap of all digital assets reached $3tn in November last year, a 21,000% increase since 2016. But that growth has been far from smooth. Not only has the price of cryptocurrencies such as Bitcoin careened like a rollercoaster, but the market has also been subjected to a barrage of cybersecurity breaches. The biggest crypto hacks of all time, listed below, reveal an industry slowly and painfully learning why the privilege of handling millions of dollars worth of digital assets comes with a responsibility for faultless security.
Proponents argue that the crypto ecosystem is having to learn in a few years, lessons the conventional finance sector has had centuries to perfect. But the biggest crypto hack by value is also the most recent, suggesting there be many more lessons left to learn.
“Traditional financial companies have grown up knowing that you have to have layers of protection… in order for folks to entrust you with their money,” says Chris Caruana, VP of AML solutions at financial crime solutions platform Feedzai.
“Cryptocurrency exchanges, and the actual ecosystem itself, haven’t had to go through those growing pains yet,” Caruana says. “Even the most adult in the room still have some ways to go.”
The biggest crypto hacks of all time
1. Ronin Network, 2021 - $614m
The biggest cryptocurrency theft of all time, calculated using the value of the crypto assets at the time they were stolen, was March 2022's raid on Ronin Network, an exchange that allows players of the Axie Infinity videogame to exchange their in-game tokens for other cryptocurrency.
On 30th March, the network revealed that an attacker had stolen the private keys required to authenticate transactions, and had transferred 173,600 Ethereum and 25.5m USDC, a stablecoin pegged to the US dollar, to their own wallets. Using the conversion rate at the time, this values the heist at $614m. The theft was discovered when a customer tried to make a legitimate withdrawal.
Sky Mavis, the company behind Axie Infinity, said it is working with "law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds.
"We know trust needs to be earned and are using every resource at our disposal to deploy the most sophisticated security measures and processes to prevent future attacks," the company said.
2. Poly Network, 2021 - $611m
The second biggest crypto theft of all time is last year's $611m theft from Poly Network, a smart contract platform that allows users to exchange tokens between disparate blockchains, such as Bitcoin and Ethereum.
On August 10th 2021, a hacker transferred $611m-worth of Poly Network tokens to three wallets under their control. According to analysis by security researcher Mudit Gupta, the attacker had found a way to 'unlock' (ie buy) tokens on the Poly Network protocol without 'locking' (ie selling) the corresponding tokens on other blockchains.
Fortunately for Poly Network, the attacker began returning the tokens the next day. While some speculated that they may have struggled to sell the tokens, someone claiming to be the attacker said they had only stolen them "for fun".
By the end of the week, all assets were returned, Poly Network said, except $33m-worth of 'stablecoin' Tether, which had been frozen immediately after the attack.
Shortly after the theft, Steven Dickens, senior analyst at technology research company Futurum, wrote that it was likely to bolster the security of decentralised finance (DeFi) systems in the long run, but discredit them in the short term. "While lessons need to be learned for sure," he wrote, "we need to be aware of the progress made so far by the DeFi community [which is for all] intents and purposes less than a decade old."
3. Coincheck, 2018 - $547m
In January 2018, Japanese crypto exchange Coincheck revealed that $547m in lesser-known cryptocurrency NEM had been stolen. The company admitted that it had stored the assets in a 'hot wallet', meaning a cryptocurrency store that is connected to the internet and therefore vulnerable to cybersecurity breaches.
Shortly after the incident, 16 of Japan's crypto exchanges merged to form a self-regulatory body. The country's financial regulator, the Financial Services Association, ordered all exchanges to report on their cybersecurity defences.
At the time of the attack, Coincheck was one of the most high-profile exchanges in Japan, which was then among the biggest markets for crypto trading. A few months later, Coincheck was acquired by financial services provider Monex Group.
It is still unknown who undertook the attack, but more than 30 people have been arrested in Japan in connection with selling the stolen assets.
4. Mt. Gox, 2014 - $480m
The first widely publicised - and perhaps still the best-known - crypto heist was the theft of $480m in Bitcoin from another Japanese exchange, Mt. Gox, in 2014.
Founded in 2010 as a site for trading ‘Magic the Gathering’ game cards, by 2014 Mt. Gox was handling over 70% of all Bitcoin transactions. In February of that year, it abruptly suspended trading, closed its exchange services and filed for bankruptcy protection.
Soon after, it revealed that up to 850,000 Bitcoins had gone missing, presumed stolen. Around 7% of all Bitcoin in circulation at the time, the haul was then worth around $480m. Today, it would be closer to $35bn.
Mark Karpeles, CEO of Mt. Gox at the time of the theft, was later arrested on unrelated charges and, he claims, interrogated for eight hours a day. “I was asked about the missing Bitcoins," he told reporters. "I was even asked if I was Satoshi Nakamoto, the creator of Bitcoin."
But in 2016, a US investigation concluded that Mt. Gox had been hacked by an outsider.
5. KuCoin, 2020 - $285m
In September 2020, Singapore-headquartered crypto exchange KuCoin revealed that $275m worth of cryptocurrency had been stolen, including $127m in ERC20 tokens, which are used in Ethereum smart contracts. CEO Johnny Lyu revealed that hackers had obtained the private keys to the exchange's 'hot wallets'.
The majority of the stolen tokens were recovered, and the remaining 16% in stolen funds was covered by KuCoin's insurance, the company said in February 2021, so all customers were reimbursed.
In an interview with Bitcoin.com a year after the theft, Lyu outlined the security enhancements KuCoin had implemented as a result. These included a new risk control system, a network security upgrade, and a restructuring of its cybersecurity team. "The experience gained from this incident will enable us to quickly advise and support other industry partners in the event of a security crisis in the future," he said.
Despite the hack, KuCoin remains the fifth most popular crypto exchange, according to the CoinMarketCap website.
7. Nomad Token Bridge, 2022 - $190m
August 2022 saw $190m in various cryptocurrencies drained from cross-chain protocol Nomad Token Bridge in a matter of hours. Due to a fault that was introduced to the protocol during a routine update, hackers were able to transfer any amount by simply editing the code of a previous transaction.
Once the first hacker had carried out the attack, hundreds quickly followed suit. The incident was described as "the first de-centralised crowd looting of a nine-figure bridge in history" and “one of the most chaotic hacks web3 has ever seen".
Nomad had positioned itself as a "security-first cross-chain messaging protocol" and a response to the billions of dollars that have been stolen from similar bridges in recent times.
7. BitGrail, 2018 - $170m
A matter of weeks after the Coincheck heist, a smaller Italian crypto exchange called BitGrail revealed that hackers had stolen $170m in niche cryptocurrency Nano. One Reddit user claimed to have lost $1.4m in the hack. The exchange closed down, unable to repay its customers.
An Italian court later found that the coins had been removed from the exchange's wallets many months before, perhaps as early as June 2017, and found the company's CEO to be a fault for its lack of security controls.
8. Maiar, 2022 - $113m
Decentralised crypto exchange Maiar warned users of "suspicious activities" on its Elrond blockchain in early June 2022. Soon after, an independent researcher revealed that hackers had found a security flaw in the platform and used it to extract 1,650,000 Elrond eGold (EGLD), the blockchain's internal currency. This was worth $113m at the time of the hack. However, after the hackers sold just under half of its haul, the price of EGLD fell from $76 to just $5.
In a post-breach update, Maiar CEO Beniamin Mincu said that the company had recovered the stolen funds and upgraded its platform to fix the bug.
9. Bitfinex, 2016 - $72m
Hong Kong-based crypto exchange Bitfinex saw 120,000 Bitcoin, at the time worth $72m, stolen in 2016. The incident saw the proceeds of 2,000 transactions re-routed into a single wallet controlled by the hackers, which caused the value of Bitcoin to plummet by 20%. Though the funds were not recovered at the time, last month the US Department of Justice announced it had seized proceeds from the heist, now worth $3.6bn thanks to Bitcoin’s rocketing value.
The largest seizure of stolen digital assets in history, the raid by the department’s new National Cryptocurrency Enforcement Team saw two people, Ilya Lichtenstein, 34, and his wife Heather Morgan, 31, arrested and charged with “alleged conspiracy to launder cryptocurrency”.
10. NiceHash, 2017 - $64m
Just under 4,700 Bitcoin, at the time worth $64m, were pilfered in a breach of cryptocurrency mining marketplace NiceHash in 2017. Hackers infiltrated the website’s payment system to seize the Bitcoin.
The breach, dubbed “the largest theft in Ukrainian history” by NiceHash CMO Andrej Skraba, is thought to have been the work of North Korea-based Lazarus group, and last year an indictment was issued by a court in Los Angeles for three hackers said to be behind the attack. It had a profound effect on the NiceHash, which spent the next three years paying back affected customers from its profits. It announced in December 2020 that it completed reimbursements to all its clients.
Zaif, 2018 - $60m.
In 2018 hackers targeted Japanese crypto-exchange Zaif, and obtained cryptocurrency which was, at the time, worth $60m. The hackers syphoned off the Bitcoin, Bitcoin Cash and Monacoin from Zaif’s “hot wallets”, crypto wallets which have lighter security measures in place so that they can be used for immediate transactions.
While most of the funds came from Zaif’s customers, the exchange itself was also out of pocket as 32% of the crypto-currencies taken came from its reserves. The company refunded customers immediately, taking out loans to ensure it could meet its obligations.