s Beginner's Guide to Cryptocurrencies

Notorious Hacks

There are a lot of different meanings to the term "hacking." Hacks can be positive occurrences, such as smart tricks that help one to perform tasks more efficiently. In the context of this website, however, hacks are malevolent events that compromise someone else's equipment, assets, or finances. If a clever thief figured out a way to bypass the security of a network or computer system, and managed to steal money or cryptocurrencies from your account, that's a malevolent or malicious hack.

You've probably already wondered about the risk of getting hacked. There are different ways to fall victim to a hack. You could be hacked personally, through someone accessing your phone or computer (either in person or over the internet). Our Smart Computer Practices page helps you mitigate this type of risk. But many cryptoasset holders in the past have fallen victim to broader hacks of third-party infrastructure, which have affected software, exchanges, and even entire crypto projects or platforms. There isn't much that an individual investor can do to safeguard against such risks, other than to use common sense and minimize the exposure of your assets and holdings to third-party entities. On this page, we'll list a few of the very notable large-scale hacks that have affected large numbers of users.

Mt. Gox Exchange, 2014

Mt. Gox was a Bitcoin exchange based in Japan. It launched in July of 2010, and by 2014 it was handling over 70% of all Bitcoin transactions worldwide, which made it the world's leading Bitcoin exchange.

In February 2014, Mt. Gox suspended trading, closed its website and exchange service, and filed for bankruptcy protection from creditors. In April 2014, the company began liquidation proceedings. The company announced that approximately 850,000 Bitcoins (valued at $450m USD at the time) belonging to customers and the company were missing and likely stolen. Although 200,000 Bitcoins have since been "found", the reasons for the disappearance (theft, fraud, or mismanagement) were initially unclear. New evidence presented in April 2015 by Tokyo security company WizSec led them to conclude that "most or all of the missing Bitcoins were stolen straight out of the Mt. Gox hot wallet, over time, beginning in late 2011." There are approximately 127,000 former Bitcoin holders who are listed as official creditors.

As of November 2017, it appeared that the roughly 200,000 Bitcoins recovered by authorities would be used to reimburse people who lost Bitcoins in the hack. However, it appeared that people who lost Bitcoins would be compensated for the initial value of their investments at the time of the loss, rather than taking any other factors (lost opportunity cost, interest) into account. Since Bitcoin has appreciated so much between 2014 and 2017, the value of the recovered coins greatly exceeds the claims of creditors, which is causing significant concern in the bankruptcy proceedings and among unhappy creditors.

Mark Karpelès, the CEO and former head of Mt. Gox (who was arrested in Japan in August 2015 by Japanese police and charged with fraud and embezzlement), caused great controversy in November of 2017 when he suggested that he would be setting up an ICO to solicit up to $245m in funds to revive Mt. Gox. It appears that the very unfortunate Mt. Gox story is not yet over.

Cryptsy Exchange, 2014

Once one of the most voluminous exchanges for alternative digital currencies, Cryptsy collapsed in late 2015 after months of escalating service issues. Trading was ultimately suspended in early January of 2016, and just days later, the exchange went offline amid claims of insolvency and concealed theft.

The exchange alleged in an early 2016 blog post that it had been the target of a hack in July 2014, an incident that it said cost approximately 13,000 BTC (valued at $7.5m at the time) and approximately 300,000 LTC (valued at $2.08m at the time). The acknowledgement of insolvency and the hacking claim came after months of customer withdrawal delays, comparisons to the already defunct Mt. Gox exchange, and the filing of a class action lawsuit against the exchange.

The exchange had ceased trading permanently by the time it made that 2016 blog post.

The DAO Hack, 2016

The DAO, which stands for Decentralized Autonomous Organization, was a project based upon the Ethereum platform. The intent of the DAO was to provide an entity which was not tied to any one geographic region, nation, or group of controllers, to act as a form of investor-directed venture fund. Various technology projects needing funding would be listed on the DAO network, in a sort of cookie-cutter approach to helping these projects raise capital, instead of having to create fundraising projects from the ground up. Once a project became part of the DAO, various people could support or fund the project. People who owned DAO tokens essentially acted as investors, advisors, board members, and power brokers, all rolled up into one. Projects that got the most support from DAO token holders would raise the most funds. If the projects turned out to be profitable, DAO token holders got to share in the profits on a basis proportionate to their support for that project.

The DAO was decentralized, so it depended on computer code. Although the code was reviewed after being written (and before being released to the public), it was very complex. Once it was released and initialized, there was no way to edit it or turn it off.

Unfortunately, there turned out to be an exploitable bug in the code for the DAO which allowed one or more hackers to start siphoning funds from the project. On June 16th, funds started to be drained. Over the next few hours, cryptoassets worth approximately $55m USD (at the time) were moved into the attacker's account. Then the attack stopped, temporarily.

At this point, a group of white-hat (good) hackers realized that the only way to stop the attacker from completely draining the DAO would be to steal the rest of the assets themselves, before the attacker could. Eventually, once they had time to deal with everything, those "stolen" funds could be returned to the rightful owners. They did this.

Meanwhile, a very influential group of Ethereum developers, including the founder, examined options. It became apparent that one option would be to "roll back" the Ethereum blockchain, or more specifically, to change the code so the stolen funds were no longer worth anything. The only problem with this option was that it created an enormous ideological rift in the community. The fact that blockchain cryptocurrencies are "decentralized and immutable, not subject to actions of any specific centralized group of individuals," is a very important fundamental tenet for most cryptoasset developers, investors, and supporters. This option was effective, but it ran completely contrary to the ideals of decentralization and autonomy. In the end, it was decided that recovery of the funds was the most important consideration. The Ethereum blockchain was forked, and the stolen funds became unusable.

Shortly thereafter, a new plot twist surfaced. Although the stolen funds still technically lived in a separate fork of Ethereum (the original blockchain), the lack of any support for that chain should have allowed it to die off immediately. But somehow, suddenly, that separate fork was getting mining support, and stayed live. That original blockchain, dubbed Ethereum Classic, still exists and is still traded today. The value of "Ethereum Classic" is much lower than of the "Ethereum" token, but it does have some support among purists who believe that the blockchain should never have been allowed to be forked in the first place. Although the attackers of the DAO never managed to make off with Ethereum ETH tokens, their Ethereum Classic tokens (representing 30% of the total supply of that currency) remain viable today.

The DAO project was wound down immediately and delisted from exchanges. There are a couple of links to the DAO story in the Security & Hacking section of our Links page.

Bitfinex Exchange, 2016

Bitfinex is a cryptocurrency exchange that was originally operated out of Beijing, but was subsequently listed as being headquartered in a few other jurisdictions. On August 2nd, 2016, it announced that it had been hacked, and almost 120,000 Bitcoins (valued at $72m USD at the time) had been stolen from random user accounts. Trading on the exchange ceased immediately, although not long afterwards, the exchange opened read-only access so individual users could see if their accounts had been affected.

The amount of the attack, while only about a fifth of the coin volume of the Mt. Gox hack, was significant enough to shock the markets, and Bitcoin prices immediately plummeted by about 10%. The dollar value of the lost Bitcoins was significant enough that the exchange was unable to cover the losses of customers.

In an unprecedented move, while the exchange was still locked down and withdrawals or trades were not possible, Bitfinex stated that they would not allow some individuals to suffer 100% losses while other users didn't suffer any losses, considering that the targeted accounts seemed to be selected randomly. Bitfinex said that to remedy the situation, they would confiscate approximately 36% of the holdings of every investor on the platform, to allow them to balance the losses proportionately between all accounts. Their argument was that if bankruptcy proceedings were to be initiated, the same approximate process would be used to liquidate holdings. At the same time, Bitfinex stated that they would issue tokens to all account holders in proportion to the amounts lost. The eventual goal of the exchange would be to buy back all the tokens at the original value of the losses, once they were able to raise the appropriate amount of funding, and thus fully reimburse all account holders (in the long term).

When these "BFX tokens" were issued and started trading (with a face value of one dollar apiece), the market trading rate dropped to only approximately half of that amount, because token holders were discounting the probability that they would eventually get their money back. However, thirty days after the hack, Bitfinex moved to buy back roughly the first 1.2% of the outstanding tokens. This gave confidence to the markets, so the BFX tokens started trading at a less severe discount, and the global trading price of Bitcoin also started to recover.

Approximately eight months after the hack, Bitfinex was able to buy back the last of the outstanding tokens, and then claimed to have reimbursed everyone for their losses. Of course, this didn't cover interest, lost opportunity costs, or discounts to people who disposed of their BFX tokens prematurely. No information seems to have been made public about the blockchain records of the stolen coins, nor of whether those Bitcoins are being circulated freely today.

The CoinDash ICO Hack, 2017

CoinDash is a cryptoasset-based social trading platform. It held its ICO in July of 2017. On July 17th, CoinDash reported that its ICO website had been hacked, and that the hackers had substituted a different deposit address for the official ICO wallet. People who were subscribing to the ICO, not realizing that they were sending their investments to the wrong deposit address, lost approximately 44,000 Ether (valued at $10m USD at the time).

The Parity Wallet Hack(s), 2017

Parity Technologies is a group of developers working on a specific collection of open-source projects. Parity itself, also referred to as the Parity Wallet, is an Ethereum client. It is a free software client that was peer-reviewed. The Parity Wallet allows users to interact with the Ethereum blockchain, and includes all traditional wallet-based functions.

On July 19th, 2017, Parity reported that due to a vulnerability in a version of its wallet software, approximately 150,000 Ether (valued at $30m USD at the time) had been stolen from multi-sig wallets. Parity urged all users with any funds in any multi-sig wallets to move their assets into a different secure address immediately. At the time, it appeared that only three wallets had been compromised, but obviously these three wallets held significant amounts of Ether, and there was a risk that more wallets could be drained at any time.

Fast forward several months to November of 2017. Although the initial hack vulnerability from July had been patched (fixed) very quickly, Parity suddenly found itself in the spotlight again. Shockingly, multi-sig wallets were again found to be vulnerable in a much larger hack.

This second Parity hack might arguably be classified as an "egregious error" rather than a malevolent hack, but the effects were the same. Also, it should be noted that this hack was dissimilar to the other hacks discussed so far, because it did not represent a theft of coins. Rather, due to a "user error," approximately $158m USD of Ethereum tokens were locked up and rendered inaccessible. When the first Parity hack vulnerability had been patched in July, a new exploit had been made possible. Basically, there was a section of "library" code which the wallets depended upon for proper functionality. For some reason, certain users had permissions that allowed them to be able to kill the library process (essentially removing the code). On November 7th, a user actually tried this, ostensibly "not knowing what would happen." After the library was killed, none of the affected multi-sig wallets would work anymore, so the assets in those wallets became permanently frozen. Due to the nature of the code, it wasn't possible to simply "re-instantiate" the library. At the present time, those assets still remain frozen and inaccessible.

Certain analysts who have studied the online logs of the unknown user who killed the library routine have suggested that the act may have been deliberate, or more specifically, a very expensive prank. The user in question who triggered the freeze deleted all of his accounts almost immediately after killing the library.
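The library dependency described above, modelled in Python as an added example (not Parity's code and not from the original page). The class names, the `killers` permission set, the account names and the toy chain are all assumptions; the model shows why redeploying the library does not rescue wallets created against the old address, and how auditing the dependency flags the risk beforehand.

```python
class Chain(dict):
    """Toy ledger: address -> deployed code (constructed model, not the EVM)."""
    deployed = 0
    def deploy(self, obj):
        self.deployed += 1                    # every deployment gets a fresh address
        obj.address = f"0x{self.deployed:02x}"
        self[obj.address] = obj
        return obj.address

class WalletLibrary:
    """Shared logic that every wallet depends on (hypothetical names throughout)."""
    def __init__(self, chain, killers=()):
        self.chain, self.killers = chain, set(killers)  # accounts allowed to kill
    def kill(self, caller):
        if caller not in self.killers:
            raise PermissionError("caller may not kill the library")
        del self.chain[self.address]          # the code at this address is gone
    def withdraw(self, wallet, approvals, amount):
        enough = len(set(approvals) & wallet.owners) >= wallet.required
        if not enough or amount > wallet.balance:
            raise PermissionError("withdrawal refused")
        wallet.balance -= amount
        return amount

class Wallet:
    """Multi-sig wallet: holds the funds, forwards all logic to the library."""
    def __init__(self, chain, library_addr, owners, required, balance):
        self.chain, self.library_addr = chain, library_addr  # fixed at creation
        self.owners, self.required, self.balance = set(owners), required, balance
    def withdraw(self, approvals, amount):
        lib = self.chain.get(self.library_addr)
        if lib is None:       # no code at that address: nothing runs, funds stay put
            return 0
        return lib.withdraw(self, approvals, amount)

def audit(chain, wallets):
    """Defender's check: classify each wallet by the state of its dependency."""
    libs = {n: chain.get(w.library_addr) for n, w in wallets.items()}
    return {n: "frozen" if lib is None else "at-risk" if lib.killers else "ok"
            for n, lib in libs.items()}

def scenario(killers):
    """Constructed run: 'mallory' tries to kill the library, then it is redeployed."""
    chain = Chain()
    lib_addr = chain.deploy(WalletLibrary(chain, killers))
    wallets = {"team": Wallet(chain, lib_addr, {"a", "b", "c"}, 2, 100)}
    before = audit(chain, wallets)
    try:
        chain[lib_addr].kill("mallory")
    except PermissionError:
        pass
    chain.deploy(WalletLibrary(chain))        # the replacement gets a new address
    paid = wallets["team"].withdraw({"a", "b"}, 40)
    return before, audit(chain, wallets), paid, wallets["team"].balance
```

`scenario({"mallory"})` ends with the wallet reported as frozen and its balance untouched, while `scenario(())`, where nobody holds the kill permission, pays out normally.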

NiceHash Mining Network Hack, 2017

NiceHash is a cryptocurrency mining marketplace, which acts as a service for miners to rent out their hash rate to others. On December 6th, 2017, their Bitcoin wallet was emptied, resulting in a collective loss of 4736 BTC (valued at $62m USD at the time). The company made a statement which included, "Importantly, our payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen. We are working to verify the precise number of BTC taken. Clearly, this is a matter of deep concern and we are working hard to rectify the matter in the coming days."

YouBit Exchange, 2017

On December 19th, the South Korea-based YouBit exchange was hacked, with the thieves stealing approximately 20% of the platform's cryptoasset holdings. It was the second successful attack on the exchange that year, with cyber-thieves having made off with $35 million of Bitcoin in a hack earlier the same year, in April 2017. The second (larger) attack proved to be too much for the exchange, which was forced to declare bankruptcy almost immediately.

Coincheck Exchange, 2018

At the time, this hack was the largest cryptocurrency hack in history. The Coincheck exchange is located in Tokyo. In late January of 2018, hackers broke into a hot wallet on the exchange, and stole 500 million Nem (XEM) tokens. The exchange admitted full responsibility for the breach, and conceded that they should not have had so many coins stored in hot storage. The exchange has indicated that it will reimburse all accounts who suffered losses (many of the coins actually belonged to the exchange itself). In the meantime, all of the stolen funds have been flagged, in an attempt to make them untradeable in the future. Most exchanges that have Nem pairings have already indicated that they will permanently block any trading of the flagged stolen coins, as has ShapeShift.

Bitgrail Exchange, 2018

This Italian exchange was the main trading platform for the popular Nano (formerly RaiBlocks) project. The developers of the project endorsed this exchange.

In early February of 2018, after several weeks of throttled or shut-down withdrawals, the exchange stopped trading funds. Previously, the exchange owner (Francesco Firano) had said that the withdrawal restrictions were due to a new need to comply with KYC requirements. However, on February 8th, he revealed in conversations with developers at Nano that the Nano wallets on his exchange had a serious deficiency: 15m coins were "held" in theory, but there were only 4m actual coins in the exchange wallets. He alleged that the problem was due to either a hack or a coding problem in the Nano technology.

After that, it became apparent to users that funds had probably been missing for several weeks, and that Francesco had been using this time to try to cover up and resolve the problem. Although some users were able to convert a portion of their assets to Bitcoin (at a loss) and remove their funds from the exchange, many other users' assets were frozen and could not be recovered.

A criminal investigation resulted. It appeared likely that this could have been either an intentional criminal act by the exchange owner, or gross negligence (rather than a problem with Nano itself). Certainly, the problems appear to have originated with the exchange, rather than with the Nano code. It is believed that user losses, based upon the market price at the time, may have been as much as approximately $157 million USD.

EVM Hacks

Here's a short list of some of the more recent hacks perpetrated on the Ethereum Virtual Machine:

  • October 2021 - Cream Finance lost over $130 million, its third hack to date.
  • April 2022 - Beanstalk Finance was hacked for $182 million via a DeFi exploit.
  • April 2022 - Aku Dreams NFT project 'Akutars' accidentally locked $34 million in their minting contract, rendering it permanently inaccessible.
  • April 2022 - Fei Protocol lost $80 million due to a liquidity pool exploit.
  • October 2022 - Team Finance lost $12 million to an exploit.
  • December 2022 - the Raydium DEX lost $2 million due to a liquidity pool exploit.
  • February 2023 - Orion Protocol lost $3 million due to a re-entrancy bug.
  • February 2023 - BonqDAO and AllianceBlock lost $110 million when a hacker exploited an oracle price feed, minting BEUR to sell on Uniswap.

Other Hacks

The list of hacks noted above is just a small sampling of some of the more notorious hacks that have taken place in the cryptoasset world. The take-away lesson here is that you can never be too careful about the security of your investments. If major exchanges with highly skilled InfoSec defense teams can be hacked, then you can too, if you're not careful.