Cryptocurrency crime is on the rise. In this project, we explore the biggest exchange hacks that have occurred over the last eight years, paying attention to both the amounts of money stolen and the way the hacks were performed.
Numbers based on BTC price as of Oct. 28, 2019
Try to guess the dollar amount closest to all the crypto stolen in the past eight years
Cost per launch of the Space Shuttle: Wrong. This is the price tag of launching NASA's Space Shuttle, but isn't even approaching the total loot.
Worldwide box office gross for Avatar: About the same as the cumulative worldwide gross of the film Avatar? No, that's not the case. Hackers got much more.
How much it cost to build the 123-story Lotte World Tower in Seoul: The Lotte World Tower in Seoul cost this much, but hackers could have built several towers like this one with the wealth they looted.
What it would cost SpaceX to launch 1,200 Falcon 9 rockets: Congrats! You now know how much it costs to launch 1,200 SpaceX Falcon 9 rockets, but you haven't guessed the losses from crypto hacks yet.
What Disney spent to acquire Star Wars, Marvel and Pixar: $15.6 billion is right! As of Oct. 28, 2019, the amount of crypto stolen by hackers is equal to the money Disney spent on acquiring Star Wars, Marvel and Pixar.
What it cost to build Hong Kong International Airport in 1991: False. Thank goodness, the stolen funds are less (but the number is close).
How much it would cost to build 10 Large Hadron Colliders: Wrong. $95 billion is enough to build the Large Hadron Collider, plus nine more identical LHCs. The stolen funds, however, are much less!
Jeff Bezos's fortune: Jeff Bezos could have compensated the losses from crypto theft several times. No, it's less than his net worth.
The cost of building the International Space Station and putting it in orbit: Fortunately, not that astronomical.
Mt. Gox was hacked in 2011, when the attackers compromised an account belonging to Jed McCaleb, the former owner of the exchange, who had admin-level access to the system. During the attack, hackers managed to create a large number of fake BTC and then flooded the exchange with the artificial supply. As a result, the BTC price dropped from $17.50 to a single cent, thereby allowing for the nefarious purchase and withdrawal of at least 2,000 real BTC before the exchange suspended trading.
On top of this, on June 20, a Mt. Gox user named Kevin, who was not involved in the hack, took advantage of the price drop initiated by the hack and claimed to have bought 250,000 Bitcoins for just $2,613. Of these, he was able to transfer 643 BTC into his personal wallet. However, Kevin said that he immediately contacted Karpeles about the situation. Mt. Gox didn’t calculate these 643 BTC as a portion of the 2,000 BTC it claimed were sent to external wallets. Thus, the total loss from this hack should be considered to be roughly 2,650 BTC.
In February 2014, Mt. Gox revealed that the exchange was compromised back in 2011 and hackers had siphoned off hundreds of thousands of Bitcoins over a period of three years. At the time, Mt. Gox accounted for more than 70% of all Bitcoin transactions. The incident is still the largest Bitcoin heist in history.
On Feb. 7, 2014, the Tokyo-based exchange halted all BTC withdrawals, causing a general panic to break out among the crypto community.
CEO Mark Karpeles left the Bitcoin Foundation during the same month and deleted all of his Twitter posts. On Feb. 24, 2014, the exchange suspended all trading operations while the site went offline. In total, Mt. Gox lost about 750,000 of its users’ BTC and 100,000 BTC of its own holdings — or nearly 7% of all the coins that were in circulation then.
The damage the hack did to the reputation of the exchange, as well as the exorbitant financial liabilities, forced Mt. Gox to file for bankruptcy.
On March 20, 2014, Mt. Gox announced finding a wallet holding a balance of approximately 200,000 BTC. So far, none of this has been used for compensation. However, the number of Bitcoins stolen was updated and estimated to be approximately 650,000 BTC.
Poloniex is another major crypto exchange that was unfortunate enough to find its place in a long list of victims. In March 2014, hackers stole 97 BTC, or 12.3% of Poloniex’s Bitcoin supply, after they discovered a critical vulnerability in the exchange’s software. In the end, the exchange managed to compensate the victims and reimbursed 100% of the affected customers. The 97 BTC were returned, although the value of bitcoin had fluctuated in the meantime.
Users were seemingly satisfied with the exchange’s handling of the hack, which let Poloniex retain its reputation and continue to operate.
Hackers used a banal phishing attack to target exchange employees. The company’s staff, who opened what appeared to be personal emails and messages on Skype, unwittingly gave hackers access to the system.
Even more surprising, a Bitstamp system administrator, Luka Kodrich, had clicked the link and downloaded malware onto a work computer, after which the exchange was hacked. The security regime was subsequently strengthened, which helped the exchange recover quickly. Now, transactions require multisignatures, and 98% of the cryptocurrency on the exchange is stored in a cold wallet.
Bitfinex was hacked in August 2016. The hackers utilized a bug in the multisignature system, which was supported by Bitfinex’s partner BitGo. The hackers were somehow able to trick the BitGo algorithms, forcing them to approve transactions, and withdrew about 120,000 BTC from the exchange’s hot wallet — worth the equivalent of $72.2 million, if we take the average exchange rates on the day of the hack.
The Bitfinex founders were transparent about the fact that financial losses would be distributed among all the users, with 36% of the funds in each wallet being frozen. These funds were later compensated with BFX tokens, which could be converted into U.S. dollars at an exchange rate set by Bitfinex or into shares of iFinex Inc., the company operating Bitfinex. This policy helped the exchange stay at the top even to this day.
Coincheck was attacked in the last days of January 2018. The target of the hack, as in most cases, was the hot wallet of the exchange, from which 523 million NEM tokens were stolen. Despite the lessons of earlier hacks, the exchange continued to keep users’ funds and even its own funds in the hot wallet, which did not use multisignature protection.
Did the hackers cash out the stolen goods? Hardly. The crypto community united after this theft and finally began to actively exchange information in order to prevent further movements of stolen funds. In particular, the instant exchange ShapeShift has banned the trades of NEM coins.
This example was followed by other services, since the 11 anonymous addresses that the stolen tokens had been transferred to have been tagged with a sign “coincheck_stolen_funds_do_not_accept_trades: owner_of_this_account_is_hacker.” This makes it easy to track any transaction made by these hackers. There is an ongoing investigation of the incident, and the exchange claims to be developing compensation options for users.
Bancor, a decentralized exchange created in opposition to centralized ones, was attacked by hackers on July 9, 2018.
Hackers withdrew a total of $23.5 million (value at the time of the hack) from the exchange’s hot wallet. Tokens on the exchange were immediately frozen, which caused a flurry of criticism from the cryptocurrency community because such actions directly contradict the principle of decentralization. Charlie Lee summed up the overall view in a tweet, announcing that Bancor can manipulate users’ funds:
“A Bancor wallet got hacked and that wallet has the ability to steal coins out of their own smart contracts. An exchange is not decentralized if it can lose customer funds OR if it can freeze customer funds. Bancor can do BOTH. It’s a false sense of decentralization.”
As for users’ tokens, Bancor immediately created a coalition with the instant exchange service Changelly, through which the hackers tried to withdraw funds. Transactions were frozen there as well.
Following the attack, $10 million worth of BNT was recovered from the hack.
Founders: Guy Benartzi, Galia Benartzi, Eyal Hertzog, Yudi Levi
The Cryptopia exchange is still reeling from a hack that happened in January this year. Optimism surrounding the potential for the reimbursement of stolen funds is now dwindling.
The exchange filed for bankruptcy in May, asking the U.S. Bankruptcy Court in the Southern District of New York to issue an order preserving the SQL database held exclusively on Arizona servers. This data contains vital information that can reconcile individual holdings with the currencies held by (and stolen from) Cryptopia.
The appointed auditing and liquidation firm, Grant Thornton, admitted that the recovery of funds would be impossible without this data.
On March 30, 2019, crypto exchange Bithumb posted on Twitter that its cryptocurrency withdrawals and deposits had been temporarily paused. Bithumb fell victim to security breaches that affected hundreds of thousands of users.
More than 3 million EOS were transferred from the hot wallet, and around 20 million XRP were also stolen. The company has since pointed out that all the funds stolen were those of the exchange and that users’ funds are in a cold wallet.
Bithumb, which is considered to be one of the two biggest crypto exchanges in South Korea (alongside UPbit), was hacked for the third time in two years, in what the exchange suspects to be an insider job. The Bithumb team said:
“According to the company’s manual, Bithumb secured all the cryptocurrency from the detection time with a cold wallet and checked them by blocking deposit and withdrawal service. As a result of the internal inspection, it is judged that the incident is an ‘accident involving insiders’. Based on the facts, we are conducting intensive investigations with KISA, Cyber Police Agency and security companies.”
Binance, one of the largest cryptocurrency exchanges, fell prey to a major security breach on May 7, 2019. Hackers used a variety of tactics — including phishing and viruses — to obtain a large number of two-factor authentication codes and API keys. The hackers made off with 7,074 BTC — worth more than $40 million on the day of the attack — in just one transaction.
CEO Changpeng Zhao stated in a letter that the Bitcoins were withdrawn from the exchange’s hot wallet. The exchange established a Secure Asset Fund for Users, or SAFU, in July 2018 to compensate clients in the event of such a hack. According to Binance:
“Starting from 2018/07/14, we will allocate 10% of all trading fees received into SAFU to offer protection to our users and their funds in extreme cases. This fund will be stored in a separate cold wallet.”
On July 12, 2019, Tokyo-headquartered cryptocurrency exchange BITPoint lost around 3.5 billion yen (about $32 million at the time of the hack) due to a hot wallet security breach. BITPoint said 2.5 billion yen belonged to customers, while 1 billion yen was owned by the exchange. Bloomberg reported that shares of BITPoint’s parent firm, Remixpoint Inc., shed 19% after the hack.
BITPoint was among the few Japanese crypto exchanges cleared to operate by the local financial regulator, the Financial Services Agency, during its rigorous inspections of industry players.
And finally, the last hack of the decade: Upbit. Upbit is a South Korea-based cryptocurrency exchange that was hacked for 342,000 ETH — equivalent to $49,116,778 at the time — on Nov. 27. The exchange was relatively quick to confirm the loss. All that is really known is that hackers were able to gain access to Upbit’s hot wallet and move Ether without authorization.
Apologizing to users for any inconvenience caused, Lee Sirgoo outlined the measures taken by the exchange after it detected the incident. The exchange has pledged to protect user assets, stating that the 342,000 ETH will be covered using corporate assets.
Hack date: Nov. 27, 2019
How it was hacked: Security breach
What about refunds?
As experience shows, after large hacking attacks, crypto exchanges most often use three ways to compensate the affected users:
Return of the funds from the exchange’s own profit or by issuing exchange tokens.
Rollback to a previous state or a freeze of transactions.
Compensation at the expense of other users.
Larger exchanges interested in continuing operations might come up with new ways of compensating lost funds, which is good news for the cryptocurrency industry. Furthermore, the practice of exchange owners trying to hide information and subsequently disappearing is starting to become a thing of the past.
Can cryptocurrency exchanges avoid the problem of hacking attacks anytime soon?
There are three main approaches to hacking exchanges:
The first type is a phishing scheme. For this exploit, the hackers pretend to be someone of authority (e.g., a security specialist, researcher, etc.) and convince exchange employees to give them access to certain systems. Once they have access, the hackers install a backdoor and steal funds later.
The second happens via a compromised third-party application — i.e. a poorly secured API connection that hackers can exploit and use to gain unauthorized access to an exchange.
The third occurs when the infrastructure of an exchange is compromised. Hackers exploit a vulnerability, take control of the exchange and withdraw as much crypto as is possible before the leak is detected.
Consequently, the protection of digital assets can only be achieved by the joint efforts of users and crypto banks serving the turnover of cryptocurrencies.
CEO of BEQUANT on the future of crypto trading:
“The 24/7/365 nature of crypto trading, together with extreme competition for new clients, means that over time very few exchanges will have operational manpower and expertise to keep up to date with tech upgrades and build custody offering to keep customer funds safe from hackers.”
Exchanges that have Not Been Hacked YET (At least officially):
There are few exchanges that have not been hacked. But that doesn't mean that these more fortunate exchanges are 100% secure or that your funds are safe. You should always remember the risks of leaving your funds on an exchange.
*Was reportedly hacked in 2017, but strongly denies it.
In this article, we dived deep into the biggest crypto exchange heists. This kind of hack is not the fault of the users. However, there is another kind of hack happening every day — where ordinary users become hackers’ targets. You’ll improve your chances of avoiding these attacks if you check out our next Special Project — 12 Proactive Steps to Protect Crypto Assets.