In this report by Crystal Blockchain and Cointelegraph, we shed light on the larger crypto exchange hacks that took place between 2011 and 2020, paying attention to the amounts stolen, the ways the hacks were carried out, post-hack fund flows, connections to other entities, and potential money laundering (ML) schemes used to obfuscate funds.
Numbers based on BTC price as of Oct. 28, 2019
Try to guess the dollar amount closest to all the crypto stolen in the past eight years
Cost per launch of the Space Shuttle: Wrong. This is the price tag of launching NASA's Space Shuttle, but isn't even approaching the total loot.
Worldwide box office gross for Avatar: About the same as the cumulative worldwide gross of the film Avatar? No, that's not the case. Hackers got much more.
How much it cost to build the 123-story Lotte World Tower in Seoul: The Lotte World Tower in Seoul cost this much, but hackers could have built several towers like this one with the wealth they looted.
What it would cost SpaceX to launch 1,200 Falcon 9 rockets: Congrats! You now know how much it costs to launch 1,200 SpaceX Falcon 9 rockets, but you haven't guessed the losses from crypto hacks yet.
What Disney spent to acquire Star Wars, Marvel and Pixar: $15.6 billion is right! As of Oct. 28, 2019, the amount of crypto stolen by hackers is equal to the money Disney spent on acquiring Star Wars, Marvel and Pixar.
What it cost to build Hong Kong International Airport in 1991: False. Thank goodness, the stolen funds are less (but the number is close).
How much it would cost to build 10 Large Hadron Colliders: Wrong. $95 billion is enough to build the Large Hadron Collider, plus nine more identical LHCs. The stolen funds, however, are much less!
Jeff Bezos's fortune: Jeff Bezos could have compensated the losses from crypto theft several times. No, it's less than his net worth.
The cost of building the International Space Station and putting it in orbit: Fortunately, not that astronomical.
Hackers prefer to use fraudulent exchanges and exchanges without verification requirements. This is the fastest and easiest way to cash out stolen money as it avoids KYC procedures and withdrawal limits.
* Category includes entity types that received less than 1% (gambling services, ATMs, scams, online marketplaces, mining companies, darknet services, ransomware distributors).
Mt. Gox was hacked in 2011, when the attackers compromised an account belonging to Jed McCaleb, the former owner of the exchange, who had admin-level access to the system. During the attack, hackers managed to create a large number of fake BTC and then flooded the exchange with the artificial supply. As a result, the BTC price dropped from $17.50 to a single cent, thereby allowing for the nefarious purchase and withdrawal of at least 2,000 real BTC before the exchange suspended trading.
On top of this, on June 20, a Mt. Gox user named Kevin, who was not involved in the hack, took advantage of the price drop initiated by the hack and claimed to have bought 250,000 Bitcoins for just $2,613. Of these, he was able to transfer 643 BTC into his personal wallet. However, Kevin said that he immediately contacted Karpeles about the situation. Mt. Gox didn’t calculate these 643 BTC as a portion of the 2,000 BTC it claimed were sent to external wallets. Thus, the total loss from this hack should be considered to be roughly 2,650 BTC.
In February 2014, Mt. Gox revealed that the exchange was compromised back in 2011 and hackers had siphoned off hundreds of thousands of Bitcoins over a period of three years. At the time, Mt. Gox accounted for more than 70% of all Bitcoin transactions. The incident is still the largest Bitcoin heist in history.
On Feb. 7, 2014, the Tokyo-based exchange halted all BTC withdrawals, causing a general panic to break out among the crypto community.
CEO Mark Karpeles left the Bitcoin Foundation during the same month and deleted all of his Twitter posts. On Feb. 24, 2014, the exchange suspended all trading operations while the site went offline. In total, Mt. Gox lost about 750,000 of its users’ BTC and 100,000 BTC of its own holdings — or nearly 7% of all the coins that were in circulation then.
The damage the hack did to the exchange's reputation, together with the exorbitant financial liabilities, forced Mt. Gox to file for bankruptcy.
On March 20, 2014, Mt. Gox announced finding a wallet holding a balance of approximately 200,000 BTC. So far, none of this has been used for compensation. However, the number of Bitcoins stolen was updated and estimated to be approximately 650,000 BTC.
Poloniex is another major crypto exchange that was unfortunate enough to find its place in a long list of victims. In March 2014, hackers stole 97 BTC, or 12.3% of Poloniex’s Bitcoin supply, after they discovered a critical vulnerability in the exchange’s software. In the end, the exchange managed to compensate the victims and reimbursed 100% of the affected customers. The 97 BTC were returned, although the value of bitcoin had fluctuated in the meantime.
Users were seemingly satisfied with the exchange’s handling of the hack, which let Poloniex retain its reputation and continue to operate.
Hackers used a banal phishing attack to target exchange employees. The company’s staff, who opened what appeared to be personal emails and messages on Skype, unwittingly gave hackers access to the system.
Even more surprising, a Bitstamp system administrator, Luka Kodrich, had clicked the link and downloaded malware onto a work computer, after which the exchange was hacked. The security regime was subsequently strengthened, which helped the exchange recover quickly. Now, transactions require multisignatures, and 98% of the cryptocurrency on the exchange is stored in a cold wallet.
Bitfinex was hacked in August 2016. The hackers utilized a bug in the multisignature system, which was supported by Bitfinex’s partner BitGo. The hackers were somehow able to trick the BitGo algorithms, forcing them to approve transactions, and withdrew about 120,000 BTC from the exchange’s hot wallet — worth the equivalent of $72.2 million, if we take the average exchange rates on the day of the hack.
The Bitfinex founders were transparent about the fact that financial losses would be distributed among all the users, with 36% of the funds in each wallet being frozen. These funds were later compensated with BFX tokens, which could be converted into U.S. dollars at an exchange rate set by Bitfinex or into shares of iFinex Inc., the company operating Bitfinex. This policy helped the exchange stay at the top even to this day.
Coincheck was attacked in the last days of January 2018. The target of the hack, as in most cases, was the hot wallet of the exchange, from which 523 million NEM tokens were stolen. Despite the lessons of previous hacks, the exchange continued to keep users' funds and even its own funds in the hot wallet, which did not use multisignature protection.
Did the hackers cash out the stolen goods? Hardly. The crypto community united after this theft and finally began to actively exchange information in order to prevent further movements of stolen funds. In particular, the instant exchange ShapeShift banned trades of NEM coins.
This example was followed by other services, since the 11 anonymous addresses that the stolen tokens had been transferred to have been tagged with a sign “coincheck_stolen_funds_do_not_accept_trades: owner_of_this_account_is_hacker.” This makes it easy to track any transaction made by these hackers. There is an ongoing investigation of the incident, and the exchange claims to be developing compensation options for users.
Bancor, a decentralized exchange created in opposition to centralized ones, was attacked by hackers on July 9, 2018.
Hackers withdrew a total of $23.5 million (value at the time of the hack) from the exchange’s hot wallet. Tokens on the exchange were immediately frozen, which caused a flurry of criticism from the cryptocurrency community because such actions directly contradict the principle of decentralization. Charlie Lee summed up the overall view in a tweet, announcing that Bancor can manipulate users’ funds:
“A Bancor wallet got hacked and that wallet has the ability to steal coins out of their own smart contracts. An exchange is not decentralized if it can lose customer funds OR if it can freeze customer funds. Bancor can do BOTH. It’s a false sense of decentralization.”
As for users’ tokens, Bancor immediately created a coalition with the instant exchange service Changelly, through which the hackers tried to withdraw funds. Transactions were frozen there as well.
Following the attack, $10 million worth of BNT was recovered from the hack.
Founder: Guy Benartzi, Galia Benartzi, Eyal Hertzog, Yudi Levi
Zaif is a Japan-based cryptocurrency exchange that was initially owned and operated by Tech Bureau. On September 17, 2018, the Zaif exchange suspended deposits and withdrawals in BTC, BCH, and MonaCoin (MONA). On September 18, the exchange reported to the police that it had been hacked and funds had been stolen.
Someone gained unauthorized access to the exchange on September 14, 2018, between 5 PM and 7 PM local time (8 AM and 10 AM UTC). They successfully transferred out 5,966 bitcoin (BTC) and unknown amounts of BCH and MONA. Zaif was alerted to this unauthorized access when a server malfunction was detected on September 17.
After the hack, Zaif was purchased by Fisco, a publicly listed Japanese investment firm that already had its own exchange.
All services were resumed, and the exchange refunded the users their stolen holdings. As Zaif outlined, users who had Bitcoin or Bitcoin Cash stolen were refunded in the same cryptocurrency. However, users who had MONA stolen received around 60 percent of the crypto, and the rest was compensated in Japanese Yen.
The Cryptopia exchange is still reeling from a hack that happened in January this year. Optimism surrounding the potential for the reimbursement of stolen funds is now dwindling.
The exchange filed for bankruptcy in May, asking the U.S. Bankruptcy Court in the Southern District of New York to issue an order preserving the SQL database held exclusively on Arizona servers. This data contains vital information that can reconcile individual holdings with the currencies held by (and stolen from) Cryptopia.
The appointed auditing and liquidation firm, Grant Thornton, admitted that the recovery of funds would be impossible without this data.
The Singapore-based cryptocurrency exchange DragonEx announced on its official Telegram channel that it was hacked on March 24, 2020. The users' and exchange's crypto assets were transferred and stolen. The judicial administrations of Estonia, Thailand, Singapore, and Hong Kong were informed.
DragonEx’s Telegram admin provided wallet addresses for 20 cryptocurrencies to which the stolen funds had apparently been transferred. The list included the top-five cryptos by market capitalization: bitcoin (BTC), Ether (ETH), Ripple (XRP), Litecoin (LTC), and EOS, as well as Tether stablecoin (USDT).
The exchange issued 7 million USDT worth of Dragon Bond (DB), which is 1:1 with USDT. The stolen user assets were valued at their price at the time of the hack; DragonEx compensated 10% of the stolen assets in the original currencies and the other 90% in DB.
On March 30, 2019, crypto exchange Bithumb posted on Twitter that its cryptocurrency withdrawals and deposits had been temporarily paused. Bithumb fell victim to security breaches that affected hundreds of thousands of users.
More than 3 million EOS were transferred from the hot wallet, and around 20 million XRP were also stolen. The company has since pointed out that all the funds stolen were those of the exchange and that users' funds are in a cold wallet.
Bithumb, which is considered to be one of the two biggest crypto exchanges in South Korea (alongside UPbit), was hacked for the third time in two years, in what the exchange suspects to be an insider job. The Bithumb team said:
“According to the company’s manual, Bithumb secured all the cryptocurrency from the detection time with a cold wallet and checked them by blocking deposit and withdrawal service. As a result of the internal inspection, it is judged that the incident is an ‘accident involving insiders’. Based on the facts, we are conducting intensive investigations with KISA, Cyber Police Agency and security companies.”
Binance, one of the largest cryptocurrency exchanges, fell prey to a major security breach on May 7, 2019. Hackers used a variety of tactics — including phishing and viruses — to obtain a large number of two-factor authentication codes and API keys. The hackers made off with 7,074 BTC — worth more than $40 million on the day of the attack — in just one transaction.
CEO Changpeng Zhao stated in a letter that the Bitcoins were withdrawn from the exchange’s hot wallet. The exchange established a Secure Asset Fund for Users, or SAFU, in July 2018 to compensate clients in the event of such a hack. According to Binance:
“Starting from 2018/07/14, we will allocate 10% of all trading fees received into SAFU to offer protection to our users and their funds in extreme cases. This fund will be stored in a separate cold wallet.”
On July 12, 2019, Tokyo-headquartered cryptocurrency exchange BITPoint lost around 3.5 billion yen (about $32 million at the time of the hack) due to a hot wallet security breach. BITPoint said 2.5 billion yen belonged to customers, while 1 billion yen was owned by the exchange. Bloomberg reported that shares of BITPoint’s parent firm, Remixpoint Inc., shed 19% after the hack.
BITPoint was among the few Japanese crypto exchanges cleared to operate by the local financial regulator, the Financial Service Agency, during its rigorous inspections of industry players.
And finally, the last hack of the decade: Upbit. Upbit is a South Korea-based cryptocurrency exchange that was hacked for 342,000 ETH — equivalent to $49,116,778 at the time — on Nov. 27. The exchange was relatively quick to confirm the loss. All that is really known is that hackers were able to gain access to Upbit’s hot wallet and move Ether without authorization.
Apologizing to users for any inconvenience caused, Lee Sirgoo outlined the measures taken by the exchange after it detected the incident. The exchange has pledged to protect user assets, stating that the 342,000 ETH will be covered using corporate assets.
The cryptocurrency exchange from Italy, Altsbit, announced that on February 5, 2020, it was hacked and the attacker stole almost all of the BTC, ETH, and other exchange cryptocurrencies.
The exchange gave its clients time to withdraw all assets left and was closed on May 8, 2020.
The hacking group LulzSec claimed responsibility for the theft. However, because of the suspicious use of hot wallets as a permanent storage system, and the quick announcement that the exchange would close, some users on social media have accused Altsbit of an exit scam.
On September 8, 2020, Slovakian cryptocurrency exchange ETERBASE announced that it was hacked and that its hot wallets were compromised. Hackers stole cryptocurrency funds worth $5.4 million. The exchange temporarily suspended its activity and reported to law enforcement.
ETERBASE was able to track the movement of stolen assets as they were transferred by the hackers into well-known exchanges including Binance and Huobi. All of the exchanges are cooperating closely to retrieve a significant part of the stolen funds.
To be continued…
Hack date: September 8, 2020
Assets stolen: BTC, ETH, XRP, TRX, XTZ, ALGO, and ERC-20 tokens
Exchange status: Suspended at the time of the investigation
The licensed exchange KuCoin was attacked by unknown malicious actors. According to an official announcement, KuCoin detected some large withdrawals from September 26, 2020, at 03:05:37 (UTC+8), after which the company suspended asset deposit and withdrawal services.
KuCoin representatives explained that, after further investigation, it was discovered that the hackers managed to use a security breach to gain access to the exchange's hot wallets, from which more than $150 million was stolen. The stolen assets were mainly ERC-20 tokens, but some amounts of BTC and ETH were lost too.
KuCoin has assured its customers that in the case that any user funds are affected by this incident, the losses will be covered completely by KuCoin and its insurance fund.
Hack date: September 26, 2020
Assets stolen: BTC, ETH, ERC-20 tokens
Exchange status: Suspended at the time of the investigation
of Bitfury Group is the all-in-one cryptocurrency monitoring and AML/CFT compliance tool powering security breach investigations for crypto service providers and promoting digital asset transparency for all.
CEO, Crystal Blockchain
This collaborative analysis between the Cointelegraph and Crystal Blockchain team is a very important investigative report of exchange hacks that have taken place over the last nine years. Researching cases like these allows the crypto industry to understand what happened more clearly so that we can hopefully avoid such incidents in the future and make the crypto industry safer.