What are the greatest cryptocurrency hacks ever? Cryptocurrency hacks disclose digital currency’s security vulnerabilities, so what are the biggest crypto heists ever?
Cryptocurrencies have been the focus of financial headlines due to their ability to disrupt markets in ways no one could have predicted.
That isn’t to suggest that the crypto journey has been without hiccups.
However, because many people use third-party wallet providers, their crypto is only as safe as the provider’s protections and security procedures.
Every few months, a cryptocurrency heist makes the news, revealing the digital currency and blockchain’s security flaws.
Hackers have taken advantage of vulnerabilities in these third party exchange apps to target cryptocurrencies directly. They have stolen the equivalent of $4 billion to date.
However, as we all know, the value of several cryptos has soared in recent years. This means that if hackers had kept all of the cryptos they stole and cashed them in today, they would have amassed a wealth of almost $90 billion.
So, how have crypto heists progressed throughout history? How much money has been stolen in total? And how many platforms have been forced to shut down as a result?
Keep reading to find out the biggest and craziest crypto heists to have ever been recorded in history.
Top crypto heists ranked
The following are the largest crypto heists to date, according to our findings (based on the amount stolen in USD at the time).
Poly Network
- Year: August, 2021
- Amount stolen: $610 million
In August 2021, a hacker exploited a vulnerability in Poly Network’s system and stole cash totalling over $600 million.
They didn’t get away with their reward, though, in an odd twist. Instead, the hacker approached the platform and agreed to return the majority of the funds, with the exception of $33 million in tether (USDT) that had been frozen by the issuers.
But the saga didn’t end there. $200 million of the stolen money was locked away in an account that required a password from both the hacker and Poly Network. The hacker initially refused to pass out theirs.
That is, until Poly Network pleaded with them to release it, gave them a $500,000 reward for discovering the system flaw, and even offered them a job!
Poly Network later revealed that the private key had been handed to them by “Mr White Hat.”
Coincheck
- Year: January, 2018
- Reported crypto loss: 523 million NEM
- Amount stolen: $530 million
Coincheck, based in Japan, had their NEM (XEM) tokens stolen for more than $530 million in January 2018.
Hackers took advantage of the fact that the currency was kept in a “hot” wallet, which meant it was connected to the server and thus “online” (a cold wallet sees funds stored offline).
The stolen coins were identified and marked as such by NEM developers, although there was conjecture that the monies were available on dark markets.
However, given how much the coins lost in value following the attack, it’s unlikely that many people would have thought this was a good deal (the coins are now worth 83 per cent less than they were–roughly $90 million).
MT Gox
- Year: 2014
- Crypto loss: 850,000 BTC
- Amount stolen: $470 million (Current value: $4.8bn)
This was the first large-scale hack on a cryptocurrency exchange, and it remains the largest theft of Bitcoins to date.
The MT Gox heist, on the other hand, was not a one-off occurrence. Rather, until February 2014, the platform had been leaking funds since 2011.
Hackers stole 100,000 bitcoins from the exchange and 750,000 bitcoins from its customers over the course of a few years.
These bitcoins were worth $470 million at the time, but they’re now worth around ten times that ($4.7 billion).
Shortly after the hack, MT Gox went into liquidation, with liquidators recovering roughly 200,000 of the stolen bitcoin.
Wormhole
- Year: February 2022
- Reported crypto loss: 120,000 wETH
- Amount stolen: $326 million
Wormhole’s crypto platform was hacked for $326 million in the first major crypto heist of 2022. The platform serves as a communication link between Solana (a recently popular Ethereum competitor) and other decentralized finance networks.
Hackers exploited a vulnerability on February 2, 2022, forcing Wormhole to shut down its platform while it investigated. Later, it was revealed that 120k wrapped Ethereum (wETH) coins had been stolen.
KuCoin
- Year: September 2020
- Reported crypto loss: Undisclosed
- Amount stolen: $281 million
In September 2020, KuCoin confirmed that hackers had managed to obtain private keys to their hot wallets before withdrawing large amounts of Ethereum (ETH) and Bitcoin (BTC), as well as Bitcoin SV (BSV), Litecoin (LTC), XRP (XRP), Stellar Lumens (XLM), Tron (TRX), and Tether (USDT) (USDT).
Since then, experts have suggested they have strong reason to believe that hackers in North Korea were responsible.
PancakeBunny
- Year: May 2021
- Reported crypto loss: Undisclosed
- Amount stolen: $200 million
In May 2021, hackers were able to drain $200 million from the platform in a flash loan attack. To carry out the attack, the hacker loaned a large amount of Binance Coin (BNB) before manipulating its price and dumping it on PancakeBunny’s BUNNY/BNB market.
This allowed the hacker to obtain a large amount of BUNNY via a flash loan, dump all of the bunny on the market to lower the price, and then repay the BNB via pancakeswap.
Bitmart
- Year: December 2021
- Reported crypto loss: Undisclosed
- Amount stolen: $196 million
In December 2021, a compromise of Bitmart’s hot wallet resulted in the theft of nearly $200 million.
At first, it was thought that $100 million had been stolen via the Ethereum blockchain, but further investigation revealed that another $96 million had been stolen via the Binance Smart Chain blockchains.
Over 20 tokens were stolen, including altcoins such as BSC-USD, Binance Coin (BNB), BNBBPay (BPay), and Safemoon, as well as large amounts of Moonshot, Floki, and BabyDoge.
Bitgrail
- Year: February 2018
- Reported crypto loss: 17 million XRB
- Amount stolen: $150 million
Bitgrail was a small Italian exchange that traded in obscure cryptocurrencies like Nano (XRB). The exchange was hacked in February 2018, just as the price of XRB soared from a few cents to $33.
At least 17 million coins (the equivalent of about $150 million) were taken from nano wallets. Many users began to express their dissatisfaction with the exchange prior to the attack (significantly lower withdrawal limits and transaction problems).
Investigations also revealed that the coins were taken from cold wallets rather than hot wallets, implying that the theft was an inside job.
Over the last few years, investigations have continued, with Italian police recently accusing the owner of Bitgrail of being behind the attacks (either directly involved or aware/did nothing to prevent further theft once the first attack had been carried out).
Vulcan Forged
- Year: December 2021
- Reported crypto loss: 4.5 million PYR
- Amount stolen: $135 million
In December 2021, hackers stole $135 million from Vulcan Forged, a blockchain gaming company. They stole private keys to 96 different wallets before draining 4.5 million PYR tokens from them.
Cream Finance
- Year: October 2021
- Reported crypto loss: Undisclosed
- Amount stolen: $130 million
This October 2021 attack not only resulted in the theft of $130 million, but it was also Cream Finance’s third attack of the year.
Hackers stole $37 million in February and $29 million in August. Hackers used what was deemed to be a flaw in the DeFi platform’s flash lending system in the most recent attack.
On the Ethereum network, they were able to take all of Cream Finance’s tokens and assets, totalling $130 million.
BadgerDAO
- Year: December 2021
- Reported crypto loss:
- Amount stolen: $121 million
A hacker was able to drain assets from several cryptocurrency wallets on the DeFi network, BadgerDAO, in December 2021.
Hackers used a “maliciously injected snippet” via Cloudfare to drain $130 million in funds, with around $9 million recovered because it hadn’t been withdrawn, according to the platform.
CoinBene
- Year: March 2019
- Reported crypto loss: Undisclosed
- Amount stolen: $105 million
$105 million stolen: In March 2019, the platform claimed it was undergoing maintenance after large outgoing transactions from CoinBene’s hot wallet to an unknown wallet.
However, rumours immediately spread that the platform’s ERC-20 tokens were being transferred to an unknown wallet (which didn’t exist until the day of the transfer).
Data scientists also discovered that the tokens were quickly transferred to Etherdelta and traded for Ethereum (ETH). At the time, this was worth $105 million.
Liquid
- Year: August 2021
- Reported crypto loss: Undisclosed
- Amount stolen: $97 million
In August 2021, Liquid, a Japanese cryptocurrency exchange, discovered that unauthorized individuals had gained access to its accounts and transferred assets worth more than $97 million out of them.
ERC-20 assets worth $16.13 million USDe were frozen to prevent further movement, however, 69 different cryptos were misappropriated and moved to other DeFi platforms or exchanges.
EasyFi
- Year: July 2021
- Reported crypto loss: Undisclosed
- Amount stolen: $81 million
Hackers were able to extract $6 million in USD, DAI, and USDT, as well as 2.98 million EASY tokens, totalling about $81 million, by stealing the private keys to EasyFi’s MetaMask admin account.
The machine that was used to obtain the keys was mostly off the grid, only coming up to complete formal project transfers. The machine had been inactive for more than a week before the attack was carried out.
Because it wasn’t being used at the time of the attack, the platform’s response was delayed, allowing the hacker to drain the protocol’s assets.
NiceHash
- Year: December 2017
- Reported crypto loss: 4,700 BTC
- Amount stolen: $70 million
On December 6, 2017, the Bitcoin mining marketplace NiceHash was hacked for roughly 4,700 Bitcoins. At the time of the breach, the stolen coins were worth around $70 million.
The hacker, according to NiceHash, was able to steal an employee’s credentials using a phishing email.
Users were also advised to reset their passwords by the platform.
Despite the fact that NiceHash was unable to collect the monies, it began a refund program with its fees in order to save its reputation.
The platform had refunded 100 per cent of the monies taken during the incident by December 2020.
It’s unusual for a crypto service provider to fully reimburse its customers after a security breach. NiceHash, on the other hand, has hopefully established an example for others to follow.