Crypto Security Timeline
A history of expensive lessons in cryptocurrency security.
Total losses: $16,942,648,000+
Nobitex Hack
Iranian exchange Nobitex breached in attack linked to regional cyber operations, marking geopolitical crypto warfare.
Bybit Hack
Largest crypto hack in history. North Korean TraderTraitor group compromised Safe{Wallet} developer machine to drain Bybit cold wallet.
WazirX Hack
India's largest exchange WazirX lost $235M when hackers exploited multisig interface discrepancies on Liminal custody.
DMM Bitcoin Hack
Japanese exchange DMM Bitcoin lost $305M in one of 2024's largest hacks. North Korean attribution.
Orbit Bridge Hack
Attackers compromised validator keys to steal funds from Orbit Bridge during New Year period.
PlayDapp Exploit
Private key breach allowed attacker to mint 1.79B PLA tokens across two attacks on the gaming platform.
Poloniex Exchange Hack
Justin Sun's Poloniex exchange lost $130M from hot wallets. Private key compromise suspected.
HTX/Heco Bridge Hack
HTX exchange and Heco Chain bridge both suffered hacks within days, losing combined $113M.
Kyber Network Exploit
KyberSwap Elastic pools were exploited through a complex vulnerability in concentrated liquidity calculations.
Mixin Network Hack
Cloud service provider breach led to database compromise at Mixin Network. $200M in assets stolen.
Stake.com Hack
Crypto casino Stake.com lost $41M after hot wallet private keys were compromised. Lazarus Group attributed.
Milk Sad Vulnerability
Trust Wallet's WebAssembly had weak randomness, generating predictable mnemonics with the 'milk sad' pattern.
Multichain Bridge Hack
Multichain CEO went missing along with private keys, leading to massive fund drainage. Single point of failure exploited.
Atomic Wallet Hack
Decentralized wallet Atomic Wallet was compromised, with North Korean Lazarus Group suspected. Users lost $100M+.
Euler Finance Hack
Flash loan attack exploited vulnerability in donation and liquidation logic. Attacker later returned most funds.
FTX Collapse
FTX filed bankruptcy amid revelations of misappropriated customer funds. $8B+ customer funds lost in fraud and subsequent hack.
BNB Bridge Hack
Attacker exploited bug in BNB Chain bridge to mint 2M BNB tokens. Chain was halted to prevent further damage.
Profanity Vanity Address Exploit
Profanity tool used only 32 bits of seed entropy. Attackers brute-forced all vanity addresses in hours.
Wintermute Hack
Market maker Wintermute lost $160M due to compromised DeFi operations wallet generated with Profanity tool.
Nomad Bridge Hack
Faulty smart contract upgrade allowed anyone to drain funds. Hundreds of copycats joined the 'decentralized robbery'.
Beanstalk Governance Attack
Attacker used flash loan to acquire governance tokens, passed malicious proposal, and drained protocol in single transaction.
Fei/Rari Capital Hack
Reentrancy attack on Rari Capital's Fuse pools. The borrow function did not follow the checks-effects-interactions pattern.
Ronin Bridge Hack
North Korean Lazarus Group compromised 5 of 9 validator keys to steal 173,600 ETH and 25.5M USDC from Axie Infinity's bridge.
Wormhole Bridge Hack
Attacker exploited signature verification bug to mint 120,000 wETH on Solana without backing collateral.
BadgerDAO Exploit
Attacker compromised Cloudflare API key to inject malicious scripts, tricking users into approving token transfers.
Vulcan Forged Hack
Private keys of 96 wallets were compromised, draining 4.5M PYR tokens from the gaming platform.
Cream Finance Hack
Flash loan attack exploited vulnerability in yUSD pricePerShare calculation, inflating prices to double true value.
Poly Network Hack
Cross-chain protocol exploit allowed attacker to steal $610M. The 'Mr. White Hat' hacker later returned all funds.
PancakeBunny Exploit
Eight flash loan attacks manipulated PancakeBunny's pricing algorithm, inflating BUNNY token value before dumping.
xToken Exploit
Attacker used dYdX flash loan of 61K ETH to manipulate xToken protocol, exploiting SNX token pricing.
Akropolis Reentrancy
Reentrancy attack allowed attacker to mint unbacked dsUSD tokens, stealing 2.04M DAI across 17 transactions.
Harvest Finance Exploit
Flash loan attack manipulated stablecoin prices in Curve pools to drain Harvest Finance vaults.
KuCoin Hack
Hackers stole private keys to KuCoin's hot wallets, draining multiple cryptocurrencies. Most funds were later recovered.
bZx Flash Loan Attacks
DeFi protocol bZx was hit by two flash loan attacks exploiting price oracle manipulation and margin trading vulnerabilities.
Upbit Hack
Korean exchange Upbit lost 342,000 ETH during a transfer between hot and cold wallets.
Binance Hack
Hackers used phishing and malware to steal 7,000 BTC from Binance's hot wallet.
Bithumb Third Hack
Bithumb was hacked for the third time, losing nearly $20M in EOS and XRP. Suspected insider involvement.
Cryptopia Hack
New Zealand exchange Cryptopia suffered a security breach, losing funds from multiple wallets. The exchange eventually went into liquidation.
Zaif Hack
Japanese exchange Zaif had $60M in BTC, BCH, and MonaCoin stolen from hot wallets during server maintenance.
Bithumb Second Hack
Bithumb suffered its second major hack, losing $31M worth of XRP tokens from hot wallets.
BitGrail Hack
Italian exchange BitGrail lost 17 million Nano tokens. The exchange claimed it was hacked but evidence suggested insider involvement.
Coincheck Hack
Japanese exchange Coincheck lost 523M NEM tokens stored in a hot wallet. One of the largest crypto thefts in history.
NiceHash Hack
Cryptocurrency mining marketplace NiceHash was breached, losing approximately 4,700 BTC from its payment system.
Parity Wallet Freeze
A user accidentally killed Parity's library contract, permanently freezing 513,774 ETH.
Bithumb First Hack
Korean exchange Bithumb suffered its first hack, losing $7M in Bitcoin and Ethereum from compromised hot wallets.
Parity Multisig Hack
A vulnerability in Parity's multisig wallet allowed attackers to take ownership and drain funds.
Bitfinex Hack
120,000 BTC stolen from Bitfinex through compromised BitGo multisig implementation. Ilya Lichtenstein later admitted to the theft.
The DAO Hack
A reentrancy vulnerability in The DAO smart contract allowed an attacker to drain 3.6M ETH, leading to Ethereum's hard fork.
Bitstamp Hack
Social engineering attack on Bitstamp employee led to malware infection. Attackers obtained hot wallet backup passphrase and stole 19,000 BTC.
Blockchain.info RNG Bug
A flaw in blockchain.info's random number generation resulted in predictable private keys being generated.
Mt. Gox Collapse
Mt. Gox filed for bankruptcy after losing 850,000 BTC. Transaction malleability and poor security were blamed.
Android SecureRandom Bug
Android's Java SecureRandom had insufficient entropy, causing duplicate R values in ECDSA signatures, exposing private keys.
Linode Hack
Hackers broke into Linode's servers and stole Bitcoin from several hosted wallets including Bitcoinica.
Mt. Gox First Hack
Hackers compromised Mt. Gox auditor's computer and changed the price of Bitcoin to $0.01, buying millions of BTC.
Key Lessons Learned
Not Your Keys, Not Your Coins
Mt. Gox, FTX, and countless exchange hacks prove: self-custody is the only guarantee.
Randomness is Everything
Android RNG bug, Profanity exploit, Milk Sad - weak entropy has cost hundreds of millions.
Bridges Are Risky
Ronin, Wormhole, Multichain - cross-chain bridges are prime targets with billions lost.
Audit Everything
The DAO, Parity - even audited contracts fail. Multiple audits and formal verification help.
Cold Storage Saves
Hot wallet hacks are common. Keep minimal funds online, majority in cold storage.
Key Management is Critical
Multichain CEO disappearing with keys shows single points of failure are unacceptable.
Loss by Year
A Decade and a Half of Cryptocurrency Security Failures
The cryptocurrency security timeline is, by some measures, the most expensive ongoing case study in computer security ever recorded. Since the early Bitcoin era around 2011, the industry has cumulatively lost more than thirty billion US dollars to hacks, exploits, scams, and operational failures. Almost none of those losses are due to weaknesses in the underlying cryptography. SHA-256, secp256k1, and Keccak-256 remain unbroken across all of these incidents. Instead, the failures cluster into a handful of recurring categories: bad randomness in key generation, custodial key-management mistakes, smart-contract bugs, bridge designs that aggregate enormous value behind tiny validator sets, and economic exploits in DeFi protocols.
The earliest catastrophic loss, Mt. Gox, was operational rather than cryptographic — bad accounting, weak hot-wallet hygiene, and a slow response to transaction malleability. The DAO incident of 2016 introduced the smart-contract era of losses, where a recursive call bug in Solidity drained 3.6 million ETH and forced the Ethereum community into the contentious hard fork that produced today's ETH/ETC split. The Parity multisig freezes of 2017 demonstrated that a single uninitialized library contract could permanently lock hundreds of millions of dollars. The Coincheck NEM theft of 2018 showed that even nine-figure exchange losses could happen because a single hot wallet was kept online for convenience.
2021-2025: The Bridge and DeFi Era
The DeFi summer of 2020 and the bull market that followed drove total value locked into smart contracts past $200 billion at peak, and attack volume scaled accordingly. Cross-chain bridges turned out to be the highest-value targets ever built: Wormhole ($325M, 2022), Ronin ($625M, 2022), Nomad ($190M, 2022), and Multichain ($126M, 2023) all succumbed to compromised validators, signature-verification bugs, or insider key access. Ethereum-side DeFi protocols suffered a parallel wave of price-oracle manipulations, flash-loan attacks, and reentrancy variants. The Euler Finance hack of 2023 ($197M, eventually returned) showcased how a single donate-then-liquidate sequence could drain a lending protocol.
The 2022 collapse of FTX is in a different category: not a hack, but a fraudulent commingling of customer funds. It is included on this timeline because the lesson — that "not your keys, not your coins" applies even to centralized exchanges that look healthy — is at least as important as any cryptographic exploit. Industry-wide, the number of audits, formal-verification efforts, and on-chain monitoring services has grown sharply since 2022, and overall loss rates have begun to decline. But the timeline keeps lengthening: every month brings at least one new entry, and the lessons keep repeating because each generation of builders has to re-learn them.
Crypto Security History FAQ
What was the biggest cryptocurrency hack ever?
The Ronin Network bridge exploit in March 2022 lost about $625 million, making it the largest single DeFi hack at the time. The Poly Network hack of August 2021 ($611 million, eventually returned) and the FTX collapse of November 2022 (multi-billion-dollar customer losses) are also among the most damaging events in crypto history.
How much money has been lost to crypto hacks total?
Conservative public tallies put cumulative losses to hacks, exploits, scams, and rug pulls at over $30 billion since 2011. Chainalysis, Immunefi, and Rekt News maintain ongoing trackers; numbers vary because some events recover funds and some scams remain undisclosed.
What was the Mt. Gox incident?
Mt. Gox, the dominant Bitcoin exchange in 2013-2014, lost roughly 850,000 BTC (about $450 million at the time, far more today) to a combination of hot-wallet theft, malleability attacks, and internal mismanagement. The bankruptcy and creditor claims process is still being unwound a decade later.
Did the DAO hack lead to the Ethereum/Ethereum Classic split?
Yes. In June 2016 an attacker exploited a recursive-call bug in The DAO smart contract and drained roughly 3.6 million ETH. The Ethereum community executed a contentious hard fork to restore the funds. The chain that retained the original (un-rolled-back) state is now called Ethereum Classic (ETC), while the post-fork chain became today's Ethereum (ETH).
What lessons does crypto-security history teach?
Almost every major loss traces back to one of: weak randomness, key management failures (custodial mishandling, phishing, hot-wallet exposure), unaudited or rushed smart-contract code, bridge architectures that concentrate huge value behind small validator sets, and economic exploits in DeFi protocols. The protocols themselves rarely fail; the surrounding software, processes, and humans do.