Key Takeaways
- More than $20 billion in cryptocurrency has been stolen through hacks and exploits since 2014, with North Korea’s Lazarus Group responsible for a significant portion of the largest thefts.
- Cross-chain bridges have become the single most targeted category, accounting for several of the biggest losses ever recorded, often due to compromised validator keys or smart contract flaws.
- Self-custody with a hardware wallet and strong operational security remain the most reliable defenses available to individual holders.
Why Crypto Gets Hacked at Scale
Tens of billions of dollars in cryptocurrency have been stolen since Bitcoin’s earliest exchanges opened their doors. The pace has not slowed: 2022 was the worst year on record for crypto theft, and 2025 opened with the largest single exchange hack in history when Bybit lost $1.46 billion in a single transaction. Cryptocurrency is uniquely attractive to attackers because transactions are irreversible, identities are pseudonymous, and even a moderately well-funded team can write code that controls hundreds of millions of dollars. Hot wallets at centralized exchanges represent concentrated pools of private keys held online around the clock, and a single compromised key can drain an entire treasury.
Several factors compound the risk. Smart contract code is immutable once deployed, so a single logic flaw becomes a permanent vulnerability. Cross-chain bridges must trust external validators or cryptographic proofs, and either can be manipulated. State-sponsored groups, notably North Korea’s Lazarus Group, have turned crypto theft into a strategic revenue stream, reportedly funding weapons programs with the proceeds. The FBI and multiple blockchain intelligence firms have attributed billions in losses to Lazarus alone, with attacks ranging from social-engineered LinkedIn recruiter scams to sophisticated multisig UI poisoning that tricks human signers into approving malicious transactions.
Every Major Hack, Newest to Oldest
The table below lists the largest confirmed crypto thefts and exploits on record, ordered from most recent to oldest.
| Date | Target | Type | Amount Lost | What Happened |
|---|---|---|---|---|
| Apr 2026 | Kelp DAO | DeFi | ~$293 million | Attackers exploited a single-verifier flaw in a LayerZero bridge to mint and drain roughly 116,500 rsETH from the restaking protocol, laundering proceeds through THORChain; the theft is widely attributed to North Korea. |
| Apr 2026 | Drift Protocol | DeFi | ~$285 million | After months of social engineering to compromise protocol signers, attackers used a stolen admin key and a fake token to manipulate oracles and drain about $285M from Drift’s vaults in roughly 12 minutes. |
| Nov 2025 | Upbit | Exchange | ~$36 million | North Korean actors are the leading suspects in the theft of about $36M from Upbit’s Solana hot wallet, the South Korean exchange’s second major hack after its 2019 breach. |
| Nov 2025 | Balancer | DeFi | ~$128 million | An attacker exploited a precision rounding error in Balancer V2 stable pools, chaining batched swaps to drain about $128M across six chains in under 30 minutes, despite the protocol having been audited roughly ten times. |
| Aug 2025 | BtcTurk | Exchange | ~$48 million | Attackers drained roughly $48M from BtcTurk’s hot wallets across seven blockchains, the Turkish exchange’s second major breach in just over a year after a 2024 loss. |
| Jul 2025 | CoinDCX | Exchange | ~$44 million | A server-side breach gave attackers access to critical infrastructure at Indian exchange CoinDCX, draining about $44M from an internal operational account while customer funds stayed safe. |
| Jun 2025 | Nobitex | Exchange | ~$90 million | Pro-Israel group Gonjeshke Darande drained about $90M from Iran’s largest exchange using stolen keys and admin credentials, then burned the funds to vanity addresses bearing anti-Iran messages in a politically motivated attack. |
| May 2025 | Cetus Protocol | DeFi | ~$223 million | An attacker exploited a flawed overflow check in Cetus’s Move math library via flash loan, draining the Sui DEX’s pools; ~$162M was later frozen and returned by validator action. |
| Feb 2025 | Bybit | Exchange | ~$1.46 billion | Lazarus Group poisoned the Safe{Wallet} multisig UI with malicious JavaScript, tricking signers into approving a transaction that drained roughly 401,346 ETH. |
| Jan 2025 | Phemex | Exchange | ~$73 million | Lazarus Group compromised hot-wallet private keys and drained funds across 16 blockchains, leaving cold wallets unaffected. |
| Jul 2024 | WazirX | Exchange | ~$235 million | Lazarus Group tricked signers of WazirX’s Gnosis Safe multisig into approving a malicious contract upgrade, draining the wallet; users eventually recovered ~85% through a Singapore court-supervised restructure. |
| May 2024 | DMM Bitcoin | Exchange | ~$305 million | Lazarus Group’s TraderTraitor subgroup social-engineered a Ginco wallet employee via a fake LinkedIn recruiter, then manipulated a legitimate DMM transaction to divert 4,502.9 BTC; DMM shut down after the loss. |
| Dec 2023 | Orbit Chain (Orbit Bridge) | Bridge | ~$81.5 million | Attackers compromised Orbit Bridge’s multisig signers and drained stablecoins, ETH and WBTC from the Ethereum vault; funds were swapped to ETH and DAI and have not moved since. |
| Nov 2023 | HECO Bridge (HTX/Huobi) | Bridge | ~$86.6 million | Attackers compromised the HECO bridge operator’s private key, draining USDT, ETH, HBTC and other tokens; Elliptic linked the laundering to Lazarus Group via Tornado Cash. |
| Nov 2023 | Poloniex | Exchange | ~$126 million | Hackers compromised Poloniex hot-wallet private keys across Ethereum, Tron and Bitcoin chains; Justin Sun pledged full reimbursement from company funds. |
| Sep 2023 | Mixin Network | Infrastructure | ~$200 million | Attackers breached a third-party cloud database, draining roughly $200M from Mixin’s hot wallets; the company offered a 50% immediate refund plus bond tokens for the remainder. |
| Sep 2023 | CoinEx | Exchange | ~$54 million | A leaked hot-wallet private key allowed attackers to drain assets across nine chains; ZachXBT linked the theft to Lazarus Group via shared laundering addresses with the Stake.com hack. |
| Jul 2023 | Curve Finance | DeFi | ~$70 million | A reentrancy bug in older Vyper compiler versions exposed several Curve liquidity pools; white-hat MEV bots front-ran the attackers and recovered a portion, bringing net losses to roughly $52M. |
| Jul 2023 | Multichain | Bridge | ~$210 million | The bridge was drained via compromised MPC admin keys in what is widely suspected to be an insider rug pull, with the CEO detained by Chinese police and the protocol later ordered into liquidation. |
| Jun 2023 | Atomic Wallet | Wallet | ~$100 million | Lazarus Group drained over 5,500 non-custodial Atomic Wallet accounts in a mass compromise, laundering proceeds through the Russia-linked Garantex exchange. |
| Mar 2023 | Euler Finance | DeFi | ~$197 million | A flash-loan attack exploited a flaw in the protocol’s donation function, draining $197M; the attacker later returned nearly all funds after on-chain negotiations. |
| Nov 2022 | FTX | Exchange | ~$477 million | Hours after FTX filed for bankruptcy, attackers SIM-swapped an employee to defeat SMS two-factor authentication and drained roughly $477M from hot wallets in an unauthorized hack wholly separate from the exchange’s broader collapse. |
| Oct 2022 | Mango Markets | DeFi | ~$114 million | Avraham Eisenberg manipulated the MNGO oracle price by over 2,000% to borrow against artificially inflated collateral and drain the Solana protocol; he was later convicted of commodities fraud. |
| Oct 2022 | BNB Chain (BSC Token Hub) Bridge Exploit | Bridge | ~$570 million | An attacker forged an IAVL Merkle proof to mint 2 million BNB; validators halted the chain within hours so only ~$110M actually left the ecosystem before the exploit was contained. |
| Sep 2022 | Wintermute | Infrastructure | ~$160 million | A flaw in the Profanity vanity-address generator allowed attackers to brute-force the private key of Wintermute’s DeFi admin wallet, taking $160M while the firm remained solvent. |
| Aug 2022 | Nomad Bridge | Bridge | ~$190 million | A botched upgrade set a zero-hash as a trusted root, enabling spoofed messages to auto-validate; hundreds of copycat addresses drained the bridge in a permissionless free-for-all. |
| Jun 2022 | Harmony Horizon Bridge | Bridge | ~$100 million | Lazarus Group compromised two of five Harmony bridge multisig signer keys and drained ETH, BNB and stablecoins; the FBI officially confirmed the attribution in January 2023. |
| Apr 2022 | Beanstalk Farms | DeFi | ~$182 million | An attacker used a flash loan to acquire super-majority governance voting power and pass a malicious proposal that drained the stablecoin protocol’s entire collateral in a single transaction. |
| Mar 2022 | Ronin Network | Bridge | ~$540 million | Lazarus Group compromised five of nine Ronin bridge validator keys via a fake-job social engineering campaign, approving two fraudulent withdrawals that went undetected for six days. |
| Feb 2022 | Wormhole | Bridge | ~$325 million | An attacker exploited a deprecated signature-verification function to mint 120,000 unbacked wETH on Solana; Jump Crypto replaced the full amount within a day to keep users whole. |
| Jan 2022 | Qubit Finance (QBridge) | Bridge | ~$80 million | An attacker exploited a QBridge deposit flaw to mint unbacked collateral and borrow roughly 206,809 BNB; Chainalysis later attributed the theft to Lazarus Group via laundering patterns. |
| Dec 2021 | AscendEX (BitMax) | Exchange | ~$77.7 million | Compromised hot-wallet keys allowed an attacker to drain tokens across Ethereum, BSC and Polygon chains; AscendEX reimbursed all affected users in full. |
| Dec 2021 | BitMart | Exchange | ~$196 million | A stolen private key let attackers drain BitMart’s Ethereum and BSC hot wallets across 20 or more tokens, laundered via 1inch and Tornado Cash; BitMart pledged full user compensation. |
| Dec 2021 | BadgerDAO | Infrastructure | ~$120 million | Attackers injected malicious scripts into BadgerDAO’s front-end via a compromised Cloudflare API key, silently accumulating token approvals from nearly 200 accounts before draining roughly $120M from user wallets. |
| Oct 2021 | Cream Finance | DeFi | ~$130 million | A complex flash-loan attack manipulated vault share valuations to drain $130M from the lending protocol; it was Cream’s third exploit of 2021. |
| Aug 2021 | Liquid (QUOINE) | Exchange | ~$97 million | Attackers compromised an MPC warm wallet at Liquid’s Singapore subsidiary and stole 69 different assets, later laundered through Uniswap, SushiSwap and Tornado Cash. |
| Aug 2021 | Poly Network | Bridge | ~$611 million | An attacker exploited cross-chain contract logic to spoof instructions and drain assets across Ethereum, BSC and Polygon; the self-styled “Mr. White Hat” returned nearly all funds within 15 days. |
| Sep 2020 | KuCoin | Exchange | ~$281 million | Lazarus Group obtained KuCoin’s hot-wallet private keys and drained Bitcoin, ETH, ERC-20 tokens and more; KuCoin recovered ~84% through on-chain tracking and token freezes, covering the remainder from its insurance fund. |
| Nov 2019 | Upbit | Exchange | ~$49 million | 342,000 ETH was drained from Upbit’s Ethereum hot wallet in a single transfer; South Korean police officially attributed the theft to Lazarus Group and Andariel in November 2024. |
| May 2019 | Binance | Exchange | ~$40 million | Hackers used phishing and malware to steal API keys and 2FA codes, pulling 7,000 BTC from Binance’s hot wallet in one transaction; losses were fully covered by the exchange’s SAFU insurance fund. |
| Jan 2019 | Cryptopia | Exchange | ~$16 million | Attackers obtained thousands of private keys and drained over 76,000 Ethereum wallets across roughly five days; the exchange entered liquidation and creditors eventually received distributions through 2024. |
| Sep 2018 | Zaif (Tech Bureau) | Exchange | ~$60 million | Hackers accessed Zaif’s hot wallets and stole bitcoin, bitcoin cash and MonaCoin over roughly three days; Tech Bureau secured a 5 billion yen bailout from Fisco to compensate users. |
| Jun 2018 | Bithumb | Exchange | ~$30 million | Attackers compromised Bithumb’s hot wallet, stealing about $30M in multiple cryptocurrencies; security researchers linked the methodology to Lazarus Group. |
| Feb 2018 | BitGrail | Exchange | ~$170 million | A withdrawal idempotency flaw let users withdraw the same Nano repeatedly, draining 17 million tokens; an Italian court later held owner Francesco Firano personally liable for the losses. |
| Jan 2018 | Coincheck | Exchange | ~$530 million | Malware on an employee terminal stole the private key to Coincheck’s internet-connected NEM hot wallet, which lacked multisig; Coincheck reimbursed all ~260,000 affected users from its own funds. |
| Nov 2017 | Parity Wallet | Wallet | ~$150 million (frozen) | A user accidentally triggered the self-destruct function on a shared Parity library contract, permanently freezing 513,774 ETH across 587 multisig wallets; the funds were never stolen but remain inaccessible to this day. |
| Aug 2016 | Bitfinex | Exchange | ~$72 million | Attackers bypassed BitGo multisig controls to drain 119,756 BTC via roughly 2,000 approved transactions; Ilya Lichtenstein later admitted the theft, and the US DOJ seized ~94,000 BTC in 2022. |
| Jun 2016 | The DAO | DeFi | ~$60 million | An attacker exploited a reentrancy bug to siphon about 3.6 million ETH, triggering the Ethereum hard fork that created Ethereum Classic and establishing reentrancy as one of the most studied vulnerabilities in smart contract development. |
| Feb 2014 | Mt. Gox | Exchange | ~$473 million | A years-long undetected drain of customer and company bitcoins from a compromised hot wallet was revealed when Mt. Gox filed for bankruptcy; US prosecutors later charged Russian nationals with stealing ~647,000 BTC starting around 2011. |
This table counts confirmed thefts only. Some of the most alarming recent scares were caught before any funds moved. In June 2026, Zcash developers disclosed a critical counterfeiting flaw in the Orchard shielded pool that had gone undetected for roughly four years, then patched it through an emergency hard fork after a security audit uncovered it. No ZEC was ever proven stolen, yet the price still fell sharply on the news, a reminder that with privacy-preserving systems the mere possibility of an undetectable exploit can be almost as damaging as a confirmed breach.
The Three Favourite Targets
Looking across the full timeline, three categories account for the overwhelming majority of losses. The oldest and most persistent target is the centralized exchange, where private keys protecting pooled customer funds sit online and accessible around the clock. From Mt. Gox in 2014 to Bybit in 2025, the core attack vector has barely changed: obtain the key, drain the wallet. Exchanges have layered in multisig wallets, hardware security modules and withdrawal whitelists, but each additional control also creates a new surface. A compromised signing UI, a social-engineered employee or a stolen API credential can still unravel years of security investment in minutes.
Cross-chain bridges emerged as the dominant loss category in 2022, accounting for billions of dollars in a single year. Bridges present an inherently complex security problem: they must lock assets on one chain and mint representations on another, often relying on a small set of validators or a cryptographic proof mechanism. Compromise any critical link in that chain and the entire locked pool is exposed. The Ronin Network hack, the Wormhole exploit, the Nomad free-for-all and the BNB Chain bridge incident all struck within twelve months of each other. The aggregate losses from bridge hacks across the table run to several billion dollars, more than any other single category.
DeFi protocols round out the three main targets, with flash loans serving as the enabler of choice. Flash loans allow an attacker to borrow tens or hundreds of millions of dollars within a single transaction, use those funds to manipulate oracle prices or pass governance votes, then repay the loan, pocketing the profit with no upfront capital. The DAO in 2016 established the blueprint with a reentrancy attack; Beanstalk Farms in 2022 demonstrated that governance itself can be weaponized when it lacks flash-loan-resistant vote counting; and Euler Finance in 2023 showed that even audited code can contain logic flaws subtle enough to be missed until someone with a large enough flash loan finds them. Throughout all three categories, Lazarus Group has proved the most prolific single actor, using social engineering, key theft and sophisticated laundering infrastructure to extract and clean funds at a scale no criminal group has matched.
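To make "flash-loan-resistant vote counting" concrete, the following added example (not from the original article or any protocol's code) models a governance token in Python and compares voting weight read from the live balance with weight read from a snapshot taken in an earlier block. The ledger, the holder names, the 2/3 threshold and the block numbers are all constructed assumptions.

```python
"""Toy model (constructed): live-balance vs. snapshot vote counting under a flash loan."""
from bisect import bisect_right


class Token:
    """Minimal governance-token ledger with one balance checkpoint per block."""

    def __init__(self):
        self.block = 0
        self.history = {}  # holder -> [(block, balance), ...] in block order

    def balance(self, who):
        h = self.history.get(who)
        return h[-1][1] if h else 0

    def balance_at(self, who, block):
        """Balance as of the end of `block`; 0 if the holder had none yet."""
        h = self.history.get(who, [])
        i = bisect_right([b for b, _ in h], block)
        return h[i - 1][1] if i else 0

    def _set(self, who, amount):
        h = self.history.setdefault(who, [])
        if h and h[-1][0] == self.block:
            h[-1] = (self.block, amount)  # same block: overwrite the checkpoint
        else:
            h.append((self.block, amount))

    def mint(self, who, amount):
        self._set(who, self.balance(who) + amount)

    def transfer(self, src, dst, amount):
        if self.balance(src) < amount:
            raise ValueError("insufficient balance")
        self._set(src, self.balance(src) - amount)
        self._set(dst, self.balance(dst) + amount)


def voting_weight(token, voter, mode, snapshot_block):
    if mode == "live":
        return token.balance(voter)  # weak: counts whatever is held right now
    if token.block <= snapshot_block:
        raise ValueError("snapshot must be from an earlier block")
    return token.balance_at(voter, snapshot_block)  # fixed before voting opens


def flash_loan_vote(token, pool, borrower, amount, mode, snapshot_block):
    """Borrow, measure voting weight, repay: all inside one transaction."""
    token.transfer(pool, borrower, amount)
    try:
        return voting_weight(token, borrower, mode, snapshot_block)
    finally:
        token.transfer(borrower, pool, amount)  # unpaid loans revert the transaction


def run_scenario(supply=1000, pool_liquidity=900):
    results = {}
    for mode in ("live", "snapshot"):
        t = Token()
        t.block = 1
        t.mint("pool", pool_liquidity)
        t.mint("holders", supply - pool_liquidity)
        t.block = 10  # proposal created; snapshot block is 10
        t.block = 11  # the vote is cast one block later
        w = flash_loan_vote(t, "pool", "borrower", pool_liquidity, mode, 10)
        results[mode] = {"weight": w, "passes": 3 * w >= 2 * supply,
                         "borrower_after": t.balance("borrower")}
    return results
```

With live balances the borrowed tokens count toward the super-majority even though the borrower ends the transaction holding nothing; with a snapshot from an earlier block the same loan carries zero weight.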
The All-Time Top 5
The five largest individual incidents tell the story of how crypto security threats have evolved over a decade. Mt. Gox, the Tokyo-based exchange that collapsed in February 2014, lost roughly 650,000 BTC to a slow drain that had been running for years before anyone noticed, exposing the catastrophic risk of a single hot wallet with no meaningful monitoring. Coincheck, another Japanese exchange, repeated a strikingly similar failure in January 2018 when $530 million in NEM tokens was taken from a hot wallet that lacked even basic multisig protection. Both incidents triggered major regulatory overhauls in Japan. Then came the bridge era: Poly Network’s $611 million hack in August 2021 became the largest crypto theft ever recorded at the time, only to be eclipsed within a year by the $540 million Ronin Network breach, where Lazarus Group spent six days in control of the bridge before anyone realised the funds were gone. Finally, February 2025 saw Bybit lose $1.46 billion in a single transaction to a UI-layer attack so sophisticated it deceived experienced human signers reviewing what appeared to be a legitimate multisig approval. Each record-breaker has reflected the dominant infrastructure of its era, and each has reshaped how the industry thinks about custody and key management.
How to Protect Your Crypto
- Store long-term holdings on a hardware wallet that keeps private keys offline and requires physical confirmation for every transaction.
- Write your seed phrase on paper and store it securely offline. Never photograph it, type it into any website, or share it with anyone, including support staff.
- Verify website URLs carefully before connecting a wallet or signing any transaction. Bookmark the official addresses of platforms you use and stay alert to phishing sites that differ by a single character or use lookalike domains.
- Enable two-factor authentication using an authenticator app rather than SMS. SIM-swapping attacks have enabled several major thefts, including the unauthorized $477 million FTX wallet drain in November 2022.
- Only keep on an exchange the funds you need for active trading. Assets sitting on a platform rely entirely on that exchange’s security, not yours.
- Revoke unused token approvals regularly. Tools that audit your on-chain permissions can remove access granted to contracts you no longer use, eliminating a common attack surface exploited in hacks like BadgerDAO.
- Before signing any transaction, verify the contract address, the amount and the recipient independently, not only in the wallet UI, which can itself be compromised as the Bybit and BadgerDAO attacks demonstrated.
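One way to carry out the independent check in the last two points, as an added example that is not part of the original article: decode the raw ERC-20 calldata offline and compare the token contract, counterparty and amount with what you intended, flagging unlimited approvals. The function names, addresses and calldata below are constructed placeholders; the three selectors are the standard ERC-20 ones.

```python
"""Decode ERC-20 calldata offline to cross-check what a wallet UI displays."""

# Standard ERC-20 4-byte selectors and their parameter layout.
SELECTORS = {
    "a9059cbb": ("transfer", ("to", "amount")),
    "095ea7b3": ("approve", ("spender", "amount")),
    "23b872dd": ("transferFrom", ("from", "to", "amount")),
}
MAX_UINT256 = 2**256 - 1

# Constructed sample data (placeholder addresses, not real contracts).
TOKEN = "0x" + "aa" * 20
INTENDED_PARTY = "0x" + "22" * 20
SAMPLE_TRANSFER = ("0xa9059cbb" + "00" * 12 + "22" * 20
                   + (1_500_000).to_bytes(32, "big").hex())
SAMPLE_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32


def decode_erc20_call(calldata_hex):
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    selector = data[:4].hex()
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector 0x{selector}: cannot verify this call")
    name, params = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(params):
        raise ValueError("calldata length does not match the function's ABI")
    call = {"function": name}
    for i, param in enumerate(params):
        word = body[32 * i:32 * (i + 1)]
        if param == "amount":
            call[param] = int.from_bytes(word, "big")
        else:
            if any(word[:12]):
                raise ValueError("address word has non-zero padding")
            call[param] = "0x" + word[12:].hex()
    return call


def check_against_intent(tx_to, calldata_hex, token, party, amount):
    """Return a list of mismatches between the decoded call and the intent."""
    call = decode_erc20_call(calldata_hex)
    problems = []
    if tx_to.lower() != token.lower():
        problems.append("transaction targets a different contract")
    counterparty = call.get("to") or call.get("spender")
    if counterparty != party.lower():
        problems.append(f"counterparty is {counterparty}")
    if call["amount"] != amount:
        problems.append("amount differs from intent")
    if call["function"] == "approve" and call["amount"] == MAX_UINT256:
        problems.append("unlimited approval")
    return problems
```

An empty list means the raw call matches the intent; any entry is a reason to stop before signing, whatever the wallet UI displays.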
Bottom Line
By 2026, the crypto security landscape looks meaningfully different from 2014. Mandatory smart contract audits, formal verification, multi-party computation for key management, bug bounty programmes and slower bridge designs with time-locked withdrawals have all become standard at serious projects. Regulators in Japan, the EU and the US have imposed requirements that push exchanges toward cold-storage minimums and insurance reserves. Blockchain analytics firms can trace and freeze stolen funds faster than ever, and state-level attribution of North Korean hacks has moved from speculation to official FBI indictments. Yet the pace of theft has not meaningfully declined, because the value at stake keeps rising and sophisticated attackers adapt to each new control.
The hardest lesson the industry keeps relearning is that crypto’s core property, the irreversibility that makes it valuable as a settlement layer, is also what makes every theft permanent. There is no central authority to reverse a transaction, no deposit insurance scheme to restore funds automatically, no fraud department to call. That responsibility falls on users and builders alike. For individuals, the practical implication is straightforward: the safest crypto is crypto held in self-custody with robust key management, as explored in detail in our guide to the top hardware wallets for cryptocurrency security. The hacks in this table are not cautionary tales about cryptocurrency itself, but about the persistent gap between how securely assets can be held and how carelessly they sometimes are.