The advent of cryptocurrency enabled users to be their own bank, but being your own bank means managing your own funds using cryptography to secure your private keys. It requires a level of proficiency with software and hardware tools. A well known adage in the cryptocurrency space goes, “Your keys, Your Bitcoin. Not your keys, not your Bitcoin.” Although the skill level required to ‘be your own bank’ is not that high, it is still easier to just set up an account with a third-party, use a password, and this is invariably what most cryptocurrency users do.
This convenience is offered by cryptocurrency exchanges. They give you the convenience of a user account and password to access your coins. They profit from making fees from any coin movements, trades or conversions into and out of fiat money on their platform. They do the key storage for you and offer a service that is more user friendly and very much resembles traditional banking. Although this service is convenient and user friendly, it makes them the custodians of your keys. Your money is now only as secure as the security measures the exchange has in place. They may use a lot of security measures to manage the risk and secure your funds, but just like any other technology that involves public access to databases and servers, they are prone to sophisticated hacks, internal thefts and losses of user funds.
Cryptocurrency hacks are not confined to exchanges either. Hackers have proved successful at hacking into people’s personal computers using malware that can look for passwords and cryptocurrency holdings. Hackers have also taken advantage of coding bugs in smart contracts which are basically lines of code designed by blockchain programmers to hold, transfer, and manage cryptocurrency movements.
The 9 biggest cryptocurrency heists of all time
In this post we explore some of the biggest cryptocurrency heists:
1. Coincheck Hack
Date: Jan 2018
Crypto amount stolen: Approximately 500 Million NEM
Fiat equivalent at the time: ~ 58 Billion Japanese Yen (~$532 Million USD)
The popular cryptocurrency exchange and wallet Coincheck, which had been in operation since 2014 got hacked in January 2018. The hackers got away with transferring around 500 Million NEM into 19 wallets, 18 of which were controlled by the hackers. At the time, NEM was a new currency and the hackers managed to swipe the funds from the exchange’s wallet. Typically exchanges store large amount in cold storage wallets (using cryptographic keys that are offline and not in contact with the internet), and keep a smaller amount that is needed as a daily float in ‘hot wallets’ – which are connected to their servers in real-time live and online. Seeing as the currency was new and its tech was only recently implemented, the exchange got caught short-staffed and vulnerable before being able to properly set up their NEM cold wallet facility – which would have involved a smart contract utilizing multisig technology and require multiple signers to agree to release any funds.
The initial suspects were thought to be from North Korea but further investigations have revealed that certain exchange employees personal laptops had been infected with a virus that was exploited by Russian hackers. The NEM developers quickly got involved after the hack and marked the hacked coins (flagged them as identifiable) on the blockchain. This allowed exchanges to identify the stolen coins and not honor the hackers’ transactions. There had been speculation that the funds would be sold privately in dark markets, but with the value of NEM being significantly lower today, and with the coins being tainted, it is doubtful many buyers would show up for such a deal.
The Coincheck exchange compensated all their affected users with a full refund which was drawn from their own reserves. The exchange was acquired by the Monex Group in April that same year. They have since complied and registered with Japanese cryptocurrency regulators and began trading again in November 2018. The event was also a catalyst for the formation of the Japanese Cryptocurrency Association to form stricter rules and guidelines for participating members, particularly as this was the second such large scale hack in the country, the first being the infamous MT Gox hack.
2. MT Gox Hack
Date: Feb 2014
Crypto amount stolen: 850,000 BTC
Fiat equivalent at the time: ~ $470 million USD
Although this hack comes in second on our list, it is only because of the value that Bitcoin had at the time of the hack when it was valued at less than 1,000 USD. At the time of writing this article, Bitcoin is valued at over $9,000 USD and that amount would stand at close to $8 Billion USD. It was the first large scale hack on an exchange and the amount was also the most Bitcoins ever stolen from an exchange. It was also the most renowned attack as leading up to the time, users were reporting difficulties withdrawing their funds and speculation was rife on social media and the press before the eventual collapse.
Although the hack was uncovered in February of 2014, the exchange had been leaking funds since 2011, something that the exchange operators had kept secret until they were no longer solvent. 750,000 were their customer’s Bitcoins and 100,000 of them were their own. At the time of the collapse, the MT Gox exchange covered 70% of the active Bitcoin trading at the time.
MT Gox was never designed or developed to be a cryptocurrency exchange. The exchange originated as a place for in-game tokens to be traded among game players online. The founder, Jed McCaleb, bought the mtgox.com domain in January 2007 (which stands for Magic: The Gathering Online eXchange). Later in 2010, he heard about Bitcoin and decided to extend the exchange services to Bitcoin traders who were lacking trading and exchange facilities at the time. It is of note that Bitcoin was trading at fractions of a dollar at the time and was more of a novelty among niche computing circles. He sold the site to Mark Carpelles, citing lack of time to focus and develop the site to its fullest potential while acknowledging that the site would need substantial development to continue trading Bitcoin.
The company went into liquidation. 200,000 of the stolen Bitcoin have been recovered since by the liquidators, but none of the owners have had any of their Bitcoins returned to date. The recovered funds have been pending court decisions on how they are to be returned to their rightful owners.
Even Bitcoin investors that didn’t use the exchange were affected as the price plummeted by over 50% at the time of the collapse.
3. BitGrail Hack
Date: Feb 2018
Crypto amount stolen: 17 million Nano (XRB)
Fiat equivalent at the time: ~ $170 million USD
With the cryptocurrency scene still reeling from the news of the Coincheck hack in Japan, less than a month later a little known Italian operated exchange BitGrail got hacked to the tune of 17 million Nano. With faith in cryptocurrency exchanges at a new low, this new hack was engrossed in suspicious circumstances. The developers of the Nano cryptocurrency had been encouraging their investors to use the little known BitGrail exchange because it was one of the only exchanges that carried liquidity and trading in the nascent cryptocurrency at the time. In more controversy, the individual behind Bitgrail, Francesco Firano, suggested that the Nano developers should adjust the ledger to reverse the losses, something that the developers of Nano were not in a position to do, or support even as this would bring into dispute the irreversibility of transactions on the Nano blockchain.
More suspicions were directed toward the operator of the exchange after a user of the exchange reported difficulties in withdrawing Nano funds from the exchange as early as October the previous year. More recently, affected BitGrail account holders formed a group called the Bit Grail Victims Group (BGVG) and took Mr. Firano to court. According to a post they released on Medium, the court declared BitGrail and Mr. Firano as bankrupt which allowed for the seizure of their assets. The court also found that Mr. Fiorano was aware of earlier losses of Nano from his exchange’s hot wallets, but these losses went unreported. More details from the court proceedings and judgments can be seen here.
4. Bitfinex Hack
Date: Aug 2016
Crypto amount stolen: 119,756 Bitcoin (BTC )
Fiat equivalent at the time: ~ $72 million USD
The hack was announced on August 2nd, 2016 and the details about the attack came out very slowly over the next few weeks. Unlike other high profile hacks where the loss of funds could be put down to negligence or hot wallet security blunders, these funds were stolen directly from their user’s multisig accounts.
Acknowledging that the funds were stolen despite all the security measures they had in place, the Bitfinex operators offered their affected users a novel solution. They issued affected users with Bitfinex tokens (BFX) in a buyback scheme. They did this by generalizing the losses overall trading accounts, similar to what would otherwise be commonly known as a bank bail-in. On the first of September just weeks following the hack, they purchased back just over 1% of the tokens they issued. After another 6 installments over the following months to March the following year they had bought 5% of the tokens back, and then a month later, in a final installment they purchased the 95% of tokens still in circulation.
In the meantime, the exchange has been working closely with law enforcement agencies to recover the stolen funds. Various attempts had been made to move some of the stolen funds, but they are proving difficult to convert or move at any scale. US law enforcement has managed to recover a small percentage of the initial stolen funds (less than 1%). Unlike other exchanges that closed down, Bitfinex continues to operate to this day.
5. NiceHash Hack
Date: Dec 2017
Crypto amount stolen: 4,700 Bitcoin (BTC )
Fiat equivalent at the time: ~ $64 million USD
It’s not just cryptocurrency exchanges that are vulnerable to hackers. This time, hackers got their hands on 4,700 Bitcoin from the Slovenian based cryptocurrency mining firm. NiceHash operates a marketplace where independent miners can rent out their hash power to users that don’t have mining machines. As with most cryptocurrency related companies, a combination of hot and cold wallets are used to store funds on behalf of the beneficiaries. In this case, the funds are cryptocurrency mining rewards that are to be distributed to the pool members.
Suspicions first arose when some users reported their accounts balances being emptied. It didn’t help that NiceHash had put out tweets that their services were ‘under maintenance’ as they were investigating the circumstances of the hack. Some affected users initially feared that the NiceHash operators had made off with the funds in an exit scam as Marko Kobal resigned as the CEO of NiceHash later in December. Speculation was also flamed when it became known that NiceHash founder had previously served four years imprisonment in 2010 for releasing malware that was designed to swiped credit card details. The malware was called Mariposa and at its height, it had infected over 1 million computers to form a botnet.
Nonetheless, NiceHash continued operations after the CEOs resignation. It also set up a reimbursement program to reimburse its affected users. To date, they have managed to reimburse over 75% of lost funds back to their users.
6. Zaif Hack
Date: Sep 2018
Crypto amounts stolen: 2723.4 Bitcoin (BTC), 40,360.0 Bitcoin Cash (BCH), 5,911,859.3 Monacoin (MONA)
Fiat equivalent at the time: ~ $62 Million USD
Zaif, another Japanese exchange fell victim to a hack. The low-fee exchange had 3 hot wallets affected containing three different cryptocurrencies, Bitcoin, Bitcoin Cash, and Monacoin. The hackers had managed to swipe funds from the hot wallets on September 14th. The exchange became aware of the missing funds three days later on the 17th.
Zaif’s parent company Tech Bureau confirmed the hack and reported it to the Japanese authorities on the 18th. They also announced that they would use company funds to compensate customers that lost funds. Independent researchers are watching the addresses of the hacked funds and tracking any movements. Some coins have been sent to mixing and gambling services in an attempt to mix the coins with other transactions to cover their trails as this obscures the amounts that have been sent. Some have also been sent to cryptocurrency exchanges. The hackers remain at large.
7. The DAO Hack
Date: June 2016
Crypto amount stolen: 3,6 Ether (ETC)
Fiat equivalent at the time: ~ $55 Million USD
‘The DAO’, which stands for Decentralized Autonomous Organization, was the first such DAO to be deployed on the Ethereum blockchain. The idea of the DAO was for it to be funded in a decentralized manner, and for the organization to be run by smart contracts autonomously.
The DAO was widely hyped in the cryptocurrency industry. It promised a world where autonomous organizations could be set up using code to replace managers in traditional organizations with a set of protocols. Investors could place funds into the smart contracts and expect returns and DAO token ownership. The DAO fundraising period ran for 28 days and some 11,000 investors participated and raised a record-breaking $150 million USD crowdfund, far exceeding the developer’s expectations.
The DAO fund was to be used to fund project proposals which would be decided on in a decentralized way by the DAO investors. Dozens of such proposals were already in the pipeline, including the main proposal by the company called slock.it who were going to use the funds to set up an AirBNB rival of sorts. Apartments, cars, and boats would have automated locks connected to the blockchain and the owners would be able to hire their property out via smart contracts and apps. The slock.it team were to provide the lock technology and support the development of the platform.
Unfortunately, smart contracts are scripts of computer code. As such, any vulnerabilities in the scripts can be exploited. One of the DAOs developers discovered a ‘recursive bug’ in the code. He alerted the developer community, but it was too late. A hacker managed to exploit the vulnerability and start draining funds from The DAO smart contract into another smart contract they had set up, autonomously. The hacker’s contract was known as the ‘child DAO’. Seeing as the network was run autonomously and the fund movements were executed by smart code contracts, the network participants were powerless to stop the hack as they watched the funds being moved in real time.
It should be noted that although the DAO was hacked, the underlying Ethereum blockchain continued to operate as designed and was not in any way affected by the bug or the hack. Even so, most of the Ethereum community decided to effectively rollback and adjust the Ethereum blockchain to fix the bug and render the hackers funds unspendable. This also meant that all investors in the DAO would be able to claim their Ether back out of the smart contract. Further, this meant that the DAO was also annulled and voided.
Apart from the immediate tradeoffs that this solution posed, the wider implications were also long lasting and impactful. It turns out that not all Ethereum network participants agreed on the proposal to roll back the blockchain, instead, they continued to advocate for blockchain immutability – a key leading feature of any blockchain. This resistance would not allow for such a rollback and its proponents believed that they should honor the hackers exploit.
As a result, the Ethereum blockchain forked into two distinct and separate blockchains. The ‘no rollback’ proponents, which included miners, constituted of a minority fork that became known as Ethereum Classic (ETC). The majority fork which had the support from the most miners and network nodes continued being referred to as Ethereum (ETH). As promised, DAO investors were able to retrieve their funds from the smart contract. Furthermore, anyone who held Ethereum at the time ended up having Ethereum of both kinds on both sides of the fork. You can read more about the DAO hack and Ethereum fork here.
8. Upbit Hack
Date: November 2019
Crypto amount stolen: 342,000 Ethereum
Fiat equivalent at the time: ~ $50.7 Million USD
A hacker managed to transfer over $50 million USD worth of Ethereum to an unknown address from Upbit’s hot-wallet. On the 27th of November 2019, Upbit, who tout themselves as “The Most Trusted Crypto-Asset Exchange” on their website, published a statement to calm down the rumors that had already started spreading on social media about large unusual movements of various cryptocurrencies that were related to the exchange’s hot and cold wallets. Joseph Young, a cryptocurrency researcher that is active on Twitter posted that the timing of the attack coincided with the movement of other large amounts from the company’s wallets suggesting the likelihood that the attacker had inside knowledge of the timing of the movements of the funds.
Upbit suspended deposits and withdrawals of all crypto assets upon discovering that their Ethereum trading wallet had been hacked to the tune of 342,000 ETH being sent to an unknown anonymous address. Upbit revealed that they also transferred all other crypto assets to cold wallets as a precautionary measure, hence justifying all the speculation and hubris on social media. They went on to publish the address of the unknown hacker and ask for the cooperation of other exchanges in blacklisting any movements that originate from that address. The exchange has assured users that their funds are safe and that the exchange will use its own funds to fill the void and make all users whole.
South Korea is host to one of the most vibrant and well established cryptocurrency trading hubs, and according to the Coinhill website, trading volumes are only third to the US and Japan, and where the Korean Won is the third most traded national fiat currency for Bitcoin. UPbit is the country’s most popular exchange with over 50% of the country’s market share. Upbit has benefited from being integrated with South Korea’s most popular Messaging app, Kakao Talk, which is owned by their parent company, Kakao Corporation. Due to their partnership with global cryptocurrency exchange Bittrex, Upbit are able to offer the local market over 200 trading pairs.
In a sign that markets are maturing and that exchanges are able to account for losses and make their customers whole, the Ethereum price hardly budged and actually appreciated by 1.5% in the 24hrs following the attack, indicating that traders are growing increasingly comfortable with the idea of keeping their funds on exchanges. Had this not been one of South Korea’s largest exchanges, it is hard to imagine that a smaller competitor could have taken such a hit and remained solvent.
9. Binance Hack
Date: May 2019
Crypto amount stolen: 7,000 Bitcoin
Fiat equivalent at the time: ~ $40 Million USD
No exchange seems immune to being hacked. Binance reported that sophisticated fishing methods were used by hackers who managed to swipe 7,000 Bitcoin from the exchange’s Bitcoin hot-wallet. Although the funds were taken from user accounts, their balances were unaffected as Binance used an emergency fund they had set up for just this kind of scenario. Although no users lost money, trading was suspended for a week to give the operators time to conduct a thorough security review. The CEO Zhao Changpeng was as transparent as possible during the investigations, even putting out a blog post to users at the time to keep them updated and offering himself for an “Ask Me Anything” session on twitter.
It seems that exchanges are acknowledging that they will always be prone to hacks, and they are taking a more proactive approach by setting up funds, like Binance’s #SAFU (Secure Asset Fund for Users) fund in anticipation of future attacks. As the industry matures it seems certain that such measures will continue to be put in place to keep allay users fears and to keep the regulators off their backs.