From Mt. Gox’s slow-bleed catastrophe to Bybit’s $1.4 billion single-day heist, a forensic look at the exchange hacks that shook the crypto industry, the security failures that made them possible, and the risk management lessons every firm should take away.
The Staggering Cost of Getting Security Wrong
In 2025 alone, hackers stole approximately $2.7 billion in cryptocurrency, according to TechCrunch’s year-end analysis. That figure set a new annual record, surpassing the $2.2 billion stolen in 2024, which itself exceeded the $2 billion lost in 2023. The trajectory is clear: crypto hacking is not slowing down. It is accelerating, professionalising, and becoming increasingly state-sponsored.
But the raw dollar figures, as alarming as they are, obscure the more important story. Each major hack reveals a specific, identifiable failure in risk management, security architecture, governance, or operational controls. These are not random acts of genius by mysterious hackers. They are predictable consequences of known vulnerabilities that went unaddressed.
This article breaks down the biggest crypto exchange hacks in history, dissects exactly what went wrong in each case, and extracts the operational risk management lessons that every crypto firm, investor, and regulator should internalise. If you work in risk, compliance, or security at a crypto firm, this is required reading.
The Biggest Crypto Exchange Hacks: A Timeline
Before we dive into the details, here is the scale of what we are talking about:
| Year | Exchange | Amount Stolen | Primary Cause | Outcome |
|---|---|---|---|---|
| 2011–2014 | Mt. Gox | 850,000 BTC (~$460M) | Hot wallet compromise, no version control | Bankruptcy; 10+ years of creditor proceedings |
| 2016 | Bitfinex | 120,000 BTC (~$72M) | Multisig implementation flaw | BFX token reimbursement; recovered 2022 |
| 2018 | Coincheck | 523M NEM (~$534M) | Hot wallet, single-sig, phishing | Acquired by Monex Group; users reimbursed |
| 2020 | KuCoin | $280M (multiple tokens) | Private key compromise | $204M recovered; rapid response model |
| 2022 | Ronin Network | 173,600 ETH + 25.5M USDC (~$625M) | Validator node compromise (Lazarus) | Sky Mavis secured $150M from Binance |
| 2022 | FTX | $477M (during collapse) | SIM-swap attack; internal chaos | SBF sentenced to 25 years; ongoing recovery |
| 2024 | DMM Bitcoin | 4,502 BTC (~$308M) | Private key compromise (Lazarus) | Exchange shut down Dec 2024; transferred to SBI |
| 2024 | WazirX | $235M | Multisig wallet exploit | Mutual blame between exchange and custodian |
| 2025 | Bybit | 401,000 ETH (~$1.4B) | Supply chain attack on Safe{Wallet} UI | Largest hack in history; user balances honoured |
| 2025 | Coinbase | $180–400M (data breach) | Insider bribery; social engineering | $20M bounty offered; class action lawsuit filed |
Source data compiled from Crystal Intelligence, Chainalysis 2025 report, The Block’s 2025 roundup, and CCN’s exploit tracker.
The Hacks: What Happened and What Went Wrong
1. Mt. Gox (2011–2014): The Hack That Nearly Killed Bitcoin
At its peak, Mt. Gox handled over 70% of global Bitcoin transactions. Between 2011 and 2014, hackers systematically drained approximately 850,000 BTC from the exchange’s hot wallets. The breach was not a single dramatic event. It was a slow, years-long bleed that went undetected because the exchange lacked the most basic software development and operational risk management practices.
What went wrong:
- No version control software. CEO Mark Karpelès was the only person who could approve code changes. There was no test environment until shortly before the collapse.
- Hot wallet over-exposure. The compromised wallet was a hot wallet managed directly by the exchange, with funds regularly transferred to unknown addresses undetected for years.
- No real-time accounting. The exchange had no internal system to reconcile wallet balances against customer obligations. Withdrawals continued while the exchange was insolvent.
- No incident detection. As WizSec’s 2015 investigation revealed, the majority of the bitcoins had been slowly withdrawn since 2011 rather than stolen in a single event.
Mt. Gox filed for bankruptcy in February 2014. Creditor repayments, which began over a decade later, remain one of the longest restitution processes in financial history. The Gemini Cryptopedia analysis provides an authoritative account of the full timeline.
2. Bitfinex (2016): When Multisig Was Not Enough
In August 2016, hackers drained 120,000 BTC (worth $72 million at the time) from Bitfinex by exploiting vulnerabilities in the exchange’s multisig wallet implementation with partner BitGo.
What went wrong:
- Flawed multisig configuration. Bitfinex held two of three signing keys, with BitGo holding the third. The implementation allowed hackers to compromise enough keys to authorise withdrawals.
- No withdrawal anomaly detection. There were no automated controls to flag or halt abnormally large fund transfers.
- Shared responsibility, no accountability. Neither Bitfinex nor BitGo took responsibility. Neither issued a definitive post-mortem.
Bitfinex recovered relatively well, issuing BFX tokens to spread losses across its customer base (each customer lost about 36%) and eventually redeeming them. In February 2022, US authorities seized $3.6 billion of the stolen Bitcoin, the largest financial seizure in DOJ history at the time.
3. Coincheck (2018): $534 Million in NEM Stored in a Hot Wallet
On January 26, 2018, hackers stole 523 million NEM tokens (worth approximately $534 million) from Coincheck, a Tokyo-based exchange. At the time, this was the largest digital currency theft in history.
What went wrong:
- Hot wallet storage of massive holdings. Coincheck stored the majority of its NEM tokens in a hot wallet connected to the internet, rather than in cold storage.
- Single-signature authorisation. The compromised wallet used single-signature authorisation instead of multisig, creating a single point of failure.
- Phishing as the entry vector. Attackers used phishing to infiltrate the hot wallet and install malware for fund transfer.
Coincheck was subsequently acquired by Japanese brokerage Monex Group and reimbursed affected users at $0.83 per NEM token. The hack triggered Japan’s Financial Services Agency to tighten exchange regulation significantly. For context on how business continuity planning for cryptocurrency firms should address this scenario, see our detailed guide.
4. KuCoin (2020): The Recovery Success Story
In September 2020, hackers compromised KuCoin’s private keys and drained approximately $280 million across multiple tokens from the Singapore-based exchange’s hot wallets.
What went wrong:
- Private key compromise. Hackers obtained keys to several hot wallets, enabling direct asset withdrawal.
- Insufficient key rotation. Key management protocols did not include regular rotation or compartmentalisation.
What went right:
- Rapid response. KuCoin immediately blocked all transactions, launched a forensic investigation, and coordinated with other exchanges and blockchain projects to freeze stolen assets.
- Recovery at scale. Over $204 million was recovered within weeks through cross-exchange cooperation and token contract updates that rendered stolen tokens unusable.
KuCoin’s response became the industry benchmark for incident management. The Lazarus Group was identified as a suspect. This case illustrates why a tested BCP risk assessment and incident response plan is not optional.
5. Ronin Network (2022): $625 Million Through Compromised Validators
On March 23, 2022, attackers stole approximately 173,600 ETH and 25.5 million USDC from the Ronin network, a blockchain bridge linked to the popular Axie Infinity game. The breach was not discovered until six days later.
What went wrong:
- Validator key compromise. Ronin used a 5-of-9 validator scheme. The attackers, later attributed to North Korea’s Lazarus Group, obtained control of five validator keys, meeting the threshold to authorise withdrawals.
- Validator centralisation. Sky Mavis (Axie Infinity’s developer) controlled four of the nine validators, creating a concentrated point of failure.
- Six-day detection delay. The hack went unnoticed for nearly a week because monitoring systems failed to flag the massive outflow.
This hack exposed the fragility of bridge protocols, which connect different blockchains. Binance provided $150 million to support recovery. For firms evaluating their own cross-chain dependencies, the risk management lifecycle must explicitly account for bridge and validator risks.
6. FTX (2022): Chaos, Collapse, and $477 Million Vanishes
On November 11, 2022, hours after FTX filed for bankruptcy amid revelations that founder Sam Bankman-Fried had embezzled billions in customer funds, an additional $477 million in crypto was drained from the exchange’s wallets.
What went wrong:
- SIM-swap attack during institutional collapse. According to Fortune’s investigation, US-based hackers used a fake ID at an AT&T store to hijack a female FTX executive’s phone account, intercepting wallet security codes.
- No operational controls during crisis. During bankruptcy proceedings, there was no functioning security team to detect or respond to the unauthorised transfers.
- Pre-existing governance failure. FTX lacked basic corporate controls. New CEO John Ray III described it as the worst corporate governance failure he had ever seen.
SBF received a 25-year prison sentence in March 2024 and was ordered to forfeit $11 billion. The Elliptic blockchain trail analysis tracked stolen funds through mixers, cross-chain bridges, and Russian-linked laundering networks.
7. DMM Bitcoin (2024): $308 Million and a Business Destroyed
In May 2024, Japan’s DMM Bitcoin exchange lost 4,502.9 BTC (worth approximately $308 million) in a hack attributed to North Korea’s Lazarus Group. The exchange initially secured funding to cover customer deposits, but could not sustain operations under ongoing withdrawal restrictions.
What went wrong:
- Private key mismanagement. The attack targeted infrastructure vulnerabilities that enabled unauthorised key access.
- Insufficient recovery capacity. Despite raising $320 million in emergency funding, the sustained operational disruption proved terminal.
DMM Bitcoin shut down in December 2024 and transferred all customer accounts to SBI VC Trade by March 2025. This is the clearest recent example of how a single hack can destroy an exchange entirely, underscoring the need for robust business continuity planning.
8. Bybit (2025): The $1.4 Billion Supply Chain Attack
On February 21, 2025, Bybit suffered the largest cryptocurrency theft in history. Approximately 401,000 ETH ($1.4 billion) was drained from its cold wallet in minutes. The attack, attributed to North Korea’s Lazarus Group, was a masterclass in supply chain compromise.
What went wrong:
- Third-party infrastructure compromise. Attackers did not breach Bybit’s own systems. They compromised a Safe{Wallet} developer’s machine through social engineering (a trojanised Docker project), then used stolen AWS credentials to inject malicious JavaScript into Safe’s S3 bucket.
- UI-level transaction manipulation. The malicious code displayed a legitimate-looking routine transfer to Bybit’s signers, while the actual transaction payload was a delegatecall that transferred control of the wallet to the attackers. As Fireblocks’ analysis confirmed, the UI deception was targeted specifically at Bybit’s wallet addresses.
- Blind signing on hardware wallets. Ledger hardware wallets used by Bybit’s signers could not parse and display the complex smart contract transaction details, forcing operators to approve transactions without seeing what they were actually signing. Cobo’s post-mortem calls this the fundamental flaw.
- No independent transaction verification layer. Bybit’s entire security stack relied on Safe{Wallet}’s solution. Once that UI was compromised, the multisig mechanism was effectively bypassed. There was no secondary validation system.
- No subresource integrity (SRI) checks. Safe{Wallet} did not implement SRI hashing to detect modified frontend code, and had no real-time alerting for unauthorised S3 edits.
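The "independent transaction verification layer" the post-mortems call for can be illustrated with a small policy check. The following is an added example, not Bybit's or Safe{Wallet}'s code: a component that shares no code with the wallet front end parses the EIP-712 `SafeTx` message the signer is actually being asked to sign (the payload handed to `eth_signTypedData_v4`), compares it with what the UI displayed, and refuses anything that is a delegatecall, targets an address outside a pre-approved list, or carries calldata it cannot decode. The addresses, payloads and allowlist are constructed for illustration; the `operation` encoding (0 = CALL, 1 = DELEGATECALL) and the ERC-20 `transfer` selector are the real Safe and ERC-20 values.

```python
"""Independent policy check on a Safe multisig transaction before it is signed.

Added example (not Bybit's or Safe{Wallet}'s code). A second component that
shares no code with the wallet UI parses the EIP-712 SafeTx payload the signer
is really asked to sign and compares it with what the UI claims. Addresses,
payloads and the allowlist below are constructed for illustration.
"""
import json

OP_CALL = 0                              # Safe `operation`: 0 = CALL, 1 = DELEGATECALL
ERC20_TRANSFER_SELECTOR = "0xa9059cbb"   # transfer(address,uint256)

# Hypothetical treasury policy: the only destinations routine transfers may target.
ALLOWED_DESTINATIONS = {
    "0x1111111111111111111111111111111111111111",  # constructed: hot wallet
    "0x2222222222222222222222222222222222222222",  # constructed: token contract
}


def decode_erc20_transfer(data: str):
    """Return (recipient, amount) if `data` is exactly an ERC-20 transfer call, else None."""
    if not data.startswith(ERC20_TRANSFER_SELECTOR) or len(data) != 2 + 8 + 128:
        return None
    args = data[10:]                     # two ABI words of 64 hex chars each
    return "0x" + args[24:64], int(args[64:128], 16)


def verify_safe_tx(typed_data_json: str, ui_summary: dict) -> list:
    """Return policy violations for a SafeTx proposal; an empty list means it may be signed.

    typed_data_json: the EIP-712 payload handed to eth_signTypedData_v4.
    ui_summary:      what the front end displayed (keys: to, value, recipient, amount).
    """
    msg = json.loads(typed_data_json)["message"]
    to, value = msg["to"].lower(), int(msg["value"])
    operation, data = int(msg["operation"]), msg.get("data", "0x")
    violations = []

    # Rule 1: a delegatecall runs foreign code in the Safe's own storage context;
    # no treasury transfer needs it, so it is never signable.
    if operation != OP_CALL:
        violations.append(f"operation={operation} is not CALL (delegatecall forbidden)")
    # Rule 2: destination must have been approved out of band.
    if to not in ALLOWED_DESTINATIONS:
        violations.append(f"destination {to} is not in the allowlist")
    # Rule 3: what the signer saw must equal what the signer is signing.
    if ui_summary["to"].lower() != to:
        violations.append(f"UI showed destination {ui_summary['to']} but payload targets {to}")
    if int(ui_summary.get("value", 0)) != value:
        violations.append(f"UI showed value {ui_summary.get('value', 0)} but payload value is {value}")
    # Rule 4: calldata must decode to a known call; anything else is blind signing.
    if data not in ("", "0x"):
        decoded = decode_erc20_transfer(data)
        if decoded is None:
            violations.append("calldata is not a recognised ERC-20 transfer; refusing to blind-sign")
        else:
            recipient, amount = decoded
            if recipient != ui_summary.get("recipient", "").lower():
                violations.append(f"calldata sends tokens to {recipient}, not the recipient shown")
            if amount != int(ui_summary.get("amount", 0)):
                violations.append(f"calldata amount {amount} differs from the amount shown")
    return violations


# Constructed sample 1: routine 1 ETH transfer from the Safe to the hot wallet.
ROUTINE_TX = json.dumps({"primaryType": "SafeTx", "message": {
    "to": "0x1111111111111111111111111111111111111111",
    "value": str(10**18), "data": "0x", "operation": 0, "nonce": 42}})
ROUTINE_UI = {"to": "0x1111111111111111111111111111111111111111", "value": str(10**18)}

# Constructed sample 2: the UI still shows the routine transfer, but the payload the
# signer is asked to sign is a delegatecall to an unknown contract (the shape of the
# Bybit compromise described above; the address and calldata are made up).
TAMPERED_TX = json.dumps({"primaryType": "SafeTx", "message": {
    "to": "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
    "value": "0", "data": "0xa0b1c2d3", "operation": 1, "nonce": 42}})

if __name__ == "__main__":
    print("routine :", verify_safe_tx(ROUTINE_TX, ROUTINE_UI) or "clean")
    for v in verify_safe_tx(TAMPERED_TX, ROUTINE_UI):
        print("tampered:", v)
```

The point of the design is that the check never trusts the UI's summary: it takes the raw typed-data message from the signing request and derives its own view, so a compromised front end can change what it displays but cannot change what this layer sees. The delegatecall rule alone would have stopped the tampered proposal, and the allowlist and UI-mismatch rules catch it independently, which is the redundancy a signer with a blind-signing hardware wallet otherwise lacks.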
Bybit honoured all customer balances and began rebuilding its wallet infrastructure. Within 48 hours, at least $160 million had been laundered through mixers and cross-chain bridges. The CSIS policy analysis and Chainalysis’s detailed forensic breakdown both provide essential reading on the attack’s implications. The TRM Labs investigation estimates North Korea’s total crypto theft at over $5 billion since 2017.
9. Coinbase (2025): The $400 Million Insider Threat
In May 2025, Coinbase disclosed that criminals had bribed overseas customer support contractors to steal sensitive personal data from 69,461 customers. The breach did not directly compromise crypto wallets or private keys, but it enabled downstream social engineering scams where attackers impersonated Coinbase staff and convinced customers to transfer funds.
What went wrong:
- Insider threat via outsourced contractors. Attackers bribed third-party support agents based in India to access internal systems and extract customer names, addresses, SSNs, bank details, and transaction histories.
- Slow detection. According to the Maine AG filing, the breach began in December 2024 but was not detected until May 2025.
- Insufficient insider monitoring. Despite handling the majority of $122 billion in spot-Bitcoin ETF tokens, Coinbase’s internal behavioural monitoring did not flag the data exfiltration pattern.
Coinbase refused the attackers’ $20 million ransom demand and instead offered a $20 million reward for information leading to arrests. Estimated remediation costs: $180–400 million. The Fortune investigation revealed the attackers were teenage members of “The Comm,” a loose hacking collective coordinating via Telegram and Discord.
Five Patterns That Connect Every Major Hack
Looking across all these incidents, five failure patterns emerge repeatedly:
Pattern 1: Private key concentration remains the single largest vulnerability. From Mt. Gox’s unmonitored hot wallet to DMM Bitcoin’s infrastructure compromise, private key exposure caused more dollar losses than any other attack vector. Chainalysis’s 2024 data confirms that private key compromises accounted for 43.8% of all stolen crypto in 2024.
Pattern 2: Third-party and supply chain risks are the new frontier. The Bybit hack was not a direct attack on the exchange. It was a supply chain compromise of Safe{Wallet}’s development infrastructure. Similarly, Coinbase was breached through outsourced support contractors. Your security is only as strong as your weakest vendor. A rigorous risk management policy must extend to every third party with access to your systems or data.
Pattern 3: North Korea’s Lazarus Group is the dominant threat actor. Lazarus has been linked to at least five of the ten largest exchange hacks (Ronin, DMM Bitcoin, WazirX, Bybit, and multiple smaller incidents). TRM Labs estimates the group has stolen over $5 billion in crypto since 2017, with the Bybit hack alone exceeding all of North Korea’s 2024 crypto theft combined.
Pattern 4: Detection delays compound losses exponentially. Mt. Gox was drained over three years without detection. Ronin took six days to notice $625 million was gone. Coinbase’s insider breach ran for five months. Continuous monitoring, real-time reconciliation, and anomaly detection are not optional. For KRI design guidance, see our best key risk indicators guide.
Pattern 5: Post-hack response separates survivors from casualties. KuCoin’s rapid cross-industry response recovered $204 million. Bitfinex’s BFX token model kept the exchange alive. Meanwhile, Mt. Gox and DMM Bitcoin failed to recover and shut down. Your business continuity plan and incident response playbook determine whether a hack is a crisis or a death sentence.
Risk Management Lessons for Every Crypto Firm
Based on the forensic evidence from every hack above, here are the controls that would have prevented or significantly mitigated each incident:
| Control Area | Minimum Standard | Best Practice (post-Bybit) |
|---|---|---|
| Key management | Cold storage for >95% of assets; multi-signature with no single entity holding quorum | MPC wallets with geographically distributed key shares; HSM-backed storage; automated key rotation |
| Transaction verification | Human review of all large transactions | Independent transaction validation layer; clear signing (not blind signing) on hardware wallets; AI-based anomaly detection |
| Supply chain security | Vendor risk assessments; contract security requirements | Subresource Integrity (SRI) checks; code-signing verification; independent frontend UIs for critical operations |
| Insider threat | Background checks; access controls; segregation of duties | Behavioural analytics on privileged users; zero-trust architecture; in-house critical support functions |
| Monitoring and detection | Daily wallet reconciliation; transaction logging | Real-time on-chain monitoring; automated alerts on threshold breaches; <1 hour detection SLA |
| Incident response | Documented IR plan with defined roles | Pre-tested playbooks; cross-exchange cooperation agreements; token freezing capabilities; recovery bounty frameworks |
| Business continuity | BCP with defined RTOs for wallet access and transaction processing | Tested failover infrastructure; pre-funded insurance coverage; customer communication templates; regulatory notification procedures |
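The Subresource Integrity (SRI) control listed under supply chain security, and named in the Bybit section as the missing check on Safe{Wallet}'s front end, has two halves worth seeing side by side. The following is an added example, not Safe{Wallet}'s or Bybit's code: it computes the `integrity="sha384-..."` token a page embeds so the browser refuses a script whose bytes no longer match, and it builds a release manifest that a monitor can compare, out of band, against whatever a bucket or CDN is actually serving. The file names and contents are constructed.

```python
"""Subresource Integrity (SRI) token generation and out-of-band release verification.

Added example, not Safe{Wallet}'s or Bybit's code. File names and contents
are constructed for illustration.
"""
import base64
import hashlib


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI token for `content`, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag that pins `src` to the released content's hash."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


def build_manifest(release: dict) -> dict:
    """Map each released file path to its SRI token (run at release time, stored out of band)."""
    return {path: sri_hash(data) for path, data in release.items()}


def verify_served(manifest: dict, served: dict) -> list:
    """Compare what is being served with the manifest; return findings (empty = clean)."""
    findings = []
    for path, expected in manifest.items():
        if path not in served:
            findings.append(f"missing: {path}")
        elif sri_hash(served[path]) != expected:
            findings.append(f"modified: {path}")
    findings += [f"unexpected: {path}" for path in served if path not in manifest]
    return findings


# Constructed release artefacts.
RELEASE = {
    "app.js": b"export function render(tx) { return tx; }\n",
    "vendor.js": b"export const VERSION = '1.0.0';\n",
}
# Constructed snapshot of the bucket after an unauthorised edit: app.js changed in place.
SERVED_AFTER_EDIT = dict(RELEASE, **{
    "app.js": RELEASE["app.js"] + b"// appended by an edit the release never contained\n"})

if __name__ == "__main__":
    print(script_tag("https://cdn.example/app.js", RELEASE["app.js"]))
    print(verify_served(build_manifest(RELEASE), RELEASE) or "clean")
    print(verify_served(build_manifest(RELEASE), SERVED_AFTER_EDIT))
```

One caveat a practitioner should keep in mind: the browser-side `integrity` attribute only protects a script referenced from HTML the attacker could not also edit. If the HTML is served from the same compromised bucket, the attacker rewrites the attribute along with the script, which is why the manifest comparison in `verify_served` has to run from a separate system against a hash list recorded at release time, paired with the alerting on unauthorised bucket edits noted in the Bybit section.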
For a structured approach to implementing these controls, our essential risk management process flow chart provides the step-by-step framework. For firms building cyber risk into their enterprise risk programme, the enterprise risk management cyber security guide covers the integration methodology.
The Regulatory Response Is Hardening
Regulators worldwide are responding to these escalating losses. The FDIC, OCC, and Federal Reserve’s July 2025 joint statement on crypto-asset safekeeping explicitly requires governance expertise, contingency planning, and incident response protocols at every enterprise level. The EU’s MiCA regulation mandates sound administrative procedures, internal control mechanisms, and continuity arrangements for all licensed crypto firms.
The CSIS policy analysis of the Bybit hack notes that the incident coincided with the Trump administration making cryptocurrency a bellwether of its technology policy portfolio, creating a regulatory paradox: the desire to promote crypto innovation collides with the reality that state-sponsored actors are exploiting weak security to fund weapons programmes.
For compliance teams, the message is unambiguous: demonstrating robust risk management processes and operational risk controls is no longer optional. It is a regulatory expectation that will increasingly determine licensing decisions.
What Should You Do Now?
If you manage, invest in, or regulate a crypto exchange or custodian, here are your immediate priorities:
- Audit your key management architecture. If any single person or entity can authorise material fund movements, you have a ticking time bomb. Implement multi-sig or MPC with no single-point-of-failure quorum configurations.
- Map your third-party dependencies. The Bybit hack proved that your security is your vendor’s security. Conduct penetration testing and code integrity checks on every piece of third-party infrastructure that touches your wallet operations.
- Implement continuous on-chain monitoring. Six-day detection windows (Ronin) and five-month insider breaches (Coinbase) are unacceptable. Deploy real-time monitoring with automated alerts and sub-hour response targets.
- Test your incident response plan. KuCoin recovered $204 million because it acted fast. Mt. Gox and DMM Bitcoin died because they could not. Run tabletop exercises quarterly and live drills semi-annually. See our BCP risk assessment guide for the framework.
- Address insider threat proactively. The Coinbase breach was not a technical exploit. It was a human failure. Background checks, behavioural analytics, access reviews, and in-sourcing critical functions are table stakes.
- Build your risk register. Document every risk identified here, with controls, owners, and review dates. Our key elements of a risk register guide provides the template.
The crypto industry has now experienced over $10 billion in exchange-level hacks. Each one was preventable with controls that were well-understood at the time. The question is not whether the next hack will happen. It is whether your firm will be prepared when it does.
For further reading, explore our guides on business continuity planning for small cryptocurrency firms, crypto trading risk management strategies, and the key risk indicators for financial institutions.
Internal Links: Risk Publishing Guides
- Business Continuity Plan for Cryptocurrency
- Business Continuity Plan for Small Cryptocurrency Firms
- Operational Risk Management Process
- What Is Operational Risk Management?
- BCP Risk Assessment
- A Guide to Business Continuity Planning
- Key Components of a Risk Management Policy
- Key Elements of a Risk Register
- Best Key Risk Indicators
- Key Risk Indicators Examples for Banks
- Risk Management Lifecycle
- Enterprise Risk Management Cyber Security
- Essential Risk Management Process Flow Chart
- What Is Risk Management Process?
- Operational Risks Examples
- Best Crypto Trading Strategy Using Risk Management
External Sources and Further Reading
- Crystal Intelligence: The 10 Biggest Crypto Hacks in History
- Chainalysis: $2.2 Billion Stolen in Crypto in 2024
- Chainalysis: Bybit Exchange Hack Forensic Analysis
- TechCrunch: Hackers Stole Over $2.7B in Crypto in 2025
- The Block: 10 Biggest Crypto Hacks of 2025
- CCN: Crypto Hacks 2025 Full List
- Protos: 2025’s Biggest Crypto Hacks
- CSIS: The Bybit Heist and US Crypto Regulation
- TRM Labs: The Bybit Hack – North Korea’s Largest Exploit
- NCC Group: Bybit Hack In-Depth Technical Analysis
- Fireblocks: Bybit Attack Security Analysis
- Cobo: The Bybit Breach – Why Multi-Sig Alone Isn’t Enough
- Gemini Cryptopedia: Mt. Gox Hack Analysis
- Trakx: The Mt. Gox Hack Story Explained
- Nasdaq: Biggest Cryptocurrency Hacks in History
- Elliptic: The $477 Million FTX Hack Blockchain Trail
- Fortune: FTX Hack Carried Out by SIM-Swap Gang
- Fortune: Inside the $400M Coinbase Breach
- Cointelegraph: Coinbase Data Breach 2025 Explained
- CoinDesk: Bybit and Safe Custody Blame Dispute

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
