Has a Cryptocurrency Exchange Ever Been Hacked?

Cryptocurrency exchanges have been hacked repeatedly since the industry’s early days, sometimes with record-shattering losses. Across 2014–2025, incidents have ranged from early collapses like Mt. Gox (hundreds of thousands of BTC lost) to modern, state-sponsored heists—most notably the $1.5 billion Bybit theft in February 2025, which is the largest single crypto hack on record. (Reuters, Internet Crime Complaint Center, Chainalysis)

Below you’ll find a clear, practical walkthrough: what counts as an “exchange hack,” how some of the biggest ones unfolded, why they keep happening, how exchanges respond, and what you can do to protect yourself.


What exactly is an “exchange hack”?

“Exchange hack” typically refers to the compromise of a centralized trading platform’s custodial wallets or critical keys (often “hot” wallets connected to the internet). It’s different from exploits of DeFi protocols or cross-chain bridges (smart-contract bugs), though attackers and laundering patterns can overlap. In centralized incidents, attackers usually steal private keys, abuse insider access or social engineering, or compromise a third-party vendor integrated into the exchange’s wallet stack. The 2024 DMM Bitcoin theft, for example, was publicly attributed by law enforcement to a North Korea-linked operation (“TraderTraitor”), illustrating the blend of social engineering and key compromise seen in modern CEX attacks. (Federal Bureau of Investigation)


A quick timeline of notable centralized exchange hacks

Amounts reflect values near the time of the incident unless noted.

  • Mt. Gox (2014) – The most infamous early exchange collapse: about 850,000 BTC were declared missing as the company filed for bankruptcy, with later partial recovery of coins. Contemporary journalism and later analyses detail years-long thefts and operational failures. (WIRED, TIME)
  • Bitfinex (2016) – 119,755 BTC stolen. Years later, U.S. authorities arrested two individuals, recovered a massive portion of the funds, and secured guilty pleas; Bitfinex ultimately redeemed BFX tokens issued to impacted users. (support.bitfinex.com, AP News)
  • Coincheck (2018) – Roughly $530 million in NEM (XEM) drained from a hot wallet; regulators in Japan responded with broader security inspections. (Reuters)
  • KuCoin (2020) – More than $275 million stolen; a significant portion was later recovered or frozen with help from projects and partners. (Chainalysis, KuCoin)
  • Poloniex (Nov 2023) – About $120–130 million siphoned from hot wallets after a private-key compromise. (certik.com)
  • CoinEx (Sep 2023) – $70 million+ lost due to compromised private keys; investigators pointed to North Korean actors. (Cointelegraph)
  • DMM Bitcoin (May 2024) – Around 4,502.9 BTC (~$305–308 million) stolen; the FBI publicly attributed the theft to DPRK-linked TraderTraitor actors in December 2024. (Reuters, Federal Bureau of Investigation)
  • WazirX (Jul 2024) – Around $235 million drained; multiple blockchain intelligence firms analyzed the flows and patterns. (Chainalysis, Elliptic)
  • BtcTurk (2024 and 2025) – Turkish exchange reported hot-wallet compromises; recent reports in August 2025 estimate losses in the tens of millions as investigations continue. (Cointelegraph)
  • Bybit (Feb 2025) – ~$1.5 billion in ETH stolen during a wallet transfer—the largest single crypto heist ever; the FBI attributed the attack to DPRK shortly thereafter. (Reuters)

Takeaway: exchange hacks aren’t theoretical. They’re recurring—and getting bigger when sophisticated actors target centralized services. Chainalysis’ 2024 and 2025 industry snapshots document the outsized impact of a handful of very large CEX incidents. (Chainalysis)


Why do exchange hacks keep happening?

1) Hot-wallet key compromise

Centralized platforms must keep some funds in online “hot” or “warm” wallets to process withdrawals quickly. If attackers obtain or bypass the signing keys, they can drain funds rapidly—seen in CoinEx 2023, Poloniex 2023, DMM Bitcoin 2024, WazirX 2024, and Bybit 2025. (Cointelegraph, certik.com, Federal Bureau of Investigation, Elliptic, Reuters)

2) Social engineering & supply-chain attacks

Modern heists increasingly begin with phishing, fake job offers, and malicious documents that compromise employees or wallet vendors. The DMM Bitcoin case is a textbook example of social engineering culminating in key abuse. (Federal Bureau of Investigation)

3) Insider risk

Employees or contractors with privileged access (or who can be manipulated) remain a perennial risk in any custodial operation. Independent reporting and law-enforcement advisories highlight the role of insiders and social engineering in several high-profile cases. (Internet Crime Complaint Center)

4) Concentration of assets

CEXs pool large balances to serve many users, making them lucrative targets. Industry data show attackers periodically “return to CEXs” after periods focused on DeFi. (Reuters)


How exchanges respond (and what that means for you)

  1. Freeze, investigate, and trace
    Exchanges typically pause withdrawals, rotate keys, and work with blockchain-analytics firms and law enforcement. In some cases (KuCoin 2020), projects coordinated token swaps or freezes to blunt the damage; exchanges may later resume full services as recovery efforts mature. (KuCoin)
  2. Covering user balances
    Some platforms commit to making customers whole via operating capital, insurance-like funds, or special programs. Bitfinex (2016) issued BFX tokens redeemable for value or equity and later completed redemptions. Binance’s SAFU is a well-publicized emergency fund intended for extreme events (not a blanket insurance policy for the industry). (support.bitfinex.com, Binance)
  3. Attribution and legal follow-through
    Major heists often see attributions to state-linked groups (notably DPRK “TraderTraitor/Lazarus”). Public attributions help exchanges and investigators enlist global compliance teams to monitor and block tainted funds. (Internet Crime Complaint Center)

Are funds on exchanges “safe”?

No exchange can promise zero risk. That said, security maturity varies widely. Look for:

  • Wallet architecture: Use of multi-party computation (MPC), hardware security modules (HSMs), strict key-sharding and rotation, and minimized hot-wallet exposure.
  • Operational discipline: Least-privilege access, segregated duties, enforced code review and change control, strong endpoint security, and red-team testing.
  • Incident history and transparency: How a venue handled past incidents (communication, restitution) tells you a lot.
  • Independent assurance: SOC 2/ISO 27001 attestations are not silver bullets, but they indicate process maturity.
  • Reserves & solvency: Proof-of-Reserves (preferably paired with liabilities) improves transparency but is not the same as a full solvency audit and has well-documented limitations. (arXiv)
  • Insurance or reserve funds: Some exchanges maintain internal emergency funds (e.g., SAFU) with published assets and policies; treat these as a backstop, not a guarantee. (Binance)

Practical steps to protect yourself

Even if you prefer the convenience of a CEX, you can greatly reduce risk:

  1. Use self-custody for long-term holdings.
    Keep trading balances on an exchange modest. Store the majority in your own wallet (e.g., hardware wallet) with secure backups and strong passphrases.
  2. Enable strong account security.
    Use app-based or hardware 2FA (avoid SMS), set withdrawal address whitelists, and enable login and withdrawal alerts.
  3. Segment your activity.
    Trade on one venue, hold on another (self-custody), and keep separate emails/keys for critical accounts to reduce blast radius.
  4. Vet the exchange.
    Check for transparent wallet architecture disclosures, incident reports, and clear user-restitution policies. Assess whether the platform publishes meaningful reserves information (and whether it addresses liabilities, not just assets). (arXiv)
  5. Have a “panic plan.”
    Know ahead of time how to export API keys, revoke them, and migrate funds if your venue reports an incident.

Deep dives: how several major hacks unfolded

Mt. Gox (2014): The early cautionary tale

Mt. Gox at its peak processed most of Bitcoin’s trading volume. Years of operational weaknesses culminated in the discovery that hundreds of thousands of BTC were missing; the company shut down and entered bankruptcy. The case became a landmark lesson in custody risk and operational discipline. (WIRED, TIME)

What it taught the industry: custody must be engineered like a bank vault—not like a web startup. Separation of duties, auditable controls, and verifiable reserves are non-negotiable.


Bitfinex (2016): A massive BTC theft with unusual remediation

Attackers obtained the ability to authorize withdrawals despite Bitfinex’s use of multisig with a third-party provider. The exchange socialized losses across users via BFX tokens, later redeeming them fully or swapping to equity—rare restitution success in an otherwise grim genre. U.S. authorities subsequently recovered billions’ worth of the stolen BTC and secured convictions. (support.bitfinex.com, AP News)

Lesson: even “advanced” custody (e.g., multisig) can be undermined by operational integration flaws—so architecture and implementation both matter.


Coincheck (2018): Hot-wallet risk in sharp relief

Keeping large balances in a hot wallet made Coincheck a soft target. The $530 million XEM theft galvanized Japanese regulators to intensify inspections across licensed exchanges, sharply raising the local security bar. (Reuters)

Lesson: minimize hot-wallet exposure; continuously reassess what “needs” to be online.


KuCoin (2020): Recovery playbook and industry coordination

Despite an initial $275 million+ loss, project teams, exchanges, and analytics firms coordinated freezes and token swaps that clawed back a substantial portion of funds and limited downstream harm. (Chainalysis, KuCoin)

Lesson: rapid, public coordination can materially reduce damage—if relationships and response plans exist before an incident.


Poloniex (2023) & CoinEx (2023): Private-key compromise

Both incidents showcased the enduring dominance of key compromise in exchange heists. The scale and speed of outflows underline why key custody and operations remain attack vector #1 for centralized services. (certik.com, Cointelegraph)

Lesson: fortify key management with MPC/HSM, strict signing policies, and real-time anomaly detection.
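
As an added illustration of the "strict signing policies, and real-time anomaly detection" lesson (not code from the article's sources or from any exchange), the sketch below gates every hot-wallet withdrawal before the key is used: destination allowlist, per-transaction limit, and a rolling outflow cap that freezes the wallet. The class name, thresholds and addresses are hypothetical and the sample requests are constructed.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class HotWalletPolicy:
    """Hypothetical pre-signing gate for one hot wallet (amounts in whole coins)."""
    allowlist: set             # destinations approved out-of-band
    per_tx_limit: int          # largest withdrawal signed without human review
    window_limit: int          # maximum total signed outflow per rolling window
    window_seconds: int = 3600
    frozen: bool = False
    _recent: deque = field(default_factory=deque)  # (timestamp, amount) already signed

    def evaluate(self, ts, dest, amount):
        """Return (decision, reason); decision is SIGN, REVIEW or FREEZE."""
        if self.frozen:
            return "FREEZE", "wallet frozen pending investigation"
        # Forget signed withdrawals that have aged out of the rolling window.
        while self._recent and self._recent[0][0] <= ts - self.window_seconds:
            self._recent.popleft()
        if dest not in self.allowlist:
            return "REVIEW", "destination not on allowlist"
        if amount > self.per_tx_limit:
            return "REVIEW", "amount exceeds per-transaction limit"
        outflow = sum(a for _, a in self._recent) + amount
        if outflow > self.window_limit:
            # A burst of individually "normal" withdrawals is the drain pattern:
            # stop signing entirely instead of rejecting one request.
            self.frozen = True
            return "FREEZE", "rolling outflow limit exceeded"
        self._recent.append((ts, amount))
        return "SIGN", "within policy"

# Constructed sample requests: (unix_ts, destination, amount). Not real addresses.
SAMPLE_REQUESTS = [
    (1000, "addr-customer-A", 40),
    (1300, "addr-customer-B", 30),
    (1400, "addr-unknown-X", 5),     # unlisted destination
    (1500, "addr-customer-A", 500),  # oversized single withdrawal
    (1600, "addr-customer-B", 45),   # pushes the hour's total past the cap
    (1700, "addr-customer-A", 1),    # arrives after the freeze
]

def run(requests):
    """Apply a fresh policy (assumed limits: 50 per tx, 100 per hour) to each request."""
    policy = HotWalletPolicy({"addr-customer-A", "addr-customer-B"},
                             per_tx_limit=50, window_limit=100)
    return [policy.evaluate(*r)[0] for r in requests]
```

The gate only limits damage if it runs on a system separate from the one that holds the signing key, so that compromising one does not bypass the other.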


DMM Bitcoin (2024): Sophisticated social engineering meets key abuse

Japanese and U.S. authorities pointed to DPRK-linked TraderTraitor actors, highlighting the blend of spear-phishing, fake job workflows, and session hijacking that can precede wallet manipulation. The outflow—about 4,502.9 BTC (~$305–308 million)—was one of 2024’s largest. (Reuters, Federal Bureau of Investigation)

Lesson: security perimeters now include people and vendors as much as code; continuous training and vendor hardening are mandatory.


WazirX (2024): Another nine-figure CEX incident

Analysts estimate roughly $235 million was drained across many assets, with post-incident tracing showing laundering via mixers over subsequent weeks. (Elliptic)

Lesson: diversified asset support widens the attack surface and complicates recovery—strong asset-listing security reviews matter.


Bybit (2025): The largest single exchange hack to date

During a wallet operation, attackers gained control over a wallet and moved ~$1.5 billion in ETH. Within days, the FBI publicly attributed the incident to DPRK actors. The case epitomizes both the scale adversaries can reach and the speed of public-private collaboration that now follows such incidents. (Reuters)

Lesson: even mature exchanges face nation-state adversaries. Defensive posture must assume APT-level threat models.


If your exchange is hacked: a user checklist

  1. Don’t transact until there’s clarity. Wait for official notices; don’t send additional funds.
  2. Rotate everything. Change passwords, reset 2FA (prefer hardware/app-based), revoke API keys.
  3. Export records. Save balances, deposit/withdrawal histories, and tax reports.
  4. Withdraw when safe. Once the venue reopens withdrawals and you’re comfortable, move long-term funds to self-custody.
  5. Watch recovery channels. Some exchanges coordinate reimbursements or tokenized claims (as Bitfinex did); read the fine print. (support.bitfinex.com)

How to evaluate an exchange before you deposit

  • Custody disclosures: Is the wallet architecture explained? Are MPC/HSM and key-split practices documented?
  • Attestations & reserves: Does the venue publish regular proof-of-reserves accompanied by a discussion of liabilities (or a broader “proof-of-solvency” design)? Academic and industry literature document PoR’s benefits and limits—treat it as one signal among many. (arXiv)
  • Emergency funds & insurance: Is there a clear reserve fund (e.g., SAFU-style) with public wallets/policies and a track record of use? (Binance)
  • Incident history: How has the exchange handled past issues? Transparent post-mortems, rapid coordination, and timely user communication are green flags.
  • Regulatory posture: Licensing, audits, and compliance teams won’t stop a zero-day—but they correlate with stronger operational discipline and accountability.

Bottom line

Yes, cryptocurrency exchanges have been hacked—repeatedly—and the trend includes nine-figure and now ten-figure events. The biggest recent cases (DMM Bitcoin 2024, WazirX 2024, and Bybit 2025) illustrate that even large, well-known platforms remain targets for advanced adversaries, including state-linked actors. Your best defense is layered: keep only working balances on an exchange, use strong account controls, and choose venues that are transparent about custody, reserves, and incident handling. (Reuters, Elliptic)


References & Further Reading

  • Chainalysis (Dec 2024): “$2.2 Billion Stolen in Crypto in 2024” – overview of 2024 hacking trends; highlights DMM Bitcoin and WazirX. (Chainalysis)
  • FBI / IC3 (Feb 2025): Public Service Announcement attributing the $1.5 billion Bybit hack to DPRK TraderTraitor actors. (Internet Crime Complaint Center)
  • Reuters (Feb 2025): Coverage of the Bybit theft and roundup of largest historical crypto heists. (Reuters)
  • Bitfinex Support (2025): 2016 Security Breach FAQ (BFX token redemptions & recovery history). (support.bitfinex.com)
  • Reuters (Jan 2018): Japan orders checks after $530 million Coincheck hack. (Reuters)
  • CertiK (Nov 2023): Poloniex incident analysis (private-key compromise). (certik.com)
  • Cointelegraph (Sep 2023): CoinEx hot-wallet hack (compromised keys, $70 million+). (Cointelegraph)
  • Chainalysis (Sep 2020): KuCoin hack initial report and laundering via DeFi. (Chainalysis)
  • FBI / Japan NPA (Dec 2024): Attribution of DMM Bitcoin theft (TraderTraitor). (Federal Bureau of Investigation)
  • Academic / Technical: Proof-of-Reserves vs. solvency limitations (arXiv & academic literature). (arXiv)
  • Binance Academy / Policy: SAFU fund overview and FAQ (emergency reserve concept). (Binance)
