Clock 10 MINUTES

A Comprehensive List of Cryptocurrency Exchange Hacks

Hacks and data breaches happen on an almost daily basis. Cryptocurrency exchange hacks are particularly damaging because they typically affect thousands of users and involve the loss of funds. Here we provide an updated list of all major cryptocurrency exchange hacks.

19 Oct
2019
SelfKey
Identity Wallet
Cryptocurrency Exchange Hacks
key-icon

Cryptocurrency exchanges come and go, and it’s almost inevitable that an exchange will get hacked at one point or another. While cryptocurrencies themselves are very secure, exchanges can be affected by a variety of vulnerabilities, making them a prime target for malicious actors. 

We’ve compiled a comprehensive list of cryptocurrency exchange hacks – you’ll be amazed at how much has been stolen over the years.

2019

June – Bitrue – 9.3 Million XRP & 2.5 Million ADA

Bitrue is a Singapore-based cryptocurrency exchange that experienced a major hack to it’s hot wallet. Only 90 Bitrue users were affected, but the cryptocurrency that was stolen was worth almost $5 million. Luckily for users who lost their funds, Bitrue has reassured them that they will be fully repaid

June – GateHub – 23,200,000 XRP

This UK and Slovenia-based cryptocurrency exchange suffered from a large hack this summer where hackers made off with $10 million worth of Ripple. While it is still unclear as to how exactly the hacker(s) gained access to user funds, the culprit(s) managed to access encrypted secret keys. So far, GateHub has managed to make some progress in recovering the stolen funds.

May – Binance – 7,000 BTC

Despite the fact that we are now in 2019, hackers still managed to use a phishing scam and malware to hack into Binance. The malicious actors ran off with $40 million worth of Bitcoin. As a result, Binance promised to increase its security, but users are understandably wary. 

March – Bithumb – 3 Million EOS & 20 Million XRP

This South Korean cryptocurrency exchange was the victim of a suspected insider job. It all started with a suspicious withdrawal, and the exchange immediately suspended all withdrawals on their platform, but it was too late. Who conducted the hack is still unknown, but since there is no evidence of outsider interference, many suspect that it was a Bithumb employee who stole the funds.

March – CoinBene – Unknown

Problems started to surface for CoinBene when funds began to mysteriously move out of the exchange’s hot wallet. Analysts were worried, especially since the exchange was down for maintenance, a typical post-hack response. Despite assurances from CoinBene that nothing had happened, the exchange was down for a whole month. Funds are definitely missing, but just how much is unclear, and CoinBene has refused to comment on it. 

The SelfKey Identity Wallet is a free identity solution for Windows, Linux and Mac. Get yours today!

February – Coinmama – 450,000 User Emails & Passwords

This is a slightly less conventional hack, because instead of stealing money the hackers just stole information. Coinmama is one of the largest cryptocurrency brokers with over a million active users. There appears to have been little fallout from this hack, as Coinmama informed users rapidly once they learned that user data was being leaked on the dark web. To date, no cryptocurrency has been stolen.

January – Cryptopia – Min. 19,390 ETH

It all started with Cryptopia users having difficulty accessing their accounts, and it only went downhill from there. The company originally thought it was a technical issue, but later clarified on Twitter that it was a security breach. The exact amount stolen in the hack is still unknown.

January – Cryptopia – 1,675 ETH

Unfortunately for Cryptopia, they suffered from another hack 15 days after the first one. That was the end of the exchange – they are now going through the liquidation process.

2018

December – QuadrigaCX – 26,350 BTC

While this doesn’t quite qualify as a hack, it is too unbelievable to not include on this list. 

QuadrigaCX was Canada’s largest cryptocurrency exchange owned by Gerald Cotten. Cotten was the only person who knew how to access the cold wallets belonging to the exchange.

In December, while on his honeymoon in India, Cotten died and took any information on how to access the cold wallets to his grave. QuadrigaCX had already been struggling and rumors of bankruptcy had been floating around, and with Cotten’s passing the exchange collapsed. Conspiracy theories started popping up that Cotten wasn’t actually dead, he had just pulled a very elaborate exit scam.

As investigations started into QuadrigaCX’s finances began, things took a bizarre turn. Six cold wallets were identified to belong to QuadrigaCX. However, when investigators looked at the wallets, five of them had been emptied around April 2018. No one is really sure what has happened, and investigations are still ongoing. Cotten’s widow has voluntarily returned $9 million in assets from Cotten’s estate to repay users.

September – Zaif – 5,966 BTC

This is yet another case where it’s unclear how hackers stole the funds. However, Zaif did file a criminal case with their local authorities, which makes it sound like they have an idea as to who did it. Either way, this Japanese exchange lost $60 million worth of cryptocurrency.

June – Coinrail – 1,927 ETH, 2.6 Billion NPXS, 93 Million ATX, 831 Million DENT Coins & large amounts of 6 other tokens

Despite the fact that Coinrail was a relatively small cryptocurrency exchange, it did a lot of business which drew the attention of hackers. Exact details of the attack are still unclear, and the exchange lost an estimated $40 million.

June- Bithumb – $31 Million Worth of XRP

Unfortunately Bithumb’s hacking problems didn’t start in 2019. The exchange was hacked in 2018 as well (and you will see them again on our list), with hackers making off with substantial amounts of Ripple. This hack appears to be orchestrated by a group of North Korean hackers known as the Lazarus Group, who have been responsible for a number of cryptocurrency hacks over the years. Luckily for Bithumb users, the exchange promised to pay back any stolen funds.

May – Bitcoin Gold – $18 Million Worth of BTG

This is probably one of the stranger hacks on our list, as a cryptocurrency exchange wasn’t hacked but a cryptocurrency was. Bitcoin Gold was an offshoot of the original Bitcoin, which took a hard fork from Bitcoin as an attempt to decentralize (ironic given that Bitcoin is already decentralized). 

Bitcoin Gold became the victim of a 51% attack, a rare occurrence where hackers managed to gain control of more than 50% of the networks computing power. From there, attackers can prevent confirmations, allowing them to effectively stop payments between users and make changes to the network’s blockchain ledger. This type of attack was thought to be rare, if not impossible, until the Bitcoin Gold incident.

Using some complicated maneuvers, hackers put their Bitcoin Gold onto exchanges, traded them for other cryptocurrencies, then withdrew the amount. And because they had control of Bitcoin Gold’s blockchain ledger, they could simply return the original Bitcoin Gold back into their own wallet, essentially stealing money from exchanges.

May – Taylor – 2,578 ETH

Taylor is a cryptocurrency trading app, that raised a successful initial coin offering (ICO) in order to get funding. Unfortunately, not long after, hackers managed to gain access to a company device and took control of a password file. The malicious actors stole all of the Ethereum raised in the ICO, valued at $1.5 million. There were concerns that this was just another exit scam, but it appears that Taylor has slowly managed to rebuild

April – CoinSecure – 438 BTC

CoinSecure, an Indian cryptocurrency exchange, lost Bitcoin valuing $3.5 million at the time of the hack. However, it seems like this one was an inside job. The owners of CoinSecure believe their former Chief Security Officer stole the funds. It seems they may have been onto something, as he was later arrested

February – Bitgrail – 17,000,000 NANO

Over $170 million was stolen from the Italian exchange Bitgrail, and the details are a little fuzzy. While the owner, Francesco Firani, announced the hack, other Bitgrail employees denied it and said there was nothing wrong. People are sceptical as to whether this was an actual hack, or an attempt at an exit scam.

January – Coincheck – 523,000,000 NEM

Coincheck was the leading exchange in Japan, but the hack showed how remarkably unsecure the platform was. The hackers managed to spread a virus through email that allowed them to steal private keys. After that it was remarkably easy, as Coincheck did not use smart contracts or multi-signatures, and all coins were stored in the same wallet. The total value of cryptocurrency stolen is one of the highest ever, $533 million. Remarkably, the cryptocurrency exchange is still in business.

2017

December – NiceHash – 4,736 BTC

NiceHash is a cryptocurrency mining marketplace that allows miners to rent out their hash rate to others. Their payment system was compromised, causing the contents of users Bitcoin wallets to be stolen. The exact amount stolen was never confirmed by NiceHash, but it is strongly believed to be 4,736 worth of Bitcoin, worth about $62 million at the time. This story ends on a happy note though, as NiceHash managed to return 60% of the stolen funds to users.

December – Youbit – Unknown

Youbit (formerly known as Yapizon) was a relatively small South Korean cryptocurrency exchange that had experienced a hack earlier in 2017. This time, hackers made off with 17% of the exchange’s holdings. This marked the end for Youbit, they filed for bankruptcy the same day.

July – Bithumb – $7 Million Worth of BTC & ETH

Bithumb makes yet another appearance on this list. At the time of this hack, Bithumb was the fourth largest cryptocurrency exchange by volume worldwide. An unknown hacker managed to gain access to an employee’s personal computer and stole the details of over 30,000 Bithumb users. Not long after, users started to notice their accounts being drained. 

April – Yapizon – 3,800 BTC

Before Yapizon changed their name to Youbit, they experienced their first hack. Malicious actors managed to run off with $5 million worth of Bitcoin and Yapizon did it’s best to mitigate the damages.

2016

August – Bitfinex – 120,000 BTC

This Hong Kong-based cryptocurrency exchange had claimed to be the most secure exchange in the world. Unfortunately, that proved to be very untrue. Hackers made off with a large amount of Bitcoin through Bitfinex’s processing service – BitGo. The price of Bitcoin plunged as a result of the hack.

May – GateCoin – 250 BTC & 185,000 ETH

GateCoin was one of the first regulated cryptocurrency exchanges at the time, and its popularity made it a prime target for malicious actors. Hackers managed to gain access to user wallets and stole cryptocurrencies valued at $2 million. That was the nail in the coffin for GateCoin – the exchange never recovered. 

April – ShapeShift – $230,000 Worth of Cryptocurrency

Over the course of a month, the cryptocurrency exchange ShapeShift was hacked three separate times. According to a detailed report by ShapeShift CEO Erik Voorhees, a former employee was responsible for all three hacks. The cryptocurrency pledged to rebuild, and they are one of the few who has managed to do so successfully. 

2015

February – BTER – 7,170 BTC

This China-based exchange had it’s cold wallet hacked, leading to a loss of over $1.5 million worth of Bitcoin. Users on Reddit were very suspicious, as it is extremely difficult to hack a cold wallet, and hypothesized that the hack was an inside job.

February – KipCoin – 3,000 BTC

You’ll see Linode further down on our list, but it was a hosting server for a few cryptocurrency exchanges.  It was hacked again in 2014, which this time caused a security breach on the KipCoin server. The hackers managed to gain control of the entire platform by changing passwords internally. A month-long struggle ensued, in which the administrators managed to regain control of the exchange, but the hackers still lurked. At the time of the hack, KipCoin did not tell users what was happening in light of the Bitstamp hack and only later revealed the information.

January – Bitstamp – 19,000 BTC

Bitstamp was the first licensed cryptocurrency exchange in Europe. It was compromised when hackers sent a malicious email to Bitstamp employees, and it only took one employee to follow the link and expose the whole exchange. The attackers made off with Bitcoin valued at $5.1 million at the time.

January – LocalBitcoins – 17 BTC

While this was a relatively small hack, it proved a point when it came to spending money on cybersecurity. Attackers used the LocalBitcoins live chat to distribute malware then made off with a relatively small profit. 

January – 796 – 1,000 BTC

It was not a good start to the year for cryptocurrency exchanges in 2015. Chinese exchange 796 had its server compromised, and hackers tampered with withdrawal addresses to trick users. It worked, and major shareholders footed the bill so users didn’t have to lose funds themselves.

2014

October – MintPal – 3,700 BTC

MintPal experienced their second hack in October (scroll down to read about the first one in July), but this one had a lot more twists and turns. Not long after the hack in July, MintPal was purchased by a company called Moolah (also known as Moopay Ltd), owned by Ryan Kennedy alias Alex Green.

After a failed relaunch of MintPal, Moolah announced it was closing its doors but users would be able to still use MintPal. However, user accounts were locked and users were able to track funds being removed from wallets and then watch them be sold on another platform. Kennedy was the only one with access to customer funds, and he was currently on the run. 

Kennedy was arrested in 2016 for rape changes and is now in jail. He is now also facing charges of fraud from the UK police for his involvement in the MintPal hack. 

July – Cryptsy – 13,000 BTC & 300,000 LTC

A trojan virus was inserted into the code of Cryptsy by a hacker going by the name of Lucky7Coin. As a result, Lucky7Coin (and potentially others) walked away with a staggering amount of cryptocurrency. The owner of Cryptsy, Paul Vernon, was accused of destroying evidence and stealing Bitcoin himself and the exchange declared insolvency. Vernon was successfully sued for $8.2 million in a class-action lawsuit.

July – MintPal – 8 Million VRC

Before MintPal’s unfortunate takeover by Alex Kennedy, they experienced another hack. The hacker found a weak point in the withdrawal system on the exchange, and managed to authorize a withdrawal from the Vericoin wallet. The sites Bitcoin and Litecoin wallets were also targeted, but nothing was stolen. The hack resulted in the loss of 30% of all Vericoin, which caused the Vericoin development team to decide on a hard fork in order to mitigate the damages.

March – Mt.Gox – 850,000 BTC

You might be surprised to see this name again, and attached to what is one of the biggest hacks of all time. The investigation is still ongoing and the situation is far from clear, but it appears that when Mt.Gox was originally hacked in 2011, some private keys were also stolen by malicious actors. The hackers gained access to a large number of Bitcoin and started emptying wallets. Purportedly due to an error in the Mt.Gox systems, the exchange was interpreting these withdrawals as deposits for nearly two years. It was a huge error, costing users a total of $45 million and marking the end of the cryptocurrency exchange. Interestingly, some of the stolen funds may potentially be recovered

March – Poloniex – 97 BTC

In the same month, hackers managed to take advantage of an incorrect withdrawal code of this US-based cryptocurrency exchange. While the company did not report exactly how much was stolen, the figure has been explained on the Bitcointalk forum. There is still some speculation as to whether the hack was an inside job or not.

2013

November – BitCash – 484 BTC

The Czech-based exchange Bitcash lost Bitcoin after a hack on their servers. The attackers gained access to emails and sent out a phishing scam, pretending to be Bitcash to obtain customer information, which they then used to steal funds.

May – Vicurex – 1,454 BTC

While the hack of Vicurex has never exactly been confirmed (leading some to believe it was an inside job), the cryptocurrency exchange announced it had lost most of its reserve funds to attackers. Vicurex, claiming near bankruptcy, froze all withdrawals, leading several former customers to sue the company for withholding their money.

2012 

September – BitFloor – 24,000 BTC

At the time of the hack, BitFloor was the fourth largest exchange on the US market. Attackers managed to gain access to the servers and found unencrypted backup wallet keys. From there, they simply siphoned out the funds, worth a cumulative $250,000. 

May – Bitcoinica – 18,457 BTC

Unfortunately for Bitcoinica, they suffered another hack just two months after their initial hack. This led many to suspect that the original security issues from the Linode attack in March had never actually been effectively dealt with. The site was immediately shut down and the exchange was ultimately closed for good.

March – Linode – 43,000 BTC from Bitcoinica & 3,000 BTC from Slush

This one is a little complicated. Linode is a web hosting provider, and they hosted the cryptocurrency exchanges Bitcoinica and Slush. Linode itself was hacked, and the attackers managed to steal significant amounts Bitcoin from both exchanges.

2011 

June – Mt.Gox – 2,643 BTC

While at the time this was a relatively modest hack, it was just the beginning of problems for Mt.Gox. In this hack, attackers were able to gain access to a computer belonging to an auditor at the cryptocurrency exchange. The malicious actor changed the price of Bitcoin to $0.01, purchased them at the artificially low price and made off with a small fortune.

October – Bitcoin7 – 11,000 BTC

In this case, hackers from Russia and Eastern Europe managed to gain access to Bitcoin7’s servers. This also gave them access to the exchange’s main BTC depository and two backup wallets. Bitcoin7 continues to exist with an obviously spammy website (steer clear!).

Conclusion

Cryptocurrencies are relatively safe, but take a look at this list to make sure the cryptocurrency exchange you use isn’t on it! Exchanges are always at risk of attack, especially when they are doing a lot of business. It’s important that cryptocurrency exchanges take security seriously, and put a number of measures in place to prevent security breaches. Any decent cryptocurrency exchange should outline what security measures they have in place. If they don’t, and fail to adequately justify their reasons for withholding that information,  then that’s a red flag you would do well to pay attention to.