14 — Historical Incidents

Hacks, collapses, exploits, frauds. Lessons from each case. Categories: protocol hacks, bridge hacks, exchange hacks/collapses, stablecoin failures, governance attacks, MEV, smart contract bugs.


1. Mt. Gox (2014)

Pioneering exchange collapse. Tokyo-based, ex-Magic: The Gathering cards trading site. Largest Bitcoin exchange from 2010-2014.

February 2014: announces loss of 850,000 BTC (~US\( 450M at the time; ~US\) 50B+ in 2026).

  • Cause: combination of malleability bug + progressive internal thefts over years.
  • CEO Mark Karpelès arrested in 2015 — released 2016, convicted 2019 (suspended sentence for record falsification).
  • Judicial bankruptcy → conversion into civil proceedings.
  • 2024-2025: 142k BTC distributed to creditors (17% recovery).
  • ~75k+ creditors waiting.

Lesson: custodial exchanges are single points of failure. "Not your keys, not your coins" as a saying was born here.


2. The DAO Hack (jun/2016)

First major Ethereum hack.

The DAO: decentralized investment fund on Ethereum, raised US$ 150M in ETH (crowdsale abr/2016 — 14% of all ETH then circulating).

17 jun/2016: attacker exploits reentrancy bug in splitDAO function. Drains 3.6M ETH (US$ 60M).

Response:

  • 28-day "challenge period" inherent to DAO contract.
  • Ethereum community votes hard fork to revert.
  • 20 jul/2016: hard fork executed. Majority adopts.
  • Minority keeps original chain → Ethereum Classic (ETC).

Attacker: never formally identified; speculation Toby Hoenisch (questioned).

Lesson:

  • Reentrancy = first major bug pattern in smart contracts.
  • Checks-Effects-Interactions pattern emerges.
  • Immutability vs governance discussion permanent.

3. Bitfinex hack (ago/2016)

Exchange hack. ~119,756 BTC stolen from Bitfinex hot wallet.

  • Bitfinex issues BFX tokens (effectively IOUs); redeems them in ~8 months via revenue.
  • 2022: DOJ seizes the remaining 94,000 BTC (~US$ 3.6B at the time). Couple Ilya Lichtenstein + Heather Morgan ("Razzlekhan") arrested.
  • 2023: Lichtenstein pleads guilty; sentenced 2024 to 5 years prison.

Lesson: criminals can hold BTC for years but on-chain tracing eventually catches up. Chainalysis maturity.


4. Parity Multisig hacks (2017)

Parity Wallet hack #1 (jul/2017)

Bug in wallet contract lets attacker reset ownership. 150k ETH drained (~US$ 30M).

Parity Wallet freeze (nov/2017)

User "devops199" "accidentally" triggers kill() on the library contract. ~513k ETH frozen forever (~US$ 280M at the time).

Parity proposed EIP-867 for recovery; Ethereum community rejected it (immutability principle post-DAO).

Lesson: complex multisig wallets have attack surface. Standardization (Gnosis Safe / Safe) dominates thereafter.


5. Coincheck hack (jan/2018)

Japanese exchange, US$ 530M in NEM stolen (hot wallet without multisig). Negligent hot wallet design.

Lesson: cold/hot wallet separation is critical. Japan tightened regulation thereafter.


6. QuadrigaCX (2019)

Canadian exchange collapses. CEO Gerald Cotten dies in India (controversial suspicion). Without him, crypto accounts inaccessible (allegedly).

Investigation revealed: Cotten was running a Ponzi with client funds; "frozen funds" was the excuse.

Loss: ~C$ 215M.

Documentary "Trust No One: The Hunt for the Crypto King" (Netflix 2022).


7. Plus Token Ponzi (2018-2019)

Chinese-South Korean Ponzi disguised as a "high-yield wallet". Stole ~US$ 5.7B in BTC, ETH, EOS.

Multiple operators arrested China 2020. Coins gradually moved to mixers + exchanges → suspected of driving BTC sell pressure in 2019.


8. KuCoin hack (set/2020)

Exchange hack: US$ 285M stolen. KuCoin recovers ~84% via partnerships + chain reorg requests + asset issuer help (token issuers froze drained tokens).

Lazarus suspected.


9. PolyNetwork hack (ago/2021)

Cross-chain bridge. US$ 611M drained — largest at the time.

Attacker: white-hat-style. Returned funds within a week, dialoged via tx messages.

PolyNetwork offered a chief security advisor role; declined.

Lesson: bridges are honeypots. Cross-chain message verification is difficult.


10. Cream Finance hacks (2021)

3 hacks in 1 year:

  • Feb: US$ 37M (flash loan).
  • Aug: US$ 19M (flash loan exploitation Yearn integration).
  • Oct: US$ 130M (flash loan + price oracle manipulation).

Lesson: flash loan vector consolidated as major DeFi threat.


11. Wormhole hack (fev/2022)

Ethereum-Solana bridge. US$ 320M in wETH minted without backing due to a signature verification bug.

Jump Trading (parent of Wormhole/Jump Crypto) bailed out — replenished US$ 320M from its own treasury overnight.

Lesson: rich backstop is rare; centralized recovery saves users but is not decentralized.


12. Ronin Bridge hack (mar/2022)

US$ 625M, largest DeFi/bridge hack at the time.

Axie Infinity's Ronin sidechain bridge. 5 of 9 validator signatures required. Sky Mavis (Axie devs) ran 4; Axie DAO ran 1 backup (delegated to Sky Mavis temporarily after Nov 2021 load spike). Attacker compromised 4 Sky Mavis nodes via phishing (LinkedIn job lure → malware on senior engineer).

Drain: 173,600 ETH + 25.5M USDC.

Lazarus (N. Korea) attributed.

Sky Mavis raised US$ 150M led by Binance; partial recovery of users.

Lesson: 59 not actually 59. Validator concentration risk. Phishing OPSEC critical.


13. Terra Luna / UST collapse (mai/2022)

Largest stablecoin failure ever. US$ ~60B evaporated in 1 week.

Mechanics

UST: algorithmic stablecoin. Burn LUNA → mint US$1 of UST (and vice-versa). Maintenance via arbitrage.

Anchor Protocol: paid ~20% APY on UST deposits (unsustainable; subsidized by Terraform Labs reserves).

Cascade (May 2022)

  • 7 mai 2022: large UST sell from 4-pool on Curve. Slight de-peg.
  • 9-10 mai: panic → mass redemption.
  • Burn UST → mint LUNA: LUNA supply explodes from 350M to 6.5T in days.
  • Hyperinflation: LUNA price crashes 99.99%.
  • UST de-pegs to ~US$0.02.

Total loss: ~US$ 60B in marketcap.

Aftermath

  • Do Kwon (founder) hides in Montenegro; arrested 2023; awaiting extradition.
  • South Korea seeking US$1B asset seizure.
  • US SEC charges Kwon + Terraform Labs (2023).
  • Terra 2.0 (new LUNA, abandoned UST) — minor adoption.
  • Trigger to Three Arrows Capital, Celsius, Voyager, BlockFi collapses.

Lesson: algorithmic stablecoins with reflexive collateral = ticking bomb. "It's not algorithmic, it's a Ponzi" (Sam Trabucco, others rebuked Kwon's defenders).


14. Three Arrows Capital (3AC) collapse (jun/2022)

Hedge fund. US$ 18B AUM at peak. Massive leverage. Cascaded from Terra Luna loss.

  • Founders Su Zhu + Kyle Davies. Singapore-based.
  • Defaulted on US$ 3.5B+ creditor loans.
  • Filed bankruptcy Jun 2022.
  • Founders fled, hid for over a year. Caught Aug 2023.

Cascaded: Voyager Digital bankruptcy (Jul 2022, exposure 3AC), BlockFi struggles.


15. Celsius Network collapse (jul/2022)

Crypto lender. 1.7M users, US$ 25B AUM peak.

  • Promised high yields (~17% APY) via reckless DeFi exposure.
  • Mai/2022: rumours about exposure.
  • Jun 12: halts withdrawals.
  • Jul 13: files Chapter 11 bankruptcy.

Alex Mashinsky (CEO): arrested 2023; pleaded guilty to fraud + commodities + market manipulation 2024; sentenced 2025 to 12 years.

Recovery: ~80% via judicial process distribution (BTC/ETH at time-of-bankruptcy prices — much lower than 2024-2025 recoveries would represent).


16. Voyager Digital (jul/2022)

Exchange. Exposure to 3AC ($650M unsecured loan). Bankruptcy.

FTX bid to acquire Voyager → fell through with FTX collapse. Coinbase acquired customer assets later.


17. FTX collapse (nov/2022)

Largest fraud in crypto history. Second-largest exchange globally pre-collapse.

Background

  • Sam Bankman-Fried (SBF) founded 2019.
  • Alameda Research: SBF's trading firm (founded 2017).
  • FTX peak ~US$ 32B valuation (Jan 2022). Sponsorships: Tom Brady, Larry David, Stephen Curry, Miami Heat arena.
  • "Effective Altruism" public persona.

Collapse (Nov 2022)

  • Nov 2: CoinDesk article reveals Alameda balance sheet 40% FTT (FTX's own token). Reflexive value.
  • Nov 6: Binance CEO CZ announces selling FTT.
  • Nov 8: bank run on FTX. Halts withdrawals.
  • Nov 11: FTX, Alameda, ~130 affiliated entities file Chapter 11.
  • Nov 11-12: ~US$ 477M drained from FTX wallets ("the hack" or insider exit?).

Revelations

  • FTX had commingled customer funds with Alameda.
  • Alameda borrowed customer deposits (~US$ 8-10B) for speculative trades.
  • "Slush fund" code in FTX exchange backend hiding negative Alameda balance.
  • FTX had no risk team, no CFO, no proper governance.

Trials

  • SBF arrested Bahamas Dec 12, 2022. Extradited.
  • Trial Oct-Nov 2023: convicted 7 counts wire fraud, conspiracy, money laundering.
  • Sentenced Mar 2024: 25 years prison + US$ 11B forfeiture.
  • Caroline Ellison (Alameda CEO): cooperative; sentenced 2 years.
  • Gary Wang (FTX CTO): cooperative; sentenced ~0 years (time served + supervised).
  • Nishad Singh (FTX engineering): cooperative.
  • Ryan Salame (FTX co-CEO): 7.5 years.

Recovery

Surprisingly strong: ~119% on USD claim value (using Nov 2022 prices), boosted by BTC appreciation + recovered assets + tax overpayment refunds.

Lesson: trust verifiable proof-of-reserves; "celebrity CEO" doesn't replace due diligence; regulatory gaps exploitable.


18. BlockFi (nov/2022)

Crypto lender. Exposed to FTX (Alameda loan default + FTX collateral seizure). Chapter 11.

Customer recovery ~50-100% depending on tier.


19. Genesis (jan/2023)

Crypto prime broker. Exposure to 3AC + FTX. Bankruptcy. Major creditor to Gemini Earn → Gemini-Genesis dispute, eventual settlement.


20. Euler Finance hack (mar/2023)

Lending protocol. US$ 200M drained via faulty liquidation function.

  • Donation function had insufficient health check.
  • Attacker leveraged → self-liquidated → recovered loss as "donor".

White hat resolution: attacker returned all funds after dialog with Euler team. Among the few major DeFi hacks fully recovered.


21. Curve Finance Vyper bug (jul/2023)

Compiler bug (Vyper versions 0.2.15-0.3.0) — improper reentrancy locks in certain pools.

Affected pools: CRV/ETH, alETH, msETH, pETH. US$ 73M drained.

White-hats recovered $25M; rest mixed recovery (half returned by hacker dialog, rest mixed).

Lesson: language compiler bugs can affect production. Curve recovered but the ecosystem was shaken.


22. Multichain saga (jul/2023)

Cross-chain bridge protocol. CEO Zhaojun disappeared (arrested by Chinese authorities). Without his keys, the protocol can't operate. US$ 130M+ stuck/lost.

Lesson: centralized actors in "decentralized" bridges = catastrophic failure mode.


23. Stake.com hack (set/2023)

Crypto casino. Hot wallet compromised. US$ 41M.

Lazarus attributed.


24. KyberSwap hack (nov/2023)

KyberSwap Elastic (concentrated liquidity AMM). US$ 47M drained via complex precision exploit.


25. Orbit Chain hack (jan/2024)

Korea-based cross-chain bridge. US$ 82M.

Lazarus attributed.


26. Munchables (mar/2024)

GameFi project on Blast. Insider attack — N. Korean dev hired as engineer accessed contracts. ~US$ 62M.

Recovery: insider returned funds after social pressure + identification.


27. WazirX hack (jul/2024)

Indian exchange. US$ 235M drained from multisig wallet. Compromised signer keys.

Lazarus attributed (signature: Tornado Cash mixing patterns).

WazirX filing restructuring. Heavy customer losses; partial socialization plan controversial.


28. Bybit hack (fev/2025)

Largest exchange hack ever. US$ 1.5B (~400k ETH) drained from cold wallet.

  • Lazarus Group (N. Korea, official US/UK attribution).
  • Method: compromised UI of multisig signing tool (Safe.global / smart contract wallets); signers approved malicious tx thinking it was routine.
  • Bybit operationally solvent — uses own treasury + loans + sells assets to backfill.
  • Industry response: tightened cold wallet signing UX, hardware-level verification standards.

29. Other notable 2024-2025 hacks (not exhaustive)

Date Target Loss
Jan 2024 Cronos PlayDapp US$ 290M
Mar 2024 Curio Network US$ 16M
May 2024 Gala Games US$ 200M (recovered)
Jul 2024 Compound Finance US$ 24M (recovered via vote)
Sep 2024 Penpie US$ 27M
Mar 2025 Hyperliquid JELLY ~US$ 13M (gov vault auto-liquidation forced exception)
Apr 2025 DEXX US$ 21M

30. Smart contract bug categories

Reentrancy

  • The DAO (2016).
  • Imperial College Lendf.me (2020) — US$ 25M ERC-777 reentrancy.
  • Cream Finance (2021 x3).
  • Burgerswap (2021).
  • Siren Protocol (2021).

Flash loan + oracle manipulation

  • Harvest Finance (2020): US$ 24M, Curve y-pool.
  • Pickle Finance (2020): US$ 20M.
  • bZx (2020 x2).
  • Cream (2021).
  • Mango Markets (2022): Avi Eisenberg drained ~US$ 117M via MNGO collateral manipulation; convicted of commodities fraud + market manipulation 2024.

Math / precision

  • Compound DAI/USDC reward bug (2021): US$ 80M user overpayment (recovered most).
  • Curve Vyper compiler (2023).

Logic bugs

  • Nomad bridge (Aug 2022): initialization bug → US$ 190M everyone-drains; "free for all" mempool race.
  • Beanstalk (2022): governance + flash loan.

Signature bypass

  • Wormhole (2022).
  • BNB Bridge (2022): US\( 570M minted (post-chain halt, ~\)100M extracted).

Centralized key compromise

  • Ronin (2022).
  • WazirX (2024).
  • Bybit (2025).

31. Hacking groups

Lazarus Group (DPRK)

State-sponsored. Estimated US$ 3-4B stolen 2017-2025 from crypto. Funds North Korean nuclear program (per US/UN reports).

Recent attribution: Ronin, Atomic Wallet, CoinEx, Stake.com, Orbit, WazirX, Bybit.

Tactics:

  • Spear phishing of senior engineers (LinkedIn).
  • Trojanized job applications.
  • Maintaining N. Korean IT contractors in US/EU exchanges (HR phishing).

Other state actors

China-attributed less common but suspected in select cases. Russia-attributed in some early Bitcoin-era hacks.

Cybercriminal gangs

DarkSide (Colonial Pipeline), Conti, REvil — ransomware groups demanding BTC. Mostly Russian-affiliated.

"Solo black hats"

Individuals exploiting smart contract bugs. Often demand bounties or anonymize → cash out.

"White hats / grey hats"

Sometimes return funds (PolyNetwork, Euler) for reputation or fear of consequences.


32. Anti-money laundering responses

Tornado Cash sanctions

OFAC sanctioned the smart contract (Aug 2022). First time code itself sanctioned. Roman Storm + Alexey Pertsev charged (developers).

Pertsev convicted in Netherlands (May 2024), 64-month sentence — appeal pending.

Storm US trial: 2024 set; later 2025 trial. Conviction (mixed).

Van Loon v. Treasury (5th Circuit, Aug 2024): OFAC overreached on immutable contracts; vacated for those. Mutable smart contracts can still be sanctioned.

Trump administration (2025): rescinded some sanctions; pivoted softer on Tornado.

Chain analytics

Chainalysis, TRM Labs, Elliptic — track flows, work with law enforcement. Help recover hundreds of millions per year.


33. Lessons by category

Don't custody if you can avoid it

Self-custody >= custodial. Exchanges can fail (Mt. Gox, FTX, QuadrigaCX, BlockFi, Celsius...).

Verify proof-of-reserves

Post-FTX, exchanges publish PoR (Merkle tree of liabilities, on-chain reserves). Imperfect but a signal.

Smart contracts need audits + bug bounties + formal verification

Reentrancy patterns documented; CEI mandatory; flash loan attack surface understood.

Bridges = honeypots

Be skeptical of new cross-chain bridges. Prefer canonical (CCTP, native rollup) or large-TVL battle-tested.

Algorithmic stablecoins → death spiral risk

UST proved it. USDe (Ethena) less reflexive but counterparty risk to perp venues.

Centralized "decentralized" actors

Multisig N-of-M is only as good as keyholder OPSEC. Ronin 59 was actually 49.

Front-end vs protocol

Many "hacks" compromise the UI, not the protocol. Signing safely is critical.

Lazarus is a thing

N. Korean state APT targeting crypto persistently. Treat OPSEC accordingly.


34. References + tracking

  • Rekt.news: rekt leaderboard of DeFi/crypto hacks.
  • CertiK Skynet: hack alerts.
  • Chainalysis annual crypto crime reports.
  • TRM Labs: AML/financial crime reports.
  • De.Fi REKT Database.
  • Web3 Is Going Just Great (Molly White): chronicle of hacks.

35. Cross-reference

  • Smart contract bug categories: 08-smart-contracts.md §SWC.
  • Bridge architecture vulnerabilities: 11-bridges-interop.md.
  • Stablecoin design failures: 09-defi.md §Stablecoins.
  • Crypto-specific attacks: ../cryptography/11-attacks.md.
  • Regulatory response: 13-regulation.md.
  • Koder Stack lessons: 15-koder-applied.md.