14 — Incidentes Históricos
Hacks, colapsos, exploits, frauds. Aprendizado de cada caso. Categorias: protocol hacks, bridge hacks, exchange hacks/collapses, stablecoin failures, governance attacks, MEV, smart contract bugs.
1. Mt. Gox (2014)
Exchange collapse pioneiro. Tokyo-based, ex-Magic: The Gathering cards trading site. Maior exchange Bitcoin de 2010-2014.
Fevereiro 2014: anuncia perda de 850.000 BTC (~US\( 450M na época; ~US\) 50B+ em 2026).
- Causa: combinação de bug em malleability + roubos internos progressivos ao longo de anos.
- CEO Mark Karpelès preso em 2015 — solto 2016, condenado 2019 (sentença suspensa por falsificação de records).
- Falência judicial → conversão em proceedings civis.
- 2024-2025: 142k BTC distribuídos aos credores (17% recovery).
- ~75k+ creditors esperando.
Lição: exchanges custodiais são pontos únicos de falha. "Not your keys, not your coins" como ditado nasceu daqui.
2. The DAO Hack (jun/2016)
Primeiro grande hack Ethereum.
The DAO: investment fund descentralizado em Ethereum, raised US$ 150M em ETH (crowdsale abr/2016 — 14% de todo ETH então circulante).
17 jun/2016: atacante explora reentrancy bug em splitDAO function. Drains 3.6M ETH (US$ 60M).
Resposta:
- 28-day "challenge period" inerente a DAO contract.
- Comunidade Ethereum vota hard fork pra reverter.
- 20 jul/2016: hard fork executado. Maioria adota.
- Minoria mantém chain original → Ethereum Classic (ETC).
Atacante: nunca formalmente identificado; speculation Toby Hoenisch (questionada).
Lição:
- Reentrancy = primeiro grande padrão de bug em smart contracts.
- Checks-Effects-Interactions pattern emerges.
- Imutabilidade vs governance discussion permanent.
3. Bitfinex hack (ago/2016)
Exchange hack. ~119.756 BTC roubados de hot wallet Bitfinex.
- Bitfinex emite BFX tokens (efetivamente IOUs); resgata em ~8 meses via revenue.
- 2022: DOJ apreende 94.000 BTC restantes (~US$ 3.6B na época). Casal Ilya Lichtenstein + Heather Morgan ("Razzlekhan") preso.
- 2023: Lichtenstein pleads guilty; sentenced 2024 5 anos prisão.
Lição: criminosos podem deter BTC anos mas tracing on-chain eventualmente captura. Chainalysis maturidade.
4. Parity Multisig hacks (2017)
Parity Wallet hack #1 (jul/2017)
Bug em wallet contract permite atacante reset ownership. 150k ETH drained (~US$ 30M).
Parity Wallet freeze (nov/2017)
User "devops199" "acidentalmente" trigger kill() no library contract. ~513k ETH frozen forever (~US$ 280M na época).
Parity propôs EIP-867 para recovery; Ethereum community rejeitou (princípio imutability pós-DAO).
Lição: complex multisig wallets têm attack surface. Standardization (Gnosis Safe / Safe) pós-isso domina.
5. Coincheck hack (jan/2018)
Exchange japonesa, US$ 530M em NEM roubados (hot wallet sem multisig). Hot wallet design negligente.
Lição: cold/hot wallet separation crítica. Japão regulação tightened pós-isso.
6. QuadrigaCX (2019)
Exchange canadense colapsa. CEO Gerald Cotten morto na Índia (suspeita controversa). Sem ele, contas crypto inacessíveis (allegedly).
Investigação revelou: Cotten estava operando Ponzi com fundos clientes; "frozen funds" desculpa.
Loss: ~C$ 215M.
Documentary "Trust No One: The Hunt for the Crypto King" (Netflix 2022).
7. Plus Token Ponzi (2018-2019)
Chinese-South Korean Ponzi disfarçado de "high-yield wallet". Stole ~US$ 5.7B em BTC, ETH, EOS.
Multiple operators arrested China 2020. Coins gradually moved to mixers + exchanges → suspected drove BTC sell pressure em 2019.
8. KuCoin hack (set/2020)
Exchange hack: US$ 285M roubado. KuCoin recovers ~84% via partnerships + chain reorg requests + asset issuer help (token issuers froze drained tokens).
Lazarus suspected.
9. PolyNetwork hack (ago/2021)
Cross-chain bridge. US$ 611M drained — largest at time.
Atacante: white-hat-style. Returned funds dentro de uma semana, dialoged via tx messages.
PolyNetwork ofereceu chief security advisor role; declined.
Lição: bridges são honeypots. Cross-chain message verification difícil.
10. Cream Finance hacks (2021)
3 hacks em 1 ano:
- Feb: US$ 37M (flash loan).
- Aug: US$ 19M (flash loan exploitation Yearn integration).
- Oct: US$ 130M (flash loan + price oracle manipulation).
Lição: flash loan vector consolidated as major DeFi threat.
11. Wormhole hack (fev/2022)
Bridge Ethereum-Solana. US$ 320M em wETH minted sem backing por signature verification bug.
Jump Trading (parent of Wormhole/Jump Crypto) bailed out — replenished US$ 320M de própria treasury overnight.
Lição: rich backstop rare; centralized recovery saves users mas not decentralized.
12. Ronin Bridge hack (mar/2022)
US$ 625M, largest DeFi/bridge hack at time.
Axie Infinity's Ronin sidechain bridge. 5 of 9 validator signatures required. Sky Mavis (Axie devs) ran 4; Axie DAO ran 1 backup (delegated to Sky Mavis temporarily after Nov 2021 load spike). Attacker compromised 4 Sky Mavis nodes via phishing (LinkedIn job lure → malware on senior engineer).
Drain: 173,600 ETH + 25.5M USDC.
Lazarus (N. Korea) attributed.
Sky Mavis raised US$ 150M led by Binance; partial recovery of users.
Lição: 59 not actually 59. Validator concentration risk. Phishing OPSEC critical.
13. Terra Luna / UST collapse (mai/2022)
Largest stablecoin failure ever. US$ ~60B evaporated em 1 semana.
Mechanics
UST: algorithmic stablecoin. Burn LUNA → mint US$1 of UST (and vice-versa). Maintenance via arbitrage.
Anchor Protocol: paid ~20% APY em UST deposits (unsustainable; subsidized by Terraform Labs reserves).
Cascade (May 2022)
- 7 mai 2022: large UST sell from 4-pool em Curve. Slight de-peg.
- 9-10 mai: panic → mass redemption.
- Burn UST → mint LUNA: LUNA supply explodes from 350M to 6.5T em days.
- Hyperinflation: LUNA price crashes 99.99%.
- UST de-pegs to ~US$0.02.
Total loss: ~US$ 60B in marketcap.
Aftermath
- Do Kwon (founder) hides em Montenegro; arrested 2023; awaiting extradition.
- South Korea seeking US$1B asset seizure.
- US SEC charges Kwon + Terraform Labs (2023).
- Terra 2.0 (new LUNA, abandoned UST) — minor adoption.
- Trigger to Three Arrows Capital, Celsius, Voyager, BlockFi collapses.
Lição: algorithmic stablecoins with reflexive collateral = ticking bomb. "It's not algorithmic, it's a Ponzi" (Sam Trabucco, others rebuked Kwon's defenders).
14. Three Arrows Capital (3AC) collapse (jun/2022)
Hedge fund. US$ 18B AUM at peak. Massive leverage. Cascaded from Terra Luna loss.
- Founders Su Zhu + Kyle Davies. Singapore-based.
- Defaulted on US$ 3.5B+ creditor loans.
- Filed bankruptcy Jun 2022.
- Founders fled, hid mais de 1 ano. Caught Aug 2023.
Cascaded: Voyager Digital bankruptcy (Jul 2022, exposure 3AC), BlockFi struggles.
15. Celsius Network collapse (jul/2022)
Crypto lender. 1.7M users, US$ 25B AUM peak.
- Promised high yields (~17% APY) via reckless DeFi exposure.
- Mai/2022: rumours sobre exposure.
- Jun 12: halts withdrawals.
- Jul 13: files Chapter 11 bankruptcy.
Alex Mashinsky (CEO): arrested 2023; pleaded guilty fraud + commodities + market manipulation 2024; sentenced 2025 to 12 years.
Recovery: ~80% via judicial process distribution (BTC/ETH at time-of-bankruptcy prices — much lower than 2024-2025 recoveries would represent).
16. Voyager Digital (jul/2022)
Exchange. Exposure 3AC ($650M unsecured loan). Bankruptcy.
FTX bid to acquire Voyager → fell through with FTX collapse. Coinbase acquired customer assets later.
17. FTX collapse (nov/2022)
Largest fraud em crypto history. Second-largest exchange globally pre-collapse.
Background
- Sam Bankman-Fried (SBF) founded 2019.
- Alameda Research: SBF's trading firm (founded 2017).
- FTX peak ~US$ 32B valuation (Jan 2022). Sponsorships: Tom Brady, Larry David, Stephen Curry, Miami Heat arena.
- "Effective Altruism" public persona.
Collapse (Nov 2022)
- Nov 2: CoinDesk article reveals Alameda balance sheet 40% FTT (FTX's own token). Reflexive value.
- Nov 6: Binance CEO CZ announces selling FTT.
- Nov 8: bank run on FTX. Halts withdrawals.
- Nov 11: FTX, Alameda, ~130 affiliated entities file Chapter 11.
- Nov 11-12: ~US$ 477M drained from FTX wallets ("the hack" or insider exit?).
Revelations
- FTX had commingled customer funds with Alameda.
- Alameda borrowed customer deposits (~US$ 8-10B) for speculative trades.
- "Slush fund" code in FTX exchange backend hiding negative Alameda balance.
- FTX had no risk team, no CFO, no proper governance.
Trials
- SBF arrested Bahamas Dec 12, 2022. Extradited.
- Trial Oct-Nov 2023: convicted 7 counts wire fraud, conspiracy, money laundering.
- Sentenced Mar 2024: 25 years prison + US$ 11B forfeiture.
- Caroline Ellison (Alameda CEO): cooperative; sentenced 2 years.
- Gary Wang (FTX CTO): cooperative; sentenced ~0 years (time served + supervised).
- Nishad Singh (FTX engineering): cooperative.
- Ryan Salame (FTX co-CEO): 7.5 years.
Recovery
Surprisingly strong: ~119% on USD claim value (using Nov 2022 prices), boosted by BTC appreciation + recovered assets + tax overpayment refunds.
Lição: trust verifiable proof-of-reserves; "celebrity CEO" doesn't replace due diligence; regulatory gaps exploitable.
18. BlockFi (nov/2022)
Crypto lender. Exposed to FTX (Alameda loan default + FTX collateral seizure). Chapter 11.
Customer recovery ~50-100% depending on tier.
19. Genesis (jan/2023)
Crypto prime broker. Exposure to 3AC + FTX. Bankruptcy. Major creditor to Gemini Earn → Gemini-Genesis dispute, eventual settlement.
20. Euler Finance hack (mar/2023)
Lending protocol. US$ 200M drained via faulty liquidation function.
- Donation function had insufficient health check.
- Attacker leveraged → self-liquidated → recovered loss as "donor".
White hat resolution: attacker returned all funds after dialog with Euler team. Among the few major DeFi hacks fully recovered.
21. Curve Finance Vyper bug (jul/2023)
Compiler bug (Vyper versions 0.2.15-0.3.0) — improper reentrancy locks em certain pools.
Affected pools: CRV/ETH, alETH, msETH, pETH. US$ 73M drained.
White-hats recovered $25M; rest mixed recovery (half returned by hacker dialog, rest mixed).
Lição: language compiler bugs can affect production. Curve recovered but ecosystem shook.
22. Multichain saga (jul/2023)
Cross-chain bridge protocol. CEO Zhaojun disappeared (arrested by Chinese authorities). Without his keys, protocol can't operate. US$ 130M+ stuck/lost.
Lesson: centralized actors em "decentralized" bridges = catastrophic failure mode.
23. Stake.com hack (set/2023)
Crypto casino. Hot wallet compromised. US$ 41M.
Lazarus attributed.
24. KyberSwap hack (nov/2023)
KyberSwap Elastic (concentrated liquidity AMM). US$ 47M drained via complex precision exploit.
25. Orbit Chain hack (jan/2024)
Cross-chain bridge Korea-based. US$ 82M.
Lazarus attributed.
26. Munchables (mar/2024)
GameFi project em Blast. Insider attack — N. Korean dev hired as engineer accessed contracts. ~US$ 62M.
Recovery: insider returned funds after social pressure + identification.
27. WazirX hack (jul/2024)
Indian exchange. US$ 235M drained from multisig wallet. Compromised signer keys.
Lazarus attributed (signature: Tornado Cash mixing patterns).
WazirX filing restructuring. Customers heavy losses; partial socialization plan controversial.
28. Bybit hack (fev/2025)
Largest exchange hack ever. US$ 1.5B (~400k ETH) drained from cold wallet.
- Lazarus Group (N. Korea, official US/UK attribution).
- Method: compromised UI of multisig signing tool (Safe.global / smart contract wallets); signers approved malicious tx thinking it was routine.
- Bybit operationally solvent — uses own treasury + loans + sells assets to backfill.
- Industry response: tightened cold wallet signing UX, hardware-level verification standards.
29. Other notable 2024-2025 hacks (not exhaustive)
| Date | Target | Loss |
|---|---|---|
| Jan 2024 | Cronos PlayDapp | US$ 290M |
| Mar 2024 | Curio Network | US$ 16M |
| May 2024 | Gala Games | US$ 200M (recovered) |
| Jul 2024 | Compound Finance | US$ 24M (recovered via votação) |
| Sep 2024 | Penpie | US$ 27M |
| Mar 2025 | Hyperliquid JELLY | ~US$ 13M (gov vault auto-liquidation forced exception) |
| Apr 2025 | DEXX | US$ 21M |
30. Smart contract bug categories
Reentrancy
- The DAO (2016).
- Imperial College Lendf.me (2020) — US$ 25M ERC-777 reentrancy.
- Cream Finance (2021 x3).
- Burgerswap (2021).
- Siren Protocol (2021).
Flash loan + oracle manipulation
- Harvest Finance (2020): US$ 24M, Curve y-pool.
- Pickle Finance (2020): US$ 20M.
- bZx (2020 x2).
- Cream (2021).
- Mango Markets (2022): Avi Eisenberg drained ~US$ 117M via MNGO collateral manipulation; convicted commodities fraud + market manipulation 2024.
Math / precision
- Compound DAI/USDC reward bug (2021): US$ 80M user overpayment (recovered most).
- Curve Vyper compiler (2023).
Logic bugs
- Nomad bridge (Aug 2022): initialization bug → US$ 190M everyone-drains; "free for all" mempool race.
- Beanstalk (2022): governance + flash loan.
Signature bypass
- Wormhole (2022).
- BNB Bridge (2022): US\( 570M minted (post-chain halt, ~\)100M extracted).
Centralized key compromise
- Ronin (2022).
- WazirX (2024).
- Bybit (2025).
31. Hacking groups
Lazarus Group (DPRK)
State-sponsored. Estimated US$ 3-4B stolen 2017-2025 from crypto. Funds North Korean nuclear program (per US/UN reports).
Recent attribution: Ronin, Atomic Wallet, CoinEx, Stake.com, Orbit, WazirX, Bybit.
Tactics:
- Spear phishing of senior engineers (LinkedIn).
- Trojanized job applications.
- Maintaining N. Korean IT contractors in US/EU exchanges (HR phishing).
Other state actors
China-attributed less common but suspected in select cases. Russia-attributed in some early Bitcoin-era hacks.
Cybercriminal gangs
DarkSide (Colonial Pipeline), Conti, REvil — ransomware groups demanding BTC. Mostly Russian-affiliated.
"Solo black hats"
Individuals exploiting smart contract bugs. Often demand bounties or anonymize → cash out.
"White hats / grey hats"
Sometimes return funds (PolyNetwork, Euler) for reputation or fear of consequences.
32. Anti-money laundering responses
Tornado Cash sanctions
OFAC sanctioned the smart contract (Aug 2022). First time code itself sanctioned. Roman Storm + Alexey Pertsev charged (developers).
Pertsev convicted in Netherlands (May 2024), 64-month sentence — appeal pending.
Storm US trial: 2024 set; later 2025 trial. Conviction (mixed).
Van Loon v. Treasury (5th Circuit, Aug 2024): OFAC overreached on immutable contracts; vacated for those. Mutable smart contracts can still be sanctioned.
Trump administration (2025): rescinded some sanctions; pivoted softer on Tornado.
Chain analytics
Chainalysis, TRM Labs, Elliptic — track flows, work with law enforcement. Help recover hundreds of millions per year.
33. Lessons by category
Don't custody if you can avoid
Self-custody >= custodial. Exchanges can fail (Mt. Gox, FTX, QuadrigaCX, BlockFi, Celsius...).
Verify proof-of-reserves
Post-FTX, exchanges publish PoR (Merkle tree of liabilities, on-chain reserves). Imperfect but signal.
Smart contracts need audits + bug bounties + formal verification
Reentrancy patterns documented; CEI mandatory; flash loan attack surface understood.
Bridges = honeypots
Be skeptical of new cross-chain bridges. Prefer canonical (CCTP, native rollup) or large-TVL battle-tested.
Algorithmic stablecoins → death spiral risk
UST proved. USDe (Ethena) less reflexive but counterparty risk to perp venues.
Centralized "decentralized" actors
Multisig N-of-M is only as good as keyholder OPSEC. Ronin 59 was actually 49.
Front-end vs protocol
Many "hacks" compromise UI not protocol. Signing safely critical.
Lazarus is a thing
N. Korean state APT targeting crypto persistently. Treat OPSEC accordingly.
34. References + tracking
- Rekt.news: rekt leaderboard of DeFi/crypto hacks.
- CertiK Skynet: hack alerts.
- Chainalysis annual crypto crime reports.
- TRM Labs: AML/financial crime reports.
- De.Fi REKT Database.
- Web3 Is Going Just Great (Molly White): chronicle of hacks.
35. Referência cruzada
- Smart contract bug categories:
08-smart-contracts.md§SWC. - Bridge architecture vulnerabilities:
11-bridges-interop.md. - Stablecoin design failures:
09-defi.md§Stablecoins. - Cripto-specific attacks:
../cryptography/11-ataques.md. - Regulatory response:
13-regulacao.md. - Koder Stack lessons:
15-koder-aplicada.md.