14 — Incidentes Históricos

Hacks, colapsos, exploits, frauds. Aprendizado de cada caso. Categorias: protocol hacks, bridge hacks, exchange hacks/collapses, stablecoin failures, governance attacks, MEV, smart contract bugs.


1. Mt. Gox (2014)

Exchange collapse pioneiro. Tokyo-based, ex-Magic: The Gathering cards trading site. Maior exchange Bitcoin de 2010-2014.

Fevereiro 2014: anuncia perda de 850.000 BTC (~US\( 450M na época; ~US\) 50B+ em 2026).

  • Causa: combinação de bug em malleability + roubos internos progressivos ao longo de anos.
  • CEO Mark Karpelès preso em 2015 — solto 2016, condenado 2019 (sentença suspensa por falsificação de records).
  • Falência judicial → conversão em proceedings civis.
  • 2024-2025: 142k BTC distribuídos aos credores (17% recovery).
  • ~75k+ creditors esperando.

Lição: exchanges custodiais são pontos únicos de falha. "Not your keys, not your coins" como ditado nasceu daqui.


2. The DAO Hack (jun/2016)

Primeiro grande hack Ethereum.

The DAO: investment fund descentralizado em Ethereum, raised US$ 150M em ETH (crowdsale abr/2016 — 14% de todo ETH então circulante).

17 jun/2016: atacante explora reentrancy bug em splitDAO function. Drains 3.6M ETH (US$ 60M).

Resposta:

  • 28-day "challenge period" inerente a DAO contract.
  • Comunidade Ethereum vota hard fork pra reverter.
  • 20 jul/2016: hard fork executado. Maioria adota.
  • Minoria mantém chain original → Ethereum Classic (ETC).

Atacante: nunca formalmente identificado; speculation Toby Hoenisch (questionada).

Lição:

  • Reentrancy = primeiro grande padrão de bug em smart contracts.
  • Checks-Effects-Interactions pattern emerges.
  • Imutabilidade vs governance discussion permanent.

3. Bitfinex hack (ago/2016)

Exchange hack. ~119.756 BTC roubados de hot wallet Bitfinex.

  • Bitfinex emite BFX tokens (efetivamente IOUs); resgata em ~8 meses via revenue.
  • 2022: DOJ apreende 94.000 BTC restantes (~US$ 3.6B na época). Casal Ilya Lichtenstein + Heather Morgan ("Razzlekhan") preso.
  • 2023: Lichtenstein pleads guilty; sentenced 2024 5 anos prisão.

Lição: criminosos podem deter BTC anos mas tracing on-chain eventualmente captura. Chainalysis maturidade.


4. Parity Multisig hacks (2017)

Parity Wallet hack #1 (jul/2017)

Bug em wallet contract permite atacante reset ownership. 150k ETH drained (~US$ 30M).

Parity Wallet freeze (nov/2017)

User "devops199" "acidentalmente" trigger kill() no library contract. ~513k ETH frozen forever (~US$ 280M na época).

Parity propôs EIP-867 para recovery; Ethereum community rejeitou (princípio imutability pós-DAO).

Lição: complex multisig wallets têm attack surface. Standardization (Gnosis Safe / Safe) pós-isso domina.


5. Coincheck hack (jan/2018)

Exchange japonesa, US$ 530M em NEM roubados (hot wallet sem multisig). Hot wallet design negligente.

Lição: cold/hot wallet separation crítica. Japão regulação tightened pós-isso.


6. QuadrigaCX (2019)

Exchange canadense colapsa. CEO Gerald Cotten morto na Índia (suspeita controversa). Sem ele, contas crypto inacessíveis (allegedly).

Investigação revelou: Cotten estava operando Ponzi com fundos clientes; "frozen funds" desculpa.

Loss: ~C$ 215M.

Documentary "Trust No One: The Hunt for the Crypto King" (Netflix 2022).


7. Plus Token Ponzi (2018-2019)

Chinese-South Korean Ponzi disfarçado de "high-yield wallet". Stole ~US$ 5.7B em BTC, ETH, EOS.

Multiple operators arrested China 2020. Coins gradually moved to mixers + exchanges → suspected drove BTC sell pressure em 2019.


8. KuCoin hack (set/2020)

Exchange hack: US$ 285M roubado. KuCoin recovers ~84% via partnerships + chain reorg requests + asset issuer help (token issuers froze drained tokens).

Lazarus suspected.


9. PolyNetwork hack (ago/2021)

Cross-chain bridge. US$ 611M drained — largest at time.

Atacante: white-hat-style. Returned funds dentro de uma semana, dialoged via tx messages.

PolyNetwork ofereceu chief security advisor role; declined.

Lição: bridges são honeypots. Cross-chain message verification difícil.


10. Cream Finance hacks (2021)

3 hacks em 1 ano:

  • Feb: US$ 37M (flash loan).
  • Aug: US$ 19M (flash loan exploitation Yearn integration).
  • Oct: US$ 130M (flash loan + price oracle manipulation).

Lição: flash loan vector consolidated as major DeFi threat.


11. Wormhole hack (fev/2022)

Bridge Ethereum-Solana. US$ 320M em wETH minted sem backing por signature verification bug.

Jump Trading (parent of Wormhole/Jump Crypto) bailed out — replenished US$ 320M de própria treasury overnight.

Lição: rich backstop rare; centralized recovery saves users mas not decentralized.


12. Ronin Bridge hack (mar/2022)

US$ 625M, largest DeFi/bridge hack at time.

Axie Infinity's Ronin sidechain bridge. 5 of 9 validator signatures required. Sky Mavis (Axie devs) ran 4; Axie DAO ran 1 backup (delegated to Sky Mavis temporarily after Nov 2021 load spike). Attacker compromised 4 Sky Mavis nodes via phishing (LinkedIn job lure → malware on senior engineer).

Drain: 173,600 ETH + 25.5M USDC.

Lazarus (N. Korea) attributed.

Sky Mavis raised US$ 150M led by Binance; partial recovery of users.

Lição: 59 not actually 59. Validator concentration risk. Phishing OPSEC critical.


13. Terra Luna / UST collapse (mai/2022)

Largest stablecoin failure ever. US$ ~60B evaporated em 1 semana.

Mechanics

UST: algorithmic stablecoin. Burn LUNA → mint US$1 of UST (and vice-versa). Maintenance via arbitrage.

Anchor Protocol: paid ~20% APY em UST deposits (unsustainable; subsidized by Terraform Labs reserves).

Cascade (May 2022)

  • 7 mai 2022: large UST sell from 4-pool em Curve. Slight de-peg.
  • 9-10 mai: panic → mass redemption.
  • Burn UST → mint LUNA: LUNA supply explodes from 350M to 6.5T em days.
  • Hyperinflation: LUNA price crashes 99.99%.
  • UST de-pegs to ~US$0.02.

Total loss: ~US$ 60B in marketcap.

Aftermath

  • Do Kwon (founder) hides em Montenegro; arrested 2023; awaiting extradition.
  • South Korea seeking US$1B asset seizure.
  • US SEC charges Kwon + Terraform Labs (2023).
  • Terra 2.0 (new LUNA, abandoned UST) — minor adoption.
  • Trigger to Three Arrows Capital, Celsius, Voyager, BlockFi collapses.

Lição: algorithmic stablecoins with reflexive collateral = ticking bomb. "It's not algorithmic, it's a Ponzi" (Sam Trabucco, others rebuked Kwon's defenders).


14. Three Arrows Capital (3AC) collapse (jun/2022)

Hedge fund. US$ 18B AUM at peak. Massive leverage. Cascaded from Terra Luna loss.

  • Founders Su Zhu + Kyle Davies. Singapore-based.
  • Defaulted on US$ 3.5B+ creditor loans.
  • Filed bankruptcy Jun 2022.
  • Founders fled, hid mais de 1 ano. Caught Aug 2023.

Cascaded: Voyager Digital bankruptcy (Jul 2022, exposure 3AC), BlockFi struggles.


15. Celsius Network collapse (jul/2022)

Crypto lender. 1.7M users, US$ 25B AUM peak.

  • Promised high yields (~17% APY) via reckless DeFi exposure.
  • Mai/2022: rumours sobre exposure.
  • Jun 12: halts withdrawals.
  • Jul 13: files Chapter 11 bankruptcy.

Alex Mashinsky (CEO): arrested 2023; pleaded guilty fraud + commodities + market manipulation 2024; sentenced 2025 to 12 years.

Recovery: ~80% via judicial process distribution (BTC/ETH at time-of-bankruptcy prices — much lower than 2024-2025 recoveries would represent).


16. Voyager Digital (jul/2022)

Exchange. Exposure 3AC ($650M unsecured loan). Bankruptcy.

FTX bid to acquire Voyager → fell through with FTX collapse. Coinbase acquired customer assets later.


17. FTX collapse (nov/2022)

Largest fraud em crypto history. Second-largest exchange globally pre-collapse.

Background

  • Sam Bankman-Fried (SBF) founded 2019.
  • Alameda Research: SBF's trading firm (founded 2017).
  • FTX peak ~US$ 32B valuation (Jan 2022). Sponsorships: Tom Brady, Larry David, Stephen Curry, Miami Heat arena.
  • "Effective Altruism" public persona.

Collapse (Nov 2022)

  • Nov 2: CoinDesk article reveals Alameda balance sheet 40% FTT (FTX's own token). Reflexive value.
  • Nov 6: Binance CEO CZ announces selling FTT.
  • Nov 8: bank run on FTX. Halts withdrawals.
  • Nov 11: FTX, Alameda, ~130 affiliated entities file Chapter 11.
  • Nov 11-12: ~US$ 477M drained from FTX wallets ("the hack" or insider exit?).

Revelations

  • FTX had commingled customer funds with Alameda.
  • Alameda borrowed customer deposits (~US$ 8-10B) for speculative trades.
  • "Slush fund" code in FTX exchange backend hiding negative Alameda balance.
  • FTX had no risk team, no CFO, no proper governance.

Trials

  • SBF arrested Bahamas Dec 12, 2022. Extradited.
  • Trial Oct-Nov 2023: convicted 7 counts wire fraud, conspiracy, money laundering.
  • Sentenced Mar 2024: 25 years prison + US$ 11B forfeiture.
  • Caroline Ellison (Alameda CEO): cooperative; sentenced 2 years.
  • Gary Wang (FTX CTO): cooperative; sentenced ~0 years (time served + supervised).
  • Nishad Singh (FTX engineering): cooperative.
  • Ryan Salame (FTX co-CEO): 7.5 years.

Recovery

Surprisingly strong: ~119% on USD claim value (using Nov 2022 prices), boosted by BTC appreciation + recovered assets + tax overpayment refunds.

Lição: trust verifiable proof-of-reserves; "celebrity CEO" doesn't replace due diligence; regulatory gaps exploitable.


18. BlockFi (nov/2022)

Crypto lender. Exposed to FTX (Alameda loan default + FTX collateral seizure). Chapter 11.

Customer recovery ~50-100% depending on tier.


19. Genesis (jan/2023)

Crypto prime broker. Exposure to 3AC + FTX. Bankruptcy. Major creditor to Gemini Earn → Gemini-Genesis dispute, eventual settlement.


20. Euler Finance hack (mar/2023)

Lending protocol. US$ 200M drained via faulty liquidation function.

  • Donation function had insufficient health check.
  • Attacker leveraged → self-liquidated → recovered loss as "donor".

White hat resolution: attacker returned all funds after dialog with Euler team. Among the few major DeFi hacks fully recovered.


21. Curve Finance Vyper bug (jul/2023)

Compiler bug (Vyper versions 0.2.15-0.3.0) — improper reentrancy locks em certain pools.

Affected pools: CRV/ETH, alETH, msETH, pETH. US$ 73M drained.

White-hats recovered $25M; rest mixed recovery (half returned by hacker dialog, rest mixed).

Lição: language compiler bugs can affect production. Curve recovered but ecosystem shook.


22. Multichain saga (jul/2023)

Cross-chain bridge protocol. CEO Zhaojun disappeared (arrested by Chinese authorities). Without his keys, protocol can't operate. US$ 130M+ stuck/lost.

Lesson: centralized actors em "decentralized" bridges = catastrophic failure mode.


23. Stake.com hack (set/2023)

Crypto casino. Hot wallet compromised. US$ 41M.

Lazarus attributed.


24. KyberSwap hack (nov/2023)

KyberSwap Elastic (concentrated liquidity AMM). US$ 47M drained via complex precision exploit.


25. Orbit Chain hack (jan/2024)

Cross-chain bridge Korea-based. US$ 82M.

Lazarus attributed.


26. Munchables (mar/2024)

GameFi project em Blast. Insider attack — N. Korean dev hired as engineer accessed contracts. ~US$ 62M.

Recovery: insider returned funds after social pressure + identification.


27. WazirX hack (jul/2024)

Indian exchange. US$ 235M drained from multisig wallet. Compromised signer keys.

Lazarus attributed (signature: Tornado Cash mixing patterns).

WazirX filing restructuring. Customers heavy losses; partial socialization plan controversial.


28. Bybit hack (fev/2025)

Largest exchange hack ever. US$ 1.5B (~400k ETH) drained from cold wallet.

  • Lazarus Group (N. Korea, official US/UK attribution).
  • Method: compromised UI of multisig signing tool (Safe.global / smart contract wallets); signers approved malicious tx thinking it was routine.
  • Bybit operationally solvent — uses own treasury + loans + sells assets to backfill.
  • Industry response: tightened cold wallet signing UX, hardware-level verification standards.

29. Other notable 2024-2025 hacks (not exhaustive)

Date Target Loss
Jan 2024 Cronos PlayDapp US$ 290M
Mar 2024 Curio Network US$ 16M
May 2024 Gala Games US$ 200M (recovered)
Jul 2024 Compound Finance US$ 24M (recovered via votação)
Sep 2024 Penpie US$ 27M
Mar 2025 Hyperliquid JELLY ~US$ 13M (gov vault auto-liquidation forced exception)
Apr 2025 DEXX US$ 21M

30. Smart contract bug categories

Reentrancy

  • The DAO (2016).
  • Imperial College Lendf.me (2020) — US$ 25M ERC-777 reentrancy.
  • Cream Finance (2021 x3).
  • Burgerswap (2021).
  • Siren Protocol (2021).

Flash loan + oracle manipulation

  • Harvest Finance (2020): US$ 24M, Curve y-pool.
  • Pickle Finance (2020): US$ 20M.
  • bZx (2020 x2).
  • Cream (2021).
  • Mango Markets (2022): Avi Eisenberg drained ~US$ 117M via MNGO collateral manipulation; convicted commodities fraud + market manipulation 2024.

Math / precision

  • Compound DAI/USDC reward bug (2021): US$ 80M user overpayment (recovered most).
  • Curve Vyper compiler (2023).

Logic bugs

  • Nomad bridge (Aug 2022): initialization bug → US$ 190M everyone-drains; "free for all" mempool race.
  • Beanstalk (2022): governance + flash loan.

Signature bypass

  • Wormhole (2022).
  • BNB Bridge (2022): US\( 570M minted (post-chain halt, ~\)100M extracted).

Centralized key compromise

  • Ronin (2022).
  • WazirX (2024).
  • Bybit (2025).

31. Hacking groups

Lazarus Group (DPRK)

State-sponsored. Estimated US$ 3-4B stolen 2017-2025 from crypto. Funds North Korean nuclear program (per US/UN reports).

Recent attribution: Ronin, Atomic Wallet, CoinEx, Stake.com, Orbit, WazirX, Bybit.

Tactics:

  • Spear phishing of senior engineers (LinkedIn).
  • Trojanized job applications.
  • Maintaining N. Korean IT contractors in US/EU exchanges (HR phishing).

Other state actors

China-attributed less common but suspected in select cases. Russia-attributed in some early Bitcoin-era hacks.

Cybercriminal gangs

DarkSide (Colonial Pipeline), Conti, REvil — ransomware groups demanding BTC. Mostly Russian-affiliated.

"Solo black hats"

Individuals exploiting smart contract bugs. Often demand bounties or anonymize → cash out.

"White hats / grey hats"

Sometimes return funds (PolyNetwork, Euler) for reputation or fear of consequences.


32. Anti-money laundering responses

Tornado Cash sanctions

OFAC sanctioned the smart contract (Aug 2022). First time code itself sanctioned. Roman Storm + Alexey Pertsev charged (developers).

Pertsev convicted in Netherlands (May 2024), 64-month sentence — appeal pending.

Storm US trial: 2024 set; later 2025 trial. Conviction (mixed).

Van Loon v. Treasury (5th Circuit, Aug 2024): OFAC overreached on immutable contracts; vacated for those. Mutable smart contracts can still be sanctioned.

Trump administration (2025): rescinded some sanctions; pivoted softer on Tornado.

Chain analytics

Chainalysis, TRM Labs, Elliptic — track flows, work with law enforcement. Help recover hundreds of millions per year.


33. Lessons by category

Don't custody if you can avoid

Self-custody >= custodial. Exchanges can fail (Mt. Gox, FTX, QuadrigaCX, BlockFi, Celsius...).

Verify proof-of-reserves

Post-FTX, exchanges publish PoR (Merkle tree of liabilities, on-chain reserves). Imperfect but signal.

Smart contracts need audits + bug bounties + formal verification

Reentrancy patterns documented; CEI mandatory; flash loan attack surface understood.

Bridges = honeypots

Be skeptical of new cross-chain bridges. Prefer canonical (CCTP, native rollup) or large-TVL battle-tested.

Algorithmic stablecoins → death spiral risk

UST proved. USDe (Ethena) less reflexive but counterparty risk to perp venues.

Centralized "decentralized" actors

Multisig N-of-M is only as good as keyholder OPSEC. Ronin 59 was actually 49.

Front-end vs protocol

Many "hacks" compromise UI not protocol. Signing safely critical.

Lazarus is a thing

N. Korean state APT targeting crypto persistently. Treat OPSEC accordingly.


34. References + tracking

  • Rekt.news: rekt leaderboard of DeFi/crypto hacks.
  • CertiK Skynet: hack alerts.
  • Chainalysis annual crypto crime reports.
  • TRM Labs: AML/financial crime reports.
  • De.Fi REKT Database.
  • Web3 Is Going Just Great (Molly White): chronicle of hacks.

35. Referência cruzada

  • Smart contract bug categories: 08-smart-contracts.md §SWC.
  • Bridge architecture vulnerabilities: 11-bridges-interop.md.
  • Stablecoin design failures: 09-defi.md §Stablecoins.
  • Cripto-specific attacks: ../cryptography/11-ataques.md.
  • Regulatory response: 13-regulacao.md.
  • Koder Stack lessons: 15-koder-aplicada.md.