The biggest crypto heists of all time

The biggest crypto heists to date are MT Gox, Bitgrail, Coincheck, KuCoin, PancakeBunny, Poly Network, Cream Finance, BadgerDAO, Vulcan Forged and Bitmart.

MT Gox

MT Gox was the first large-scale exchange hack, and it remains the most significant Bitcoin (BTC) heist from an exchange. The MT Gox robbery, on the other hand, was not a one-off occurrence. Rather, the site leaked cash from 2011 to February 2014.

Hackers stole 100,000 BTC from the exchange and 750,000 BTC from its consumers over a few years. These Bitcoin burglaries were valued at $470 million at the time, but they’re now worth approximately ten times this amount. Shortly after the theft, MT Gox went into liquidation, with liquidators recovering roughly 200,000 of the stolen BTC.

Bitgrail

Bitgrail was a small Italian exchange that traded in obscure cryptos like Nano (XNO). The exchange was hacked in February 2018, just as the price of XNO soared from a few cents to $33. At least 17 million coins (the equivalent of about $150 million) were taken from Nano wallets.

Many users began to express their dissatisfaction with the exchange before the attack (significantly lower withdrawal limits and transaction problems). According to the investigations, the coins were stolen from cold—not hot— wallets. Investigations persisted throughout the preceding three years, with Italian authorities now charging Bitgrail’s owner of being behind the attacks.

Coincheck

Coincheck, based in Japan, had $530 million worth of NEM (XEM) tokens stolen in January 2018. Hackers took advantage of the fact that the currency was kept in a “hot” wallet, which meant it was connected to the server and thus “online” (a cold wallet sees funds stored offline).

The stolen coins were identified and marked as such by NEM developers, although there was conjecture that the monies were available on dark markets.

However, given how much the coins lost in value following the attack, it’s unlikely that many people would have thought this was a good deal (the coins are now worth 83% less than they were—roughly $90 million).

KuCoin

KuCoin announced in September 2020 that hackers had obtained private keys to their hot wallets before withdrawing substantial quantities of Ethereum (ETH), BTC, Litecoin (LTC), Ripple (XRP), Stellar Lumens (XLM), Tron (TRX) and Tether (USDT). Since then, experts have claimed that they have reasonable cause to assume that crypto heist hackers are North Korean.

PancakeBunny

This flash loan attack, in which hackers were able to siphon $200 million from the platform, occurred in May 2021 and is among the more severe cases of cryptocurrency theft. The hacker loaned a big sum of Binance Coin (BNB) before manipulating its price and selling it on PancakeBunny’s BUNNY/BNB market to carry out the attack.

This allowed the hacker to obtain a large number of BUNNY via a flash loan, dump all of the BUNNY on the market to lower the price, and then repay the BNB using PancakeSwap.

Poly Network

In August 2021, a hacker exploited a vulnerability in Poly Network’s infrastructure and stole funds totaling more than $600 million. They didn’t get away with their reward, though, in an odd twist. Instead, the hacker approached the platform and agreed to return the majority of the funds, except $33 million in Tether (USDT) that had been frozen by the issuers.

But the saga didn’t end there: $200 million of the stolen assets were locked away in an account that required the hacker’s password, according to Poly Network. The hacker initially refused to hand over the hacked crypto.

That is, until Poly Network pleaded with them to release it, gave them a $500,000 reward for discovering the system flaw, and even offered them a job! Poly Network later revealed that the private key had been handed to them by “Mr. White Hat.”

Cream Finance

Not only did hackers steal $130 million in the October 2021 incident related to robbing a cryptocurrency, but it was also Cream Finance’s third attack of the year. Hackers took $37 million in February 2021 and $19 million in August 2021.

In the most recent attack, hackers used what was deemed a flaw in the DeFi platform’s flash lending system. On the Ethereum network, they were able to take all of Cream Finance’s tokens and assets, totaling $130 million.

BadgerDAO

A hacker succeeded in stealing assets from multiple cryptocurrency wallets on the DeFi network, BadgerDAO, in December 2021. The problem is thought to have started on November 10 when a malicious script was injected into the website’s user interface.

Users’ transactions may have been intercepted while the script was active. The attacker took 896 BTC valued at roughly $50 million at that time.

Vulcan Forged

In December 2021, hackers stole $135 million from Vulcan Forged, a blockchain gaming startup. They stole private keys to 96 separate wallets before draining 4.5 million PYR tokens from them.

Bitmart

In December 2021, a hack of Bitmart’s hot wallet resulted in the theft of about $200 million. At first, it was thought that $100 million had been stolen via the Ethereum blockchain, but additional research found that another $96 million had been stolen via the Binance Smart Chain blockchain.

Over 20 tokens were taken, including altcoins such as BSC-USD, Binance Coin (BNB), BNBBPay (BPay), and Safemoon, as well as substantial quantities of Moonshot (MOONSHOT), Floki Inu (FLOKI) and BabyDoge (BabyDoge).

window.fbAsyncInit = function () { FB.init({ appId: ‘1922752334671725’, xfbml: true, version: ‘v2.9’ }); FB.AppEvents.logPageView(); }; (function (d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) { return; } js = d.createElement(s); js.id = id; js.src = “https://connect.facebook.net/en_US/sdk.js”; js.defer = true; fjs.parentNode.insertBefore(js, fjs); }(document, ‘script’, ‘facebook-jssdk’)); !function (f, b, e, v, n, t, s) { if (f.fbq) return; n = f.fbq = function () { n.callMethod ? n.callMethod.apply(n, arguments) : n.queue.push(arguments) }; if (!f._fbq) f._fbq = n; n.push = n; n.loaded = !0; n.version = ‘2.0’; n.queue = []; t = b.createElement(e); t.defer = !0; t.src = v; s = b.getElementsByTagName(e)[0]; s.parentNode.insertBefore(t, s) }(window, document, ‘script’, ‘https://connect.facebook.net/en_US/fbevents.js’); fbq(‘init’, ‘1922752334671725’); fbq(‘track’, ‘PageView’);