Summary
On January 26, 2018, the Japanese exchange Coincheck lost about 523 million NEM (XEM), worth roughly $530 million at the time, in what was then the largest cryptocurrency theft on record. The root cause was a hot-wallet private-key compromise enabled by weak custody design: Coincheck kept its entire NEM balance in a single internet-connected hot wallet controlled by an ordinary single-signature NEM account, and it had not enabled NEM's built-in multisignature feature even though the protocol offered it. Attackers used a phishing/social-engineering campaign to plant malware on an employee terminal that had access to the key, extracted that one private key, and swept the entire XEM balance out to attacker-controlled addresses. With no multisig threshold and no cold storage for the bulk of funds, one compromised key was sufficient to drain everything. No attacker was ever formally charged; the intrusion was traced to the malware planted on the employee terminal. Coincheck reimbursed roughly 260,000 affected holders from its own capital at about 88.5 JPY per XEM.
How to avoid it in your code
- Store the bulk of assets in cold storage; cap hot-wallet balances to operational needs.
- Require multisig or MPC/threshold signing on hot wallets so a single key cannot move funds.
- Harden and isolate signing terminals; block email/web access on machines holding keys.
- Enforce least-privilege infra and key segregation with hardware security modules.
- Add withdrawal rate limits and anomaly detection to catch mass single-transaction sweeps.
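The controls above, as an added illustration that is not Coincheck's code and does not use the NEM API: a hypothetical pre-signing policy engine for a custodial hot wallet that enforces an m-of-n approval threshold, a per-transaction cap, a rolling-window cap and a sweep-anomaly check, then runs a constructed scenario in which a single stolen key tries to move the entire hot balance in one transaction. All key names, caps, balances and timings are assumptions chosen for the example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class HotWalletPolicy:
    """Hypothetical withdrawal policy for a custodial hot wallet (added example,
    not Coincheck's code or the NEM API). Amounts are whole XEM, times are
    seconds. Each check is one that a lone stolen key would have tripped."""
    approver_keys: frozenset          # the n authorised signing keys
    required_approvals: int           # m in m-of-n; must be at least 2
    per_tx_cap: int                   # largest single withdrawal
    window_cap: int                   # total allowed inside the rolling window
    window_seconds: int
    sweep_fraction: float = 0.25      # flag a tx moving more than this share of the balance
    _history: deque = field(default_factory=deque, repr=False)  # (time, amount) of approved txs

    def __post_init__(self):
        # A 1-of-n policy is a single-signature wallet with extra steps.
        if self.required_approvals < 2 or self.required_approvals > len(self.approver_keys):
            raise ValueError("required_approvals must be between 2 and len(approver_keys)")

    def _spent_in_window(self, now):
        # Drop approvals that have aged out of the window, then sum the rest.
        while self._history and now - self._history[0][0] >= self.window_seconds:
            self._history.popleft()
        return sum(amount for _, amount in self._history)

    def evaluate(self, now, amount, hot_balance, approvals):
        """Return (allowed, failed_checks). The tx is recorded only when allowed."""
        failed = []
        # Only distinct keys from the approver set count; unknown or repeated keys do not.
        if len(set(approvals) & self.approver_keys) < self.required_approvals:
            failed.append("insufficient_approvals")
        if amount > self.per_tx_cap:
            failed.append("per_tx_cap")
        if self._spent_in_window(now) + amount > self.window_cap:
            failed.append("window_cap")
        if amount > hot_balance:
            failed.append("exceeds_hot_balance")
        elif hot_balance > 0 and amount / hot_balance > self.sweep_fraction:
            failed.append("sweep_anomaly")   # mass sweep of the hot wallet
        if not failed:
            self._history.append((now, amount))
        return not failed, failed


def simulate_single_key_sweep():
    """Constructed scenario: an attacker holding one stolen key tries to move
    the whole hot balance in a single transaction, as happened at Coincheck."""
    policy = HotWalletPolicy(
        approver_keys=frozenset({"ops-hsm-1", "ops-hsm-2", "ops-hsm-3"}),  # assumed names
        required_approvals=2,
        per_tx_cap=100_000,
        window_cap=250_000,
        window_seconds=3600,
    )
    hot_balance = 2_000_000  # assumed operational float; the rest sits in cold storage
    return policy.evaluate(now=0, amount=hot_balance, hot_balance=hot_balance,
                           approvals=["ops-hsm-1"])


if __name__ == "__main__":
    allowed, why = simulate_single_key_sweep()
    print("allowed" if allowed else "blocked: " + ", ".join(why))
```

The engine is meant to sit in front of the signer: the signing service releases a signature only when evaluate() returns allowed. Note the caveat this implies: a server-side policy check is only as strong as the isolation of the raw key, because whoever extracts the key can sign outside the service entirely. That is why the multisig/MPC item above matters independently, since an on-chain threshold makes one stolen key insufficient no matter what the server does.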
References
- https://www.cnbc.com/2018/01/26/japanese-cryptocurrency-exchange-loses-more-than-500-million-to-hackers.html
- https://cyberscoop.com/coincheck-hack-nem-cryptocurrency/
- https://www.coindesk.com/markets/2018/03/08/coincheck-crypto-exchange-to-compensate-hack-victims/
- https://www.apriorit.com/dev-blog/561-coincheck-hack
Related vulnerabilities
- CRITICAL WEB3-PHEMEX-2025
On January 23, 2025, exchange Phemex lost about $85M (early estimates started near $29M before rising) after attackers drained hot wallets across roughly 11-16 blockchains in a synchronized series of more than 125 transactions consistent with a compromised set of hot-wallet private keys; Phemex said the affected signing devices were identified and isolated, pointing to compromised signing infrastructure rather than an on-chain contract flaw. The attacker prioritized high-value tokens and swapped freezable assets into non-freezable ones before any freezes could land. Cold wallets stayed secure and Phemex covered the losses, resuming operations within days under Fireblocks MPC custody with keys split across distributed nodes. Flow-of-funds tracing (Merkle Science) and on-chain analysts (ZachXBT, Arkham), later supported by the FBI, attributed the theft to North Korea's Lazarus Group: on February 22, 2025 the attackers consolidated proceeds from the subsequent Bybit hack into the existing Phemex hacker address, retroactively linking the two incidents on-chain. Stolen funds were laundered via Tornado Cash and not recovered.
- CRITICAL WEB3-FIXEDFLOAT-2024
In mid-February 2024 (around February 16), the non-KYC instant crypto exchange FixedFloat was hacked for about $26.1M, comprising roughly 409 BTC (~$21M) and about 1,728 ETH (~$4.9M), drained in roughly nine transactions. FixedFloat denied an insider job or rug pull and said a third party exploited vulnerabilities and insufficient protection in its infrastructure, gaining access to some service functions; it deliberately prioritized patching over disclosure, so no public technical root-cause writeup was ever released. The exact vector therefore remains officially undisclosed, but on-chain analysts observed no smart-contract exploitation and a direct hot-wallet drain pattern consistent with a compromised hot wallet or private key rather than a protocol bug. The stolen funds were quickly laundered, with ETH funneled through the eXch mixer and BTC split across many addresses, and were not recovered.
- CRITICAL WEB3-POLONIEX-2023
On November 10, 2023, the Justin Sun-linked exchange Poloniex lost roughly $120 million (estimates ranged $114 to $126 million) after attackers compromised a hot-wallet private key and swept tokens to attacker-controlled wallets. The drain hit a hot wallet labeled 'Poloniex 4,' with automated bots executing hundreds of unauthorized transactions that emptied multiple assets in just over an hour, a pattern indicating the signing key itself was in attacker hands rather than any contract bug. The exact intrusion path was not disclosed, but single-key-controlled hot wallets with inadequate signing thresholds let one compromised key authorize the mass outflow. Analysts including Elliptic attributed the theft to North Korea's Lazarus Group based on the attack methodology and a laundering signature of splitting token types across addresses before consolidating, and Justin Sun publicly linked the perpetrators to Lazarus. Poloniex offered a white-hat bounty for the funds' return; the attacker began moving funds (including ETH to Tornado Cash) and the bulk was not recovered, though Sun said losses would be reimbursed.
- CRITICAL WEB3-MIXIN-NETWORK-2023
On September 23, 2023, Mixin Network lost about $200M (roughly $95M ETH, $24M BTC and $24M USDT among other assets) after attackers breached the database of the network's third-party cloud service provider, which held Mixin's deposit-address and hot-wallet private keys in recoverable form. With the database compromised, the attacker reconstructed the private keys and signed outbound transactions directly, sweeping over 11,400 deposit wallets from highest to lowest balance across more than 10,000 transactions; stolen USDT was swapped to roughly 23.5M DAI to break traceability. The weak link was the upstream cloud database acting as a single point of failure with recoverable keys, rather than a smart-contract bug or a direct private-key theft from Mixin itself (the provider is widely inferred to be Google Cloud but was never officially confirmed). Mixin engaged Google and SlowMist to investigate, suspended deposits and withdrawals, offered a $20M bounty, and announced a plan to reimburse 50% of affected user assets with the remainder issued as debt/bond tokens. The bulk of the funds was laundered and not recovered.
- CRITICAL WEB3-COINEX-2023
On September 12, 2023, exchange CoinEx lost an estimated $54 to $70 million after attackers compromised its hot-wallet private keys, exploiting lax single-key hot-wallet security. CoinEx's own assessment preliminarily identified leakage of the hot-wallet private key as the cause; wallets controlled by a single key are especially exposed to phishing and malware, the favored access vectors of the attributed actor, and once the key leaked the attacker swept assets directly. The theft was attributed to North Korea's Lazarus Group: one of the CoinEx attacker addresses was reused from the Stake.com hack (FBI-confirmed Lazarus) and funds were bridged via infrastructure previously used by Lazarus, with the linkage confirmed by Elliptic, CertiK, SlowMist, ZachXBT and overlapping addresses tying CoinEx, Stake.com and Alphapo together. CoinEx absorbed the loss and fully reimbursed affected users without diluting its CET token, restoring full operations over the following months.
- CRITICAL WEB3-STAKE-COM-2023
On or about September 4, 2023, crypto gambling platform Stake.com lost about $41 million across Ethereum, BNB Chain and Polygon after attackers gained the ability to make unauthorized transactions from its hot wallets. The exact mechanism is disputed: co-founder Edward Craven stated that private keys were not compromised and blamed a sophisticated breach of the platform's transaction-authorization service, whereas multiple security researchers (Cyvers, others) assessed a hot-wallet private-key leakage as the most plausible explanation given the clean, MEV-free on-chain sweep. Either way, the weakness was operational (signing authority over internet-connected hot wallets was reachable by the attacker), not a smart-contract flaw. On September 6, 2023 the FBI officially attributed the theft to North Korea's Lazarus Group (APT38), tracking the stolen funds as they moved into various virtual-currency addresses; Elliptic observed commingling with Atomic Wallet proceeds. The funds were laundered and not recovered.