Summary
Mt. Gox, then the largest Bitcoin exchange, halted withdrawals on February 7, 2014 and filed for bankruptcy protection in Tokyo on February 28, 2014 after roughly 850,000 BTC (around 750,000 customer coins plus 100,000 company coins, worth roughly $450 million at the time) was found to be missing. The loss was not a single break-in but years of undetected drain: an early compromise of the exchange's poorly secured private keys, including a wallet.dat file that sat accessible on a server from the McCaleb era, gave attackers persistent signing access while Mt. Gox ran without cold storage, audited reserves or ledger-to-chain reconciliation, so nothing flagged the gap between what the books owed and what the wallets held. The exchange publicly blamed transaction-malleability exploitation, but ETH Zurich researchers who analyzed the blockchain for malleated transactions concluded that malleability could account for at most a few hundred BTC, far short of the amount missing; the precise vector has never been officially established, and the evidence points to long-running key theft and skimming masked by broken accounting. About 200,000 BTC was later recovered from an old-format wallet, leaving roughly 650,000 BTC unaccounted for. In 2023 the U.S. DOJ charged Russian nationals Alexey Bilyuchenko and Aleksandr Verner with conspiring to launder the bitcoin stolen from the exchange; creditor repayments began a decade after the collapse.
How to avoid it in your code
- Keep the overwhelming majority of customer funds in air-gapped cold storage; hot wallets hold only operational float.
- Use multisig or MPC/threshold signing so no single leaked key authorizes withdrawals.
- Run continuous proof-of-reserves and automated ledger-to-chain reconciliation to detect drain early.
- Rotate keys, segregate infrastructure, and never store wallet.dat or private keys on shared application servers.
- Enforce withdrawal rate limits, allowlists, and anomaly detection on outbound transactions.
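The controls above are easy to state and easy to skip. As an added illustration (example code written for this page, not anything Mt. Gox ran), the Python below does the two things that would have surfaced the Mt. Gox drain early: it reconciles the internal ledger's customer liabilities against confirmed on-chain balances and checks that the hot wallet is only a small float, and it gates every outbound transaction behind an allowlist, an approval quorum and a rolling daily limit. The function and class names (`reconcile`, `WithdrawalGate`, `demo`), the 5% hot-wallet cap, and every address, balance, account and signer name are constructed assumptions.

```python
# Added example for this page, not Mt. Gox code. Every address, balance,
# account and signer name below is constructed for illustration.
from collections import deque
from dataclasses import dataclass, field
from decimal import Decimal

BTC = Decimal  # amounts are exact decimals in BTC, never floats


def reconcile(customer_liabilities: dict, chain_balances: dict,
              cold_addresses: set, max_hot_fraction: Decimal = BTC("0.05")) -> dict:
    """Compare what the internal ledger owes customers with what the exchange
    actually controls on-chain, and check that the hot wallet stays a small float.

    customer_liabilities: account id -> balance owed per the internal ledger
    chain_balances:       address -> confirmed on-chain balance (from a node)
    cold_addresses:       the subset of chain_balances that is cold storage
    """
    liabilities = sum(customer_liabilities.values(), BTC("0"))
    reserves = sum(chain_balances.values(), BTC("0"))
    hot = sum((v for a, v in chain_balances.items() if a not in cold_addresses), BTC("0"))
    hot_fraction = hot / reserves if reserves else BTC("0")
    shortfall = liabilities - reserves          # positive means coins are missing
    alerts = []
    if shortfall > 0:
        alerts.append(f"SHORTFALL: ledger owes {liabilities} BTC, chain holds {reserves} BTC")
    if hot_fraction > max_hot_fraction:
        alerts.append(f"HOT WALLET holds {hot_fraction:.1%} of reserves, cap is {max_hot_fraction:.0%}")
    return {"liabilities": liabilities, "reserves": reserves, "hot": hot,
            "shortfall": shortfall, "alerts": alerts}


@dataclass
class WithdrawalGate:
    """Deny-by-default policy applied to every outbound transaction."""
    allowlist: set              # destination addresses the account holder pre-registered
    daily_limit: Decimal        # max BTC leaving the hot wallet in any rolling 24 h
    required_approvals: int     # distinct signers needed (the multisig / MPC quorum)
    review_threshold: Decimal   # single transactions above this go to manual review
    _window: deque = field(default_factory=deque)   # (unix time, amount) of recent outflows

    def evaluate(self, dest: str, amount: Decimal, now: int, approvals: set) -> tuple:
        """Return (allowed, reason); only an allowed withdrawal counts against the limit."""
        while self._window and self._window[0][0] <= now - 86400:   # expire outflows older than 24 h
            self._window.popleft()
        if dest not in self.allowlist:
            return False, "destination not on allowlist"
        if len(approvals) < self.required_approvals:
            return False, f"{len(approvals)} approval(s), quorum is {self.required_approvals}"
        sent_24h = sum((a for _, a in self._window), BTC("0"))
        if sent_24h + amount > self.daily_limit:
            return False, f"daily limit: {sent_24h} BTC already out, {amount} requested, cap {self.daily_limit}"
        if amount > self.review_threshold:
            return False, "above single-transaction threshold, route to manual review"
        self._window.append((now, amount))
        return True, "ok"


def demo() -> dict:
    """Run both checks over a constructed scenario and return the results."""
    ledger = {"alice": BTC("300"), "bob": BTC("500"), "carol": BTC("200")}   # owes 1000 BTC
    chain = {"bc1q-cold-0": BTC("700"), "bc1q-hot-0": BTC("250")}          # holds 950 BTC
    recon = reconcile(ledger, chain, cold_addresses={"bc1q-cold-0"})

    gate = WithdrawalGate(allowlist={"bc1q-alice-payout"}, daily_limit=BTC("100"),
                          required_approvals=2, review_threshold=BTC("50"))
    two = {"signer-a", "signer-b"}
    attempts = [
        gate.evaluate("bc1q-attacker", BTC("40"), now=1_000, approvals=two),              # not allowlisted
        gate.evaluate("bc1q-alice-payout", BTC("40"), now=1_000, approvals={"signer-a"}), # one key only
        gate.evaluate("bc1q-alice-payout", BTC("40"), now=1_000, approvals=two),          # ok, 40 out
        gate.evaluate("bc1q-alice-payout", BTC("40"), now=2_000, approvals=two),          # ok, 80 out
        gate.evaluate("bc1q-alice-payout", BTC("40"), now=3_000, approvals=two),          # 120 > 100, denied
        gate.evaluate("bc1q-alice-payout", BTC("40"), now=1_000 + 86_401, approvals=two), # first outflow aged out
    ]
    return {"recon": recon, "attempts": attempts}


if __name__ == "__main__":
    out = demo()
    for line in out["recon"]["alerts"]:
        print(line)
    for ok, reason in out["attempts"]:
        print("ALLOW" if ok else "DENY ", reason)
```

The reconciliation compares two independent sources, the internal ledger and a node's view of the chain, so a skimmed key shows up as a growing shortfall rather than staying invisible inside one set of books; the gate records an outflow only after every check passes, so a denied request cannot burn down the daily limit, and a single leaked key never satisfies the quorum on its own.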
References
- https://en.bitcoin.it/wiki/Collapse_of_Mt._Gox
- https://www.npr.org/sections/thetwo-way/2014/02/28/283863219/mtgox-files-for-bankruptcy-nearly-500m-of-bitcoins-lost
- https://money.cnn.com/2014/02/28/investing/mt-gox-bankruptcy/index.html
- https://www.coindesk.com/markets/2014/03/27/study-mt-gox-may-have-lost-just-386-btc-due-to-transaction-malleability
Related vulnerabilities
- CRITICALWEB3-PHEMEX-2025
On January 23, 2025, exchange Phemex lost about $85M (early estimates started near $29M before rising) after attackers drained hot wallets across roughly 11-16 blockchains in a synchronized series of more than 125 transactions consistent with a compromised set of hot-wallet private keys; Phemex said the affected signing devices were identified and isolated, pointing to compromised signing infrastructure rather than an on-chain contract flaw. The attacker prioritized high-value tokens and swapped freezable assets into non-freezable ones before any freezes could land. Cold wallets stayed secure and Phemex covered the losses, resuming operations within days under Fireblocks MPC custody with keys split across distributed nodes. Flow-of-funds tracing (Merkle Science) and on-chain analysts (ZachXBT, Arkham), later supported by the FBI, attributed the theft to North Korea's Lazarus Group: on February 22, 2025 the attackers consolidated proceeds from the subsequent Bybit hack into the existing Phemex hacker address, retroactively linking the two incidents on-chain. Stolen funds were laundered via Tornado Cash and not recovered.
- CRITICALWEB3-POLONIEX-2023
On November 10, 2023, the Justin Sun-linked exchange Poloniex lost roughly $120 million (estimates ranged $114 to $126 million) after attackers compromised a hot-wallet private key and swept tokens to attacker-controlled wallets. The drain hit a hot wallet labeled 'Poloniex 4,' with automated bots executing hundreds of unauthorized transactions that emptied multiple assets in just over an hour, a pattern indicating the signing key itself was in attacker hands rather than any contract bug. The exact intrusion path was not disclosed, but single-key-controlled hot wallets with inadequate signing thresholds let one compromised key authorize the mass outflow. Analysts including Elliptic attributed the theft to North Korea's Lazarus Group based on the attack methodology and a laundering signature of splitting token types across addresses before consolidating, and Justin Sun publicly linked the perpetrators to Lazarus. Poloniex offered a white-hat bounty for the funds' return; the attacker began moving funds (including ETH to Tornado Cash) and the bulk was not recovered, though Sun said losses would be reimbursed.
- CRITICALWEB3-MIXIN-NETWORK-2023
On September 23, 2023, Mixin Network lost about $200M (roughly $95M ETH, $24M BTC and $24M USDT among other assets) after attackers breached the database of the network's third-party cloud service provider, which held Mixin's deposit-address and hot-wallet private keys in a recoverable manner. With the database compromised, the attacker reconstructed the private keys and signed outbound transactions directly, sweeping over 11,400 deposit wallets from highest to lowest balance across more than 10,000 transactions; stolen USDT was swapped to roughly 23.5M DAI to break traceability. The weak link was the upstream cloud database acting as a single point of failure with recoverable keys, rather than a smart-contract bug or a direct private-key theft from Mixin itself (the provider is widely inferred to be Google Cloud but was never officially confirmed). Mixin engaged Google and SlowMist to investigate, suspended deposits and withdrawals, offered a $20M bounty, and announced a plan to reimburse 50% of affected user assets with the remainder issued as debt/bond tokens. The bulk of the funds was laundered and not recovered.
- CRITICALWEB3-COINEX-2023
On September 12, 2023, exchange CoinEx lost an estimated $54 to $70 million after attackers compromised its hot-wallet private keys. CoinEx's own preliminary assessment identified leakage of the hot-wallet private key as the cause; a wallet controlled by a single key is only as safe as the machine and person holding that key, and phishing and malware against such holders are the favored access vectors of the attributed actor, so once the key leaked the attacker simply swept the assets. The theft was attributed to North Korea's Lazarus Group: one of the CoinEx attacker addresses was reused from the Stake.com hack (FBI-confirmed Lazarus) and funds were bridged via infrastructure previously used by Lazarus, with the linkage confirmed by Elliptic, CertiK, SlowMist and ZachXBT and overlapping addresses tying CoinEx, Stake.com and Alphapo together. CoinEx absorbed the loss and fully reimbursed affected users without diluting its CET token, restoring full operations over the following months.
- CRITICALWEB3-ATOMICWALLET-2023
On June 3, 2023, users of Atomic Wallet, a non-custodial cryptocurrency wallet, lost over $100M (an early Elliptic estimate of ~$35M was later revised upward) across at least 5,500 accounts. Atomic Wallet never published a root cause, so the exact technical mechanism remains officially undisclosed and disputed; leading unconfirmed theories, consistent with a compromise of key generation or key exfiltration, include weak entropy or insufficient randomness in seed generation creating a brute-forceable keyspace, private keys or seeds being exfiltrated to a server (for example via logging), a supply-chain compromise of the app build, or fault attacks on the signing algorithm. Blockchain forensics firm Elliptic attributed the heist to North Korea's Lazarus Group with high confidence on June 6, 2023, based on laundering through the Sinbad mixer and Garantex and, most tellingly, stolen funds flowing into wallets already holding proceeds of prior Lazarus hacks; the FBI later supported this. Only a small portion (over $1M) was frozen and the bulk was not recovered. A class action (Colorado federal court) was later dismissed.
- CRITICALWEB3-KUCOIN-2020
On September 25, 2020, exchange KuCoin lost roughly $281 million in BTC, ETH and ERC-20 tokens after attackers gained access to the private keys controlling its hot wallets. KuCoin's own incident report confirmed the keys were exposed via a compromised server; the precise initial intrusion was not fully disclosed but is consistent with phishing or malware against personnel with key access, compounded by the operational weakness that the hot-wallet key pairs reportedly had not been rotated for around three years. Holding large balances in single-key-controlled hot wallets meant one key compromise allowed sweeping of multiple assets across chains. Chainalysis attributed the theft to North Korea's Lazarus Group, citing a structured money-laundering pattern (consistent sub-round-number payments to mixers and DeFi swaps via Uniswap) and deposit addresses shared with the Harvest Finance hack. KuCoin recovered the funds almost entirely: about 84% via on-chain tracking, token freezes and judicial action, with the remaining 16% covered by its insurance fund, leaving users unaffected.