WEB3-STAKE-COM-2023

On January 23, 2025, exchange Phemex lost about $85M (early estimates started near $29M before rising) after attackers drained hot wallets across roughly 11-16 blockchains in a synchronized series of more than 125 transactions consistent with a compromised set of hot-wallet private keys; Phemex said the affected signing devices were identified and isolated, pointing to compromised signing infrastructure rather than an on-chain contract flaw. The attacker prioritized high-value tokens and swapped freezable assets into non-freezable ones before any freezes could land. Cold wallets stayed secure and Phemex covered the losses, resuming operations within days under Fireblocks MPC custody with keys split across distributed nodes. Flow-of-funds tracing (Merkle Science) and on-chain analysts (ZachXBT, Arkham), later supported by the FBI, attributed the theft to North Korea's Lazarus Group: on February 22, 2025 the attackers consolidated proceeds from the subsequent Bybit hack into the existing Phemex hacker address, retroactively linking the two incidents on-chain. Stolen funds were laundered via Tornado Cash and not recovered.

In mid-February 2024 (around February 16), the non-KYC instant crypto exchange FixedFloat was hacked for about $26.1M, comprising roughly 409 BTC (~$21M) and about 1,728 ETH (~$4.9M), drained in roughly nine transactions. FixedFloat denied an insider job or rug pull and said a third party exploited vulnerabilities and insufficient protection in its infrastructure, gaining access to some service functions; it deliberately prioritized patching over disclosure, so no public technical root-cause writeup was ever released. The exact vector therefore remains officially undisclosed, but on-chain analysts observed no smart-contract exploitation and a direct hot-wallet drain pattern consistent with a compromised hot wallet or private key rather than a protocol bug. The stolen funds were quickly laundered, with ETH funneled through the eXch mixer and BTC split across many addresses, and were not recovered.

On November 10, 2023, the Justin Sun-linked exchange Poloniex lost roughly $120 million (estimates ranged $114 to $126 million) after attackers compromised a hot-wallet private key and swept tokens to attacker-controlled wallets. The drain hit a hot wallet labeled 'Poloniex 4,' with automated bots executing hundreds of unauthorized transactions that emptied multiple assets in just over an hour, a pattern indicating the signing key itself was in attacker hands rather than any contract bug. The exact intrusion path was not disclosed, but single-key-controlled hot wallets with inadequate signing thresholds let one compromised key authorize the mass outflow. Analysts including Elliptic attributed the theft to North Korea's Lazarus Group based on the attack methodology and a laundering signature of splitting token types across addresses before consolidating, and Justin Sun publicly linked the perpetrators to Lazarus. Poloniex offered a white-hat bounty for the funds' return; the attacker began moving funds (including ETH to Tornado Cash) and the bulk was not recovered, though Sun said losses would be reimbursed.

On September 23, 2023, Mixin Network lost about $200M (roughly $95M ETH, $24M BTC and $24M USDT among other assets) after attackers breached the database of the network's third-party cloud service provider, which held Mixin's deposit-address and hot-wallet private keys in a recoverable manner. With the database compromised, the attacker reconstructed the private keys and signed outbound transactions directly, sweeping over 11,400 deposit wallets from highest to lowest balance across more than 10,000 transactions; stolen USDT was swapped to roughly 23.5M DAI to break traceability. The weak link was the upstream cloud database acting as a single point of failure with recoverable keys, rather than a smart-contract bug or a direct private-key theft from Mixin itself (the provider is widely inferred to be Google Cloud but was never officially confirmed). Mixin engaged Google and SlowMist to investigate, suspended deposits and withdrawals, offered a $20M bounty, and announced a plan to reimburse 50% of affected user assets with the remainder issued as debt/bond tokens. The bulk of the funds was laundered and not recovered.

On September 12, 2023, exchange CoinEx lost an estimated $54 to $70 million after attackers compromised its hot-wallet private keys, exploiting lax single-key hot-wallet security. CoinEx's own assessment preliminarily identified leakage of the hot-wallet private key as the cause; wallets controlled by a single key are especially exposed to phishing and malware, the favored access vectors of the attributed actor, and once the key leaked the attacker swept assets directly. The theft was attributed to North Korea's Lazarus Group: one of the CoinEx attacker addresses was reused from the Stake.com hack (FBI-confirmed Lazarus) and funds were bridged via infrastructure previously used by Lazarus, with the linkage confirmed by Elliptic, CertiK, SlowMist, ZachXBT and overlapping addresses tying CoinEx, Stake.com and Alphapo together. CoinEx absorbed the loss and fully reimbursed affected users without diluting its CET token, restoring full operations over the following months.

On June 3, 2023, users of Atomic Wallet, a non-custodial cryptocurrency wallet, lost over $100M (an early Elliptic estimate of ~$35M was later revised upward) across at least 5,500 accounts. Atomic Wallet never published a root cause, so the exact technical mechanism remains officially undisclosed and disputed; leading unconfirmed theories, consistent with a compromise of key generation or key exfiltration, include weak entropy or insufficient randomness in seed generation creating a brute-forceable keyspace, private keys or seeds being exfiltrated to a server (for example via logging), a supply-chain compromise of the app build, or fault attacks on the signing algorithm. Blockchain forensics firm Elliptic attributed the heist to North Korea's Lazarus Group with high confidence on June 6, 2023, based on laundering through the Sinbad mixer and Garantex and, most tellingly, stolen funds flowing into wallets already holding proceeds of prior Lazarus hacks; the FBI later supported this. Only a small portion (over $1M) was frozen and the bulk was not recovered. A class action (Colorado federal court) was later dismissed.