48 entries tagged “theft”.
A wallet-drainer-as-a-service operation (≈85/15 affiliate/developer split) specialized in EVM chains. Most notably, Angel Drainer malware was used in the December 2023 Ledger Connect Kit supply-chain attack, which drained roughly $500K–$600K from DeFi users in a few hours.
An early, prolific wallet-drainer-as-a-service crew (active into early 2023) that focused on high-value NFTs and is estimated to have facilitated roughly $13–16.5M in theft before announcing it was 'shutting down' and pointing affiliates to rival drainers.
A December 2023 software supply-chain attack: a phished former Ledger employee's npm key let attackers publish malicious versions of Ledger's widely used 'Connect Kit' library, injecting the Angel Drainer into many dApps. About $500K–$600K was drained in a few hours before a fix shipped.
An Avalanche stablecoin protocol exploited for about $8.5M in February 2023 via a flash loan that abused a flawed solvency check. Two brothers were arrested in France (aided by ZachXBT) but were later acquitted of criminal charges by a French court.
In January 2025, the Singapore-based exchange Phemex had its hot wallets drained across 16 blockchains, with losses estimated at $73–85M. On-chain investigators (ZachXBT, Arkham) tied it to North Korea's Lazarus Group, later linking it directly to the Bybit and BingX hacks via commingled funds.
In November 2019, 342,000 ETH (~$41.5M at the time) was stolen from South Korean exchange Upbit. In November 2024 South Korea's National Police Agency officially attributed the theft to North Korea's Lazarus and Andariel groups — its first such attribution of an exchange hack.
The hacker who breached Bitfinex in 2016 and fraudulently transferred 119,754 BTC. He pleaded guilty in 2023 to a money-laundering conspiracy and admitted carrying out the hack; he was sentenced in November 2024 to five years in prison.
A financially motivated cybercrime group (tracked as UNC3944, 0ktapus, Octo Tempest) known for SMS phishing and SIM-swapping. U.S. prosecutors say members stole millions in cryptocurrency from individuals; several have been arrested and pleaded guilty.
A wallet-drainer-as-a-service crew that, per ZachXBT and Scam Sniffer, stole more than $75–85M from roughly 20,000 victims, often via hijacked X/Discord accounts pushing phishing links, before announcing its 'retirement' in 2024.
A 'drainer-as-a-service' operation that rented phishing/wallet-draining software to affiliates for a ~20% cut. Group-IB and Scam Sniffer say it stole roughly $80M+ from ~137,000 victims (Nov 2022–Nov 2023) by spoofing 100+ Web3 brands; it later resumed activity.
A BNB Chain AMM drained of about $50M on April 28, 2021 during a contract migration, after a single-character math error in its pair contracts let an attacker withdraw far more than deposited. The team suspected an internal leak; U.S. authorities later seized ~$31M.
A Solana stablecoin drained of about $52.8M on March 23, 2022 via an 'infinite mint' bug: missing collateral validation let an attacker mint ~2B CASH with worthless tokens, collapsing the peg to near zero. The attacker left a message saying small accounts were refunded.
A BNB Chain yield aggregator hit by a flash-loan price-manipulation 'economic exploit' on May 19, 2021. The attacker minted ~6.97M BUNNY and dumped it for about $45M in profit, crashing BUNNY from ~$146 to near $1; the team said no vaults were breached.
About $70M was drained from the Hong Kong-based exchange CoinEx in September 2023 after its hot-wallet private keys were compromised. Researchers (Elliptic, ZachXBT) linked the theft to North Korea's Lazarus Group, partly via wallets shared with the Stake.com hack.
About $41M was stolen from the crypto casino Stake.com on September 4, 2023, after attackers obtained access to its hot wallets (ETH, BNB Chain, Polygon). The FBI publicly attributed the theft to North Korea's Lazarus Group (APT38).
Two linked crypto payment processors were drained in mid-2023 — about $60M from Alphapo and ~$37M from CoinsPaid — via compromised hot-wallet keys. The FBI attributed both thefts to North Korea's Lazarus Group (TraderTraitor); CoinsPaid said it was breached after months of social engineering.
A Web3 game on the Blast network drained of about $62.5M in March 2024 by one of its own developers — an insider whom investigators (ZachXBT) linked to North Korea. After negotiations, the developer returned all of the funds without a ransom.
A July 30, 2023 incident in which a compiler bug in older Vyper versions broke reentrancy protection, letting attackers drain several Curve pools and dependent protocols (Alchemix, JPEG'd, Metronome). Gross losses were ~$70M; white-hats and returns cut net losses to about $52M.
A cross-chain lending protocol drained of about $50M on October 16, 2024. Mandiant attributed it to a North Korea-linked actor (UNC4736 / AppleJeus) that used a fake-contractor Telegram lure to plant macOS malware on developers' machines and forge multisig approvals.
A decentralized exchange drained of about $48M in November 2023 via a complex exploit of its Elastic concentrated-liquidity pools. The attacker then posted an on-chain 'treaty' demanding full executive control of the Kyber company in exchange for the funds.
A yield-farming protocol exploited on October 26, 2020 in a flash-loan attack that manipulated Curve pool prices to drain its USDC and USDT vaults. Estimates ranged from ~$24M to ~$33.8M; the attacker returned about $2.5M.
The New Zealand exchange Cryptopia was hacked in January 2019, losing about NZ$30M (~$20M) in crypto, and was placed into liquidation in May 2019. A landmark NZ court ruling held that the assets were held on trust for account holders.
The Ethereum stablecoin protocol Beanstalk lost about $182M in April 2022 when an attacker used a flash loan to borrow enough governance tokens to pass a malicious proposal that drained the protocol's funds in a single transaction.
The Nomad token bridge was drained of about $190M in August 2022 in a chaotic 'free-for-all' after a flawed upgrade let users replay other people's withdrawal messages by copying transactions.
Harmony's Horizon bridge was exploited for about $100M in June 2022 after attackers compromised multisig signing keys. The FBI later attributed the theft, along with the Ronin hack, to North Korea's Lazarus Group.
A North Korea-linked, financially focused sub-group of the Lazarus umbrella that targets banks and crypto firms. Blamed for the 2016 Bangladesh Bank SWIFT heist and, more recently, macOS malware campaigns against crypto businesses (RustBucket, KandyKorn, 'Hidden Risk'). Sanctioned by the U.S. in 2019.
A North Korea-linked threat cluster (part of the Lazarus umbrella) that the FBI blames for several of the largest exchange thefts, including Bybit ($1.5B), DMM Bitcoin ($305M), and the Ronin/Axie bridge. It favors social engineering of employees and supply-chain compromises.
The most widely used name for North Korea's state-sponsored hacking apparatus, run under its Reconnaissance General Bureau. Blamed for the Sony hack, the Bangladesh Bank SWIFT heist, WannaCry, and — since ~2017 — many of the largest crypto thefts ever. Chainalysis puts DPRK's cumulative crypto haul near $6.75B, used to fund the regime's weapons programs.
About $196M was stolen from the BitMart exchange in December 2021 after attackers obtained a private key controlling two hot wallets (~$100M on Ethereum, ~$96M on BNB Chain). Funds were laundered via 1inch and Tornado Cash; BitMart reimbursed affected users.
About $81.5M was drained from the Orbit Bridge (by South Korea's Ozys) on Dec 31, 2023 – Jan 1, 2024, via weak withdrawal/signature validation. Ozys later said a former security chief had weakened its firewall weeks earlier and pursued legal action.
A BNB Chain lending protocol whose QBridge was exploited for about $80M on January 27, 2022. A logic flaw let an attacker mint unlimited 'qXETH' collateral without depositing any ETH, then borrow out the protocol's assets. Chainalysis later assessed it was likely North Korea-linked.
A blockchain-gaming ecosystem on Polygon whose semi-custodial wallets were drained of about $140M on December 13, 2021. Attackers compromised Vulcan Forged's servers to obtain its wallet-provider (Venly) credentials and export 96 users' private keys; the team reimbursed users from its treasury.
A DeFi protocol whose users lost about $120M on December 2, 2021 — not via a smart-contract bug but a front-end attack: a compromised Cloudflare API key let attackers inject a script that tricked users into approving malicious token allowances, then drained their wallets.
About $120M+ was drained from hot wallets of the Justin Sun-owned exchange Poloniex on November 10, 2023, across Ethereum, Tron, and Bitcoin. Security firms attributed it to a private-key compromise, with the North Korea-linked Lazarus Group widely suspected.
More than $100M was drained from users of the non-custodial Atomic Wallet beginning June 3, 2023, affecting 5,000+ wallets. Elliptic attributed the theft to North Korea's Lazarus Group based on laundering patterns; the root cause was never fully disclosed.
About $305M (4,502.9 BTC) was stolen from the Japanese exchange DMM Bitcoin in May 2024. The FBI, DC3, and Japan's NPA attributed it to North Korea's TraderTraitor, which used a fake-recruiter lure to compromise an employee at wallet vendor Ginco. DMM later wound down.
The largest crypto theft on record: about $1.5B in Ether was stolen from the Bybit exchange on February 21, 2025. The FBI attributed it to North Korea (TraderTraitor/Lazarus), which compromised the Safe{Wallet} signing interface to redirect a routine cold-wallet transfer.
A cross-chain lending protocol drained of about $130M on October 27, 2021 via a flash-loan price-oracle manipulation of a Yearn yUSD vault — the largest of three exploits Cream suffered in 2021.
About $230M+ was stolen from India's largest crypto exchange, WazirX, in July 2024 after attackers compromised a multisignature wallet and altered its logic. Blockchain analysts attributed the theft to North Korea's Lazarus Group.
The crypto market maker Wintermute lost about $160M in September 2022 after an attacker brute-forced the private key of a 'vanity' admin address generated with the buggy Profanity tool, then used it to drain the firm's DeFi vault.
The Ethereum lending protocol Euler Finance lost about $197M in a March 2023 flash-loan attack exploiting a flawed 'donate' function. After weeks of on-chain negotiation, the attacker returned essentially all of the recoverable funds.
About $281M in crypto was stolen from the Singapore-based exchange KuCoin in September 2020 after attackers obtained hot-wallet private keys. Chainalysis attributed the theft to North Korea's Lazarus Group; KuCoin recovered roughly 84% of the assets.
The Japanese exchange Coincheck lost about 523M NEM tokens (~$530M) to attackers in January 2018 — then one of the largest crypto thefts. The coins had been stored in an internet-connected hot wallet; Coincheck pledged to reimburse affected users.
The Wormhole bridge between Solana and Ethereum was exploited for about $325M (120,000 wETH) in February 2022 after a signature-verification flaw let the attacker mint unbacked tokens. Backer Jump Crypto replenished the funds.
A cross-chain protocol exploited for about $611M in August 2021 — one of the largest DeFi thefts ever. Unusually, the attacker (dubbed 'Mr. White Hat') returned nearly all of the funds over the following days.
The Ronin bridge behind the game Axie Infinity was drained of about $625M in ETH and USDC in March 2022 after attackers obtained validator keys. U.S. authorities attributed the theft to North Korea's Lazarus Group, and OFAC sanctioned the wallet.
About 119,754 BTC were stolen from the Bitfinex exchange in August 2016. In 2022 the U.S. DOJ arrested Ilya Lichtenstein and Heather Morgan ('Razzlekhan') for laundering the proceeds; both pleaded guilty, and Lichtenstein was sentenced to five years in 2024.
Once the dominant Bitcoin exchange, Tokyo-based Mt. Gox filed for bankruptcy in February 2014 after about 850,000 BTC (worth roughly $450M at the time) went missing. A security firm concluded most coins were stolen from its hot wallet over years.