Crypto Exchange Hacks: Biggest Heists and How to Stay Safe
Forget the getaway car. The most profitable robberies on earth now run on a laptop, a tricked employee, and a wallet address no one can ever claw back. Crypto exchange hacks have quietly grown into the most lucrative crime online, and the bleeding has not slowed. In 2025 alone, thieves pulled roughly $3.4 billion off crypto platforms, a 55% jump in a single year, and one heist swallowed nearly half of that. Keep coins on an exchange and this is the bet you are making, whether the sign-up screen spelled it out or not. The reassuring part: almost all of it traces back to the same short list of mistakes. Avoid those, and you dodge most of the danger.
Why crypto exchanges are such tempting targets
Think about what an exchange actually is. It is a single company holding billions of dollars of other people's money, much of it sitting in internet-connected "hot" wallets so customers can trade at 3 a.m. Behind those wallets sit a few dozen employees with the keys, the access, and the human weaknesses that come standard with being human. No bank vault on earth concentrates value like that.
That is the uncomfortable trade-off at the center of crypto. The same centralization that makes a cryptocurrency exchange easy to use makes it a honeypot. You get a friendly app, instant trades, and a password-reset button. The hacker gets one target instead of ten million. Rob a bank and you get whatever is in the drawer; rob an exchange and you can get everything at once, then move it somewhere no court can reach.
It helps to understand the two kinds of crypto wallets an exchange runs. Cold wallets are kept offline and are extremely hard to touch remotely, but they are slow to access. Hot wallets stay online so withdrawals can clear instantly, which is exactly why they are the part that gets drained. Every exchange balances the two, and every time one tilts too far toward convenience, it leaves more on the table for whoever gets in. The yearly totals show where that balance has landed: thieves took about $2.2 billion in 2024 and $3.4 billion in 2025, according to Chainalysis, and the figure keeps climbing.

The biggest crypto exchange hacks, ranked
This list is not just a hall of shame. Read it top to bottom and you watch the entire nature of the attack change, from sloppy hot wallets left exposed to nation-state crews infiltrating the software supply chain. The ranking is the story.
Bybit 2025: the $1.5 billion record
In February 2025, attackers pulled roughly $1.5 billion in Ethereum (Ether) out of Bybit in a single afternoon, the largest cryptocurrency hack on record by a wide margin, as reported by CNBC. Here is the part that should worry everyone: they never "broke into" Bybit. They compromised a developer machine at Safe{Wallet}, the third-party signing tool Bybit used, and slipped malicious code into the interface so the people approving the transfer saw a normal transaction while authorizing a malicious one. North Korea's Lazarus Group was behind it. Bybit, to its credit, covered customer losses out of its own reserves.
Why this one matters beyond its size: it marked a category change. For a decade, the standard advice to exchanges was "guard your keys and keep most funds in cold storage," and Bybit did exactly that. The attackers simply moved upstream, targeting the software the exchange trusted rather than the exchange itself. That is a far harder problem to defend, because your security is now only as strong as every vendor and tool in your chain. Every major platform spent the following months auditing software they had never thought to question.
Mt. Gox, Coincheck, and the early disasters
The older crypto exchange hacks were cruder, and just as ruinous. Take Mt. Gox. Once the largest crypto exchange on the planet, handling most of the world's Bitcoin trades, it bled out around 850,000 BTC and collapsed by 2014. The industry is still cleaning up that mess. Coincheck was hacked in 2018 for about $530 million in NEM, and for the dumbest of reasons: it had left the tokens sitting in a hot wallet with no multi-signature protection. FTX is the strange one. Its 2022 death was mostly fraud, not hacking, yet on the very night it filed for bankruptcy someone drained roughly $400 million out the back. Outside attacker or inside job? People still argue about it. The table below tracks the worst of the bunch.
| Exchange | Year | Stolen | What failed |
|---|---|---|---|
| Bybit | 2025 | ~$1.5B | Compromised third-party signing interface |
| Coincheck | 2018 | ~$530M | NEM held in a hot wallet, no multi-sig |
| Mt. Gox | 2014 | ~850k BTC | Years of undetected hot-wallet theft |
| DMM Bitcoin | 2024 | ~$305M | Social engineering of a vendor employee |
| KuCoin | 2020 | ~$280M | Hot-wallet private keys leaked (73% recovered) |
| WazirX | 2024 | ~$230M | Multi-sig upgrade exploited |
| FTX | 2022 | ~$400M | Hack during the collapse |
How crypto exchange hacks actually happen
Forget the movie image of a genius cracking encryption in a dark room. The cryptography protecting cryptocurrency almost never breaks. What breaks is everything around it: the keys, the staff, and the software they trust. Strip away the jargon and nearly every one of these cryptocurrency hacks comes down to one of two failures.
Stolen keys and hot-wallet exposure
Whoever holds the private key controls the coins, full stop. So to steal crypto, attackers go straight for the keys rather than the math protecting them. Private-key compromise accounted for 43.8% of all stolen funds in 2024, the single biggest category by far. Exchanges that leave too much in hot wallets, or store keys carelessly, hand thieves the whole prize the moment one machine is breached.
Social engineering and the supply-chain shift
The newer and scarier vector is people. North Korean operatives have posed as recruiters on LinkedIn to plant malware on an employee's computer; that social-engineering play is how the $305 million DMM Bitcoin theft started. They have injected code into the tools exchanges rely on, as in Bybit. They abuse leaked API keys, hijack session cookies, and impersonate staff convincingly enough to talk a colleague into approving a transfer. Deepfaked voices and video now show up in these schemes too, which makes the old advice to "just verify it's really your boss" a lot shakier than it sounds. I keep coming back to this point because the industry still markets "military-grade encryption" while the actual door being kicked in is a tired engineer clicking a fake job offer. The math is bulletproof. The people using it are not, and attackers worked that out years ago.

North Korea: the crews behind the biggest thefts
If there is one through-line in modern crypto exchange hacks, it is this: a single nation-state is doing most of the heavy lifting. North Korea's hacking units, Lazarus Group chief among them, stole an estimated $2.02 billion in 2025 alone, around 76% of all funds lost to service breaches that year, according to Chainalysis. Cumulatively, researchers at TRM Labs put the regime's all-time haul above $7.3 billion.
What makes them different is patience and scale. These are not smash-and-grabs. They run fewer attacks but far larger ones — spending months inside a target before moving, then laundering the stolen funds to finance a sanctioned state's weapons programs. The pace has not let up either: TRM Labs counted more than $770 million in crypto theft across the industry in just the first four months of 2026, with North Korea responsible for about 76% of it through a mere two attacks. That reframes the whole problem. The biggest exchange thefts are now state-run crypto crime, not lone-wolf opportunism, and you are up against a government with a payroll. That is a fight individual exchanges keep losing.
Where the stolen crypto goes, and why you rarely get it back
People cling to a comforting story: surely the hackers get caught and the money comes home. They almost never do. Watch what happens the second the funds move. The thieves push them through mixers and cross-chain bridges, splitting and reshuffling, and within an hour the trail is smoke.
A few exceptions exist, and they only prove the rule. A Poly Network hacker drained $611 million in 2021, then handed almost all of it back, for reasons nobody has ever fully explained. KuCoin clawed back most of its 2020 losses with fast freezes and insurance. Bybit just repaid its users. Those are the lucky ones. Mt. Gox creditors? Still waiting more than a decade on, with the deadline now pushed to October 2026 and tens of thousands of Bitcoin unreturned. The bitter irony is that it all plays out on a public blockchain, so analysts can watch the stolen funds glide away in real time and do nothing to stop them. Treat money taken as money gone.
FTX did leave one useful scar behind. It dragged the industry toward proof-of-reserves, a public cryptographic way for an exchange to show it really holds the coins it claims. Does that stop a hack? No. Does it catch the quiet insolvency FTX hid for months? Mostly, yes. So when an exchange will not publish one, draw your own conclusion about why.
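To make the proof-of-reserves idea concrete, here is an added example (not code from the article or from any exchange) of the Merkle sum tree construction that most published schemes are built on. The exchange publishes one root, committing to every customer balance and their total; each customer receives a short inclusion proof and checks two things: that their own balance is in the tree, and that the total at the root does not exceed the reserves visible on chain. The leaf and node encodings, the `SUM_BYTES` width, the empty-leaf padding rule and the sample balances are all assumptions made for this example.

```python
import hashlib
from typing import List, Tuple

SUM_BYTES = 8  # balances are unsigned integers in the smallest unit (assumed convention)
Node = Tuple[bytes, int]  # (hash, sum of balances beneath this node)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_node(user_id: str, balance: int) -> Node:
    """Commit to one account. Negative balances are rejected: a negative leaf
    would let an insolvent exchange shrink the root total."""
    if balance < 0:
        raise ValueError("negative balance in a sum tree")
    digest = sha256(b"leaf|" + user_id.encode() + b"|" + balance.to_bytes(SUM_BYTES, "big"))
    return digest, balance


# Padding leaf for odd-sized levels; it carries a zero balance on purpose.
# Duplicating the last real leaf instead would double-count its balance.
EMPTY: Node = (sha256(b"empty"), 0)


def parent_node(left: Node, right: Node) -> Node:
    lh, ls = left
    rh, rs = right
    digest = sha256(b"node|" + lh + ls.to_bytes(SUM_BYTES, "big")
                    + rh + rs.to_bytes(SUM_BYTES, "big"))
    return digest, ls + rs


def build_levels(balances: List[Tuple[str, int]]) -> List[List[Node]]:
    """Return every level of the tree, leaves first, root last."""
    level = [leaf_node(u, b) for u, b in balances]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [EMPTY]
        level = [parent_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def inclusion_proof(levels: List[List[Node]], index: int) -> List[Tuple[bytes, int, bool]]:
    """Sibling (hash, sum, sibling_is_left) for each level from leaf to root."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2 == 1:
            level = level + [EMPTY]
        sibling = index ^ 1
        proof.append((level[sibling][0], level[sibling][1], sibling < index))
        index //= 2
    return proof


def verify_proof(user_id: str, balance: int, proof, root: Node) -> bool:
    """Customer-side check: recompute the root from my leaf and the siblings."""
    node = leaf_node(user_id, balance)
    for sib_hash, sib_sum, sib_is_left in proof:
        if sib_sum < 0:
            return False  # reject a proof that smuggles in a negative subtotal
        sibling = (sib_hash, sib_sum)
        node = parent_node(sibling, node) if sib_is_left else parent_node(node, sibling)
    return node == root


def is_solvent(root: Node, onchain_reserves: int) -> bool:
    """Liabilities committed at the root must not exceed reserves proven on chain."""
    return root[1] <= onchain_reserves


# Constructed sample ledger: three accounts, total 100 units.
SAMPLE_BALANCES = [("alice", 50), ("bob", 30), ("carol", 20)]

if __name__ == "__main__":
    levels = build_levels(SAMPLE_BALANCES)
    root = levels[-1][0]
    proof = inclusion_proof(levels, 2)  # carol's leaf
    print("carol included:", verify_proof("carol", 20, proof, root))
    print("tampered balance rejected:", not verify_proof("carol", 25, proof, root))
    print("solvent against 120 on chain:", is_solvent(root, 120))
```

The root sum is what a customer compares against the exchange's on-chain wallet balances; the inclusion proof is what stops the exchange from quietly omitting accounts. Neither protects against a hot wallet being drained after the snapshot, which is the article's point: proof-of-reserves catches hidden insolvency, not theft.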
How to protect your crypto from exchange hacks
This is the part the breathless "biggest hacks" lists tend to skip. Crypto exchange hacks rarely target ordinary users directly, but you can still make yourself a far harder target. Most of it is unglamorous and takes an afternoon.
Self-custody and cold storage
The oldest rule in crypto still holds: not your keys, not your coins. For anything you are holding rather than actively trading, move it off the exchange into a hardware wallet or other cold storage that never touches the internet. Write the recovery phrase on paper, store it somewhere safe, and never type it into a website or a chat. A hardware wallet that costs $80 protects you from nearly every attack described above — because your keys are simply not where the hackers are looking.
Locking down your exchange account
For the funds you do keep on an exchange, harden the account. Use an authenticator app for two-factor authentication, never SMS codes, which are trivially stolen through SIM swaps. Set up a withdrawal address allowlist so funds can only leave to wallets you pre-approved. Use a unique, long password that exists nowhere else. Bookmark the real exchange URL and only ever log in through that bookmark, because the cheapest way to lose everything is to type your password into a convincing fake site one tab over. Treat any unexpected "verify your account" email or text as hostile until proven otherwise. And keep a simple discipline: do not store more on any exchange than you are prepared to lose.
Choosing a safer crypto exchange
Not every exchange is an equal risk, and the survivors share habits worth checking before you deposit a cent. A serious platform keeps the large majority of digital assets in cold storage, publishes proof-of-reserves so you can verify the coins exist, and runs an insurance fund for emergencies. Binance, for example, holds a $1 billion SAFU fund, recently converted into 15,000 BTC, as a customer backstop.
| Green flags | Red flags |
|---|---|
| Most assets in cold storage | Vague or no security disclosures |
| Public proof-of-reserves | No insurance or reserve fund |
| App-based 2FA, withdrawal allowlists | SMS-only login, no withdrawal controls |
| Regulated, audited, long track record | Anonymous team, sky-high "yields" |
Jurisdiction matters too. An exchange registered and licensed in a country with real financial oversight has more to lose from cutting corners, and gives you at least some legal footing if things go wrong. A platform run by an anonymous team from nowhere in particular offers none of that, and those are exactly the outfits that tend to surface later as exit scams. It is also worth spreading holdings across more than one venue, so a single breach can never take everything you own.
None of this is a guarantee. Bybit was a reputable, regulated centralized exchange when it got hit, and that is precisely the point: reputation lowers the odds, it does not erase them. But these signals stack the odds in your favor, and an exchange that refuses to discuss its security is telling you something.
The future of crypto exchange security
The defense is slowly catching up. Exchanges are moving toward MPC wallets that split keys so no single machine holds them, hardware signing, smart contract audits for their on-chain components, and software that simulates a transaction before anyone approves it. All of it reduces the risk of a breach. None of it fixes the weakest link, which is still a person who can be fooled or bribed. Until that changes, the safest assumption about crypto exchange hacks is that any exchange can be next, and the smartest move is to keep most of your crypto somewhere a hacked exchange cannot reach.
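The Bybit section above describes approvers who saw a normal transaction on screen while signing a different one, and this section names independent pre-approval checking as a defense. The following added example (not code from the article, Bybit or Safe) shows the shape of such a check: decode the raw calldata that is actually about to be signed, compare it field by field against what the signer intends, and refuse anything that is not a plain call to a recipient on the withdrawal allowlist. The `Intent` and `Payload` models, the `operation` flag (modelled on the call/delegatecall distinction used by multisig wallets), and all addresses and amounts are assumptions constructed for the example; the ERC-20 `transfer(address,uint256)` selector is the real one.

```python
from dataclasses import dataclass
from typing import List, Tuple

# First four bytes of keccak256("transfer(address,uint256)"). Real ERC-20 selector.
ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")
CALL, DELEGATECALL = 0, 1  # operation codes, assumed to mirror a multisig wallet's enum


@dataclass(frozen=True)
class Intent:
    """What the signer believes they are approving (assumed model)."""
    token: str       # ERC-20 contract the wallet should call
    recipient: str   # where the tokens should go
    amount: int      # in the token's smallest unit


@dataclass(frozen=True)
class Payload:
    """Raw fields of the transaction actually being signed (assumed model)."""
    to: str          # contract the wallet will call
    data: bytes      # ABI-encoded calldata
    operation: int   # CALL or DELEGATECALL


def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(recipient, amount): selector, 32-byte address, 32-byte uint."""
    addr_word = bytes.fromhex(recipient[2:]).rjust(32, b"\x00")
    return ERC20_TRANSFER_SELECTOR + addr_word + amount.to_bytes(32, "big")


def decode_erc20_transfer(data: bytes) -> Tuple[str, int]:
    """Strict decoder: exact length, exact selector, clean address padding."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER_SELECTOR:
        raise ValueError("calldata is not a plain ERC-20 transfer")
    word = data[4:36]
    if any(word[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + word[12:].hex(), int.from_bytes(data[36:68], "big")


def check_before_signing(payload: Payload, intent: Intent, allowlist: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the payload matches the intent."""
    findings = []
    if payload.operation != CALL:
        findings.append("operation is not a plain CALL")
    if payload.to.lower() != intent.token.lower():
        findings.append(f"call target {payload.to} is not the intended token {intent.token}")
    try:
        recipient, amount = decode_erc20_transfer(payload.data)
    except ValueError as exc:
        findings.append(str(exc))
        return findings  # nothing further can be trusted
    if recipient.lower() != intent.recipient.lower():
        findings.append(f"recipient {recipient} differs from intended {intent.recipient}")
    if amount != intent.amount:
        findings.append(f"amount {amount} differs from intended {intent.amount}")
    if recipient.lower() not in {a.lower() for a in allowlist}:
        findings.append(f"recipient {recipient} is not on the withdrawal allowlist")
    return findings


# Constructed sample addresses; none are real contracts or wallets.
TOKEN = "0x" + "11" * 20
COLD_WALLET = "0x" + "22" * 20
UNKNOWN_ADDRESS = "0x" + "33" * 20
AMOUNT = 1_000 * 10**18

if __name__ == "__main__":
    intent = Intent(TOKEN, COLD_WALLET, AMOUNT)
    allowlist = [COLD_WALLET]
    honest = Payload(TOKEN, encode_erc20_transfer(COLD_WALLET, AMOUNT), CALL)
    swapped = Payload(TOKEN, encode_erc20_transfer(UNKNOWN_ADDRESS, AMOUNT), DELEGATECALL)
    print("honest payload findings:", check_before_signing(honest, intent, allowlist))
    print("swapped payload findings:", check_before_signing(swapped, intent, allowlist))
```

The point of running this on a machine that is not the signing UI is that the check reads the bytes that will be signed, not whatever the interface chooses to render. A display can be altered by anyone who controls the front end; an independent decode plus an allowlist cannot be argued with.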