Largest Cryptocurrency Hacks In History: How They Happened


As cryptocurrency’s use and influence spread, the industry has become big business for investors, corporations, wallets, custodians, exchanges, and, unavoidably, hackers. One of the most significant hurdles for widespread consumer and corporate adoption is the paramount issue of security. 

Some of the largest cryptocurrency hacks in history happened in crypto’s more recent years, and hackers have managed to pry apart hundreds of millions of dollars in Bitcoin, Ethereum, and other currencies from a multitude of exchanges. 

Some platforms are fully refunded by honorable hackers; in the more likely cases they are not, and many platforms attempt to make their users whole by reimbursing them out of the company’s revenue.

Realistically, many losses are never recovered. To completely understand these cryptocurrency thefts, we’ve examined the largest crypto hacks in history, how they happened, and the methods that have been taken to prevent them from happening again. 

The 8 Largest Cryptocurrency Hacks In History By Value

#1 Poly Network Hack, $610M

#2 Coincheck Hack, $533M

#3 Mt Gox Hack, $470M

#4 The Wormhole Hack, $321M

#5 KuCoin Hack, $281M

#6 Bitmart Hack, $196M

#7 Bitfinex Hack, $72M

#8 The DAO Hack, $70M

Chronological List Of The Largest Cryptocurrency Hacks In History

Here’s a chronological table of the largest cryptocurrency hacks in history and how they happened. We’ve also attached their rank by value (i.e., the amount initially stolen by hackers).

| Platform (rank by value) | Date of Hack | Method | Value Stolen |
| --- | --- | --- | --- |
| Mt. Gox (#3) | 2011 – 2014 | Various | $470M |
| Bitfinex (#7) | August 2016 | Unknown | ~$72M |
| The DAO (#8) | May 2016 | System Bug | $70M |
| Coincheck (#2) | January 2018 | Phishing Malware | $533M |
| KuCoin (#5) | September 2020 | Unknown | $281M |
| Poly Network (#1) | August 2021 | Targeted System Vulnerability; Brute Force | $610M |
| Bitmart (#6) | December 2021 | Unknown | $196M |
| The Wormhole (#4) | February 2022 | Targeted System Vulnerability | $321M |

Editor’s note: The cryptocurrency world has undergone hundreds of hacks. Information on the current dollar value of assets compromised in each hack varies due to the volatility of cryptocurrencies, so we’ve ranked each hack by the value of the theft at its occurrence, regardless of whether or not funds were recovered. While we’ve done our best to find and share the vulnerability exploited by hackers, in many cases it was not possible to find out exactly how a hack happened.

Largest Cryptocurrency Hacks In History: Mt Gox’s Legendary Losses

Ranked #3, the Mt Gox hack was the first significant digital currency theft, and it remains one of the most well-known.

Once the world’s largest exchange, Mt Gox was a company in Tokyo, Japan. At one point in its four-year reign, this now-defunct crypto trader handled nearly 70% of all Bitcoin transactions. 

In 2006, Mt Gox was set up by a programmer named Jed McCaleb. The site was initially meant to serve as a card exchanging platform for the popular card game “Magic: The Gathering,” which is the story behind its name. “Mt. Gox” stands for Magic: The Gathering — Online eXchange.

However, in July 2010, McCaleb (who went on to found Ripple) published what would become the world’s largest cryptocurrency exchange on the same domain after reading about Bitcoin and realizing that the crypto community needed a “good way to buy and sell Bitcoins.” 

Later, McCaleb sold his project to French programmer and entrepreneur Mark Karpeles. After this sale, McCaleb retained admin rights to audit transactions and remained entitled to Mt Gox’s profits for six months.

While Mt Gox grew to become a massive crypto trading giant, its backend development processes stalled under Karpeles’ management. This led to a series of successful cyber attacks occurring between the first confirmed security breach in 2011 and continuing until a massive heist in 2014. 

In total, Mt Gox’s attackers made off with about 744,000 bitcoins, or approximately $460 million. This amount, huge then, comes up to a colossal $28.1 billion lost today, making this one of the largest cryptocurrency hacks in history.

How the Mt Gox hack happened

Exact facts about the vulnerabilities exploited in each of Mt Gox’s hacks are scarce. However, it is abundantly clear that there were many vulnerabilities to exploit. Anonymous insiders reported that the exchange lacked such basic (and vital) features as version control software and — until a few months before its fall — a test environment.

Without version control, one Mt Gox developer could accidentally modify another’s code. There was no history of changes or reliable mechanism for merging code or reverting to a known working copy. Since it lacked a test environment, Mt Gox put this largely untested software in front of the general public. 

Furthermore, Mark Karpeles was the only individual with access rights to approve changes to the site’s source code, and he was not always an active part of its development. This meant that bug fixes — even updates for security — were delayed for days, even weeks.

Somehow even worse, the company had no accounting system for reconciling its offline BTC balances for inventory, its online BTC balance for liquidity, and its fiat cash balance for currency exchange. 

The First Mt Gox Thefts

Mt Gox went through a flurry of hacks in 2011. 

First, on 13 June 2011, the exchange reported that attackers had stolen about 25,000 BTC (approximately $400,000 at the time) from 478 user accounts. Then, four days later, an anonymous user who called themselves “~cRazIeStinGer~” posted an offer to sell the platform’s entire user database on Pastebin. This was a massive threat, but the company did not respond.

The next day, Mt Gox reported more thefts. Then, on Sunday, June 19, suspicious trading activity started on the exchange. Someone had placed a series of orders to sell hundreds of thousands of bitcoins. 

These orders triggered a flash BTC price drop, causing the nominal value of BTC on the exchange to drop from $17 to around one cent. The largest sale executed was for 261,383.7630 BTC, which constituted about 4% of the 6.5 million bitcoins in circulation at the time.

As the news traveled, Mt Gox and other BTC exchanges experienced extreme volatility, with the price of Bitcoin fluctuating between $1 and $20.

The hacker achieved this by compromising Jed McCaleb’s Mt Gox auditor account, using it to transfer an enormous amount of BTC to another wallet. As the BTC price dropped, they used the exchange to sell these coins, purchasing hundreds of thousands of bitcoins at one cent each. 

In response, Karpeles shut the Mt Gox site down.

Later that day, the hacker made good on their threat, publishing a list of all Mt Gox users’ details — featuring all usernames, email addresses, and password hashes — on an internet forum. The list contained the details of 61,016 accounts, with an equivalent balance of $8.75 million. This release led to the loss of about 2000 BTC or $30,000 at the time.

Several other exchanges voluntarily shut down as a security response since many users used multiple exchanges for trading and likely used similar security information.

A few hours later, Mt Gox began disclosing the attack to its users, making security recommendations and warning them of possible phishing attacks. 

Two days later, the company started accepting account recovery requests from users, allowing them to prove their claim by verifying their email address, sharing previous passwords, and — optionally — further evidence such as their last-known Mt Gox balance, a copy of government ID, and more. The company verified these claims manually.

On June 23, Mt Gox executed a transfer of 424242.42424242 BTC from cold storage to the exchange to prove that the Bitcoins were still under Mt Gox’s control. Three days later, they reopened for business, rolling back fraudulent trades (at their own expense) and introducing new security measures, including a more secure password hashing algorithm.

They also updated their user verification methods during a first-time login to include users sharing the last IP address that accessed their account and verifying the email address, account name, and old password. Then, users were prompted to enter a new, strong password.

Mt Gox’s reputation recovered from this hack well. Within hours of the site coming back online, the price of BTC stabilized at around $16.50, and there were no massive user withdrawals or huge asset sell-offs by users.

The long haul

Mt Gox’s 2011 hacks did not end there. Research by WizSec shows that in September 2011, a malicious entity gained access to Mt Gox’s wallet.dat file. 

A wallet.dat file contains vital data used by the cryptocurrency wallet on your computer. This file includes information like the public/private key pairs for each of your addresses, transactions you’ve made, and more. 

With the data on its unencrypted wallet.dat file, the hacker gained access to a large amount of BTC owned by Mt Gox and the private keys to the company’s hot wallets. Mt Gox used these wallets to store funds securely online. With the wallets compromised, the hackers were free to slowly empty them of funds every time the company made a deposit.

Slowly but surely, the hackers stole over 650,000 bitcoins from Mt Gox’s hot wallets and — due to the company’s neglect of fiduciary duty — went undetected for years: from early 2012 till Mt Gox’s crash in February 2014.
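The slow drain went unnoticed because nothing compared the exchange's books with what its wallets actually did and held. The Python below is an added example of such a reconciliation, not code from Mt Gox or from the original article; the record types, function names and sample figures are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Withdrawal:
    """A withdrawal recorded in the exchange's own customer ledger."""
    txid: str
    amount: Decimal


@dataclass(frozen=True)
class Outflow:
    """An outgoing transaction observed on-chain from a hot wallet."""
    txid: str
    amount: Decimal


def reconcile(liabilities, hot_balance, cold_balance, ledger, chain,
              tolerance=Decimal("0.0001")):
    """Compare the books with what the wallets actually did and hold.

    Returns a list of (finding, reference, amount) tuples:
      UNBOOKED_OUTFLOW  - coins left the hot wallet with no ledger entry
      AMOUNT_MISMATCH   - on-chain amount differs from the booked amount
      RESERVE_SHORTFALL - wallets hold less than is owed to customers
    """
    findings = []
    booked = {w.txid: w.amount for w in ledger}
    for out in chain:
        if out.txid not in booked:
            findings.append(("UNBOOKED_OUTFLOW", out.txid, out.amount))
        elif abs(out.amount - booked[out.txid]) > tolerance:
            findings.append(
                ("AMOUNT_MISMATCH", out.txid, out.amount - booked[out.txid]))
    shortfall = liabilities - (hot_balance + cold_balance)
    if shortfall > tolerance:
        findings.append(("RESERVE_SHORTFALL", "all-wallets", shortfall))
    return findings


def sample_run():
    """Constructed data: one clean withdrawal, one overpaid, one unbooked."""
    ledger = [Withdrawal("tx-a", Decimal("5")),
              Withdrawal("tx-b", Decimal("10"))]
    chain = [Outflow("tx-a", Decimal("5")),
             Outflow("tx-b", Decimal("12")),
             Outflow("tx-x", Decimal("75"))]
    return reconcile(liabilities=Decimal("1000"), hot_balance=Decimal("120"),
                     cold_balance=Decimal("800"), ledger=ledger, chain=chain)


if __name__ == "__main__":
    for finding in sample_run():
        print(finding)
```

Run on every wallet snapshot, a check like this turns a years-long silent loss into an alert on the first unbooked transaction.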

On 24 February 2014, Mt Gox suspended its trading and went offline. Four days later, it filed for bankruptcy protection, reporting that it had lost almost 750,000 customer BTC and 100,000 of its own. 

This loss came to about 7% of all bitcoins in circulation, around $473 million. In March 2014, the company shared that it had found around 200,000 BTC in an old wallet, bringing the stolen assets down to 650,000 BTC.

How did the Mt Gox episode resolve? 

To date, most Mt Gox users are awaiting reimbursement for their losses. After a short stint in jail in 2015 for fraud and embezzlement, Mark Karpeles is still on trial in the Mt Gox case. 

At a creditors meeting in October 2021, it was announced that Mt Gox’s bankruptcy trustees will begin compensating creditors using the company’s remaining assets. This Civil Rehabilitation Plan was officially approved in November 2021 and plans to provide billions of dollars in compensation to disgruntled ex-customers of the exchange.

Largest Cryptocurrency Hacks In History: The Bitfinex Hack

At #7, Bitfinex is the world’s second-largest Bitcoin heist.

Founded in 2012, Bitfinex is a Hong Kong-based exchange with many cryptocurrency products and trading options. Once the eighth largest cryptocurrency exchange in the world — and the largest exchange operating in USD — the company was hacked in August 2016 to the tune of 119,756 BTC or $72 million at the time. Today, a hack of that size would mean a loss of about $4.5 billion.

How Bitfinex was hacked

Years after it occurred, the exact weakness that led to Bitfinex’s hack has still not been discovered. However, the hack exploited a vulnerability in Bitfinex’s multi-signature (multi-sig) accounts. 

In a partnership heralded as the future of Bitcoin security, Bitfinex and BitGo developed a multi-signature wallet system that protects against hacks by giving each customer their own secure wallet. Three (instead of one) private keys are required to validate a transaction. For this security method to work, Bitfinex held two of the private keys needed to sign trades, and BitGo held the third.

Multisig wallets are widely regarded as safer than regular ones and are widely used today. The vulnerability exploited in this case seems to stem from Bitfinex’s implementation of the highly configurable technology. While Bitfinex’s keys were compromised, BitGo reported no suspicious activity on its servers.

The Bitfinex hack resolution

In contrast to Mt Gox’s still-ongoing restitution, Bitfinex handled its loss well, announcing that it had reimbursed all creditors just eight months later.

The company achieved this by spreading the loss over its entire customer base. Each customer experienced a loss of about 36% of their assets. Bitfinex then issued Bitfinex (BFX) tokens to customers, to the tune of each loss. Affected customers received 1 BFX for each $1 lost and could redeem their BFX for crypto using the exchange or for shares of Bitfinex’s parent company, iFinex. 

Soon after the hack, the stolen Bitfinex bitcoins were blacklisted as stolen cryptocurrencies, meaning that exchanges will not allow users to trade them. While the blacklisted assets seem to have been moved by the bad actors, it’s still unclear if or how they might be able to cash out on the stolen coins.

Largest Cryptocurrency Hacks In History: The DAO Hack

Ranked #8, the DAO hack is the largest Ethereum hack in history.

The DAO (Decentralised Autonomous Network) was an immensely popular entity designed to be an unaffiliated, decentralized, and autonomous venture capital fund. It operated based on fully transparent rules enforced and maintained by smart contracts on the Ethereum blockchain network. Any changes were made via a vote by all investors.

Inspired by decentralization, The DAO aimed to improve investments by removing human error from the decision-making process. It allowed individuals to invest anonymously from anywhere in the world and garnered a lot of public attention during its initial funding.


The DAO was launched in May 2016, and investors began sending funds to its smart contracts. It was funded by a 28-day sale of its DAO token and attracted more than 18,000 investors. 

Figures on the value of the DAO’s campaign are varied; one source records that it had attracted about 12.7 million ETH or $250 million at the end of its campaign, while another puts the figures at 11.5 million ETH, about $163 million.

Nevertheless, the DAO’s crowdfunding was the largest ever recorded at that time, with its investments making up nearly 14% of all ETH in circulation as of the token sale. 

Then, on June 17, hackers used a vulnerability discovered in its code to drain the DAO’s smart contract of 3.6 million ETH (about $70 million).

How the DAO hack happened

The DAO contained an exit door so investors could opt out. It was called the splitDAO function, and, once called, allowed an investor to withdraw their ETH and, if they wished to, create a “child” DAO by inviting other DAO token holders.

There was only one catch. If you chose to split from the DAO, you would be unable to withdraw your ETH holdings for the standard waiting period before your “child” DAO’s launch: 28 days.

According to a paper published in May 2016, the DAO had several security risks and other loopholes. Of note was a bug known as the “recursive call” vulnerability. It would allow potential attackers to repeatedly call a function from within the function itself. This would put the operation on a loop; each call triggered another, meaning that the process would run repeatedly.

The recursive call vulnerability was publicized several times until The DAO creators acknowledged it, sharing that they had issued a fix.

It would soon become apparent that they had not.

In the July 17 hack, the attacker exploited several vulnerabilities, especially the recursive call. By recursively calling the splitDAO function, they could “withdraw” their funds several times before the smart contract updated its balance. The hacker had transferred about $3.6 million into their new “child” DAO by the next day.
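The ordering problem behind the recursive call is easier to see in a small model. The Python below is an added example, not The DAO's contract code and not part of the original article; the `Fund` class, the member classes and the figures are constructed, and the point is the contrast between paying out before and after the balance is updated.

```python
class Fund:
    """Toy model of a contract that pays out a member's recorded balance."""

    def __init__(self, update_before_send):
        self.update_before_send = update_before_send
        self.balances = {}   # what the books say each member may withdraw
        self.pool = 0        # funds the contract really holds

    def deposit(self, member, amount):
        self.balances[member] = self.balances.get(member, 0) + amount
        self.pool += amount

    def withdraw(self, member):
        amount = self.balances.get(member, 0)
        if amount == 0 or amount > self.pool:
            return
        if self.update_before_send:
            # Hardened order: record the effect, then make the external call.
            self.balances[member] = 0
            self.pool -= amount
            member.receive(self, amount)
        else:
            # Vulnerable order: the recipient's code runs while the books
            # still show the full balance.
            self.pool -= amount
            member.receive(self, amount)
            self.balances[member] = 0


class PlainMember:
    """Recipient that simply accepts the payment."""

    def __init__(self):
        self.wallet = 0

    def receive(self, fund, amount):
        self.wallet += amount


class ReenteringMember(PlainMember):
    """Recipient whose receive hook calls withdraw again, `depth` times."""

    def __init__(self, depth):
        super().__init__()
        self.depth = depth

    def receive(self, fund, amount):
        self.wallet += amount
        if self.depth > 0:
            self.depth -= 1
            fund.withdraw(self)


def simulate(update_before_send, depth=3):
    """Constructed scenario: 90 from an ordinary member, 10 from a re-enterer."""
    fund = Fund(update_before_send)
    ordinary, reenterer = PlainMember(), ReenteringMember(depth)
    fund.deposit(ordinary, 90)
    fund.deposit(reenterer, 10)
    fund.withdraw(reenterer)
    return {"paid_out": reenterer.wallet,
            "pool": fund.pool,
            "owed": sum(fund.balances.values())}


if __name__ == "__main__":
    print("pay first, update after:", simulate(update_before_send=False))
    print("update first, pay after:", simulate(update_before_send=True))
```

In the vulnerable ordering a 10-unit balance is paid out four times and the pool ends below what is still owed to the other member; with the update moved ahead of the external call the second entry finds a zero balance and stops.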

Resolution

Because of the way the DAO’s smart contract worked, the hacker was unable to withdraw their stolen funds for 28 days. Technically, the funds hadn’t left The DAO. 

The Ethereum network was divided on what to do next. Many users called for the series of transactions leading to the hack to be rolled back, but others were more inclined to let The DAO deal with its crisis, as the hack was an exploitation of a valid weakness in its software.

Eventually, the Ethereum community almost unanimously voted in favor of a hard fork to roll back the effects of the DAO hack. The recovered Ether was released into a smart contract that allowed the affected users to retrieve their assets.

Those who did not switch to the Ethereum fork continue using the original Ethereum blockchain, known as Ethereum Classic. 

After its hack, several prominent exchanges delisted The DAO’s tokens, and the platform as it was initially intended has not been realized to date.

Largest Cryptocurrency Hacks In History: Coincheck’s Multi-Million Dollar Hack

At #2, Coincheck’s hack is a case study on the importance of thorough security.


Somehow even larger than Mt Gox’s almost three-year hack is Coincheck’s 2018 loss.

Coincheck is a Japanese exchange and wallet provider that remains one of the world’s most prominent today. In 2017, Coincheck handled the highest volume of cryptocurrency trades in Asia. Then, in January 2018, the company announced that it had lost $534 million in what has been heralded as the “largest digital currency theft” in history.

How the Coincheck hack happened

Rather than more valuable cryptocurrencies like Bitcoin and Ether, the mind-boggling sum stolen in Coincheck’s hack was composed entirely of NEM (also known as XEM) tokens — specifically, 523 million of them.

Around 3:00 a.m. local time on 26 January 2018, a malicious entity transferred over half a billion dollars worth of user NEM tokens out of a compromised Coincheck hot wallet, to 11 external addresses.

The hack went unnoticed till near midday.

Most of the blame for this can be placed on the surface-level security Coincheck was implementing at the time. Rather than secure its NEM tokens in offline cold wallets — or in secure multi-sig wallets as recommended by NEM itself — Coincheck stored a majority of its clients’ NEM in one online hot wallet protected by a single private key. Admitting its faults, Coincheck blamed a staff shortage for the lack of vigilance that allowed this tremendous loss.

To access its hot wallet, attackers sent phishing emails to Coincheck’s employees, using this to collect information they needed to install malware that would let them clean out Coincheck’s online NEM store.

Once the breach was discovered, Coincheck froze all deposits and withdrawals.

Resolution

Soon after Coincheck announced the hack, the value of NEM dropped by nearly 20%. While it would have been possible to retrieve the stolen NEM in a move similar to what occurred after the DAO hack, NEM developers opted against hard-forking their blockchain to roll back the transactions, as they were under no obligation to do so. 

Following the attack, NEM developers created an automated tagging system to track the coins and tag any account that receives them, effectively blocklisting the stolen tokens.

In April 2018, Coincheck was sold to Monex Group, which soon began reimbursing customers affected by the hack with $0.83 for each NEM token lost. The company has since repaid all 260,000 customers who lost assets in the hack.

Largest Cryptocurrency Hacks in History: KuCoin

Ranked #5, KuCoin’s hack represents half of all crypto stolen in 2020.

Founded in 2013, KuCoin is a Seychelles-based cryptocurrency exchange that was hacked to the tune of $280 million in September 2020. 

The company lost 1,008 BTC; alongside 14,713 BSV; 9,588,383 XLM; 26,733 LTC; Omni, and EOS-based tether (USDT) worth $14 million; $153 million worth of ETH and ERC20s; and over 18 million XRP.

How the Kucoin hack happened

The exact details of how KuCoin’s hack was carried out are murky. Experts suggest that the attackers may have been North Korea’s Lazarus Group, but are still largely unsure about the specific weaknesses exploited.

Nevertheless, it’s clear that the attackers gained access to the private keys to KuCoin’s hot wallets. Some sources suggest that KuCoin’s hack may have been an inside job, while others speculate that hackers might have stolen the private keys using a social engineering attack: a phish, malware, or by building a backdoor into a responsible employee’s account.

Resolution

Kucoin has fully refunded customers who were affected by the hack. The exchange was able to do this largely through the cooperation of the developers of the stolen crypto, who updated their smart contracts or performed “token swaps,” which allowed them to roll back KuCoin’s losses and replace the stolen coins. 

While this meant less loss for the giant exchange, it (and other questionable actions the company allegedly took to urge the smaller companies to cooperate) has raised questions about KuCoin and the stolen tokens themselves, with some saying that the company’s actions went against cryptocurrency’s core principle: decentralization.

To fully reimburse its customers, KuCoin worked with project and law enforcement partners to recover $222 million (about 78%) and $17.45 million (6%), respectively. The company then covered the remaining 16% — about $45.55 million — from its insurance fund.

Largest Cryptocurrency Hacks in History: PolyNetwork

Ranked #1, Poly Network said, “Can’t beat them? Ask them to join you.”

Poly Network is a cross-chain network founded by Chinese entrepreneur Da Hongfei. The company built a cross-chain network to enable blockchain users to exchange cryptocurrencies without using a centralized platform (i.e., an exchange), allowing users to avoid high exchange fees.

How the PolyNetwork hack happened

Blockchain networks are inherently independent. Each blockchain is its own ledger, and nodes cannot understand or process data on another blockchain. For example, Alice cannot transfer Bitcoin to her Ethereum address and have that BTC automatically converted to ETH and added to her wallet. This is because the nodes that process transactions on the Bitcoin and Ethereum blockchains cannot communicate. 

Picture two blockchain networks, say Bitcoin and Ethereum, running parallel to each other. Poly Network’s cross-chain sits on top of them, acting as a bridge connecting the Bitcoin addresses on the Bitcoin blockchain to the Ethereum addresses on the Ethereum blockchain.

The platform works by building smart contracts. For example, a smart contract might allow nodes on Poly’s cross-chain to accept Bitcoin from a node on Bitcoin’s blockchain, input that BTC into one of Poly’s wallets, and then send a corresponding amount of ETH from one of Poly’s ETH wallets to an address on the Ethereum blockchain.

For this to work, Poly Network keeps a large sum of liquid assets (online cryptocurrency) so they always have enough crypto to complete a transaction.

The hacker was able to gain “owner” access rights to one of Poly’s smart contracts by exploiting vulnerabilities in Poly’s systems. 

The most notable vulnerability was that Poly Network mismanaged the access rights between two high-privileged smart contracts. 

One contract was responsible for sending messages to/from the Ethereum blockchain and Poly’s cross-chain. Let’s call it the “Poly-ETH messaging contract.” 

The other was a high-profile smart contract that contained the keys to Poly’s online liquidity reserves, including an Ethereum wallet, a Binance wallet, a Neo wallet, and a Tether wallet. We’ll call it the piggybank contract. It contained a hidden function that issued ownership rights to anyone who triggered it. However, that function could only be initiated by someone with those rights. 

Three things to note:

  • The Poly-ETH messenger contract had ownership rights to the piggybank, meaning it could issue high-privilege commands to the piggybank contract.
  • The piggybank contained a hidden function that granted ownership access to anyone who knew it.
  • The hidden function that issued ownership rights to the piggy bank could be revealed using a brute-force attack.

Once he had discovered these vulnerabilities, the attacker found the piggybank’s hidden function using a brute-force attack and then used the Poly-ETH contract to give himself ownership rights to the piggybank. 

Then, he transferred $610 million worth of cryptocurrency from Poly’s Ethereum, Binance, Neo, Tether, and other reserves using the rights he now had.
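The access-rights mistake described above is a confused deputy: the messaging contract would call whatever a message named, and it happened to own the piggybank. The Python below is an added model of that relationship and of two ways to break it, not Poly Network's code and not part of the original article; `Vault`, `Ledger`, `Relay` and every address string are constructed names, and message authentication is assumed to happen elsewhere.

```python
class Vault:
    """Stands in for the piggybank: only its owner may change ownership."""

    def __init__(self, owner):
        self.owner = owner

    def set_owner(self, caller, new_owner):
        if caller != self.owner:
            raise PermissionError("caller is not the owner")
        self.owner = new_owner


class Ledger:
    """Stands in for an ordinary contract the bridge is meant to call."""

    def __init__(self):
        self.credits = {}

    def credit(self, caller, account, amount):
        self.credits[account] = self.credits.get(account, 0) + amount


class Relay:
    """Stands in for the messaging contract: it executes the call named in a
    cross-chain message, and the callee sees the relay as the caller."""
    ADDRESS = "relay"

    def __init__(self, contracts, allowed_calls=None):
        self.contracts = contracts
        self.allowed_calls = allowed_calls  # None models the unrestricted relay

    def execute(self, target, method, *args):
        if (self.allowed_calls is not None
                and (target, method) not in self.allowed_calls):
            raise PermissionError(f"{target}.{method} may not be relayed")
        return getattr(self.contracts[target], method)(self.ADDRESS, *args)


def relay_ownership_request(vault_owner, allowed_calls):
    """Relay one ordinary message and one set_owner message.

    Returns (vault owner afterwards, ledger credits) so the caller can see
    both that normal traffic still flows and who owns the vault at the end.
    """
    vault, ledger = Vault(vault_owner), Ledger()
    relay = Relay({"vault": vault, "ledger": ledger}, allowed_calls)
    relay.execute("ledger", "credit", "alice", 5)
    try:
        relay.execute("vault", "set_owner", "outsider")
    except PermissionError:
        pass  # refused by the relay's allowlist or by the vault itself
    return vault.owner, ledger.credits


if __name__ == "__main__":
    # Relay owns the vault and relays anything: ownership changes hands.
    print(relay_ownership_request("relay", None))
    # Mitigation 1: the relay only forwards allowlisted (target, method) pairs.
    print(relay_ownership_request("relay", {("ledger", "credit")}))
    # Mitigation 2: the vault is owned by a separate admin, not by the relay.
    print(relay_ownership_request("admin", None))
```

Either mitigation alone keeps the owner unchanged in this model; applying both means a mistake in one layer does not expose the reserves.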

Resolution

In a shocking turn of events, the hacker, who has been dubbed “Mr. Whitehat,” began returning the stolen funds to Poly’s hot wallets, eventually returning the entire sum. In explanation, he stated that the hack was “a joke, and meant to encourage Poly Network to improve its security.” 

The company rewarded Mr. Whitehat with $500,000 as a bounty for discovering the bug and offered him a spot on its security team.   

Largest Cryptocurrency Hacks in History: BitMart

Ranked #6, Bitmart’s hack was 2021’s most significant crypto loss.

Bitmart is a cryptocurrency exchange domiciled in the Cayman Islands. Founded in 2017, the company was hacked in early December 2021, losing nearly $200 million in various cryptocurrencies.

How the BitMart hack happened

On 4 December 2021, security analysis firm Peckshield tweeted that it had noticed suspicious activity involving one of Bitmart’s addresses. Funds were being transferred out of the company’s hot wallets to an Ethereum address named “Bitmart Hacker.” In another tweet, the company estimated that Bitmart had lost about $100 million from their ETH hot wallet and about $96 million from their Binance Smart Chain (BSC) wallet.

Bitmart soon denounced these claims as “fake news” on a Telegram channel.

Hours later, it announced that a security analysis had revealed “a large-scale security breach,” reporting a loss of about $150M.

At the final tally, Bitmart had lost a total of $196 million in over 20 different cryptocurrencies, most notably Ether and Shiba Inu. 

While it’s clear that the hacker was able to access the private keys to its hot wallets, Bitmart either doesn’t know or has not reported how the attacker gained that access.

Resolution

Soon after the hack, the attacker used a decentralized exchange aggregator to slowly swap the stolen tokens for ETH. Then, the attacker sent the coins to a private mixer that allowed them to mix the stolen coins with clean ones, making Bitmart’s stolen assets harder to trace.

Largest Cryptocurrency Hacks In History: Wormhole

Ranked #4, the Wormhole hack was one of the first major cryptocurrency losses in 2022.

Launched in September 2021, Wormhole is a popular blockchain bridge. It’s a cross-chain network that connects different blockchain networks, allowing users to access the value of their crypto assets on the supported blockchains. 

The platform works by freezing a user’s assets on one platform, and then issuing them assets on the other network. 

For example, an ETH user who wanted to access their ETH tokens on the Solana network would have to lock up their ETH tokens on Wormhole’s smart contract. Once a majority of Wormhole’s “guardians” — the platform’s 19 cross-chain validators — consent that assets have been locked on one network, the bridge would mint a comparable amount of wormhole-wrapped tokens on the Solana network and send them to the user’s Solana account. 

The user can then trade the issued tokens for SOL, and to restore their original assets, they would have to burn the wrapped assets (which would again be validated by the guardian network), and Wormhole would return their original tokens.

To reiterate, here’s the three-step process:

  1. Lock up assets 
  2. Mint wrapped tokens on the target blockchain
  3. Burn wrapped tokens and get your original assets back

Between each of these stages, Wormhole’s guardians ensure that the messages received (whether the assets have been locked or burnt) are valid.

On February 2nd, 2022, Wormhole announced via tweet that it was undergoing maintenance to investigate “a potential exploit” of its systems. Soon, it was revealed that an attacker had been able to exploit a vulnerability on the platform’s Solana-Ethereum bridge, and had successfully minted 120,000 invalid Wormhole ETH on the Solana network. 

Then, in two transactions, the attacker withdrew 93,750 ETH to his ETH address (even though these assets technically didn’t exist) using Wormhole’s system and sold the rest for SOL, amounting to a loss of about $320M.

How the Wormhole Hack Happened

Due to a vulnerability in Wormhole’s system, the hacker was able to trick it into believing that its guardians had signed off on a 120,000 ETH deposit into the hacker’s account on Solana.

Wormhole was using a function that was meant to check that a guardian had signed a transaction (effectively approving it). However, this function (load_instruction_at) had been deprecated because, while it checks for a signature, it does not check that it’s executing against the right system address.

Simply put, the hacker was able to get away with using a forged guardian signature. Wormhole’s systems believed that its guardians had locked up 120,000 ETH, so when the hacker requested that his fake funds be returned to his ETH address as real ETH, Wormhole’s smart contracts complied, allowing the attacker to drain the cross-chain of its ETH holdings. 
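The missing address check can be modelled without any Solana code. The Python below is an added example, not Wormhole's program and not part of the original article; the account structure, the `sig-verify` label and the placeholder address are constructed, and the two loader functions differ only in whether they confirm which account they are reading from.

```python
from dataclasses import dataclass

# Constructed placeholder for the fixed address of the runtime-owned account
# that lists the instructions executed in the current transaction.
INSTRUCTIONS_SYSVAR = "instructions-sysvar-address-placeholder"


@dataclass(frozen=True)
class Account:
    address: str
    instructions: tuple  # (program, signed_message) records held by the account


def load_unchecked(account, index):
    """The flaw as the article describes it: reads from whatever account
    the caller passed in, without looking at its address."""
    return account.instructions[index]


def load_checked(account, index):
    """Same read, but only from the genuine instructions account."""
    if account.address != INSTRUCTIONS_SYSVAR:
        raise ValueError("account is not the instructions sysvar")
    return account.instructions[index]


def signatures_verified(account, index, message, loader):
    """True if the record at `index` is a signature check over `message`."""
    try:
        program, signed = loader(account, index)
    except (ValueError, IndexError):
        return False
    return program == "sig-verify" and signed == message


def sample_results():
    """Constructed accounts: the genuine one and a caller-supplied lookalike
    whose contents merely claim that a signature check took place."""
    message = "message-hash-1"
    genuine = Account(INSTRUCTIONS_SYSVAR, (("sig-verify", message),))
    lookalike = Account("caller-supplied-account", (("sig-verify", message),))
    return {
        "unchecked/genuine": signatures_verified(genuine, 0, message, load_unchecked),
        "unchecked/lookalike": signatures_verified(lookalike, 0, message, load_unchecked),
        "checked/genuine": signatures_verified(genuine, 0, message, load_checked),
        "checked/lookalike": signatures_verified(lookalike, 0, message, load_checked),
    }


if __name__ == "__main__":
    for case, accepted in sample_results().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the checked loader rejects the lookalike account; the record inside it is identical, which is why verifying the content without verifying its source is not enough.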

Resolution

A digital $1 in your bank account is only worth a dollar because your bank holds the physical representation in its vaults. In the same vein, the value of Wormhole wETH is pegged to the amount of ETH held by the bridge. Therefore, when the hacker drained the bridge of ETH, inflation caused the value of Wormhole wETH to drop drastically. 

Soon after the hack had been confirmed, Wormhole announced that it would soon refill its vaults and bring the value of Wormhole wETH back to 1 ETH. At first, it was unclear where they would find $320M of ETH to fulfill that promise.

Then, Jump Crypto, the venture capital firm that owns Wormhole’s developing company, stepped in and restored all lost assets.

Wormhole has since offered the hacker a bounty of $10M for finding the hack (in return for returning the stolen assets — negotiations are ongoing) and is working on tightening its security to prevent such a breach from reoccurring.

Largest Cryptocurrency Hacks In History And How They Happened: Final Thoughts

The cryptocurrency industry has been shaken by, but has recovered from, some pretty big crypto hacks. It’s one industry that seemingly regularly experiences large financial losses as a result of cyberattacks. Specifically, a majority of those hacks occurred on an exchange, due to a compromised online hot wallet, pointing to a recurring point of failure.

If you’re investing in cryptocurrency, you’re probably already aware that, unlike fiat (regular currency) investments, your crypto cannot be FDIC or SDIC insured. That leaves insurance up to the platform: exchange, wallet, project, etc., that you’re using, and means that investing in crypto inherently involves more risk than fiat investments do. 

Do your best to keep your assets secure.

  • Protect your private key using a secure offline hardware wallet or wallet software that secures your keys in cold storage.
  • If you can avoid storing your cryptocurrency on an exchange, do so.
  • Do your research: always find out how secure (and insured) a platform is, and make sure you understand how it protects your assets.

If you’d like to move your crypto from an exchange to a secure hardware wallet, here are the best cryptocurrency wallets you can use.

Legal Disclaimer

CoinCentral’s owners, writers, and/or guest post authors may or may not have a vested interest in any of the above projects and businesses. None of the content on CoinCentral is investment advice nor is it a replacement for advice from a certified financial planner.