WEB3-COINEX-2023

On January 23, 2025, exchange Phemex lost about $85M (early estimates started near $29M before rising) after attackers drained hot wallets across roughly 11-16 blockchains in a synchronized series of more than 125 transactions consistent with a compromised set of hot-wallet private keys; Phemex said the affected signing devices were identified and isolated, pointing to compromised signing infrastructure rather than an on-chain contract flaw. The attacker prioritized high-value tokens and swapped freezable assets into non-freezable ones before any freezes could land. Cold wallets stayed secure and Phemex covered the losses, resuming operations within days under Fireblocks MPC custody with keys split across distributed nodes. Flow-of-funds tracing (Merkle Science) and on-chain analysts (ZachXBT, Arkham), later supported by the FBI, attributed the theft to North Korea's Lazarus Group: on February 22, 2025 the attackers consolidated proceeds from the subsequent Bybit hack into the existing Phemex hacker address, retroactively linking the two incidents on-chain. Stolen funds were laundered via Tornado Cash and not recovered.

On November 10, 2023, the Justin Sun-linked exchange Poloniex lost roughly $120 million (estimates ranged $114 to $126 million) after attackers compromised a hot-wallet private key and swept tokens to attacker-controlled wallets. The drain hit a hot wallet labeled 'Poloniex 4,' with automated bots executing hundreds of unauthorized transactions that emptied multiple assets in just over an hour, a pattern indicating the signing key itself was in attacker hands rather than any contract bug. The exact intrusion path was not disclosed, but single-key-controlled hot wallets with inadequate signing thresholds let one compromised key authorize the mass outflow. Analysts including Elliptic attributed the theft to North Korea's Lazarus Group based on the attack methodology and a laundering signature of splitting token types across addresses before consolidating, and Justin Sun publicly linked the perpetrators to Lazarus. Poloniex offered a white-hat bounty for the funds' return; the attacker began moving funds (including ETH to Tornado Cash) and the bulk was not recovered, though Sun said losses would be reimbursed.

On September 23, 2023, Mixin Network lost about $200M (roughly $95M ETH, $24M BTC and $24M USDT among other assets) after attackers breached the database of the network's third-party cloud service provider, which held Mixin's deposit-address and hot-wallet private keys in a recoverable manner. With the database compromised, the attacker reconstructed the private keys and signed outbound transactions directly, sweeping over 11,400 deposit wallets from highest to lowest balance across more than 10,000 transactions; stolen USDT was swapped to roughly 23.5M DAI to break traceability. The weak link was the upstream cloud database acting as a single point of failure with recoverable keys, rather than a smart-contract bug or a direct private-key theft from Mixin itself (the provider is widely inferred to be Google Cloud but was never officially confirmed). Mixin engaged Google and SlowMist to investigate, suspended deposits and withdrawals, offered a $20M bounty, and announced a plan to reimburse 50% of affected user assets with the remainder issued as debt/bond tokens. The bulk of the funds was laundered and not recovered.

On June 3, 2023, users of Atomic Wallet, a non-custodial cryptocurrency wallet, lost over $100M (an early Elliptic estimate of ~$35M was later revised upward) across at least 5,500 accounts. Atomic Wallet never published a root cause, so the exact technical mechanism remains officially undisclosed and disputed; leading unconfirmed theories, consistent with a compromise of key generation or key exfiltration, include weak entropy or insufficient randomness in seed generation creating a brute-forceable keyspace, private keys or seeds being exfiltrated to a server (for example via logging), a supply-chain compromise of the app build, or fault attacks on the signing algorithm. Blockchain forensics firm Elliptic attributed the heist to North Korea's Lazarus Group with high confidence on June 6, 2023, based on laundering through the Sinbad mixer and Garantex and, most tellingly, stolen funds flowing into wallets already holding proceeds of prior Lazarus hacks; the FBI later supported this. Only a small portion (over $1M) was frozen and the bulk was not recovered. A class action (Colorado federal court) was later dismissed.

On September 25, 2020, exchange KuCoin lost roughly $281 million in BTC, ETH and ERC-20 tokens after attackers gained access to the private keys controlling its hot wallets. KuCoin's own incident report confirmed the keys were exposed via a compromised server; the precise initial intrusion was not fully disclosed but is consistent with phishing or malware against personnel with key access, compounded by the operational weakness that the hot-wallet key pairs reportedly had not been rotated for around three years. Holding large balances in single-key-controlled hot wallets meant one key compromise allowed sweeping of multiple assets across chains. Chainalysis attributed the theft to North Korea's Lazarus Group, citing a structured money-laundering pattern (consistent sub-round-number payments to mixers and DeFi swaps via Uniswap) and deposit addresses shared with the Harvest Finance hack. KuCoin recovered the funds almost entirely: about 84% via on-chain tracking, token freezes and judicial action, with the remaining 16% covered by its insurance fund, leaving users unaffected.

Mt. Gox, then the largest Bitcoin exchange, halted withdrawals on February 7, 2014 and filed for bankruptcy in Tokyo on February 28, 2014 after roughly 850,000 BTC (around 750,000 customer coins plus 100,000 company coins, worth roughly $450 million at the time) was found missing. The losses were not a single break-in but years of undetected drain: an early compromise of the exchange's poorly secured private keys, including a wallet.dat file accessible on a server from the McCaleb era, gave attackers persistent access while Mt. Gox lacked cold storage, audited reserves, and reconciliation controls. The exchange publicly blamed transaction-malleability exploitation, but ETH Zurich researchers concluded malleability accounted for at most a few hundred BTC, so the precise vector remains disputed and was likely long-running key theft and skimming masked by broken accounting. About 200,000 BTC was later recovered in an old wallet. In 2023 the U.S. DOJ indicted Russian nationals Alexey Bilyuchenko and Aleksandr Verner for laundering the stolen bitcoin; creditor repayments began rolling out a decade later.