Summary
On September 23, 2023, Mixin Network lost about $200M (roughly $95M in ETH, $24M in BTC and $24M in USDT, among other assets) after attackers breached the database of the network's third-party cloud service provider, which held Mixin's deposit-address and hot-wallet private keys in recoverable form. With the database in hand, the attacker reconstructed the private keys and signed outbound transactions directly, sweeping over 11,400 deposit wallets from highest to lowest balance across more than 10,000 transactions; stolen USDT was swapped to roughly 23.5M DAI to hinder tracing. The weak link was the upstream cloud database, a single point of failure holding recoverable keys, rather than a smart-contract bug or a direct private-key theft from Mixin's own systems (the provider is widely inferred to be Google Cloud but was never officially confirmed). Mixin engaged Google and SlowMist to investigate, suspended deposits and withdrawals, offered a $20M bounty, and announced a plan to reimburse 50% of affected user assets, with the remainder issued as debt/bond tokens. The bulk of the funds was laundered and not recovered.
How to avoid it in your code
- Never store private keys in a database in any recoverable form; generate and use them inside an HSM, or use threshold/MPC signing, so that no single datastore can ever reconstruct a key.
- Treat third-party cloud infrastructure that touches custody as part of your trust boundary: segregate it from everything else and have it audited independently.
- Apply least privilege and strong isolation between application databases and key material: a compromise of the database must not yield signing capability.
- Monitor for bulk, sequential outflows from deposit addresses (many near-full drains into a few destinations in a short window) and halt withdrawals automatically when such a sweep is detected.
- Encrypt key material at rest with hardware-backed keys and enforce strict, tamper-evident access logging at the provider.
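The sweep signature described in the summary (thousands of deposit addresses emptied in descending balance order into attacker addresses) is something custody monitoring can key on. The following Python is an added illustration and not code from Mixin, SlowMist or any of the cited sources; the Transfer schema, the thresholds (20 distinct sources fully drained into at most 3 destinations within 10 minutes) and the sample traffic are constructed assumptions, not real chain data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    """One outbound transfer as seen by the custody signer (constructed schema)."""
    ts: datetime
    src: str               # deposit address being debited
    dst: str               # destination address
    amount: float          # amount moved, in USD for simplicity
    balance_before: float  # balance of src immediately before the transfer


@dataclass(frozen=True)
class SweepAlert:
    first_ts: datetime
    last_ts: datetime
    sources: int                   # distinct deposit addresses drained in the window
    destinations: Tuple[str, ...]  # where the funds went
    descending_balances: bool      # drained highest-balance first, as in the Mixin sweep


def is_full_drain(t: Transfer, min_fraction: float = 0.95) -> bool:
    """A transfer that empties (almost) the whole balance of its source address."""
    return t.balance_before > 0 and t.amount >= min_fraction * t.balance_before


def detect_sweeps(transfers: Iterable[Transfer],
                  window: timedelta = timedelta(minutes=10),
                  min_sources: int = 20,
                  max_destinations: int = 3) -> List[SweepAlert]:
    """Flag any window in which >= min_sources distinct addresses are fully drained
    into at most max_destinations addresses. Thresholds are illustrative assumptions;
    tune them to the deposit-address population and the normal outflow rate."""
    events = sorted(transfers, key=lambda t: t.ts)
    alerts: List[SweepAlert] = []
    start = 0
    for end, current in enumerate(events):
        while current.ts - events[start].ts > window:   # slide the window forward
            start += 1
        drains = [t for t in events[start:end + 1] if is_full_drain(t)]
        sources = {t.src for t in drains}
        dests = sorted({t.dst for t in drains})
        if len(sources) >= min_sources and len(dests) <= max_destinations:
            balances = [t.balance_before for t in drains]
            alerts.append(SweepAlert(
                first_ts=drains[0].ts, last_ts=drains[-1].ts,
                sources=len(sources), destinations=tuple(dests),
                descending_balances=all(a >= b for a, b in zip(balances, balances[1:])),
            ))
            start = end + 1   # burst consumed; do not re-alert on the same events
    return alerts


class WithdrawalGate:
    """Stateful guard in front of the signer: records each outflow and refuses to
    sign anything further once a sweep pattern is detected."""

    def __init__(self, **detector_kwargs):
        self.history: List[Transfer] = []
        self.halted: Optional[SweepAlert] = None
        self.detector_kwargs = detector_kwargs

    def submit(self, t: Transfer) -> bool:
        """True if the outflow may be signed, False if the gate is (now) halted."""
        if self.halted is not None:
            return False
        self.history.append(t)   # in production, prune entries older than the window
        alerts = detect_sweeps(self.history, **self.detector_kwargs)
        if alerts:
            self.halted = alerts[-1]
            return False          # the transfer completing the pattern is refused too
        return True


def constructed_sample() -> List[Transfer]:
    """Constructed traffic, not real chain data: six routine partial withdrawals to
    distinct users, then 25 deposit addresses emptied highest-balance first into one
    address within five minutes."""
    t0 = datetime(2023, 9, 23, 0, 0, 0)
    routine = [Transfer(t0 + timedelta(minutes=3 * i), f"0xdep{i:02x}", f"0xuser{i:02x}",
                        amount=100.0 * (i + 1), balance_before=5_000.0) for i in range(6)]
    t1 = t0 + timedelta(hours=1)
    balances = sorted((2_000_000.0 / (j + 1) for j in range(25)), reverse=True)
    sweep = [Transfer(t1 + timedelta(seconds=12 * i), f"0xdep{0x80 + i:02x}", "0xattacker",
                      amount=bal * 0.999, balance_before=bal) for i, bal in enumerate(balances)]
    return routine + sweep


if __name__ == "__main__":
    gate = WithdrawalGate()
    decisions = [gate.submit(t) for t in constructed_sample()]
    print(f"signed={decisions.count(True)} refused={decisions.count(False)} halted={gate.halted}")
```

On the constructed sample the gate signs the six routine withdrawals and the first nineteen drains, then refuses the twentieth (which completes the pattern) and everything after it; a real deployment should page an operator at that point and require an out-of-band re-enable. The caveat is that such a gate only helps while the signer is the only thing able to produce valid transactions: once the keys themselves have been reconstructed from a stolen database, as at Mixin, the attacker signs outside any gate, which is why the key-storage items above come first.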
References
- https://www.elliptic.co/blog/mixin-network-hacked-for-200-million
- https://www.halborn.com/blog/post/explained-the-mixin-network-hack-september-2023
- https://techcrunch.com/2023/09/25/hackers-steal-200-million-from-crypto-company-mixin/
- https://dn.institute/research/cyberattacks/incidents/2023-09-23-mixin-network/
Related vulnerabilities
- CRITICAL WEB3-PHEMEX-2025
On January 23, 2025, exchange Phemex lost about $85M (early estimates started near $29M before rising) after attackers drained hot wallets across roughly 11-16 blockchains in a synchronized series of more than 125 transactions consistent with a compromised set of hot-wallet private keys; Phemex said the affected signing devices were identified and isolated, pointing to compromised signing infrastructure rather than an on-chain contract flaw. The attacker prioritized high-value tokens and swapped freezable assets into non-freezable ones before any freezes could land. Cold wallets stayed secure and Phemex covered the losses, resuming operations within days under Fireblocks MPC custody with keys split across distributed nodes. Flow-of-funds tracing (Merkle Science) and on-chain analysts (ZachXBT, Arkham), later supported by the FBI, attributed the theft to North Korea's Lazarus Group: on February 22, 2025 the attackers consolidated proceeds from the subsequent Bybit hack into the existing Phemex hacker address, retroactively linking the two incidents on-chain. Stolen funds were laundered via Tornado Cash and not recovered.
- CRITICAL WEB3-FIXEDFLOAT-2024
In mid-February 2024 (around February 16), the non-KYC instant crypto exchange FixedFloat was hacked for about $26.1M, comprising roughly 409 BTC (~$21M) and about 1,728 ETH (~$4.9M), drained in roughly nine transactions. FixedFloat denied an insider job or rug pull and said a third party exploited vulnerabilities and insufficient protection in its infrastructure, gaining access to some service functions; it deliberately prioritized patching over disclosure, so no public technical root-cause writeup was ever released. The exact vector therefore remains officially undisclosed, but on-chain analysts observed no smart-contract exploitation and a direct hot-wallet drain pattern consistent with a compromised hot wallet or private key rather than a protocol bug. The stolen funds were quickly laundered, with ETH funneled through the eXch mixer and BTC split across many addresses, and were not recovered.
- CRITICAL WEB3-PLAYDAPP-2024
Between February 9 and 12, 2024, the South Korean crypto gaming and NFT platform PlayDapp was exploited twice for about $290M after a privileged-key compromise. Around January 16, 2024 the attacker spear-phished the PLA token deployer with a domain-spoofed email whose attachment installed a remote-access tool, giving control of the deployer's machine and its private key. PLA used a custom MinterRole/Ownable mint-permission pattern, so the attacker called addMinter(address) (method ID 0x983b2d56) on the PLA contract (0x3a4f40631a4f906c2BaD353Ed06De7A5D3fCb430) to register an attacker-controlled address as a minter, then minted over 200 million PLA (~$36.5M) on February 9 and a further 1.59 billion PLA (~$253.9M) on February 12. PlayDapp's $1M return offer was ignored; PLA trading was suspended and exchanges worked to freeze funds, and most of the inflated supply was effectively unsellable due to thin liquidity.
- CRITICAL WEB3-POLONIEX-2023
On November 10, 2023, the Justin Sun-linked exchange Poloniex lost roughly $120 million (estimates ranged $114 to $126 million) after attackers compromised a hot-wallet private key and swept tokens to attacker-controlled wallets. The drain hit a hot wallet labeled 'Poloniex 4,' with automated bots executing hundreds of unauthorized transactions that emptied multiple assets in just over an hour, a pattern indicating the signing key itself was in attacker hands rather than any contract bug. The exact intrusion path was not disclosed, but single-key-controlled hot wallets with inadequate signing thresholds let one compromised key authorize the mass outflow. Analysts including Elliptic attributed the theft to North Korea's Lazarus Group based on the attack methodology and a laundering signature of splitting token types across addresses before consolidating, and Justin Sun publicly linked the perpetrators to Lazarus. Poloniex offered a white-hat bounty for the funds' return; the attacker began moving funds (including ETH to Tornado Cash) and the bulk was not recovered, though Sun said losses would be reimbursed.
- CRITICAL WEB3-COINEX-2023
On September 12, 2023, exchange CoinEx lost an estimated $54 to $70 million after attackers compromised its hot-wallet private keys, exploiting lax single-key hot-wallet security. CoinEx's own assessment preliminarily identified leakage of the hot-wallet private key as the cause; wallets controlled by a single key are especially exposed to phishing and malware, the favored access vectors of the attributed actor, and once the key leaked the attacker swept assets directly. The theft was attributed to North Korea's Lazarus Group: one of the CoinEx attacker addresses was reused from the Stake.com hack (FBI-confirmed Lazarus) and funds were bridged via infrastructure previously used by Lazarus, with the linkage confirmed by Elliptic, CertiK, SlowMist, ZachXBT and overlapping addresses tying CoinEx, Stake.com and Alphapo together. CoinEx absorbed the loss and fully reimbursed affected users without diluting its CET token, restoring full operations over the following months.
- CRITICAL WEB3-ATOMICWALLET-2023
On June 3, 2023, users of Atomic Wallet, a non-custodial cryptocurrency wallet, lost over $100M (an early Elliptic estimate of ~$35M was later revised upward) across at least 5,500 accounts. Atomic Wallet never published a root cause, so the exact technical mechanism remains officially undisclosed and disputed; leading unconfirmed theories, consistent with a compromise of key generation or key exfiltration, include weak entropy or insufficient randomness in seed generation creating a brute-forceable keyspace, private keys or seeds being exfiltrated to a server (for example via logging), a supply-chain compromise of the app build, or fault attacks on the signing algorithm. Blockchain forensics firm Elliptic attributed the heist to North Korea's Lazarus Group with high confidence on June 6, 2023, based on laundering through the Sinbad mixer and Garantex and, most tellingly, stolen funds flowing into wallets already holding proceeds of prior Lazarus hacks; the FBI later supported this. Only a small portion (over $1M) was frozen and the bulk was not recovered. A class action (Colorado federal court) was later dismissed.