Top Centralized Exchange Hacks: Lessons Learned from History

By Renuka Tahelyani

Decentralization isn’t just a cherished principle anymore; it’s become a competitive necessity. In recent years, centralized exchanges (CEXs) like Mt. Gox and WazirX have suffered major losses due to external hacks, while others such as FTX have imploded due to internal misuse of funds. Even the industry giants Binance and Coinbase face existential threats from the world’s most powerful financial regulator. But what about their decentralized counterparts, DEXs?

Decentralized exchanges (DEXs) offer powerful defenses against these three major threats—hacks, fraud, and regulatory overreach—that have plagued CEXs. Of course, there are other threats besides “hacks.” FTX’s downfall, for instance, involved mismanagement and misuse of customer funds by its executives, a scenario less feasible on a DEX due to its inherent structure that promotes transparency and user control. 

This article looks into the biggest exploits in the history of centralized exchanges, illustrating the critical need for the security and autonomy offered by DEXs like ChaiDEX.

Top 10 Centralized Exchange Hacks in Crypto History

From notorious breaches to systemic vulnerabilities, the crypto world has seen its share of turbulence. Here, we recount the 10 biggest centralized exchange hacks and explain why the pivot to decentralized solutions is not just wise, but imperative.

10. The Bithumb Hack: A Repeated Target

Founded in 2014, Bithumb rapidly became a cornerstone of the South Korean crypto market, with over eight million registered users and a transaction volume surpassing $1 trillion. Despite its prominence, the exchange has been repeatedly compromised.

Starting in 2017, Bithumb suffered several breaches:

[Figure: The stolen assets, as reported by Bithumb during the June 2018 hack]

Each incident prompted a swift shift of funds to cold wallets and heightened security measures, yet vulnerabilities persisted. Notably, the March 2019 breach was suspected to be an insider job, pointing to systemic security challenges.

In response to the repeated breaches, the South Korean Ministry of Science and Technology (MIC) launched thorough investigations, with key findings including:

  • Inadequate network isolation.
  • Poor monitoring systems that failed to distinguish between normal and suspicious activities.
  • Insufficient cryptographic key and password management.

9. WazirX: Leading Amid 16 Crypto Hacks in July 2024

As per a report by Immunefi, over $473 million worth of cryptocurrency has been lost to hacks and rug pulls across 108 incidents in 2024. WazirX alone accounted for 86.4% of the total crypto lost to hacks in July.

Indian CEX WazirX announced plans to undo all trades following its withdrawal freeze on July 18, 2024. “All users will have their portfolio balances restored to what they were on July 18, 2024, 1 p.m. IST,” the exchange stated.

On that date, WazirX suffered a significant wallet exploit, which resulted in the unauthorized transfer of over $230 million in crypto assets. The attack targeted WazirX’s multisig wallet on Ethereum. 

Over $100 million in Shiba Inu (SHIB), 20 million MATIC tokens ($11 million), 640 billion PEPE tokens ($7.5 million), 5.7 million USDT, and 135 million GALA tokens ($3.5 million) were stolen.

The aftermath? Well, WazirX tried to play the blame game, suggesting everyone share the pain. The CEX proposed a “socialized loss strategy” via a social media poll, which of course faced backlash. “Making customers directly absorb the 45% losses is utter nonsense,” said CoinDCX co-founder Sumit Gupta. 


WazirX’s compromised wallet was a Gnosis Safe multisig using a 4 of 6 signature scheme. Five keys were held by WazirX, with one key controlled by Liminal’s custody service. The attacker bypassed the multisig and whitelist by manipulating a smart contract, tricking four signers into approving a malicious transaction.

What Lessons Were Learned?

Despite advanced security measures, including hardware wallets and address whitelisting, WazirX fell victim to a sophisticated attack. This underlines the need for comprehensive security audits and continual improvement in safeguarding digital assets. The risks associated with centralized control of private keys are evident.

[Embedded post: Importance of owning your private keys, by Elon Musk, as shared by ChaiDEX]

8. Binance Hacks: A Stark Reminder of Crypto Vulnerabilities

In 2019, Binance, the world’s leading cryptocurrency exchange, was targeted in one of the top centralized exchange hacks. On May 7, malicious actors breached Binance’s security, using phishing and viruses to access users’ two-factor authentication codes and API keys. 

This breach enabled them to siphon off 7,074 bitcoins, valued at over $40 million at the time, from the exchange’s hot wallet in a single transaction.

[Figure: Stolen assets movement, as shown by Crystal Blockchain]

Following this incident, Binance’s CEO, Changpeng Zhao, announced the establishment of a Secure Asset Fund for Users (SAFU) to protect users’ funds in such extreme cases. Despite these measures, Binance faced another significant security challenge in October 2022. Hackers exploited the BSC Token Hub, a cross-chain bridge, to illegitimately generate and steal 2 million BNB tokens—roughly $570 million.

7. KuCoin: A Cyber Thriller with a Silver Lining

In September 2020, KuCoin, based in Singapore, experienced a Hollywood-style heist that ranks among the top centralized exchange hacks. Hackers launched a cunning attack at 19:05 UTC, pilfering Bitcoin and Ethereum into a mysterious wallet. The plot thickened as the digital thieves accessed the vaults by swiping private keys to KuCoin’s hot wallets.

By the time KuCoin CEO Johnny Lyu addressed the world in a 4:30 UTC live stream the next day, the crypto community was on edge. The quick-thinking team at KuCoin transferred the remaining funds to new hot wallets, decommissioned the compromised ones, and temporarily froze all customer transactions to mitigate further risks. Lyu assured users that the cold wallets, which are offline and thus more secure, were not affected.

Further investigations traced the stolen funds across various cryptocurrencies including BTC, ETH, LTC, XRP, and more, totaling approximately $281 million. Despite this significant loss, KuCoin’s proactive measures led to the recovery of about $204 million of the stolen funds within weeks. 

Adding more intrigue to the story, KuCoin collaborated with international law enforcement, attributing the cyber sleight of hand to a suspected North Korean hacker group.

6. BitGrail: An Internal Job

Italian cryptocurrency exchange BitGrail, led by Francesco Firano, was embroiled in controversy after a staggering €120 million ($146.55 million) was stolen from the platform. Italian police allege that Firano, also known as “F.F.”, may have been complicit in the hacks or negligently failed to enhance security after the initial breaches were discovered. 

This series of events led to the loss of funds for approximately 230,000 users, mainly in the nano cryptocurrency.

Firano was facing charges including computer fraud, fraudulent bankruptcy, and money laundering, making this one of the largest financial breaches in Italian history.

In the aftermath, the Italian Bankruptcy Court took decisive action, declaring both Firano and BitGrail bankrupt. The court also mandated Firano to return as much of the stolen assets to customers as possible. 

Also, the court authorized the seizure of Firano’s assets, including over $1 million in personal items and millions in cryptocurrency from BitGrail’s accounts. The court found that a software flaw on BitGrail’s platform had improperly requested multiple withdrawals.

In CEXs like BitGrail, control over all assets and security measures is centralized, which makes them attractive targets for hackers. In contrast, DEXs distribute the responsibility for asset security to individual users. If BitGrail had been a DEX, each user would have retained control over their own wallet.

Not to mention, since DEXs do not rely on a central authority to hold and manage funds, the risk of insider fraud, like that alleged in the BitGrail case, is significantly reduced.


5. Poloniex: A Tale of Two Hacks

Poloniex is another significant player in the cryptocurrency exchange market that was unfortunate enough to find its place in a long list of top centralized exchange hacks. The CEX has suffered not once, but twice, from severe security breaches. 

In March 2014, hackers exploited a software vulnerability, making away with 97 BTC, which represented 12.3% of the exchange’s Bitcoin holdings at the time. Despite the setback, Poloniex managed to rebound by fully reimbursing affected users.

Fast forward to November 2023, the exchange was hit again, this time much harder. Attackers, suspected to be the notorious Lazarus Group linked with North Korea, compromised private keys to drain an estimated $126 million from Poloniex’s hot wallets. 

The modus operandi involved social engineering and malware to obtain critical private keys. Following the hack, the attackers employed complex strategies, including sending different tokens to specialized addresses and utilizing decentralized exchanges for laundering the assets, making tracking and recovery challenging.

Lessons Learned:

In centralized exchanges like Poloniex, the centralized storage and management of private keys create a vulnerability that attackers can exploit using social engineering and malware. These attacks led to unauthorized access to funds, as was the case in the Poloniex incidents.

In contrast, the approach taken by decentralized exchanges can offer a different security model. For instance, platforms like ChaiDEX employ a non-custodial trading model where users maintain control of their private keys at all times. 

Moreover, such DEXs incorporate additional layers of security that are designed to safeguard against the types of vulnerabilities that might be exploited by social engineering or malware. This includes using advanced cryptographic techniques such as Threshold Signature Schemes (TSS) to handle signing operations without exposing individual private keys. 

These measures ensure that even if a user’s device is compromised, the integrity of their keys and, consequently, their funds remain secure.


4. Bitstamp

Over several weeks, Bitstamp employees were lured by phishing schemes involving emails and Skype messages specific to their personal interests. This deceptive familiarity led them to inadvertently download malware-laden attachments.

The cybercriminals targeted Bitstamp’s system administrator, Luka Kodric, who unknowingly downloaded a malicious file, compromising the exchange’s security. The malware, hidden within an innocuous document, activated a script that infected Bitstamp’s servers, giving hackers access to crucial wallet.dat files and passphrases.

Realizing the breach, Bitstamp acted swiftly, setting up an incident response team and issuing a company-wide alert. Despite these efforts, the hackers managed to drain 18,866 BTC from the hot wallet, leading to a loss of approximately $5 million at the time of the hack.

In the aftermath, Bitstamp undertook a massive overhaul of its trading platform, opting for a ground-up rebuild rather than a patchwork fix. They moved their infrastructure to Amazon’s secure cloud servers in Europe, implementing multi-signature wallet access and engaging Xapo for cold wallet management.

3. Bitfinex: A Case of Distributed Losses

In August 2016, Bitfinex was compromised in a sharp cyber heist, adding to the notorious list of top centralized exchange hacks. Hackers exploited a flaw in the exchange’s multisignature security system, backed by BitGo. Manipulating security protocols, they illicitly withdrew 120,000 BTC—worth approximately $72.2 million—from Bitfinex’s hot wallet.

Following the hack, Bitfinex was transparent about the financial fallout. Losses were apportioned across user accounts, translating to a 36% reduction per account. To mitigate these losses, Bitfinex issued BFX tokens to affected users, redeemable for U.S. dollars or shares in iFinex Inc., facilitating gradual recovery.

[Figure: Chainalysis tracking of Bitfinex’s stolen funds]

The Chainalysis report on the laundering of the stolen Bitfinex funds outlines five main components:

  • The hacker initially moved 120,000 Bitcoin from Bitfinex to a designated wallet labeled “Bitfinex.com Stolen Funds” in August 2016.
  • In January 2017, the funds were transferred to AlphaBay, a now-defunct darknet market, which acted as a mixer. 
  • The stolen Bitcoin was then moved from AlphaBay to four different cryptocurrency exchanges, referred to as VCEs 1-4, using fake identities.
  • By 2019, with AlphaBay dismantled, the launderers turned to a mixer to obscure their funds’ origins. They moved the Bitcoin to several exchanges to swap for assets like Monero and used some to buy gold from a precious metals seller.
  • Between 2020 and 2021, a significant amount of funds was converted into fiat currency and subsequently moved into a U.S. bank account.  

Years of diligent efforts led to substantial recovery of the stolen assets. By July 2023, law enforcement had secured over 108,000 BTC. The guilty pleas of Illya Lichtenstein and Heather Morgan in connection to the laundering of these funds marked a crucial win for agencies like the FBI, IRS-CI, and HSI.

2. Coincheck: The Largest Heist

In the waning days of January 2018, Coincheck, a prominent Japanese crypto exchange, fell victim to one of the top centralized exchange hacks in history. Hackers infiltrated the exchange’s hot wallet, absconding with 523 million NEM tokens valued at approximately $534 million at the time. 

Despite previous lessons from other hacks, Coincheck had maintained a significant volume of assets in hot wallets without adequate multisignature protections. Immediately following the breach, the exchange halted all deposits and withdrawals in a frantic bid to stem the flow of stolen funds.

The broader crypto community quickly rallied to prevent the liquidation of the stolen assets. Exchanges like ShapeShift banned trades of the compromised NEM coins and tagged the associated addresses to deter further transactions. Despite these efforts, the full recovery of funds remained elusive.

Coincheck claimed to be exploring compensation options for affected users and covered the losses completely, despite the initial uncertainty about their capacity to do so.

1. Mt. Gox: The Titanic of Cryptocurrency

The Mt. Gox hack remains arguably the most infamous and discussed cryptocurrency heist, primarily due to its magnitude and timing. This monumental event is a classic case study among top centralized exchange hacks.

In 2011, Mt. Gox, then the world’s largest Bitcoin exchange, first experienced a major security breach that resulted in the loss of 25,000 bitcoins. The situation worsened by 2014, culminating in a catastrophic theft where approximately 850,000 bitcoins—valued at about $470 million at the time—were stolen. 

This monumental heist, orchestrated through a combination of fake Bitcoin flooding and exploitation of software security flaws, led to the platform’s eventual bankruptcy. 

Dubbed the “Titanic of cryptocurrency,” the fallout was immediate and severe, impacting Bitcoin prices and trust within the crypto community globally. “I lost nearly everything. It changed my view on digital currency security forever,” shared a forum user, underlining the hack’s profound personal and financial impacts. 

Mt. Gox’s downfall immortalized the cautionary principle among crypto users, “Not your keys, not your coins.”


Why Are DEXs Safer?

As the tales of centralized breaches unfold, the question arises: how do decentralized platforms mitigate such risks?

“The matter is always of on-chain transparency and custody of users’ funds. Unless an exchange can immediately show the proof of funds on chain, there are always loopholes that can lead to hacks.”

Nitesh Mishra, Co-Founder at ChaiDEX

Non-Custodial Trading

Unlike centralized exchanges (CEXs), DEXs like ChaiDEX don’t hold user funds, mitigating the risk of massive thefts. Trades are executed directly between users’ wallets through smart contracts, ensuring there’s no central point of failure.

Smart Contract Audits

Taking ChaiDEX as a case study, it is safe to say that DEXs emphasize the security of their platforms by regularly auditing their smart contracts. These audits, conducted by leading security firms, help identify and rectify vulnerabilities, reinforcing trust and stability.

Decentralized Governance

DEXs leverage decentralized governance, allowing the community to actively participate in critical decisions, including security measures. This democratic approach ensures that the platform evolves in line with user needs and security standards.

Layer 2 Solutions

By implementing Layer 2 solutions, DEXs enhance both scalability and security with the added advantage of faster and cheaper transactions.

Advanced Encryption Techniques

The use of cutting-edge security protocols and encryption techniques, such as zero-knowledge proofs, ensures that transactions on DEXs are secure and private.

Multi-Signature Wallets and Decentralized Insurance

To further cushion security, DEXs like ChaiDEX support multi-signature wallets and partner with decentralized insurance providers to offer coverage against unforeseen events.

Conclusion

Since its genesis, cryptocurrency has been lauded as a tool to counteract government overreach—a decentralized response to centralized power. Governments around the world have attempted to control this new financial frontier by blacklisting Bitcoin addresses, confiscating digital assets, and tracking users. Despite these efforts, they have not succeeded in halting the decentralized network.

For many enthusiasts and purists, decentralized exchanges (DEXs) like ChaiDEX are not just an option but a necessity. Cryptocurrencies, inherently decentralized by design, demand a trading platform that mirrors their foundational principles. ChaiDEX and similar platforms embody this philosophy, ensuring that the crypto ecosystem remains resilient and true to its roots.

Moreover, ChaiDEX serves as a hedge against crypto volatility, offering a secure platform for inter and intra-chain transfers that safeguard asset value and custody. Today, as we witness the pitfalls and vulnerabilities of centralized exchanges through various top centralized exchange hacks, the shift towards decentralized platforms like ChaiDEX represents not only a strategic defense against these risks but also a commitment to the original vision of cryptocurrency.
