World

Choose your country:

Biggest Hacks in the History of Cryptocurrencies

December 4, 2024

The ongoing bankruptcy of FTX is all over the news. Some are afraid it might lead to another global financial crisis while most in mainstream media claim it's another proof that crypto needs to be regulated. As if regulated hedge funds or institutions overall never crash. But is the FTX collapse the biggest hack in the history of cryptos or others still surpass it?

We live in uncertain times when the things that used to serve as beacons of hope for humanity have proven to be unreliable after all. When cryptocurrency first came along, it was touted as the most impregnable financial system the world has ever known. This has been shamefully debunked by both previous and recent scandals that have rocked the very industry that served as a beacon of hope to a new generation of investors.

While it's more soothing to point fingers at hackers when there's a breach in the security of Fintech companies, there are certainly no words to describe the disappointment when it comes from within the company. Take, for instance, the FTX fraud, which has taken the crypto world by storm. As the saying goes, nothing stays hidden, and Sam Bankman-Fried's covert activities were recently revealed.

It has been discovered that Sam Bankman-Fried, the former CEO of FTX, was using the funds of his customers to rescue Alameda Research, its affiliated trading firm, from financial ruin. This storm might have been weathered had it not been centered around billions of clients' money. The young former CEO expertly covered up his crime for months, and not even his employees were any the wiser. The cat was finally let out of the bag when FTX filed for bankruptcy on November 10.

These mind-boggling events beg one question - why are cryptocurrency firms still susceptible to attacks and scandals? The answer is simple; cryptos are digital and are housed in online wallets, which makes them a target for hackers. Having said that, let's take a look at some of the ice-cold crypto heists the world has ever recorded.

Ronin network (Axie Infinity) – $620 million lost

When the investors of Ronim Network began the day on March 29th, 2022, little did they know that their beautiful Sunday was about to be ruined with the news of a hack attack on their cherished gaming-based crypto network. The company announced a heavy loss of $620 million, which it has yet to recover from. 

The perpetrators of the dastardly act carried out the theft in two phases; first, they took an estimated $595 million in the form of 173,600 ETH, and the rest of the money was in fiat money, an additional $25.5 million. To this day, no crypto heist comes close to this one. The Lazarus group of North Korea was fingered by the US Treasury Department as the brains and manpower behind the event.

Poly network – $610 million lost

The Poly Network hack comes with a little twist. Unlike hackers whose modus operandi is to steal and escape, this particular hacker decided to hang around for a bit and even went ahead to chat with the operators of Poly Network. How did they gain access to the platform? Simple - a loophole. As most systems have one vulnerability or another, the hacker found that of the Poly Network and took advantage of it, siphoning over $600 million from the company.

One would have imagined that they would make a break for it, but they did the opposite by opening a line of communication with the company, promising to return the money, save for $33 million of tether (USDT) that the issuer had frozen. As if that was not enough drama, $200 million of the funds found their way into an account that could only be opened using a combined password from both the hacker and the Poly Network.

This soon turned into a standoff as the hacker refused to part with their password. The Poly Network was forced to bargain with $500,000 and a job offer before the hacker released the private key to them.

FTX – $600 million lost

Just as the world was getting used to the idea of FTX becoming insolvent, hackers took the opportunity to wreak more havoc by stealing $600 million, which additional information might reveal to be more. This caused the exchange to launch an investigation into the hack, while the remaining funds were transferred to cold storage. No individual or organization has been blamed for the act yet, but from the tweet of Nick Percoco, Kraken’s Chief Security Officer, which reads "We know the identity of the user," there's a possibility that we'll have a culprit soon.

Binance – $570 million lost

In 2022, hackers had a field day ransacking cryptocurrency exchange and leaving depleted coffers in their wake. Even the mighty Binance wasn't spared by hackers, who targeted the exchange in October 2022 and attempted to steal a whopping $570 million in 2 billion BNB tokens via the cross-chain bridge. Thankfully, the exchange caught wind of this early and quickly reacted by freezing a large percentage of the funds. In the end, the firm could not account for $110 million.

Coincheck – $532 million lost

Back then, in January 2018, tragedy struck Coincheck, a crypto firm based in Japan, in the form of hackers, and its NEM (XEM) tokens worth over $530 million were cleaned out. Always on the lookout for vulnerabilities, the hackers discovered that the firm used a "hot wallet," which kept tokens connected to the internet, as opposed to a "cold wallet," which takes them offline. Although the stolen tokens were marked as such, there were rumors that people were buying them on the black market. 

This hacking event dealt such a huge blow to Coincheck that its coin lost a lot of value. So even if the stolen coins are still being offered for sale, not many people will consider it worth the trouble.

MT Gox – $470 million lost

For every series of events, there's always a point of origin. So, if you've ever wondered about the first crypto firm to fall victim to hackers on a large scale, the answer is staring you in the face right now, it's MT Gox. In the case of this company, the hackers stole Bitcoins, and the heist remains the largest Bitcoin theft. Unlike the others we've mentioned, the attack on MT Gox didn't happen all at once. This one was stretched out over years.

The event began in 2011 and was only discovered in 2014. Over this time, the hackers stole 100,000 bitcoins from the firm, and the customers also suffered losses to the tune of 750,000 bitcoins. When this news broke, the value of the stolen Bitcoins was $470 million. If we're to compare it with the current price of Bitcoin, its value will be around $4.7 billion. MT Gox was soon liquidated after the attack, and about 200,000 of the stolen Bitcoins were recovered.

Fraud & alleged fraud

The crypto landscape has been regularly tainted by hacks and data breaches and while these incidents can lead to severe consequences, there is arguably nothing worse than discovering fraudulent behavior by the very founders of a project. 

As seen above, hacks and security breaches are losses in the hundreds of millions, but fraud in crypto companies is measured by billions of dollars in losses.

Before we move on any further it is important to define a few basic concepts that are part of any Chapter 11 Bankruptcy procedure:

Misrepresentation:

Misrepresentation involves the deliberate presentation of false or misleading information by individuals or entities. Within the financial industry, this can manifest in various forms, such as providing inaccurate financial statements, misrepresenting investment opportunities, or falsifying records. Investors rely on the integrity and transparency of the information they receive, making misrepresentation a severe breach of trust.

Fiduciary Duty and Negligence:

Fiduciary duty refers to the legal obligation of individuals in positions of power or authority to act in the best interests of those they represent. In the financial sector, founders, executives, and managerial teams owe a fiduciary duty to their investors. This duty encompasses acting with honesty, loyalty, and care and making decisions that prioritize the interests of the investors over personal gains. Negligence, on the other hand, arises when individuals fail to exercise reasonable care in fulfilling their fiduciary duties, resulting in harm or losses to investors.

Celsius: The Israeli Web of Deception ($1.2 Billion)

Celsius was a prominent crypto lending platform founded in 2017 by Alex Mashinsky and Daniel Leon. Under the slogans of “Unbank Yourself” and “Banks are not your friends”, the Israeli founders quickly positioned Celsius as a disruptor, offering attractive interest rates and promising transparency. On a weekly basis, Alex Mashinsky boasted on the live AMAs about Celsius progress and superiority in terms of risk management, transparency with the community. 

Fast forward to 2022, in a video, Mashinsky reads a piece of paper letting the +1 million users they cannot withdraw their funds from the platform as the company was having liquidity issues and was entering Chapter 11 Bankruptcy proceedings.

*A Chapter 11 Bankruptcy is a procedure by which the debtors clearly evaluate the debt and work with creditors in court to reorganize the business. The reorganization is a way for the business to continue operating while repaying the debt partially or in full. This shouldn’t be confused with Chapter 7 Bankruptcy, which essentially liquidates all assets to repay creditors with whatever is left. 

After almost a year into the bankruptcy proceedings, the US Department of Justice appointed examiner delivered a report on the fraudulent activities of Mashinsky and the rest of the management team. One of the primary fraudulent acts involved deliberately misreporting financial data to inflate Celsius' assets and revenue, creating a false impression of the company's financial health.

Mashinsky and his inner circle had carefully orchestrated a scheme to manipulate Celsius' financial records, painting a picture of prosperity while concealing the underlying truth, that Celsius wasn’t profitable and had a huge hole in the balance sheet. This misrepresentation was intended to lure in new customers to pay for old customers withdrawals (yes, like a Ponzi scheme), as the seemingly robust financial standing of the company appeared to be an assurance of its reliability.

While Mashinsky claimed that Celsius was “…safer than banks.”, was unaffected by other companies’ problems and all was good. In reality, Celsius had lost money on defi hacks, third party “custodians” were “losing” private keys to tens of thousands of ETH, third party lenders where “unable” to return the BTC collateral Celsius had provided, all while Tether was liquidating a BTC collateral as Celsius wasn’t paying back its loans in time.

Furthermore, it was discovered that Mashinsky and certain executives diverted investor funds for personal use, in clear violation of their fiduciary duty. These misappropriations constituted a grave breach of trust, as they undermined the interests of the investors for personal gain. The funds intended for investment purposes or to support the growth of Celsius were siphoned off for lavish personal expenses and undisclosed ventures.

We are now in Q2 of 2023, the bankruptcy proceedings are still ongoing and customers still have no idea of when and how much they will get back. The only thing that is certain based on the examiners report, records and employee interview transcripts is that the Managerial team & relatives withdrew most assets from the platform, higher tiered employees knew what management was up to and made no effort to denounce it. 

FTX ($8 Billion)

FTX was founded in 2019 by Sam Bankman-Fried, a former Wall Street trader who quickly rose to prominence in the crypto industry. Under his leadership, FTX grew rapidly, attracting millions of customers worldwide and achieving a valuation of $32 billion. SBF was regarded as a visionary entrepreneur and gained significant influence in the cryptocurrency space. His success with FTX and his role as the head of Alameda Research, a prominent crypto hedge fund, further solidified his position in the industry.

In November 2022, the FTX empire began to crumble. Shockwaves rippled through the crypto community as FTX filed for bankruptcy protection, citing a staggering loss of nearly $8 billion in customer funds. The news sent shockwaves through the market and left investors and customers reeling from the significant financial blow.

The subsequent unraveling of the FTX fraud revealed a disturbing tale of deceit and misappropriation. Bankman-Fried, once hailed as a trailblazer, now faced serious criminal charges. In a stunning turn of events, he was arrested in the Bahamas and extradited to the United States to face justice.

Bankman-Fried faces several charges, including wire fraud, money laundering, and campaign finance violations. Prosecutors alleged that he orchestrated an elaborate scheme to defraud FTX customers. The fraudulent activities involved diverting customer funds to settle debts at Alameda Research and making personal investments, all while disregarding the fiduciary duty owed to FTX's customers.

Moreover, SBF allegedly engaged in preferential treatment, granting Alameda Research special privileges on the FTX platform. This included providing the hedge fund with an almost unlimited line of credit funded by FTX customers deposits. 

Additionally, Bankman-Fried is accused of inflating the value of certain illiquid assets held by Alameda, such as FTX-affiliated tokens. By artificially inflating their worth, Bankman-Fried manipulated the market, deceiving investors who relied on accurate asset valuations for their investment decisions.

Lessons learned

One takeaway from these events is that hackers are always on the prowl, searching for loopholes in crypto exchanges that they can take advantage of. The successful heists all had the same thing in common: hot wallets (the variant that needs an internet connection to function) and low security. Also, the fact that exchanges are the main target didn't go unnoticed. They rarely go after individuals; what would be the gain in that? The idea is to hit exchanges where a lot of money will be realized from the risk.

In the end, the clients bear the brunt of the attacks. More often than not, they never recover their lost investments. This is, thus, a wake-up call for crypto enthusiasts to be mindful of where they decide to store their digital assets.

For the longest time, people have longed for the power to have complete control over their finances. The answer to this came in the form of cryptocurrencies and blockchain technology. However, this liberty came at a cost: extreme caution, both on the part of the individual and the crypto exchange. Unlike traditional banking services, where individuals will be compensated if there is a hack, in the crypto industry, it is everyone for themselves. If your crypto transaction ends up at the wrong address, the fund is gone forever. There will be no one to report to, and neither will anything be done to retrieve it.

Here are three great tips that will help you stay safe in the crypto community:

  • You do not know what company X is doing with your funds, you will never know, and even if you are told, it could be all lies (misrepresentations). So, no matter what you do, stay away from hot wallets. If you must use them, only do so for a short period. Preferably when you're trading or exchanging funds. Once that's over, move your assets to a more secure wallet.

  • Your funds are not your funds, any deposit to a company means that company owes you that deposit, but you are likely to be the last one in the line of creditors to get paid back, if everything goes wrong.

  • Opt for wallets that provide cold storage with unbreakable security. You can also invest in a hardware wallet, though it will cost you some money. But you can't put a price on safety, right?

  • Don't fall for scams. When a deal appears too good to be true, it probably is. When you come across an offer like "send 0.1 BTC to this address and receive 55 BTC immediately," take to your heels and don't look back!

  • Carefully choose which companies you work with, in the event of Bankruptcy it will be a judge who decides whether the company is holding your property or as the Celsius case in the US, it may consider all cryptocurrencies are property of the estate (Celsius) and they only have a debt to you.Consider that if everything goes wrong, the lawyers are the first to get paid, followed by founders, employees and secured creditors. If there is anything left, you will have to fight the rest of creditors for your “fair” share of the leftovers.