When the news reports that hackers have stolen hundreds of millions of dollars in cryptocurrency, many people picture a simple scenario: the blockchain must have been broken. But in most high-profile cases, the problem was not Bitcoin, Ethereum, or the very idea of a distributed ledger. What usually gets compromised is everything that surrounds cryptocurrency: exchanges, wallets, cross-chain bridges, smart contracts, internal processes, interfaces, employee access, and key storage systems.

That is why the history of the largest crypto hacks is more than a list of dramatic thefts. It is also the story of a maturing market. Every major incident showed the industry where its weak spots were.

What Gets Attacked Most Often in the Crypto Industry

Cryptocurrency does not exist in a vacuum. To buy, sell, swap, or transfer assets, a user normally interacts with services: exchanges, swap platforms, wallets, DeFi protocols, cross-chain bridges, payment solutions, and custodial platforms. Each of these components carries its own area of risk.

An exchange may manage access poorly. A hot wallet may be connected to the internet and become a convenient target. A smart contract may contain a flaw in its logic. A bridge between networks may concentrate enormous sums in one technically complex place. And an employee, an administrator, or the user themselves can be attacked through phishing, fake links, and social engineering. The weak link is almost always found not inside the blockchain, but at the point where assets pass under the control of services, companies, and people.

Mt. Gox: When the Market Did Not Yet Know How to Store Billions

In the early 2010s, Mt. Gox was not merely one of the largest exchanges; it handled roughly 70% of all Bitcoin transactions worldwide. For most users of that era, it was the main and often the only way to enter the world of cryptocurrency.

In February 2014, everything collapsed. The exchange declared bankruptcy and reported the disappearance of about 850,000 BTC, of which roughly 750,000 belonged to clients. At the exchange rate of the time, that was hundreds of millions of dollars. At today's prices, the figure is almost too large to contemplate.

The most troubling part of this story is that the problems did not appear in a single day. According to investigations, some of the funds had been disappearing for years, starting in 2011. There was no proper accounting inside the exchange. Keys were stored carelessly. Control over the movement of funds barely existed. Management either failed to notice what was happening or took no meaningful action.

Later, around 200,000 BTC were found in old wallets that appear to have simply been forgotten. Creditors waited more than ten years for their funds to be returned, and the repayment deadline has since been extended again to October 2026. The case led to the criminal prosecution of the exchange's head, Mark Karpelès, in Japan.

Mt. Gox became a painful lesson for the entire market. The popularity of a service says nothing about the quality of its internal infrastructure. Millions of users entrusted their funds to the platform with no way to verify how storage actually worked there. By the time everything came to light, it was already too late.

Coincheck: Hot Wallets and the Price of Convenience

In January 2018, the Japanese exchange Coincheck lost about 523 million NEM tokens, roughly $530 million at the rate of the time. This hack is notable because the problem could have been prevented easily. The NEM developers had offered the exchange a multi-signature protection mechanism in advance, a setup in which a transaction requires confirmation from several parties rather than a single key. Coincheck declined. All the tokens sat in a single hot wallet that was constantly connected to the internet, without any additional protection. Once the attackers gained access to that wallet, nothing stopped them from withdrawing everything at once, which is exactly what they did in a single operation.

Coincheck ultimately compensated affected users from its own funds, around $425 million. Such a response is rare in the industry, and it cost the exchange dearly. The platform was later acquired by the investment group Monex and continued operating under new management.

But the heart of the story is not who paid whom. The point is that storing assets in a hot wallet without additional protection is a deliberate choice in favor of speed and convenience at the expense of security. Cold wallets are not permanently connected to the internet and are inconvenient for daily operations, which is precisely why they are far harder to attack. Coincheck bet on convenience and put half a billion dollars of other people's money on the line.

A good exchange rate and a pleasant interface are the visible part of an exchange. The architecture of asset storage almost always stays out of sight. Users typically learn about it only when something goes wrong.

Poly Network and Wormhole: When a Coding Error Costs Too Much

As DeFi grew, the risks became more complex. Where the main concern had once centered on centralized exchanges, attention later shifted to smart contracts and protocols that operate automatically.

Poly Network and Wormhole are two telling examples. In August 2021, an attacker targeted Poly Network, a protocol that allows assets to move between different blockchains. The vulnerability lay in the logic of the smart contract that governed who exactly had the right to change the parameters of fund transfers. The hacker found a way to convince the contract that they were the authorized address and gained control over wallets across several networks at once: Ethereum, BSC, and Polygon. In a matter of hours, more than $610 million was withdrawn. It remains one of the largest hacks in DeFi history.

What happened next was unexpected. The hacker began returning the funds. According to them, the attack had been intended as a demonstration of the vulnerability rather than a theft. The entire sum was eventually returned, and Poly Network even offered the attacker the role of security advisor. The market breathed a sigh of relief, but an uneasy feeling remained, because the next person to find the same vulnerability might reason very differently.

In February 2022, Wormhole showed the same logic but with a different ending. Wormhole is a bridge between Solana and Ethereum. The attacker found a vulnerability in the mechanism for verifying digital signatures. The issue was that the contract trusted a certain type of service account that was no longer used in the current version of the system, but the check on the status of those accounts was not strict enough. The hacker used this to fabricate the required signature and mint 120,000 wrapped ETH on the Solana side, with no real backing on the Ethereum side. About $320 million left the protocol in a single move. The funds were ultimately restored by Jump Crypto, the company that financed the project. This spared users from losses, but only because a large investor with resources stood behind the bridge. Most DeFi protocols have no such cushion.

A smart contract does not consider whether it is dealing with an honest user or an attacker. It simply executes the logic built into it. If that logic contains an error, automation offers no protection; at the same speed as an ordinary transaction, it turns a small vulnerability into an enormous problem. In DeFi, automation works in both directions. When a protocol functions correctly, all is well. When it does not, the error unfolds instantly, and there is no one to reverse it.

Ronin Network: Why Bridges Became a Favorite Target for Hackers

In March 2022, news broke of an attack on Ronin Network, a blockchain built for the game Axie Infinity. About 173,600 ETH and 25.5 million USDC were withdrawn from it, amounting to roughly $625 million in total. The attack was later linked to the North Korean group Lazarus.

Understanding how this happened matters, because what was broken here was not code in the usual sense, but the very architecture of access management. Ronin used a system of nine validators to confirm transactions. To withdraw funds, signatures from at least five of them were required. It looks like a reliable setup. But several months earlier, Sky Mavis, the company behind Axie Infinity, had temporarily simplified the process to reduce the load on the network during the game's peak growth. To do so, it granted Axie DAO the right to sign transactions on its behalf. When the load eased, no one revoked that technical access.

The attackers compromised the private keys of four Sky Mavis validators, and they obtained the fifth precisely through that outdated Axie DAO access. Five signatures were enough. The transactions went through as if everything were in order.

The most alarming part is that the attack was discovered only six days later, when a user tried to withdraw funds and could not. Until that moment, the system had produced no automatic signals that anything strange was happening.

This illustrates well that it is not only code that can be attacked. Processes can be attacked, along with access management and old permissions that no one bothered to remove. Greater infrastructure complexity always means a greater number of points that must be kept under control simultaneously.

Bridges are one of the most vulnerable points in the crypto infrastructure. They concentrate large sums, they are technically complex, and they are often built quickly to meet rising demand. Low fees and high speed are merely what is visible from the outside. Behind them stand audits, architectural decisions, the reputation of the team, and the question of what happens when something goes wrong.

Bybit: A New Level of Attack

In February 2025, a hack took place that rewrote the market's understanding of how a major exchange can be attacked at all. Bybit lost about $1.5 billion in Ethereum, making it the largest crypto theft on record, with more than 401,000 ETH withdrawn. The FBI linked the attack to TraderTraitor, the same North Korean group behind many other large thefts in the industry.

Bybit used a multi-signature wallet based on Safe (formerly Gnosis Safe), which is considered one of the most reliable solutions for corporate cryptocurrency storage. Several authorized employees had to approve every transaction. It all looked like a mature, well-built system.

The attackers did not target the wallet directly. They went after the infrastructure through which employees viewed and signed transactions. They managed to compromise the interface of one of the providers, so that on screen the employees saw a legitimate transaction while they were in fact signing a change to the logic of the wallet's smart contract. In effect, they handed control of the vault to the attackers with their own hands. After that, the funds were withdrawn in a single moment.

The attack was carefully prepared. It did not rely on brute force; it was built on people's trust in a familiar tool. They saw a familiar interface, checked the amount, and clicked confirm. And that is exactly what worked against the exchange.

Bybit became a reminder for the entire market that security is not a single setting or a single tool. It is a system that has to work every day. What matters is who signs operations and how, how many layers of verification a transfer passes through, how suspicious addresses are tracked, who has access to critical actions, and what happens when something does not go according to plan.

What the Largest Crypto Hacks Have in Common

The details of all these stories differ. In some cases there were storage problems. In others, a vulnerability in the code. Elsewhere, an attack on a bridge. Elsewhere still, a compromise of access or of the signing process.

But the underlying logic repeats. Major hacks most often occur where three factors converge: a lot of money, complex infrastructure, and at least one weak link. That link may be a private key, a smart contract, an employee, an admin panel, an interface, a hot wallet, or an inattentive user.

This is why security in crypto cannot be reduced to the single phrase "the blockchain is reliable." The blockchain itself may work correctly, yet a user can still lose money by entering the wrong address, following a phishing link, or entrusting assets to a service that lacks proper control procedures.

How Users Can Reduce Their Risks

The good news is that a user does not need to become a cybersecurity specialist to reduce the basic risks. Following a few rules of financial hygiene is enough.

  • Do not keep all your assets in one place. There is a golden rule in the crypto industry: "Not your keys, not your coins." When your funds are kept on an exchange, you do not fully control them from a technical point of view. What you see on the screen is essentially an entry in the exchange's internal database, a promise that the platform owes you those assets and will return them when you request a withdrawal. If the exchange is hacked, frozen by regulators, or goes bankrupt, as happened with Mt. Gox, that promise may suddenly become very hard to enforce. Exchanges are convenient for everyday transactions, conversions, and trading. But for long-term storage of large amounts, a personal wallet is safer, provided that only you control the private keys.
  • Always check the address before a transfer. Pay particular attention to the first and last characters. For a large operation, it is better to first send a small test amount.
  • Use two-factor authentication through an app, not just SMS. App-based codes are significantly harder for attackers to intercept than text messages.
  • Do not follow links from random messages. Do not trust a "support team" that contacts you first in private messages and urgently asks you to confirm something.
  • Be careful with new DeFi protocols and bridges. High yields, an attractive interface, and an active Telegram chat are no substitute for an audit, a track record, and a clear security model.