Loading prices…
Zipp Zipp Advertise
Sign up Sign in

The Biggest Crypto Hacks in History

From Mt. Gox to FTX, Ronin to Bybit, the largest crypto hacks have shaped how the industry thinks about custody, code, and trust. Here is the story of each one and the lesson it left behind.

security Zipp · 7 min read ·
The Biggest Crypto Hacks in History

Why this matters now

Headline hacks are not just historical curiosities. Each one was a moment when thousands or millions of people who thought they were safe woke up to discover they were not, and the patterns repeat. Understanding the biggest cases is the fastest way to develop a real sense for how custody risk actually works — and to recognise the shape of the next one before you become part of it. This is educational, not financial advice.

Mt. Gox — the original lesson (2014)

Mt. Gox was, at its peak in 2013, the exchange handling around 70% of all global BTC trading. In early 2014 it suspended withdrawals, then filed for bankruptcy, and around 850,000 BTC were declared missing — a sum worth hundreds of millions of dollars at the time and tens of billions a decade later. Years of investigation pointed to a slow drain over multiple years, mixing internal mismanagement, weak security, and external theft.

Mt. Gox is the origin story of the phrase "not your keys, not your coins." Creditors waited more than a decade for a partial repayment plan. The lesson the rest of crypto absorbed was simple and brutal: keeping serious holdings on any exchange is a bet on the exchange itself, not just on the market.

Coincheck — the cold-storage lesson (2018)

Coincheck, then a major Japanese exchange, lost roughly $530 million worth of NEM in a single attack in January 2018. The technical root cause was that the targeted funds were sitting in a hot wallet — connected to the internet for operational convenience — rather than in cold storage. Coincheck eventually compensated users from its own balance sheet, but the case nailed down a durable industry standard: serious customer funds belong in cold storage, with only operational liquidity in hot wallets.

Poly Network — the strange one (2021)

In August 2021, cross-chain protocol Poly Network was drained of roughly $610 million across multiple chains. Then the attacker did something unusual: they returned almost everything, claimed they had only wanted to expose the vulnerability, and walked away with a "chief security advisor" offer from the project. Whatever the motivation, the case made clear that cross-chain smart contracts were fragile in ways the market had badly underestimated — a warning that would echo in 2022.

Ronin Network — the bridge wake-up (2022)

In March 2022, attackers stole around $625 million in ETH and stablecoins from Ronin, the bridge powering the Axie Infinity game. The attack worked because five of the nine validator keys securing the bridge had become compromised, partly through a social-engineering attack on a developer. Investigators later attributed the theft to a state-linked group.

Ronin marked the moment the industry stopped treating bridges as plumbing and started treating them as the highest-risk component of multi-chain crypto. The lessons were both technical (validator decentralisation matters, multisig thresholds matter) and human (a single phishing email can cost hundreds of millions).

Wormhole — the smart-contract lesson (2022)

A month before Ronin, in February 2022, the Wormhole bridge between Solana and other chains was exploited for roughly $325 million. This one was pure smart-contract risk: a signature-verification bug let an attacker mint wrapped ETH on Solana without locking real ETH on the other side. The exploit was patched, and Jump Crypto stepped in to replace the missing funds — a backstop most projects do not have.

The case became a textbook example of why cross-chain code is so dangerous: one bug can mint phantom assets at will, and recovery depends entirely on someone else being willing to absorb the loss.

FTX — when the collapse is not technically a hack (2022)

FTX was not a hack in the protocol sense. It was a customer-funds collapse. In November 2022 the second-largest crypto exchange in the world unwound in days when it emerged that customer balances had been used to backstop affiliated trading firm Alameda Research. Billions in user funds were unaccounted for; founder Sam Bankman-Fried was later convicted of fraud.

The FTX case is included alongside the technical hacks because for users the outcome was identical: balances gone, no recovery. The lesson reinforced the original Mt. Gox one with brutal clarity. Marketing, sponsorships, and a friendly public face are not custody. Reputable name on the door is not the same as solvency under the hood.

Other names worth knowing

  • Bitfinex (2016). Roughly 120,000 BTC stolen. The recovery story stretched across nearly a decade and ended with US authorities seizing much of the stolen stash from the launderers, a rare partial-restitution outcome.
  • Coincheck again, Cryptopia, Kucoin, Binance (2019). A series of mid-sized exchange hacks throughout 2019, mostly compensated by the exchanges, reinforced the message that even well-run platforms get breached.
  • Nomad bridge (2022). ~$190 million drained in a chaotic free-for-all after a contract upgrade introduced a verification flaw — copy-paste exploits by random users emptied the bridge.
  • Celsius and Voyager (2022). Centralised lenders that collapsed in the wake of the broader 2022 unwind, locking customer assets and revealing how opaque the underlying lending practices had been.
  • Bybit (2025). One of the largest single thefts ever recorded — roughly $1.4 billion in ETH siphoned through a sophisticated cold-wallet attack. The exchange covered customer losses from its own balance sheet but the case redefined assumptions about cold-storage operational security.

The recurring lessons

Different stories, the same handful of conclusions:

  • Custody is the foundational risk. The thread tying Mt. Gox to FTX is not technology, it is custody. If a third party can move your coins, your coins are exposed to that third party's competence and honesty.
  • Bridges and cross-chain code are the highest-risk layer. Ronin, Wormhole, and Nomad all happened in a single year. Treat bridged assets as a separate, higher-risk bucket.
  • Hot wallets concentrate operational risk. Coincheck and many subsequent exchange hacks targeted hot wallets — the standard is now cold storage for the vast majority of customer funds.
  • Scale is not safety. The two biggest losses in crypto history (Mt. Gox at the time, FTX and Bybit since) hit firms that were, in their moment, market leaders. "Big" is not the same as "safe."
  • Recovery is rare. Some funds are eventually returned — Mt. Gox creditors, Bitfinex via US enforcement, Wormhole via Jump backstop — but for the vast majority of cases, lost is lost.

What to do with this

  • Move significant holdings off exchanges. The single biggest defence against the next big hack is not being on the next big hack's customer list. See how to store crypto securely for the practical setup.
  • Treat exchanges as utilities, not vaults. Use them for trading, withdraw promptly, and avoid leaving long-term balances.
  • Limit bridge exposure. If you need bridged assets, treat them as a higher-risk position and size accordingly.
  • Watch the news. The early signs of an exchange in trouble — withdrawal delays, social-media silence, sudden marketing pivots — often appear hours or days before the worst becomes public.
  • Diversify counterparty risk. Splitting holdings across self-custody plus more than one reputable exchange means no single failure wipes you out.

Catch the early signs

Most major exchange collapses give off warning signals before the official statement — withdrawal pauses, unusual on-chain movements, social-media defensiveness, exchanges scrambling to plug holes. Zippfeed tracks crypto security and exchange headlines across many sources with sentiment and importance scoring, so the early signs of a brewing problem land on your feed alongside their context. The earlier you see the smoke, the more time you have to move funds before the fire reaches them.

Frequently asked questions

What was the biggest crypto hack ever?
Measured in coins, Mt. Gox in 2014 remains the most consequential — around 850,000 BTC declared missing, worth tens of billions of dollars at later prices. By single-event US dollar size at the time, the 2025 Bybit theft (~$1.4 billion in ETH) and the 2022 Ronin bridge attack (~$625 million) are among the largest pure thefts. FTX in 2022 was not technically a hack but cost users billions in unrecoverable balances.
What is the difference between a hack and an exchange collapse?
A hack is a technical breach — stolen keys, exploited code, drained wallets. An exchange collapse is a business failure where customer funds were misused, lost in trading, or otherwise unaccounted for. From the user's perspective the outcome is identical: balances gone, recovery uncertain. FTX in 2022 was a collapse, not a hack. Mt. Gox was a mix of both.
Why do exchanges keep getting hacked?
Exchanges concentrate massive value in one operational target, which makes them irresistible to attackers. Even with strong cold-storage policies, the hot wallets needed for daily operations remain online and exposed, and the human and key-management layers around them are where most successful attacks land. The defence is structural — cold storage for the bulk, tight operational discipline for the hot layer.
Can I get my coins back if an exchange is hacked?
Sometimes, partly, eventually — but rarely fully and rarely fast. Some exchanges have covered customer losses from their own balance sheet (Coincheck, Bybit). Some recoveries come from law enforcement seizing stolen funds years later (Bitfinex). Many losses are simply never recovered. The right plan is to assume losses are permanent and design custody to make them unlikely in the first place.

Related guides