What Is Crypto Theft And What Is the Largest Crypto Theft Ever?


What Is Crypto Theft?

Crypto theft refers to the unauthorized acquisition of digital assets through hacking, fraud, or the exploitation of security vulnerabilities. Unlike traditional finance, where banks and other institutions provide security measures and fraud protection, cryptocurrency operates on decentralized networks, so stolen funds are difficult to recover without intermediaries.

How Does Crypto Theft Happen?

Crypto theft can occur in multiple ways, each presenting challenges to individuals and organizations involved in digital assets.

A common form of attack is exchange hacks, where cybercriminals target centralized cryptocurrency exchanges to gain unauthorized access to user funds. These breaches often exploit weaknesses in an exchange’s security infrastructure, allowing attackers to move assets from customer wallets. Since exchanges hold large reserves of digital assets, they remain attractive targets for hackers.

Another significant threat comes from smart contract exploits, which take advantage of vulnerabilities in decentralized finance (DeFi) protocols and cross-chain bridges. These flaws can stem from coding errors, insufficient security audits, or weaknesses in the contract's logic. Exploiting these gaps allows attackers to manipulate transactions, withdraw excess funds, or disrupt the platform’s operations.

Phishing scams are also widely used by cybercriminals to steal user credentials. Attackers create deceptive websites, emails, or social media messages that mimic legitimate crypto services, tricking users into revealing private keys, seed phrases, or exchange login details. Once these credentials are compromised, the attackers can access and transfer funds without detection.

Another risk comes from rug pulls and Ponzi schemes, where fraudulent projects lure investors by promising high returns or groundbreaking technology. Once enough funds have been raised, the developers abruptly exit the project, leaving investors with worthless assets. These schemes are particularly prevalent in the DeFi and NFT sectors, where new projects launch frequently with little oversight.

Finally, wallet vulnerabilities present another layer of risk. Attackers may exploit security weaknesses in both software and hardware wallets using malware, keyloggers, or direct hacks to extract private keys. Poor security practices, such as failing to update wallet software or improperly storing keys, further increase the chances of asset theft.

What Is the Largest Crypto Theft Ever?

The largest cryptocurrency theft to date occurred in February 2025, when Bybit, a crypto exchange, was hacked for $1.5 billion. The attack exploited vulnerabilities in the platform’s contract logic during a routine transfer between its cold and warm wallets, enabling unauthorized withdrawals. The FBI later attributed the breach to North Korea’s Lazarus Group, also known as the TraderTraitor group, a state-sponsored cybercriminal organization with a history of targeting cryptocurrency platforms.

Prior to this, the most significant crypto theft was the Ronin Network breach in March 2022, where hackers stole $625 million from Axie Infinity’s blockchain. This attack was also linked to the Lazarus Group, underscoring the persistent cyber threats faced by crypto exchanges, DeFi protocols, and blockchain infrastructure worldwide.

Crypto Theft Examples

Bybit (2025) - $1.5 Billion

In February 2025, Bybit experienced a security breach that resulted in a loss of approximately $1.5 billion. The attack exploited vulnerabilities in the exchange’s contract logic during fund transfers between its cold and warm wallets, allowing unauthorized transactions to external addresses.

Ronin Network (2022) - $625 Million

The Ronin Network hack in March 2022 remains one of the most significant exploits in DeFi, resulting in the theft of approximately $625 million in Ethereum (ETH) and USD Coin (USDC). The attack targeted Sky Mavis, the developer of Axie Infinity, a blockchain-based game that relied on the Ronin bridge for asset transfers between Ethereum and its sidechain.

Hackers gained unauthorized control over five of the nine validator nodes responsible for securing the Ronin bridge. By compromising a majority of the validators, the attackers were able to fraudulently authorize transactions, leading to the unauthorized withdrawal of 173,600 ETH and 25.5 million USDC.

The breach remained undetected for six days until a user attempted to withdraw 5,000 ETH and discovered that the funds were missing. This delay in detection highlighted vulnerabilities in the network’s security monitoring processes.

Subsequent investigations attributed the attack to North Korea’s Lazarus Group, a cybercriminal organization known for targeting financial platforms. In response, the U.S. Treasury sanctioned wallet addresses linked to the stolen funds to prevent laundering efforts and mitigate further risks associated with the breach.

Poly Network (2021) - $610 Million

The Poly Network hack in August 2021 resulted in the unauthorized transfer of approximately $610 million across multiple blockchain networks, including Ethereum, Binance Smart Chain (BSC), and Polygon. The exploit was made possible by a vulnerability in the protocol’s smart contract logic, which allowed the attacker to override transaction permissions and gain control of funds.

Poly Network is a cross-chain interoperability protocol designed to facilitate asset transfers between different blockchains. The attacker identified a flaw in the contract authorization process, which enabled them to manipulate transaction parameters and assume ownership of a significant amount of tokens. By exploiting this weakness, the hacker bypassed security mechanisms and withdrew assets from Poly Network’s liquidity pools.

The incident took an unexpected turn when the hacker, later referred to as "Mr. White Hat," returned nearly all of the stolen funds. The individual claimed the attack was intended to highlight security vulnerabilities in the protocol rather than for financial gain. 

Binance BNB Bridge (2022) - $570 Million

On October 6, 2022, the Binance Smart Chain (BSC) Token Hub Bridge experienced a security breach that resulted in the unauthorized minting and withdrawal of 2 million BNB tokens, valued at approximately $570 million at the time. The incident highlighted the vulnerabilities associated with cross-chain bridges, which have increasingly been targeted in security breaches.

The BSC Token Hub Bridge is designed to enable asset transfers between the Binance Smart Chain and other blockchain networks. The exploit occurred due to a flaw in the bridge’s verification system, which failed to properly authenticate transactions before approving the minting of new tokens. This allowed the attackers to generate and withdraw a substantial amount of BNB without legitimate backing.

Following the detection of unusual activity, Binance took immediate action by suspending the entire BSC blockchain to contain the impact of the breach. The rapid response helped mitigate further losses, with approximately $110 million in assets ultimately remaining unrecovered, as a significant portion of the stolen funds was frozen before it could be moved or laundered.

Coincheck (2018) - $530 Million

In January 2018, Coincheck, one of Japan’s largest cryptocurrency exchanges, experienced a significant security breach, resulting in the loss of approximately $530 million worth of NEM (XEM) tokens. The incident was attributed to security shortcomings, particularly in how the exchange managed asset storage, bringing attention to the risks associated with hot wallet security.

Unlike many exchanges that utilize cold wallets—offline storage solutions that provide greater security against cyber threats—Coincheck stored a substantial amount of NEM tokens in a single hot wallet. This made the funds more vulnerable to external attacks. Hackers exploited this weakness and gained unauthorized access to the wallet, transferring 523 million NEM tokens.

Upon detecting the breach, Coincheck took immediate action by suspending all withdrawals and trading activities to prevent further losses. The exchange also reported the incident to Japanese authorities, including the Financial Services Agency (FSA), and collaborated with regulators to investigate the attack.

The stolen NEM tokens were not immediately liquidated but were instead moved across multiple wallets, with some transactions traced to dark web marketplaces. The NEM Foundation attempted to track the stolen assets by implementing a tagging system to monitor movement, but only a small portion of the funds was ultimately recovered.

Mt. Gox (2014) - $460 Million

Founded in 2010, Mt. Gox, short for "Magic: The Gathering Online Exchange," was originally designed as a platform for trading collectible game cards. It later pivoted to Bitcoin trading and, by 2013, had become the world’s largest cryptocurrency exchange, handling over 70% of all Bitcoin transactions.

In 2014, Mt. Gox collapsed following the loss of 850,000 BTC, valued at approximately $460 million at the time. The breach was not the result of a single attack but rather a prolonged security compromise that had gone undetected for years. Investigations revealed that hackers had been siphoning Bitcoin from the exchange’s wallets since at least 2011.

Several security lapses contributed to the attack. The exchange’s reliance on hot wallets made private keys vulnerable, allowing unauthorized withdrawals over an extended period. Additionally, Mt. Gox lacked multi-signature authentication, a security measure that could have prevented unauthorized access. A flaw in the transaction processing system, known as "transaction malleability," also enabled attackers to alter transaction IDs, leading to multiple withdrawals of the same funds. Poor internal controls and delayed detection meant that by the time the breach was uncovered, most of the stolen BTC was unrecoverable.

By February 2014, Mt. Gox halted all withdrawals, citing "technical issues." Shortly after, the company filed for bankruptcy protection in Japan, officially acknowledging the loss of 850,000 BTC. The collapse led to extensive legal disputes, and many victims have yet to receive full compensation.

FTX (2022) - $400 Million

The FTX hack remains one of the most controversial cryptocurrency thefts due to its timing and circumstances. On November 11, 2022, just hours after the exchange filed for bankruptcy, unauthorized transactions began draining funds from its wallets. In total, approximately $400 million worth of cryptocurrencies, including Ethereum (ETH) and stablecoins, were transferred from FTX’s hot wallets to unknown addresses.

The nature of the attack raised speculation about whether it was an external hack or an insider operation, as it occurred amid FTX’s legal and financial turmoil. While some assets were frozen on exchanges and firms like Chainalysis have tracked the movement of stolen funds, much of the cryptocurrency has been laundered through mixing services and decentralized exchanges (DEXs), and a significant portion of the stolen funds has not been recovered.

Wormhole (2022) - $320 Million

Wormhole is a cross-chain bridge designed to facilitate asset transfers between multiple blockchain networks, including Ethereum, Solana, Terra, Binance Smart Chain, and Avalanche. 

On February 2, 2022, Wormhole experienced a major security breach, leading to the theft of 120,000 ETH, valued at approximately $320 million at the time. The attack was made possible by a vulnerability in the bridge’s smart contract, which failed to properly validate guardian signatures—a key security measure used to confirm cross-chain transactions.

The hacker executed the exploit by forging guardian signatures, bypassing the verification process, and tricking the smart contract into approving fraudulent transactions. This allowed them to mint 120,000 wrapped ETH (wETH) on the Solana blockchain without depositing an equivalent amount of ETH on Ethereum. After obtaining the illicitly minted tokens, the attacker quickly exchanged portions of the stolen wETH for SOL and other cryptocurrencies, making it more difficult to track and recover the funds.
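The Ronin, BSC Token Hub and Wormhole incidents above all come down to the same control: a bridge must not mint or release funds until it has checked that enough distinct, registered validators or guardians actually signed the exact message being acted on. The following Go program is an added example written for this article, not code from Wormhole, Ronin or Binance. It uses a toy bridge message, Ed25519 keys generated at run time, and a 5-of-9 quorum chosen to mirror the Ronin validator set; all of these are assumptions for illustration. It shows that an honest quorum passes, while a short quorum, a repeated signer, a signature that does not verify against the registered key, and a message altered after signing are all rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MintMessage is the cross-chain claim a bridge acts on: "Amount was locked on the source chain, so mint it for Recipient here".
type MintMessage struct {
	Recipient string
	Amount    uint64
}

// digest is what the guardians sign; it covers every field, so altering any field after signing invalidates all signatures.
func (m MintMessage) digest() []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%d", m.Recipient, m.Amount)))
	return sum[:]
}

// GuardianSig is one guardian's signature, tagged with its index in the set.
type GuardianSig struct {
	Index int
	Sig   []byte
}
// GuardianSet is the registered guardian public keys plus the required quorum.
type GuardianSet struct {
	Keys   []ed25519.PublicKey
	Quorum int
}
var (
	ErrUnknownGuardian  = errors.New("signer index is outside the registered guardian set")
	ErrDuplicateSigner  = errors.New("the same guardian was counted twice")
	ErrBadSignature     = errors.New("signature does not verify against the registered key")
	ErrQuorumNotReached = errors.New("fewer valid signatures than the quorum")
)

// Verify approves the message only if at least Quorum distinct registered guardians produced signatures that verify over its digest.
func (gs GuardianSet) Verify(m MintMessage, sigs []GuardianSig) error {
	d := m.digest()
	seen := make(map[int]bool)
	for _, s := range sigs {
		if s.Index < 0 || s.Index >= len(gs.Keys) {
			return ErrUnknownGuardian
		}
		if seen[s.Index] {
			return ErrDuplicateSigner
		}
		if !ed25519.Verify(gs.Keys[s.Index], d, s.Sig) {
			return ErrBadSignature
		}
		seen[s.Index] = true
	}
	if len(seen) < gs.Quorum {
		return ErrQuorumNotReached
	}
	return nil
}

// Scenarios builds a fresh 5-of-9 guardian set (keys generated for the demo) and returns the verdict per case; nil means "mint approved".
func Scenarios() map[string]error {
	privs := make([]ed25519.PrivateKey, 9)
	gs := GuardianSet{Keys: make([]ed25519.PublicKey, 9), Quorum: 5}
	for i := range privs {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		privs[i], gs.Keys[i] = priv, pub
	}
	msg := MintMessage{Recipient: "dest-chain-recipient-example", Amount: 120000} // constructed values
	sign := func(signer, claimed int) GuardianSig { // signer's key, presented under index claimed
		return GuardianSig{Index: claimed, Sig: ed25519.Sign(privs[signer], msg.digest())}
	}
	honest := func(idx ...int) []GuardianSig {
		out := make([]GuardianSig, len(idx))
		for k, i := range idx {
			out[k] = sign(i, i)
		}
		return out
	}
	tampered := msg
	tampered.Amount *= 10 // amount altered after the guardians signed
	return map[string]error{
		"five honest guardians":        gs.Verify(msg, honest(0, 1, 2, 3, 4)),
		"only four guardians":          gs.Verify(msg, honest(0, 1, 2, 3)),
		"same guardian listed twice":   gs.Verify(msg, honest(0, 1, 2, 3, 3)),
		"fifth signature forged":       gs.Verify(msg, append(honest(0, 1, 2, 3), sign(3, 4))),
		"amount changed after signing": gs.Verify(tampered, honest(0, 1, 2, 3, 4)),
	}
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-30s -> %v\n", name, verdict)
	}
}
```

Run it with `go run`; `Scenarios` returns the verdict for each case so the behaviour can also be checked programmatically. The checks in `Verify` are deliberately ordered: unknown index, then duplicate signer, then the signature itself, so a malformed submission is rejected before any cryptographic work, and quorum is counted over distinct verified signers rather than over the number of signatures submitted.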

Upon detecting the breach, Wormhole’s development team promptly suspended bridge operations to prevent further unauthorized activity. In response, Jump Trading, the parent company of Jump Crypto and a key investor in Wormhole, stepped in to replenish the stolen 120,000 ETH, ensuring that users relying on the bridge would not suffer direct financial losses. This swift intervention helped stabilize the Wormhole ecosystem and prevented a potential collapse.

Following the incident, Wormhole partnered with blockchain security firms to analyze the exploit and implement security enhancements to prevent future attacks. The team also extended a $10 million bounty offer to the hacker in exchange for returning the stolen assets, though the offer was ultimately ignored.

Atomic Wallet Hack (2023) - $100 Million

Atomic Wallet is a non-custodial, decentralized wallet that allows users to store, manage, and swap cryptocurrencies without depending on a third party. Unlike centralized exchanges, where funds are stored in company-controlled wallets, Atomic Wallet users maintain full control over their private keys. While this self-custody model offers greater financial autonomy, it also means that users bear full responsibility for securing their assets.

In June 2023, Atomic Wallet experienced a major security breach, leading to the theft of over $100 million worth of cryptocurrency from individual user wallets. Unlike previous large-scale hacks that primarily targeted centralized exchanges or blockchain bridges, this incident directly impacted self-custody wallets, raising concerns about the security of decentralized wallet solutions.

The exact method of the attack remains unclear, but security researchers identified multiple potential vulnerabilities that may have contributed to the breach. One likely attack vector involved the compromise of private keys and seed phrases, possibly through malware infections, phishing scams, or software vulnerabilities. Another theory suggests a supply chain attack, where the wallet’s software update process may have been infiltrated by malicious actors, allowing unauthorized access to users’ funds. Additionally, weak security measures played a role in the severity of the breach. Unlike hardware wallets, which require physical confirmation for transactions, Atomic Wallet operates as a hot software wallet, making it more vulnerable to malware that could access funds remotely.

The attack was not detected immediately; it came to light as users began reporting unauthorized withdrawals from their wallets. In total, over 5,500 wallet addresses were affected, with the stolen funds rapidly moved across multiple blockchain networks in an attempt to obscure tracking efforts. Blockchain analytics firm Elliptic later traced a significant portion of the stolen funds to wallet addresses associated with North Korea’s Lazarus Group.

Can Crypto Theft Be Traced?

Since cryptocurrency transactions are recorded on public blockchains, they can be traced using forensic analysis. Blockchain analytics firms such as Chainalysis and Elliptic monitor stolen funds and flag illicit transactions. However, cybercriminals use methods to obscure their activity, including:

  • Mixers & Tumblers: Services that mix stolen funds with legitimate assets, breaking transaction links.

  • Privacy Coins: Cryptocurrencies like Monero (XMR) and Zcash (ZEC) that hide sender and receiver information.

  • Cross-Chain Swaps: Moving assets across multiple blockchains to evade tracking.

Despite these techniques, law enforcement agencies have successfully traced and seized stolen funds in numerous cases, such as the Colonial Pipeline Bitcoin ransom recovery and the U.S. Treasury's intervention in the Ronin Network hack.
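To make the tracing idea concrete, here is an added example, not code from the article, from Chainalysis or from Elliptic, of the simplest form of forensic analysis on a public ledger: follow every outgoing transfer from the theft address, mark each recipient as tainted, and stop a branch when it reaches an address the analyst has already labelled. A labelled exchange deposit address is where a freeze request can succeed; a labelled mixer is where the on-chain link is broken. The ledger, the address names and the labels are all constructed for the example, and the "any tainted input taints the whole recipient" rule is a deliberate simplification of the attribution heuristics real tooling uses.

```go
package main

import "fmt"

// Transfer is one on-chain movement of value, as a public ledger records it.
type Transfer struct {
	TxID   string
	From   string
	To     string
	Amount float64
}

// Label marks addresses an analyst has already attributed.
type Label string

const (
	LabelMixer    Label = "mixer"            // outputs cannot be linked to inputs
	LabelExchange Label = "exchange-deposit" // custodial: funds can be frozen here
)

// TraceReport is what following the stolen funds produces.
type TraceReport struct {
	Tainted   map[string]float64 // address -> value received along a tainted path
	Freezable []string           // tx ids that landed at a custodial exchange
	LinkLost  []string           // tx ids that entered a mixer
}

// TraceStolenFunds walks outgoing transfers from the theft address breadth first,
// marking every recipient as tainted. Reaching a custodial exchange or a mixer
// ends that branch: the first because recovery is possible there, the second
// because the on-chain link is broken. Attribution is "poison" taint: any
// tainted input taints the whole recipient (a simplification for the demo).
func TraceStolenFunds(ledger []Transfer, origin string, labels map[string]Label) TraceReport {
	outgoing := make(map[string][]Transfer)
	for _, t := range ledger {
		outgoing[t.From] = append(outgoing[t.From], t)
	}
	report := TraceReport{Tainted: map[string]float64{}}
	visited := map[string]bool{origin: true} // guards against cycles in the ledger
	queue := []string{origin}
	for len(queue) > 0 {
		addr := queue[0]
		queue = queue[1:]
		for _, t := range outgoing[addr] {
			report.Tainted[t.To] += t.Amount
			switch labels[t.To] {
			case LabelExchange:
				report.Freezable = append(report.Freezable, t.TxID)
			case LabelMixer:
				report.LinkLost = append(report.LinkLost, t.TxID)
			default:
				if !visited[t.To] {
					visited[t.To] = true
					queue = append(queue, t.To)
				}
			}
		}
	}
	return report
}

// DemoLedger is a constructed set of transfers standing in for public ledger
// data; every address and tx id here is made up for the example.
var DemoLedger = []Transfer{
	{"tx1", "thief", "hop1", 1000},
	{"tx2", "hop1", "hop2", 600},
	{"tx3", "hop1", "mixerA", 400},
	{"tx4", "hop2", "exchDepositX", 500},
	{"tx5", "hop2", "hop3", 100},
	{"tx6", "mixerA", "cleanZ", 395},        // mixer output: not linkable to tx3
	{"tx7", "unrelated1", "unrelated2", 50}, // never touched by the theft
}

// DemoLabels is the analyst's (constructed) attribution of known addresses.
var DemoLabels = map[string]Label{
	"mixerA":       LabelMixer,
	"exchDepositX": LabelExchange,
}

func main() {
	r := TraceStolenFunds(DemoLedger, "thief", DemoLabels)
	fmt.Println("tainted:", r.Tainted)
	fmt.Println("freezable:", r.Freezable, "link lost at:", r.LinkLost)
}
```

On the demo ledger the trace reaches five addresses, flags tx4 as the point where an exchange could freeze 500 units, and stops at tx3 because the 400 units that entered the mixer can no longer be linked to what comes out of it; unrelated activity on the same ledger is never marked. The same walk extended across chains is what makes cross-chain swaps harder to follow: the analyst needs a reliable mapping between the outgoing transfer on one chain and the incoming one on the next before the queue can continue.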

Can Stolen Crypto Be Recovered?

Recovering stolen cryptocurrency is difficult but possible. Unlike traditional assets, crypto operates on decentralized networks, making fraud reversal challenging. Recovery depends on factors such as law enforcement involvement, laundering techniques, and exchange intervention to freeze stolen funds before withdrawal.

Centralized exchanges play a key role in fund recovery through KYC and AML policies, flagging and freezing stolen assets before cashing out. However, once funds are laundered through DEXs, privacy coins, or cross-chain swaps, tracing them becomes more difficult. 

Disclaimer: This material is for information purposes only and does not constitute financial advice. Flipster makes no recommendations or guarantees in respect of any digital asset, product, or service. Trading digital assets and digital asset derivatives comes with a significant risk of loss due to its high price volatility, and is not suitable for all investors. Please refer to our Terms.