Infographic: An Overview of Compromised Bitcoin Exchange Events
This infographic visualizes some of the most significant bitcoin exchange compromises (occurring through hacks, mismanagement, etc.) as if they all happened with a standard bitcoin price, to provide a better understanding of their relative magnitude.
The x-axis plots the price of bitcoin at the time of each compromise, while the y-axis plots the amount of BTC lost in each compromise. The size of each compromise circle also represents the amount of BTC lost without adjusting for the specific price at the time.
Below, we’ve included brief summaries of each compromise event pictured.
Date: June 2011 (then continuously until February 2014)
Amount Lost: 790,000+ BTC
In March 2014, Mt. Gox declared bankruptcy due to a series of hacks and thefts that went unreported for over three years, which were later documented by blockchain analyst Kim Nilsson. The final collapse resulted in a crash of bitcoin in 2014. Below is a summary of all meaningful hacks that occured:
On March 1, 2011, 80,000 BTC were stolen from Mt. Gox’s hot wallet, as thieves were able to make a copy of the wallet.dat file. In May 2011, hackers stole 300,000 BTC temporarily stored in an off-site wallet, which was on an unsecured, publicly accessible network drive. However, shortly after, the thieves got nervous and returned the stolen funds with a 1 percent (3,000 BTC) “keeper’s fee.” In June 2011, a hacker was able to get into Jed McCaleb’s administrator account and manipulate prices, temporarily crashing the market. After the ordeal was over, the hacker managed to steal 2,000 BTC.
In September 2011, a hacker was able to get read-write access to Mt. Gox’s database. The hacker created new accounts on the exchange, inflated user balances and was able to withdraw 77,500 BTC, after which they deleted most of the logs containing evidence of such transactions. In October 2011, a bug in Mark Karpelès’s new wallet software caused 2,609 BTC to be sent to an unspendable null key. The largest hack occurred by 2013, when a hacker was able to obtain a copy of Mt. Gox’s wallet.dat file and stole 630,000 BTC.
Date: July 27, 2011
Amount Lost: Approximately 17,000 BTC
During a server restart, the remote Amazon service that housed Bitomat.pl’s wallet was wiped. No backups were kept and Mt. Gox later bailed out Bitomat.pl. Ultimately, neither the exchange’s customers nor the original owners suffered any loss from the incident.
Date: October 2011
Amount Lost: 1,000 BTC
Eastern European hackers penetrated Bitcoin7’s servers, giving them direct access to Bitcoin7’s primary hot wallets.
Date: March 1, 2012
Amount Lost: 43,000 BTC (and then another 18,457 BTC)
Web hosting provider Linode’s servers were hacked, granting access to the bitcoin stored on pioneering exchange Bitcoinica. The incidents ultimately led to the demise of Bitcoinica.
Date: September 2012
Amount Lost: 24,000 BTC
BitFloor was compromised when a hacker was able to access unencrypted backups of the exchange’s wallets and transfer out the funds.
Date: May 2013
Amount Lost: 1,454 BTC
The jury’s still out on Vircurex — literally. Former users of the exchange are currently suing its operators after they mysteriously shuttered the company in 2013. Citing that they had been hacked and lost most of their funds, the exchange froze all accounts, filed for bankruptcy and closed down.
Date: November 2013
Amount Lost: 484 BTC
No, not Bcash; BitCash was an exchange located in the Czech Republic back in the day. This relatively small compromise was orchestrated via a phishing attack that gave the attackers access to individual accounts.
Date: March 4, 2014
Amount Lost: 97 BTC
In March 2014, Poloniex announced that it had been the victim of an attack due to a previously unknown vulnerability in its code. As a result, the exchange told all of its customers that it would have their account balances reduced by 12.3 percent.
Date: July 2014
Amount Lost: 13,000 BTC
In early 2016, Cryptsy collapsed following the July 2014 theft of 13,000 BTC (and 30,000 LTC) from customers’ wallets.
Date: October 2014
Amount Lost: 3,700 BTC
MintPal’s case has an air of true crime to it. The exchange announced that it had been hacked in October 2014 and was purchased soon after by upstart Moolah, which subsequently folded. MintPal accounts were locked, and one of Moolah’s operators, Ryan Kennedy, allegedly drained these accounts before being arrested by U.K. authorities on charges of rape. He is currently facing prosecution for the MintPal debacle, as well.
Date: January 2015
Amount Lost: 1,000 BTC
In the first month of 2015, hackers wormed their way into 796 Exchange’s servers. Thankfully, the exchange covered the losses.
Date: January 2015
Amount Lost: 19,000 BTC
Hackers were able to access Bitstamp’s hot wallet. As a result of the theft, Bitstamp began to keep 98 percent of its bitcoin in cold storage.
Date: February 2015
Amount Lost: 7,170 BTC
BTER supposedly had its cold wallet compromised in this hack, though community members were skeptical that this was the case, given the relative robustness of cold storage (which, it should be noted, is not impenetrable).
Date: February 2015
Amount Lost: 3,000 BTC
KipCoin was compromised after its server provider, Linode, was hacked. The result would be a month-long tussle to regain control over the exchange.
Date: May 2016
Amount Lost: 250 BTC
Hackers breached Gatecoin’s hot wallets to steal some $2 million in bitcoin and ether.
Date: August 2016
Amount Lost: 120,000 BTC
Attackers were able to exploit a vulnerability in the multisig wallet architecture of Bitfinex and blockchain security company BitGo.
Date: April 2017
Amount Lost: 3,800 BTC
Yapizon had its servers compromised and its hot wallets drained. Shortly after this episode, the exchange would rebrand to Youbit (only to be compromised two more times).
Date: April 2018
Amount Lost: 438 BTC
The details are murky surrounding this case, but this “hack” is believed to be an inside job orchestrated by the exchange’s chief security officer, who was arrestedafter the fact.
Date: September 2018
Amount Lost: 5,966 BTC
Zaif filed a case with Japanese police to solve this $60 million hack, but it has not disclosed to the public details of how the hack occurred.
Date: October 2018
Amount Lost: 913 BTC
This Canadian exchange announced that it had been hacked and that it was closing its doors at the tail end of 2018, but some believe that the whole thing looks, feels and smells like an exit scam.
Date: December 2018
Amount Lost: 26,350 BTC
The co-founder of QuadrigaCX died on December 9, 2018, allegedly as the only person with access to the exchange’s keys. Courtroom proceedings have revealed fund mismanagement and potential fraud on the part of the exchange.
Date: May 7, 2019
Amount Lost: 7,000 BTC
Through phishing, viruses and other techniques, hackers obtained a large number of Binance user API keys and 2FA codes, allowing them to withdraw 7,000 BTC in one transaction.
Date: July 12, 2019
Amount Lost: 1,225 BTC
Hackers compromised Bitpoint without its operators noticing until funds were already on the move. The exchange managed to corral some $2 million of these when they ended up on other exchanges and have promised to reimburse users.
This article was originally published in Bitcoin Magazine‘s 2019 print issue. It is periodically updated as exchange compromises occur.