5 Biggest Wallet Hacks in History

Key Takeaways

  • Wallet hacks happen when hackers gain access to private keys or exploit contract weaknesses, bypassing wallet security infrastructure to drain large sums undetected.
  • Hot wallets are frequent targets since they stay online. Weak server protections or stolen credentials often lead to massive, rapid asset losses.
  • Even self-custody wallets can be compromised when attackers tamper with software updates or trick users into revealing their recovery phrases.
  • Cold wallets offer stronger protection by keeping keys offline. They are harder to breach if combined with proper usage, audits, and secure backups.

Owning cryptocurrency means using a crypto wallet, but not all wallets offer equal levels of protection. These digital vaults hold assets like Bitcoin and Ethereum, making them prime cyberattack targets. Over the years, several high-profile hacks have exposed vulnerabilities in wallet security, leading to substantial financial losses. In fact, in 2024, a record $2.2 billion was lost to crypto-related hacks. Understanding these incidents can help you make informed decisions about securing your own digital assets.

In this article, we’ll look at five wallet hacks, what went wrong, and how you can avoid similar risks.

5 Biggest Crypto Wallet Hacks

| Wallet | Year | Attack Vector | Value Lost |
| --- | --- | --- | --- |
| Bybit | 2025 | Cold wallet compromise | $1.5B |
| WazirX | 2024 | Smart contract manipulation | $235M |
| KuCoin | 2020 | Hot wallet private key theft | $281M |
| BitGrail | 2018 | Hot wallet vulnerability | $170M |
| Atomic Wallet | 2023 | Phishing and malware | $100M |

Bybit – Loss of $1.5 billion

Approximately $1.5 billion evaporated from Bybit’s hot wallet in February 2025 when attackers seized private keys and emptied its Ethereum reserves. Bybit is one of the largest custodial exchanges worldwide, serving over 60 million customers who trust the platform to hold their funds in a mix of hot and cold wallets. Users interact through an app or browser, while Bybit stores most assets offline in cold wallets, reserving a fraction in hot wallets for daily withdrawals.

During the hacking period, the platform’s monitoring tools flagged unusual withdrawals from a single Ethereum hot wallet. Millions streamed out to addresses linked to North Korea’s Lazarus Group within minutes. The FBI later confirmed that hackers had compromised a private key, granting them full control of the hot wallet (Reuters). Once inside, they moved funds through multiple chains—Ethereum, Binance Smart Chain, and Polygon—obscuring the trail.

Bybit’s security model relies on strict compartmentalisation: cold wallets sit in hardware security modules (HSMs) offline, while hot wallets use multi-signature controls and automated alarms. Here, the breach occurred because an attacker extracted a private key from an HSM-backed wallet. That key should never have left the module’s secure enclave. Somehow, malware or an insider enabled extraction, bypassing all automated checks.

Automated scripts tried to halt transactions when withdrawals began, but engineers could not freeze the outgoing transfers in time. On-chain analytics later showed that hackers funnelled the loot through dozens of intermediary wallets before swapping into stablecoins and Bitcoin, a tactic that complicates recovery.

This hack is the largest to date. It demonstrates that even industry giants can suffer crippling losses if private keys escape their vaults. For traders and exchanges, the lesson is clear: zero-trust policies around key access, rigorous code audits, and enhanced insider-threat monitoring must never slip because once a key is out, funds follow almost instantly.

WazirX – Loss of $234 million

Around $234 million was drained from WazirX’s cold multisig wallet in July 2024 when hackers slipped in through a smart contract loophole. WazirX, India’s largest exchange, stored most funds offline in a multi-signature contract administered by a custodial partner called Liminal. Traders’ deposits went into this cold wallet, requiring multiple approvals before any transfer.

Attackers created a fake deposit account and triggered a signed transaction, replacing the legitimate multisig “payload” with hacker-controlled parameters. Although the user interface displayed normal balances, the underlying smart contract accepted the malicious transaction, granting the thieves sole authority to move funds. In minutes, the full balance streamed out of WazirX’s cold wallet to external addresses.

International investigators quickly linked the breach to North Korea’s Lazarus Group. Blockchain forensics showed the same laundering techniques used in other Lazarus attacks: shifting assets across multiple chains, swapping coins for privacy tokens, and routing through dozens of intermediary wallets to obscure origins.

WazirX immediately suspended trading and began coordinating with law enforcement. Yet the exploit exposed a critical flaw: a trusted UI did not always reflect the actual smart-contract logic. The attack subverted one of the strongest custody models, multisig, by injecting code that convinced the contract to accept forged signatures.

Following the hack, WazirX overhauled its security, adding on-chain verification tools that cross-check UI-driven approvals against raw contract data. The case shows that even multisig setups can be hijacked if not verified at the smart contract layer.
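
The cross-check described above, as an added example (not WazirX's or Liminal's tooling): a signer-side gate that decodes the raw transaction bytes and refuses to sign when they differ from what the interface displayed. It assumes the approval is a plain ERC-20 `transfer(address,uint256)` call; the function names, addresses and amounts are constructed for illustration.

```python
from dataclasses import dataclass

# Function selector of ERC-20 transfer(address,uint256): first 4 bytes of calldata.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")

@dataclass(frozen=True)
class DisplayedIntent:
    """What the approval UI showed the signer (hypothetical structure)."""
    token: str       # token contract the UI says will be called
    recipient: str   # destination address shown on screen
    amount: int      # amount in the token's smallest unit

def encode_transfer(recipient, amount):
    """Build transfer() calldata; used here only to construct sample input."""
    addr = bytes.fromhex(recipient[2:])
    return TRANSFER_SELECTOR + addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")

def check_before_signing(intent, tx_to, calldata):
    """Return the mismatches between the UI and the raw transaction.
    An empty list means the bytes match what the signer was shown."""
    problems = []
    if tx_to.lower() != intent.token.lower():
        problems.append(f"target contract {tx_to} != displayed {intent.token}")
    if len(calldata) != 68 or calldata[:4] != TRANSFER_SELECTOR:
        # Fail closed: anything other than exactly transfer() is refused.
        problems.append("calldata is not a plain transfer() call")
        return problems
    if any(calldata[4:16]):
        problems.append("non-zero padding in address word")
    recipient = "0x" + calldata[16:36].hex()
    amount = int.from_bytes(calldata[36:68], "big")
    if recipient != intent.recipient.lower():
        problems.append(f"recipient {recipient} != displayed {intent.recipient}")
    if amount != intent.amount:
        problems.append(f"amount {amount} != displayed {intent.amount}")
    return problems

# Constructed sample data (not real addresses).
TOKEN = "0x" + "11" * 20
TREASURY = "0x" + "22" * 20
OTHER = "0x" + "33" * 20
shown = DisplayedIntent(token=TOKEN, recipient=TREASURY, amount=5_000_000)

if __name__ == "__main__":
    print(check_before_signing(shown, TOKEN, encode_transfer(TREASURY, 5_000_000)))
    print(check_before_signing(shown, TOKEN, encode_transfer(OTHER, 5_000_000)))
```

The check only helps if it runs on a device independent of the interface that rendered the approval, so that both cannot be altered together.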

KuCoin – Loss of $275 million

On 25 September 2020, cybercriminals stole $275 million from KuCoin’s hot wallets. KuCoin, a Seychelles-based exchange, held some user assets in hot wallets to facilitate withdrawals, while the rest sat in cold storage.

Hackers breached the hot-wallet private keys, then authorised transfers of Bitcoin, Ethereum, and dozens of ERC-20 tokens to addresses they controlled. Chainalysis tracked the exfiltration, linking the breach to North Korea’s Lazarus Group via transaction patterns and known laundering addresses. KuCoin’s own report confirmed that hackers accessed private keys stored on a compromised server.

Against the odds, KuCoin recovered 84% of the stolen funds. They collaborated with other exchanges, freezing assets when hackers tried to cash out, and worked with law enforcement to seize wallets through judicial processes.

KuCoin’s security protocol had called for strict isolation of servers holding private keys, but attackers gained entry via a compromised API key and weak endpoint security. Once inside, they moved laterally across the network until they reached critical key management systems. Because the hot wallet cluster lacked real-time anomaly detection, unusual withdrawals did not trigger automatic shutdowns.

In response, KuCoin implemented enhanced threat monitoring, segmented network architecture, and multi-factor authentication on all key-management processes. This breach underlines that even well-funded exchanges can be caught off guard without continuous endpoint defence and rapid incident response drills.
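
One way to build the control that was missing, as an added example (not KuCoin's system): a sliding-window outflow limit that stops approving hot-wallet withdrawals once a burst exceeds policy. The class name, thresholds and event list are constructed for illustration, with amounts in arbitrary units.

```python
from collections import deque

class WithdrawalBreaker:
    """Sliding-window outflow limit for one hot wallet (hypothetical control).

    Trips when approved withdrawals inside `window_s` seconds would exceed
    `max_outflow`, or when one withdrawal exceeds `max_single`. Once tripped,
    every later request is refused until an operator builds a new breaker.
    """
    def __init__(self, window_s, max_outflow, max_single):
        self.window_s = window_s
        self.max_outflow = max_outflow
        self.max_single = max_single
        self.recent = deque()        # (timestamp, amount) of approved withdrawals
        self.total = 0               # sum of amounts currently in the window
        self.tripped_reason = None

    def request(self, ts, amount):
        """Return True if the withdrawal may be signed, False if blocked."""
        if self.tripped_reason:
            return False
        # Drop approvals that have aged out of the window.
        while self.recent and self.recent[0][0] <= ts - self.window_s:
            self.total -= self.recent.popleft()[1]
        if amount > self.max_single:
            self.tripped_reason = f"single withdrawal {amount} > {self.max_single}"
        elif self.total + amount > self.max_outflow:
            self.tripped_reason = f"window outflow {self.total + amount} > {self.max_outflow}"
        if self.tripped_reason:
            return False
        self.recent.append((ts, amount))
        self.total += amount
        return True

def replay(events, breaker):
    """Feed (timestamp, amount) events through the breaker; return decisions."""
    return [breaker.request(ts, amt) for ts, amt in events]

# Constructed events: normal traffic, then a burst of large withdrawals.
SAMPLE = [(0, 40), (120, 25), (900, 30), (1000, 400), (1005, 400), (1010, 400), (1015, 50)]

if __name__ == "__main__":
    b = WithdrawalBreaker(window_s=600, max_outflow=1000, max_single=500)
    print(replay(SAMPLE, b), b.tripped_reason)
```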

BitGrail – Loss of $170 million

In February 2018, about 17 million Nano tokens, worth roughly $170 million at the time, vanished from BitGrail’s wallets in Italy, leaving users stunned. BitGrail was a small exchange specialising in Nano, operating a custodial model where it held private keys on behalf of traders. Users logged in via web or mobile interface, then placed buy and sell orders that moved tokens from BitGrail’s wallets.

When the hack came to light, BitGrail’s founder, Francesco Firano, claimed hackers had executed unauthorised transfers. However, Italian authorities opened an inquiry and later alleged that Firano either orchestrated the disappearance or failed to secure the platform adequately. In court, prosecutors pointed to missing transaction logs and incomplete security protocols.

Investigators discovered that BitGrail relied on a single hot wallet for incoming trades. That wallet lacked multi-signature protection and had no cold-wallet reserve for emergency withdrawals. Attackers, or possibly an insider, exploited this single point of failure, emptying the hot wallet in multiple silent transactions late at night. Traders noticed missing balances the following morning, by which time Nano prices had spiked, magnifying the impact.

An Italian court held Firano fully accountable, ordering him to reimburse users. Yet, recoveries have been limited, and most victims remain out of pocket. The episode illustrates how a small exchange with minimal security checks can suffer devastating losses. Custodial wallets demand layers of defence: multi-sig approval, segregated hot and cold storage, and transparent audit trails, but BitGrail lacked each.

For today’s platforms, the warning is unmistakable: never let convenience override security. Even a niche exchange handling modest volumes needs robust, automated controls and external audits. Otherwise, funds can slip away when the lights go down before anyone realises.

Atomic Wallet – Loss of $100 million

Just over $100 million slipped away from Atomic Wallet users in June 2023 when a phishing or supply-chain attack tricked thousands into revealing private keys. Atomic Wallet is a non-custodial desktop and mobile application, meaning each user holds their own seed phrase and private keys.

In this incident, attackers distributed a malicious version of Atomic Wallet via a compromised update server or phishing link. When users installed the rogue update, it prompted them to enter their seed phrase, which the malware then transmitted to the hacker’s servers. Within hours, funds drained from approximately 4,100 addresses, each losing small to moderate sums that collectively totalled over $100 million.

Because Atomic Wallet keeps keys strictly on users’ devices, platform-wide hacks are rare. Here, the breach bypassed that protection by attacking the software delivery chain itself. The wallet’s auto-update feature installed unauthenticated code, and the team lacked an enforced code-signing policy for releases. As users rarely inspect update signatures, most did not suspect foul play.

After the hack surfaced, Atomic Wallet released a patched version with enforced code signing and urged users to migrate funds from any address created before June 2023. They also offered partial reimbursements from a reserve fund.
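
What enforced code signing means for an auto-updater, as an added example (not Atomic Wallet's code): the client installs an update only if a manifest signed by a key pinned inside the app verifies, the artifact's digest matches that manifest, and the version is newer. It assumes the third-party `cryptography` package is installed; the function names, keys and artifact bytes are constructed for illustration.

```python
import hashlib
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

def sign_release(key, version, artifact):
    """Vendor build pipeline: sign a manifest binding the version to the digest."""
    manifest = json.dumps(
        {"version": version, "sha256": hashlib.sha256(artifact).hexdigest()},
        sort_keys=True).encode()
    return manifest, key.sign(manifest)

def verify_update(pinned_pub, installed_version, manifest, signature, artifact):
    """Client updater: return 'install' or a rejection reason. Fails closed."""
    try:
        # The public key ships inside the app, not alongside the download.
        pinned_pub.verify(signature, manifest)
    except InvalidSignature:
        return "reject: manifest signature invalid"
    meta = json.loads(manifest)
    if hashlib.sha256(artifact).hexdigest() != meta["sha256"]:
        return "reject: artifact digest does not match signed manifest"
    new_version = tuple(int(p) for p in meta["version"].split("."))
    if new_version <= installed_version:
        return "reject: not newer than installed version"
    return "install"

# Constructed demo data: throwaway keys and placeholder artifact bytes.
VENDOR_KEY = Ed25519PrivateKey.generate()
PINNED_PUB = VENDOR_KEY.public_key()
UNTRUSTED_KEY = Ed25519PrivateKey.generate()   # a key the vendor never issued
GOOD = b"wallet-build-2.0.1"
MANIFEST, SIG = sign_release(VENDOR_KEY, "2.0.1", GOOD)

if __name__ == "__main__":
    print(verify_update(PINNED_PUB, (2, 0, 0), MANIFEST, SIG, GOOD))
    print(verify_update(PINNED_PUB, (2, 0, 0), MANIFEST, SIG, GOOD + b"!"))
    m2, s2 = sign_release(UNTRUSTED_KEY, "2.0.1", GOOD)
    print(verify_update(PINNED_PUB, (2, 0, 0), m2, s2, GOOD))
```

Because the signing key lives in the build pipeline rather than on the download server, an update host serving altered files cannot produce a manifest that passes this check.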

What’s the Safest Crypto Wallet?

Hardware (cold) wallets remain the strongest defence. These devices keep private keys completely offline, which shuts out most attacks. In fact, one analysis notes private-key or seed theft caused about 70% of stolen crypto in 2024. By contrast, hot wallets (software on phones or computers) and custodial accounts (exchanges) always expose keys to some online risk.

Prefer wallets that have been thoroughly tested and have a strong security track record, such as hardware wallets. Some models further isolate key generation through air-gapped systems and incorporate tamper-resistant features.

Software wallets are more convenient but must be used carefully. They rely on your phone or browser, exposing them to phishing links or malware. Custodial wallets (exchanges or custodial services) require trusting a third party; even big names like Coinbase or Kraken carry risk if the platform is breached or a rogue insider acts.

For most users, a good approach is to keep only small day-trading amounts in hot wallets and lock up long-term savings in a cold wallet. Always enable device passcodes and 2FA. Consider splitting funds across multiple wallets or multi-sig setups for extra resilience. Remember that no wallet can protect you if you expose your seed – never share it and back it up securely. The safest setup is one where your keys stay off the internet.

Closing Thoughts

The string of major wallet hacks offers a blunt reminder: digital assets are only as safe as the systems protecting them. Even platforms with strong reputations and substantial user bases have fallen victim to sophisticated attacks. No solution is invulnerable, and no amount of convenience is worth blind trust in flawed infrastructure.

For individuals holding crypto, the most effective defense is layered technical and behavioral security. Using cold storage, verifying software integrity, and protecting recovery phrases are minimum standards, not optional extras. Threats often exploit human error just as much as technical gaps.

Decentralized technology does not erase risk; it transfers responsibility. Ownership comes with the burden of vigilance. For those unwilling to treat that seriously, losses are not a matter of if, but when.
