Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 066 · Private Key Compromise

Bitmart Hot Wallet Drain

Single private-key compromise drained $196M from two Bitmart hot wallets on Ethereum and BNB Chain; CEO Sheldon Xia compensated users from reserves.

Date
Victim
Bitmart
Status
Funds Stolen

On December 4, 2021, the cryptocurrency exchange Bitmart detected unauthorised activity in two of its hot wallets. By the time the wallets were drained, $196 million had moved — roughly $100M from Ethereum and $96M from BNB Chain — in a single coordinated sweep across more than 20 different tokens.

What happened

Bitmart CEO Sheldon Xia later confirmed publicly that the breach was caused by a stolen private key controlling both affected hot wallets. The compromise vector — whether endpoint malware, insider access, or supply-chain — was not publicly disclosed.

The attacker's behaviour was textbook: a single signing authority granted access to wallets on two chains; the attacker drained both simultaneously, then routed the proceeds through the 1inch DEX aggregator to swap dozens of long-tail tokens into ETH, before sending the consolidated proceeds to Tornado Cash for mixing.

Affected tokens included BNB, SafeMoon, Shiba Inu and many other ERC-20s and BEP-20s, worth nearly $100M on each of the two affected chains at the time.

Aftermath

  • Bitmart paused withdrawals the same day and used corporate reserves to reimburse affected customers.
  • Withdrawals were restored over the following week as Bitmart rotated keys and audited wallet infrastructure.
  • The stolen funds were laundered through Tornado Cash; no public recoveries.

Why it matters

Bitmart is one of the cleanest examples of a problem that recurred at half a dozen mid-tier exchanges through 2024-2025 (BingX, Phemex, Indodax, BtcTurk): a single hot-wallet key with cross-chain signing authority is a single point of catastrophic failure. Per-chain key segregation and withdrawal-velocity circuit breakers are now table stakes — but they weren't in 2021, and the lesson cost $196M to learn the first time.
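The two controls named above, sketched as an added example (not Bitmart's or any exchange's code): a sliding-window withdrawal-velocity breaker per chain, sitting in front of per-chain signing keys. The class names, thresholds, the token-breadth limit and the halt-every-chain-on-trip policy are assumptions, and the sample sweep is constructed.

```python
from collections import deque

class ChainBreaker:
    """Sliding-window limiter for one chain's hot wallet (illustrative; thresholds assumed)."""
    def __init__(self, max_usd, max_assets, window_s=3600):
        self.max_usd, self.max_assets, self.window_s = max_usd, max_assets, window_s
        self.events = deque()   # (timestamp, token, usd) of withdrawals already signed
        self.tripped = False

    def authorize(self, ts, token, usd):
        if self.tripped:
            return False                      # stays open until a human resets it
        while self.events and self.events[0][0] <= ts - self.window_s:
            self.events.popleft()             # forget withdrawals outside the window
        total = usd + sum(e[2] for e in self.events)
        assets = {token} | {e[1] for e in self.events}
        if total > self.max_usd or len(assets) > self.max_assets:
            self.tripped = True               # velocity or token-breadth limit exceeded
            return False
        self.events.append((ts, token, usd))
        return True

class SignerGate:
    """One breaker per chain in front of per-chain keys; a trip on one chain halts all."""
    def __init__(self, limits):
        self.breakers = {chain: ChainBreaker(**kw) for chain, kw in limits.items()}

    @property
    def halted(self):
        return any(b.tripped for b in self.breakers.values())

    def authorize(self, chain, ts, token, usd):
        return not self.halted and self.breakers[chain].authorize(ts, token, usd)

def replay(gate, withdrawals):
    """Return the total USD the gate would have signed for a withdrawal sequence."""
    return sum(usd for chain, ts, token, usd in withdrawals
               if gate.authorize(chain, ts, token, usd))

# Constructed sample: a sweep of 25 tokens per chain, $4M each, one request per second.
LIMITS = {"ethereum": {"max_usd": 5_000_000, "max_assets": 5},
          "bnb": {"max_usd": 5_000_000, "max_assets": 5}}
SWEEP = [(chain, float(i), f"TOKEN{i}", 4_000_000.0)
         for i in range(25) for chain in ("ethereum", "bnb")]

if __name__ == "__main__":
    gate = SignerGate(LIMITS)
    print(replay(gate, SWEEP), gate.halted)
```

Replaying the constructed $200M sweep, the gate signs one withdrawal per chain and then halts both; the token-breadth limit catches a many-token sweep even when each individual transfer is small.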

Sources & on-chain evidence

  1. coindesk.com: https://www.coindesk.com/business/2021/12/05/crypto-exchange-bitmart-hacked-with-losses-estimated-at-196-million
  2. cnbc.com: https://www.cnbc.com/2021/12/05/hackers-take-196-million-from-crypto-exchange-bitmart-in-large-breach.html
  3. coindesk.com: https://www.coindesk.com/tech/2021/12/06/bitmart-ceo-says-stolen-private-key-behind-196m-hack
