Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 006 · Private Key Compromise

Cryptopia Wallet Drain

A wallet-infrastructure compromise swept ~$16M in ETH and ERC-20s from 76,000+ Cryptopia users, killing the New Zealand exchange and forcing a long bankruptcy.

Date:
Victim: Cryptopia
Chain(s):
Status: Partially Recovered

On January 13, 2019, the New Zealand exchange Cryptopia detected unauthorized outflows from its two main hot wallets — one holding ETH, the other holding ERC-20 tokens. Subsequent forensic work by Elementus revealed the loss was not the $2.5M Cryptopia initially reported but approximately $16 million across more than 76,000 individual user wallets.

What happened

Cryptopia stored customer balances using per-user wallet derivation — each customer's deposits sat at a unique address controlled by Cryptopia's internal key-management infrastructure. The attacker compromised that infrastructure and obtained signing authority over the private keys for over 76,000 user-deposit addresses.

The drain was systematic. Rather than emptying a single hot wallet, the attacker swept thousands of individual addresses over a multi-day window, with a long tail of smaller draws after the initial spike. Elementus' on-chain analysis confirmed the total reached ~$16M in ETH and ERC-20 tokens, against Cryptopia's initial public estimate of $2.5M.
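
A defender-side illustration of the sweep pattern described above, added here and not taken from Cryptopia, Elementus or this archive: it flags any non-allowlisted destination that receives funds from several distinct deposit addresses within a short window, then keeps attributing later long-tail transfers to that destination. The addresses, the allowlist, the one-hour window and the threshold of three are assumptions, and the transfer records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_sweeps(transfers, deposit_addrs, allowlist,
                  window=timedelta(hours=1), threshold=3):
    """Map each suspicious destination to the deposit addresses drained into it.

    A destination is flagged once `threshold` distinct deposit addresses have
    paid it inside one `window`. After that, every further transfer from a
    deposit address to it is attributed too, however late it arrives.
    """
    recent = defaultdict(deque)   # destination -> (timestamp, source) pairs in window
    flagged = defaultdict(set)    # destination -> drained deposit addresses
    for ts, src, dst in sorted(transfers):
        # Only outflows from custody-controlled deposit addresses to
        # destinations outside the exchange's own wallets are of interest.
        if src not in deposit_addrs or dst in allowlist:
            continue
        if dst in flagged:
            flagged[dst].add(src)          # long tail after the initial spike
            continue
        q = recent[dst]
        q.append((ts, src))
        while ts - q[0][0] > window:       # expire entries older than the window
            q.popleft()
        sources = {s for _, s in q}
        if len(sources) >= threshold:
            flagged[dst] |= sources
    return dict(flagged)


# Constructed sample records (timestamp, from, to); not real on-chain data.
T0 = datetime(2024, 1, 1)
ALLOWLIST = {"0xHOT"}                              # assumed consolidation wallet
DEPOSIT_ADDRS = {f"dep{i}" for i in range(1, 7)}   # assumed per-user addresses
SAMPLE_TRANSFERS = [
    (T0, "dep1", "0xHOT"),                          # routine consolidation
    (T0 + timedelta(minutes=5), "dep2", "0xAAA"),
    (T0 + timedelta(minutes=10), "dep3", "0xAAA"),
    (T0 + timedelta(minutes=20), "dep4", "0xAAA"),  # third source: flagged
    (T0 + timedelta(minutes=30), "dep1", "0xBBB"),  # isolated, below threshold
    (T0 + timedelta(hours=3), "dep6", "0xBBB"),     # outside dep1's window
    (T0 + timedelta(minutes=40), "ext1", "0xAAA"),  # not a deposit address
    (T0 + timedelta(days=2), "dep5", "0xAAA"),      # long-tail draw
]

if __name__ == "__main__":
    for dst, drained in detect_sweeps(SAMPLE_TRANSFERS, DEPOSIT_ADDRS, ALLOWLIST).items():
        print(dst, sorted(drained))
```
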

Aftermath

  • Cryptopia paused operations on January 14, briefly reopened, then filed for bankruptcy protection in May 2019, citing the breach as the proximate cause.
  • The exchange was placed in liquidation under Grant Thornton, which spent more than five years tracing and recovering customer funds across wallets, mixers, and exchanges.
  • In December 2024, Grant Thornton announced it had distributed approximately NZ$400 million (~US$225M) in cryptocurrency to more than 10,000 verified account holders — far exceeding the original loss in nominal terms, reflecting both partial fund recovery and crypto's six-year price appreciation.

Why it matters

Cryptopia was a relatively small loss in absolute dollars, but it crystallised two operational risks for the early-2019 exchange industry:

  1. Per-user-address custody is not inherently safer than pooled custody — if the master key-management system is compromised, every derived address is compromised at once.
  2. Bankruptcy recoveries in crypto can take half a decade, and the value of recovered assets at the time of distribution may bear no resemblance to their value at the time of loss. Customers benefit from price appreciation; they pay the price in operational uncertainty and time.

The latter dynamic recurred at much larger scale at Mt. Gox and later FTX, where multi-year delays meant creditors received their distributions in cycles that had little to do with the original collapse.

Sources & on-chain evidence

  1. ccn.com: https://www.ccn.com/new-zealand-exchange-cryptopia-lost-16-million-in-hack-not-initially-reported-2-5-million-research/
  2. coindesk.com: https://www.coindesk.com/markets/2019/01/16/new-zealand-police-keeping-open-mind-on-cryptopia-hack/
  3. bravenewcoin.com: https://bravenewcoin.com/insights/cryptopia-hack-liquidators-distribute-225-million-in-crypto-to-victims
