Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 111 · Private Key Compromise

Deribit Hot Wallet Hack

Attacker drained $28M from Deribit BTC/ETH/USDC hot wallets; the largest crypto-options exchange covered it from its balance sheet, cold storage untouched.

Date
Victim
Deribit
Status
Funds Stolen

On November 1, 2022, Deribit, the world's largest crypto-options exchange, lost approximately $28 million when its BTC, ETH and USDC hot wallets were compromised. The attacker walked away with 691 BTC and 9,111.59 ETH in mixed assets. Deribit absorbed the loss from its balance sheet without touching the company's $40M insurance fund or any cold-storage customer assets.

What happened

Deribit had structured its custody on the standard 99/1 model: roughly 99% of customer funds in cold storage, and approximately 1% in hot wallets to service operational withdrawal demand. The hot wallets on BTC, ETH and USDC were compromised in a coordinated multi-chain drain.

The exchange did not publicly disclose the specific compromise vector — whether endpoint malware, internal credential theft, vendor compromise, or signing-infrastructure breach. The on-chain pattern was a coordinated sweep with immediate cross-chain conversion of stablecoins into ETH, matching standard private-key-compromise behaviour at multi-chain custodial operators.
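A withdrawal monitor can alarm on the pattern described above: several hot wallets each losing most of their balance to unknown destinations within minutes. The sketch below is an added example, not Deribit's code or anything taken from the cited sources; the balances, timestamps, thresholds and the allowlist flag are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: opening hot-wallet balances and outbound transfers.
# Amounts, timestamps and the "allowlisted" flag are illustrative assumptions.
OPENING = {"BTC": 700.0, "ETH": 9500.0, "USDC": 4_000_000.0}
TRANSFERS = [
    # (unix_ts, asset, amount, destination_is_allowlisted)
    (1000, "BTC", 2.5, True),            # routine customer withdrawals
    (1060, "ETH", 40.0, True),
    (5000, "BTC", 650.0, False),         # sweep to unknown addresses begins
    (5045, "ETH", 9000.0, False),
    (5110, "USDC", 3_900_000.0, False),
    (9000, "ETH", 15.0, True),
]

def detect_coordinated_drain(opening, transfers, window_s=600,
                             drain_frac=0.5, min_assets=2):
    """Return (window_start, {asset: fraction_drained}) for the first window
    in which at least `min_assets` hot wallets each lose >= `drain_frac` of
    their opening balance to non-allowlisted destinations, else None."""
    suspect = sorted(t for t in transfers if not t[3])
    for i, (start, *_rest) in enumerate(suspect):
        out = defaultdict(float)
        for ts, asset, amount, _ in suspect[i:]:
            if ts - start > window_s:
                break                    # past the correlation window
            out[asset] += amount
        drained = {a: v / opening[a] for a, v in out.items()
                   if v / opening[a] >= drain_frac}
        if len(drained) >= min_assets:
            return start, drained
    return None

if __name__ == "__main__":
    print(detect_coordinated_drain(OPENING, TRANSFERS))
```

A single wallet being emptied does not trip this rule; the signal is the correlation across assets, which is what lets a signer pause all hot wallets on the first alert rather than chain by chain.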

Aftermath

  • Deribit paused withdrawals within hours; deposits and trading remained available throughout.
  • The exchange announced, and it was verifiable on-chain, that client cold-storage assets were not affected.
  • The full $28M loss was covered by Deribit's own balance sheet, leaving the $40M insurance fund untouched for potential future incidents.
  • Withdrawals resumed within days after key rotation and infrastructure audit.

Why it matters

The Deribit incident is one of the best-managed exchange hacks on record from a customer-impact perspective. The cold/hot storage ratio worked as designed (99% untouched), the insurance fund worked as designed (uninvoked), and the corporate balance sheet absorbed the immediate loss without disruption to user trading or withdrawals.

The lesson is that the difference between a survivable hot-wallet breach and a fatal one is the architecture of custody, not the size of the loss. Deribit's $28M was a meaningful absolute number, but in context it was less than 1% of customer funds and well within the company's risk capital. Compare to:

  • Mt. Gox — single hot wallet with effectively all funds, no separation.
  • Bitmart — multi-chain hot wallets with much higher percentages of total reserves.
  • Phemex — hot wallets across 16 chains, all compromised at once.
  • Deribit — small percentage in hot wallets, absorbed without customer impact.

The choice of how much to hold hot is, in retrospect, the most important single decision an exchange makes about its custody architecture.

Sources & on-chain evidence

  1. coindesk.com: https://www.coindesk.com/business/2022/11/02/crypto-exchange-deribit-loses-28m-in-hot-wallet-hack
  2. bloomberg.com: https://www.bloomberg.com/news/articles/2022-11-02/crypto-derivative-exchange-deribit-lost-28-million-in-a-hot-wallet-hack
  3. quillaudits.medium.com: https://quillaudits.medium.com/deribit-28-million-hot-wallet-hack-analysis-quillaudits-1ae00c6b946d
