On September 25, 2020, Singapore-based exchange KuCoin detected unauthorised outflows from its hot wallets. Total losses settled at approximately $281 million across BTC, ETH and dozens of ERC-20 tokens — at the time the largest exchange hack since Coincheck.
What happened
KuCoin's CEO Johnny Lyu later confirmed that private keys controlling the affected hot wallets had been exposed. The exact compromise mechanism was not publicly disclosed, but Chainalysis later attributed the operation to Lazarus Group based on tactics, techniques and procedures (TTPs) that included the use of decentralised exchanges and DeFi mixing services to launder funds — a meaningful evolution from earlier Lazarus laundering routes, which relied on centralised mixers.
The attacker moved stolen tokens directly to attacker-controlled addresses and immediately began swapping them on Uniswap and other DEXs in volumes that briefly distorted on-chain prices for several smaller ERC-20s.
Aftermath
KuCoin's recovery was the most successful response to a major exchange hack on record:
- $222M (78%) was recovered through coordination with token issuers, who froze and reissued affected token supplies to make holders whole.
- $17.4M (6%) was recovered through cooperation with law enforcement and security firms that traced and seized stolen funds.
- The remaining ~$41.5M (~16%) was covered by KuCoin's insurance fund and corporate reserves.
By Lyu's own accounting in 2021, 100% of customer balances were restored.
Why it matters
KuCoin was the first major demonstration that the token-issuer freeze-and-reissue mechanism could work as a recovery tool. The issuers of many ERC-20 tokens — particularly those with admin keys — voluntarily froze the stolen supply and issued replacement tokens to KuCoin. This created the recovery playbook used in many smaller incidents since, but it also became a contested governance question: if a token can be frozen and reissued, it can also be censored.
Sources & on-chain evidence
- [01] chainalysis.com: https://www.chainalysis.com/blog/lazarus-group-kucoin-exchange-hack/
- [02] en.wikipedia.org: https://en.wikipedia.org/wiki/KuCoin
- [03] coindesk.com: https://www.coindesk.com/markets/2020/09/26/over-280m-drained-in-kucoin-crypto-exchange-hack