Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 162 · Private Key Compromise

Mixin Network Cloud Compromise

$200M drained from Mixin Network hot wallets after attackers compromised the cloud provider hosting Mixin's centralised database — an infrastructure wake-up.


In the early morning of September 23, 2023, the database of Mixin Network's cloud-service provider was breached. By the time Mixin paused operations later that day, attackers had drained approximately $200 million from the network's hot wallets — making it the largest crypto incident of 2023.

What happened

Mixin Network described itself as an "open and transparent decentralized ledger, collectively booked and maintained by 35 mainnet nodes." In practice, the system's user balances were tracked in a centralised database hosted with a single cloud-service provider, and the private keys controlling the hot wallets were accessible from infrastructure that provider hosted.

The attacker compromised the cloud provider — exact vector never publicly disclosed — gained read access to the relevant database, and from there obtained signing authority over Mixin's hot wallets across multiple chains. They then drained those wallets in a coordinated sweep.

The on-chain breakdown:

  • ~$95.3M in ETH (about 71% of Mixin's ETH holdings).
  • ~$23.7M in BTC (~9% of holdings).
  • ~$23.6M in USDT (~93% of holdings).

Aftermath

  • Mixin paused all deposits and withdrawals the same day.
  • Founder Feng Xiaodong announced the platform would absorb up to $20,000 per user in losses; affected users with larger balances would receive a mix of debt tokens and equity representing their claims.
  • No funds were publicly recovered.

Why it matters

Mixin Network is the canonical example of a system marketed as decentralised whose security perimeter was the cloud bill it paid every month. The 35-node "decentralised ledger" was real, but it operated on top of a centralised key-management system whose compromise was complete and instant.

The lesson — that operational decentralisation must extend to infrastructure dependencies, not just consensus — has driven the modern push toward enclave-based signing, threshold cryptography across truly independent operators, and the architectural separation of the signing path from the application path.
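As an added illustration (not code from Mixin or from this archive) of why splitting a key across independent operators blunts a single database read, the sketch below uses Shamir secret sharing with an assumed 3-of-5 split; the function names are hypothetical. It is a simplified stand-in: production threshold signing does not reassemble the key in one place.

```python
import secrets

P = 2**521 - 1  # Mersenne prime, larger than any 256-bit key

def split(secret, k, n):
    """Split secret into n shares (one per operator); any k recover it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]

def interpolate(points, x):
    """Lagrange-interpolate the polynomial through points, evaluated at x."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def combine(shares):
    """Recover the secret (the polynomial's value at x = 0)."""
    return interpolate(shares, 0)

def share_fitting_guess(stolen, guess, x_missing):
    """Given k-1 stolen shares, build the missing share that would make
    any guessed secret look valid: the stolen data rules nothing out."""
    return (x_missing, interpolate(stolen + [(0, guess)], x_missing))

if __name__ == "__main__":
    key = secrets.randbits(256)      # constructed stand-in for a hot-wallet key
    shares = split(key, k=3, n=5)    # assumed 3-of-5 across five operators
    assert combine([shares[0], shares[2], shares[4]]) == key
    stolen = shares[:2]              # attacker reads two operators' stores
    for guess in (1, 2**255):
        forged = share_fitting_guess(stolen, guess, 3)
        assert combine(stolen + [forged]) == guess
    print("3 shares recover the key; 2 shares fit every candidate key")
```

The guarantee only holds if the share stores do not sit behind one provider or one set of credentials, which is the dependency the paragraph above describes.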

Sources & on-chain evidence

  1. coindesk.com: https://www.coindesk.com/tech/2023/09/25/mixin-network-losses-nearly-200m-in-hack
  2. elliptic.co: https://www.elliptic.co/blog/mixin-network-hacked-for-200-million
  3. halborn.com: https://www.halborn.com/blog/post/explained-the-mixin-network-hack-september-2023
