Wasabi Protocol Deployer EOA Compromise
Wasabi Protocol's perp vaults across Ethereum, Base, Berachain and Blast lost $5M when a compromised deployer EOA with sole ADMIN_ROLE allowed UUPS upgrades.
An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.
Volo Protocol's Sui vaults lost $3.5M after social engineering compromised the admin key. The team froze $500K in 30 minutes and blocked a $2.1M WBTC bridge.
Resolv Labs lost $25M after attackers compromised its AWS KMS keys; a $100K USDC deposit minted 50M USR and depegged the stablecoin 74% in 17 minutes.
Step Finance lost 261,854 SOL ($27M) from treasury and fee wallets to a 'sophisticated' actor. STEP fell 96%; Step, SolanaFloor and Remora all shut down.
Likely private-key theft gave attackers control of GANA Payment's BSC contract; they manipulated reward rates and drained $3.1M via the unstake function.
SBI Crypto, SBI Holdings' mining arm, lost $24M across BTC, ETH, LTC, DOGE and BCH. Undetected for 7 days until ZachXBT flagged a pattern matching DPRK Lazarus.
UXLINK, a Web3 social protocol, lost roughly $41M after attackers compromised the project's multi-sig keys and exploited an unrestricted delegatecall path.
SwissBorg's SOL Earn lost $41.5M (193,000 SOL) via a compromised API at staking vendor Kiln. SwissBorg itself wasn't breached; the third-party infra was.
A hot-wallet compromise across 7 chains drained $48M from Turkish exchange BtcTurk, its second major hack in 14 months. Cold storage was untouched.
Attackers drained $44M from CoinDCX's internal liquidity account for partner-exchange reserves; the exchange absorbed the loss from treasury.
$90M+ drained from Iran's largest exchange by Predatory Sparrow, then burned to addresses tagged with anti-IRGC messages — a destruction-not-profit hack.
UPCX lost roughly $70M from its treasury after a compromised admin account on the open-source payments platform pushed a malicious smart-contract upgrade.
$8.4M drained from Zoth, an RWA restaking protocol, after its deployer/upgrade key was compromised and used to push a malicious proxy implementation.
$49.5M drained from Infini's Morpho MEVCapital USDC vault by the address that built the contract and quietly retained admin authority after launch.
~$73M drained from Phemex hot wallets across 16 blockchains in a coordinated sweep — the first major exchange hack of 2025, with TTPs consistent with Lazarus.
Moby Trade, an Arbitrum options protocol, lost ~$1M after a privileged key was compromised and used to rig option settlement. SEAL white-hats limited damage.
$13.7M drained from UAE-based M2 Exchange hot wallets across BTC, ETH and Solana; identified, contained and customer funds restored in just 16 minutes.
DPRK-style multi-chain compromise swept $52M from BingX hot wallets across Ethereum, BNB Chain, Avalanche, Optimism and Polygon.
DeltaPrime lost $6M on Arbitrum after a single private key was extracted; the team ran multi-sig on Avalanche but not Arbitrum. ZachXBT linked it to Lazarus.
~$20M swept from Indonesia's largest crypto exchange across multiple chains in a coordinated hot-wallet compromise during 2024's run of exchange breaches.
~$55M drained from BtcTurk's hot wallets, with Binance freezing roughly $5.3M of the stolen funds mid-flight — Turkey's largest exchange compromise to date.
$22M (158 BTC, 2,161 ETH, plus LTC/BCH) drained from Lykke in a private-key compromise the UK exchange tried to keep quiet; later attributed to Lazarus.
Attacker took over a dormant MINTER role to mint 5B GALA ($216M), sold $21.8M before being blacklisted; the remaining 4.4B tokens are effectively burned.
Grand Base, an RWA project on Base, lost $2M after its deployer key was compromised or abused; the attacker minted unlimited GB and drained the liquidity pool.
A stolen admin key let the attacker add themselves as a minter and produce 1.79B PLA across two strikes — nominal $290M, only $32M successfully cashed out.
Orange Finance on Arbitrum lost ~$844K after its admin key was compromised, used to alter strategy contracts and withdraw managed Uniswap v3 positions.
OKX DEX aggregator users lost $2.7M after a deprecated proxy-admin key was compromised, upgrading the contract to a malicious version that swept approvals.
Single-operator compromise drained $87M from HECO's cross-chain bridge plus $12M from HTX hot wallets, hitting both Justin Sun platforms in 24 hours.
$114M+ swept from Poloniex's Ethereum and Tron hot wallets after private keys were extracted from internal systems; Justin Sun pledged full reimbursement.
$200M drained from Mixin Network hot wallets after attackers compromised the cloud provider hosting Mixin's centralised database — an infrastructure wake-up.
$2.7M drained from P2P exchange Remitano's hot wallets in USDT, ANK, USDC and ETH via private-key compromise; TTPs consistent with Lazarus.
Lazarus drained $54M from CoinEx hot wallets across Ethereum, Tron, BSC and seven other chains, reusing infrastructure from the prior week's Stake.com hit.
Stake.com lost $41M from hot wallets on Ethereum, BSC and Polygon in 90 minutes; the FBI formally attributed the heist to Lazarus and listed 40 addresses.
$869K drained from RocketSwap on Base after a server breach yielded both the encrypted private keys and the automation script's decryption logic.
$1.14M drained from Steadefi on Arbitrum and Avalanche after a deployer private-key compromise let the attacker seize ownership of leveraged vaults.
A private-key compromise drained $60M from AlphaPo's hot wallets across Tron, Bitcoin and Ethereum. The FBI attributed the payment-processor breach to Lazarus.
$125M drained from Multichain bridge contracts a month after CEO Zhaojun's arrest; the team had lost MPC key access and evidence pointed to an inside job.
A Lazarus operation targeted Atomic Wallet's software, not individual seeds, draining $100M+ from roughly 5,500 users and bypassing self-custody guarantees.
A single signing-key compromise swept $23M in ETH, QNT, GALA, SHIB, HOT and MATIC from Bitrue's hot wallet, under 5% of exchange balances, before any pause.
An owner-key compromise added a fake collateral token to Defrost Finance on Avalanche, liquidating all positions for ~$12M. Most funds were returned to users.
$4.4M drained from Raydium's Solana liquidity pools after malware stole the pool-admin private key, then used admin functions to withdraw fees.
Stolen Ankr developer key let an attacker mint 60 trillion aBNBc, which Helio accepted as collateral to lend out $16M of HAY before Binance froze $3M.
Attacker drained $28M from Deribit BTC/ETH/USDC hot wallets; the largest crypto-options exchange covered it from its balance sheet, cold storage untouched.
Wintermute lost $160M from a hot wallet whose Profanity-generated vanity address used a 32-bit PRNG seed that let any 'random' key be brute-forced. They knew.
~9,231 Solana wallets lost $4.1M after Slope Wallet's app logged users' seed phrases in plain text to a Sentry server, traced back via on-chain forensics.
Validator private-key compromise drained 173,600 ETH and 25.5M USDC from the Ronin bridge — the largest crypto hack at the time.
A private-key compromise drained $10M from Dego Finance across Ethereum and BNB Chain, sweeping liquidity pools and user wallets with active token approvals.
148 Vulcan Forged user wallets lost 4.5M PYR ($140M) after attackers compromised Venly custody holding their private keys. Refunded in full from treasury.
Attacker drained $77.7M across 78 ERC-20 tokens from AscendEX hot wallets on Ethereum, BSC and Polygon, tied to a third-party hardware-level vulnerability.
Single private-key compromise drained $196M from two Bitmart hot wallets on Ethereum and BNB Chain; CEO Sheldon Xia compensated users from reserves.
An admin private-key compromise let the attacker withdraw $139M of pooled DEX liquidity from BXH on BSC, one of 2021's largest yet under-remembered losses.
~$97M drained from Japan-based Liquid Global's warm wallets across ETH, XRP, BTC and stablecoins; FTX extended a $120M emergency loan, then acquired it.
~$1.5M drained from Levyathan Finance on Fantom after the team's deployer key was leaked (reportedly to a public repo), letting an attacker mint unlimited LEV.
Compromised deployer key let an attacker mint ~373M BONDLY (~$5.9M) and dump into liquidity, collapsing the token before the team migrated contracts.
Attackers compromised the CEO's machine, pulled keys from his MetaMask admin wallet, then minted EASY and drained $80M+ from liquidity pools on Polygon.
$5.7M drained from Roll's hot wallet, collapsing dozens of independent 'social money' creator tokens at once via a single private-key compromise.
PAID Network had $27M+ minted after a compromised deployer key re-minted ~59M PAID; the attacker dumped ~2.5M for $3M before the team paused. PAID fell ~85%.
$281M drained from KuCoin hot wallets across BTC, ETH and ERC-20s — the third-largest exchange hack ever, a Lazarus operation; ~84% later recovered.
A wallet-infrastructure compromise swept ~$16M in ETH and ERC-20s from 76,000+ Cryptopia users, killing the New Zealand exchange and forcing a long bankruptcy.
523M XEM ($530M) drained from Japan's Coincheck, which stored its NEM reserves in one hot wallet with no multi-signature. Customers were reimbursed in yen.