Private Key Compromise attacks on BNB Chain

Likely private-key theft gave attackers control of GANA Payment's BSC contract; they manipulated reward rates and drained $3.1M via the unstake function.

$90M+ drained from Iran's largest exchange by Predatory Sparrow, then burned to addresses tagged with anti-IRGC messages — a destruction-not-profit hack.

~$73M drained from Phemex hot wallets across 16 blockchains in a coordinated sweep — the first major exchange hack of 2025, with TTPs consistent with Lazarus.

DPRK-style multi-chain compromise swept $52M from BingX hot wallets across Ethereum, BNB Chain, Avalanche, Optimism and Polygon.

~$20M swept from Indonesia's largest crypto exchange across multiple chains in a coordinated hot-wallet compromise during 2024's run of exchange breaches.

Lazarus drained $54M from CoinEx hot wallets across Ethereum, Tron, BSC and seven other chains, reusing infrastructure from the prior week's Stake.com hit.

Stake.com lost $41M from hot wallets on Ethereum, BSC and Polygon in 90 minutes; the FBI formally attributed the heist to Lazarus and listed 40 addresses.

$125M drained from Multichain bridge contracts a month after CEO Zhaojun's arrest; the team had lost MPC key access and evidence pointed to an inside job.

A Lazarus operation targeted Atomic Wallet's software, not individual seeds, draining $100M+ from roughly 5,500 users and bypassing self-custody guarantees.

Stolen Ankr developer key let an attacker mint 60 trillion aBNBc, which Helio accepted as collateral to lend out $16M of HAY before Binance froze $3M.

A private-key compromise drained $10M from Dego Finance across Ethereum and BNB Chain, sweeping liquidity pools and user wallets with active token approvals.

Attacker drained $77.7M across 78 ERC-20 tokens from AscendEX hot wallets on Ethereum, BSC and Polygon, tied to a third-party hardware-level vulnerability.

Single private-key compromise drained $196M from two Bitmart hot wallets on Ethereum and BNB Chain; CEO Sheldon Xia compensated users from reserves.

An admin private-key compromise let the attacker withdraw $139M of pooled DEX liquidity from BXH on BSC, one of 2021's largest yet under-remembered losses.