Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 196 · Private Key Compromise

Lykke Exchange Collapse

$22M (158 BTC, 2,161 ETH, plus LTC/BCH) drained from Lykke in a private-key compromise the UK exchange tried to keep quiet; later attributed to Lazarus.

Victim: Lykke
Attribution: Lazarus Group (DPRK)

On June 4, 2024, the Switzerland-founded, UK-headquartered exchange Lykke suffered a private-key compromise that drained roughly $22 million across BTC, ETH, LTC and BCH. The exchange did not publicly disclose the breach for two days; the story broke when on-chain investigator SomaXBT posted the wallet movements to social media on June 6. Lykke wound down operations within months. The UK Treasury later attributed the attack to North Korea's Lazarus Group.

What happened

Lykke held customer reserves across hot wallets on multiple chains. On June 4, an attacker obtained signing authority over those wallets and executed coordinated outflows:

  • 158 BTC (~$11M)
  • 2,161 ETH (~$8M)
  • A mix of LTC and BCH (~$3M combined)

The compromise pattern — simultaneous multi-chain drain, no smart-contract bug, immediate cross-chain bridging into anonymising routes — matched Lazarus' standard CEX-focused playbook documented at Atomic Wallet, Stake.com, and later Phemex and Bybit.

The unusual feature of Lykke's case was the initial cover-up attempt: the exchange did not notify customers until June 6, two days after the breach, and only after on-chain investigators had publicly identified the unauthorised outflows. Multiple media outlets noted that Lykke's communication during the period had been actively misleading — users were told the platform was experiencing "technical difficulties" rather than a security incident.

Aftermath

  • Lykke halted trading on June 6 and did not resume normal operations.
  • The company shut down later in 2024, effectively winding up the business.
  • The UK Treasury formally attributed the attack to Lazarus Group in a sanctions-related disclosure approximately a year later.
  • No public recoveries from the attacker's wallets.

Why it matters

Lykke's incident illustrated two intersecting failures common at the small-to-mid-size CEX tier:

  1. Hot-wallet hygiene that does not match the operational profile of a serious adversary. Lazarus does not pick targets by size; it picks by ease of compromise. Lykke reportedly had minimal HSM-isolated signing infrastructure for an exchange of its size, making it a comparatively soft target.
  2. Disclosure failure as a secondary breach. Hiding a security incident from customers for 48 hours — while attackers were laundering the stolen funds — gives the attacker the maximum possible window to convert proceeds into untraceable forms. Rapid public disclosure is itself a defensive measure, both because it triggers exchange-coordinated freezes and because it activates community-led on-chain forensics.

Lykke is the smaller mirror of the larger 2024-2025 pattern: an under-equipped exchange, a well-resourced state-aligned attacker, a slow public response, and an eventual full shutdown.

Sources & on-chain evidence

  1. [01] dlnews.com: https://www.dlnews.com/articles/defi/little-known-crypto-exchange-suffers-22-million-dollar-hack/
  2. [02] cryptonews.com: https://cryptonews.com/news/british-exchange-lykke-loses-22-million-in-cyberattack/
  3. [03] ccn.com: https://www.ccn.com/news/technology/north-korea-lazarus-lykke-crypto-heist/
