Bitcoin — hacks & exploits

Solv Protocol's BRO vault lost $2.73M when an ERC-3525 double-mint bug let the attacker turn 135 BRO into ~567M BRO over 22 deposits, then swap for 38 SolvBTC.

SBI Crypto, SBI Holdings' mining arm, lost $24M across BTC, ETH, LTC, DOGE and BCH. Undetected for 7 days until ZachXBT flagged a pattern matching DPRK Lazarus.

Odin.fun, a Bitcoin memecoin launchpad, lost ~$7M when attackers manipulated bonding-curve liquidity accounting to drain BTC pools. Founder paused trading.

Attackers compromised BigONE's backend and rewrote risk-control logic to auto-approve any withdrawal, draining $27M from the hot wallet without exposing keys.

$90M+ drained from Iran's largest exchange by Predatory Sparrow, then burned to addresses tagged with anti-IRGC messages — a destruction-not-profit hack.

A self-listing verification flaw drained $8.37M (up to $16.2M with ALEX tokens) from ALEX Protocol on Stacks, the team's second major incident in 13 months.

~$73M drained from Phemex hot wallets across 16 blockchains in a coordinated sweep — the first major exchange hack of 2025, with TTPs consistent with Lazarus.

$13.7M drained from UAE-based M2 Exchange hot wallets across BTC, ETH and Solana; identified, contained and customer funds restored in just 16 minutes.

~$55M drained from BtcTurk's hot wallets, with Binance freezing roughly $5.3M of the stolen funds mid-flight — Turkey's largest exchange compromise to date.

$22M (158 BTC, 2,161 ETH, plus LTC/BCH) drained from Lykke in a private-key compromise the UK exchange tried to keep quiet; later attributed to Lazarus.

DPRK operatives compromised a developer at wallet vendor Ginco via a fake LinkedIn job offer, draining 4,502.9 BTC ($305M) from Japanese exchange DMM Bitcoin.

DPRK's Lazarus drained $4.3M from ALEX Lab's Stacks cross-chain bridge via a flaw in the bridge's verification logic, traced via on-chain laundering.

$114M+ swept from Poloniex's Ethereum and Tron hot wallets after private keys were extracted from internal systems; Justin Sun pledged full reimbursement.

$200M drained from Mixin Network hot wallets after attackers compromised the cloud provider hosting Mixin's centralised database — an infrastructure wake-up.

Lazarus drained $54M from CoinEx hot wallets across Ethereum, Tron, BSC and seven other chains, reusing infrastructure from the prior week's Stake.com hit.

A private-key compromise drained $60M from AlphaPo's hot wallets across Tron, Bitcoin and Ethereum. The FBI attributed the payment-processor breach to Lazarus.

A Lazarus operation targeted Atomic Wallet's software, not individual seeds, draining $100M+ from roughly 5,500 users and bypassing self-custody guarantees.

A breach of LastPass encrypted vault backups led to a multi-year drain of victims storing seed phrases there; losses grew from $35M to over $400M.

Attacker drained $28M from Deribit BTC/ETH/USDC hot wallets; the largest crypto-options exchange covered it from its balance sheet, cold storage untouched.

2FA-bypass exploit drained $34M from 483 Crypto.com accounts; attackers authorised transactions without the second factor ever prompting the user.

~$97M drained from Japan-based Liquid Global's warm wallets across ETH, XRP, BTC and stablecoins; FTX extended a $120M emergency loan, then acquired it.

$13M+ drained from THORChain across two attacks one week apart, both exploiting fake-deposit flaws in the Bifrost Ethereum bridge weeks into Chaosnet.

$281M drained from KuCoin hot wallets across BTC, ETH and ERC-20s — the third-largest exchange hack ever, a Lazarus operation; ~84% later recovered.

Canada's largest crypto exchange collapsed when its CEO 'died' in India holding sole access to ~$190M in customer funds; regulators later ruled it a Ponzi.

Hackers stole 119,754 BTC ($71M then, $9B+ at recovery) from Bitfinex multi-sig hot wallets, recovered six years later via DOJ wallet-file decryption.

The largest Bitcoin exchange of its era halted withdrawals and filed for bankruptcy, with 850,000 BTC missing — most of it stolen years earlier.