The 10 largest crypto hacks and exploits of 2023

Quick Take

  • In 2023, the crypto industry faced challenges from hacks and protocol exploits, although there was a notable reduction in the year-on-year value of stolen funds.
  • The estimated amount stolen by hackers this year was $1.7 billion, a decrease of over 50% from the $4 billion recorded in 2022.
  • Several notable hacking incidents affected entities like Multichain, Euler Finance, Heco, Poloniex, Mixin, and Atomic Wallet.

The crypto industry has consistently encountered challenges from hacks and protocol exploits over the years.

This trend continued into 2023. There was, however, a sliver of good news: hack volumes fell year-on-year by over 50%.

The amount of cryptocurrency funds stolen by hackers this year was estimated at $1.7 billion, less than half of the $4 billion recorded in 2022, according to TRM Labs. Despite a decrease in overall losses, large sums of money were still stolen from individual projects.

The year witnessed several high-profile hacking incidents, impacting prominent entities such as Multichain, Euler Finance, Mixin Network, and Atomic Wallet.

Then in the month of November, three crypto projects associated with Tron founder Justin Sun — Poloniex, HTX, and Heco Bridge — lost over $200 million collectively in a series of exploits.

A recurring problem in many of these incidents involved private key exploits, which gave perpetrators access to user funds. Throughout the year, the North Korean hacking group Lazarus was implicated in multiple attacks, collectively resulting in losses exceeding $300 million.

The article delves into the biggest cryptocurrency thefts of the year, examining the impacted projects and factors that contributed to each attack.

Mixin Network — $200 million 

Mixin Network, a Hong Kong-based crypto project, was hit with the largest crypto exploit of the year.

On Sept. 23, the firm had to abruptly cease operations after hackers plundered a staggering $200 million from users’ hot wallets.

Mixin reported that "the database of its cloud service provider was attacked by hackers." While the firm provided no further explanation, analysts believe the impacted database may have held the private keys to users' accounts, the secret phrases unlocking their crypto holdings.

Euler Finance — $197 million

Few events captured the audacity and vulnerability of DeFi as vividly as the March 2023 exploit on lending protocol Euler. This is when $197 million worth of crypto vanished in a weird sleight of hand.

The culprit? A hacker who exploited a vulnerability on the lending protocol by manipulating the exchange rates between Euler-issued stablecoins: eDAI and dDAI. By repeatedly calling the "donateToReserves" function using DAI, the attacker was able to inflate the eDAI/dDAI rate.

They utilized a flash loan, a type of loan repaid within the same Ethereum transaction, to disrupt the balance of the liquidity pools holding the two tokens. This triggered liquidations of dDAI-denominated borrower positions to siphon funds from the protocol.

But the story doesn’t end there. In a later twist, dubbed a “white hat” move, the attacker returned the stolen funds. Nearly all of the loot, apart from a small bounty, trickled back to the team, providing relief for the victims.

Multichain — $125 million

In July, cross-chain bridge Multichain was reportedly exploited for $125 million in cryptocurrencies across different blockchains it supported, with the largest amount of funds taken on Fantom. This occurred right after the bridge was halted, with the team citing "multiple issues due to unforeseeable circumstances."

The exact cause of the hack remains unclear to date, as no conclusive post-mortem reports have been made available yet.

One likely explanation, according to security firm Halborn, is that the private keys of the bridge's smart contracts were compromised, with hackers exploiting bugs in its code.

Concerns have been raised that the team itself may have been responsible for the incident, a fear fueled by the disappearance of Multichain’s CEO Zhaojun right before the hack.

Prior to the event, he was arrested by Chinese authorities, and it was revealed that he had exclusive control over the protocol’s funds, contradicting Multichain’s earlier decentralization claims. The Multichain bridge is currently no longer operational.

Poloniex — $120 million

In November 2023, suspected North Korean Lazarus Group hackers siphoned a staggering $120 million from Poloniex's hot wallets, likely by gaining access to private keys.

The immediate fallout was predictable: trading and withdrawals halted. The exchange says it will reimburse affected users. Poloniex has operated as a centralized exchange since 2014. Tron founder Justin Sun acquired the exchange in 2019.

Atomic Wallet — $100 million

In June 2023, crypto wallet app Atomic had its user wallet accounts emptied. Hackers stole over $100 million worth of assets from roughly 5,500 users. The primary cause behind the incident remains unclear as Atomic has not yet provided an explanation.

It's suspected the exploit may have been caused by code vulnerabilities flagged by security analysts at Least Authority a year prior to the incident. Analysts at SlowMist also found potential issues.

On-chain analytics firm Elliptic, which tracked over 5,500 wallets targeted in the attack, said that the North Korean hacking association Lazarus Group was behind it.

In August, a group of victims in Russia filed a class action against the company behind Atomic for failing to protect user assets. A few months later, the firm replied with a motion to dismiss the lawsuit in a US court.

Heco Bridge, HTX — $99 million

In November, the primary cross-chain bridge on Heco — a blockchain set up by the HTX exchange — witnessed a large exploit. The perpetrator gained control over the bridge’s primary smart contract or operator account, resulting in the theft of over $86 million in various cryptocurrencies.

Initial analyses suggest that the intruder manipulated the smart contract code of the bridge and circumvented its security protocols. This manipulation allowed the hacker to mint unauthorized tokens (via the bridge contract), which were then exchanged for ether and subsequently transferred out of the bridge.

HTX (previously Huobi) also suffered a loss of $12 million from its hot wallet. Justin Sun, an advisor to HTX and founder of Tron, stated a white hat bounty reward was offered to the attacker. This offer was seemingly accepted — leading to the recovery of $8 million (of the $12 million stolen) by the platform. 

Curve — $73 million

July saw an attack on Curve Finance, one of DeFi's largest decentralized exchanges. Several liquidity pools on the platform were exploited due to a vulnerability in the Vyper programming language it had used, resulting in hackers stealing around $73 million in various crypto assets.

A security flaw allowed attackers to drain funds by exploiting the pools' smart contract logic. This involved a reentrancy attack, where the hacker manipulated smart contracts to withdraw funds in rapid succession.

A malfunctioning reentry guard within Vyper facilitated this attack. Projects built on top of Curve’s factory pools, including JPEG’d, Metronome, and Alchemix, were impacted.

The Curve team quickly patched the vulnerability and eventually ended up recovering about $50 million — 70% of the stolen funds — alleviating concerns for many users and stakeholders. Recovered funds were either directly given back by ethical hackers involved or saved with the assistance of operators of MEV bots, such as c0ffeebabe.eth.
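The guard failure described in the Curve section above, as an added example that is not from the article, Curve, or Vyper: a toy Python pool showing why a reentrancy lock must cover every state-changing entry point. The per-function lock is an assumed way for a guard to malfunction, and all names and amounts are constructed.

```python
# Added illustration: a toy pool in plain Python, not Curve or Vyper code.
# The per-function lock is an assumed example of a malfunctioning guard.

class Reentered(Exception):
    """Raised when a guarded function is entered while the lock is held."""

class Pool:
    def __init__(self, shared_lock):
        self.shared_lock = shared_lock  # True: one lock for the whole pool
        self.held = set()
        self.assets = 1000              # tokens held by the pool (constructed)
        self.shares = 1000              # LP shares outstanding (constructed)

    def _lock(self, fn):
        key = "pool" if self.shared_lock else fn  # per-function key = broken
        if key in self.held:
            raise Reentered(fn)
        self.held.add(key)
        return key

    def add_liquidity(self, amount):
        key = self._lock("add_liquidity")
        try:
            minted = amount * self.shares // self.assets  # pro-rata mint
            self.assets += amount
            self.shares += minted
            return minted
        finally:
            self.held.discard(key)

    def remove_liquidity(self, burn, receiver):
        key = self._lock("remove_liquidity")
        try:
            payout = burn * self.assets // self.shares
            self.assets -= payout
            receiver(payout)     # external call while state is half-updated
            self.shares -= burn  # share supply is corrected only afterwards
            return payout
        finally:
            self.held.discard(key)

def reenter_during_payout(shared_lock):
    """Shares minted by a deposit made inside the payout callback, or None
    if the guard rejects the nested call (a revert on a real chain)."""
    pool, minted = Pool(shared_lock), []
    try:
        pool.remove_liquidity(500, lambda p: minted.append(pool.add_liquidity(p)))
    except Reentered:
        return None
    return minted[0]
```

With the per-function lock the nested deposit is priced against a stale share supply and mints 1000 shares for 500 tokens; with the shared lock the nested call is rejected.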

CoinEx — $55 million

In September, Hong Kong-based centralized cryptocurrency exchange CoinEx reported a large hack. Hackers infiltrated the exchange’s hot wallets, designed for immediate transactional use, and absconded with over $55 million in various cryptocurrencies.

The North Korean group Lazarus was again suspected of involvement in this incident. Investigators identified a connection between the CoinEx hack and a separate theft at the betting platform Stake.com, which the US Federal Bureau of Investigation said was connected to the Lazarus hacking group. Analysis revealed that the wallet address which received the pilfered funds from Stake.com had direct interactions with the CoinEx hacker's wallet. 

KyberSwap — $54 million

Decentralized exchange (DEX) aggregator KyberSwap was exploited via an attack on its Elastic platform that siphoned off some $54 million in crypto.

The Nov. 22 exploit stemmed from a vulnerability in the tick interval boundaries of Kyber's concentrated liquidity pools, allowing the perpetrator to artificially double the liquidity and drain its value.

In a negotiation attempt, Kyber offered a 10% white hat bounty to the hacker in exchange for returning the funds. However, the hacker showed no interest in accepting the bounty and made other demands in a bizarre on-chain message, including asking the team for complete control over the project.

The team separately recovered $4.7 million in drained funds that were taken by third-party MEV bots.

Stake.com — $41 million

Crypto-based betting platform Stake.com fell victim to a likely private key exploit of its wallets. On Sept. 4, 2023, an estimated $41 million worth of cryptocurrencies was stolen from the platform.

The FBI attributed the attack to Lazarus in a report, based on its analysis of the addresses receiving stolen funds from Stake.com on Ethereum, BNB Chain and Polygon networks. 

Update: An unknown hacker exploited a cross-chain bridge called Orbit for $81 million on Dec. 31.



© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]

Editor

To contact the editor of this story:
Tim Copeland at
[email protected]