Notable mentions

  1. Ronin Network – $620 million

    Ronin Network, the Ethereum-based sidechain for the crypto game Axie Infinity, lost over $620 million in ETH and USDC in March. The attacker “used hacked private keys to forge fake withdrawals” from the Ronin bridge contract in two transactions.

    The exploit, which occurred on March 23, was only discovered a week later, when a user was unable to withdraw 5,000 ether. In total, the hacker made off with 173,600 ETH and 25.5 million USDC, valued at more than $620 million at the time.

  2. Wormhole Bridge – $320 million

    On February 2nd, an individual succeeded in stealing more than $320 million in wrapped Ethereum from the Wormhole protocol, a widely used cross-chain crypto bridge that connects networks such as Solana, Ethereum, Avalanche, and others. The Wormhole protocol requires users to stake Ethereum in order to mint wrapped Ethereum, a type of cryptocurrency that is pegged to the value of Ethereum. Analytics company Elliptic has attributed the exploit to Wormhole's failure to validate "guardian" accounts, which allowed the attacker to mint 120,000 wETH without any Ethereum backing it. The attacker then converted 93,750 wETH into Ethereum and the remainder into Solana. The total value of the loss at the time was over $320 million.

  3. Wintermute hack – $160 million

    A security breach at Wintermute, a UK-based crypto market-maker, resulted in the unauthorized transfer of approximately $160 million across 70 tokens from the company's hot wallet. An investigation by blockchain cybersecurity firm CertiK revealed that the cause of the incident was a vulnerable private key that was likely generated by an app called Profanity, which allows users to create custom crypto addresses and has a known exploit. This vulnerability allowed the attacker to use a function with the private key to change the platform's swap contract to their own. Reports claiming that the hack was an "inside job" were dismissed by blockchain security firm BlockSec, which stated that the evidence was not convincing.
