DeFi & exchange archive
A chronological record of major DeFi exploits, bridge hacks, oracle attacks, and centralized-exchange compromises from 2016 through 2026 — with loss amounts, attack vector, and outcome.
North Korea's Lazarus Group compromised a Safe{Wallet} signer's machine and tricked Bybit's cold-wallet signers into approving a malicious upgrade, draining ~401K ETH in the largest crypto theft ever recorded.
Attackers (linked to Lazarus Group) compromised WazirX's Liminal multi-sig and drained the exchange's hot wallet.
Japanese exchange DMM Bitcoin lost 4,502.9 BTC in an unauthorized withdrawal later attributed to North Korean actors.
Justin Sun-owned Poloniex saw its hot wallets drained across Ethereum, Tron and Bitcoin networks after a private-key compromise.
HTX (formerly Huobi) and the Heco cross-chain bridge were drained in coordinated exploits affecting hot wallets and bridge contracts.
A cloud-service provider used by Mixin was breached, exposing keys to the network's main deposit/withdrawal wallet.
A Vyper compiler bug broke the reentrancy locks in several Curve stablepools (alETH, msETH, pETH, CRV/ETH), enabling reentrancy drains.
A missing health check in the donateToReserves function allowed the attacker to push accounts into a self-liquidatable state and drain lending pools.
The attacker manipulated the Tellor oracle price feed for AllianceBlock's ALBT token to mint BEUR stablecoin against worthless collateral.
Avraham Eisenberg pumped the MNGO perp price on thin spot liquidity, used the inflated collateral to borrow out the treasury.
Attacker forged a fake Merkle proof in the Token Hub bridge and minted 2M BNB. Validators halted the chain mid-attack.
A misconfigured initialization let any address spoof valid messages. Once one wallet started draining, hundreds copy-pasted the exploit calldata — the first 'free-for-all' bridge hack.
Lazarus Group compromised two of five multi-sig signers (held with insufficient separation) and drained the bridge.
Attacker took a flash loan to obtain a supermajority of governance stalk and instantly executed a malicious proposal that sent the treasury to themselves.
Lazarus Group socially engineered a Sky Mavis engineer via a fake LinkedIn job offer, compromising 5 of 9 bridge validator keys and draining 173,600 ETH + 25.5M USDC.
Attacker forged signatures via a flawed signature-verification routine and minted 120K wETH on Solana without backing.
Hot-wallet private keys for BitMart's Ethereum and BNB Chain wallets were stolen and drained.
Attacker exploited a privileged cross-chain function (EthCrossChainManager) to mint and withdraw assets across Ethereum, BSC and Polygon.
Flash-loan attack manipulated the BUNNY/BNB pool, minting ~7M BUNNY and crashing the token from $146 to near zero.
A migration to v2.1 contained an off-by-one math error in the swap fee logic, letting the attacker drain pool reserves in a single swap.
Two back-to-back attacks pioneered the 'DeFi flash loan' playbook by manipulating oracle prices using uncollateralized loans from dYdX.
Coincheck's NEM hot wallet was drained of 523M XEM after attackers planted malware via spear-phishing on employee machines.
A reentrancy bug in the split-DAO function let the attacker recursively drain 3.6M ETH from the largest crowdfunded smart contract.
Our hardware wallet comparison ranks devices by Secure Element design, air-gap, open-source status and supply-chain practices.
See the full comparison →Loss figures use values reported at the time of each incident from Chainalysis, Rekt.news, Elliptic, TRM Labs, official post-mortems and major-outlet reporting. This page tracks publicly disclosed incidents and is not exhaustive.