14 - Historical Incidents

Hacks, collapses, exploits, frauds. Lessons from each case. Categories: protocol hacks, bridge hacks, exchange hacks/collapses, stablecoin failures, governance attacks, MEV, smart contract bugs.


1. Mt. Gox (2014)

**Pioneering exchange collapse.** Tokyo-based, ex-Magic: The Gathering cards trading site. Largest Bitcoin exchange from 2010-2014.

**February 2014:** announces loss of **850,000 BTC** (~US$ 450M at the time; ~US$ 50B+ in 2026).

  • Cause: combination of a malleability bug + progressive internal thefts over the years.
  • CEO **Mark Karpelès** arrested in 2015; released 2016, convicted 2019 (suspended sentence for falsifying records).
  • Judicial bankruptcy → conversion into civil proceedings.
  • **2024-2025:** 142k BTC distributed to creditors (17% recovery).
  • ~75k+ creditors waiting.

**Lesson:** custodial exchanges are single points of failure. The saying "Not your keys, not your coins" was born here.


2. The DAO Hack (Jun 2016)

**First major Ethereum hack.**

**The DAO:** decentralized investment fund on Ethereum, raised US$ 150M in ETH (crowdsale Apr 2016; 14% of all ETH then circulating).

**17 Jun 2016:** attacker exploits a **reentrancy bug** in the splitDAO function. Drains 3.6M ETH (US$ 60M).

**Response:**

  • 28-day "challenge period" inherent to the DAO contract.
  • Ethereum community votes for a hard fork to revert.
  • **20 Jul 2016:** hard fork executed. Majority adopts it.
  • Minority keeps the original chain → **Ethereum Classic (ETC)**.

**Attacker:** never formally identified; speculation about Toby Hoenisch (disputed).

**Lesson:**

  • Reentrancy = first major bug pattern in smart contracts.
  • **Checks-Effects-Interactions** pattern emerges.
  • Immutability vs governance: a permanent discussion.
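
Why ordering matters for reentrancy, shown as an added example (not code from The DAO or from this compendium): a Python model of a contract ledger in which the recipient's code runs during the payout. The `Vault` class, the `run` helper and the deposit amounts are constructed for illustration.

```python
# Added illustration: a Python model of contract state, not Solidity and not The DAO's code.
class Vault:
    def __init__(self, cei):
        self.cei = cei          # True = apply Checks-Effects-Interactions
        self.balances = {}      # internal accounting per depositor
        self.pool = 0           # value actually held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def _send(self, amount, receive_hook):
        self.pool -= amount     # value leaves the contract...
        receive_hook(amount)    # ...and control passes to the recipient's code

    def withdraw(self, who, receive_hook):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:      # Checks
            return
        if self.cei:
            self.balances[who] = 0                 # Effects first
            self._send(amount, receive_hook)       # Interaction last
        else:
            self._send(amount, receive_hook)       # Interaction first: callee may re-enter
            self.balances[who] = 0                 # Effect lands after the nested calls


def run(cei, reentries=3):
    """Return (paid_to_caller, pool_left, solvent) for constructed deposits."""
    vault = Vault(cei)
    vault.deposit("honest", 90)
    vault.deposit("caller", 10)
    paid = []

    def hook(amount):
        paid.append(amount)
        if len(paid) < reentries:                  # recipient calls withdraw again
            vault.withdraw("caller", hook)

    vault.withdraw("caller", hook)
    solvent = vault.pool >= sum(vault.balances.values())
    return sum(paid), vault.pool, solvent
```

The `solvent` flag is the invariant worth asserting in tests and monitoring: the value held must cover the sum of recorded balances, and only the Checks-Effects-Interactions ordering preserves it here.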

3. Bitfinex hack (Aug 2016)

**Exchange hack:** ~119,756 BTC stolen from the Bitfinex hot wallet.

  • Bitfinex issues **BFX tokens** (effectively IOUs); redeems them in ~8 months via revenue.
  • **2022:** DOJ seizes the remaining **94,000 BTC** (~US$ 3.6B at the time). Couple Ilya Lichtenstein + Heather Morgan ("Razzlekhan") arrested.
  • 2023: Lichtenstein pleads guilty; sentenced in 2024 to 5 years in prison.

**Lesson:** criminals can hold BTC for years, but on-chain tracing eventually catches up. Chainalysis maturity.


4. Parity Multisig hacks (2017)

Parity Wallet hack #1 (Jul 2017)

A bug in the wallet contract lets an attacker reset ownership. **150k ETH** drained (~US$ 30M).

Parity Wallet freeze (Nov 2017)

User "devops199" "accidentally" triggers kill() on the library contract. **513k ETH frozen forever** (~US$ 280M at the time).

Parity proposed **EIP-867** for recovery; the Ethereum community rejected it (post-DAO immutability principle).

**Lesson:** complex multisig wallets have attack surface. Standardization (Gnosis Safe / Safe) dominates after this.


5. Coincheck hack (Jan 2018)

Japanese exchange, US$ 530M in NEM stolen (hot wallet without multisig). Negligent hot wallet design.

Lesson: cold/hot wallet separation is critical. Japan tightened regulation after this.


6. QuadrigaCX (2019)

Canadian exchange collapses. CEO **Gerald Cotten** died in India (controversial suspicion). Without him, the crypto accounts were inaccessible (allegedly).

Investigation revealed: **Cotten was running a Ponzi** with customer funds; "frozen funds" was the excuse.

Loss: ~C$ 215M.

Documentary "Trust No One: The Hunt for the Crypto King" (Netflix 2022).


7. Plus Token Ponzi (2018-2019)

Chinese-South Korean Ponzi disguised as a "high-yield wallet". Stole ~US$ 5.7B in BTC, ETH, EOS.

Multiple operators arrested in China in 2020. Coins gradually moved to mixers + exchanges → suspected of driving BTC sell pressure in 2019.


8. KuCoin hack (Sep 2020)

Exchange hack: US$ 285M stolen. KuCoin recovers ~84% via partnerships + chain reorg requests + asset issuer help (token issuers froze drained tokens).

Lazarus suspected.


9. PolyNetwork hack (Aug 2021)

Cross-chain bridge. **US$ 611M** drained, the largest at the time.

Attacker: white-hat style. **Returned funds** within a week, communicating via tx messages.

PolyNetwork offered a chief security advisor role; declined.

**Lesson:** bridges are honeypots. Cross-chain message verification is hard.


10. Cream Finance hacks (2021)

3 hacks in 1 year:

  • Feb: US$ 37M (flash loan).
  • Aug: US$ 19M (flash loan exploitation Yearn integration).
  • Oct: US$ 130M (flash loan + price oracle manipulation).

Lição: flash loan vector consolidated as major DeFi threat.


11. Wormhole hack (Feb 2022)

Ethereum-Solana bridge. **US$ 320M** in wETH minted without backing because of a signature verification bug.

**Jump Trading** (parent of Wormhole/Jump Crypto) bailed it out, replenishing US$ 320M from its own treasury overnight.

Lesson: a rich backstop is rare; centralized recovery saves users but is not decentralized.


12. Ronin Bridge hack (Mar 2022)

**US$ 625M:** largest DeFi/bridge hack at the time.

Axie Infinity's Ronin sidechain bridge. 5 of 9 validator signatures required. **Sky Mavis** (Axie devs) ran 4; Axie DAO ran 1 backup (delegated to Sky Mavis temporarily after Nov 2021 load spike). Attacker compromised 4 Sky Mavis nodes via phishing (LinkedIn job lure → malware on senior engineer).

Drain: 173,600 ETH + 25.5M USDC.

**Lazarus** (N. Korea) attributed.

Sky Mavis raised US$ 150M led by Binance; partial recovery of users.

**Lesson:** 5/9 was not actually 5/9. Validator concentration risk. Phishing OPSEC is critical.
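
An audit check for the validator concentration described above, as an added example (not Ronin's or Sky Mavis's code): it counts how many distinct operators have to be breached to reach the signing threshold once delegations are applied. The key names and the four "Independent" operators are assumptions; the page only states who ran five of the nine keys.

```python
from collections import Counter


def effective_control(owners, delegations):
    """Map each validator key to whoever can actually sign with it."""
    return {key: delegations.get(key, owner) for key, owner in owners.items()}


def operators_to_breach(owners, delegations, threshold):
    """Smallest number of distinct operators whose keys reach `threshold`."""
    control = effective_control(owners, delegations)
    per_operator = Counter(control.values()).most_common()  # largest holders first
    signatures = 0
    for count, (_operator, keys) in enumerate(per_operator, start=1):
        signatures += keys
        if signatures >= threshold:
            return count
    return None  # threshold cannot be reached with the listed keys


# Constructed layout: 4 Sky Mavis keys and 1 Axie DAO key as described on this page;
# the remaining 4 operators are hypothetical placeholders.
RONIN_OWNERS = {f"sky-mavis-{i}": "Sky Mavis" for i in range(1, 5)}
RONIN_OWNERS["axie-dao"] = "Axie DAO"
RONIN_OWNERS.update({f"other-{i}": f"Independent {i}" for i in range(1, 5)})

# The temporary delegation that was still in place at the time of the hack.
RONIN_DELEGATIONS = {"axie-dao": "Sky Mavis"}

if __name__ == "__main__":
    print("with delegation:", operators_to_breach(RONIN_OWNERS, RONIN_DELEGATIONS, 5))
    print("delegation revoked:", operators_to_breach(RONIN_OWNERS, {}, 5))
```

A result of 1 means the nominal 5-of-9 threshold collapses to a single organization's security perimeter; revoking the stale delegation raises it to 2.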


13. Terra Luna / UST collapse (May 2022)

**Largest stablecoin failure ever:** US$ ~60B evaporated in 1 week.

Mechanics

**UST:** algorithmic stablecoin. Burn LUNA → mint US$1 of UST (and vice-versa). Maintenance via arbitrage.

**Anchor Protocol** paid ~20% APY on UST deposits (unsustainable; subsidized by Terraform Labs reserves).

Cascade (May 2022)

  • **7 May 2022:** large UST sell from 4pool on Curve. Slight depeg.
  • **-10 May:** panic → mass redemption.
  • Burn UST → mint LUNA: LUNA supply explodes from 350M to 6.5T in days.
  • Hyperinflation: LUNA price crashes 99.99%.
  • UST de-pegs to ~US$0.02.

**Total loss:** ~US$ 60B in market cap.

Aftermath

  • Do Kwon (founder) hides in Montenegro; arrested 2023; awaiting extradition.
  • South Korea seeking US$1B asset seizure.
  • US SEC charges Kwon + Terraform Labs (2023).
  • **Terra 2.0** (new LUNA, abandoned UST): minor adoption.
  • Trigger to Three Arrows Capital, Celsius, Voyager, BlockFi collapses.

**Lesson:** algorithmic stablecoins with reflexive collateral = ticking bomb. "It's not algorithmic, it's a Ponzi" (Sam Trabucco, others rebuked Kwon's defenders).


14. Three Arrows Capital (3AC) collapse (Jun 2022)

Hedge fund. **US$ 18B AUM at peak.** Massive leverage. Cascaded from Terra Luna loss.

  • Founders Su Zhu + Kyle Davies. Singapore-based.
  • Defaulted on US$ 3.5B+ creditor loans.
  • Filed bankruptcy Jun 2022.
  • Founders fled, hid for more than 1 year. Caught Aug 2023.

Cascaded: Voyager Digital bankruptcy (Jul 2022, exposure 3AC), BlockFi struggles.


15. Celsius Network collapse (Jul 2022)

**Crypto lender:** 1.7M users, US$ 25B AUM peak.

  • Promised high yields (~17% APY) via reckless DeFi exposure.
  • May 2022: rumours about exposure.
  • Jun 12: halts withdrawals.
  • Jul 13: files Chapter 11 bankruptcy.

**Alex Mashinsky** (CEO): arrested 2023; pleaded guilty fraud + commodities + market manipulation 2024; sentenced 2025 to 12 years.

Recovery: ~80% via judicial process distribution (BTC/ETH at time-of-bankruptcy prices, much lower than 2024-2025 recoveries would represent).


16. Voyager Digital (Jul 2022)

Exchange. Exposure 3AC ($650M unsecured loan). Bankruptcy.

FTX bid to acquire Voyager → fell through with FTX collapse. Coinbase acquired customer assets later.


17. FTX collapse (Nov 2022)

**Largest fraud in crypto history.** Second-largest exchange globally pre-collapse.

Background

  • **Sam Bankman-Fried (SBF)** founded 2019.
  • **Alameda Research:** SBF's trading firm (founded 2017).
  • FTX peak ~US$ 32B valuation (Jan 2022). Sponsorships: Tom Brady, Larry David, Stephen Curry, Miami Heat arena.
  • "Effective Altruism" public persona.

Collapse (Nov 2022)

  • **Nov 2:** CoinDesk article reveals Alameda balance sheet 40% FTT (FTX's own token). Reflexive value.
  • **Nov 6:** Binance CEO CZ announces selling FTT.
  • **Nov 8:** bank run on FTX. Halts withdrawals.
  • **Nov 11:** FTX, Alameda, ~130 affiliated entities file Chapter 11.
  • **Nov 11-12:** ~US$ 477M drained from FTX wallets ("the hack" or insider exit?).

Revelations

  • FTX had **commingled customer funds** with Alameda.
  • Alameda borrowed customer deposits (~US$ 8-10B) for speculative trades.
  • "Slush fund" code in FTX exchange backend hiding negative Alameda balance.
  • FTX had no risk team, no CFO, no proper governance.

Trials

  • **SBF arrested** in the Bahamas Dec 12, 2022. Extradited.
  • **Trial Oct-Nov 2023:** convicted 7 counts wire fraud, conspiracy, money laundering.
  • **Sentenced Mar 2024:** 25 years prison + US$ 11B forfeiture.
  • **Caroline Ellison** (Alameda CEO): cooperative; sentenced 2 years.
  • **Gary Wang** (FTX CTO): cooperative; sentenced ~0 years (time served + supervised).
  • **Nishad Singh** (FTX engineering): cooperative.
  • **Ryan Salame** (FTX co-CEO): 7.5 years.

Recovery

Surprisingly strong: ~119% on USD claim value (using Nov 2022 prices), boosted by BTC appreciation + recovered assets + tax overpayment refunds.

**Lesson:** trust verifiable proof-of-reserves; "celebrity CEO" doesn't replace due diligence; regulatory gaps exploitable.


18. BlockFi (Nov 2022)

Crypto lender. Exposed to FTX (Alameda loan default + FTX collateral seizure). Chapter 11.

Customer recovery ~50-100% depending on tier.


19. Genesis (Jan 2023)

Crypto prime broker. Exposure to 3AC + FTX. Bankruptcy. Major creditor to Gemini Earn → Gemini-Genesis dispute, eventual settlement.


20. Euler Finance hack (Mar 2023)

Lending protocol. **US$ 200M** drained via faulty liquidation function.

  • Donation function had insufficient health check.
  • Attacker leveraged → self-liquidated → recovered loss as "donor".

**White hat resolution:** attacker returned **all funds** after dialog with Euler team. Among the few major DeFi hacks fully recovered.


21. Curve Finance Vyper bug (Jul 2023)

Compiler bug (Vyper versions 0.2.15-0.3.0): improper reentrancy locks in certain pools.

Affected pools: CRV/ETH, alETH, msETH, pETH. **US$ 73M** drained.

White-hats recovered $25M; rest mixed recovery (half returned by hacker dialog, rest mixed).

**Lesson:** language compiler bugs can affect production. Curve recovered but ecosystem shook.


22. Multichain saga (Jul 2023)

Cross-chain bridge protocol. CEO **Zhaojun** disappeared (arrested by Chinese authorities). Without his keys, protocol can't operate. US$ 130M+ stuck/lost.

Lesson: centralized actors in "decentralized" bridges = catastrophic failure mode.


23. Stake.com hack (Sep 2023)

Crypto casino. Hot wallet compromised. US$ 41M.

Lazarus attributed.


24. KyberSwap hack (Nov 2023)

KyberSwap Elastic (concentrated liquidity AMM). US$ 47M drained via complex precision exploit.


25. Orbit Chain hack (Jan 2024)

Cross-chain bridge, Korea-based. US$ 82M.

Lazarus attributed.


26. Munchables (Mar 2024)

GameFi project on Blast. Insider attack: N. Korean dev hired as engineer accessed contracts. ~US$ 62M.

**Recovery:** insider returned funds after social pressure + identification.


27. WazirX hack (Jul 2024)

Indian exchange. **US$ 235M** drained from multisig wallet. Compromised signer keys.

Lazarus attributed (signature: Tornado Cash mixing patterns).

WazirX filing restructuring. Customers heavy losses; partial socialization plan controversial.


28. Bybit hack (Feb 2025)

**Largest exchange hack ever:** **US$ 1.5B** (~400k ETH) drained from cold wallet.

  • Lazarus Group (N. Korea, official US/UK attribution).
  • Method: compromised UI of multisig signing tool (Safe.global / smart contract wallets); signers approved malicious tx thinking it was routine.
  • Bybit operationally solvent — uses own treasury + loans + sells assets to backfill.
  • Industry response: tightened cold wallet signing UX, hardware-level verification standards.

29. Other notable 2024-2025 hacks (not exhaustive)

| Date | Target | Loss |
|---|---|---|
| Jan 2024 | Cronos PlayDapp | US$ 290M |
| Mar 2024 | Curio Network | US$ 16M |
| May 2024 | Gala Games | US$ 200M (recovered) |
| Jul 2024 | Compound Finance | US$ 24M (recovered via vote) |
| Sep 2024 | Penpie | US$ 27M |
| Mar 2025 | Hyperliquid JELLY | ~US$ 13M (gov vault auto-liquidation forced exception) |
| Apr 2025 | DEXX | US$ 21M |

30. Smart contract bug categories

Reentrancy

  • The DAO (2016).
  • Imperial College Lendf.me (2020) — US$ 25M ERC-777 reentrancy.
  • Cream Finance (2021 x3).
  • Burgerswap (2021).
  • Siren Protocol (2021).

Flash loan + oracle manipulation

  • Harvest Finance (2020): US$ 24M, Curve y-pool.
  • Pickle Finance (2020): US$ 20M.
  • bZx (2020 x2).
  • Cream (2021).
  • Mango Markets (2022): Avi Eisenberg drained ~US$ 117M via MNGO collateral manipulation; convicted commodities fraud + market manipulation 2024.

Math / precision

  • Compound DAI/USDC reward bug (2021): US$ 80M user overpayment (recovered most).
  • Curve Vyper compiler (2023).

Logic bugs

  • Nomad bridge (Aug 2022): initialization bug → US$ 190M everyone-drains; "free for all" mempool race.
  • Beanstalk (2022): governance + flash loan.

Signature bypass

  • Wormhole (2022).
  • BNB Bridge (2022): US$ 570M minted (post-chain halt, ~$100M extracted).

Centralized key compromise

  • Ronin (2022).
  • WazirX (2024).
  • Bybit (2025).

31. Hacking groups

Lazarus Group (DPRK)

State-sponsored. Estimated **US$ 34B** stolen 2017-2025 from crypto. Funds North Korean nuclear program (per US/UN reports).

Recent attribution: Ronin, Atomic Wallet, CoinEx, Stake.com, Orbit, WazirX, Bybit.

Tactics:

  • Spear phishing of senior engineers (LinkedIn).
  • Trojanized job applications.
  • Maintaining N. Korean IT contractors in US/EU exchanges (HR phishing).

Other state actors

China-attributed less common but suspected in select cases. Russia-attributed in some early Bitcoin-era hacks.

Cybercriminal gangs

DarkSide (Colonial Pipeline), Conti, REvil — ransomware groups demanding BTC. Mostly Russian-affiliated.

"Solo black hats"

Individuals exploiting smart contract bugs. Often demand bounties or anonymize → cash out.

"White hats / grey hats"

Sometimes return funds (PolyNetwork, Euler) for reputation or fear of consequences.


32. Anti-money laundering responses

Tornado Cash sanctions

OFAC sanctioned the smart contract (Aug 2022). First time code itself sanctioned. **Roman Storm + Alexey Pertsev** charged (developers).

**Pertsev convicted in Netherlands** (May 2024), 64-month sentence; appeal pending.

**Storm US trial:** 2024 set; later 2025 trial. Conviction (mixed).

**Van Loon v. Treasury** (5th Circuit, Aug 2024): OFAC overreached on **immutable** contracts; vacated for those. Mutable smart contracts can still be sanctioned.

**Trump administration (2025):** rescinded some sanctions; pivoted softer on Tornado.

Chain analytics

Chainalysis, TRM Labs, Elliptic — track flows, work with law enforcement. Help recover hundreds of millions per year.


33. Lessons by category

Don't custody if you can avoid

Self-custody >= custodial. Exchanges can fail (Mt. Gox, FTX, QuadrigaCX, BlockFi, Celsius...).

Verify proof-of-reserves

Post-FTX, exchanges publish PoR (Merkle tree of liabilities, on-chain reserves). Imperfect but a signal.

Smart contracts need audits + bug bounties + formal verification

Reentrancy patterns documented; CEI mandatory; flash loan attack surface understood.

Bridges = honeypots

Be skeptical of new cross-chain bridges. Prefer canonical (CCTP, native rollup) or large-TVL battle-tested.

Algorithmic stablecoins → death spiral risk

UST proved. USDe (Ethena) less reflexive but counterparty risk to perp venues.

Centralized "decentralized" actors

Multisig N-of-M is only as good as keyholder OPSEC. Ronin 5/9 was actually 4/9.

Front-end vs protocol

Many "hacks" compromise UI not protocol. Signing safely critical.

Lazarus is a thing

N. Korean state APT targeting crypto persistently. Treat OPSEC accordingly.


34. References + tracking

  • **rekt.news:** rekt leaderboard of DeFi/crypto hacks.
  • **CertiK Skynet:** hack alerts.
  • **Chainalysis** annual crypto crime reports.
  • **TRM Labs:** AML/financial crime reports.
  • **De.Fi REKT Database**
  • **Web3 Is Going Just Great** (Molly White): chronicle of hacks.

35. Cross-references

  • Smart contract bug categories: 08-smart-contracts.md §SWC.
  • Bridge architecture vulnerabilities: 11-bridges-interop.md.
  • Stablecoin design failures: 09-defi.md §Stablecoins.
  • Crypto-specific attacks: `..cryptography11ataques.md`.
  • Regulatory response: 13-regulacao.md.
  • Koder Stack lessons: 15-koder-aplicada.md.

Source: ../home/koder/dev/koder/meta/docs/blockchain/compendium/14-incidentes.md