May 29, 2019
3 Infamous Crypto Exchange Hacks – How Did They Happen?

Although blockchain technology is an immutable and somewhat unexploitable digital ledger of transactions, over the years multiple cryptocurrency exchanges have become central points of failure, subject to high-profile attacks in which many millions of dollars of funds have been lost to hackers.
The largest exchange hacks in history have affected many thousands of users, some of whom still haven’t been reimbursed, and their aftermath has often significantly affected the market price of the stolen digital asset.
However, hacks are often the result of mismanagement, or poor security protocols of the respective exchanges, and with proper procedures, could in most cases have been avoided. Here, we examine three of the most infamous exchange hacks, and how they were allowed to occur.

1. Mt. Gox

Although the Mt. Gox exchange hack is almost ancient history in the world of cryptocurrency, it was one of the first times a major exchange had suffered catastrophic losses, and the single largest loss of bitcoin ever recorded to date.
Based in Tokyo, at the beginning of 2014 Mt. Gox was the largest bitcoin exchange in the world, handling around 70% of all BTC transactions, before declaring bankruptcy on the 28th of February. Shortly afterwards, Mt. Gox revealed that they had lost some 850,000 bitcoins, worth around US$470 million at the time, in an ongoing hack which went unnoticed for some time. The resulting fiasco caused the price of BTC to decline by 36%.
Essentially, the fate of Mt. Gox was due to stolen hot wallet private keys, through what is known as a ‘wallet.dat’ file. Having gained the wallet.dat information either through a hack or an internal leak of information, the hacker, or group of hackers, was able to continuously siphon off BTC from wallets associated with Mt. Gox’s private keys. This occurred because prior to September 2011, private keys to hot wallets were not encrypted, and therefore the hacker did not require special passwords, but only the wallet.dat file, to withdraw funds from compromised wallets.
However, the real failing on Mt. Gox’s part was that the hacker was able to get away with this over many years. Due to incredibly poor auditing and fiduciary procedures, officials at the Mt. Gox exchange had absolutely no knowledge that so many wallets were compromised until it was too late to act, ultimately leading to the closure of the exchange at the expense of many of its customers.
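The auditing gap described above comes down to never comparing what left the hot wallets with what the exchange had authorized. The following sketch is an added example, not code from Mt. Gox or any exchange; the `Outflow` record, the `LEDGER` and `ONCHAIN` sample data and all transaction ids are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Outflow:
    txid: str        # transaction seen leaving a hot wallet (constructed ids)
    address: str     # hot-wallet address that was debited
    amount: Decimal  # BTC

# Constructed sample data. LEDGER is what the exchange believes it authorized;
# ONCHAIN is what actually left its hot-wallet addresses in the same period.
LEDGER = {"tx-a1": Decimal("2.5"), "tx-a2": Decimal("0.75"), "tx-a3": Decimal("1")}
ONCHAIN = [
    Outflow("tx-a1", "hot-1", Decimal("2.5")),
    Outflow("tx-a2", "hot-1", Decimal("0.80")),  # more than the ledger recorded
    Outflow("tx-zz", "hot-2", Decimal("40")),    # no ledger entry at all
]

def reconcile(onchain, ledger):
    """Return (kind, txid, unexplained_btc) for every discrepancy."""
    findings, seen = [], set()
    for o in onchain:
        seen.add(o.txid)
        expected = ledger.get(o.txid)
        if expected is None:
            findings.append(("UNAUTHORIZED_OUTFLOW", o.txid, o.amount))
        elif o.amount != expected:
            findings.append(("AMOUNT_MISMATCH", o.txid, o.amount - expected))
    # Ledger entries never seen on chain also mean the books are wrong.
    for txid in sorted(set(ledger) - seen):
        findings.append(("MISSING_ON_CHAIN", txid, Decimal("0")))
    return findings

def unexplained_btc(findings):
    """Total BTC that left the hot wallets without a matching ledger entry."""
    return sum((f[2] for f in findings), Decimal("0"))

if __name__ == "__main__":
    results = reconcile(ONCHAIN, LEDGER)
    for kind, txid, btc in results:
        print(f"{kind:22} {txid:6} {btc} BTC")
    print("unexplained:", unexplained_btc(results), "BTC")
```

Run on a schedule against every hot-wallet address, a non-empty result is the signal that was missing: funds are moving that the exchange's own books cannot explain.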

2. Bitfinex

In what was to be the second largest loss of bitcoin, Hong Kong-based Bitfinex was subject to a serious hack in which 120,000 BTC, worth US$78 million at the time, was stolen during August 2016. The attack saw the price of bitcoin slump 20% following the news. After the breach, Bitfinex halted all withdrawals and temporarily ceased trading.
Through gaining access to Bitfinex’s servers, hackers stole the API keys to the multi-signature wallets of bitcoin storage provider BitGo, a Palo Alto-based company which provided segregated user wallets for Bitfinex customers. Essentially, although BitGo’s private keys remained safe, hackers used the stolen API keys to instruct BitGo to transfer the entirety of Bitfinex’s stored bitcoin to the attackers.
The resulting damage control saw Bitfinex impose a 36% balance reduction on every single user of its exchange, a controversial move, with customers receiving Bitfinex (BFX) tokens proportional to their losses. Ultimately, it proved the best course of action to save the exchange from irrevocable loss, and Bitfinex continues to remain a leading exchange to this day.
Despite this, many have criticized Bitfinex for entrusting funds to BitGo and imposing no limit on how much could be withdrawn at any one time, with some cryptocurrency experts comparing BitGo’s storage solution to a huge centralized hot wallet, highly susceptible to attack.
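The missing control that critics point to is a withdrawal limit enforced by the co-signing service itself, so that a valid API key alone cannot empty the wallets. The sketch below is an added example, not BitGo's or Bitfinex's code; the `WithdrawalPolicy` class, the cap values and the request stream are hypothetical and constructed for illustration.

```python
from collections import deque
from decimal import Decimal

class WithdrawalPolicy:
    """Limits enforced by the co-signer itself, regardless of who holds the API key."""

    def __init__(self, per_request_cap, window_cap, window_seconds):
        self.per_request_cap = Decimal(per_request_cap)
        self.window_cap = Decimal(window_cap)
        self.window_seconds = window_seconds
        self._approved = deque()  # (timestamp, amount) of recently signed requests

    def evaluate(self, now, amount):
        amount = Decimal(amount)
        # Forget approvals that have aged out of the rolling window.
        while self._approved and now - self._approved[0][0] >= self.window_seconds:
            self._approved.popleft()
        if amount <= 0:
            return "DENY_INVALID_AMOUNT"
        if amount > self.per_request_cap:
            return "DENY_PER_REQUEST_CAP"
        signed = sum((a for _, a in self._approved), Decimal("0"))
        if signed + amount > self.window_cap:
            return "HOLD_WINDOW_CAP"  # escalate to a human instead of signing
        self._approved.append((now, amount))
        return "SIGN"

def replay(policy, requests):
    """Run (timestamp, amount) requests through the policy in order."""
    return [policy.evaluate(ts, amt) for ts, amt in requests]

# Constructed request stream: two routine withdrawals, then a drain attempt
# made with a valid API key, then normal traffic after the window has passed.
REQUESTS = [(0, "40"), (60, "40"), (120, "40"), (130, "120000"), (3700, "40")]

if __name__ == "__main__":
    policy = WithdrawalPolicy(per_request_cap="50", window_cap="100", window_seconds=3600)
    for req, verdict in zip(REQUESTS, replay(policy, REQUESTS)):
        print(req, "->", verdict)
```

Because the rolling-window total is checked as well as the per-request cap, splitting a large withdrawal into many small requests is held for review in the same way.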

3. Cryptopia

In a more recent example, New Zealand-based exchange Cryptopia has recently declared insolvency following a major hack in January 2019, which prompted investigations by New Zealand Police and resulted in the loss of an estimated US$16 million worth of various cryptocurrencies.
The hackers mainly made off with Ethereum and various ERC-20 tokens, which the exchange estimated accounted for the loss of over 9% of their total holdings. In an unusual departure from other exchange hacks, it seems that hackers were able to take direct control of two of Cryptopia’s core hot wallets, one used for storing ETH and the other for tokens, which they started extracting funds from on Sunday, January 13th.
In total, the hackers gained access to around 76,000 individual cryptocurrency wallets, and were able to extract assets, even after being discovered, for up to five days. This has led many cryptographic security experts to speculate that the hackers had access to thousands of private keys, and that Cryptopia had totally lost access to its own wallets and therefore had no power to stop the hackers. Many have suggested that Cryptopia had their private keys stored in a single server with limited protection, therefore creating a single point of failure for the exchange.


These hacks are just a very small handful of the total number of security breaches that have occurred, and will likely continue to occur, on cryptocurrency exchanges. What is clear is that in almost every case there is a fault or bug on the exchange’s side that facilitates access for hackers, and either compromises centralized private key stores or affects users’ wallets directly.

Instead, it’s up to exchanges to take a pro-active stance in private key security and custody, and many of these hacks could have been avoided by working with best-in-class developers and cryptographic security experts, to preemptively secure funds before hacks could occur.

