Technical Exploits Behind Recent Crypto Exchange Hacks (2022–2025)
Over the past few years, centralized cryptocurrency exchanges have suffered a series of high-profile security breaches resulting in significant asset losses. These incidents reveal a range of technical attack vectors, from API key leaks and hot wallet compromises to infrastructure vulnerabilities and social-engineering exploits, that risk and compliance professionals must understand. This report analyzes the major exchange hacks since 2022, the technical details of how they occurred, and the regulatory gaps exposed. It concludes with concrete takeaways for strengthening security controls and compliance oversight.
Major Crypto Exchange Incidents (2022–2025)
The table below summarizes notable exchange hacks from 2022 to mid-2025, including the affected platform, timeline, nature of the exploit, and estimated funds lost:
| Exchange | Date | Exploit Vector | Funds Lost |
|---|---|---|---|
| BitMart | Dec 2021 | Hot wallet private key stolen: Hackers obtained a private key controlling two hot wallets (ETH & BSC), enabling direct withdrawals | ~$150–200 million |
| Crypto.com | Jan 2022 | 2FA bypass on user accounts: Attackers found a flaw to bypass two-factor authentication, withdrawing funds from 483 accounts without 2FA codes | ~$33.7 million |
| FTX | Nov 2022 | SIM swap & credential compromise: A SIM-swapping ring impersonated an employee and accessed FTX’s internal systems, transferring crypto from wallets hours after bankruptcy | ~$400 million |
| Binance (BSC Bridge) | Oct 2022 | Smart contract vulnerability: An exploit in Binance’s cross-chain bridge code allowed minting of extra tokens, which were withdrawn (attack on infrastructure supporting the exchange) | ~$570 million |
| CoinEx | Sept 2023 | Hot wallet key compromise: Hackers (suspected Lazarus Group) obtained and used the private keys for CoinEx hot wallets, draining crypto across 211 chains | ~$70 million |
| WazirX | Jul 2024 | Multisig wallet exploit: Attackers exploited a discrepancy in a third-party custodian’s interface (Liminal), tricking signers of a Gnosis multisig into approving a malicious payload. They took control of a 6-signatory wallet (1 custodian, 5 exchange) and stole funds | ~$230 million |
| DMM Bitcoin | May 2024 | Targeted employee & transaction tampering: North Korean hackers (TraderTraitor) phished an employee of a wallet service (Ginco) via a fake LinkedIn job test. Gained network access, then impersonated the employee to manipulate a legitimate transfer request, siphoning Bitcoin from the exchange | ~$305 million (4502 BTC) |
| Bybit | Feb 2025 | Blind signing/social engineering: Attackers deceived Bybit’s cold-wallet multisig signers into blindly signing a malicious smart-contract upgrade. This granted the hacker control over a cold wallet and its contents | ~$1.4 billion |
| Nobitex (Iran) | Jun 2025 | State-sponsored attack: A hacktivist group (Predatory Sparrow) linked to Israel infiltrated Iran’s largest exchange during regional conflict. Funds were funneled out via custom “vanity” addresses (e.g. containing anti-IRGC messages) as a form of cyber-sabotage | ~$90 million |
| HTX (Huobi) | Sept 2023 | Hot wallet breach: An attacker drained ~5,000 ETH from an exchange hot wallet. Huobi (rebranded HTX) offered a 5% “white hat” bounty; the hacker returned the funds, indicating a possible bug exploit later resolved | ~$8 million (fully recovered) |
Table: Major centralized exchange hacks (2022–2025), with attack vectors and losses. Note: Figures are approximate USD equivalents at the time of each incident.
Rising Threats to Centralized Exchanges
Centralized exchanges remain prime targets for cybercriminals and nation-state hackers due to the large concentration of customer assets under custody. While 2022 saw record crypto hack volumes (over $3 billion stolen, mostly from DeFi protocols), recent data shows a surge in attacks on CeFi platforms as well. In 2024 the number of security incidents targeting centralized finance jumped roughly 1000% year-over-year, with North Korea’s Lazarus Group alone responsible for stealing an estimated $340 million+ in crypto in 2023. These trends underscore that even the most prominent exchanges, despite substantial security investments, are vulnerable to determined attackers.
Several common attack vectors have emerged from the breach post-mortems, revealing where technical and operational controls failed. Below, we break down the key exploit types observed, with case studies illustrating each:
Social Engineering of Key Personnel
One of the most devastating attack vectors has been targeted social engineering aimed at exchange insiders or service providers with high-level access. Rather than directly hacking code, attackers (often state-sponsored) trick humans into opening the door:
- Spear-phishing Employees: In the $305M DMM Bitcoin hack (May 2024), North Korean hackers posed as recruiters on LinkedIn and lured a wallet service contractor into running malicious code under the guise of a coding test. This backdoor allowed the attackers to later impersonate the employee on internal channels and manipulate a legitimate transfer request, resulting in a massive Bitcoin theft from the exchange. The exploit leveraged trust in an authorized employee account to bypass normal controls.
- Deceiving Multisig Signers: The record-breaking $1.4B Bybit hack (Feb 2025) similarly succeeded through social engineering despite robust cold-wallet security. Bybit used an Ethereum multisig wallet (multiple approvers) for cold storage. Attackers executed a “blind signing” trick, presenting a transaction that appeared routine to the signers but which actually introduced malicious smart contract logic. In effect, the signers unknowingly approved a contract upgrade that granted the hacker full control of the wallet; the hacker then drained all funds. Analysts noted this was almost identical to how a $230M hack against WazirX was carried out months earlier. In both cases, human approvers were fooled by a carefully crafted on-chain transaction that wasn’t what it seemed.
- Executive/IT Staff Impersonation: Shortly after FTX’s November 2022 collapse, over $400M was mysteriously drained from its wallets. Initially suspected as an inside job, it was later revealed that a SIM-swapping gang had impersonated an FTX employee and convinced a telecom provider to port the victim’s phone number. With control of the phone, the attackers accessed company accounts (likely intercepting 2FA codes or resetting passwords) and transferred hundreds of millions in crypto out of FTX’s wallets. This incident highlighted how poor internal account security and lack of out-of-band confirmations enabled outsiders to masquerade as insiders. John J. Ray III, who took over FTX, noted the exchange’s security was so shoddy that it was “pure hell” to untangle post-hack.
These cases reveal that no matter how strong technical wallet security is, humans remain the weakest link. Sophisticated adversaries (notably Lazarus Group) invest heavily in “social hacking” campaigns: fake job offers, trojanized documents, and SIM swap schemes to compromise privileged accounts.
Risk implication: Exchanges must enforce strict identity verification for sensitive operations (e.g. call-backs or face-to-face confirmation for large transfers), continuous security training for staff, and least-privilege access to limit damage if one account is breached.
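The blind-signing cases above turned on signers approving a payload they could not read. The following is an added example (not code from the report or from any of the exchanges it discusses) of an independent pre-signing check a signer's workstation can run on a Gnosis Safe-style transaction: it decodes the calldata and refuses anything that is not a plain ERC-20 transfer to a pre-registered destination. It assumes the Safe fields to/value/data/operation (0 = CALL, 1 = DELEGATECALL), the ERC-20 `transfer(address,uint256)` selector `0xa9059cbb`, and constructed sample addresses.

```python
# Added example, not from the report or any of the exchanges it describes:
# an independent pre-signing check for a Gnosis Safe-style multisig payload.
# Assumptions: the Safe transaction fields to/value/data/operation, where
# operation 0 = CALL and 1 = DELEGATECALL, and the ERC-20 transfer selector
# 0xa9059cbb (first 4 bytes of keccak256("transfer(address,uint256)")).
from dataclasses import dataclass

ERC20_TRANSFER_SELECTOR = "a9059cbb"
OP_CALL, OP_DELEGATECALL = 0, 1


@dataclass
class SafeTx:
    to: str         # account the Safe will call
    value: int      # native value (wei) attached to the call
    data: str       # hex calldata, "0x" prefix optional
    operation: int  # 0 = CALL, 1 = DELEGATECALL


@dataclass
class SigningPolicy:
    approved_tokens: set        # token contracts the treasury is allowed to call
    approved_destinations: set  # recipients that were registered out-of-band
    max_amount: int             # per-transaction ceiling in token base units


def decode_erc20_transfer(data: str):
    """Return (recipient, amount) for an exact transfer(address,uint256) call, else None."""
    h = data[2:] if data.startswith("0x") else data
    if len(h) != 8 + 64 + 64 or h[:8].lower() != ERC20_TRANSFER_SELECTOR:
        return None  # wrong selector, or extra bytes appended to the calldata
    recipient = "0x" + h[8 + 24:8 + 64]  # address is right-aligned in its 32-byte word
    amount = int(h[8 + 64:], 16)
    return recipient.lower(), amount


def check_before_signing(tx: SafeTx, policy: SigningPolicy) -> list:
    """Return the reasons to refuse; an empty list means the payload is a plain, approved transfer."""
    reasons = []
    if tx.operation == OP_DELEGATECALL:
        reasons.append("DELEGATECALL runs foreign code in the Safe's own storage (can change owners or implementation)")
    elif tx.operation != OP_CALL:
        reasons.append(f"unknown operation {tx.operation}")
    if tx.value != 0:
        reasons.append("native value attached to what should be a token transfer")
    if tx.to.lower() not in {a.lower() for a in policy.approved_tokens}:
        reasons.append(f"target {tx.to} is not an approved token contract")
    decoded = decode_erc20_transfer(tx.data)
    if decoded is None:
        reasons.append("calldata is not a plain ERC-20 transfer(address,uint256)")
        return reasons
    recipient, amount = decoded
    if recipient not in {a.lower() for a in policy.approved_destinations}:
        reasons.append(f"recipient {recipient} is not on the destination allowlist")
    if amount > policy.max_amount:
        reasons.append(f"amount {amount} exceeds the per-transaction ceiling {policy.max_amount}")
    return reasons


def encode_erc20_transfer(recipient: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256); used only to build the constructed samples below."""
    return "0x" + ERC20_TRANSFER_SELECTOR + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")


# Constructed sample addresses (not real contracts).
TOKEN = "0x" + "11" * 20
TREASURY = "0x" + "22" * 20
UNKNOWN_CONTRACT = "0x" + "33" * 20
POLICY = SigningPolicy({TOKEN}, {TREASURY}, max_amount=10_000_000)

# What the signer believes they are approving: a routine treasury transfer.
ROUTINE_TX = SafeTx(to=TOKEN, value=0, data=encode_erc20_transfer(TREASURY, 5_000_000), operation=OP_CALL)
# A payload of the kind described above: a delegatecall into an unapproved contract.
UPGRADE_TX = SafeTx(to=UNKNOWN_CONTRACT, value=0, data="0xdeadbeef", operation=OP_DELEGATECALL)

if __name__ == "__main__":
    for name, tx in (("routine", ROUTINE_TX), ("upgrade", UPGRADE_TX)):
        reasons = check_before_signing(tx, POLICY)
        print(name, "-> sign" if not reasons else "-> REFUSE: " + "; ".join(reasons))
```

The check must run on an independent device from the one that displayed the transaction, otherwise a compromised signing UI can lie to both.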
Hot Wallet Compromises and Private Key Theft
Hot wallets, cryptocurrency wallets connected to the internet to facilitate daily exchange transactions, are frequent targets due to their continuous accessibility. Unlike cold (offline) storage, hot wallets trade some security for operational convenience, and attackers seek to exploit any weakness to extract their private keys:
- Direct Key Theft via Server Breach: In multiple incidents, hackers obtained the unencrypted private keys securing an exchange’s hot wallets. For example, BitMart’s December 2021 breach (which presaged the 2022 hacks) was traced to “a stolen private key that had two of our hot wallets compromised,” according to the CEO. Using that key, the attackers were able to sign off on large outbound token transfers themselves. Blockchain forensics showed the thief simply withdrew tokens, swapped them via decentralized exchanges, and laundered through Tornado Cash in a “pretty straightforward” attack. Similarly, CoinEx’s hack in Sept 2023 was confirmed to be caused by compromised private keys for its hot wallets, allowing the removal of ~$70M in assets on chains like Ethereum, TRON, and Polygon. (Notably, both BitMart and CoinEx pledged to fully compensate users, absorbing the losses.)
- Exploiting Software Vulnerabilities: Sometimes the key compromise is enabled by a software flaw. Investigations into the CoinEx hack and other 2023 cases pointed to the possibility of unpatched wallet software vulnerabilities or poor key management processes on exchange servers. For instance, if an exchange’s wallet daemon or Multi-Party Computation (MPC) system has a known exploit that allows key extraction, hackers will seize that opportunity. The HTX (Huobi) hot wallet breach of 2023 (where ~5,000 ETH was stolen) is suspected to have stemmed from a vulnerability that the hacker ultimately revealed in exchange for a bounty, given that the funds were returned after negotiations.
- Lack of Key Segregation: A concerning pattern is that some exchanges kept large sums in a single hot wallet protected by one key. In the BitMart incident, those two hot wallets represented a broad array of tokens (~$196M total) – a single point of failure. High exposure of hot wallets magnified the impact once the key was stolen. Best practice is to limit hot wallets to only the liquidity needed for near-term withdrawals and use multisig or MPC schemes so no single key compromise is catastrophic.
These incidents underscore the importance of rigorous private key management. Keys to hot wallets should be stored in hardware security modules or MPC frameworks, with strict access controls, monitoring, and rapid rotation capabilities if compromise is suspected. Regular penetration testing and code audits are crucial for any wallet software in use. As one crypto security firm executive noted, prioritizing offline key storage and real-time threat monitoring of wallet activity can significantly reduce successful attacks.
API Key Leaks and Third-Party Integrations
Modern crypto trading often involves third-party applications (e.g. portfolio managers, trading bots) that connect to exchange accounts via API keys. These API keys, if they fall into the wrong hands, can be weaponized to steal funds or conduct unauthorized trades. A wave of incidents in late 2022 highlighted this often-overlooked attack vector:
- 3Commas API Key Leak: 3Commas, a popular trading bot platform, experienced a major breach where its entire database of user API keys was leaked. Throughout 2022, users on exchanges like Binance, FTX, and KuCoin reported mysterious trades draining their accounts. By December 2022, Binance’s CEO publicly warned users to disable any 3Commas-linked keys, saying he was “reasonably sure” there were widespread leaks. Soon after, 3Commas’ CEO admitted that API keys had been stolen and published online. Attackers used these keys (which many users had unknowingly left with withdrawal permissions) to execute illicit strategies – for example, using victims’ accounts to pump low-cap coins and profit off the price swings. Because the exchanges saw valid API credentials, these malicious trades were processed as if initiated by the users, leading to substantial losses. Exchanges declined compensation in most cases, noting that the users’ own API keys were compromised off-platform.
- Insufficient Restrictions on API Use: This episode exposed how poor API key hygiene can harm exchange customers. Some users had enabled trading and withdrawal rights for third-party apps, and the exchange back-ends did not flag the abnormal activity in time. In one FTX user’s case, over $1M was siphoned via API, and it was initially blamed on phishing. The real cause, an integration breach, only emerged later. Lax API risk controls (e.g. no IP whitelisting or velocity limits on withdrawals via API) exacerbated the damage. In response, Binance, KuCoin, and others revoked all 3Commas-linked keys and urged users to create new ones.
- Third-Party Custody Risks: Similarly, the WazirX hack (2024) demonstrated risk at the interface between an exchange and an external custodian. WazirX relied on Liminal’s custody platform for managing a critical wallet. Even though Liminal maintained that its infrastructure wasn’t breached, the attackers found a gap in how transaction data was validated between WazirX and Liminal. This suggests that data mismatches or trust assumptions in third-party integrations can be exploited to bypass security. Exchanges need to thoroughly vet and continuously monitor any external tech integration, whether trading APIs, custody solutions, or cloud services, as these can introduce new attack surfaces.
Risk takeaway: API keys should be treated like passwords: stored securely and scoped minimally. Exchanges can implement allowlist options so that API keys only work from specific servers/IPs and cannot be used for withdrawals to arbitrary addresses. Monitoring for unusual API usage patterns (e.g. a normally inactive account suddenly making large trades) can help detect and stop malicious use mid-stream. Additionally, robust due diligence on vendors and explicit shared security responsibilities are key when using third-party services.
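The controls in the takeaway above (per-key scope, IP allowlisting, pre-registered withdrawal addresses, velocity limits, and a denial feed for monitoring) can be enforced in one gateway check. The following is an added example, not the report's or any exchange's own code; key ids, IPs, addresses and amounts are constructed sample data, and the scenario replays a leaked trading-bot key from an unfamiliar host.

```python
# Added example, not from the report or any exchange's code: server-side
# enforcement of the API-key controls recommended above. Each key carries a
# scope set, an IP allowlist, a set of pre-registered withdrawal addresses and
# a rolling withdrawal velocity limit; a request is judged against the key
# that signed it, and anything unknown fails closed. Key ids, IPs, addresses
# and amounts are constructed sample data.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class ApiKeyPolicy:
    key_id: str
    scopes: set                     # subset of {"read", "trade", "withdraw"}
    ip_allowlist: set               # empty set means the key cannot be used from anywhere
    withdraw_addresses: set         # pre-registered destinations; empty = no withdrawals
    max_withdraw_per_window: float  # USD-equivalent ceiling inside the window
    window_seconds: int = 3600


@dataclass
class ApiRequest:
    key_id: str
    source_ip: str
    action: str            # "read", "trade" or "withdraw"
    ts: int                # unix seconds
    amount_usd: float = 0.0
    to_address: str = ""


class ApiGateway:
    def __init__(self, policies):
        self.policies = {p.key_id: p for p in policies}
        self.withdrawals = defaultdict(deque)  # key_id -> (ts, amount) within the window
        self.denials = []                      # (key_id, source_ip, reason) for the SOC feed

    def authorize(self, req: ApiRequest):
        """Return (allowed, reason); checks are ordered so a leaked key used elsewhere fails first."""
        p = self.policies.get(req.key_id)
        if p is None:
            return self._deny(req, "unknown key")
        if req.source_ip not in p.ip_allowlist:
            return self._deny(req, f"ip {req.source_ip} not on allowlist")
        if req.action not in p.scopes:
            return self._deny(req, f"scope {req.action} not granted")
        if req.action == "withdraw":
            if req.to_address not in p.withdraw_addresses:
                return self._deny(req, "destination not pre-registered")
            if self._spent(p, req.ts) + req.amount_usd > p.max_withdraw_per_window:
                return self._deny(req, "withdrawal velocity limit exceeded")
            self.withdrawals[p.key_id].append((req.ts, req.amount_usd))
        return True, "ok"

    def _spent(self, p, now):
        """Sum of withdrawals still inside the rolling window; older entries are dropped."""
        q = self.withdrawals[p.key_id]
        while q and q[0][0] < now - p.window_seconds:
            q.popleft()
        return sum(amount for _, amount in q)

    def _deny(self, req, reason):
        self.denials.append((req.key_id, req.source_ip, reason))
        return False, reason


def run_scenario():
    """Constructed traffic: a trading-bot key and a treasury key, plus a replay of the bot key from elsewhere."""
    gw = ApiGateway([
        ApiKeyPolicy("bot-key", {"read", "trade"}, {"203.0.113.10"}, set(), 0.0),
        ApiKeyPolicy("treasury-key", {"read", "withdraw"}, {"203.0.113.20"}, {"addr-treasury-cold"}, 50_000.0),
    ])
    requests = [
        ApiRequest("bot-key", "203.0.113.10", "trade", 1000),                     # legitimate bot trade
        ApiRequest("bot-key", "198.51.100.7", "trade", 1010),                     # same key from an unknown host
        ApiRequest("bot-key", "203.0.113.10", "withdraw", 1020, 10.0, "addr-x"),  # bot key never had withdraw scope
        ApiRequest("treasury-key", "203.0.113.20", "withdraw", 1100, 30_000.0, "addr-treasury-cold"),
        ApiRequest("treasury-key", "203.0.113.20", "withdraw", 1500, 30_000.0, "addr-treasury-cold"),  # over limit
        ApiRequest("treasury-key", "203.0.113.20", "withdraw", 4800, 30_000.0, "addr-treasury-cold"),  # window rolled
        ApiRequest("treasury-key", "203.0.113.20", "withdraw", 4900, 1.0, "addr-unregistered"),
    ]
    return [gw.authorize(r) for r in requests], gw.denials


if __name__ == "__main__":
    results, denials = run_scenario()
    for r in results:
        print(r)
    print("denials for the SOC feed:", denials)
```

A burst of denials for one key from a new source IP is exactly the signal the monitoring paragraph asks for, so the denial feed should go to the SOC rather than only to a debug log.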
Authentication and Access Control Weaknesses
Even when hackers do not directly steal keys or credentials, they often exploit weaknesses in the user authentication process or access control logic of an exchange’s platform. Several incidents show that failing to enforce strong authentication at all times can lead to large losses:
- 2FA Bypass – Crypto.com: In January 2022, Crypto.com was breached in a rather unsettling way: attackers managed to withdraw funds from 483 user accounts without triggering the required 2-Factor Authentication (2FA) challenge. Normally, even with a stolen password, an attacker should be blocked by the secondary code. The fact that transactions went through without 2FA indicates a vulnerability in the exchange’s authentication flow. While Crypto.com never fully disclosed the flaw, the evidence suggests the attackers discovered an oversight or bug that let them completely bypass 2FA verification during login or withdrawal. As a result, the only barrier protecting accounts was the primary password, which the attackers likely obtained via phishing or a data leak. Approximately $33.7M in Bitcoin and Ether was drained to the attackers’ wallets (and quickly laundered through Tornado Cash). The company’s CEO initially, and misleadingly, claimed no customer funds were lost, highlighting a transparency issue; the company later acknowledged the incident and migrated to a new 2FA infrastructure.
- SIM Swaps & User Account Takeovers: Outside of the FTX case, SIM swapping has been a common tactic to defeat SMS-based 2FA for retail crypto users. There have been numerous reports (including legal cases) of attackers hijacking a victim’s phone number and then using password resets or OTP interception to gain control of exchange accounts, often draining the crypto before the user notices. This method is essentially an attack on the user’s telco security, but it exposes exchange liability if their processes don’t detect anomalies (e.g., a login from a new device right after a SIM swap) or if they rely on weak 2FA forms. The U.S. FBI in late 2022 warned that SIM swap attacks had resulted in over $50M stolen from crypto accounts in just one year, urging platforms to move toward more secure authenticators and to educate users on SIM swap risks. Poor access recovery procedures can compound this threat: if an exchange’s support will change an account’s email or 2FA given convincing social engineering, attackers may exploit that (as seen in some past Coinbase account takeover claims).
- Insufficient Internal Access Segmentation: The FTX exploit also underscored how poor internal access controls can be devastating. The fact that an outside gang (via an employee’s SIM) could get into “company accounts” and initiate massive transfers suggests FTX did not have robust segregation of duties or multilayer approval for moving funds. A single compromised login should never have the ability to unilaterally transfer hundreds of millions in customer assets. Likewise, other cases have shown that if database or admin console access is gained, an attacker might alter whitelisted withdrawal addresses or bypass withdrawal limits. In the Crypto.com case, the root cause could have been an error in how backend systems verified 2FA tokens, essentially an access control logic bug. Any such flaw in the authorization layer of an exchange can be catastrophic.
The lesson for compliance teams is to enforce strong authentication and layered approvals, both for customer actions and especially for administrative functions. Exchanges should adopt phishing-resistant 2FA (e.g. hardware security keys or authenticator apps with device binding, rather than SMS). Critical transactions (large withdrawals, or any withdrawal from a new address) should trigger additional verification or time delays, giving time to intervene if suspicious. Internally, sensitive operations should require multi-party approval – for example, a single engineer should not be able to directly access private keys or change security settings without another’s oversight.
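The pattern the paragraph above asks for, verifying the second factor on the sensitive operation itself rather than on an earlier login, holding first-seen destinations, and requiring two people for large movements, is shown in the following added example. It is not the report's or any exchange's code; the TOTP routine follows RFC 6238 with HMAC-SHA1, and the secret, account id, addresses, hold period and approval threshold are constructed values.

```python
# Added example, not from the report or any exchange's code: a withdrawal
# endpoint that enforces the controls described above at the point of
# withdrawal rather than trusting an earlier login step. The TOTP code is
# verified on the withdrawal request itself and a client-supplied "already
# verified" flag is ignored; each code can be spent once; a destination not
# seen before is held for a cooling-off period; and amounts above a threshold
# need two distinct human approvers. TOTP follows RFC 6238 (HMAC-SHA1).
# Secrets, account ids, addresses, amounts and thresholds are constructed.
import hashlib
import hmac
import struct

STEP = 30                        # TOTP time step (seconds)
NEW_ADDRESS_HOLD = 24 * 3600     # cooling-off period for a first-seen destination
DUAL_APPROVAL_ABOVE = 100_000.0  # USD-equivalent threshold for two-person approval


def totp(secret: bytes, now: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP code for the time step containing `now` (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class WithdrawalService:
    def __init__(self):
        self.accounts = {}       # account_id -> {"secret": bytes, "addresses": {address: first_seen}}
        self.last_counter = {}   # account_id -> last TOTP counter accepted (replay defence)
        self.pending = {}        # withdrawal id -> large withdrawal awaiting approvals
        self.ledger = []         # executed withdrawals (account_id, to, amount)
        self.next_id = 1

    def enroll(self, account_id: str, secret: bytes):
        self.accounts[account_id] = {"secret": secret, "addresses": {}}
        self.last_counter[account_id] = -1

    def _verify_code(self, account_id: str, code: str, now: int) -> bool:
        """Constant-time compare against the current step; a counter already spent is refused."""
        expected = totp(self.accounts[account_id]["secret"], now)
        if not hmac.compare_digest(expected, code):
            return False
        counter = now // STEP
        if counter <= self.last_counter[account_id]:
            return False
        self.last_counter[account_id] = counter
        return True

    def request(self, account_id, to, amount, code, now, client_flags=None):
        """Customer withdrawal. `client_flags` (e.g. {"2fa_verified": True}) is accepted but never trusted."""
        acct = self.accounts.get(account_id)
        if acct is None:
            return "denied: unknown account"
        if not self._verify_code(account_id, code, now):   # the server verifies, every time
            return "denied: 2fa"
        first_seen = acct["addresses"].setdefault(to, now)
        if now - first_seen < NEW_ADDRESS_HOLD:
            return "held: new destination address"
        if amount > DUAL_APPROVAL_ABOVE:
            wid, self.next_id = self.next_id, self.next_id + 1
            self.pending[wid] = {"account": account_id, "to": to, "amount": amount, "approvers": set()}
            return f"pending approval #{wid}"
        self.ledger.append((account_id, to, amount))
        return "executed"

    def approve(self, wid: int, approver_id: str) -> str:
        """Operations-side approval; the same person approving twice still counts once."""
        item = self.pending.get(wid)
        if item is None:
            return "denied: no such pending withdrawal"
        item["approvers"].add(approver_id)
        if len(item["approvers"]) < 2:
            return "awaiting second approver"
        self.ledger.append((item["account"], item["to"], item["amount"]))
        del self.pending[wid]
        return "executed"


if __name__ == "__main__":
    svc = WithdrawalService()
    secret = b"constructed-secret-12345"   # constructed; real secrets come from enrollment
    svc.enroll("acct-1", secret)
    now = 1_700_000_000
    print(svc.request("acct-1", "addr-A", 500.0, totp(secret, now), now))   # held: first-seen address
    print(svc.request("acct-1", "addr-A", 500.0, "000000", now + 30, {"2fa_verified": True}))  # flag is ignored
```

A hardware-key (FIDO2/WebAuthn) challenge bound to the withdrawal parameters would replace `totp` here; the structure of the endpoint, verify on the sensitive action and never trust a client flag, stays the same.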
Infrastructure and Code Vulnerabilities
While many recent exchange attacks have leveraged human factors, there remains the classic risk of technical vulnerabilities in the exchange’s infrastructure or smart contract ecosystem being exploited:
- Smart Contract Exploits on Exchange-Run Systems: In October 2022, a hacker struck at Binance’s cross-chain bridge (BSC Token Hub), which, while part of the Binance ecosystem, was essentially a blockchain smart contract exploit. The attacker found a bug that allowed them to forge arbitrary messages and mint about 2 million BNB (~$570M) out of thin air, which they then moved off the BSC chain. Fortunately, Binance managed to pause the blockchain before more was lost, but roughly $100M was unrecoverable. This case blurs the line between DeFi and CeFi – it wasn’t the centralized exchange ledger itself hacked, but a technical extension of the exchange (the cross-chain bridge it operated). It highlights that exchanges venturing into on-chain products must adhere to the same rigor of smart contract audits as any DeFi protocol. Code vulnerabilities in exchange-developed contracts (bridges, staking programs, etc.) can lead to large losses that ultimately affect the exchange’s balance sheet and users.
- Web and Cloud Infrastructure Breaches: Though less publicized in recent mega-hacks, traditional cyber vulnerabilities (web exploits, cloud misconfigurations, etc.) are still a threat. A breach of an exchange’s database could expose hashed (or worse, plaintext) passwords and personal data, facilitating account takeovers. There have been instances of exchange KYC data leaks and even source code leaks. For example, in 2023 one exchange accidentally leaked an API key for its cloud storage, and attackers used it to exfiltrate internal data (though no fund theft occurred in that case). The absence of a major hack purely due to a zero-day or SQL injection in the past couple of years shouldn’t breed complacency; attackers continuously scan for these weaknesses too.
- Poor Software Supply Chain Security: Another subtle vector is the risk of malicious code injection through dependencies or updates. Large exchanges deploy custom trading engines, mobile apps, browser plugins, etc. A compromised update server or a poisoned open-source library could theoretically backdoor an exchange or its users. The Atomic Wallet hack (June 2023), which hit a popular custody app rather than an exchange and saw ~$100M stolen, is suspected to have been caused by such a supply chain compromise (attackers possibly introduced malicious code into the app’s update that extracted users’ keys). Exchanges must therefore also harden their development and deployment processes, so that an attacker cannot exploit them to reach the keys indirectly.
In summary, technical defenses must be multilayered: rigorous code audits (both for in-house software and any on-chain contracts), continuous vulnerability scanning, bug bounty programs to catch issues before criminals do, and an assumed-breach mindset for infrastructure (using firewalls, network segmentation, and encryption so that a single server breach doesn’t expose critical secrets). Given the high stakes, many exchanges are moving toward “bank-grade” security practices, including comprehensive penetration tests and real-time monitoring of system integrity.
Regulatory Implications and Gaps
Each of these major hacks has prompted questions about regulatory oversight or the lack thereof in the crypto exchange space. Key observations include:
- Transparency and Incident Reporting: Unlike traditional banks, crypto exchanges have not uniformly been held to incident reporting requirements. This became evident when Crypto.com’s CEO at first denied any losses in the 2022 hack, and only after public pressure admitted to ~$34M being gone. Regulators may require exchanges to promptly disclose breaches to authorities and customers. Greater transparency is critical for user protection and to alert the broader industry of emerging threats.
- Custodial Security Standards: Many jurisdictions are now realizing they must impose minimum security standards on exchanges, similar to how banks have IT security guidelines. Japan reacted strongly after the DMM Bitcoin hack, enacting sweeping new rules in 2023–24 that mandate domestic custody of customer assets and stricter AML/KYC compliance for exchanges. These rules aim to “increase custody transparency and reduce counterparty risks” after investors were rattled by the DMM incident and other failures. In practice, requiring domestic (onshore) asset storage can help regulators audit cold wallet arrangements and ensure exchanges aren’t relying on opaque third parties. Similarly, regulators are discussing mandates for independent security audits, multi-signature storage, and insurance or capital reserves to cover hacks.
- Accountability in Case of Hacks: A notable gap highlighted by WazirX’s $230M hack is who bears the loss and what recourse users have. WazirX initially invoked a “force majeure” clause, suggesting the hack was an unforeseeable act of God. However, legal experts pointed out that if security lapses are found (i.e. the event was not truly beyond mitigation), such clauses may not shield the company. In many countries, there is no clear legal framework assigning liability when an exchange is hacked. Customers often rely on the exchange’s goodwill or reputation – e.g. BitMart and CoinEx covering losses from their own funds. Going forward, regulators may require consumer protection measures, such as compensation funds or bonding, so that users are not left empty-handed after a breach.
- Global Cooperation vs. Jurisdictional Limits: The FTX case (an offshore exchange with mainly foreign users) exposed how regulatory gaps between jurisdictions can be exploited. FTX’s lack of basic controls would likely not have passed muster under U.S. exchange regulations, yet being based in the Bahamas it operated without that oversight until it was too late. Many policymakers have since called for harmonized international standards for crypto exchanges. Notably, in August 2023 at the G20, India’s Prime Minister urged a global crypto regulatory framework, pointing out that purely national approaches leave gaps in a borderless digital market. In the meantime, U.S. regulators (SEC, CFTC, state agencies) have ramped up enforcement to indirectly pressure better practices (e.g., New York’s DFS fined exchanges for cybersecurity deficiencies and issued guidance on coin listing and custody).
- AML and Sanctions Dimensions: The prominent role of North Korean hackers (Lazarus Group) in many of these exchange heists has drawn attention from law enforcement and sanctions bodies. Regulators are scrutinizing how stolen funds are cashed out; often hackers will move loot into DeFi protocols or mixers to evade tracing. This has led to actions like the U.S. sanctioning Tornado Cash in 2022, and discussions about requiring exchanges to screen wallet addresses more aggressively and cooperate on freezing stolen assets. However, the CoinEx and DMM cases show that when attackers immediately swap and bridge out funds, tracing and recovery are extremely difficult. There is a regulatory gap in terms of global coordination to interdict stolen crypto in flight. The Nobitex hack in Iran by an Israeli-linked group is another facet here: crypto exchanges have become targets in geopolitical conflict. This may prompt regulators to consider exchanges as part of critical financial infrastructure that needs protection akin to payment networks.
In summary, the recent hacks have exposed that crypto exchange security is not just an IT issue, but a regulatory concern. Expect to see more efforts to impose baseline security requirements (e.g. operational security audits, mandatory insurance, fit-and-proper vetting of exchange operators) and possibly industry-wide frameworks for incident response. Risk and compliance professionals in traditional finance should be aware that as their institutions interact with crypto markets (through custody, brokerage, etc.), these regulatory developments will influence counterparties and service providers.
Key Takeaways for Risk & Compliance Teams
For financial institutions engaging with or investing in crypto infrastructure, the following lessons emerge from these exploit case studies:
- Implement Rigorous Custody Controls: Insist on robust segregation of duties for any crypto custody. Utilize multi-signature or multi-party computation (MPC) wallets for significant holdings so no single point of failure exists. Ensure that hot wallet exposures are limited and that the majority of assets are secured in offline cold storage with tiered approval processes.
- Strengthen Authentication and Authorization: Enforce the highest standards of user and administrator authentication. Eliminate weak 2FA methods like SMS in favor of hardware keys or app-based MFA with safeguards against phishing (e.g. FIDO2/WebAuthn). Consider risk-based authentication that flags unusual login contexts. Internally, require multilevel approvals for large transfers or critical configuration changes – a single compromised credential should never be enough to drain funds.
- Enhance Employee Security Training and Vetting: Given the prevalence of social engineering, invest in continuous security awareness training, especially for employees with access to keys or sensitive systems. Simulate phishing attacks (including sophisticated LinkedIn-style approaches) to test readiness. Perform background checks and monitor for any suspicious employee behavior. Encourage a culture where any anomalous request (like an urgent transfer or unusual “test”) is verified out-of-band. Remember that attackers may target not just the exchange, but any connected third-party vendor or contractor, so extend these practices to key partners.
- Monitor for Anomalies and Act Swiftly: Deploy real-time monitoring and anomaly detection on transactions and system access. Large exchanges now use tools to track on-chain movements from their wallets – unusual outflows should trigger immediate alarms (as Phemex did in Jan 2025 when noticing $29M in suspicious withdrawals). Similarly, monitor API usage patterns and login locations. Have an incident response plan ready, including procedures to pause withdrawals across the platform at the first sign of a breach to limit damage.
- Audit Third-Party Dependencies: Conduct thorough due diligence on any third-party tech integrations (custody providers, cloud services, trading APIs). Limit the permissions given to external platforms – for example, prefer custody solutions that allow you to retain final approval on transactions, and restrict API keys used by third-party apps (or avoid them for high-value accounts). Regularly review and update API keys; encourage users to prune unused integrations. In procurement and vendor management, treat crypto tech vendors like critical suppliers that must meet your security requirements contractually.
- Prepare for Regulatory Scrutiny: As regulators tighten rules, ensure your crypto exchange partners are compliant with emerging security regulations. This might include verifying that an exchange maintains sufficient insurance or capital reserves for loss events, performs regular penetration tests, and adheres to standards like ISO 27001 or SOC 2 for security. When onboarding any exchange service, ask for their security audits and incident history. Be prepared for regulators to ask how your institution is mitigating crypto-related risks; documented due diligence and ongoing monitoring of exchange counterparty risk will be key.
- Incident Response and Customer Communication: If a breach does occur, follow a transparent and customer-centric approach. Promptly inform affected users and work with law enforcement and blockchain analytics firms to trace stolen funds. Having a clear policy (and possibly a fund) for reimbursing customers can save reputational damage. From a compliance perspective, treat a crypto hack like a traditional data breach with notifications, forensic investigation, and a post-mortem that drives improvements. Moreover, share threat intelligence with the wider industry; collaboration can prevent the same attack techniques from hitting others.
In conclusion, the spate of crypto exchange hacks in the last 2–3 years underscores that technical exploits often succeed due to lapses in basic security principles, whether human oversight, inadequate access controls, or unpatched systems. Large financial institutions must approach crypto ventures with the same rigor as other high-risk operations, accounting for the unique threats outlined here. By learning from these incidents and implementing layered defenses and oversight, the industry can significantly reduce the risk of cryptocurrency losses and bolster trust in centralized exchanges as gateways to the digital asset market.