Bitcoin hacks and fraud: Mt. Gox, exchange failures and scams
On this page
- Has the Bitcoin protocol itself ever been hacked?
- Where do the biggest Bitcoin hacks happen?
- What were the big Bitcoin collapses and frauds?
- Notable Bitcoin hacks and frauds at a glance
- Which Bitcoin scams target ordinary people?
- How do you protect yourself from Bitcoin hacks and scams?
- Frequently asked questions
Read the headlines and you would think Bitcoin gets hacked every other week. It does not. In more than fifteen years the Bitcoin protocol itself has never been broken: no attacker has ever forged a coin or reversed a confirmed transaction. Almost everything filed under Bitcoin hacks is really something else, a breached exchange, a collapsed lender or an outright scam aimed at one person at a time. Telling the protocol apart from the people around it is the point of this guide, because that distinction decides where your money is genuinely at risk.
The pattern repeats across every case below. The cryptography holds. The failures are human: greedy custodians, careless security, and victims talked into handing over their keys. Every major incident, with the amounts, dates and how each one ended, is catalogued in our complete crypto hack and collapse database.
Has the Bitcoin protocol itself ever been hacked?
No. Since the first block in 2009, no one has counterfeited bitcoin or spent coins they did not hold by breaking the network's cryptography. Every famous loss traces back to a company or a person, not the protocol. Where you store your bitcoin matters far more than the code that runs it.
The confusion is understandable. When an exchange loses half a billion dollars, "Bitcoin" is in the headline, so the network takes the blame for a company's bad security. Yet the blockchain kept producing blocks throughout every episode below, exactly as designed. What gets attacked is the soft tissue around Bitcoin: the exchanges that pool millions of customers' coins in one place, the custodians who promise a yield they cannot safely earn, and the individuals who can be tricked into revealing a private key. Owning bitcoin means owning the key that controls it, which is why control of that key, covered in our guide to Bitcoin wallets, is the thing worth protecting. None of this makes Bitcoin uniquely dangerous. It makes it a neutral tool, a theme explored further in Bitcoin and crime: the same property that lets you hold money no bank can freeze also means a stolen key is stolen money.
Where do the biggest Bitcoin hacks happen?
On exchanges. A busy exchange holds a vast pool of customer bitcoin behind a single set of systems, which makes it the most rewarding target in the industry. The three landmark thefts, Mt. Gox, Bitfinex and Binance, were all breaches of a company's infrastructure, not of the Bitcoin network itself.
Mt. Gox (2014) remains the largest exchange failure in Bitcoin's history. The Tokyo platform once handled the majority of the world's bitcoin trades, having started life, improbably, as a site for swapping Magic: The Gathering cards. From around 2011 attackers exploited a flaw in how it processed withdrawals, quietly draining coins until roughly 850,000 bitcoin were gone, worth about $450 million at the time. The exchange froze withdrawals in February 2014 and filed for bankruptcy weeks later. Around 200,000 of the coins were later recovered, and creditors only began receiving repayments in 2024, a decade on. The lesson landed hard: coins on an exchange are an IOU, not bitcoin in your possession.
Bitfinex (2016) lost 119,754 bitcoin, then worth about $72 million, when attackers defeated the exchange's multi-signature withdrawal setup. Rather than fold, Bitfinex spread the loss across all customers with a roughly 36% haircut and issued a token it later bought back in full, so users were eventually made whole. The story took a strange turn in 2022, when US authorities arrested Ilya Lichtenstein and Heather Morgan, seizing more than 94,000 of the stolen bitcoin in what was then the largest financial seizure the department had ever made. Both later pleaded guilty.
Binance (2019) lost 7,074 bitcoin, about $40 million, in a single sophisticated breach of its hot wallet. I was working at Binance at the time and remember the morning it broke: an unusual withdrawal spotted on the public blockchain before the company had said a word. Binance covered every affected customer in full from an insurance fund it had built for exactly this, and the market barely flinched. That is the shape of a maturing industry, where hacks shrink and the better-run custodians absorb the damage themselves.
What were the big Bitcoin collapses and frauds?
The most spectacular losses were not hacks at all but frauds, where the people running a business lied about what they were doing with customer money. FTX, Celsius, BitConnect, OneCoin and QuadrigaCX between them vaporised tens of billions of dollars, and every one was a failure of human honesty rather than of Bitcoin.
FTX (2022) is the largest fraud the industry has produced. The exchange grew explosively under Sam Bankman-Fried, but its sister trading firm, Alameda Research, was secretly propped up with billions of dollars of FTX customer deposits to cover its own losing bets. When a leaked balance sheet and a public falling-out with Binance triggered a bank run in November 2022, the hole could not be filled, and FTX filed for bankruptcy within days. Bankman-Fried was convicted of fraud and, in 2024, sentenced to 25 years in federal prison. I had money stranded on FTX when it froze withdrawals, and I still have the failed withdrawal confirmation sitting in my inbox. How this fraud measures up against the great 2014 theft, and why the two repayments turned out so differently, gets a full side-by-side in FTX vs Mt. Gox compared.
FTX did not fall in isolation. Months earlier, the Terra/Luna system, which had promised an unsustainable 20% yield, collapsed in May 2022 and wiped out tens of billions of dollars almost overnight. The shockwave took down the hedge fund Three Arrows Capital and the lender Celsius, which had offered high returns it could not safely fund. Celsius froze customer withdrawals in June 2022, filed for bankruptcy, and its founder was later convicted of fraud. This was contagion: one over-leveraged firm dragging down the next.
BitConnect was a pure Ponzi scheme dressed up as a lending platform, promising returns as high as 40% a month from a trading bot that did not exist. It collapsed in January 2018; prosecutors later valued the fraud at around $2.4 billion, and its founder remains a fugitive. OneCoin was cruder still, a token that never ran on any blockchain at all, fronted by Ruja Ignatova, who vanished in 2017 and is still missing along with an estimated $4 billion or more of investors' money.
QuadrigaCX is the strangest case. The Canadian exchange's founder, Gerald Cotten, died suddenly in 2018 as the supposed sole holder of the keys to roughly $190 million of customer crypto, putting the funds permanently out of reach. Regulators later concluded the exchange had been run as a fraud and a Ponzi scheme all along. Whether the coins were lost with Cotten or long gone before, the result for customers was the same.
Notable Bitcoin hacks and frauds at a glance
The same handful of lessons, drawn from the costliest episodes.
| Year | Entity | What happened | Lesson |
|---|---|---|---|
| 2014 | Mt. Gox | Roughly 850,000 bitcoin drained from a leading exchange over years | Coins on an exchange are an IOU, not yours |
| 2016 | Bitfinex | 119,754 bitcoin stolen via a flawed multi-sig setup | Good tools still fail if set up badly; most coins were seized years later |
| 2018 | BitConnect | A roughly $2.4bn Ponzi built on a fictional trading bot | "Guaranteed" high returns are the oldest scam there is |
| 2019 | Binance | 7,074 bitcoin taken in a hot-wallet breach | A well-run custodian insures customers against its own failures |
| 2019 | QuadrigaCX | About $190m locked away, then declared a fraud | One person holding all the keys is a single point of failure |
| 2022 | Terra/Luna | Tens of billions erased when a 20% "yield" imploded | Unsustainable yield is a warning, not an opportunity |
| 2022 | Celsius | Lender froze withdrawals, then went bankrupt | "Earn" products lend your coins out at hidden risk |
| 2022 | FTX | Around $8bn of customer funds funnelled to a sister firm | Not your keys, not your coins |
Which Bitcoin scams target ordinary people?
The scams aimed at individuals are lower-tech but far more common than any exchange hack. Almost all share one goal: to get you to reveal your seed phrase or send bitcoin to an address you do not control. Phishing, fake giveaways, romance cons, fake support and address poisoning are the ones worth knowing by name.
- Phishing. A fake wallet or exchange site, often reached through a convincing email or advert, asks you to "verify" your seed phrase or log in. Hand over those twelve words and your coins are gone in seconds. No legitimate service ever needs your seed phrase; the UK's National Cyber Security Centre explains how to spot and report phishing.
- Fake giveaways. "Send one bitcoin, receive two back," posted from a hacked celebrity or brand account. In the 2020 Twitter breach, attackers hijacked accounts including Barack Obama's and Apple's and collected around $120,000 before the tweets were pulled. If it sounds like free money, it is bait.
- Romance and "pig butchering". A stranger builds a relationship over weeks or months, then introduces a can't-lose crypto investment on a slick but fake platform. The balance appears to grow until you try to withdraw. These long cons are now among the costliest cryptocurrency scams the FTC tracks.
- Fake support. Someone posing as an exchange or wallet "support agent", often appearing in your social media replies within minutes of a public complaint, walks you to a phishing page or asks for remote access to your device. Real support never messages you first.
- Address poisoning. The attacker sends a tiny transaction from an address whose first and last characters match one you have used, so it lands in your history. Later you copy the wrong address from that history and pay the thief instead. Malware that silently swaps a copied address for the attacker's works the same way, which is why you check the full address on your wallet's own screen, not just the ends.
How do you protect yourself from Bitcoin hacks and scams?
Hold your own keys, and slow down before every transaction. Most losses come from trusting a custodian that fails, or acting in a hurry when someone manufactures urgency. Move savings off exchanges into a wallet you control, back up your seed phrase offline, and treat any unexpected message about your bitcoin as hostile until proven otherwise.
Self-custody is the single biggest step. An exchange is a fine place to buy and sell bitcoin, but a poor place to store savings, because you are trusting a company not to be hacked, frozen or run as a fraud. For anything you would mind losing, withdraw to a wallet whose keys you hold, ideally a hardware wallet, and record the seed phrase offline on paper or steel rather than in a photo or a cloud note. Larger holdings justify a multi-signature setup, where several keys kept in separate places are needed to spend, so no single stolen key or coerced signature can move the funds.
Then build a few habits that cost seconds and save fortunes:
- Verify the full address on your wallet's own screen before sending, every time, never just the first and last characters.
- Never type or photograph your seed phrase, and never enter it into a website. It exists to restore your wallet, nothing else.
- Treat urgency as a red flag. "Act now", "verify immediately" and limited-time offers are pressure tactics; a genuine problem waits for you to check.
- Assume unsolicited contact is a scam. Support agents, giveaways and investment tips that arrive uninvited are almost always bait.
- Keep wallet software updated, and buy hardware wallets new and direct from the manufacturer.
None of this requires expertise, only the discipline to slow down. The rest of our Bitcoin guide series covers the tools in more depth, but the mindset is simple: verify before you trust, and hold your own keys.
Frequently asked questions
Has Bitcoin itself ever been hacked?
No. The Bitcoin network has run since 2009 without anyone forging coins or reversing a confirmed transaction by breaking its cryptography. The thefts you read about hit exchanges, lenders and individuals, not the protocol. That is exactly why self-custody, rather than trusting a third party, is the core security advice.
What is the biggest Bitcoin hack ever?
By coins stolen, Mt. Gox in 2014 remains the largest, with roughly 850,000 bitcoin drained from the exchange over several years. By dollars lost, the 2022 FTX collapse was bigger still, though that was fraud rather than a hack: customer funds were secretly diverted, not stolen by an outside attacker breaking in.
How can I tell a Bitcoin scam from a real opportunity?
Watch for guaranteed or unusually high returns, pressure to act quickly, and anyone asking for your seed phrase or a payment up front. Legitimate services never need your recovery words. If an offer arrives uninvited, or sounds like free money, treat it as a scam until proven otherwise.
Can stolen bitcoin be recovered?
Sometimes, but rarely by the victim. Because the blockchain is public, investigators can trace stolen coins, and authorities eventually recovered much of the Bitfinex and Mt. Gox losses. For an individual scammed out of a seed phrase, though, transactions are final and there is usually no way to claw the money back.
Is it safer to keep bitcoin on an exchange or in my own wallet?
For savings, your own wallet is safer. An exchange balance depends on that company staying solvent, honest and unhacked, as Mt. Gox, Celsius and FTX customers learned the hard way. Keep only what you are actively trading on an exchange, and move the rest into self-custody.