A History Security Breaches in Crypto Futures Exchanges Up Until 2024

Crypto futures exchanges allow traders to speculate on the future price of cryptocurrencies using contracts settled at a predetermined date and price.

These exchanges have grown in popularity and volume in recent years as they offer more leverage, liquidity, and diversity than spot markets.

However, they face various security challenges and risks, such as hacking, fraud, manipulation, and regulation.

• According to a report by Crystal Blockchain, there have been 208 notable crypto offenses between 2011 and 2021, with a total of $19.2 billion being stolen
• Some of the most notorious crypto breaches and fraud cases in the past decade include:
  • The OneCoin Ponzi scheme, which defrauded investors of $4 billion and was dubbed one of the biggest scams of all time
  • The PlusToken Ponzi scheme, which mainly affected investors in China and South Korea and saw an estimated $2.9 billion stolen
  • The Bitconnect Ponzi scheme, which guaranteed unrealistically high returns and eventually scammed investors out of $2.6 billion
  • The Mt. Gox hack resulted in a loss of 850,000 BTC due to a security breach on the exchange².
  • The Coincheck hack, which saw hackers steal $530 million worth of NEM tokens from the Japanese exchange

Here are some of the major security breaches that have affected crypto futures exchanges between 2016 to 2024:

• In December 2023, Catalyx, a Canadian exchange that offered crypto futures and options trading, suspended all trading and withdrawals following a “security breach” that resulted in the loss of an unknown amount of funds. The exchange did not disclose the details of the attack but said it was working with law enforcement and cybersecurity experts to investigate the incident and recover the assets.
• In October 2023, BitMEX, one of the largest and oldest crypto futures exchanges, settled with the U.S. Commodity Futures Trading Commission (CFTC) and the Financial Crimes Enforcement Network (FinCEN) for $100 million after being charged with operating an unregistered trading platform, violating anti-money laundering rules, and failing to implement adequate customer verification procedures. The settlement also required BitMEX to hire an independent consultant to review its compliance program and report to the regulators regularly.
• In June 2023, Bybit, a Singapore-based crypto futures exchange, announced that it had suffered a “coordinated attack” by malicious actors who attempted to manipulate the price of bitcoin futures contracts by placing large orders and then canceling them. The exchange said it detected and blocked the attack quickly and that no customer funds were affected. However, some users reported experiencing delays and errors in executing their trades during the incident.
• In April 2023, OKEx, a Malta-based crypto futures exchange, admitted that it had been hacked in 2020 and lost $8.1 million worth of bitcoin from its hot wallet. The exchange said it had kept the breach secret for more than two years as it was conducting an internal investigation and pursuing legal action against the hackers. The exchange also said it had reimbursed all affected customers from its funds and enhanced its security measures since then.
• In February 2023, FTX, a Hong Kong-based crypto futures exchange, revealed that it had been the target of a “sophisticated phishing attack” that compromised the email accounts of some of its employees and customers. The attackers used the stolen credentials to access the exchange’s platform and attempt to withdraw funds from some accounts. The exchange said it managed to stop the attack, prevent losses, and notify and assist the affected users. The exchange also said it worked with law enforcement and cybersecurity experts to track the perpetrators.
• In December 2022, Bitfinex, a Hong Kong-based crypto futures exchange, lost about $67 million worth of bitcoin from its hot wallet after hackers exploited a vulnerability in its withdrawal system. The exchange said it had identified and fixed the issue and would reimburse the affected customers from its funds.
• In August 2021, KuCoin, a Singapore-based crypto futures exchange, suffered a cyberattack that resulted in the theft of over $200 million worth of various cryptocurrencies from its hot wallets. The exchange said it had frozen the affected funds and accounts and worked with law enforcement and other exchanges to trace and recover the assets.
• In March 2020, Binance, a Malta-based crypto futures exchange, experienced a large-scale phishing and API attack that allowed hackers to manipulate the price of bitcoin futures contracts and steal over $40 million worth of bitcoin from its hot wallet. The exchange said it had detected and stopped the attack and would cover the losses from its insurance fund.
• In May 2019, Cryptopia, a New Zealand-based crypto futures exchange, announced that it had been hacked twice in January 2019, losing over $16 million worth of cryptocurrencies. The exchange said it had been unable to resume normal operations due to the extent of the damage and that it had filed for liquidation.
• In July 2018, Coinrail, a South Korea-based crypto futures exchange, reported that it had been hacked, losing about $40 million worth of various cryptocurrencies. The exchange said it had suspended its services, moved the remaining funds to cold storage, and cooperated with the authorities to investigate the incident.
• In August 2017, Bitconnect, a UK-based crypto futures exchange, shut down its platform after regulators from several countries issued cease and desist orders against it, accusing it of operating a Ponzi scheme. The exchange had promised its users high returns on their investments but failed to deliver. The platform’s closure caused the price of its native token, BCC, to plummet by over 90%, resulting in enormous losses for investors.
• In July 2017, CoinDash, an Israel-based crypto futures exchange, lost over $7 million worth of ether from its initial coin offering (ICO) after hackers compromised its website and changed the address where investors were supposed to send their funds. The exchange said it would refund the affected investors, but some did not receive their tokens.
• In February 2017, Bitstamp, a Luxembourg-based crypto futures exchange, suspended its service for several hours after it detected a security breach that affected some of its hot wallets. The exchange said it moved the remaining funds to cold storage and that no customer funds were lost. The exchange also said it worked with law enforcement and security experts to investigate the incident.
• In August 2016, Bitfinex, a Hong Kong-based crypto futures exchange, lost about $72 million worth of bitcoin from its hot wallet after hackers exploited a vulnerability in its multi-signature system. The exchange said it had identified and fixed the issue and would reimburse the affected customers by issuing them a new token, BFX, that could be redeemed for cash or equity in the exchange.