On September 25, 2020, KuCoin, a Singapore-based cryptocurrency exchange, suffered one of the largest breaches in crypto history, with hackers pilfering over $280 million across 230 cryptocurrencies from its hot wallets. The heist, detected at 19:05 UTC via large unauthorized withdrawals, included 1008 BTC ($10.7 million), 11484 ETH ($4 million), 19834042 USDT-ETH ($19.8 million), 18495798 XRP ($4.2 million), 26733 LTC ($1.2 million), 999160 USDT, $147 million in ERC-20 tokens, and $87 million in Stellar, per CoinDesk and Chainalysis. Attributed to North Korea’s Lazarus Group by Chainalysis, the attack exploited leaked hot wallet private keys, possibly via a social engineering campaign targeting employees, as noted by Hacken. KuCoin, handling $112 million daily volume per CoinMarketCap, froze services, transferred remaining funds to new wallets, and recovered 84% ($239.45 million) by November through on-chain tracking, contract upgrades, and law enforcement, covering the $45.55 million shortfall with insurance, per CEO Johnny Lyu’s letter on CryptoPotato.
Hackers laundered funds through decentralized exchanges like Uniswap, swapping 12552.96 LINK for 360.60 ETH without KYC, and mixing services like Chipmixer, per Chainalysis. Tether froze $33 million USDT, and projects like Ocean Protocol executed token swaps, securing $5 million in NOIA, per KuCoin’s updates. Twitter erupted, with @CryptoQuant flagging the outflow spike, while Reddit’s u/AltCoinFanatic praised KuCoin’s transparency but criticized its three-year-old key pairs. No arrests were reported in 2020’s regulatory haze, but KuCoin’s swift recovery, resuming services by November 22, set a benchmark. The hack, the third-largest after Coincheck and Mt. Gox per CDOTrends, underscored hot wallet risks, prompting calls for Shamir’s Secret Sharing, SOC-2 audits, and limiting hot wallet storage to 5% of assets to fortify crypto security.