October 15, 2024
Security News

FixedFloat DEX Offline After Massive Crypto Hack

FixedFloat, a Lightning Network-powered decentralized exchange, announced last week that it was the victim of an exploit that led to the theft of US$26 million worth of Ether and BTC. Sleuths on X, pointed to 1700ETH and 400BTC that appears to have been drained – and identified the following wallet as the destination. https://www.blockchain.com/explorer/addresses/eth/0x85c4fF99bF0eCb24e02921b0D4b5d336523Fa085

The Fixedfloat team responded to the speculation on X, posting — “We confirm that there was indeed a hack and theft of funds. We are not yet ready to make public comments on this matter, as we are working to eliminate all possible vulnerabilities, improve security, and investigate. Our service will be available again soon.” At this stage, it is unclear whose funds were stolen or how the breach occurred. Visiting the Fixedfloat website yields an error message on every page. 

In a decentralized exchange, funds are typically not held by the exchange itself. Instead, transactions are executed directly between users’ wallets through smart contracts. These smart contracts automate the exchange process, ensuring that all conditions of the trade are met before the transaction is finalized. This mechanism is supposed to reduce the risk of theft or loss of funds due to exchange hacks, so the idea that $26 million was available to be hacked from FixedFloat is already generating online skepticism.

Indeed, some X users are already pointing to a potential developer rug pull as a more likely scenario. Although FixedFloat says it will be returning soon, most observers think that an unlikely scenario given its loss of $26 million of its users’ funds. 

Crypto Exchange Failures – A Historical Perspective

Crypto exchanges are harder to run than they look. This feature looks at notable exchange failures of the last 14 years and the escalating ecosystem damage caused by hackers and crooked founders. How many bitcoin exchanges are there in total? Brave New Coin currently tracks over 240, but coming up with a definitive list is nearly impossible as they appear and disappear on a regular basis.

Unfortunately, crypto exchange failures or hacks often generate a perception that there was something wrong with the coins that got hacked. Typically, though, it is not a cryptocurrency that failed or a bitcoin failure, but instead it is basic mismanagement, outright founder criminality and/or mass government shutdown orders that are to blame.

According to Darwinist theory, failed crypto exchanges should result in the quality of the products and services of the exchanges that remain being higher than it would have been if these poorly managed exchanges had survived. As VC Marc Andresen said in a tweet soon after the legendary MtGox failure: “MtGox had to die for Bitcoin to thrive. Its former role from early Bitcoin days has been supplanted by better, stronger entities.”

The theory goes that markets mature and get stronger through a process similar to natural selection, where bad or “unfit” services are bankrupted in one way or another, getting out of the way to make room for the good, or “fittest” services to thrive. If the theory is sound, then this long list of failed crypto exchanges should mean that the exchange sector is healthier than it has ever been – but the fact that so many exchanges continued to sink in 2024 along with all their depositor’s funds, is not reassuring. So as we always say, be sure to do your due diligence on any exchange you’re thinking about trading with.

14 Years of Failed Crypto Exchanges

Dasset – New Zealand based exchange Dasset went into voluntary liquidation on the 15th of August 2023. Dasset founder Stephen Macaskill told liquidators Grant Thornton that a significant reduction in asset values and trading levels impacted its ability to trade profitably. Although Macaskill initially cooperated with liquidators, Grant Thornton advised investors on August 28th that Macaskill was no longer returning calls. At the same time the NZ Herald reported that the Serious Fraud Squad was investigating events at Dasset.

BlockFi – filed for bankruptcy on November the 28th, 2022. Although it attributed its exposure to the FTX collapse and substantial losses from loans as the primary reason for its failure, the company had been in trouble with the SEC for selling unregistered securities – and had been forced to pay a $100 million settle early in 2022. BlockFi’s bankruptcy proceedings are proceeding.

FTX – one of the largest crypto trading platforms, declared insolvency on November 11, 2022, and failed to fulfill withdrawal demands, leading to filing for Chapter 11 bankruptcy in the US. FTX apparently funneled customers’ funds to Alameda Research for risky trades and lost a significant amount. It also used some of these funds to purchase relatively illiquid assets. Bankruptcy filings revealed that FTX owes over $9 billion to more than 1 million creditors. FTX’s SEO Sam Bankman-Fried has been charged with multiple counts of fraud and is scheduled to stand trial in New York on October 3rd 2023. FTX’s bankruptcy proceedings are proceeding.

Celsius – In mid-July 2022, prominent crypto lending and exchange platform Celsius filed for bankruptcy. The platform had consistently offered some of the highest deposit rates for crypto assets, but had been suffering from insolvency issues for several months. About a year after its bankruptcy filing, the SEC charged Celsius founder Alex Mashinsky with securities fraud. Celsisus’ bankruptcy proceedings are proceeding.

Thodex – In mid-April 2021, major Turkish cryptocurrency exchange Thodex went offline and its CEO Faruk Fatih Ozer was reported missing. At the time Turkish authorities tracked him to Albania. The exchange is closed with some estimates as high as $2 billion in cryptocurrency missing. Ozer announced his innocence over Instagram on April 22nd saying that what looked to the trained eye like a classic exit scam, was actually a political hit job and smear campaign and that he would be returning to Turkey soon to put things right. He did not return, however. In August 2022 Ozer was arrested in Albania following an Interpol red notice against him and in April 2023 he was extradited to Turkey and detained on seven charges, including fraud and money laundering. Turkish authorities have previously stated they had evidence of crypto-asset movements from Thodex wallets to bank accounts controlled by the Ozer family. On September 8th 2023 a court in Istanbul sentenced Ozer, his sister Serap Ozer and his brother Guven Ozer to 11,196 years, 10 months and 15 days in prison each for their crimes. This is one of the longest prison sentences ever given in Turkey or anywhere else in the world. The court also ordered the confiscation of all the assets belonging to the defendants and their relatives.

Africrypt – In April 2021, Africrypt founders 21 year-old Raees Bilal Cajee and his 18-year old brother Ameer Bilal Cajee disappeared with what’s thought to be $3.6 billion in crypto. The brothers had marketed Africrypt as an “Artificial intelligence-driven trading platform”, where AI super robots traded client’s funds automatically for supposedly high profits. In reality, the operation was a classic ponzi scheme with new investor’s money paying off initial investors. The Cajee brothers fled the country in late April for destinations unknown. In a surprise move, Raees Cajee contacted the Wall Street Journal in late June, to argue that the value of stolen assets was overblown and only around $5 million was missing. He also promised to return to South Africa for a court hearing scheduled for July 19th 2021.

Local media firm IOL has reported that an affidavit has appeared, signed by Raees Cajee on July 19th, 2021. Raees explains in the affidavit that he and his brother had been forced to flee South Africa because of death threats. He also stated in the affidavit that he would keep his whereabouts confidential. “We have had our location tracked, our mobile numbers hacked, and my father was, also, at one stage kidnapped.” He says that they were in hiding in Dubai when he was met with threats to his family in Dubai and his extended family in South Africa. “This appeared to me to be a case of individuals having been contracted in Dubai by disgruntled investors who, no doubt, intended to intimidate and harass us into making unlawful payments,” Cajee said.

It is reported that Cajee’s affidavit bears the stamp of the South African High Commission in Dar Es Salaam, Tanzania, and is dated July 19, 2021. A group of aggrieved Africrypt investors remains committed to pushing for the brothers to faccriminal charges. Sean Peirce, of Durban-based Coast to Coast Special Investigations, who is representing some individuals who lost funds during the scandal says a warrant for their arrest may be made by authorities. He says private prosecution will be pursued otherwise.

Pierce represents about 35 traders and says that his group has evidence that there was no hack of Africrypt. He says it can be proven that the intent of the incident was to defraud and steal.

The legal team of the Africypt team, however, believes that many of the investors may face issues with presenting their charges. They say some of the aggrieved investors signed agreements to transfer their claims to a Dubai-based entity called Pennython Project Management, which offered payouts to investors who lost funds during the incident.

Pennython has apparently paid out some of the investors a portion of the funds lost. The group has publicly said it will payout 70% of the lost crypto in Rand to burned investors and appears to have fulfilled a part of this commitment. They say they are doing this because they are interested in the proprietary software belonging to Africrypt. Pennython’s role in the debacle is dubious and with the Cajees still at large, there is speculation that Pennython is connected to the brothers.

Coinbene – The controversial Singapore-based exchange appears to have closed its doors for good. six months ago, an announcement was sent to users which explained that ‘Due to the maintenance of CoinBene global server, there is a problem of unable to log in on the www.coinbene.com page. We are very sorry about this.’ Apparently the maintenance issue was so large that users were invited to withdraw their assets. Users could submit claims after submitting personal information via a survey hosted on a 3rd party site. There were two 4-hour windows when employees could withdraw funds, however, these were closed on November 30th. Coinbene is noted for the enormous volumes it reported when it ran trade mining programs in 2019 and for a seemingly suspicious US$105 million hack the same year. Coinbene was listed as an exchange faking considerable volume in the Bitwise Asset Management: Presentation to the U.S. Securities and Exchange Commission.

SaBi – Nigerian exchange SaBi, which was notable for being one of the first exchanges in the crypto mad country to list DeFi tokens, is no longer accessible. Trying to access the SaBi website now (sabiii.com) brings up an ‘Error code 1020’ message. A message on the error page reads “The site owner may have set restrictions that prevent you from accessing the site. Contact the site owner for access or try loading the page again.”

MyCryptowallet – Liquidators have been brought in to wind up Australian exchange MyCryptowallet. The exchange was established in 2017 and had 20,000 users. In December, angry users of the platform began to complain that they could not access funds and reported large losses on social media. MyCryptowallet’s issues appear to have been driven by the collapse of technology partner Blockchain Global. What has particularly infuriated investors is that the collapseoccurred just after the price of Bitcoin and other cryptos hit all-time highs.

Polonidex – The decentralized branch of popular CEX Poloniex was officially decommissioned on December 31st 2021. A message on the website explains that the decision was made because of ‘changes in business strategy’. Following the decommissioning date, users could no longer login, post orders, or cancel orders. Polonidex was previously known as TRXMarket and was an exchange that ran on the Tron network and was for some time the main exchange of the blockchain. It has since been replaced by platforms like Sunswap.

Braziliex – In May 2021, Brazilian cryptocurrency exchange Braziliex announced that it would be closing its services after four years of operation. The exchange explained that the decision to close was made due to an environment of greater competitiveness and lack of regulation. “We believe that the risk of operating in this environment becomes even greater in view of the entry of new competitors, as well as the existing uncertainties due to the lack of regulation”, the exchange wrote. The closing of activities was initiated on June 25th of 2021 and this was the last day that users were able to withdraw or deposit on the platform.

Livecoin – Russian based exchange Livecoin announced on January 16th 2021 that it would be closing as it could not recover from a cyber attack that occurred on December 23rd. During the attack, hackers gained control of Livecoin’s infrastructure and modified exchange rates to temporarily inflate prices to unreasonable levels. Once the exchange rates were artificially modified the hackers began cashing out the accounts for easy profits. In a post on Livecoin’s main page, the exchange said it lost control of its “servers, backend and nodes.” Exchange customers will have until March 17th 2021 to claim refunds.

Negocie Coins – As of December 2020, Negocie Coins, a Brazilian exchange that was an onramp for Brazilian Real to crypto trading is no longer accessible to users. The firm’s operators, investment firm Bitcoin Brazil, have been served with multiple lawsuits from clients across Brazil who claim that they have been unable to withdraw funds deposited to the group’s platforms.

CryTrEx – The Italian exchange announced in September 2020 it would be closing. The operators said “After more than 3 years of service, crytrex.com has been closed for bankruptcy, due to the continuous attempts of hacks and hacks that have damaged the financial statements of several users. This had a negative impact on resource management and it was not possible to continue with our service.” Crytrex was an entry level exchange that accepted deposits via credit cards.

NLexch – Netherlands based NLexch also announced its closure in September 2020 because of costly new regulations. In a statement the exchange said; “De Nederlandsche Bank demanded that every cryptocurrency business should register with them. The registration is deemed to be mandatory, and businesses that failed to comply will be forced to close down operations in the country, the fees charged in the whole process are very expensive. The cost of providing the required level of security, support and technology is not economically feasible on our own.”

Tradesatoshi – UK based platform Tradesatoshi announced in late February 2020 that it would no longer be accepting deposits and that traders must withdraw their funds by March 1st, 2020. It explained in a post that the exchange had reached a point of operation where it was “no longer economically feasible to continue to provide the required level of security, support, and technology.” In order to withdraw funds from the platform, users had to go through an additional set of AML/KYC requirements.

FCoin – Chinese exchange and trade mining adopter FCoin closed for trading in February 2020 revealing a shortage of up to USD130 million of crypto assets. The exchange explained that it had fallen short of paying its liabilities and that issues arose on the exchange because of internal system errors, not a hack or exit scam. The exchange is not currently operational and founder Zhang Jian explained in a recent Reddit post that the company is in the process of attempting to compensate users for lost funds.

Coinnest – The South Korean exchange terminated services in April 2019 after announcing on its website that it had struggled to cope with changes in the cryptocurrency and blockchain industry. In April 2018 the CEO of the exchange and another executive were detained in connection with the alleged embezzlement of assets after apparently stealing customer funds. The platform also reportedly lost $5 million in Bitcoin (BTC) and other cryptocurrencies after making a mistaken airdrop in January 2019.

Cryptopia – In January 2019 the New Zealand based exchange suffered two hacks over two weeks. On January 15th, 2019 the Cryptopia Twitter account announced that the trading platform had suffered a major security breach resulting in “significant losses.” Trading services were suspended and a police investigation was launched. This led to a lockdown and a physical investigation of the company’s headquarters the following day. The hack saw over 70,000 wallets compromised and over US$23 million in Ethereum (ETH) and ERC-20 tokens stolen. A second hack occurred on January 28th, where an additional US$284,000 from 17,000 wallets was captured. In May 2019 it was announced that the Christchurch based exchange had gone into liquidation. An investigative report by a local media outlet Stuff suggested that there were personal conflicts and tensions between the Cryptopia founding members and executive teams. To date, no one has been charged over the theft. The exchange is currently in liquidation with the process of reconciling lost assets assigned to Grant Thornton. However, in August 2020, disgruntled victims of the failed exchange hired New Zealand law firm Chapman Tripp to take on exchange liquidators Grant Thornton for what they say has been a failure by Grant Thornton to comply with its duties as a liquidator under the New Zealand Companies Act.

Most of QuadrigaCX’s cold wallets were emptied eight months before its founder’s mysterious death.

QuadrigaCX – one of crypto’s most unusual heists. Following the mysterious death of its founder Gerald Cotten in December 2018, the Canadian exchange explained that it could no longer gain access to any of the cold wallets where customer funds were allegedly stored. As investigators began looking into QuadrigaCX’s finances, six cold wallets were identified as belonging to QuadrigaCX. But it was later revealed that five of them had been emptied around April 2018. Recent investigations have stated that a large portion of QuadrigaCX’s losses occurred because of Cotten’s “fraudulent conduct” and that the exchange was run like a Ponzi scheme with Cotten using other client deposits when faced with shortfalls in assets to satisfy client withdrawals. Recent figures from the Ontario Securities Commission suggest the exchange owes over 76,000 clients a combined $215 million in assets and Ernst and Young, the bankruptcy trustee, has so far been able to recover or identify just $46 million in assets to pay out to clients.

Zaif – Japanese exchange Zaif , was hacked for ~USD60 million worth of crypto in September 2018. It first reported an unusual outflowing of funds on the platform on September 14. Following investigations, Zaif’s parent company The Tech Bureau explained that hackers had gained unauthorized access to the exchange’s hot wallets and stolen around $60 million in bitcoin, bitcoin cash, and MonaCoin. The exchange reopened seven months later in April 2019.

Coinrail – The South Korean exchange lost ~USD 40 million worth of ETH and other ERC20 tokens in June 2018 The exchange suspended services after it suffered what was self-described to be a “cyber intrusion,” It was later discovered that some of the stolen tokens were being sold on the IDEX and Ethedelta decentralized exchanges

Coinsecure – In April 2018, the ironically named ‘Coinsecure’ was hacked for 438 BTC worth ~USD3.5 million. Located in India, the hack is believed to have been an inside job with the exchange’s CSO Amitabh Saxena implicated in investigations. The exchange is not currently operational.

Bitgrail – 170 million USD worth of Nano was stolen from Italian exchange Bitgrail in February 2018 and bankruptcy followed soon after. Founder Francesco Firano has been sentenced by Italian courts to return as much of the assets to his customers as possible in January 2019. In the same sentence, it was declared that millions of dollars in cryptocurrency assets were seized from Bitgrail’s exchange accounts and had been moved to accounts managed by trustees appointed by the Court.

Coincheck – In January 2018 Japanese exchange Coincheck was hacked for ~523 million NEM valued at USD533 million at the time. Hackers initially managed to spread a virus through email that then allowed them to steal private keys. The NEM was stored in a single hot wallet and did not use the NEM multisig contract security recommended by the developers. Months later it had been suggested that most of the funds had sold on the darkweb. After being purchased by the Monex group in April 2018, Coincheck reopened in November 2018.

Youbit – A South Korean exchange, YouBit was hacked in December 2017 for an unknown amount but stated to be 17% of the exchange’s asset reserve. The exchange said hackers broke into its hot wallet but that its cold wallet remained intact. Soon after it announced bankruptcy. South Korea’s Internet and Security Agency (Kisa) began a probe into how the hackers gained access to Youbit’s systems. The security agency blamed an earlier attack on Youbit on spies working for North Korea.

BTCChina – The Chinese exchange later renamed BTCC stopped trading in September 2017 following the creation of a new law that made it illegal for Chinese mainlanders to exchange digital money unless they operate offshore. Many other exchanges such as Huobi moved operations offshore to protect themselves from the ban. BTCC reopened in June 2018 after first shifting operations to London and then to Hong Kong.

Gatecoin – In May 2016 the Hong Kong based exchange** was hacked for 250 BTC & 185,000 ETH worth ~2 million USD at the time. Funds were lifted from the exchange’s hot wallet, the hack remains unresolved. In March 2019 the exchange closed its doors following troubles with a payment service provider that paralyzed Gatecoin’s operations for months.

Harborly – Texas-based exchange Harborly launched early in 2015, and by August 14th the same year announced that it was closing down, saying the shutdown “has not been prompted by a hack, by fraudulent activity, or by a security-related incident.” The company stated that a new venture had gained traction, therefore, it was in the process of finding an acquirer.

Coin.mx – announced in late 2013, Coin.mx was a Mexican bitcoin exchange caught scamming. In July 2015 the FBI charged its founders, Anthony R. Murgio and Yuri Lebedev, for operating an underground unlicensed bitcoin exchange in violation of federal anti-money laundering (AML) laws.

Bitspark – A Hong Kong-based Bitcoin exchange that announced at the end of April 2015 that it was closing its exchange to focus on its remittance services. Its website is still live in 2020 with a message saying “Bitspark closed its doors as of 4 March 2020. Your data and funds are safe.”

Excoin – In February 2015, the company announced that it was hacked. Its last Twitter update was on March 15th, 2015 in which it said it was preparing for a relaunch of the “new Excoin trading platform.” It was never heard from again. A visit to exco.in in 2020 generates the Google warning “attackers might be trying to steal your information.”

Virtex – Opened July 2014, Virtex was a platform that traded several currencies, but then turned out to be another scam in January 2015.

Yacuna – Yacuna was a UK-based, regulated European cryptocurrency exchange. Trading Bitcoin, Litecoin and Dogecoin for Euro and GBP. The company announced closure on October 13 2015 – stating “Bitcoin is a wonderful technology and we are proud that we have developed one of the first European exchanges for virtual currency. But everything comes to an end.” Yacuna was officially closed on November 15, 2015.

Bitstake – Nigeria-based BitStake announced on October 14 2015 that its platform would shut down after operating for only 10 months. The company advised customers to withdraw coins by October 30, referring them to another exchange in Nigeria, NairaEx which is still operating today.

Melotic – In May 2014 Hong Kong-based Melotic exchange, announced it was closing its doors due to a “lack of sufficient growth”.

Coin-Swap – In March 2015 Coin-Swap.net announced by Twitter that it would be shutting down and advised its customers to “Please withdraw all funds immediately”. As its Twitter feed shows, that process was easier said than done.

AllCrypt – In March 2015, AllCrypt.com went down, and the owner cited Word Press exploitation, losing a small amount of customer funds.

Comkort – Estonian based exchange Comkort finished its Beta testing in March 2014. In July 2014, the company ceased operation.

LibertyBit – Launched in February 2013, Vancouver-based LibertyBit announced a temporary suspension of trade in June 2013, never to be heard from again.

MintPal – In July 2014, the company reported that it had been hacked, losing a large amount of VeriCoin. In October 2014, the company operating Mintpal, Moolah, announced that Mintpal was shutting down. Many users on Bitcoin Talk posted that Mintpal CEO Ryan Kennedy was a scammer – and reporting missing funds left on the exchange. Kennedy was arrested over the theft of 3,700 Bitcoins and appeared in a UK court in July 2017 charged with offences under the UK’s Fraud Act 2006 and Proceeds of Crime Act 2002.

McxNOW – Launched in September 2013, McxNOW was a digital currency exchange. The company claimed that all balances would earn interest of 25% of all company profits. Naturally, the site went missing, claiming a “maintenance period” beginning November 15, 2014.

Cryptorush – CryptoRush was a multi-currency exchange launched in February 2014, around the same time as BlackCoin. In March 2014, the company announced that its BlackCoin was stolen by users, caused by a bug in the BlackCoin daemon. Only a month later, a Reddit user identifying themselves as “DogeyMcDoge” and claiming to be a former employee of the company, wrote a post on how much of a scam Cryptorush was.

WeExchange – Also known as Weex, is a bitcoin currency exchange and trading platform launched in Dec 2012. The last volume on this exchange was on November 26, 2013. Its founder Jon Montroll was arrested in the US in February 2017 and ultimately plead guilty to securities fraud and obstruction of justice.

Kapiton – A Swedish exchange trading platform site, launched for a limited client base on April 18, 2012. However, it started experiencing problems with payments in November 2013, prompting Reddit users to call it a scam.

Vault of Satoshi – A Canada-based Bitcoin exchange, VoS officially launched in October 2013 trumpeting its auditable paper-trail, which was revolutionary at the time. The exchange closed its doors on February 5 2015 saying, “We’d like to reassure the community that it has absolutely nothing to do with insolvency, stolen funds, or any other unfortunate scenario.”

Britcoin – Opened for trading on April 17, 2013, and was the first market accepting British Pound Sterling (GBP). In August 2011, Britcoin rebranded itself as Intersango, and ultimately closed on December 19th 2012.

Bitomat – The first polish exchange went online on April 4, 2011. On July 26, 2011, Bitomat reported 17,000 client Bitcoins were missing after it lost access to its wallet.dat file. It was acquired by Mt. Gox shortly soon after, on August 11, 2011.

Bitfloor – Announced in February 2012, Bitfloor was the first FinCEN-registered Bitcoin currency exchange and trading platform, headquartered in the state of New York. On September 3, 2012, it was hacked for 24,000 BTC, valued at approximately US$250,000 when the theft took place (worth 288 million in August 2020). Compromised servers resulted in access to encrypted backup files of wallet keys. Operations resumed until April 17, 2013, but when its partner bank closed Bitfloor’s account it was forced to shut down for good.

BitMarket.eu – Announced April 5th, 2012, this multi-exchange order matching market service did well at first, but was prone to operator dishonesty like so many others. After increasingly degraded service, on December 21, 2012, the operator shared that the customer’s funds had been used for speculation, and that nearly 20,000 BTC of its customer’s funds were lost. Bitmarket founder Tobiasz Niemiro was found dead in Poland in July 2019 in suspicious circumstances.

Bitcoin Brasil – Announced on March 31st, 2011, this was the first market for the exchange of Bitcoin and the Brazilian Real. It is unclear exactly when it closed down.

FXBTC – A small Chinese exchange, and a registered company of Shanghai Yao Chi Network Technology Co., established on November 26, 2013. After making losses, the company announced its closure, but promised to stay open until May 10 the next year. Frustratingly, the site closed a day earlier, denying angry customers their money. In September 2017, China ordered all crypto exchanges to close.

Crypto-Trade – Not to be confused with CryptoTrade exchange (which has also disappeared), this trading platform, owned by Esecurity SA, was unveiled in March 2013. The platform sold bitcoin-based shares for BTC or LTC, and claimed to issue dividends. However, after claiming to have suffered losses, and unable to pay its expenditures, the company closed its doors in January 2015, never to be seen again.

Bitcoinica – Launched in New Zealand in September 8, 2011, the site suffered a significant financial loss on March 1st, 2012, when a web host had an internal security breach that gave the attacker access to the wallet in which Bitcoinica stored funds. More than 43,000 bitcoins were stolen by the attacker. The operator provided a statement that reserves were sufficient to cover the loss, but on May 11, 2012 Bitcoinica suffered another security incident in which its hot wallet was emptied again, leading to its immediate shutdown. Auckland based receivers McDonald Vague were appointed on the 10th of January 2013. The receivers released their 13th report into the liquidation in January 2019, at which time they stated that any funds for creditors was still dependent on the release of funds from the MtGox receivership.

Bitcoin-Central – This Paris-based exchange launched on December 29, 2010. It was the first to operate within European regulations, and to guarantee the fiat deposits of its users. The exchange struggled for several years before shutting down due to a lack of interest.

Tradehill – Founded June 8, 2011, Tradehill was the #2 exchange after MtGox for almost a year. On February 13, 2012, the exchange announced it was shutting down, citing regulatory problems, the loss of US$100,000, and a dispute with a payment processor as contributing factors.

The fallout from the MtGox collapse remains unresolved to this day

MtGox – The most famous exchange implosion of them all was the Tokyo-based exchange, Magic The Gathering Online eXchange. Established by Jed McCaleb in July 2010 and sold to Mark Karpelès on March 6, 2011, the exchange was actually built for trading playing cards. At its peak MtGox handled approximately 70% of all bitcoin transactions. Its death spiral began in February 2014, when the company suspended trading, closed its website, and filed for bankruptcy protection while 850,000 bitcoins evaporated from customers valued at more than US$450 million at the time (10.2 Billion today). CEO Mark Karpelès has been arrested by the Japanese police a couple of times for his part in this. In March 2019 he was sentenced to 30 months in jail by a Toyko court, but his sentenced was suspended for four years. The liquidation of MtGox saga continues to this day with the majority of the remaining funds still undistributed as at August 2020.

The Bitcoin Market – On February 6, 2010, the very first bitcoin exchange was established by Bitcointalk user dwdollar. After getting “scammed” by Paypal in June of that year, and subsequently removing the option to accept paypal from the site, the market quickly dwindled into obscurity, and MtGox rose to overtake it. It is not known when their last day of trading was.

The Antonopoulos rule

Soon after the MtGox fiasco came to a head, legendary venture capitalist Fred Wilson said, “We are witnessing the maturation of a sector and part of that will inevitably be failures, crashes, and other messes. Almost every technology that I’ve watched come into a mass adoption has gone through these sorts of growing pains.”

Clearly it has been easy to go bankrupt, get hacked, give in to corruption, or otherwise fail to make a profitable business out of operating a crypto exchange. Hopefully each new exchange failure means the ones that remain are safer and more resilient than ever. That said, no matter how secure these exchanges become, there is a simple lesson to be learnt.

“The lesson here,” says Andreas Antonopoulos, “is that if you don’t control the keys, you don’t control the bitcoin. Possession is nine-tenths of the law, and in bitcoin, possession of the keys is ten-tenths of the law. If you don’t control the keys anymore, it’s not your bitcoin! That lesson will be learned as many times as it needs to.”

North Korea Hacking Crypto Exchanges

Long recognized as a bad actor in the crypto space, North Korea continues to cause mass damage to the ecosystem – hacking crypto exchanges at a relentless pace. The Lazarus Group, a cybercrime syndicate working on behalf of the North Korean government pulled off 2020’s biggest exchange heist against Kucoin. The Singapore-based exchange lost around USD275 million of Bitcoin, Ethereum and other ERC20 tokens.

A UN report says North Korea specializes in hacking crypto exchanges

Kucoin’s CEO Johnny Lyu said the hack happened “due to the leakage of the private key of KuCoin hot wallets.” This hack alone amounted to half the crypto currency stolen in 2020, although Lyu has said that around USD204 million had been recovered.

Chainanalysis attributes the attack to Lazarus because Kucoin’s hackers used a money laundering technique very similar to one used by Lazarus in previous attacks. The technique involved sending stolen funds to mixers in structured payments of the same size. Lazarus was behind an attack on South Korean exchanges Upbit in 2019 and Coinlink and Bithumb in 2017. Additionally, they are thought to be behind an attack on Slovenian hash power provider Nicehash in 2017.

A new aspect of the 2020 Kucoin hack was Lazarus’s use of Decentralized Finance (DeFi) platforms to launder some of the funds. DeFi platforms offer users the ability to be their own custodians and there is no requirement of trust between a decentralized exchange operator and traders. Users remain anonymous and with many DeFi exchanges, there are few KYC or AML provisions.