Beginner · Learning Resource

Exchange Hacks and What Investors Can Learn

Crypto's biggest disasters rarely involve someone breaking the maths of Bitcoin itself. Far more often, money vanishes because it was sitting on an exchange that got hacked, ran out of money, or simply lied. The same lessons keep surfacing — and once you've seen the pattern, you can avoid the worst of it.

The 20-second version

Exchanges are convenient but custodial: they hold your keys, so their failure is your loss. History keeps teaching the same lesson — don't store more than you need to trade, and move the rest to a wallet you control.

Why exchanges keep failing

An exchange is where most people first buy crypto, and it's genuinely useful for that. The catch is that when your coins sit on an exchange, the exchange holds the private keys — you hold an IOU. That makes it a custodial arrangement, and it concentrates an enormous amount of value in one place. We unpack the distinction in custodial vs non-custodial wallets and what is crypto custody.

That concentration is exactly what attracts thieves and tempts bad management. Failures tend to come in two flavours: an external hack, where attackers steal the keys, and an internal collapse, where the company misuses or loses customer funds. The next three cases are the textbook examples of each.

Mt. Gox — the original catastrophe

In its day, Mt. Gox handled the majority of all Bitcoin trades. In early 2014 it abruptly halted withdrawals and filed for bankruptcy, having lost roughly 850,000 bitcoin belonging to customers and itself — a sum that was eye-watering then and would be astronomical now. The losses had been bleeding out over years through a mix of theft and shambolic record-keeping that no one had caught.

Mt. Gox gave the world the phrase that still defines crypto security culture, and creditors spent the better part of a decade waiting for partial repayment. We tell the full story in the Mt. Gox hack explained.

Not your keys, not your coins.

FTX — when the company is the threat

FTX wasn't hacked. It collapsed in November 2022 because the people running it had quietly funnelled customer deposits to an affiliated trading firm, Alameda Research. When a report cast doubt on FTX's finances, customers rushed to withdraw — and the exchange couldn't honour them, exposing a hole of around $8 billion in missing customer money. Founder Sam Bankman-Fried was later convicted of fraud.

FTX matters because it proves the danger isn't only outside hackers. A slick, well-marketed, seemingly profitable exchange can be insolvent behind the scenes while still showing your balance on screen. That on-screen number is a promise, not proof the coins exist. Read the FTX collapse explained for the full timeline.

A balance on a screen is not custody

Seeing your funds in an exchange app tells you what the company says you have, not what it actually holds. If you don't control the keys, you're trusting the operator's honesty and solvency.

The 2025 Bybit hack — biggest ever

In February 2025, the exchange Bybit suffered the largest crypto theft on record: around $1.5 billion in Ethereum drained in a single operation, widely attributed to North Korea's Lazarus Group. What made it chilling was the method. The attackers didn't smash through Bybit's defences directly — they compromised the interface of a third-party wallet tool Bybit used to approve transfers, so that when staff went to move funds from cold storage, what they approved on screen wasn't what actually executed.

It was a sophisticated supply-chain and social-engineering attack rather than a brute-force break-in, and it shows how even large, security-conscious exchanges remain high-value targets. Bybit honoured customer withdrawals afterwards, but holders had no way of knowing in advance that their funds were caught up in it.

| Case | Year | Type | Rough scale |
|---|---|---|---|
| Mt. Gox | 2014 | Hack + mismanagement | ~850,000 BTC |
| FTX | 2022 | Internal fraud / insolvency | ~$8bn customer funds |
| Bybit | 2025 | External hack (Lazarus) | ~$1.5bn in ETH |

The durable lessons

Three very different failures, one consistent moral: holding crypto on an exchange means trusting that exchange completely. You can't stop an exchange being hacked or mismanaged, but you can limit how much of your money is exposed when it happens.

  • Not your keys, not your coins. If a third party holds the keys, your balance is a claim, not ownership. Self-custody removes that dependency — start with hot vs cold wallets.
  • Withdraw long-term holdings. Keep on an exchange only what you're actively trading; move savings to a wallet you control. Our guide to how to store Bitcoin safely walks through it.
  • Use a hardware wallet for the bulk. Keys held offline on a device like the Ledger Nano X can't be drained by an exchange's failure.
  • Spread your risk. Don't keep everything on a single platform, and be wary of any exchange promising unusually high returns.
  • Know the recovery steps. If something does go wrong, what to do if you get scammed covers acting fast.

Treat exchanges like a bureau de change

Use them to convert and trade, then take your holdings home. The longer large sums sit on any platform, the more of someone else's risk you're carrying.

Putting it into practice

Exchanges aren't villains — they're a necessary on-ramp, and the regulated ones have improved a great deal. But Mt. Gox, FTX and Bybit each show, in their own way, that an exchange is a single point of failure you don't control. The practical response isn't to avoid exchanges entirely; it's to pass through them rather than park in them, and to keep the coins you're serious about in self-custody.

Crypto is volatile and largely unregulated, and even with perfect security you can lose money to the market. These lessons won't make you rich — they're about not losing what you already have to someone else's mistake. — the Latest Crypto team

Serious savings belong in cold storage

Pocket money can sit on an app; serious holdings should move to a device you control. A Ledger keeps your keys offline and signs every transaction on the device itself, so a compromised computer can’t touch your funds.

Key takeaways

  • Exchanges are custodial: when they're hacked or fail, your funds are at risk, not just theirs.
  • Mt. Gox was a hack, FTX was internal fraud, and the 2025 Bybit hack was a ~$1.5bn supply-chain attack.
  • The recurring lesson is 'not your keys, not your coins' — self-custody removes the dependency.
  • Keep only trading funds on exchanges and move long-term holdings to a hardware wallet you control.

Frequently asked questions

Are crypto exchanges safe to use at all?

Reputable, regulated exchanges are fine for buying, selling and trading. The risk comes from leaving large amounts sitting on them long-term. Use them as an on-ramp, then withdraw holdings you don't need on the platform.

What does 'not your keys, not your coins' mean?

If you don't hold the private keys, you don't truly control the coins — you hold a claim against whoever does. That's why moving funds to a wallet you control protects you from an exchange being hacked or going under.

Will an exchange refund me if it gets hacked?

Sometimes, as Bybit did in 2025, but there's no guarantee — Mt. Gox creditors waited years for partial repayment and FTX customers faced a lengthy bankruptcy. Never assume a refund; the safer approach is to limit what you leave on any exchange.

The Latest Crypto Team

Independent crypto education · free for all

We built LatestCrypto because we were fed up with the scams, shilling and terrible advice that fill the crypto internet. Everything here is free, honest and made with love — no hype, no “trust me bro”, and we’ll never tell you what to buy. Spotted something we got wrong? Tell us, and we’ll fix it.
