On February 21, the cryptocurrency exchange Bybit reported that an Ethereum transaction was transferred to an unidentified address, resulting in the theft of $1.5 billion in Ethereum cryptocurrency. 

This is one in a long list of substantial cryptocurrency hacks and thefts. Chainalysis reports that more than $1.7 billion in cryptocurrency was stolen in 2023 and more than $3.8 billion in 2022. Since the hack resulting in the theft of $473 million in Bitcoin from the Mt. Gox exchange in 2011, theft and fraud have continued to be a serious risk in the cryptocurrency arena. Recent examples include the hack and theft of $477 million in cryptocurrency from the FTX exchange in November 2022; the hack and theft of $570 million in cryptocurrency from the Binance exchange in October 2022; the hack and theft of $625 million in cryptocurrency from the Ronin Network in March 2022; the hack and theft of $611 million in cryptocurrency from the Poly Network In August 2021; and the hack and theft of $532 million in cryptocurrency from the Coincheck exchange in January 2018.

It should not be surprising that cryptocurrency exchanges are a target for hacks, fraud, and theft. Cryptocurrency as a whole continues to occupy a gray space between existing frameworks for the financial industry and rapidly evolving developments in new technologies and in the way they are regulated. Well-established requirements have become more complex in crypto. Examples include Know Your Customer – better known as “KYC,” monitoring for criminal activity, reporting suspicious activity, or even determining which jurisdiction has authority over taxation or legal enforcement. Then there are examples that might be described tongue-in-cheek as “we have no law for your crime.” This includes whether entities with the power to insert, omit, or reorder blockchain transactions are performing activities that constitute market manipulation.

Cryptocurrency is built on blockchain technology, and is ostensibly secure. Like any other digital system, however, security is dependent upon the coding, the security controls and the personnel overseeing the process. Is all cryptocurrency secure? Of course not – one only has to consider the billions that have been stolen since its inception. 

Can it be secure? Of course, but like any other digital system, it depends on many moving parts. At the system level, due diligence can root out only so much regarding the actual product and the cryptocurrency exchange information security program. Investors must also exercise care about their own digital security. Malicious actors regularly engage in social engineering through phishing attacks during which they may deploy software to monitor keystrokes and obtain user account names and passwords. They monitor public wi-fi networks and continually look for means of access to cryptocurrency accounts. They also attempt to compromise consumer phones by social engineering phone service providers, persuading them to transfer consumer phone numbers to the malicious actor’s subscriber identity module – called a SIM swap. SIM swaps allow the malicious actors to manipulate and bypass multi-factor authentication, reset passwords, and continue the fraud and theft affecting cryptocurrency exchanges.  

For both cryptocurrency exchanges and individuals, many principles of security do not, and should not, change simply because they involve cryptocurrency. These include enabling two-factor authentication wherever possible, limiting sharing of private keys/account information, being cautious on public networks, and avoiding common pitfalls of scams (including looking out for fake websites or URLs, and not engaging with unsolicited offers and communications with unusually high-pressure tactics or demands).

In order to reduce the fraud and theft affecting cryptocurrency exchanges in 2025, exchanges must continuously review and enhance their information security programs, and cryptocurrency investors and users must ensure that their own information security practices are improved.  Investors and users should also consider removing their cryptocurrency from exchanges – which will continue to be the target of hacks and theft - and use Cold Wallets and Hardware Wallets to increase the security of their funds.

The Constangy Cybersecurity & Data Privacy team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving issues. If you would like additional information on how to prepare your organization, contact us directly at cyber@constangy.com.