Crypto Theft Is Not Slowing Down: How to Protect Your Digital Assets
By Oakstone Security Group
April 04, 2025
Billions of dollars in cryptocurrency have been stolen from exchanges, bridges, and individuals over the past decade. Some of those losses came from sophisticated protocol exploits. Many more came from failures that were entirely preventable. If you hold meaningful digital assets, the question of how to protect them deserves the same seriousness you would give to any other significant store of value.
A Track Record of Catastrophic Losses
The history of cryptocurrency theft is long and well-documented. Understanding it is the starting point for understanding why security decisions matter.
Mt. Gox (2014). The collapse of Mt. Gox remains the most consequential exchange failure in cryptocurrency history. At its peak, Mt. Gox handled around 70 percent of all Bitcoin transactions globally. When it filed for bankruptcy in early 2014, approximately 850,000 Bitcoin had been lost or stolen over a period of years, the result of persistent, undetected theft that the exchange’s operators failed to identify until it was too late. Customers who had trusted a third party with their holdings lost access to them overnight. Many are still pursuing claims more than a decade later.
Bitfinex (2016). In August 2016, hackers exploited a vulnerability in Bitfinex’s multi-signature wallet architecture and stole approximately 120,000 Bitcoin. At the time the theft represented a loss of around $72 million. By the time US authorities made arrests in 2022, the same coins were valued at over $4.5 billion. The case illustrated both the scale of what is at risk and the long time horizons over which stolen assets retain their value.
KuCoin (2020). KuCoin suffered a breach in September 2020 that resulted in approximately $275 million in tokens being drained from the exchange’s hot wallets. The attack was attributed to the Lazarus Group, a North Korean state-sponsored threat actor. It is a useful reminder that the adversaries targeting cryptocurrency holdings are not always individual criminals. Some are nation-state actors with substantial resources and patience.
Axie Infinity Ronin Bridge (2022). In March 2022, attackers compromised the Ronin Network bridge used by the Axie Infinity gaming platform and drained approximately $625 million in cryptocurrency. The attack, again attributed to the Lazarus Group, exploited a combination of compromised validator keys and a signing threshold that was too low for how the keys were actually held: five of nine validator signatures were required, and the attacker obtained four keys operated by Sky Mavis plus a fifth through an allowlist that the Axie DAO had granted to Sky Mavis and never revoked. It remains one of the largest single cryptocurrency thefts on record.
FTX (2022). The collapse of FTX in November 2022 resulted in the misappropriation of customer funds on a scale that shocked even experienced observers. Over $8 billion in customer assets were lost. Separately, approximately $400 million was drained from FTX wallets in the hours around the bankruptcy filing, in circumstances that remain partially disputed. For customers who held assets on the platform, the outcome was the same regardless of cause: the funds were gone.
These are exchange-level events. The losses run into billions and affect thousands of people simultaneously. But they share a common thread with individual-level theft: the underlying failure is almost always one of custody, access control, or operational security rather than a fundamental weakness in the cryptographic protocols themselves.
The Individual Is a Target Too
Exchange hacks are visible and well-reported. Individual-level theft is less publicised but far more common, and the methods used are often simpler.
SIM swapping. In 2018, investor Michael Terpin lost approximately $24 million in cryptocurrency following a SIM swap attack in which an attacker social-engineered his mobile carrier into transferring his phone number to a device they controlled. The attacker then used control of Terpin’s number to bypass SMS-based two-factor authentication on accounts holding his assets. Terpin subsequently filed a lawsuit against AT&T, alleging negligence in allowing the transfer. The case drew significant attention to SIM swapping as an attack vector and to the dangers of relying on SMS-based authentication for accounts holding significant value.
SIM swapping remains active and effective. Attackers target mobile carrier staff directly, using social engineering, bribery, or insider access, and no amount of diligence by the holder stops a carrier employee from reassigning the number. A phone number that has been used to secure a cryptocurrency account, an email account, or an exchange login is a single point of failure that sits entirely outside the holder’s control, and because most services will reset a password or send a recovery code to that number, control of it often cascades into control of everything attached to it.
The Ledger data breach (2020). In 2020, hardware wallet manufacturer Ledger suffered a breach of its customer database. The personal details of over 270,000 customers were exposed, including names, phone numbers, and home addresses. The breach did not compromise the wallets themselves or the assets held in them. What it did was publish a directory of known cryptocurrency holders, complete with their physical locations.
In the months that followed, affected customers reported receiving targeted phishing emails, threatening messages, and in some cases physical threats. The breach demonstrated that owning a hardware wallet does not isolate you from risk. If your identity as a holder is known, the attack surface extends beyond the digital domain.
Physical attacks. There is a documented and growing pattern of violent crime targeting known cryptocurrency holders. Cases in the United States, United Kingdom, and Europe have involved home invasions, kidnappings, and coerced transfers in which victims were physically compelled to hand over access to their wallets. The common thread in most cases is that the victim’s identity as a holder of significant digital assets was publicly known or discoverable, typically through social media, forum activity, or press coverage.
The FBI’s Internet Crime Complaint Center has tracked a consistent increase in cryptocurrency-related fraud and theft year over year, with losses in the billions annually. The majority involves individual victims, not institutions.
The Self-Custody Paradox
The standard advice in response to exchange risk is to take self-custody: hold your own keys, control your own assets, remove the counterparty risk that has repeatedly led to losses at exchanges. That advice is correct. But self-custody transfers the security burden entirely to the holder, and most holders are not equipped to carry it without support.
The security of a self-custodied wallet rests on a small number of critical decisions:
Seed phrase storage. The seed phrase is the master key to a wallet. It can regenerate access on any compatible device, regardless of what happens to the original hardware. A seed phrase stored in a cloud service, photographed on a phone, or held on paper without physical protection is a single point of failure. A house fire, a burglar, or a housekeeper with a camera can end the story.
Hardware wallet integrity. Buy only from the manufacturer or an authorised reseller. Devices sold through unofficial channels have been supplied pre-compromised, typically already initialised or shipped with a seed phrase pre-printed on a card in the box. A genuine device generates the seed phrase on-device during your own setup; if that step was performed by someone else or tampered with, the attacker holds your key before you deposit your first coin.
Transaction hygiene. Clipboard hijackers are malware that watches the clipboard for anything shaped like a wallet address and silently replaces it with one the attacker controls, usually an address pre-generated to share the first and last few characters with the original so that a quick glance passes. The transaction you paste, review, and sign on the host computer is therefore already wrong before it reaches the signing step. The control is to verify the full destination address on the hardware wallet’s own screen, against a copy obtained from the recipient through an independent channel, and to refuse to sign if any character differs; the host display cannot be trusted to show what was originally copied.
Identity exposure. The largest holding in a well-secured self-custody setup can be compromised not by attacking the wallet but by attacking the person. Minimising the public association between your identity and your holdings is as important as securing the keys themselves.
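To make the clipboard-substitution point concrete, here is an added example (not code from the article or from Oakstone) that walks through the whole check for a Bitcoin P2PKH address: base58check validation, which catches typos but not substitution; the first-and-last-characters glance, which a pre-ground lookalike defeats; and the exact-match gate that a hardware wallet screen or an exchange withdrawal allowlist actually provides. The 20-byte address payloads are constructed with SHA-256 as a stand-in for RIPEMD160(SHA256(pubkey)) so no key material or wallet library is needed, and the lookalike grinder matches only two leading and one trailing character so it finishes in milliseconds; a real hijacker grinds many more characters offline ahead of time.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = ALPHABET[r] + digits
    # each leading zero byte becomes a leading '1'
    zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * zeros + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a character outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def p2pkh_address(hash160: bytes) -> str:
    payload = b"\x00" + hash160  # version byte 0x00 = mainnet P2PKH
    return b58encode(payload + checksum(payload))


def has_valid_checksum(addr: str) -> bool:
    """Catches typos and truncation. Does NOT catch a substituted address,
    because the attacker's address carries its own correct checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]


def looks_alike(a: str, b: str, head: int = 2, tail: int = 1) -> bool:
    """The visual check most people actually perform on screen."""
    return a[:head] == b[:head] and a[-tail:] == b[-tail:]


def forge_lookalike(target: str, head: int = 2, tail: int = 1, max_tries: int = 500_000):
    """Hijacker's precomputation: grind candidate addresses (from constructed
    stand-in key hashes) until one shares the visible ends with the target.
    Returns (address, tries) or None if the budget runs out."""
    for i in range(max_tries):
        hash160 = hashlib.sha256(b"attacker-key-" + str(i).encode()).digest()[:20]
        cand = p2pkh_address(hash160)
        if cand != target and looks_alike(cand, target, head, tail):
            return cand, i + 1
    return None


def safe_to_sign(pasted: str, verified: str) -> bool:
    """Pre-signing gate: the address in the transaction must be byte-for-byte
    the one verified out of band (hardware wallet screen, or an exchange
    withdrawal allowlist), not merely well-formed or visually similar."""
    return has_valid_checksum(pasted) and pasted == verified


# Constructed sample: the recipient the user intends to pay.
INTENDED = p2pkh_address(hashlib.sha256(b"legitimate-recipient").digest()[:20])

if __name__ == "__main__":
    forged, tries = forge_lookalike(INTENDED)
    print("intended:      ", INTENDED)
    print("forged:        ", forged, f"(found after {tries} tries)")
    print("checksum valid:", has_valid_checksum(forged))
    print("looks alike:   ", looks_alike(forged, INTENDED))
    print("safe to sign:  ", safe_to_sign(forged, INTENDED))
```

The forged address passes both the checksum and the glance; only the exact comparison against an independently verified copy rejects it. That is the comparison the hardware wallet screen exists for, and it only helps if the reference you compare against did not itself come from the compromised host.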
What Oakstone Does for Digital Asset Holders
Our approach to self-custody security begins with the same structured threat assessment we apply to all personal engagements. We do not need to know the size or composition of your holdings. We need to understand how you manage access, where your backups are, how your identity connects to your holdings, and what happens if any single component fails.
From that baseline, engagements cover:
Seed phrase and backup security. A review of how seed phrases are stored and physical security controls appropriate to the value being protected. This includes the use of durable backup media, geographic distribution of backups where appropriate, and access controls that survive the holder.
Hardware wallet verification and configuration. Confirming that devices are genuine, firmware is current, and the operational practices around transaction signing reduce the risk of interception or substitution.
Exchange and hot wallet hygiene. For clients who maintain exchange accounts or hot wallets for liquidity, a review of authentication configurations, withdrawal address controls, and API key permissions.
Identity and OSINT separation. Advice on minimising the public association between your identity and your holdings. This includes reviewing what is discoverable about you through open sources and working to reduce exposure where possible.
Physical security overlay. For clients with significant holdings, ensuring that digital and physical security are considered together. A well-secured wallet is of limited protection if the holder is subject to physical coercion, and the risk of coercion is directly related to what an adversary knows about you.
Self-custody is the right foundation. Security work ensures that foundation holds.
Contact Oakstone to discuss how we can help protect your digital asset holdings.