Verify a decision

{"actor":"system:backfill","investigation_id":"cdf9027c-3fdd-4213-819f-78671c58be49","kind":"publish","page_slug":"nicehash","published_at":"2026-05-30T12:59:41.996Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"NiceHash","sections":[{"content":"NiceHash is a Ljubljana, Slovenia-based cryptocurrency mining marketplace founded in 2014 by Marko Kobal and Matjaz Skorjanc. The platform operates as an open marketplace connecting buyers and sellers of hashing power, allowing individuals to rent out their computing resources in exchange for Bitcoin without requiring buyers to own mining hardware directly. NiceHash became one of the largest hashpower brokerage services in the world during the 2017 Bitcoin bull market. The company has gone through multiple leadership changes since its founding, with Vladimir Hozjan announced as CEO in 2024 following earlier leadership transitions.","heading":"Company Overview","severity":"low","sources":[{"credibility":2,"name":"NiceHash Wikipedia","type":"other","url":"https://en.wikipedia.org/wiki/NiceHash"},{"credibility":2,"name":"NiceHash Review 2025 - MEXC News","type":"news_article","url":"https://www.mexc.com/news/266793"}]},{"content":"On December 6, 2017, NiceHash was compromised in what the company described as a highly professional attack involving sophisticated social engineering. Attackers gained access to the NiceHash payment system by compromising the computer of one of the company's engineers, obtaining that employee's credentials through an alleged spear-phishing email. The breach allowed the attacker or attackers to drain the platform's internal Bitcoin wallet, stealing approximately 4,736.42 BTC valued at roughly $63.92 million to $64 million at prevailing prices. NiceHash suspended all operations for approximately 24 hours following discovery of the breach and instructed all users to change their passwords. CEO Marko Kobal stated in a video announcement that 'a hacker or a group of hackers was able to infiltrate our systems through a compromised company computer.' The incident was reported to Slovenian law enforcement authorities and relevant international agencies. The stolen Bitcoin was tracked moving to a single wallet address after the theft, but the funds were not recovered.","heading":"The December 2017 Hack","severity":"critical","sources":[{"credibility":1,"name":"Bitcoin stolen in hack on NiceHash cryptocurrency mining marketplace - CNBC","type":"news_article","url":"https://www.cnbc.com/2017/12/07/bitcoin-stolen-in-hack-on-nicehash-cryptocurrency-mining-marketplace.html"},{"credibility":1,"name":"Bitcoin Mining Marketplace NiceHash Loses Tens of Millions - TechCrunch","type":"news_article","url":"https://techcrunch.com/2017/12/06/nicehash-hack/"},{"credibility":2,"name":"$64m in Bitcoin Stolen from NiceHash Mining Platform - Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/64m-in-bitcoin-stolen-from-nicehash/"},{"credibility":1,"name":"NiceHash: More than $70 million stolen in bitcoin hack - CNN Money","type":"news_article","url":"https://money.cnn.com/2017/12/07/technology/nicehash-bitcoin-theft-hacking/index.html"},{"credibility":2,"name":"Mining Service NiceHash Hacked, $60 Million in User Funds Stolen - CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/mining-service-nicehash-hacked-60-million-in-user-funds-stolen"}]},{"content":"Cybersecurity investigators and U.S. law enforcement subsequently attributed the NiceHash breach to the Lazarus Group, a state-sponsored hacking organization operated by North Korea's Reconnaissance General Bureau (RGB). On February 17, 2021, the U.S. Department of Justice unsealed an indictment charging three North Korean nationals — Jon Chang Hyok (age 31), Kim Il (age 27), and Park Jin Hyok (age 36) — with participating in a wide-ranging criminal conspiracy that included attacks on cryptocurrency firms. The indictment referenced a December 2017 theft of approximately $75 million from a Slovenian cryptocurrency company, widely understood to refer to NiceHash. The three defendants were alleged members of Lazarus Group and APT38, units of the RGB. The tactics employed in the NiceHash breach — credential theft via spear-phishing and targeted intrusion of a payment system — are consistent with documented Lazarus Group TTPs catalogued by firms including Proofpoint, RiskIQ, and Secureworks. The NiceHash blog confirmed the North Korean hacker group had been indicted specifically for the 2017 NiceHash attack.","heading":"Attribution to North Korea's Lazarus Group","severity":"critical","sources":[{"credibility":1,"name":"Three North Korean Military Hackers Indicted - U.S. Department of Justice","type":"regulatory","url":"https://www.justice.gov/archives/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and"},{"credibility":2,"name":"DOJ Charges 3 North Korean Hackers With Stealing $100M+ From Crypto Firms - CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2021/02/17/doj-charges-3-north-korean-hackers-with-stealing-100m-from-crypto-firms"},{"credibility":2,"name":"North Korean Lazarus Group hackers indicted in US - Computer Weekly","type":"news_article","url":"https://www.computerweekly.com/news/252496494/North-Korean-Lazarus-Group-hackers-indicted-in-US"},{"credibility":1,"name":"US charges three North Koreans for major hacks and cyber-thefts - Al Jazeera","type":"news_article","url":"https://www.aljazeera.com/news/2021/2/17/us-charges-three-north-koreans-for-major-hacks-and-cyber-thefts"},{"credibility":2,"name":"Lazarus Group - Wikipedia","type":"other","url":"https://en.wikipedia.org/wiki/Lazarus_Group"}]},{"content":"Following the hack, NiceHash committed to fully reimbursing all affected users whose Bitcoin balances were held in NiceHash internal wallets at the time of the breach. The repayment program launched on February 2, 2018, with an initial disbursement of 10% of the total owed amount. The program was funded entirely from NiceHash's operational revenue — specifically from platform fees — rather than from any recovery of the stolen assets themselves. By June 2018, more than 55% of lost funds had been returned. The program progressed through 21 documented reimbursement rounds. In December 2019, NiceHash announced it was pausing the repayment program after reaching 82% of total reimbursements, citing financial constraints, tax obligations, and the need to remain solvent. The company stated at that time that it could not guarantee full reimbursement in the foreseeable future. However, NiceHash ultimately resumed the program and completed the final payment on December 16, 2020, bringing all affected user balances to 100% of their pre-breach levels. The full repayment took approximately three years and is considered unusual in the cryptocurrency industry where exchange hacks rarely result in complete user compensation.","heading":"User Repayment Program","severity":"medium","sources":[{"credibility":2,"name":"NiceHash Returns 100% of Stolen Funds - CoinGeek","type":"news_article","url":"https://coingeek.com/nicehash-returns-100-of-stolen-funds/"},{"credibility":2,"name":"NiceHash Halts Repayment for Victims of Hack - Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/nicehash-halts-hack-repayment/"},{"credibility":2,"name":"Crypto-mining marketplace NiceHash to fully reimburse users after hack - CryptoNinjas","type":"news_article","url":"https://www.cryptoninjas.net/2018/01/31/crypto-mining-marketplace-nicehash-fully-reimburse-users-hack/"},{"credibility":2,"name":"NiceHash Repayment Program Update - NiceHash Official","type":"official","url":"https://www.nicehash.com/blog/post/nicehash-repayment-program-update"},{"credibility":2,"name":"Hacked Mining Firm NiceHash Has Paid Back 60 Percent of Stolen Bitcoin - CCN","type":"news_article","url":"https://www.ccn.com/hacked-mining-firm-nicehash-has-paid-back-60-percent-of-stolen-bitcoin/"}]},{"content":"CEO Marko Kobal resigned from his position on December 21, 2017, approximately two weeks after the hack. The platform was relaunched the same day under new management. Separately, NiceHash co-founder Matjaz Skorjanc has a documented criminal history predating the company's founding. Skorjanc was one of the creators of the Mariposa botnet, malware discovered in 2008 that infected approximately one million computers and was used for cyberscamming, denial-of-service attacks, and harvesting personal data, causing an estimated $4 million in damages. Skorjanc served approximately four years and ten months in a Slovenian prison for his role in the Mariposa botnet. He was subsequently charged in the United States with founding and running the cybercrime forum Darkode from 2008 to 2013, a platform where cybercriminals traded hacking tools and information. Skorjanc was arrested in Germany in 2019 on a U.S. extradition request but was released in 2020 after both Germany and Slovenia rejected the extradition based on double jeopardy protections. These legal issues relate to Skorjanc's pre-NiceHash activities and have not been alleged to be directly connected to the 2017 breach.","heading":"Leadership Changes and Co-Founder Legal Issues","severity":"high","sources":[{"credibility":2,"name":"NiceHash CEO Resigns After Hackers Steal $63 Million in Bitcoin - Finance Magnates","type":"news_article","url":"https://www.financemagnates.com/cryptocurrency/news/nicehash-ceo-resigns-hackers-steal-63-million-bitcoin/"},{"credibility":2,"name":"NiceHash Co-Founder, Wanted in the US, Arrested in Germany - Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/nicehash-cofounder-arrested-in/"},{"credibility":2,"name":"US Charges NiceHash Founder With Hacking, Fraud - Total Slovenia News","type":"news_article","url":"https://www.total-slovenia-news.com/news/3871-us-charges-nicehash-founder-with-hacking-fraud"},{"credibility":2,"name":"Former NiceHash CTO Arrested in Germany Over US Hacking Charges - Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/news/former-nicehash-cto-arrested-germany-140141475.html"},{"credibility":2,"name":"NiceHash - Wikipedia","type":"other","url":"https://en.wikipedia.org/wiki/NiceHash"}]},{"content":"Following the December 2017 breach, NiceHash undertook a significant overhaul of its security infrastructure before relaunching. The company redesigned its payment system to use a dual-channel approach requiring manual creation and manual confirmation of every outgoing transaction. Withdrawals were restricted to a single daily processing window. Additional security measures implemented include mandatory two-factor authentication (2FA) via apps such as Google Authenticator or Authy, email or SMS verification for logins from new devices, IP login history tracking, withdrawal address whitelisting, multisignature technology and cold storage for the built-in BTC wallet, SSL encryption across all web and application communications, and Know Your Customer (KYC) identity verification for higher withdrawal limits. As of 2025-2026, NiceHash continues to operate as one of the largest hashpower marketplaces globally. Independent reviews note that while the platform has meaningfully improved its security posture since the 2017 incident, its centralized custody model inherently concentrates risk, and the 2017 hack remains a material part of its risk profile for users evaluating the platform.","heading":"Post-Hack Security Improvements and Current Operations","severity":"medium","sources":[{"credibility":2,"name":"NiceHash Security Page - Official","type":"official","url":"https://www.nicehash.com/security"},{"credibility":3,"name":"NiceHash Review 2026 - Fool Investor","type":"other","url":"https://foolinvestor.com/2025/12/nicehash-review/"},{"credibility":2,"name":"NiceHash Review 2025 - Is It Safe And Legit For Crypto Mining? - MEXC News","type":"news_article","url":"https://www.mexc.com/news/266793"},{"credibility":2,"name":"NiceHash Returns! Better and More Secure! - NiceHash Official","type":"official","url":"https://www.nicehash.com/news/225"}]}],"sources_used":[{"credibility":1,"name":"Bitcoin stolen in hack on NiceHash cryptocurrency mining marketplace - CNBC","type":"news_article","url":"https://www.cnbc.com/2017/12/07/bitcoin-stolen-in-hack-on-nicehash-cryptocurrency-mining-marketplace.html"},{"credibility":1,"name":"Bitcoin Mining Marketplace NiceHash Loses Tens of Millions - TechCrunch","type":"news_article","url":"https://techcrunch.com/2017/12/06/nicehash-hack/"},{"credibility":1,"name":"NiceHash: More than $70 million stolen in bitcoin hack - CNN Money","type":"news_article","url":"https://money.cnn.com/2017/12/07/technology/nicehash-bitcoin-theft-hacking/index.html"},{"credibility":1,"name":"Bitcoin: $64 Million May Have Been Stolen in NiceHash Hack - Fortune","type":"news_article","url":"https://fortune.com/2017/12/07/nicehash-bitcoin-hack-cryptocurrency/"},{"credibility":2,"name":"$64m in Bitcoin Stolen from NiceHash Mining Platform - Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/64m-in-bitcoin-stolen-from-nicehash/"},{"credibility":2,"name":"NiceHash suffers security breach - Help Net Security","type":"news_article","url":"https://www.helpnetsecurity.com/2017/12/07/nicehash-breach/"},{"credibility":1,"name":"Three North Korean Military Hackers Indicted - U.S. Department of Justice","type":"regulatory","url":"https://www.justice.gov/archives/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and"},{"credibility":2,"name":"DOJ Charges 3 North Korean Hackers With Stealing $100M+ From Crypto Firms - CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2021/02/17/doj-charges-3-north-korean-hackers-with-stealing-100m-from-crypto-firms"},{"credibility":1,"name":"US charges three North Koreans for major hacks and cyber-thefts - Al Jazeera","type":"news_article","url":"https://www.aljazeera.com/news/2021/2/17/us-charges-three-north-koreans-for-major-hacks-and-cyber-thefts"},{"credibility":2,"name":"NiceHash Returns 100% of Stolen Funds - CoinGeek","type":"news_article","url":"https://coingeek.com/nicehash-returns-100-of-stolen-funds/"},{"credibility":2,"name":"NiceHash Halts Repayment for Victims of Hack - Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/nicehash-halts-hack-repayment/"},{"credibility":2,"name":"Crypto-mining marketplace NiceHash to fully reimburse users - CryptoNinjas","type":"news_article","url":"https://www.cryptoninjas.net/2018/01/31/crypto-mining-marketplace-nicehash-fully-reimburse-users-hack/"},{"credibility":2,"name":"NiceHash CEO Resigns After Hackers Steal $63 Million in Bitcoin - Finance Magnates","type":"news_article","url":"https://www.financemagnates.com/cryptocurrency/news/nicehash-ceo-resigns-hackers-steal-63-million-bitcoin/"},{"credibility":2,"name":"NiceHash Co-Founder, Wanted in the US, Arrested in Germany - Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/nicehash-cofounder-arrested-in/"},{"credibility":2,"name":"NiceHash - Wikipedia","type":"other","url":"https://en.wikipedia.org/wiki/NiceHash"},{"credibility":2,"name":"Lazarus Group - Wikipedia","type":"other","url":"https://en.wikipedia.org/wiki/Lazarus_Group"},{"credibility":2,"name":"NiceHash Security Page - Official","type":"official","url":"https://www.nicehash.com/security"},{"credibility":2,"name":"Mining Service NiceHash Hacked, $60 Million in User Funds Stolen - CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/mining-service-nicehash-hacked-60-million-in-user-funds-stolen"}],"summary":"NiceHash is a Slovenian cryptocurrency mining marketplace founded in 2014 that allows users to buy and sell hashing power. In December 2017 the platform suffered one of the largest crypto exchange hacks of that year, with attackers stealing approximately 4,736 BTC (valued at roughly $64 million at the time) after compromising an employee's computer through a spear-phishing attack. The breach was subsequently attributed to North Korea's Lazarus Group, and NiceHash completed a full user repayment program in December 2020 after a three-year effort funded from operational revenue.","timeline":[{"date":"2014-01-01","event":"NiceHash founded in Ljubljana, Slovenia by Marko Kobal and Matjaz Skorjanc as a hashpower marketplace.","source":"NiceHash Wikipedia","source_url":"https://en.wikipedia.org/wiki/NiceHash"},{"date":"2017-12-06","event":"Attackers compromise a NiceHash engineer's computer via spear-phishing, gain access to the payment system, and drain approximately 4,736 BTC (approximately $64 million). NiceHash suspends all operations.","source":"TechCrunch","source_url":"https://techcrunch.com/2017/12/06/nicehash-hack/"},{"date":"2017-12-07","event":"NiceHash confirms the breach publicly. CEO Marko Kobal states that a compromised company computer was the entry point. Major news outlets report stolen amount ranging from $60 million to over $70 million.","source":"CNBC","source_url":"https://www.cnbc.com/2017/12/07/bitcoin-stolen-in-hack-on-nicehash-cryptocurrency-mining-marketplace.html"},{"date":"2017-12-21","event":"CEO Marko Kobal resigns. NiceHash relaunches its platform with redesigned payment infrastructure and enhanced security protocols.","source":"Finance Magnates","source_url":"https://www.financemagnates.com/cryptocurrency/news/nicehash-ceo-resigns-hackers-steal-63-million-bitcoin/"},{"date":"2018-02-02","event":"NiceHash launches its formal Repayment Program, making an initial disbursement of 10% of owed balances to affected users, funded from platform fees.","source":"CryptoNinjas","source_url":"https://www.cryptoninjas.net/2018/01/31/crypto-mining-marketplace-nicehash-fully-reimburse-users-hack/"},{"date":"2018-07-02","event":"NiceHash announces that more than 55% of stolen funds have been returned to affected users through the Repayment Program.","source":"CryptoNinjas","source_url":"https://www.cryptoninjas.net/2018/06/29/crypto-mining-marketplace-nicehash-repayment-program-more-than-halfway-through/"},{"date":"2019-12-18","event":"NiceHash pauses the Repayment Program after reaching 82% of total reimbursements, citing financial constraints and the need to maintain operational solvency.","source":"Crypto Briefing","source_url":"https://cryptobriefing.com/nicehash-halts-hack-repayment/"},{"date":"2019-01-01","event":"Matjaz Skorjanc (NiceHash co-founder) arrested in Germany on a U.S. extradition request related to pre-NiceHash Mariposa botnet and Darkode cybercrime forum charges.","source":"Infosecurity Magazine","source_url":"https://www.infosecurity-magazine.com/news/nicehash-cofounder-arrested-in/"},{"date":"2020-01-01","event":"Skorjanc released after Germany and Slovenia both reject U.S. extradition request, citing double jeopardy protections.","source":"NiceHash Wikipedia","source_url":"https://en.wikipedia.org/wiki/NiceHash"},{"date":"2020-12-16","event":"NiceHash completes the final installment of its Repayment Program, returning all affected user balances to 100% of pre-breach levels — approximately three years after the original hack.","source":"CoinGeek","source_url":"https://coingeek.com/nicehash-returns-100-of-stolen-funds/"},{"date":"2021-02-17","event":"The U.S. Department of Justice unseals an indictment charging three North Korean nationals (Jon Chang Hyok, Kim Il, Park Jin Hyok) as Lazarus Group members for a broad range of cyberattacks including the December 2017 theft of approximately $75 million from a Slovenian cryptocurrency company consistent with NiceHash.","source":"U.S. Department of Justice","source_url":"https://www.justice.gov/archives/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and"}]},"v":1}