Verify a decision

{"actor":"system:backfill","investigation_id":"0720b751-fc8c-476c-a495-9e5bf9518394","kind":"publish","page_slug":"kucoin-hack","published_at":"2026-05-31T06:59:43.367Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"KuCoin Exchange Hack","sections":[{"content":"At approximately 19:05 UTC on September 25, 2020, attackers began draining cryptocurrency from KuCoin's hot wallets after obtaining the private keys to those wallets. KuCoin's risk control system triggered an alert, and the exchange confirmed the breach and made a public announcement early on September 26, 2020. The stolen assets included approximately 1,008 BTC, 8,709 ETH and over 150 ERC-20 tokens worth more than $150 million, 26,733 LTC, 14,713 BSV, 18,495,798 XRP, 9,588,383 XLM, 199,038,936 TRX, and approximately $14 million in Omni- and EOS-based USDT, bringing the total estimated value stolen to approximately $281 million. Cold wallets were reported as unaffected. Upon detecting the breach, KuCoin transferred remaining assets in compromised hot wallets to newly deployed addresses, suspended deposits and withdrawals, and contacted partner exchanges and blockchain analytics firms. Tether froze the stolen USDT tokens on-chain. The exact attack vector — whether insider threat, phishing, social engineering, or infrastructure compromise — was not publicly disclosed by KuCoin; the private key leakage itself was confirmed but its root cause was not fully specified in official communications.","heading":"The September 25, 2020 Hack","severity":"critical","sources":[{"credibility":1,"name":"Over $280M Drained in KuCoin Crypto Exchange Hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2020/09/26/over-280m-drained-in-kucoin-crypto-exchange-hack"},{"credibility":2,"name":"KuCoin September 2020 Hack: Hacken Research","type":"research","url":"https://hacken.io/insights/kucoin-september-2020-hack-hacken-research/"},{"credibility":1,"name":"KuCoin CEO Livestream Recap — Official KuCoin Announcement","type":"official","url":"https://www.kucoin.com/announcement/en-kucoin-ceo-livestream-recap-latest-updates-about-security-incident"},{"credibility":1,"name":"The KuCoin Hack: What We Know So Far — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kucoin-hack-2020-defi-uniswap/"}]},{"content":"Blockchain analytics firm Chainalysis publicly attributed the KuCoin hack to Lazarus Group, a cybercriminal syndicate widely assessed to operate on behalf of the North Korean government. The attribution rested on multiple behavioral indicators: the hackers used a structured money laundering pattern characteristic of Lazarus, specifically sending stolen funds to cryptocurrency mixers in same-sized payments just below round numbers in Bitcoin while waiting for confirmations before sending subsequent tranches. Additionally, two deposit addresses that received KuCoin funds had previously been linked to the Harvest Finance exploit, suggesting Lazarus Group involvement in that attack as well. The KuCoin hack represented a significant tactical shift for Lazarus Group, as the attackers nearly doubled their use of decentralized finance platforms — including Uniswap and KyberSwap — to obfuscate fund flows, exploiting the absence of KYC requirements on those protocols. Chainalysis noted the group increased its unique exchange deposit addresses from approximately 470 in December 2019 to over 2,078 by December 2020. KuCoin CEO Johnny Lyu stated on October 3, 2020 that the exchange had identified hacking suspects with 'substantial proof' and had formally involved law enforcement. No public criminal charges specific to the 2020 KuCoin hack have been filed as of the time of this writing; the attribution by KuCoin and Chainalysis to Lazarus Group remains an analytical finding rather than an adjudicated fact.","heading":"Attribution to Lazarus Group (DPRK)","severity":"critical","sources":[{"credibility":1,"name":"Lazarus Group Pulled Off 2020's Biggest Exchange Hack — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lazarus-group-kucoin-exchange-hack/"},{"credibility":1,"name":"KuCoin CEO Says Suspects in $281M Hack Identified; Authorities on the Case — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2020/10/03/kucoin-ceo-says-suspects-in-281m-hack-identified-authorities-on-the-case"},{"credibility":2,"name":"Chainalysis Finds North Korean Hackers' Role in $281M KuCoin Attack — Finance Magnates","type":"news_article","url":"https://www.financemagnates.com/cryptocurrency/news/chainalysis-finds-north-korean-hackers-role-in-281m-kucoin-attack/"}]},{"content":"KuCoin coordinated a multi-pronged recovery effort following the breach. By early October 2020, approximately $204 million in assets had been recovered or frozen through on-chain tracking and cooperation with partner exchanges and blockchain analytics providers. Project teams whose tokens had been stolen were asked by KuCoin to perform token swaps — invalidating compromised token contracts and issuing new ones — as a mechanism to neutralize the hackers' ability to liquidate those holdings. This approach generated significant controversy: several token projects publicly objected, arguing that KuCoin was inappropriately shifting the remediation burden to decentralized communities and that token swaps would disrupt their existing user bases. Representatives of the DMM Foundation were among those quoted objecting to the practice. Law enforcement and security institution cooperation, including blockchain forensics, led to the freezing of an additional estimated $17.45 million (approximately 6% of total losses). KuCoin announced on November 11, 2020 that all stolen assets had been accounted for, with 84% recovered through on-chain tracking, contract upgrades, and judicial recovery mechanisms, and the remaining 16% — approximately $45.55 million — covered by the exchange's insurance fund. The exchange stated that no user suffered a permanent loss as a result of the hack.","heading":"Recovery Efforts and Industry Cooperation","severity":"high","sources":[{"credibility":2,"name":"KuCoin Recovered 84% of Stolen Crypto After $280M Hack — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/kucoin-recovered-84-of-stolen-crypto-after-280m-hack-says-co-founder"},{"credibility":1,"name":"Token Projects Are Not Happy With KuCoin's Handling of $280M Hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2020/11/13/token-projects-are-not-happy-with-kucoins-handling-of-280m-hack"},{"credibility":2,"name":"KuCoin Has Recovered 84% of Affected Funds — The Block","type":"news_article","url":"https://www.theblock.co/linked/84248/kucoin-280m-stolen-recovered"},{"credibility":1,"name":"KuCoin Hacked Crypto Exchange Resumes Deposit, Withdrawal Services for All Tokens — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2020/11/22/hacked-crypto-exchange-kucoin-resumes-deposit-withdrawal-services-for-all-tokens"}]},{"content":"The KuCoin hack represented a documented evolution in Lazarus Group's cryptocurrency laundering methodology. Prior to 2020, the group primarily relied on centralized exchanges and mixers to obscure fund flows. In the KuCoin case, Chainalysis documented that Lazarus significantly increased its use of decentralized exchanges — particularly Uniswap and KyberSwap — to convert stolen ERC-20 tokens into Ethereum and other more liquid assets, exploiting the permissionless, non-custodial nature of DeFi protocols where no KYC checks could flag or freeze transactions. Elliptic similarly documented the use of decentralized exchanges in the aftermath of the hack. Funds were also routed through cryptocurrency mixing services. The hackers' use of structured, same-sized payments to mixers — a behavioral fingerprint Chainalysis described as characteristic of Lazarus — was a primary technical basis for the Lazarus Group attribution.","heading":"Lazarus Group DeFi Money Laundering Tactics","severity":"high","sources":[{"credibility":1,"name":"The KuCoin Hack: What We Know So Far and How Hackers Used DeFi to Launder Stolen Funds — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kucoin-hack-2020-defi-uniswap/"},{"credibility":2,"name":"KuCoin Thief Sells Out Millions in Crypto Tokens — Elliptic","type":"research","url":"https://www.elliptic.co/blog/kucoin-thief-sells-out-millions-in-crypto-tokens-on-decentralized-exchanges"}]},{"content":"KuCoin CEO Johnny Lyu conducted a live video stream on September 26, 2020, disclosing the breach and outlining the exchange's immediate response measures. He confirmed that the hack resulted from the leakage of private keys to KuCoin's hot wallets, that cold wallets were unaffected, and that hot wallets had been re-deployed. Lyu pledged that all user funds affected by the breach would be covered completely by KuCoin and its insurance fund. On October 3, 2020, Lyu announced via Twitter that the exchange had identified suspects with substantial proof and had formally engaged law enforcement, though no names or further technical details were disclosed publicly at that time. Lyu later published a year-end letter describing 2020 as a year the exchange 'chose to act' rather than conceal the incident, citing the transparent public disclosure as a deliberate reputational decision.","heading":"CEO Response and Communication","severity":"medium","sources":[{"credibility":1,"name":"KuCoin CEO Livestream Recap — Official KuCoin Announcement","type":"official","url":"https://www.kucoin.com/announcement/en-kucoin-ceo-livestream-recap-latest-updates-about-security-incident"},{"credibility":1,"name":"KuCoin CEO Says Suspects in $281M Hack Identified — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2020/10/03/kucoin-ceo-says-suspects-in-281m-hack-identified-authorities-on-the-case"},{"credibility":2,"name":"Kucoin Boss on Strategy After Hack: 'We Chose to Act' — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/kucoin-boss-on-strategy-after-hack-we-chose-to-act/"},{"credibility":2,"name":"KuCoin Hack's $285M Recovered or Insured: CEO Johnny Lyu — Modern Consensus","type":"news_article","url":"https://modernconsensus.com/cryptocurrencies/kucoin-hacks-285m-recovered-or-insured-ceo-johnny-lyu/"}]},{"content":"KuCoin operates an insurance fund established in early 2018, designed to cover user losses in the event of a security incident. Following the 2020 hack, the exchange stated that the insurance fund was sufficient to cover all user losses irrespective of recovery outcomes. The ultimate recovery breakdown as reported by KuCoin was: approximately 84% of stolen assets recovered via on-chain tracking, contract upgrades, and judicial mechanisms, with the residual 16% (approximately $45.55 million) drawn from the insurance fund. The exchange reported that deposits and withdrawals were fully restored for all tokens by November 22, 2020, approximately eight weeks after the incident. KuCoin stated publicly that no user suffered a permanent financial loss as a result of the hack.","heading":"Insurance Fund and User Compensation","severity":"medium","sources":[{"credibility":2,"name":"KuCoin Covers Losses From 2020 Hack With Insurance — AtoZ Markets","type":"news_article","url":"https://atozmarkets.com/news/kucoin-covers-remaining-losses-from-2020-hack-with-insurance/"},{"credibility":1,"name":"KuCoin Hacked Crypto Exchange Resumes Deposit, Withdrawal Services for All Tokens — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2020/11/22/hacked-crypto-exchange-kucoin-resumes-deposit-withdrawal-services-for-all-tokens"}]},{"content":"On March 26, 2024, the U.S. Attorney's Office for the Southern District of New York unsealed a criminal indictment against KuCoin and two of its co-founders, Chun Gan (known as 'Michael') and Ke Tang (known as 'Eric'). The charges were separate from and unrelated to the 2020 hack, and alleged that KuCoin conspired to operate an unlicensed money transmitting business and willfully failed to maintain an adequate anti-money laundering program in violation of the Bank Secrecy Act. The DOJ alleged that since its founding in 2017, KuCoin received over $5 billion and transmitted over $4 billion in suspicious and criminal proceeds, including funds from darknet markets, ransomware, and fraud schemes. KuCoin allegedly did not require customers to provide identifying information until July 2023, when — after receiving notification of a federal criminal investigation — the exchange adopted mandatory KYC for new customers. KuCoin was also charged with never filing required suspicious activity reports and never registering with FinCEN as a money transmitting business. The two founders were Chinese nationals and remained at large at the time the indictment was unsealed. On January 28, 2025, KuCoin's operating entity PEKEN GLOBAL LIMITED (Seychelles) pleaded guilty to one count of operating an unlicensed money transmitting business and agreed to pay penalties totaling more than $297.4 million, comprising $184.5 million in criminal forfeiture and a $112.9 million criminal fine. As part of the settlement, KuCoin agreed to exit the U.S. market for at least two years, and co-founders Chun Gan and Ke Tang each forfeited $2.7 million and agreed to depart from the company with no further management role.","heading":"DOJ Criminal Charges (2024) and Guilty Plea Settlement (2025)","severity":"critical","sources":[{"credibility":1,"name":"KuCoin and Two Founders Criminally Charged — DOJ SDNY (March 2024)","type":"regulatory","url":"https://www.justice.gov/usao-sdny/pr/prominent-global-cryptocurrency-exchange-kucoin-and-two-its-founders-criminally"},{"credibility":1,"name":"KuCoin Pleads Guilty to Unlicensed Money Transmission, Agrees to Pay $297.4M — DOJ SDNY (January 2025)","type":"regulatory","url":"https://www.justice.gov/usao-sdny/pr/kucoin-pleads-guilty-unlicensed-money-transmission-charge-and-agrees-pay-penalties"},{"credibility":1,"name":"KuCoin Will Exit the U.S. for At Least Two Years as Part of DOJ Settlement — CoinDesk","type":"news_article","url":"https://www.coindesk.com/policy/2025/01/28/kucoin-hit-with-nearly-usd300-million-fine-after-pleading-guilty-to-u-s-doj-charges"},{"credibility":1,"name":"DOJ Accuses KuCoin of Money Laundering — Fortune","type":"news_article","url":"https://fortune.com/crypto/2024/03/26/kucoin-criminal-crypto-binance-doj-cftc-justice-sdny/"},{"credibility":2,"name":"KuCoin and Founders Charged with Operating Illegally as Money Transmitter — Money Laundering Watch","type":"news_article","url":"https://www.moneylaunderingnews.com/2024/04/kucoin-and-founders-charged-with-operating-illegally-as-money-transmitter-and-futures-commission-merchant/"}]},{"content":"Following the breach, KuCoin reported that it undertook a comprehensive upgrade of its security infrastructure, including improvements to its web, application, and API security protocols and re-deployment of its hot wallet architecture. The exchange also introduced enhanced risk control and monitoring systems. KuCoin operates a Secure Asset Fund for Users (SAFU), analogous to the fund operated by Binance, intended to provide a financial backstop for future security incidents. The exchange re-opened all deposit and withdrawal services across all supported tokens by November 22, 2020. Independent security researchers and KuCoin's own post-incident reporting noted that the pre-existing hot wallet key pairs had been in use since at least September 2017, suggesting a prolonged window of potential exposure prior to the breach. KuCoin did not publicly disclose the specific technical remediation steps taken to prevent future private key compromise.","heading":"Post-Hack Security Improvements","severity":"low","sources":[{"credibility":2,"name":"How KuCoin Survived a Massive $285M Hack — CryptoSec","type":"research","url":"https://cryptosec.com/crypto-blockchain-security/kucoin-hack/"},{"credibility":2,"name":"KuCoin September 2020 Hack: Hacken Research","type":"research","url":"https://hacken.io/insights/kucoin-september-2020-hack-hacken-research/"},{"credibility":1,"name":"Secure Asset Fund for Users (SAFU) — KuCoin Learn","type":"official","url":"https://www.kucoin.com/learn/glossary/safu"}]}],"sources_used":[{"name":"Over $280M Drained in KuCoin Crypto Exchange Hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2020/09/26/over-280m-drained-in-kucoin-crypto-exchange-hack"},{"name":"KuCoin CEO Livestream Recap — Official KuCoin Announcement","type":"official","url":"https://www.kucoin.com/announcement/en-kucoin-ceo-livestream-recap-latest-updates-about-security-incident"},{"name":"The KuCoin Hack: DeFi Laundering Analysis — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kucoin-hack-2020-defi-uniswap/"},{"name":"Lazarus Group Pulled Off 2020's Biggest Exchange Hack — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lazarus-group-kucoin-exchange-hack/"},{"name":"KuCoin September 2020 Hack: Hacken Research","type":"research","url":"https://hacken.io/insights/kucoin-september-2020-hack-hacken-research/"},{"name":"KuCoin Thief Sells Out Millions in Crypto Tokens — Elliptic","type":"research","url":"https://www.elliptic.co/blog/kucoin-thief-sells-out-millions-in-crypto-tokens-on-decentralized-exchanges"},{"name":"KuCoin Recovered 84% of Stolen Crypto After $280M Hack — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/kucoin-recovered-84-of-stolen-crypto-after-280m-hack-says-co-founder"},{"name":"Token Projects Are Not Happy With KuCoin's Handling of $280M Hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2020/11/13/token-projects-are-not-happy-with-kucoins-handling-of-280m-hack"},{"name":"KuCoin Hacked Crypto Exchange Resumes Deposit, Withdrawal Services — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2020/11/22/hacked-crypto-exchange-kucoin-resumes-deposit-withdrawal-services-for-all-tokens"},{"name":"KuCoin CEO Says Suspects Identified — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2020/10/03/kucoin-ceo-says-suspects-in-281m-hack-identified-authorities-on-the-case"},{"name":"KuCoin and Two Founders Criminally Charged — DOJ SDNY (March 2024)","type":"regulatory","url":"https://www.justice.gov/usao-sdny/pr/prominent-global-cryptocurrency-exchange-kucoin-and-two-its-founders-criminally"},{"name":"KuCoin Pleads Guilty, Agrees to Pay $297.4M — DOJ SDNY (January 2025)","type":"regulatory","url":"https://www.justice.gov/usao-sdny/pr/kucoin-pleads-guilty-unlicensed-money-transmission-charge-and-agrees-pay-penalties"},{"name":"KuCoin Will Exit U.S. for At Least Two Years as Part of DOJ Settlement — CoinDesk","type":"news_article","url":"https://www.coindesk.com/policy/2025/01/28/kucoin-hit-with-nearly-usd300-million-fine-after-pleading-guilty-to-u-s-doj-charges"},{"name":"DOJ Accuses KuCoin of Money Laundering — Fortune","type":"news_article","url":"https://fortune.com/crypto/2024/03/26/kucoin-criminal-crypto-binance-doj-cftc-justice-sdny/"},{"name":"Kucoin Boss on Strategy After Hack: 'We Chose to Act' — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/kucoin-boss-on-strategy-after-hack-we-chose-to-act/"},{"name":"KuCoin Has Recovered 84% of Affected Funds — The Block","type":"news_article","url":"https://www.theblock.co/linked/84248/kucoin-280m-stolen-recovered"},{"name":"Secure Asset Fund for Users (SAFU) — KuCoin Learn","type":"official","url":"https://www.kucoin.com/learn/glossary/safu"}],"summary":"On September 25, 2020, the KuCoin cryptocurrency exchange suffered a major security breach in which hackers obtained the private keys to the exchange's hot wallets and stole approximately $281 million in Bitcoin, Ethereum, ERC-20 tokens, and other assets — the largest exchange hack of 2020. KuCoin subsequently recovered approximately 84% of stolen funds through on-chain tracking, project-team token swaps, and law enforcement cooperation, with the remaining 16% covered by the exchange's insurance fund. The hack was attributed to North Korea's Lazarus Group by blockchain analytics firm Chainalysis; separately, in March 2024 the U.S. Department of Justice criminally charged KuCoin and two of its founders for operating an unlicensed money transmitting business and Bank Secrecy Act violations, resulting in a $297.4 million guilty plea settlement in January 2025.","timeline":[{"date":"2020-09-25","event":"Hackers begin draining KuCoin hot wallets at approximately 19:05 UTC after obtaining hot wallet private keys. Approximately $281 million in BTC, ETH, ERC-20 tokens, LTC, BSV, XRP, XLM, TRX, and USDT is stolen.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2020/09/26/over-280m-drained-in-kucoin-crypto-exchange-hack"},{"date":"2020-09-26","event":"KuCoin CEO Johnny Lyu hosts a public livestream disclosing the breach, confirms hot wallet private key leakage, re-deploys hot wallets, and suspends deposits and withdrawals. Exchange pledges full user compensation via insurance fund.","source":"KuCoin Official Announcement","source_url":"https://www.kucoin.com/announcement/en-kucoin-ceo-livestream-recap-latest-updates-about-security-incident"},{"date":"2020-09-26","event":"Tether freezes stolen USDT tokens on-chain. Partner exchanges begin blacklisting hacker wallet addresses.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2020/09/26/over-280m-drained-in-kucoin-crypto-exchange-hack"},{"date":"2020-10-03","event":"KuCoin CEO Johnny Lyu announces that suspects have been identified with 'substantial proof' and that law enforcement has been formally engaged.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2020/10/03/kucoin-ceo-says-suspects-in-281m-hack-identified-authorities-on-the-case"},{"date":"2020-10-01","event":"Chainalysis publishes analysis documenting how hackers used DeFi protocols (Uniswap, KyberSwap) to launder stolen ERC-20 tokens, and later attributes the attack to North Korea's Lazarus Group based on money laundering behavioral fingerprints.","source":"Chainalysis","source_url":"https://www.chainalysis.com/blog/lazarus-group-kucoin-exchange-hack/"},{"date":"2020-11-11","event":"KuCoin co-founder announces 84% of stolen assets have been recovered via on-chain tracking, contract upgrades, and judicial recovery. Remaining 16% to be covered by the exchange's insurance fund.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/kucoin-recovered-84-of-stolen-crypto-after-280m-hack-says-co-founder"},{"date":"2020-11-13","event":"Multiple token project teams publicly object to KuCoin's token swap strategy, stating the burden of remediation was improperly shifted to decentralized communities.","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2020/11/13/token-projects-are-not-happy-with-kucoins-handling-of-280m-hack"},{"date":"2020-11-22","event":"KuCoin resumes deposit and withdrawal services for all supported tokens, approximately eight weeks after the hack.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2020/11/22/hacked-crypto-exchange-kucoin-resumes-deposit-withdrawal-services-for-all-tokens"},{"date":"2024-03-26","event":"The U.S. Attorney's Office for the Southern District of New York unseals a criminal indictment against KuCoin and co-founders Chun Gan and Ke Tang for operating an unlicensed money transmitting business and Bank Secrecy Act violations. This is a separate matter from the 2020 hack.","source":"DOJ SDNY","source_url":"https://www.justice.gov/usao-sdny/pr/prominent-global-cryptocurrency-exchange-kucoin-and-two-its-founders-criminally"},{"date":"2025-01-28","event":"KuCoin's operating entity PEKEN GLOBAL LIMITED pleads guilty to unlicensed money transmission and agrees to pay $297.4 million in penalties. KuCoin commits to exiting the U.S. market for at least two years. Co-founders Chun Gan and Ke Tang forfeit $2.7 million each and depart the company.","source":"CoinDesk","source_url":"https://www.coindesk.com/policy/2025/01/28/kucoin-hit-with-nearly-usd300-million-fine-after-pleading-guilty-to-u-s-doj-charges"}]},"v":1}