Other
KuCoin Exchange Hack - $281M Stolen, Attributed to Lazarus Group (DPRK)
Incident Details
On September 25, 2020, KuCoin detected large unauthorized outflows from its hot wallets across multiple blockchains including Bitcoin, Ethereum, Litecoin, XRP, Stellar, TRON, and Polkadot. The exchange suspended deposits and withdrawals immediately and CEO Johnny Lyu publicly confirmed the hack on September 26, 2020. Total stolen funds were estimated at approximately $281 million, making it one of the largest exchange hacks at the time.

However, KuCoin recovered approximately $204 million of the stolen funds through a combination of methods: (1) working with blockchain projects to freeze or roll back the stolen tokens at the smart contract level (several ERC-20 token projects froze the attacker’s stolen holdings), (2) law enforcement cooperation to seize funds, and (3) OTC market tracking. KuCoin covered remaining losses through its insurance fund and did not pass losses to users.

In November 2020, KuCoin and Chainalysis publicly attributed the hack to Lazarus Group (North Korea) based on on-chain transaction analysis showing patterns consistent with previous Lazarus Group operations, including the use of specific crypto mixing services and fund flow patterns. The US Department of Justice and CISA subsequently corroborated North Korean attribution for this and similar exchange hacks. The KuCoin hack was part of a larger pattern of Lazarus cryptocurrency theft totaling an estimated $1.3 billion in 2020-2021 alone, used to fund North Korea’s weapons and sanctions-evasion programs.
Technical Details
- Initial Attack Vector: Theft of private keys for KuCoin's hot wallets; the precise method of initial access was not disclosed, but the private keys for hot wallets holding Bitcoin, Ethereum, ERC-20 tokens, and other cryptocurrencies were compromised, enabling mass unauthorized withdrawals
- Vendor / Product: KuCoin (Seychelles-based global cryptocurrency exchange)
Timeline
- 2020-09-25 Breach occurred
- 2020-09-26 Publicly disclosed
- 2020-09-26 Customers notified