Eighteen years of crypto history, organized around custody, security, and risk. Every major event in this list left behind a lesson that holders should not have to re-learn. Mt. Gox, The DAO, Terra/LUNA, FTX — every name is tuition paid.

History does not repeat exactly, but it rhymes. When Mt. Gox failed in 2014, no one imagined that an exchange ten times its size would do something similar eight years later. Holders who lost coins on Mt. Gox warned everyone. Most of those warnings were ignored.

2009-01 · Bitcoin's genesis block

Satoshi Nakamoto mines block zero with the headline "Chancellor on brink of second bailout for banks." For three years almost no one outside cypherpunk mailing lists knew it existed. Lesson: the cost of being early is being early-and-misunderstood; the cost of being late is being late-after-everyone-else.

2010-05 · 10,000 BTC for two pizzas

Laszlo Hanyecz pays 10,000 BTC for two Papa John's pizzas — about $41 at the time, about $1 billion at today's prices. The first lesson early holders left behind: the asset is real; do not under-value optionality on a tiny position.

2011-06 · Mt. Gox first hack

An attacker accesses an internal Mt. Gox account and dumps 200,000 BTC into the order book, crashing price from $32 to one cent in minutes. The exchange survived and most accounts were restored. The lesson — "centralized exchanges can have catastrophic single-point failures" — was on the table from year three. Almost nobody internalized it.

2013-10 · Silk Road shut down, BTC breaks $1,000

The FBI seizes the Silk Road darknet marketplace and 144,000 BTC owned by Ross Ulbricht. The narrative shift — from "internet drug money" to "macro asset" — accelerates. BTC closes above $1,000 for the first time. For holders, the lesson was about jurisdictional risk: the FBI could seize on-exchange coins, but private keys held offline remained outside their physical reach.

2014-02 · Mt. Gox collapses

850,000 BTC disappear from Mt. Gox. The exchange files for bankruptcy in Tokyo. Investigations later show the coins were drained over years through a combination of hot-wallet theft and internal mismanagement. This is the single most expensive custody lesson in crypto history. Every "not your keys, not your coins" essay traces back to this event. Holders who had moved coins off-exchange survived; everyone else either waited a decade for partial recovery or lost everything.

2015-07 · Ethereum mainnet launches

Vitalik Buterin's smart-contract platform goes live. A new attack surface is born: contracts that hold funds and execute arbitrary code. Within a year, the consequences would be visible.

2016-06 · The DAO hack

An attacker exploits a reentrancy bug in The DAO contract and drains 3.6 million ETH (about $50 million at the time, $9 billion today). The Ethereum community hard-forks to reverse the transaction; the original chain continues as Ethereum Classic. For holders, the lesson was new: smart-contract risk is not the same as exchange risk — the code itself can fail. From this point, "approval hygiene" becomes a custody concept.

2019-05 · Binance loses 7,000 BTC, invokes SAFU

An attacker uses a combination of phishing, viruses, and API exploitation to drain 7,000 BTC from a Binance hot wallet. CZ uses the SAFU fund to cover the loss; no user accounts are debited. The lesson — "self-insurance funds are real, but they only work if the exchange is honest about losses" — is one of the few positive case studies in CEX history.

2020-06 · DeFi Summer

Compound launches COMP token distribution; yield farming explodes. Total value locked in DeFi grows from $1B to $15B in six months. New attack vectors arrive almost weekly: flash loans, oracle manipulation, governance attacks, infinite-mint bugs. The custody lesson: signing a transaction is not the same as reading it. The "infinite approval" pattern, normalized by Uniswap, would silently set up the next decade of approval-phishing.

2021-11 · BTC at $69,000, NFT mania peak

Bitcoin tops $69K. OpenSea hits record monthly volume. Bored Ape Yacht Club mints near $250K each. The custody story underneath: phishing scales with prices. Discord servers are compromised, fake-mint sites get cloned daily, and Permit / setApprovalForAll attacks begin draining wallets that never touched a "buy" button.

2022-05 · Terra/LUNA implosion

The algorithmic stablecoin UST loses its peg. LUNA falls from $80 to fractions of a cent in five days. $40 billion in nominal value evaporates. Anchor Protocol depositors lose nearly everything. Lesson: "high-yield stablecoin" is an oxymoron until proven otherwise; algorithmic pegs are not equivalent to fiat-backed reserves.

2022-06 · Celsius and Three Arrows freeze

The first major dominoes of the 2022 contagion fall. Celsius Network halts withdrawals; Three Arrows Capital is forced into liquidation. Centralized lending platforms turn out to have been running on rehypothecation and undisclosed leverage. Self-custody arguments — quiet since 2019 — return.

2022-11 · FTX collapses

FTX, the second-largest exchange in the world, files for bankruptcy. Sam Bankman-Fried is later convicted of fraud. Customer funds had been commingled with Alameda Research and used for proprietary trading. The biggest custody failure since Mt. Gox. $8 billion in customer funds missing at the moment of collapse. The lesson from 2014, written in 2022's blood: Proof of Reserves is not a marketing slogan; it is a survival mechanism.

2023-03 · USDC depegs as Silicon Valley Bank fails

Circle holds 8% of USDC reserves at SVB. When SVB collapses, USDC trades at 88 cents for 36 hours. The Fed eventually backstops SVB deposits and USDC restores its peg. Lesson: even fiat-backed stablecoins carry banking-system risk. A holder's exposure to "the US banking system" can leak into supposedly crypto-only positions.

2024-01 · Spot BTC ETF approval

The SEC approves spot Bitcoin ETFs after a decade of denials. BlackRock, Fidelity, Bitwise, and others list within weeks. Institutional capital flows in. For self-custody holders, this is a mixed signal: ETF inflows raise floor prices but normalize "Bitcoin without bitcoin" — exposure to BTC price without the custody discipline that makes BTC worth holding.

2024-12 · MiCA fully effective in EU

The EU's Markets in Crypto-Assets regulation enters full force. EU-based exchanges must register; stablecoin issuers must hold reserves at EU banks under specific capital rules. Tether is delisted from most EU venues. The lesson for non-EU holders: jurisdictional fragmentation is the new normal; pick a CEX that operates in your jurisdiction or accept the off-ramp friction.

2025–2026 · Permit-phishing industrialization

EIP-2612 and Permit2 signatures become the dominant attack vector on Ethereum and L2s. Attackers no longer need a victim to send funds — a single off-chain signature transfers approval rights, which are then exercised at the attacker's chosen moment. Drainer-as-a-service kits become commercially available on dark forums. The 2026 lesson, still being written: read every off-chain signature with the same rigor you would read an on-chain transaction.

Three threads across 18 years

Thread 1 · Custodial loss. Mt. Gox (2014), QuadrigaCX (2019), Celsius (2022), FTX (2022), Multichain (2023). Every one is the same shape: a counterparty held your coins, and the counterparty was less trustworthy than advertised. The cure is self-custody.

Thread 2 · Smart-contract loss. The DAO (2016), Parity multisig freeze (2017), Wormhole bridge (2022), Ronin bridge (2022), Euler Finance (2023). The pattern: contracts holding pooled funds become magnets for exploits. The cure is approval hygiene — never grant unlimited spend, revoke after use.

Thread 3 · Signature / phishing loss. ICO phishing (2017), Discord drainer campaigns (2021–2022), Inferno Drainer (2023), Permit2 industrial phishing (2025–2026). The pattern: the attack moves from your password to your signature, and signatures cannot be reversed. The cure is hardware-wallet verification and a moment of skepticism on every transaction screen.

A note on what's next

History does not tell you when the next collapse arrives, but it does tell you the shape it will likely take. The next custody loss will look like one of the three threads above — or a combination — and "this time is different" will be the warning sign that it is not.

Bookmark this page and check back in six months. New events will be added; old entries will be revised when better information emerges. Every entry traces back to a specific lesson; the lessons themselves do not change as fast as the headlines do.

Further reading