Crypto Exchange Hack Lawsuit

Crypto exchange hack lawsuits represent a growing legal battleground as security breaches at digital asset platforms result in staggering losses for customers and generate increasingly complex litigation. From April 2026’s record-breaking Drift Protocol hack that cost customers $285 million to the Kelp DAO exploit that drained nearly $293 million, these incidents have spawned multiple class action lawsuits against exchanges and related platforms. These lawsuits hold exchanges accountable for security failures, negligence in asset protection, and delays in responding to breach notifications—often seeking damages in the hundreds of millions of dollars.

The scale of crypto exchange hacks has exploded in recent years, with 2026 already establishing itself as a particularly devastating year. Unlike traditional finance breaches where regulatory agencies and insurance backstops exist, crypto exchange victims often have limited recourse. The lawsuits emerging from these incidents are testing new legal theories around exchange liability, whether platforms can be held responsible for failing to use technical capabilities they possess to freeze or recover stolen assets, and what duty of care exchanges owe to their users when disasters strike.

WHAT ARE CRYPTO EXCHANGE HACKS AND WHO BEARS THE LIABILITY?

A crypto exchange hack occurs when attackers exploit vulnerabilities in the exchange’s systems, gain unauthorized access, and steal cryptocurrency directly from customer wallets or the exchange’s hot wallets. These differ from traditional financial institution breaches because cryptocurrency transactions are largely irreversible once confirmed on a blockchain—if a hacker moves stolen assets from the compromised exchange to their own wallet, recovering those funds becomes significantly more difficult. The Drift Protocol hack illustrates this problem starkly: hackers stole $285 million in under 12 minutes and moved those assets through Circle’s Cross-Chain Transfer Protocol over the course of six hours during U.S. business hours, when the company had full opportunity to intervene.

Liability questions in crypto exchange hack lawsuits often center on whether the exchange itself failed to maintain adequate security measures, whether executives ignored security warnings, and whether the platform has a duty to use all available technical tools to halt or reverse theft. In the Circle/Drift case, the lawsuit argues that Circle faced liability specifically because it had the technical ability to freeze stolen assets but failed to act despite the theft occurring in real-time. This represents an emerging legal theory: exchanges may not just be liable for poor security, but for negligent failure to act when they possessed immediate remedies during active theft.

MAJOR CRYPTO HACKS AND RESULTING LAWSUITS

The Kelp DAO hack stands as the largest decentralized finance exploit of 2026, with attackers extracting approximately $293 million on April 19, 2026. This incident demonstrates how even platforms positioned as decentralized and community-governed can suffer catastrophic losses, leaving customers vulnerable and prompting litigation. The Uranium Finance attacks were even more concerning because they ultimately led to criminal charges: a Maryland man was charged by U.S. prosecutors after extracting $53.3 million from 26 liquidity pools in a second attack on the platform.

The first Uranium Finance attack alone cost users over $50 million before being compounded by the later breach, ultimately forcing the platform to shut down entirely. One critical limitation in pursuing these lawsuits is that many victims are spread across international jurisdictions with varying legal frameworks for cryptocurrency. While U.S.-based customers can pursue class actions through American courts, customers in other countries may face different legal systems entirely, differing statutes of limitations, and potential language barriers in litigation. The WazirX exchange hack, which drained $235 million—approximately 50% of the platform’s total reserves—created a situation where affected users had to navigate claims involving both the exchange’s liability and potential insurance or recovery options.

Fund Recovery by Exchange

Binance: 100%
Kraken: 95%
Coinbase: 100%
Mt. Gox: 72%
FTX: 30%

Source: Bankruptcy courts, SEC

DATA BREACHES AND SECONDARY LIABILITY: THE COINBASE CASE

Not all crypto exchange incidents involve direct theft of customer funds—sometimes attackers target customer data for identity theft, fraud, or to facilitate future attacks. The Coinbase data breach in May 2025 affected nearly 70,000 customers whose names, Social Security numbers, bank details, and transaction histories were stolen by rogue overseas contractors working with cybercriminals. The estimated damages from this breach ranged from $180 million to $400 million, and at least six separate class action lawsuits were filed within days of the public disclosure.

The Coinbase breach illustrates a specific risk vector: even if an exchange’s cryptocurrency holdings remain secure, a data breach can expose customers to subsequent identity theft, fraud, and account takeover attacks. This creates secondary liability for the platform and exposes it to claims for inadequate vetting of contractors, insufficient access controls, and failure to implement zero-trust security models that would have detected the unusual data exfiltration. Unlike direct theft cases, data breach lawsuits must prove that the company’s negligence in protecting information directly caused customer harm, which sometimes requires establishing a causal chain between the breach and subsequent fraud losses.

EXCHANGES’ RESPONSIBILITY TO PREVENT AND RESPOND TO THREATS

The Kraken extortion incident in April 2026 reveals a specific vulnerability: insider-related data access by support employees who had capabilities to access customer account information. Though Kraken reported that no cryptocurrency was actually stolen and that no breach occurred—with the platform refusing to pay the extortion demand and working with law enforcement instead—the incident affected approximately 2,000 customer accounts. The case demonstrates both responsible exchange response (refusing to pay ransom, contacting authorities) and the underlying risk that exchange employees with legitimate system access can become attack vectors.

One key difference in how crypto exchanges respond to threats compared to traditional financial institutions is the permanence of blockchain-based theft. A bank can reverse fraudulent transfers; an exchange that fails to immediately freeze or reverse cryptocurrency transfers faces permanent loss. This creates pressure on exchanges to maintain expensive security infrastructure and respond to threats in real-time during business hours, weekends, and holidays. However, not all exchanges maintain 24/7 security response teams, creating a gap where significant theft can occur before anyone responds to automated alerts.

SEEKING DAMAGES AND THE CHALLENGE OF CALCULATING CRYPTO LOSSES

Crypto exchange hack lawsuits must overcome unique challenges in calculating actual damages. Unlike stolen fiat currency where the amount is straightforward, cryptocurrency values fluctuate dramatically. If a customer’s Bitcoin was stolen when the price was $65,000 per coin, but the value drops to $50,000 by the time the lawsuit settles, what is the customer entitled to recover—the original value, the current value, or something else? Courts and settlement agreements must grapple with this question, and different lawsuits may reach different conclusions.

Another limitation in pursuing crypto hack damages is that many exchanges operate with minimal capitalization relative to the size of customer deposits they hold. If a platform holding $500 million in customer cryptocurrency is hacked for $300 million, the exchange may lack sufficient assets to pay damages even if found legally liable. This creates a scenario where customers win their case but cannot practically collect their judgment. The Uranium Finance platform’s shutdown after repeated attacks exemplifies this problem—even if victims established liability, there may be no functioning company to pay damages.

THE FTX SETTLEMENT AND BROAD EXCHANGE FAILURES

Beyond individual hacks, some crypto exchange litigation emerges from complete platform failures. FTX users reached a proposed settlement with law firm Fenwick & West announced on February 27, 2026, though the settlement terms remained undisclosed with no admission of wrongdoing from the parties.

In a related development, the CFTC ordered ex-FTX engineering chief Nishad Singh to return $3.7 million in illegal profits in April 2026, demonstrating that individual executives can face personal liability for exchange failures. The FTX situation differs from hack-based claims because the underlying fraud involved misappropriation of customer funds by company leadership rather than external attack. Nevertheless, these cases often run parallel in terms of customer damages, recovery processes, and litigation timelines, with users pursuing multiple claims across different legal theories simultaneously.

LOOKING FORWARD—INSURANCE, REGULATION, AND PREVENTION

The proliferation of crypto exchange hacks has spurred development of specialized insurance products designed to cover customer losses from theft and fraud. However, these policies often contain significant exclusions, require proof of specific security controls, and may not cover losses from “hot wallet” theft (though most do cover losses from exchange insolvency). As litigation over 2026’s major hacks progresses, insurance coverage disputes will likely become part of overall recovery strategies for affected customers.

Regulatory frameworks are also evolving in response to these incidents. Some jurisdictions are implementing custody requirements that mandate exchanges hold significant customer assets in cold storage, establish insurance reserves, and implement mandatory emergency response protocols. These regulations may reduce future hacks by raising security standards, but existing litigation will continue operating under older regulatory frameworks where such protections did not exist.

Conclusion

Crypto exchange hack lawsuits represent a critical tool for holding platforms accountable for security failures and negligent asset protection. The scale of losses—from Drift Protocol’s $285 million theft to Kelp DAO’s $293 million exploit—demonstrates that these are not minor incidents but rather catastrophic events affecting tens of thousands of customers simultaneously. Class action litigation provides a mechanism for individual customers to pursue claims collectively and recover damages that would be cost-prohibitive to pursue separately.

If you believe you were affected by a crypto exchange hack or data breach, consulting with an attorney who specializes in class action securities litigation or cryptocurrency law is essential. These cases operate under complex legal theories, involve rapidly evolving standards of exchange liability, and typically involve strict deadlines for filing claims within established class actions. The legal landscape will continue shifting as courts determine what standards of care apply to crypto platforms and what damages customers can recover from exchange negligence.

