Crypto Hacks & Exploits Database
Pricing
from $2.50 / 1,000 results
Crypto Hacks & Exploits Database
Searchable database of crypto hacks & exploits from DefiLlama (540+ incidents). Filter by date, min amount lost, chain, technique, classification, target type and bridge-hack flag; sort by date or size. Flat CSV/Excel, no API key, no proxy.
Pricing
from $2.50 / 1,000 results
Rating
0.0
(0)
Developer
Berkan Kaplan
Maintained by CommunityActor stats
0
Bookmarked
3
Total users
1
Monthly active users
a day ago
Last modified
Categories
Share
Crypto Hacks & Exploits Database (DeFi, from DefiLlama)
Every major crypto and DeFi hack in one searchable, exportable database. This Actor turns DefiLlama's free, public hacks dataset (540+ incidents back to 2016) into clean, flat rows you can sort, filter and pivot: amount lost, chain(s), attack technique, classification, target type and a cross-chain bridge-hack flag — ready as JSON, CSV, Excel or API.
Built for security researchers, auditors, journalists, insurers, risk desks and analysts who need structured exploit data instead of scattered blog posts. No API key, no login, no proxy, no fragile HTML scraping — one request per run, zero external cost.
- 🛡️ 540+ incidents, structured — the whole DefiLlama hacks list as flat rows, not a wall of articles
- 💸 Amount lost + how it happened — USD stolen, chain, technique, classification and target type per incident
- 🔓 Free public source — no API key, no proxy; one request per run, deterministic output
- ⚡ One run → clean JSON / CSV / Excel / API — filter to your research, sort by size or date
Quick start (API)
Get the 100 biggest hacks (≥ $1M lost), largest first, in one call:
curl -X POST "https://api.apify.com/v2/acts/foxlabs~crypto-hacks-database/run-sync-get-dataset-items?token=YOUR_APIFY_TOKEN" \-H "Content-Type: application/json" \-d '{ "minAmountUsd": 1000000, "sortBy": "amount", "maxResults": 100 }'
Prefer no code? Open the Input tab, set your filters, and click Start — then download the results as JSON, CSV or Excel.
What you get
One clean, flat record per incident:
| Field | Type | Description |
|---|---|---|
rank | integer | Position in the returned set by your chosen sort (1 = first) |
dateIso | string | Incident date, YYYY-MM-DD (empty if the date is unknown upstream) |
name | string | Target / victim name (e.g. Bybit, Ronin Bridge, Poly Network) |
amountUsd | number | null | Estimated USD value lost; null when DefiLlama has no figure |
amountUsdCompact | string | Human-readable amount, e.g. $1.40B, $624.00M, $5.0K |
chainsText | string | Chain(s) involved, comma-joined (e.g. Ethereum, BSC, Polygon) |
classification | string | High-level class, e.g. Protocol Logic, Infrastructure, Ecosystem, Rugpull |
technique | string | Attack technique, e.g. Reentrancy, Flashloan Price Oracle Attack, Access Control Exploit |
targetType | string | Victim category, e.g. DeFi Protocol, CEX, Wallet, Token, Gaming |
bridgeHack | boolean | true if the incident is a cross-chain bridge hack |
returnedFunds | boolean | true when DefiLlama records a returned-funds amount for the incident (DefiLlama's own figure — see Notes) |
returnedFundsUsd | number | null | USD amount DefiLlama records as returned; null when none |
returnedFundsUsdCompact | string | Human-readable returned amount, e.g. $240.00M; empty when none |
language | string | Smart-contract language where known (e.g. Solidity); empty otherwise |
defillamaId | string | DefiLlama's stable internal incident ID (empty for a few older records) |
generatedAtIso | string | ISO-8601 timestamp of when the run produced this row |
Sample output
Two real incidents — a top loss and a well-known returned-funds case. Values are real; rank reflects position in your sorted result set:
{"rank": 1,"dateIso": "2020-12-28","name": "LuBian","amountUsd": 3500000000,"amountUsdCompact": "$3.50B","chainsText": "Bitcoin","classification": "Infrastructure","technique": "Private Key Compromised (Brute Force)","targetType": "Other","bridgeHack": false,"returnedFunds": false,"returnedFundsUsd": null,"returnedFundsUsdCompact": "","language": "","defillamaId": "","generatedAtIso": "2026-07-05T09:00:00.000Z"}{"rank": 2,"dateIso": "2023-03-13","name": "Euler V1","amountUsd": 197000000,"amountUsdCompact": "$197.00M","chainsText": "Ethereum","classification": "Protocol Logic","technique": "Flashloan Donate Function Logic Exploit","targetType": "DeFi Protocol","bridgeHack": false,"returnedFunds": true,"returnedFundsUsd": 240000000,"returnedFundsUsdCompact": "$240.00M","language": "Solidity","defillamaId": "1183","generatedAtIso": "2026-07-05T09:00:00.000Z"}
Input & filters
Every filter is optional — with no input you get the full list, newest first. Filters combine (AND).
- Since date (
sinceDate) — keep only incidents on or after aYYYY-MM-DDdate. Empty = all time. - Min amount lost (
minAmountUsd) — keep only incidents where at least this many USD were lost.0= no filter. - Chain (
chain) — keep incidents involving this chain. Exact chain label, case-insensitive — use DefiLlama's own spelling:Ethereum,BSC,Solana,Arbitrum,Base,Polygon,Bitcoin. (Note: it'sBSC, not "BNB Chain".) - Technique contains (
technique) — substring, case-insensitive — match part of the attack technique:Private Key,Reentrancy,Flashloan,Oracle,Phishing,Access Control. - Classification (
classification) — exact class:Protocol Logic,Infrastructure,Ecosystem,Rugpull. - Target type (
targetType) — exact category:DeFi Protocol,CEX,Wallet,Token,Gaming. (For bridges, use the bridge-hacks flag below — "Bridge" is not a target type.) - Bridge hacks only (
bridgeHackOnly) — keep only cross-chain bridge exploits. - Only returned funds (
onlyReturnedFunds) — keep only incidents where DefiLlama records recovered funds (~29 incidents; see Notes). - Sort by (
sortBy) —amount(biggest loss first) ordate(most recent first). - Max results (
maxResults) — cap the rows returned (up to 100,000).
Example inputs (copy & paste)
// 1) The biggest crypto hacks of all time (>= $10M lost), largest first{ "minAmountUsd": 10000000, "sortBy": "amount", "maxResults": 500 }// 2) Every 2025+ Ethereum incident, newest first{ "sinceDate": "2025-01-01", "chain": "Ethereum", "sortBy": "date" }// 3) Flash-loan / oracle attacks on DeFi protocols, biggest first{ "technique": "Flashloan", "targetType": "DeFi Protocol", "sortBy": "amount" }// 4) Cross-chain bridge hacks only, biggest losses first{ "bridgeHackOnly": true, "sortBy": "amount", "maxResults": 200 }// 5) Private-key compromises, biggest first{ "technique": "Private Key", "sortBy": "amount" }// 6) Centralized-exchange (CEX) hacks since 2019, newest first{ "targetType": "CEX", "sinceDate": "2019-01-01", "sortBy": "date" }// 7) Rugpulls ranked by size{ "classification": "Rugpull", "sortBy": "amount" }// 8) Incidents where funds were (at least partly) returned, largest first{ "onlyReturnedFunds": true, "sortBy": "amount" }
Use cases
- Security research & threat intelligence. Pull the full incident list, group by
techniqueandclassification, and quantify which attack classes (reentrancy, flash-loan oracle, access-control, private-key compromise) are trending — with dated, sortable rows instead of blog archaeology. - Smart-contract audit prep & risk models. Filter by
chainandtargetType: "DeFi Protocol"to build a base rate of exploits per attack technique, and feedamountUsdinto loss-severity models before an audit or launch. - Journalism & incident reporting. Need the facts on a hack? Filter by
name, date range orchain, and cite a consistent amount, technique and classification — or track the biggest losses of the year withsortBy: "amount". - Insurance, underwriting & risk desks. Size DeFi/CeFi tail risk: pull incidents by
targetTypeandminAmountUsd, and analyse loss frequency and severity across chains and years. - Bridge & infrastructure monitoring. Set
bridgeHackOnly: trueto isolate cross-chain bridge exploits — historically among the largest single losses — for a focused risk view. - Dashboards, newsletters & datasets. Schedule a weekly run to keep a live exploit dataset powering a security dashboard, a "hack of the week" newsletter, or an academic study — no scraping to maintain.
Performance & throughput
Each run makes one HTTP request to DefiLlama's public hacks endpoint, then filters and sorts locally — so it's fast and deterministic. There are no external API keys, no proxies and no rate limits to manage; throughput is bounded only by your Apify plan. Because the whole dataset is small (a few hundred incidents), even the largest, unfiltered pull returns quickly.
Integrations
JavaScript (apify-client):
import { ApifyClient } from 'apify-client';const client = new ApifyClient({ token: 'YOUR_APIFY_TOKEN' });const run = await client.actor('foxlabs/crypto-hacks-database').call({minAmountUsd: 1000000, sortBy: 'amount', maxResults: 500,});const { items } = await client.dataset(run.defaultDatasetId).listItems();
Python (apify-client):
from apify_client import ApifyClientclient = ApifyClient("YOUR_APIFY_TOKEN")run = client.actor("foxlabs/crypto-hacks-database").call(run_input={"minAmountUsd": 1000000, "sortBy": "amount", "maxResults": 500,})for item in client.dataset(run["defaultDatasetId"]).iterate_items():print(item["dateIso"], item["name"], item["amountUsdCompact"], item["technique"])
Also works with Make / n8n / Zapier (Apify app → run this Actor, map the input), scheduled runs, webhooks, and the Apify MCP server for AI agents.
Data quality
All values come straight from DefiLlama — never fabricated; a field is empty ("" or null) exactly when the upstream record is.
- Always present:
rank,name,dateIso,targetType,bridgeHack,amountUsdCompact,generatedAtIso. - Present for nearly every incident:
amountUsd(a few incidents have no dollar estimate →null),classification,technique,chainsText. - Present for most incidents:
language(smart-contract language, where DefiLlama records it). - Recovery data (~29 incidents):
returnedFundsistrueandreturnedFundsUsdcarries DefiLlama's recorded amount for the minority of incidents with a recovery; the rest arefalse/null. Treat it as a DefiLlama-sourced signal (see Notes).
Amounts are DefiLlama's best estimates for each incident and may be revised over time.
Pricing
The Actor runs on your Apify plan's compute — there are no proxies and no third-party costs, because it makes a single request to a free public endpoint. Apify's free tier is enough to evaluate the full feature set before you scale, and scheduled re-runs are cheap since each run is one small fetch plus local filtering.
FAQ
Where does the data come from? DefiLlama's public hacks dataset (api.llama.fi/hacks) — a free, no-key endpoint tracking crypto/DeFi exploits.
Do I need an API key or account? No key for the data itself. You need an Apify token to run the Actor via the API (the Input → Start button needs nothing extra).
How fresh is the data? Each run fetches the current DefiLlama list, so you always get the latest incidents. DefiLlama adds new hacks over time.
How many incidents are there? 540+ and growing — from 2016 to the present.
What export formats are available? JSON, CSV, Excel, or via the Apify API and integrations.
How do I filter to one chain? Use chain with DefiLlama's exact label (case-insensitive), e.g. "Ethereum", "BSC", "Solana", "Arbitrum", "Bitcoin".
Why did targetType: "Bridge" return nothing? "Bridge" isn't a target type — target types are values like DeFi Protocol, CEX, Wallet. To get bridge exploits, set bridgeHackOnly: true.
How does onlyReturnedFunds work? It keeps only incidents DefiLlama flags with a returned-funds amount (~29 today); each such row also carries returnedFundsUsd. DefiLlama's recovery data is inconsistent for some large incidents, so treat it as a signal to verify — see Notes.
Can I use this data commercially? It's public data provided as-is for research and analytics; you're responsible for your own attribution and compliance. This Actor is not affiliated with DefiLlama.
Is there a rate limit? No external key or limit — throughput is bounded only by your Apify plan, and each run is a single request.
Troubleshooting
- 0 results → your filters are too narrow, or an exact-match value doesn't match DefiLlama's spelling. Chain is
BSC(not "BNB Chain"); target type isDeFi Protocol(not "DeFi");techniqueis a substring, so useFlashloan(one word), not "Flash Loan". Widen the range or fix the value. onlyReturnedFundslooks off for a big incident → it reflects DefiLlama's ownreturnedFundsdata, which is inconsistent for some large hacks (a few are flagged as returned when they weren't). Cross-check individual incidents — see Notes.- A chain / target-type / classification filter is empty → these are exact matches on DefiLlama's own labels. Use the example values in Input & filters (or run once with no filter to see the real labels in
chainsText,targetType,classification). - Some rows have an empty
dateIsoornull amountUsd→ a handful of incidents have no upstream date or dollar estimate; those values are left empty rather than guessed, and undated rows sort last.
Notes, limits & legal (honest)
- Source & attribution. Data comes from DefiLlama's public hacks dataset and is provided as-is for research and analytics. Please credit DefiLlama as the source.
- Not affiliated. This Actor is independent and not affiliated with or endorsed by DefiLlama, or by any protocol, exchange or entity named in the data.
returnedFundsis DefiLlama's figure. DefiLlama records recovered funds as a USD amount for a minority of incidents (≈29;nullfor the rest); this Actor exposes bothreturnedFunds(boolean) andreturnedFundsUsd(the amount). DefiLlama's recovery data is inconsistent — a few large incidents (e.g. Bybit) are marked as returned despite no public recovery — so treat these fields as a DefiLlama-sourced signal and verify individual incidents rather than relying on them blindly.- Amounts are estimates.
amountUsdreflects DefiLlama's best estimate per incident and can be revised as more is known. - Not advice. Nothing here is financial, security or legal advice.
Support
Questions, a field you'd like surfaced, or a custom build? Open the Issues tab on this Actor, or email info@foxlabs.com.tr. We reply fast.
If this Actor saves you time, a ⭐ review really helps.
Changelog
0.3 — 2026-07-05
- Fixed
returnedFunds— it now correctly flags incidents where DefiLlama records recovered funds (previously alwaysfalsedue to an upstream number-vs-boolean mismatch), so theonlyReturnedFundsfilter works (~29 incidents). - Added
returnedFundsUsd+returnedFundsUsdCompact(the recovered amount) anddefillamaId(stable incident ID). - Removed the always-empty
sourcefield.
0.2 — 2026-07-05
- Gold-standard docs rewrite: API quick-start, full field table, real sample output, filter reference, integration snippets (JS / Python / Make / MCP), use cases, FAQ & troubleshooting.
- Corrected filter examples to match DefiLlama's actual labels — chain
BSC(not "BNB Chain"), techniqueFlashloan(one word), target typeDeFi Protocol(not "DeFi"); bridges are matched via the bridge-hacks flag.
0.1.1 — 2026-07-05
- Fixed a dataset-schema validation error that was silently returning zero results — the full incident list is returned again.
0.1.0 — 2026-06-04
- Initial release: searchable crypto hacks & exploits database (540+ incidents) from the free DefiLlama hacks data — filter by date, amount, chain, technique, classification, target type, bridge-hack and returned-funds; sort by date or size; flat CSV/Excel rows, no API key or proxy.
Part of the foXLabs data platform — a suite of public-data scrapers for company, procurement, financial, security and AI-search intelligence. Browse the full Actor suite and free how-to guides at data.foxlabs.com.tr.
