▸ RANKED BY TOTAL DAMAGE // ALL TIME

TOP 10 BIGGEST HACKS IN HISTORY

From nation-state cyberweapons that destroyed nuclear centrifuges to ransomware that paralyzed entire countries — these are the ten attacks that changed history and cost the world billions.
COMBINED ESTIMATED DAMAGE FROM ALL 10 ATTACKS: $30,000,000,000+
#1
NotPetya — The Most Destructive Cyberattack in History
// JUNE 2017 $10,000,000,000+ DAMAGE ATTRIBUTED: RUSSIA / GRU SANDWORM

Disguised as ransomware but built to destroy, NotPetya was not a criminal operation — it was an act of war. Deployed by Russia's GRU Sandworm unit against Ukraine in June 2017, it used the NSA-developed EternalBlue exploit to propagate across networks at machine speed, encrypting and permanently destroying data with no mechanism for recovery. There was no way to pay a ransom. There was no decryption key. The goal was pure destruction.

What made NotPetya catastrophic was how far it spread beyond its intended target. Within hours, it had escaped Ukraine's borders and was tearing through the networks of global corporations — shipping giants, pharmaceutical companies, advertising conglomerates, and logistics firms — all connected to Ukrainian suppliers or subsidiaries. The world's largest shipping company, Maersk, had to reinstall 45,000 PCs and 4,000 servers in 10 days. FedEx subsidiary TNT lost $400 million. Merck pharmaceutical lost $870 million. All collateral damage from a weapon aimed at a single country.

TOTAL DAMAGE: $10B+ estimated
MAERSK ALONE: $300M loss
MERCK PHARMA: $870M loss
COUNTRIES HIT: 65+ nations
SYSTEMS DESTROYED: 200,000+
EXPLOIT USED: EternalBlue (NSA)
Why it matters: NotPetya proved that cyberweapons cannot be contained. A weapon built to target one country's infrastructure escaped and caused billions in damage to global commerce. It permanently changed how governments and corporations think about nation-state cyber risk.
#2
SolarWinds — Hacking the Hackers
// 2019–2020 $100,000,000,000 INTELLIGENCE VALUE ATTRIBUTED: RUSSIA / SVR COZY BEAR

The most sophisticated espionage operation in cyber history. Russian intelligence (SVR) compromised the build environment of SolarWinds — a company that makes network management software used by 33,000 organizations worldwide. They injected malicious code called SUNBURST into a routine software update. When customers installed the update, they installed the backdoor. Quietly. Automatically. Trusting the software they paid for.

For nine months, Russian intelligence had access to the internal networks of the US Treasury Department, Department of Homeland Security, State Department, Pentagon, and dozens of Fortune 500 companies. The breach was only discovered when cybersecurity firm FireEye noticed their own red team tools had been stolen — and traced the theft back to the SolarWinds update. The full extent of what was accessed remains classified.

ACCESS DURATION: 9+ months
ORGANIZATIONS HIT: 18,000+
US AGENCIES HIT: 9 confirmed
INVESTIGATION COST: $100M+ (US gov)
Why it matters: SolarWinds redefined supply chain risk. If you trust your software vendor, and your vendor is compromised, your trust becomes your vulnerability. Every company now must consider whether their software suppliers might be the weakest link in their security chain.
#3
WannaCry — The Ransomware That Stopped the World
// MAY 2017 $4,000,000,000+ DAMAGE ATTRIBUTED: NORTH KOREA / LAZARUS GROUP

On May 12, 2017, a self-propagating ransomware worm erupted across the internet. Within 24 hours, WannaCry had infected 230,000 computers across 150 countries. It exploited EternalBlue — the same NSA-developed Windows exploit used in NotPetya — to spread automatically without any user interaction. If your Windows system was unpatched and connected to a network, it was infected. Period.
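Both NotPetya and WannaCry spread by having one infected host open SMB (TCP 445) connections to many neighbours in seconds, and that fan-out is the signal a defender can alert on. The following detector is an added example, not code from the page; it assumes a simplified, constructed connection-log line format and reports any source whose distinct port-445 destinations within a sliding window reach a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format for this example: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def build_sample_log():
    """Constructed connection log: one benign workstation plus one worm-like host."""
    base = datetime(2017, 5, 12, 7, 44, 0)
    lines = []
    # Benign: a workstation reaching three file servers, 30 s apart.
    for i, dst in enumerate(["10.0.1.200", "10.0.1.201", "10.0.1.202"]):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} 10.0.1.5 -> {dst}:445")
    # Worm-like: one host contacting 40 distinct neighbours on 445 within 20 s.
    for i in range(40):
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t.isoformat()} 10.0.1.15 -> 10.0.1.{20 + i}:445")
    return lines


def detect_smb_fanout(lines, window_seconds=60, threshold=20, port=445):
    """Return {src_ip: peak distinct destinations} for every source whose count of
    distinct port-445 destinations inside any window_seconds window reaches threshold."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, src, dst, dport = m.groups()
        if int(dport) != port:
            continue
        events[src].append((datetime.fromisoformat(ts), dst))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        peak = 0
        # For each event as a window start, count distinct destinations seen within the window.
        for i, (start, _) in enumerate(evs):
            seen = {dst for t, dst in evs[i:] if t - start <= window}
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts[src] = peak
    return alerts
```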

The human cost was immediate and visible. The UK's National Health Service was devastated — hospitals canceled 19,000 appointments, diverted ambulances, and locked surgeons out of patient records mid-operation. Factories stopped production. Telecom companies went dark. A 22-year-old British security researcher named Marcus Hutchins accidentally stopped the global spread by registering an unregistered domain he found in the malware's code — a kill switch the attackers had built in but never expected anyone to find.

COUNTRIES HIT: 150 nations
INFECTIONS: 230,000+ systems
NHS CANCELED: 19,000 appointments
RANSOM DEMAND: $300–600 per victim
STOPPED BY: Kill switch (domain)
TIME TO SPREAD: 72 hours globally
Why it matters: WannaCry proved that ransomware could threaten human life — not just data. Hospitals unable to access patient records, surgeries canceled, ambulances diverted. The line between cyberattack and physical harm had been crossed permanently.
#4
Stuxnet — The First Cyberweapon
// 2009–2010 $1,000,000,000+ (NUCLEAR PROGRAM SETBACK) ATTRIBUTED: USA / NSA + ISRAEL / UNIT 8200

Stuxnet was not designed to steal data or demand ransom. It was designed to destroy physical machinery — specifically, the uranium enrichment centrifuges at Iran's Natanz nuclear facility. It is the first known piece of malware ever created to cause real-world physical damage, and it changed the definition of warfare forever.

Stuxnet spread via infected USB drives, exploited four previously unknown Windows zero-days simultaneously (an almost unheard-of level of sophistication), and searched specifically for Siemens industrial control systems managing centrifuges. When found, it altered the centrifuges' operating speeds to cause physical stress and destruction — while simultaneously sending fake "all normal" readings to operators so nothing appeared wrong. An estimated 1,000 centrifuges were destroyed. Iran's nuclear program was set back by two years.
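The defensive lesson from the fake "all normal" readings is that an operator display fed by the controller cannot be the only source of truth; an independent measurement the controller cannot touch is needed to catch the discrepancy. The simulation below is an added example, not from the page; its nominal drive frequency, safe band and sample values are constructed, and it flags both disagreement between reported and independently measured values and excursions outside the safe band.

```python
from dataclasses import dataclass


@dataclass
class Sample:
    t: int                # seconds since start (constructed)
    reported_hz: float    # value the PLC/HMI shows the operator
    measured_hz: float    # value from an independent sensor the controller cannot write to


NOMINAL_HZ = 1000.0             # constructed nominal drive frequency, not a real plant value
SAFE_BAND = (950.0, 1050.0)     # constructed safe operating band


def build_sample_telemetry():
    """Constructed run: the operator view stays flat and normal for 60 s while the
    independent sensor shows the drive pushed far above the safe band from t=30 on."""
    samples = []
    for t in range(60):
        measured = NOMINAL_HZ + (2.0 if t % 2 else -2.0)   # ordinary jitter
        if t >= 30:
            measured = 1400.0 + (t - 30) * 0.5            # drive forced out of band
        samples.append(Sample(t, NOMINAL_HZ, measured))
    return samples


def find_telemetry_anomalies(samples, rel_tolerance=0.02):
    """Return [(t, reason)] for every sample where the operator view disagrees with
    the independent sensor, or where the independent sensor leaves the safe band."""
    lo, hi = SAFE_BAND
    anomalies = []
    for s in samples:
        if abs(s.reported_hz - s.measured_hz) > rel_tolerance * s.measured_hz:
            anomalies.append((s.t, "reported value disagrees with independent sensor"))
        elif not (lo <= s.measured_hz <= hi):
            anomalies.append((s.t, "independent sensor outside safe band"))
    return anomalies


def first_anomaly_time(samples):
    """Seconds until the cross-check would first raise an alarm, or None."""
    anomalies = find_telemetry_anomalies(samples)
    return anomalies[0][0] if anomalies else None
```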

ZERO-DAYS USED: 4 simultaneous
CENTRIFUGES DESTROYED: ~1,000
PROGRAM DELAY: Est. 2 years
LINES OF CODE: 500,000+
Why it matters: Stuxnet proved that a cyberattack could cross from the digital world into the physical — destroying real machines, disrupting real infrastructure. Every industrial system connected to any network became a potential target. The age of cyber-physical warfare had begun.
#5
Yahoo Data Breach — 3 Billion Accounts
// 2013–2014 (DISCLOSED 2016) $350,000,000 ACQUISITION LOSS + ONGOING ATTRIBUTED: RUSSIA / STATE-SPONSORED

The largest data breach in history by sheer volume — every single Yahoo account that ever existed was compromised. 3 billion accounts. Names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions were stolen across two separate breaches in 2013 and 2014. Yahoo didn't disclose either breach until 2016, and even then dramatically underestimated the scope.

The timing was catastrophic. Yahoo was in the middle of a $4.83 billion acquisition by Verizon when the breaches became public. Verizon immediately renegotiated, ultimately paying $350 million less than originally agreed. Yahoo's CEO resigned. The company was renamed Altaba and essentially ceased to exist as an independent entity. The breach also exposed a fundamental industry failure: Yahoo was still storing passwords using MD5, a hashing algorithm considered dangerously weak since the early 2000s.
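Unsalted MD5 is fast and maps identical passwords to identical digests, so a stolen table is cheap to attack offline; the fix is a salted, deliberately slow hash, and existing accounts can be migrated transparently at their next successful login. This is an added example using only the Python standard library, not Yahoo's code; the iteration count and the "pbkdf2_sha256$" record format are assumptions for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # assumption for the example; tune to your hardware budget
PREFIX = "pbkdf2_sha256$"


def legacy_md5(password: str) -> str:
    """Unsalted MD5 digest, as a legacy store would hold it (shown only for comparison)."""
    return hashlib.md5(password.encode()).hexdigest()


def make_pbkdf2_record(password: str) -> str:
    """Fresh random salt per user; the record carries its own parameters."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(record: str, password: str) -> bool:
    """Constant-time comparison against either record format."""
    if record.startswith(PREFIX):
        _, iters, salt_hex, dk_hex = record.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    # Anything else is treated as a legacy unsalted MD5 digest.
    return hmac.compare_digest(legacy_md5(password), record)


def login_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Authenticate; on success, replace a legacy MD5 record with a PBKDF2 one."""
    record = store.get(user)
    if record is None or not verify(record, password):
        return False
    if not record.startswith(PREFIX):
        store[user] = make_pbkdf2_record(password)
    return True


def needs_upgrade(store: dict) -> list:
    """Accounts still on the legacy format, for migration reporting."""
    return sorted(u for u, r in store.items() if not r.startswith(PREFIX))
```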

ACCOUNTS BREACHED: 3,000,000,000
ACQUISITION LOSS: $350M discount
DISCLOSURE DELAY: 2–3 years
PASSWORD HASHING: MD5 (obsolete)
Why it matters: 3 billion credentials in criminal hands means virtually every person who used the internet in the 2010s had their information exposed. The Yahoo breach feeds credential stuffing attacks to this day — attackers still try those passwords against other services years later.
#6
Equifax — Half of America's Financial Identity Stolen
// MAY–JULY 2017 $4,000,000,000+ TOTAL COST ATTRIBUTED: CHINA / PLA UNIT 54891

Equifax is one of the three largest credit reporting agencies in the United States — a company that holds the most sensitive financial data on hundreds of millions of Americans. In 2017, Chinese military hackers exploited a known vulnerability in Apache Struts (a patch had been available for two months) and spent 78 days inside Equifax's network, methodically exfiltrating the crown jewels of personal financial data.

147 million Americans had their Social Security numbers, birth dates, addresses, driver's license numbers, and credit card information stolen. This is the data that defines financial identity — once it's gone, it's gone forever. Unlike a password, you cannot change your Social Security number. The four Chinese military officers indicted for the breach were never extradited, and the stolen data has never appeared publicly — suggesting it was used for intelligence purposes rather than financial fraud.

PEOPLE AFFECTED: 147,000,000
SSNs STOLEN: 147M Americans
DAYS UNDETECTED: 78 days
FTC SETTLEMENT: $575M
PATCH AVAILABLE: 2 months prior
TOTAL COST: $4B+
Why it matters: 147 million people cannot change their Social Security numbers. The damage is permanent and lifelong. Equifax also demonstrated that the most sensitive data in existence is often held by companies that receive essentially no government cybersecurity oversight.
#7
Operation Aurora — China Hacks Silicon Valley
// 2009–2010 BILLIONS IN IP THEFT ATTRIBUTED: CHINA / PLA

In late 2009, Google's security team discovered something alarming: sophisticated attackers had been inside their infrastructure for months. The attackers had accessed source code repositories, attempted to access the Gmail accounts of Chinese human rights activists, and stolen intellectual property of incalculable value. Google went public — an almost unprecedented move for a tech company — and triggered one of the first major public confrontations between a private corporation and a nation-state over cyber espionage.

Google wasn't alone. Operation Aurora targeted at least 34 major companies including Adobe, Intel, Juniper Networks, Northrop Grumman, and Morgan Stanley. All were breached through the same zero-day vulnerability in Internet Explorer. The attackers' primary targets appeared to be source code — the most valuable intellectual property these companies possessed. The operation marked the moment Silicon Valley understood it was a permanent target of state-sponsored espionage.

COMPANIES HIT: 34+ including Google
EXPLOIT: IE zero-day
PRIMARY TARGET: Source code theft
SIGNIFICANCE: First public corp vs. nation-state
Why it matters: Operation Aurora was the moment the tech industry accepted that state-sponsored hacking wasn't someone else's problem. Google's decision to go public rather than quietly patch the breach changed how the industry discusses attribution and nation-state threats.
#8
Sony Pictures — The Nuclear Option
// NOVEMBER 2014 $100,000,000+ ESTIMATED ATTRIBUTED: NORTH KOREA / LAZARUS GROUP

North Korea doesn't accept insults quietly. When Sony Pictures announced "The Interview" — a comedy depicting the assassination of Kim Jong Un — Pyongyang issued warnings. Sony proceeded anyway. The response was devastating and unprecedented: a complete network destruction attack that left Sony Pictures unable to function as a company for weeks.

Attackers spent months inside Sony's network before detonating their payload. They stole 100 terabytes of data — unreleased films, salary information for every employee, private emails between executives, Social Security numbers, medical records, and years of confidential business communications. They then leaked it all publicly in waves, maximizing embarrassment. Finally, they deployed a wiper that destroyed the data on Sony's systems. The attack cost Sony over $100 million and the careers of several senior executives whose private emails revealed extremely poor judgment.

DATA STOLEN: 100TB
ESTIMATED COST: $100M+
FILMS LEAKED: 5 unreleased movies
EMPLOYEES AFFECTED: 47,000
Why it matters: Sony proved that a cyberattack can be used as geopolitical retaliation — a state weaponizing hackers against a private company for producing content they disliked. It also showed that insider embarrassment (leaked emails) can be more damaging than the technical breach itself.
#9
Bangladesh Bank Heist — $81 Million Stolen in Hours
// FEBRUARY 2016 $81,000,000 STOLEN ATTRIBUTED: NORTH KOREA / LAZARUS GROUP

The most audacious bank robbery in history never involved a single gun. North Korean hackers spent months inside Bangladesh Bank's network, studying how the SWIFT international payment system worked. Then, on a Friday evening in February 2016, they submitted 35 fraudulent transfer requests worth nearly $1 billion to the Federal Reserve Bank of New York — where Bangladesh Bank holds its foreign currency reserves.

Five transfers totaling $101 million were processed before anyone noticed something was wrong. $20 million was flagged and reversed due to a typo. $81 million reached accounts in the Philippines and was laundered through casinos within days — effectively untraceable. The remaining $850 million in requests was blocked partly by luck: one transfer was flagged because the destination bank name contained the word "fandisha," which a Fed employee looked up and found meant "foundation" in Farsi — triggering a fraud check.
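The requests that got through shared traits a rule-based screen would have caught before any manual lookup: submitted outside business hours, to beneficiaries never paid before, for amounts far above normal, in a batch whose total dwarfed a normal day. The screener below is an added example, not the bank's or SWIFT's software; the known-beneficiary list, business hours, limits and sample batch are all constructed for the example.

```python
from datetime import datetime

# Constructed reference data: beneficiaries this institution has paid before.
KNOWN_BENEFICIARIES = {"ACME BANK LTD / 11111111"}
BUSINESS_HOURS = (9, 17)          # assumed local business hours
SINGLE_LIMIT_USD = 5_000_000      # assumed: above this a second approver is required
BATCH_LIMIT_USD = 50_000_000      # assumed: above this the whole batch is held


def build_sample_batch():
    """Constructed batch (not real SWIFT messages): one routine payment plus a
    cluster of large Friday-evening requests to never-seen beneficiaries."""
    batch = [{"ref": "TX001", "submitted": datetime(2016, 2, 4, 10, 30),
              "amount_usd": 250_000, "beneficiary": "ACME BANK LTD / 11111111"}]
    for i in range(5):
        batch.append({"ref": f"TX{100 + i}", "submitted": datetime(2016, 2, 5, 20, i),
                      "amount_usd": 20_000_000, "beneficiary": f"NEWCO {i} / 9999{i}"})
    return batch


def screen_batch(batch, known=KNOWN_BENEFICIARIES):
    """Return (per-request flags, batch-level flags). Any flagged request is held
    for second-person review instead of being released automatically."""
    per_request = {}
    for r in batch:
        reasons = []
        t = r["submitted"]
        if t.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        if r["beneficiary"] not in known:
            reasons.append("first payment to this beneficiary")
        if r["amount_usd"] > SINGLE_LIMIT_USD:
            reasons.append("exceeds single-payment limit")
        if reasons:
            per_request[r["ref"]] = reasons
    batch_reasons = []
    if sum(r["amount_usd"] for r in batch) > BATCH_LIMIT_USD:
        batch_reasons.append("batch total exceeds daily limit")
    return per_request, batch_reasons


def requests_to_hold(batch):
    """Sorted references of the individual requests that must not auto-release."""
    return sorted(screen_batch(batch)[0])
```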

ATTEMPTED THEFT: $951,000,000
SUCCESSFULLY STOLEN: $81,000,000
RECOVERED: ~$38M partial
LAUNDERED VIA: Philippines casinos
Why it matters: The Bangladesh Bank heist proved that state-sponsored hackers had moved beyond intelligence gathering into direct financial crime — using nation-state resources to fund the regime through bank robbery at scale. North Korea has since stolen an estimated $3+ billion in cryptocurrency using the same approach.
#10
Colonial Pipeline — Fuel Crisis on the East Coast
// MAY 2021 $4,400,000 RANSOM + $1,000,000,000 ECONOMIC IMPACT ATTRIBUTED: DARKSIDE RANSOMWARE GROUP (RUSSIA-BASED)

Colonial Pipeline operates the largest fuel pipeline in the United States, supplying 45% of all fuel consumed on the East Coast. In May 2021, a ransomware group called DarkSide gained access through a single compromised VPN password — an account that wasn't protected by multi-factor authentication. Within hours, they had encrypted Colonial's billing systems and stolen 100GB of data. Colonial's response was to shut down the entire pipeline preemptively.

The shutdown lasted six days and triggered the first federal state of emergency declaration caused by a cyberattack. Fuel prices spiked. Gas stations ran dry across the Southeast. Panic buying spread. Airlines scrambled to reroute flights. Colonial ultimately paid $4.4 million in Bitcoin ransom — a decision the CEO described as "the hardest decision I've ever made." The FBI later recovered $2.3 million of the ransom by seizing the attackers' Bitcoin wallet. The entire crisis began with one unprotected password.

RANSOM PAID: $4.4M Bitcoin
RECOVERED: $2.3M by FBI
PIPELINE DOWN: 6 days
FUEL SUPPLY: 45% of US East Coast
ATTACK VECTOR: 1 compromised password
MFA ENABLED: No
Why it matters: Colonial Pipeline proved that critical infrastructure is catastrophically vulnerable to relatively unsophisticated attacks. The entire crisis — fuel shortages, emergency declarations, national panic — was triggered by a single password without multi-factor authentication. The simplest security measure in existence.