51% Attack
An attack where a miner controlling majority hashrate can double-spend, censor transactions, and reorganize the blockchain.
Key Takeaways
- A 51% attack occurs when a single entity controls more than half of a blockchain's hashrate, allowing them to mine blocks faster than the rest of the network and rewrite recent transaction history.
- The primary threat is double-spending: an attacker can reverse their own confirmed transactions and spend the same coins twice. However, they cannot steal coins from other addresses or create new coins out of thin air.
- Bitcoin's massive hashrate (exceeding 1 ZH/s as of early 2026) makes a 51% attack economically impractical: estimates put the cost at over $6 billion for a sustained attack, requiring nation-state resources with no guarantee of profit.
What Is a 51% Attack?
A 51% attack is a potential exploit against a proof-of-work blockchain in which a single miner or coordinated group gains control of more than 50% of the network's total mining power. With majority hashrate, the attacker can mine a private chain of blocks faster than the honest network, then broadcast it to overwrite recent history and reverse confirmed transactions.
The concept was first described in Satoshi Nakamoto's 2008 Bitcoin whitepaper, which modeled the probability of an attacker catching up to the honest chain as a Gambler's Ruin problem. The whitepaper showed that unless the attacker controls a majority of hashrate, the probability of success drops exponentially with each additional confirmation.
While Bitcoin itself has never been successfully 51%-attacked, several smaller proof-of-work cryptocurrencies have suffered these attacks repeatedly, resulting in millions of dollars in losses. The security model is fundamentally economic: the cost of attacking the chain must exceed what the attacker can gain.
How It Works
A 51% attack exploits the longest chain rule (or heaviest chain rule), which is how proof-of-work blockchains resolve competing versions of the chain. Nodes always follow the chain with the most accumulated proof-of-work.
- The attacker accumulates more than 50% of the network's total hashrate, either through owned hardware or rented mining power from cloud mining marketplaces
- The attacker begins mining blocks on a private fork of the blockchain without broadcasting them to the network
- While privately mining, the attacker sends cryptocurrency to an exchange or merchant on the public chain, and the recipient sees the transaction confirmed
- Once the attacker's secret chain has more accumulated work than the public chain, they broadcast it to the network
- Honest nodes detect the greater accumulated proof-of-work and reorganize onto the attacker's chain, erasing the original payment
- The attacker's chain contains a conflicting transaction sending the same coins back to their own wallet: a successful double-spend
The Math Behind Confirmations
The number of confirmations a transaction receives directly determines how difficult it is to reverse. With each additional block built on top of a transaction, an attacker needs exponentially more work to catch up with an alternative chain.
The standard recommendation of 6 confirmations (roughly 1 hour on Bitcoin) originates from Nakamoto's whitepaper analysis. After 6 confirmations, the probability of a successful reorganization drops below 0.1% if the attacker controls 10% or less of the hashrate.
| Attacker Hashrate | Confirmations Needed (99.9% certainty) |
|---|---|
| 10% | 5 |
| 20% | 11 |
| 30% | 24 |
| 40% | 89 |
| 45% | 340 |
This is why transaction finality on proof-of-work chains is probabilistic rather than absolute. Higher-value transactions warrant more confirmations.
What an Attacker Can and Cannot Do
What They Can Do
- Double-spend their own coins by reversing confirmed transactions they initiated
- Censor specific transactions by refusing to include them in mined blocks
- Prevent other miners' blocks from being confirmed by always building on their own chain
- Collect all block rewards during the attack period
What They Cannot Do
- Steal coins from addresses they do not own: private keys remain cryptographically secure regardless of hashrate control
- Create new coins beyond the protocol's block reward schedule: other nodes would reject invalid blocks
- Change consensus rules such as the 21 million BTC supply cap or block size: all full nodes independently validate every block
- Reverse other people's transactions: an attacker can only create conflicting transactions for coins they control with their own private keys
Real-World 51% Attacks
While Bitcoin has never been 51%-attacked, several smaller proof-of-work chains have suffered devastating attacks:
Ethereum Classic (2019-2020)
Ethereum Classic was hit by four major 51% attacks between January 2019 and August 2020. The most damaging occurred in August 2020, when an attacker reorganized 4,236 blocks and double-spent approximately $5.6 million worth of ETC. The attacker rented hashpower for roughly $204,000, demonstrating the extreme cost asymmetry that plagues smaller chains. Exchanges responded by increasing confirmation requirements from dozens to hundreds of blocks.
Bitcoin Gold (2018)
In May 2018, attackers used rented hashpower to double-spend approximately $18 million in BTG across multiple exchanges including Bittrex, Binance, and Bithumb. Bittrex subsequently delisted Bitcoin Gold after the project refused to compensate for losses. The attack highlighted the vulnerability of chains that share mining algorithms with larger networks.
Vertcoin (2018)
Vertcoin suffered eight blockchain reorganizations between October and December 2018, resulting in approximately 71,000 VTC being double-spent. The project's price crashed from $0.70 to $0.30, and the team eventually upgraded their mining algorithm as a mitigation.
Cost of Attacking Bitcoin
Bitcoin's security against 51% attacks is primarily economic. The network's hashrate exceeded 1 ZH/s (zettahash per second) in early 2026, making it the most expensive blockchain to attack by orders of magnitude.
| Cost Component | Estimated Cost |
|---|---|
| ASIC hardware acquisition | $4.6+ billion |
| Data center infrastructure | $1.3+ billion |
| Weekly electricity | $130+ million |
| Total (1-week attack) | $6+ billion |
For comparison, attacking smaller proof-of-work chains costs dramatically less. Ethereum Classic can be attacked for roughly $4,200 per hour, and some smaller chains for under $200 per hour. Bitcoin's hourly attack cost exceeds $2 million in electricity alone, before accounting for hardware.
Beyond cost, several structural factors make a Bitcoin 51% attack logistically implausible:
- Bitcoin dominates the SHA-256 mining algorithm, so there is no pool of dormant hashrate that could be redirected against it
- ASIC manufacturers cannot produce enough machines fast enough for a single buyer to covertly accumulate majority hashrate
- Mining is geographically distributed across North America, Central Asia, and Northern Europe, making coordination or seizure extremely difficult
- A successful attack would crash Bitcoin's price, destroying the value of the very coins the attacker is trying to steal
Mitigations
Several mechanisms protect against 51% attacks or limit their impact:
- Confirmation requirements: exchanges and merchants require more confirmations for higher-value transactions, increasing the cost and duration of any attack
- Hashrate monitoring: sudden changes in hashrate distribution are publicly visible, allowing the community to respond before an attack succeeds
- Checkpointing: some chains implement periodic checkpoints that prevent reorganizations beyond a certain depth
- Algorithm changes: vulnerable chains can switch mining algorithms to prevent hashrate rental attacks, as Vertcoin did after its 2018 attacks
- Layer-2 solutions: protocols like the Lightning Network and Spark reduce reliance on on-chain confirmations for everyday transactions, limiting the surface area for 51% attacks
Why It Matters
The 51% attack is a foundational concept in blockchain security because it defines the trust model of proof-of-work systems. Understanding this attack vector is essential for evaluating the security of any cryptocurrency.
For Bitcoin users, the practical risk is negligible: the economic cost far exceeds any potential gain. But for users of smaller proof-of-work chains, the threat is real and has been demonstrated repeatedly. This is one reason why fast finality and layer-2 solutions have become critical infrastructure. Protocols like Spark inherit Bitcoin's base-layer security while providing faster settlement, reducing the confirmation window during which a 51% attack could theoretically affect a transaction.
The economics of 51% attacks also explain why hashrate is the single most important metric for evaluating a proof-of-work chain's security. A chain's resistance to attack scales directly with the cost of acquiring majority mining power.
Risks and Considerations
- Mining pool concentration poses a theoretical risk: if a single pool controls a significant share of hashrate, a compromised or malicious pool operator could attempt reorganizations. In practice, individual miners can leave a pool at any time, limiting this risk.
- Hashrate rental marketplaces like NiceHash have made 51% attacks more accessible for smaller chains by eliminating the need to own hardware. MIT researchers detected over 40 chain reorganizations in 2019-2020 alone.
- Chains that share a mining algorithm with a much larger network (such as Bitcoin Cash sharing SHA-256 with Bitcoin) face elevated risk because attackers can temporarily redirect hashrate from the larger chain.
- The 6-confirmation standard assumes an attacker with roughly 10% of hashrate. For high-value transactions on chains with concentrated mining, more confirmations may be appropriate.
This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.