What Is a 51% Attack? How Majority Attacks Work (2026)

The entire promise of a decentralized blockchain rests on a single, deceptively simple assumption: no single party controls the majority of the network. As long as honest participants outnumber malicious ones, the math works, the ledger remains tamper-resistant, and the consensus that validates every transaction is trustworthy. Take that assumption away, and the cryptographic guarantees that supposedly make blockchains immutable start to crumble in very specific, very dangerous ways. That is exactly what a 51% attack is: the moment a single actor seizes enough of the network's consensus power to rewrite history.

A 51% attack, sometimes called a majority attack, is not a theoretical curiosity. It has happened repeatedly to real blockchains. Ethereum Classic, Bitcoin Gold, Vertcoin, and Verge have all been successfully attacked, with combined losses well into the tens of millions of dollars. Each time, the same pattern played out: an attacker temporarily commandeered the majority of the network's hashpower, mined a secret chain longer than the public one, broadcast it to the network, and double-spent coins that exchanges had already credited. The blockchain did not break. It worked exactly as designed. The problem was that the design assumes honest majority, and that assumption failed.

In this guide, you will learn exactly what a 51% attack is, how attackers technically pull one off, what they can and cannot do once they hold majority power, the famous cases that defined the threat, and how modern Proof-of-Work and Proof-of-Stake networks defend against it in 2026. Whether you are an investor wondering if your favorite small-cap chain is safe, a developer building on a less-known network, or simply someone trying to understand crypto's deepest security model, this is the foundational topic you cannot skip.

What Is a 51% Attack?

A 51% attack is an attack on a blockchain in which a single entity, or coalition of cooperating entities, controls more than half of the network's consensus power and uses that majority to manipulate the ledger. On a Proof-of-Work chain like Bitcoin, that consensus power is hashrate, the total computational effort dedicated to mining. On a Proof-of-Stake chain, it is the total amount of cryptocurrency staked to validate blocks. The threshold of 51% is not magical, it is simply the smallest possible majority. Once you cross it, you can outpace the rest of the network at producing valid blocks, and the longest-chain rule (or its PoS equivalent) hands you control of which version of history is canonical.

The reason 51% is the magic number traces directly to how blockchain consensus resolves conflicts. When two miners produce blocks at nearly the same height, the network temporarily holds both versions as candidates, and waits for additional blocks to pile on. Whichever fork accumulates more cumulative work first becomes the official chain, and the orphaned blocks are discarded. If you control 51% of the hashpower, you will always win this race in expectation. Given enough time, your private chain will always grow faster than the honest public chain, even if the honest network is doing everything right. That mathematical certainty is what turns a majority share of consensus power into the ability to rewrite recent history.

What makes a 51% attack so insidious is that it is not a bug, an exploit, or a software vulnerability. The blockchain protocol works exactly as intended. The attacker just provides more "work" than everyone else combined, and the protocol dutifully accepts their version of events. There is no patch you can ship overnight to fix it. The only real defenses are to make acquiring majority hashpower (or stake) prohibitively expensive, or to add additional consensus layers on top, like checkpointing or finality gadgets, that constrain what even a majority can change.

How a 51% Attack Works Step by Step

To understand the mechanics, picture a Proof-of-Work chain where blocks are mined every few minutes and a transaction is considered "settled" after some number of confirmations. The attacker's goal is to spend coins, get them credited somewhere (typically a cryptocurrency exchange where they can be sold or withdrawn into another asset), and then make those original spends disappear from the official ledger so the coins remain in the attacker's wallet. Here is how that plays out in practice.

Step one is acquisition. For a major chain like Bitcoin, this would require a multi-billion-dollar investment in mining hardware, electricity contracts, and physical facilities, which is why no one has ever attempted it. For smaller chains, particularly those that share a hashing algorithm with a larger chain, attackers have simply rented hashpower from cloud mining marketplaces like NiceHash for a few hours. This is exactly how Bitcoin Gold was attacked in 2018 and 2020, and how Ethereum Classic was attacked multiple times.

Step two is mining a secret chain in private. While the rest of the network builds on what they believe is the canonical chain, the attacker mines their own version starting from some recent block. Crucially, in this private chain, the attacker omits the transaction where they sent coins to an exchange. As far as the attacker's private chain is concerned, those coins were never spent and remain in the attacker's wallet.

Step three is the spend. On the public chain, the attacker deposits a large amount of cryptocurrency to a cryptocurrency exchange. They wait for the exchange to credit the deposit (typically after some number of confirmations), then trade those coins for another asset (often Bitcoin or a stablecoin) and withdraw that asset to a different wallet. The withdrawn asset is now safely off the attacked chain and outside the attacker's control footprint.

Step four is the broadcast. The attacker reveals their secret chain, which by now is longer than the public chain because their majority hashrate has been outpacing the honest network. The network's longest-chain rule kicks in and accepts the attacker's chain as the new canonical version of history. Step five is the reorg itself. The original deposit transaction, along with potentially hundreds of other transactions made by other users during that window, gets erased and replaced. The attacker keeps the asset they withdrew, and the coins they originally deposited reappear in their wallet, ready to spend again. That is a double-spend.

What an Attacker Can and Cannot Do

One of the most common misconceptions about 51% attacks is that they give the attacker total control over the blockchain. They do not. A 51% attack is powerful but bounded. Understanding the exact boundaries matters because it tells you what funds are actually at risk and what funds are safe even in the worst-case scenario.

What an attacker with 51% can do: they can double-spend their own recent transactions by orphaning blocks that contained those transactions. They can censor transactions by refusing to include them in any blocks they mine, which can stall confirmations indefinitely if they hold majority for long enough. They can reorder transactions within blocks they produce. They can prevent other miners' blocks from sticking, gradually starving them of block rewards. And they can perform deep chain reorganizations, sometimes hundreds of blocks deep, which is what makes the attack so damaging when it succeeds.

What an attacker with 51% cannot do: they cannot steal coins from arbitrary addresses they do not control private keys for. The cryptographic signatures protecting wallet balances are independent of consensus power. They cannot create new coins out of thin air outside the protocol's emission schedule, because every node validates that block rewards follow the rules. They cannot change protocol rules unilaterally (no changing total supply, no changing the proof-of-work algorithm itself, no editing the genesis block). And critically, they cannot alter old, deeply confirmed transactions in any practical sense. The deeper a transaction is buried, the more blocks the attacker would have to re-mine to displace it, and at some point the cost becomes prohibitive even with majority hashrate.

That last point is the foundation of why exchanges use confirmation thresholds. A transaction confirmed by one block is highly vulnerable. A transaction confirmed by six blocks (Bitcoin's classical heuristic) is much harder to reverse. A transaction confirmed by 200 blocks is essentially safe even against a sustained majority attack, because the attacker would need to outpace the honest network for 200 blocks worth of mining, which is enormously expensive in electricity and equipment depreciation.

Real-World 51% Attacks

The history of 51% attacks is dominated by mid-sized Proof-of-Work chains that share hashing algorithms with much larger chains. When a chain uses, say, SHA-256 (Bitcoin's algorithm) but has a tiny fraction of Bitcoin's total hashrate, any miner on Bitcoin can in principle redirect their gear and overwhelm that smaller chain. This is exactly what played out in the cases below.

The Ethereum Classic attacks of 2020 are particularly instructive. Across three separate incidents between July and August, attackers performed deep reorgs (one exceeded 7,000 blocks, rolling back over two days of history), stole millions, and exposed how vulnerable a chain becomes when it shares an algorithm with a much larger sibling. Ethereum Classic used the same Ethash algorithm as the pre-merge Ethereum mainnet, and at the time ETC's hashrate was a tiny fraction of ETH's. Renting just a sliver of ETH-class hashrate was enough to dominate ETC entirely. The cost of one of these attacks was estimated at less than $200,000 in rented hashpower, while the proceeds exceeded $5 million.

Bitcoin Gold (a 2017 Bitcoin fork that uses the Equihash variant Zhash instead of SHA-256) was hit hard in 2018, with the attacker depositing BTG to exchanges, trading it for Bitcoin, withdrawing the Bitcoin, then double-spending the original BTG deposits. The Bittrex exchange alone reportedly lost over $18 million and subsequently delisted Bitcoin Gold. The 2020 follow-up attack was smaller but proved that the underlying weakness had not been fixed: a chain with low hashrate and rentable hardware will always be a target.

Verge stands out for being a 51%/protocol hybrid. Verge has a multi-algorithm proof-of-work, and the attacker exploited a timestamp manipulation bug that combined with majority hashpower on just one of those algorithms to mint coins at a rate far above the intended emission. The result was effectively a 51% attack that also forged supply, which most 51% attacks cannot do.

How 51% Attacks Affect Exchanges and Users

Exchanges are the primary economic target of 51% attacks because they are where attackers convert reorgable cryptocurrency into something non-reorgable, like Bitcoin, a stablecoin, or fiat withdrawal. When a 51% attack happens, the exchange ends up bearing the loss: they credited and processed a deposit that, after the reorg, no longer exists on the chain. They paid out value against a transaction that has been retroactively deleted.

The standard response is to dramatically increase the number of required confirmations before crediting a deposit. After the 2020 Ethereum Classic attacks, several major exchanges raised their ETC confirmation requirements from around 500 to over 7,000 blocks (roughly a full day of waiting). Coinbase went even further, temporarily pausing all ETC trading. This protects the exchange because the deeper the confirmation requirement, the more expensive any reorg attempting to displace those transactions becomes. The trade-off is user experience: deposit times go from minutes to hours or days.

Sometimes the response is more drastic. Bitcoin Gold was delisted by Bittrex after the 2018 attack because the exchange concluded that the chain's economic security model was fundamentally inadequate. When a chain gets delisted by major exchanges, its liquidity collapses, attack incentives drop (less to steal), but so does the practical utility of the token. It is a defensive measure that often hurts the chain more than the attack itself did.

For individual users, the practical impact depends on what you were doing during the attack window. If you simply held coins in a self-custodial wallet and did not transact, you are unaffected because your coins exist on whichever chain wins. The supply has not changed and your private keys still control your address on the canonical chain. If you were trading or moving funds during the attack window, you might find that transactions you thought were confirmed have been erased. Always check your wallet on a reliable blockchain explorer after any reported reorg event to see your actual current balance and history.

Cost of a 51% Attack on Major Chains in 2026

The economic security of a PoW chain is essentially the cost to attack it for one hour. This number varies wildly depending on the chain's total hashrate, the availability of rentable hardware for its specific algorithm, and the current spot price of mining rentals. The website crypto51.app has tracked these estimates for years and remains the standard reference, even if its exact numbers are best understood as order-of-magnitude indicators rather than precise quotes.

For Bitcoin in 2026, the rough cost of a one-hour 51% attack is in the hundreds of millions of dollars. The total network hashrate is so vast, and the amount of SHA-256 ASIC hardware rentable on open markets is so tiny relative to that, that no plausible attacker could acquire majority hashpower without buying and deploying their own industrial-scale facilities. Even if the hardware existed, the electricity costs alone for one hour run into eight figures. This is why Bitcoin has never been 51% attacked and is generally considered the most economically secure blockchain in existence. The block reward and transaction fees in that same hour, by contrast, are worth a small fraction of the attack cost, meaning the attack is profoundly unprofitable even before you account for the fact that a successful attack would likely crash the price.

For Ethereum Classic in 2026, an hour of majority hashrate can be acquired for somewhere between $5,000 and $50,000 depending on availability of Ethash-compatible miners (which became plentiful after Ethereum's merge to PoS in 2022 freed up enormous quantities of GPU hardware). For other small PoW chains, similar or even cheaper rates apply. Crypto51 estimates that many top-100 PoW chains can be attacked for under $1,000 per hour. The math is brutal: if a chain is worth attacking (i.e., you can extract more than the attack costs through double-spends), it will eventually be attacked.

Mining economics, especially after events like the Bitcoin halving, also shape the attack surface. When block rewards drop, marginal miners shut down equipment, hashrate temporarily declines, and the cost of a 51% attack on chains using the same algorithm can dip. Conversely, when a major chain transitions away from a particular algorithm (as ETH did with the merge), the freed hardware can be turned against remaining users of that algorithm. Both effects shape why 2020-2022 saw an increase in 51% attacks on minor Ethash chains.

PoW vs PoS Defense Models

Proof-of-Work and Proof-of-Stake both face the majority attack threat, but the economics and mechanics are fundamentally different. Understanding this difference is one of the strongest arguments either way in the PoW-vs-PoS debate.

The key insight: in PoS, the attacker's capital is inside the system. To attack Ethereum, you would need to acquire and stake a majority share of ETH, which at current prices and stake ratios would cost tens of billions of dollars. Worse, if you then attempt an attack and get caught, the protocol's slashing mechanism destroys your stake. And if slashing alone is not enough, the community can socially coordinate a soft fork that explicitly removes the attacker's stake from the canonical chain, effectively zeroing your investment.

This is the asymmetry: PoW attackers can attack with one chain's worth of hardware and walk away to use that hardware elsewhere. PoS attackers have to put up the native asset itself as a bond, and lose it if they misbehave. PoS does not eliminate majority attacks, but it makes them economically destructive to the attacker in a way PoW does not.

That said, PoS has its own concentration risks: validator centralization, liquid staking dominance by a few protocols, and the emerging risk surface of MEV-driven validator coordination. The 51% problem does not vanish, it transforms.

How to Protect Yourself as a User

Most users will never personally be the target of a 51% attack because attackers go after exchanges where they can convert reorgable coin into non-reorgable value at scale. But users can still be indirectly harmed, and there are simple practices that significantly reduce your exposure.

First, wait for more confirmations than the minimum suggested by your wallet or exchange, especially on smaller chains. Six confirmations on Bitcoin is the long-standing heuristic for a reason. On smaller Proof-of-Work chains, treat any "fast" confirmation count with suspicion. If you are receiving a large payment on a chain whose hashrate would cost only a few thousand dollars per hour to overpower, wait significantly longer than the default.

Second, prefer chains with high hashrate or large staked supply for high-value transactions. The total economic security of a chain is roughly proportional to how much capital is committed to securing it. Bitcoin, post-merge Ethereum, and a small set of other major chains have economic security that makes 51% attacks effectively unaffordable. Settling million-dollar transactions on a top-100 altcoin is taking on risk most users do not realize they have.

Third, use exchanges and custodians with strong reorg protection policies. Major exchanges publish confirmation requirements for each chain, and a transparent, conservative policy is a good sign. If an exchange instantly credits deposits on a smaller chain, that exchange is effectively underwriting the 51% attack risk and may eventually be forced to delist or impose losses on users.

Fourth, for very large holdings, prefer multisig wallet arrangements and well-established chains. Multisig does not defend against a chain reorg, but it does defend against many other classes of attack that often surround 51% events (compromised exchanges, phishing during chaotic windows, rushed transactions). The combination of conservative on-chain security and chain selection compounds.

Fifth, monitor news of any chain you hold. 51% attacks are often preceded by visible hashrate concentration changes or sudden price action. Communities like Reddit's r/CryptoCurrency, dedicated security accounts on X, and on-chain analytics dashboards usually flag these events within hours.

Mitigation Strategies for Networks

Networks themselves have developed several technical and social mitigations against 51% attacks, each with different trade-offs against the core decentralization properties of a public blockchain.

Checkpointing is the most direct defense. The network periodically commits to a specific block hash as immutable. Any reorg that would overwrite a checkpointed block is rejected by nodes, regardless of the proof-of-work behind it. The downside is that checkpointing reintroduces a degree of centralization (someone has to decide what to checkpoint and when), and badly-implemented checkpointing can cause network splits. After its attacks, Ethereum Classic explored modified MERIT/MESS scoring that effectively weights the original chain higher than late-arriving alternatives, making deep reorgs harder.

ChainLocks, pioneered by Dash, are a clever variant. A masternode quorum signs each newly-mined block within seconds of its production. Once a ChainLock is in place, that block is final and cannot be reorged. ChainLocks effectively finalize blocks at the masternode layer, making 51% mining attacks against Dash basically impossible. The trade-off is that you now depend on the masternode network's honesty as well.

Finality gadgets are the PoS-era version of this idea. Ethereum's beacon chain finalizes blocks roughly every two epochs (about 12.8 minutes). Once a block is finalized, reverting it would require at least one-third of all staked ETH to be slashed simultaneously, which is an enormously expensive and detectable event. Finalized history is effectively as immutable as it gets in a permissionless system.

Merge-mining is a more organic defense: small chains attach themselves to a large chain's proof-of-work, so that the large chain's hashrate also secures the small one. Namecoin and Bitcoin have used this approach since the early days. The drawback is that the smaller chain becomes dependent on the larger one's continued cooperation.

And finally there is the simple but effective defense of switching to a less-rentable algorithm or transitioning entirely to PoS. Ethereum's merge in 2022 transformed it from a PoW chain (theoretically vulnerable to 51% mining attack) to a PoS chain where attack would require buying a majority of the staked ETH supply. Many smaller chains have followed similar paths, often after suffering an attack themselves.

Selfish Mining and Related Attacks

A 51% attack is the headline threat, but it is part of a family of consensus-level attacks that get progressively more feasible at smaller share thresholds. Understanding these is useful because they show that "you need 51%" is itself a simplification.

Selfish mining, formally analyzed by Eyal and Sirer in 2013, shows that an attacker with substantially less than 51% (potentially as little as 25-33%, depending on network conditions and propagation latencies) can profitably mine blocks privately and only release them strategically. By doing so, they cause some honest blocks to be orphaned, effectively earning a disproportionate share of block rewards. Selfish mining does not enable arbitrary double-spends like a 51% attack does, but it does undermine the fairness guarantee that block rewards should be proportional to honest hashrate.

Block withholding attacks, eclipse attacks, and timing manipulation attacks fill out the rest of the family. Each requires less raw hashrate than a full 51% attack but achieves more limited goals: censoring specific users, isolating particular nodes from the real network view, manipulating difficulty adjustment, or exploiting orphan-rate dynamics. None of these are as headline-grabbing as a clean 51% double-spend, but they are more practically achievable and have likely happened on various chains without ever being formally identified.

The general principle: the closer a single entity gets to 50%, the more options open up for subtle manipulation, and the line between "honest big miner" and "consensus-level attacker" gets blurry. This is one reason large mining pools historically have voluntarily redistributed hashpower when they approached 50% (Ghash.io famously did this in 2014 after publicly crossing the threshold), to preserve user trust and the integrity of the network they themselves rely on for revenue.

The Future of Majority Attacks

In 2026, the threat landscape for 51% attacks has shifted significantly from where it was at the peak of attack activity in 2018-2020. Most importantly, the largest smart-contract chain (Ethereum) is now PoS, and many smaller chains have followed. The pure-PoW economic-security model is increasingly concentrated in Bitcoin, which is large enough that 51% attacks against it remain effectively impossible, and a long tail of small chains, which remain regularly at risk.

The new frontier of consensus-level attacks lives in PoS territory: re-org attacks driven by MEV opportunities, where a sophisticated validator with enough stake might attempt to re-org a recent block whose contained transactions are more valuable than the block reward. Ethereum's research community has spent considerable effort modeling and mitigating these scenarios, including the "proposer-builder separation" architecture that decouples the act of choosing transactions from the act of proposing blocks.

Restaking introduces another wrinkle. Protocols like EigenLayer let validators stake the same ETH simultaneously across multiple services, which is efficient but means that the slashing-deterrence model is now stretched across more attack surfaces. If a restaker misbehaves on one service, they can be slashed, but if many restakers coordinate, the economic deterrence becomes more complex to reason about. The 51% attack of 2030 may look less like "rent NiceHash hashpower" and more like "coordinate a restaking validator coalition for one block."

Liquid staking concentration is a related concern: when a single protocol (Lido at various points) accumulates close to one-third of all staked ETH, even without malicious intent, the protocol's governance becomes a soft target for the kinds of attacks that a 51% adversary would once have needed mining hardware to attempt. The threat surface has not gone away, it has moved to social and economic layers.

None of this means PoS is broken. Ethereum has not had a successful majority attack and the cost of attempting one remains astronomical. But the security story is no longer "more hashrate equals more safety". It is now a multi-dimensional question involving stake distribution, validator client diversity, restaking exposure, MEV economics, and the social coordination capacity of the underlying community.

Frequently Asked Questions

Conclusion

A 51% attack is the limit case of blockchain security: the scenario where the protocol works perfectly but the assumptions underlying it have failed. It is not a bug in the code, it is a feature of the consensus model that becomes a weapon when economic incentives align in the wrong direction. Understanding it is essential to understanding why some chains are genuinely safe and others are theatrical security at best.

The lesson of the last decade of crypto is that hashrate (or staked supply) is destiny. Chains with overwhelming economic security, like Bitcoin and post-merge Ethereum, have never been successfully majority-attacked, and the cost of doing so is so high that they likely never will. Chains with modest economic security and rentable hardware compatibility have been attacked repeatedly, often multiple times, and will be attacked again whenever the math makes it profitable. There is no clever protocol design that fully escapes this gravity. Checkpointing helps, ChainLocks help, finality gadgets help, and PoS slashing helps, but every defense has its own trade-offs in decentralization, centralization risk, or social coordination requirements.

For users, the practical takeaway is simple. Stick to high-security chains for high-value activity, wait for ample confirmations on anything else, use exchanges with conservative reorg policies, and remember that the security guarantees of a small-cap chain are often weaker than they look on paper. For developers and protocol designers, the 51% attack remains the canary in the coal mine: any consensus mechanism's true security can only be measured against a determined majority adversary, and any design that has not modeled that scenario is not finished. Sixteen years after Bitcoin's whitepaper, the majority attack remains the deepest, most fundamental security question in all of blockchain, and the answer continues to be written in real time by every chain that survives, or fails to survive, contact with reality.

Related Guides

• What Is a Blockchain: Complete Beginner Guide to How Blockchains Work (2026)
• SIM Swap Attacks: How They Work and How to Prevent Them
• What Is an RPC Endpoint? How Wallets Reach Blockchains
• NEAR vs Solana: Layer 1 Blockchains Compared (2026)
• Cardano vs Solana: Layer 1 Blockchains Compared (2026)