Cryptocurrency exchange BitMart has pledged to dig into its own pocket to pay back users affected in a cyberattack that drained it of about $150 million worth of cryptocurrencies, according to a tweet put out by BitMart CEO Sheldon Xia on Monday.
2/4 BitMart will use our own funding to cover the incident and compensate affected users. We are also talking to multiple project teams to confirm the most reasonable solutions such as token swaps. No user assets will be harmed.
— Sheldon (@sheldonbitmart) December 6, 2021
On Saturday, BitMart announced that attackers had stolen a private key and compromised two of the exchange’s hot wallets on the Ethereum (ETH) blockchain and the Binance smart chain (BSC), making off with approximately $150 million worth of assets in a “large-scale security breach.”
However, blockchain-security and data-analytics firm PeckShield – the first to notice the breach on Saturday – estimated that the loss is closer to $200 million. On the day of the breach, PeckShield tweeted out a list of affected assets/amounts on @BinanceChain, noting that the losses were worth about $100 million from the Ethereum wallet and about $96 million from the Binance Chain wallet.
Total estimated loss: ~200M (~100M on @ethereum and ~96M on @BinanceChain ). (Previously we only counted the loss on @ethereum). And here is the list of affected assets/amounts on @BinanceChain pic.twitter.com/cXXApDFtd7
— PeckShield Inc. (@peckshield) December 5, 2021
The assailants made off with a mix of more than 20 tokens, including Binance Coin, SafeMoon and Shiba Inu.
BitMart hasn’t figured out exactly how the attackers pulled off the breach, but what happened after was pretty straightforward, according to PeckShield: It was a classic case of “transfer-out, swap and wash.”
PeckShield shared an illustration of the attack chain, shown below.
The infographic depicts funds being transferred out of BitMart, after which the thieves apparently used the decentralized exchange aggregator known as 1inch to swap the stolen tokens for Ether. Then, they deposited the Ether into a privacy mixer known as Tornado Cash, a “washer” that makes the funds tough to trace by breaking the on-chain link between source and destination addresses.
It’s not known if particular users were targeted.
Hot vs. Cold Wallets
In cryptocurrency-speak, a hot wallet refers to a wallet – a collection of private keys – that’s connected to the internet. That internet connection exposes it to threat actors who can steal funds, but it also makes it faster to transact from than a cold wallet, which is kept offline and is more secure but slower to use.
BitMart noted that the affected wallets carried only “a small percentage” of its assets and that the remainder of its wallets escaped unscathed.
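As an added illustration of the two defensive points above (this is example code, not PeckShield's or BitMart's), the following monitor flags the “transfer-out” stage of a hot-wallet drain from a transfer log and reports what share of total reserves sits in hot wallets. All transfer records, addresses, thresholds and balances below are constructed for the example.

```python
"""Hot-wallet outflow monitoring (added example; data is constructed).

Two checks a custodian can run over its own records:
  1. detect_drain(): a sliding-window detector that fires when a short burst of
     multi-token withdrawals to an unfamiliar address exceeds a USD limit.
  2. hot_wallet_share(): how much of total reserves a set of hot wallets holds.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, FrozenSet, List


@dataclass(frozen=True)
class Transfer:
    ts: int          # unix timestamp, seconds
    wallet: str      # label of the source hot wallet
    token: str
    usd_value: float
    to_addr: str     # destination address


def detect_drain(transfers: List[Transfer], window_s: int = 600,
                 usd_limit: float = 1_000_000, min_tokens: int = 3,
                 known_addrs: FrozenSet[str] = frozenset()) -> List[dict]:
    """Return one alert per burst in which, within window_s seconds, outflows
    reach usd_limit, span at least min_tokens distinct tokens, and at least one
    destination is not on the allow-list. Edge-triggered, so a long burst
    produces a single alert rather than one per transfer."""
    alerts: List[dict] = []
    window: Deque[Transfer] = deque()
    usd_sum = 0.0
    triggered = False
    for t in sorted(transfers, key=lambda x: x.ts):
        window.append(t)
        usd_sum += t.usd_value
        # Drop records older than the window (t itself always stays).
        while t.ts - window[0].ts > window_s:
            usd_sum -= window.popleft().usd_value
        tokens = {w.token for w in window}
        unknown = {w.to_addr for w in window} - known_addrs
        cond = usd_sum >= usd_limit and len(tokens) >= min_tokens and bool(unknown)
        if cond and not triggered:
            alerts.append({
                "start": window[0].ts, "end": t.ts,
                "usd": round(usd_sum, 2),
                "tokens": sorted(tokens),
                "unknown_addrs": sorted(unknown),
            })
        triggered = cond
    return alerts


def hot_wallet_share(balances_usd: Dict[str, float],
                     hot_wallets: FrozenSet[str]) -> float:
    """Fraction of total reserves (in USD) held by the given hot wallets."""
    total = sum(balances_usd.values())
    hot = sum(v for k, v in balances_usd.items() if k in hot_wallets)
    return hot / total if total else 0.0


# Constructed sample: routine small transfers to known custody addresses,
# followed by a five-token burst to a never-seen address within three minutes.
KNOWN_ADDRS = frozenset({"0xcustodyA", "0xcustodyB"})
SAMPLE_TRANSFERS = [
    Transfer(1000, "eth-hot", "ETH", 20_000, "0xcustodyA"),
    Transfer(1300, "eth-hot", "USDT", 15_000, "0xcustodyB"),
    Transfer(2000, "eth-hot", "ETH", 8_000, "0xcustodyA"),
    Transfer(5000, "eth-hot", "ETH", 900_000, "0xUNKNOWN1"),
    Transfer(5030, "eth-hot", "USDT", 700_000, "0xUNKNOWN1"),
    Transfer(5060, "eth-hot", "SHIB", 500_000, "0xUNKNOWN1"),
    Transfer(5100, "eth-hot", "SAFEMOON", 400_000, "0xUNKNOWN1"),
    Transfer(5160, "eth-hot", "BNB", 300_000, "0xUNKNOWN1"),
]
# Constructed balances: two hot wallets holding 3.5% of a $100M reserve.
SAMPLE_BALANCES = {"eth-hot": 2_000_000.0, "bsc-hot": 1_500_000.0,
                   "cold-1": 96_500_000.0}
HOT_WALLETS = frozenset({"eth-hot", "bsc-hot"})


def run_sample() -> List[dict]:
    return detect_drain(SAMPLE_TRANSFERS, known_addrs=KNOWN_ADDRS)


if __name__ == "__main__":
    for alert in run_sample():
        print("DRAIN ALERT:", alert)
    print(f"hot-wallet share of reserves: {hot_wallet_share(SAMPLE_BALANCES, HOT_WALLETS):.1%}")
```

The detector fires on the third burst transfer (three distinct tokens, over $1M, unknown destination) and stays silent for the routine traffic; the thresholds are placeholders that an operator would tune to its own withdrawal profile. The share check is the number behind statements like “a small percentage of assets,” and is the limit an exchange enforces when it periodically sweeps hot-wallet balances into cold storage.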
The exchange has temporarily suspended withdrawals until further notice. Xia said on Twitter that BitMart is “doing our best to retrieve security setups” and resume operations. “We need time to make proper arrangements and your kind understanding during this period will be highly appreciated,” he said.
BitMart is now conducting “a thorough security review” and promised to post updates as its investigation progresses. In addition, Xia will conduct an “ask me anything” session at 8 p.m. ET on Monday evening to share more about the breach, the compensation arrangement and the company’s plan to resume operation.
Xia said that BitMart is confident that deposits and withdrawals will gradually resume tomorrow, Dec. 7, and that detailed timelines will be announced “very soon.”
The BitMart heist is just the latest in a string of attacks that have targeted cryptocurrency platforms including Poly Network, Cream Finance, Liquid and bZx. Last week, an attacker stole $120 million in cryptocurrency by compromising the BadgerDAO decentralized finance (DeFi) website, draining dozens of wallets before the project could freeze its vaults.
“It’s no surprise that attackers are targeting cryptocurrency exchanges, in many ways they are the new banks, which makes this a modern version of a bank heist with arguably less risk and less effort,” Steve Forbes, government cybersecurity expert at Nominet, said via email. “With a lot of media focus around the use of cryptocurrency for nefarious purposes, I expect these criminals are also hoping to attract less attention from law enforcement.”