BitMart exchange hacked, losses estimated at $196 million.
Bitcoin (BTC) exchange BitMart suffered a massive hack that cost almost USD 200 million, following a security breach in its hot wallets hosted on the Ethereum and Binance Smart Chain (BSC) blockchains. The company itself reported this in a statement published on its blog, which highlights the identification of a "large-scale security breach" related to the ETH and BSC wallets. As they said at the time, they identified how hackers breached the exchange's security. By the company's figures, the thieves made off with approximately USD 150 million.
Security firm PeckShield has reported the hack of two hot wallets, with the 1inch DEX aggregator used to exchange the stolen tokens for ETH. Two BitMart hot wallets have thus been the subject of a multi-million dollar hack: one was an ETH wallet, the other a BSC wallet. The method of the attack is not yet known, although BitMart estimates losses of approximately $150 million. BitMart's other hot wallets are intact, and BitMart is conducting a security review and has suspended withdrawals until further notice.
Through its official Telegram channel, BitMart claimed that withdrawals from those wallets were not out of the ordinary, but it later admitted the attack via the CEO's Twitter feed. In the wake of the hack, the exchange's native token has fallen 9.7% in the last 24 hours and now stands at $0.323248.
Losses have been underestimated, says PeckShield
Blockchain security firm PeckShield Inc estimates losses to be in the region of $196 million, with approximately $100 million lost from the ETH wallet and roughly $96 million on Binance Smart Chain. BSC assets affected include SAFEMOON, X2P, FLNS, FLNS, BabyDoge, HERO, STARSHIP, FLOKI, JULb, CMCX, GMR, SPE, BETU, GMEX, ZOE, MOONSHOT, BPAY, STACK, EnergyX, BSC-USD, and BNB.
PeckShield has revealed from its investigation of the attack that the hacker withdrew funds from the hot wallets and exchanged them for ETH using the 1inch DEX aggregator. The funds were then routed through Tornado Cash, a privacy mixing protocol for the Ethereum blockchain. It breaks the on-chain link between source and destination addresses by using a smart contract that acts as a pool: it accepts ETH deposits from one address and allows withdrawal from another address. The mixer pools funds from multiple users before a transaction reaches its destination. Once the pooling takes place, it is not easy to know where the money went, who conducted the trade, and how much cryptocurrency was involved in the transaction.
It was reported earlier, but it was dismissed as fake news.
Before the company admitted the event, it had already been reported by blockchain security and analytics firm PeckShield via Twitter. On the social network, they reported the withdrawal of around USD 100 million in tokens and crypto assets from the Ethereum wallet and USD 96 million on BSC.
They then shared the list of assets transferred and their amounts. There are about twenty tokens, including alternative cryptocurrencies, such as Safemoon, BUSD, and Binance Coin (BNB). The curious thing is that many of the coins extracted were meme cryptocurrencies, such as Shiba Inu, BabyDoge, or Floki.
One thing that caught the eye is that the exchange called the notifications of the massive theft fake news a few hours before it confirmed the hack. This was documented by PeckShield, which shared screenshots from the company's Telegram group showing the denials of the now-compromised exchange. In one of the responses, the BitMart side asserted that reports of the hack were creating "unnecessary tension" and that they had repeatedly clarified that the exchange's security system had not been breached.
"Withdrawals are normal from hot wallets," they said by way of excuse, while in another message, they denied the hacking and assured that the accounts were "secured."
They will pay with their own funds.
The exchange's CEO, Sheldon Xia, gave an update on the hack early Monday morning. On Twitter, he said that after completing initial security checks and identifying the affected assets, they determined that the security breach originated from a stolen private key that compromised two of their hot wallets.
"Other assets with BitMart are safe and unharmed," he said, noting that the platform will use its funds to cover the incident "and compensate affected users."
"We are also talking to various project teams to confirm the most reasonable solutions, such as token exchanges. No harm will be done to users' assets," he clarified.
He also pointed out that they are now doing "everything possible" to recover the security configurations, as well as their operability:
"We need time to make the necessary arrangements, and your kind understanding during this period will be greatly appreciated. In terms of asset deposit and withdrawal, we are confident that the functions will start gradually on December 7, 2021. Detailed timelines will be announced very soon," Xia concluded.
Huobi commits to support BitMart.
It is helpful if other cryptocurrency exchanges are alert to large deposits made from the Tornado Cash platform. Huobi has indicated via their Twitter account that they are willing to help identify the asset entries involved in the attack. Tornado Cash was developed from open-source research by the Zcash team. Earlier this week, Tornado Cash was also used as an anonymizer in the MonoX Finance DeFi protocol hack.