Nearly $200 Million Stolen in BitMart Crypto Exchange Hack
Threat Actor Breaches the Exchange, Which Says It Will Cover Losses
Nearly $200 million has reportedly been stolen from the cryptocurrency exchange BitMart, according to China-based blockchain analytics firm PeckShield, which tracked the heist beginning Saturday. The CEO of BitMart, which is one of the top centralized crypto exchanges by volume, took to Twitter in the wake of the attack and indicated that the company will use its own funding to cover losses for affected users.
In a formal statement issued on Saturday, BitMart confirmed the incident, writing: "We have identified a large-scale security breach related to one of our ETH [Ethereum] hot wallets and one of our BSC [Binance Smart Chain] hot wallets today. At this moment we are still concluding the possible methods used. Hackers were able to withdraw assets of the value of approximately $150 million USD."
Hot wallets, which allow cryptocurrency owners to receive and send tokens, are internet-facing, and thus susceptible to potential attack. Conversely, cold wallets, or hardware wallets, keep crypto assets offline.
Security experts at PeckShield said on Twitter that related losses appear to be higher, per Etherscan data. The firm wrote: "Total estimated loss: ~200M (~100M on @ethereum and ~96M on @BinanceChain). (Previously we only counted the loss on @ethereum)."
A spokesperson for BitMart, whose services include spot transactions, futures trading, and lending and staking services, tells Information Security Media Group: "We will work closely with law enforcement to solve the issue. ... We are tracking the hackers' activities and doing our best to recover the stolen assets. The crypto community should work together to fight against hackers' activities. Thanks everyone for stand[ing] for BitMart."
"To the attackers, [these crypto heists] compare very favorably with ransomware attacks, which can take longer, require more effort and investment, and - in 66% of the cases - result in no payout," says Andrew Rose, resident CISO at the security firm Proofpoint. "The penny appears to have dropped that the cryptocurrency platforms, whose market enables their criminal industry, are not as mature as the figures held in their collective wallets suggest they should be."
BitMart CEO Sheldon Xia also tweeted on Monday that the exchange "has completed initial security checks and identified affected assets," adding that the breach "was mainly caused by a stolen private key."
"We are also talking to multiple project teams to confirm the most reasonable solutions such as token swaps. No user assets will be harmed," Xia wrote. "We need time to make proper arrangements and your kind understanding during this period will be highly appreciated."
The CEO also indicated that deposit and withdrawal functions will "gradually begin" starting Tuesday.
'A Small Percentage of Assets'
In its statement, updated on Monday, BitMart confirmed that its affected hot wallets carry "a small percentage of assets" on the platform, and that its other wallets are "secure and unharmed."
Assessing the event, PeckShield also tweeted, "Pretty straightforward: transfer-out, swap, and wash."
The firm said tens of millions of dollars began to flow to an address dubbed "BitMart Hacker" by Etherscan. The analytics firm placed losses at approximately $100 million in several cryptocurrencies on the Ethereum blockchain and another $96 million in coins on the Binance Smart Chain. Altogether, the hackers lifted upward of 20 different tokens, including Binance Coin, SafeMoon and Shiba Inu.
Once in possession of the funds, the threat actors reportedly used the decentralized exchange aggregator "1inch" to obtain ether, and then the privacy mixer Tornado Cash, which can obfuscate funds by mixing illicit tokens with "clean" crypto - making the proceeds more difficult for law enforcement authorities to trace.
On the scope of the attack, Rose, who is the former CISO and head of cybersecurity for Britain's NATS Holdings, formerly the National Air Traffic Services, adds, "The unregulated nature of the coinage can lead to platforms being available which would not pass muster from a Federal Reserve or Financial Conduct Authority audit. Huge sums of money are held by online firms with little experience or maturity, and the attackers have noticed."
"This weekend's attack will certainly bring trust [associated with BitMart] into question in the eyes of the exchange's customers," says Michael Fasanello, who has served in various roles within the U.S. Justice and Treasury departments, including for Treasury's Financial Crimes Enforcement Network, or FinCEN. "The extent and frequency of these hacks will [also] pique the interest of regulators worldwide. … Make no mistake: Regulation is coming."
Fasanello, who is currently the director of training and regulatory affairs for the firm Blockchain Intelligence Group, also says, "Firms should become comfortable sparing no expense in terms of cybersecurity. Similarly, with no FDIC coverage in place, victims of these hacks - both the exchanges themselves as well as their customers - are left holding the bag with no recourse."
Other Crypto Hacks
Last week, decentralized finance platform BadgerDAO announced a sizable breach. A DAO, or decentralized autonomous organization, is an automated environment for the facilitation of crypto transactions. DAOs attempt to reach a maximum level of decentralization.
In the recent incident, BadgerDAO's front end was reportedly compromised, and hackers made off with around $120 million, according to the firm PeckShield. Crypto lender Celsius Network, which describes itself as a "platform of curated services that have been abandoned by big banks - like fair interest, zero fees, and lightning quick transactions" - reportedly lost $55 million worth of wrapped bitcoin, or wBTC, in the breach, according to CryptoPotato.
The same publication says that an attacker added a script to the front end to trick users into providing account access, which in turn led to withdrawals from clients' wallets. Following the attack, BadgerDAO suspended all smart contracts amid an investigation by the blockchain firm Chainalysis.
In August, a breach on cross-chain protocol Poly Network led to the record theft of some $612 million in crypto assets. Following the attack, Poly Network called for the assistance of other crypto exchanges - leading to $33 million worth of the stablecoin tether being frozen. Within one day, the hacker - subsequently dubbed "Mr. White Hat" - began communicating with Poly Network, expressing interest in returning the funds (see: Poly Network Says $600 Million in Cryptocurrency Stolen).
Cryptocurrency and cybersecurity experts suggested that the return may not have been as noble as it appeared, hinting that the attacker likely had trouble laundering the assets.
Nonetheless, Mr. White Hat subsequently returned all cryptoassets - following a $500,000 bug bounty offer from Poly Network, which the hacker reportedly refused. Poly Network told ISMG at the time that despite not receiving a "positive response," it paid the bounty to the cybercriminal.
The platform also later offered the threat actor a position with the company as "chief security adviser."
This story has been updated to include a comment from a BitMart spokesperson.