New Elementus Analysis Suggests Cryptopia Exchange’s Hack Resulted in Theft of $16 Million
Cryptopia was recently the victim of a highly publicized hack, which led blockchain infrastructure firm Elementus to investigate it on the public chain. According to their findings, the New Zealand exchange lost roughly $16 million worth of Ethereum and ERC20 tokens. Elementus published its findings five days after the public announcement of the hack.
Initially, the exchange did not reveal that there had been a hack at all; instead, it told users that the platform was down for unscheduled maintenance. Even once the hack was acknowledged, the company did not say how much had been lost.
Elementus's evaluation of the public Ethereum blockchain showed two Cryptopia core wallets hemorrhaging funds on January 13th: one holding ETH and one holding tokens.
On the same afternoon, once the core wallets were empty, funds started flowing out of the secondary (deposit) wallets. Cryptopia has over 76,000 of these secondary wallets, and the thieves kept draining them through January 17th, four days after the core wallets were first hit. Cryptopia was aware of the problem well before then: it had filed a report with local law enforcement by the 15th, the third full day of the hack.
Elementus's breakdown of the stolen funds puts the ETH at a little under $3.6 million, Dentacoin at under $2.4 million, Oyster Pearl at under $2 million, and miscellaneous tokens at around $3 million.
So far, the research indicates that about $880,000 has been cashed out through exchanges that process these kinds of transactions, including Binance, Huobi, and HitBTC. The remaining roughly $15 million is allegedly sitting in two wallets that the criminals still control.
Elementus points out a quality of this hack that separates it from the two profiles such incidents typically fall under: "smart contract exploits" and "unauthorized access credentials." A smart contract exploit involves finding a vulnerability in the code of the contract that controls the funds. Elementus explains, "These cases may involve many wallets, if the same vulnerability is present in all of them. But once the first wallet is breached, things come to a head rather quickly, as it typically becomes a race between the hackers and the wallet owners (sometimes assisted by white hat hackers) to get to the money first."
Unauthorized access credentials means that someone inside or outside the company has obtained a wallet's private key, allowing them to sign a transaction that transfers the funds to themselves. Elementus elaborated,
“These cases typically involve the breach of a single wallet, and by the time the theft becomes publicly known, the funds are long gone.”
Cryptopia is set apart because the theft spanned over 76,000 wallets and involved no smart contracts, which means the thieves must have obtained the private keys for all of them.
Furthermore, the hack did not stop once Cryptopia discovered it. It continued for days, and the thieves showed what Elementus describes as a "lack of urgency": they took their time and still stole millions over four more days, even though nothing should have stopped Cryptopia from intervening.
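As an added illustration of the profiles just described (this is not Elementus's tooling and not any Cryptopia code), the following Python script summarises outbound transfers from a set of custodial addresses day by day and labels the pattern: one wallet drained, a one-day race across many wallets, ordinary withdrawals fanning out to many users, or the slow convergence of many wallets onto a few destinations seen in this incident. It also builds the destination watchlist an exchange would circulate so peers can freeze funds on arrival. The transfer log, addresses, amounts and thresholds are constructed for the example; real input would come from an Ethereum node or an indexer.

```python
"""Flag the mass-sweep pattern over a constructed transfer log.

Added illustration, not Elementus's tooling and not Cryptopia's code.
Addresses and amounts are made up; none are real Cryptopia, deposit or
attacker addresses.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Transfers are (ISO-8601 UTC timestamp, from_address, to_address, value_in_eth).

# Constructed custodial address set: two core (hot) wallets plus 20 deposit wallets.
OWNED = {"0xcore_eth", "0xcore_tok"} | {f"0xdep{i:04d}" for i in range(1, 21)}

# Constructed transfer log modelled on the article's timeline: both core wallets
# emptied on Jan 13, then deposit wallets drained a few at a time over Jan 13-17
# to just two attacker-controlled addresses.
SAMPLE = [
    ("2019-01-12T09:00:00", "0xdep0001", "0xcore_eth", 2.0),  # routine internal sweep, benign
    ("2019-01-13T14:02:00", "0xcore_eth", "0xattacker_a", 9500.0),
    ("2019-01-13T14:05:00", "0xcore_tok", "0xattacker_a", 300.0),
]
for i in range(1, 21):
    day = 13 + (i - 1) // 4  # four deposit wallets per day
    dest = "0xattacker_a" if i % 2 else "0xattacker_b"
    SAMPLE.append((f"2019-01-{day:02d}T16:{i:02d}:00", f"0xdep{i:04d}", dest, 5.0 + i))


def external_outflows(transfers, owned):
    """Transfers that leave the custodial set. Moves between owned addresses
    (deposit wallet -> core wallet) are normal consolidation and are ignored."""
    return [t for t in transfers if t[1] in owned and t[2] not in owned]


def outflow_profile(transfers, owned):
    """Per-UTC-day view: how many distinct owned wallets paid out, how much,
    and where it went. This is the shape of what a public-chain analyst sees."""
    days = defaultdict(lambda: {"wallets": set(), "eth": 0.0, "dests": Counter()})
    for ts, src, dst, val in external_outflows(transfers, owned):
        day = datetime.fromisoformat(ts).date().isoformat()
        days[day]["wallets"].add(src)
        days[day]["eth"] += val
        days[day]["dests"][dst] += val
    return {
        day: {"wallets": len(v["wallets"]), "eth": round(v["eth"], 3), "dests": dict(v["dests"])}
        for day, v in sorted(days.items())
    }


def classify(transfers, owned, min_wallets=10, max_dests=3, min_days=2):
    """Map the outflow pattern onto the incident profiles discussed in the text.

    'dispersed'          - payouts fan out to many destinations, as ordinary user
                           withdrawals do; no sweep signature.
    'single_wallet'      - one wallet drained to a few addresses: the classic
                           single stolen-key profile.
    'rapid_multi_wallet' - many wallets drained within a single day: the race
                           that follows a smart-contract exploit.
    'mass_sweep'         - many wallets converging on a few destinations across
                           several days: the attacker holds every key and is in
                           no hurry (the Cryptopia pattern).
    Thresholds are illustrative assumptions, not Elementus's criteria.
    """
    out = external_outflows(transfers, owned)
    if not out:
        return "none"
    wallets = {src for _, src, _, _ in out}
    dests = {dst for _, _, dst, _ in out}
    days = {datetime.fromisoformat(ts).date() for ts, _, _, _ in out}
    if len(dests) > max_dests:
        return "dispersed"
    if len(wallets) == 1:
        return "single_wallet"
    if len(days) < min_days:
        return "rapid_multi_wallet"
    if len(wallets) >= min_wallets:
        return "mass_sweep"
    return "multi_wallet"


def freeze_watchlist(transfers, owned):
    """Destination addresses that received custodial funds, totalled and sorted
    by amount: the list an exchange would share so that peers can freeze
    deposits arriving from these addresses."""
    totals = Counter()
    for _, _, dst, val in external_outflows(transfers, owned):
        totals[dst] += val
    return dict(totals.most_common())


if __name__ == "__main__":
    for day, stats in outflow_profile(SAMPLE, OWNED).items():
        print(day, stats["wallets"], "wallets", stats["eth"], "ETH ->", stats["dests"])
    print("profile:", classify(SAMPLE, OWNED))
    print("watchlist:", freeze_watchlist(SAMPLE, OWNED))
```

On the constructed log the script reports six wallets drained on the first day and four per day after that, labels the whole run as a mass sweep, and lists the two attacker addresses by amount received. The point of the day-by-day view is that this signature is visible on the public chain from the first afternoon, which is exactly the window in which a custodian that still held its keys could have moved the remaining deposits to safety.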
Elementus elaborated their theory – “The only plausible explanation for Cryptopia's inaction is that they no longer had access to their own wallets. It seems Cryptopia not only lost their funds, they also lost access to all, or nearly all, of their 76k+ Ethereum wallets. One possible explanation is that Cryptopia had their private keys stored in a single server with no redundancy. If the thieves managed to gain access to this server, they could have downloaded the private keys before wiping them from the server, leaving Cryptopia unable to access their own wallets.”
Wrapping up its investigation, Elementus believes about 2,000 wallets still hold the last 380 ETH remaining with Cryptopia, mostly from deposits made after the hack took place.
If the thieves still control those wallets and Cryptopia cannot touch them, recovery of the funds is highly unlikely. The only chance of even partial recovery is if Cryptopia identifies the hackers and is able to stop them from moving the funds any further.
For exchanges to help stop these hackers, stolen funds need to be frozen the moment they arrive. Some platforms are already doing so: Binance's CEO, for example, had frozen funds potentially sent by the hacker on January 17th, three days before the Elementus report even came out.