In one of the biggest heists in the cryptocurrency arena, the Korean exchange Upbit was compromised on 27-Nov-2019: a rogue entity transferred 342,000 ETH (estimated to be worth approximately 52 million US dollars or 58 billion Won at the time of the transaction) from the exchange’s hot wallets to wallets of its own. Initially, Upbit described the incident as an “unusual withdrawal” in its press release but later admitted that it had been hacked. As is the norm after any major breach, Upbit suspended all deposits and withdrawals and moved all assets from its hot wallets to cold wallets. The exchange announced that it would replace stolen customer assets with the company’s own assets.
The attack again raised many questions about the security of crypto-exchanges, the primary one being how, even today, with the relative maturity of the crypto / block-chain sector and the hard lessons of the past, rogue actors can still get access to such astronomical amounts so easily, and why exchanges keep so much of their funds in hot wallets at all. Upbit has not publicly commented on the attack vector, so it is not known how the funds were accessed and transferred out without any hindrance or alarm from the exchange’s internal security systems.
Funds Dispersion and Attempts to Track
As of now, the attacker is continuing to disperse the stolen funds in small amounts across many wallets (currently over 50 accounts) in the hope of avoiding scrutiny and making it harder for analysts and analytics platforms to track the movement of funds.
However, because of the open nature of the Ethereum ledger, hiding those movements is extremely difficult. The Ethereum explorer and analytics platform Etherscan has tracked the movement of the funds since the beginning and assigns a specific marker to each account the attacker moves funds into.
The first wallet the stolen funds were sent to was named “Upbit Hacker 1”; subsequent wallets were named “Upbit Hacker 2.1” or “Upbit Hacker 10.6”, depending on the order of fund routing and the sequence in which an account received funds from another. For instance, the “Upbit Hacker 2.1” account sent funds directly to “Upbit Hacker 3.1” and “Upbit Hacker 3.2”, which in turn forwarded the funds to multiple further accounts.
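The labelling scheme just described is essentially a breadth-first walk over the transfer graph: every wallet is named by the hop at which it first received tainted funds and its position within that hop. The example below is an added illustration and is not Etherscan’s code or data; it builds such labels from a constructed list of transfers (placeholder addresses, made-up amounts that only mimic the shape of the routing described above), computes what each labelled wallet still holds, and shows the check an exchange’s own monitoring team would want: flagging any deposit that arrives directly from a labelled wallet. The function names, the `stop_at` / `watched` parameters and the sample transfers are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample transfers (sender, receiver, amount in ETH).
# Addresses are placeholders, not real chain data; the routing shape
# (one first hop, then fan-out over several hops) mirrors the article.
TRANSFERS = [
    ("0xEXCHANGE_HOT", "0xA1", 342000.0),
    ("0xA1", "0xB1", 200000.0),
    ("0xA1", "0xB2", 142000.0),
    ("0xB1", "0xC1", 100000.0),
    ("0xB1", "0xC2", 100000.0),
    ("0xB2", "0xC3", 50000.0),
    ("0xC1", "0xB2", 1000.0),              # back-edge: B2 keeps its first label
    ("0xC3", "0xEXCH_DEPOSIT", 20000.0),   # tainted wallet deposits at an exchange
    ("0xCLEAN", "0xEXCH_DEPOSIT", 5.0),    # unrelated deposit, must not be flagged
]


def outgoing(transfers):
    """Adjacency list: sender -> [(receiver, amount), ...] in ledger order."""
    graph = defaultdict(list)
    for src, dst, amt in transfers:
        graph[src].append((dst, amt))
    return graph


def label_wallets(transfers, source, prefix="Upbit Hacker", stop_at=frozenset()):
    """Breadth-first walk from `source`. Hop 1 is the single first recipient
    ("<prefix> 1"); later hops are numbered "<prefix> <hop>.<k>" in the order
    the wallets were discovered. A wallet already seen keeps its first label
    (handles loops / back-edges). Addresses in `stop_at` (e.g. a known exchange
    deposit address) are neither labelled nor expanded."""
    graph = outgoing(transfers)
    labels = {}
    frontier = [dst for dst, _ in graph[source]]
    seen = {source, *frontier}
    hop = 1
    while frontier:
        next_frontier = []
        for k, addr in enumerate(frontier, start=1):
            if hop == 1 and len(frontier) == 1:
                labels[addr] = f"{prefix} {hop}"
            else:
                labels[addr] = f"{prefix} {hop}.{k}"
            for dst, _ in graph[addr]:
                if dst not in seen and dst not in stop_at:
                    seen.add(dst)
                    next_frontier.append(dst)
        frontier, hop = next_frontier, hop + 1
    return labels


def net_holdings(transfers, wallets):
    """Current balance attributable to the traced flow, per labelled wallet
    (inflows minus outflows over the transfers we have)."""
    balance = {w: 0.0 for w in wallets}
    for src, dst, amt in transfers:
        if src in balance:
            balance[src] -= amt
        if dst in balance:
            balance[dst] += amt
    return balance


def flag_tainted_deposits(transfers, tainted, watched):
    """Deposits into a `watched` address (e.g. an exchange's own deposit
    addresses) that come straight from a labelled wallet. This is the
    hold-and-review signal an exchange's monitoring would raise."""
    return [(src, dst, amt) for src, dst, amt in transfers
            if src in tainted and dst in watched]


if __name__ == "__main__":
    labels = label_wallets(TRANSFERS, "0xEXCHANGE_HOT", stop_at={"0xEXCH_DEPOSIT"})
    for addr, name in labels.items():
        print(f"{name:18} {addr}")
    print(net_holdings(TRANSFERS, labels))
    print(flag_tainted_deposits(TRANSFERS, set(labels), {"0xEXCH_DEPOSIT"}))
```

Real tracing differs in one important way: on the live chain, one would page through an address’s transaction history (via an explorer API or a node) instead of a static list, and would usually stop expanding at addresses already attributed to a service. The labelling and flagging logic above is unchanged by that.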
Commonly Known Methods of Liquidating Stolen Funds
The most commonly known method of liquidating such funds is to trade them “over the counter” on the dark web to individuals or entities willing to take the risk and buy them significantly below market rates. Converting the funds into more privacy-focused cryptocurrencies such as Monero, Dash or Zcash is another; instant conversion services such as Changelly or ShapeShift can be employed for that purpose. Moreover, cryptocurrency exchanges do not appear to track stolen funds properly or to have mechanisms in place to stop those funds from passing through their systems and coming out as other cryptocurrencies or tokens, which makes laundering comparatively easy.
Another Hard Learned Lesson
The crypto-world is well aware of the maxim “not your keys—not your funds”, a dark reference to the current abysmal state of exchange security, which has repeatedly failed to stop large-scale attacks; funds are therefore considered more securely held outside the exchanges, in personal wallets. Unfortunately, the exchanges have not made sufficient efforts to prove otherwise, and the Upbit hack is just another example of that. In such a poor state of affairs, it is vital that ordinary users take steps to secure their funds themselves rather than relying on cryptocurrency exchanges for security.