- Crypto trading platform Bitmart said on Saturday it had experienced "a large-scale security breach" and that hackers had withdrawn about $150 million in assets. A third-party security firm, Peckshield, which first publicized the breach, put it closer to $200 million.
- On Monday, Bitmart said it would reimburse victims.
Crypto trading platform Bitmart says it will use its own money to reimburse victims of a large-scale security breach, in which hackers took as much as $196 million.
Bitmart claims hackers withdrew about $150 million in assets. However, blockchain security and data analytics firm Peckshield, which first publicized the hack, estimates that the loss is closer to $200 million. CNBC reached out to Bitmart to ask about the multimillion dollar discrepancy, but the exchange declined to comment on this point.
Bitmart wrote in an official statement Monday morning that it had completed initial security checks and identified the affected assets. The exchange said the security breach was mainly caused by a stolen private key, which affected two of its hot wallets, but other assets were "safe and unharmed."
The affected ethereum and binance smart chain "hot wallets" carried only a "small percentage" of the exchange's assets, according to the company. Cryptocurrency can be stored "hot," "cold," or some combination of the two. A hot wallet is connected to the internet and allows owners relatively easy access to their coins so that they can access and spend their crypto. The trade-off for convenience is potential exposure to bad actors.
Peckshield was the first to notice the breach on Saturday, noting that one of Bitmart's addresses showed a steady outflow of tens of millions of dollars to an address which Etherscan referred to as the "Bitmart Hacker."
Peckshield estimated that Bitmart lost around $100 million in various cryptocurrencies on the ethereum blockchain and another $96 million from coins on the binance smart chain. The hackers made off with a mix of more than 20 tokens, including binance coin, safemoon, and shiba inu.
What happened following the breach was pretty straightforward, according to Peckshield. It was a classic case of "transfer-out, swap, and wash," according to the security firm.
After transferring the funds out of Bitmart, hackers apparently used the decentralized exchange aggregator known as "1inch" to exchange the stolen tokens for ether. From there, the ether coins were deposited into a privacy mixer known as Tornado Cash, which makes the money harder to trace.
Cybercriminals often look to a mixing or tumbling service, according to Rick Holland, chief information security officer at Digital Shadows, a cyberthreat intelligence company. Holland previously told CNBC these services allow users to combine illicit funds with clean crypto to essentially make a new type of cryptocurrency, at which point they turn to currency swaps.
So even though the blockchain is public, there are still ways to make it difficult for investigators to trace transactions to their ultimate destination.
Bitmart offers a mix of spot transactions, leveraged futures trading, as well as lending and staking services. Its trading volume, however, has gone down by "a lot" since the hack, according to CoinGecko co-founder and chief operating officer Bobby Ong. Ong's platform reports volumes provided to them by individual exchanges.
"Crypto exchange hacks are fairly common," Ong tells CNBC. "Exchanges are a honeypot for hackers because of the high potential payoff for any successful exploit."
Ong says that while some exchanges purchase insurance coverage for their crypto holdings, this is not a uniform practice across the industry.
The company says it expects that "deposit and withdrawal functions will gradually begin" on Tuesday, Dec. 7.
This latest breach comes amid a wave of recent hacks.
Last week, crypto lender Celsius Network admitted to losing funds (though it didn't specify how much it lost exactly), as a result of the $120 million hack of the decentralized finance platform BadgerDAO.
And in August, a hacker stole more than $600 million worth of tokens from the cryptocurrency platform Poly Network. In a strange twist, the attacker subsequently returned nearly all of the money.
Correction: Bobby Ong is the co-founder and COO of CoinGecko.