Cryptocurrency exchange BitMart pays for stolen funds

On December 6, BitMart, a cryptocurrency exchange claiming to be registered in the Cayman Islands, announced the cause of the theft: "The private keys of two hot wallets were stolen." The founder of the exchange, Sheldon Xia, said that the exchange's own funds would be used to compensate affected users.

On December 4, two hot wallets of BitMart Exchange's Ethereum (ETH) and Binance Smart Chain (BSC) experienced a "large-scale security vulnerability", and crypto assets worth $150 million disappeared. The exchange claimed that the affected ETH chain and BSC chain hot wallets stored a small part of BitMart's assets, and the assets in other wallets were safe and undamaged, but the related deposit and withdrawal functions were suspended.

The first to discover the anomaly in BitMart's hot wallet was the blockchain security agency PeckShield. After counting the assets affected by the accident, the agency said that BitMart's ETH hot wallet lost $100 million and the BSC hot wallet lost $96 million.

As of press time, BitMart has not yet opened the relevant deposit and withdrawal functions. It stated that it will gradually resume deposits and withdrawals on December 7.

BitMart theft was caused by the theft of hot wallet private keys

"BitMart has completed a preliminary security check and identified the affected assets. This security vulnerability was mainly caused by the stolen private keys of our two hot wallets." On December 6, Sheldon Xia, founder of the cryptocurrency exchange BitMart, confirmed the cause of the theft on Twitter.

Unlike cold wallets of crypto assets that are isolated from the Internet, hot wallets are connected to the Internet, which allows owners to charge and withdraw assets relatively easily, but also makes it easier for hackers to take advantage of them. This time, BitMart was hacked.

Public exchange rating information shows that BitMart was founded in 2018 and registered in the Cayman Islands. It claims to have 5.5 million users worldwide and has offices in China, South Korea, and the United States. On September 28, 2021, the exchange announced that it would stop accepting new registered accounts from users in mainland China and would stop providing services to users in mainland China at 12:00 noon on November 30, 2021 (Eastern Time).

Four days after ceasing operations in mainland China, BitMart had nearly $200 million in crypto assets stolen.

Around 7 a.m. on December 5, users continued to express in BitMart’s official social group that it was difficult to withdraw their ERC-20 (Ethereum blockchain token standard) and BEP20 (BSC blockchain token standard) assets from the exchange. Some people did not see any successful transfer (transaction) information from the chain for 40 minutes to an hour. “Normally, there is successful transfer information every minute.”

The crisis has actually arrived, because BitMart’s later updated announcement showed that they discovered a "large-scale security vulnerability" in the ETH hot wallet and BSC hot wallet on December 4, but this information did not seem to be disclosed to users at the first time.

BitMart said it discovered a vulnerability on December 4

At around 8 am on December 5, a user asked "Has BitMart been hacked?" and "Is my account safe?" The community administrator responded with "No Sir," "It's safe, don't worry," etc. For a period of time, the administrator still defined such inquiries as "FUD" (spreading panic) and "fake news," and repeatedly told users to believe the official information and "stay calm."

Afterwards, some users discovered that a large number of Meme-type coins such as Safemoon, Shib, and Floki listed on BitMart were transferred from hot wallets, and the prices of these tokens in the market fell sharply. Some people attributed this to the overall market downturn that day, but others believed that these Meme assets were artificially manipulated and sold off. Others found from the on-chain address that some assets in the BitMart hot wallet had been exchanged for ETH and mixed through Tornado Cash, a well-known on-chain privacy information processing tool.

Users continued to pass on abnormal information on the chain to the community. It was not until around 10 a.m. on the 5th that BitMart announced in the community that its founder Sheldon Xia admitted on Twitter that there were "large-scale security vulnerabilities" in ETH and BSC hot wallets.

On December 6, after Sheldon Xia disclosed that the theft was caused by the theft of the hot wallet private key, a user left a message on his Twitter asking "whether it was done by an insider", but received no reply.

Security agency estimates BitMart lost nearly $200 million

On December 6, Sheldon Xia said that BitMart had completed the initial security check and identified the affected assets. However, he did not disclose which assets were affected. Previously, the exchange said the value of the assets affected by the accident was $150 million.

PeckShield, the blockchain security agency that first disclosed the BitMart security anomaly, provided a list of affected assets through on-chain data. The agency first noticed that tens of millions of dollars of crypto assets were steadily flowing out of a Bitmart address to an address marked as "Bitmart Hacker" on the Ethereum browser.

PeckShield discloses the affected assets in BitMart ETH (left) and BSC (right) hot wallets

The list disclosed by PeckShield shows that 28 crypto assets in the exchange's ETH hot wallet were affected, including Meme coins such as SHIB and SAITAMA, as well as popular GameFi assets such as GALA and SAND, and more than US$500,000 worth of mainstream assets USDC, with a total loss of approximately US$100 million; 20 crypto assets in the exchange's BSC hot wallet were affected, including Meme coins such as SAFEMOON, BabyDoge, and FLOKI, as well as more than US$350,000 worth of BSC-USD and 213.57 BNB, with a total loss of approximately US$96 million.

This is different from the $150 million amount of money affected given by BitMart, but the latter did not disclose the specific list of affected assets.

In addition to the list, PeckShield also gave the hacker's operation path, "very straightforward: transfer-out, swap, and wash."

Hacker operation path disclosed by PeckShield

According to the path map provided by the agency, after the hacker transferred funds from BitMart's ETH and BSC hot wallets, he used 1inch, a decentralized aggregation trading application deployed on the ETH and BSC dual chains, to exchange tokens, and finally deposited the exchanged assets into the encrypted asset privacy service tool Tornado Cash, which is often used by hackers to mix coins in order to hide address information that can be tracked on the chain.

Rick Holland, chief information security officer of cyber threat intelligence firm Digital Shadows, told CNBC that cyber criminals often seek out currency mixing services, which objectively cause illegal funds to be mixed with clean cryptocurrencies. In essence, it creates a new type of cryptocurrency to form a currency mixing function, which facilitates the exchange of various assets by the service users. Therefore, even if the information on the blockchain is publicly available, there are still ways to make it difficult for investigators to track the final destination of the transaction.

In the past month, there have been many thefts in the crypto asset world. Last week, the decentralized financial platform BadgerDAO was hacked and lost $120 million; at the end of October, the decentralized exchange BXH was stolen and lost nearly $150 million. When hackers attack exchanges and project platforms, the final victims are often users.

After the theft of BitMart, several projects listed on the exchange, including SAITAMA, FLOKI, and SHIB, expressed their willingness to stand together with it in the fight against hackers.

"We are also talking to multiple project teams to confirm the most reasonable solution, such as token swaps, that will not harm user assets. We are now doing our best to retrieve security settings and our operations." On December 6, Sheldon Xia said that BitMart will use its own funds to make up for the incident and compensate affected users. Xia has not yet elaborated on how to compensate users.