After being ridiculed, KuCoin attackers used DeFi to cash out hundreds of millions of stolen assets

Article: Hash Pie
Author: LucyCheng

In the early morning of September 26, 2020, Beijing time, a large number of abnormal token withdrawal transactions appeared at KuCoin's hot wallet address, drawing concern from the crypto community.

※ At 02:51 on September 26, 2020, the KuCoin team received the first risk control system warning and found abnormal ETH transfer records.

After several hours of silence, KuCoin finally issued an announcement admitting that the abnormal transfers were a theft by hackers, and stated that the platform lost nearly $150 million in digital assets in the incident. According to Decrypt, the addresses marked as abnormal by KuCoin have received a total of 11,486 ETH, 458,866 GLA, 28,443 HAT, 21,660,273 OCEAN, 29,999 CHR, and a certain amount of ARPA, AOA, ORN, SNX and other tokens since the early morning of September 26.

Theft on the KuCoin platform

Although the platform emphasized that the stolen amount was a small proportion of its total cryptocurrency holdings and promised to bear all losses, a theft of this size was bound to attract the community's close attention, not least because the stolen DeFi tokens account for a large share of the current total circulating supply of the affected tokens.

Hackers are anxious to cash out, CeFi joins global efforts to contain them

To limit platform losses and contain the situation quickly, KuCoin immediately shut down the wallet server and transferred the remaining funds in the hot wallet to the cold wallet. It also contacted many mainstream trading platforms, including Binance, Huobi, OKEx, BitMax and Bitfinex, asking for help in freezing the stolen funds. Meanwhile, after learning of the incident, the security service provider Beijing Lian'an began monitoring the relevant assets and cooperated with KuCoin to track the movement of the stolen funds.

※ At 21:18 Beijing time on September 26, the hacker's attempt to transfer USDT assets was blocked

※ Tether freezes 20 million USDT withdrawn from KuCoin to the Ethereum chain

Unlike most hackers, who disperse stolen cryptocurrency across cold wallets, the KuCoin attacker seemed eager to cash out: the USDT was split into smaller amounts and deposited directly to the Binance and Matcha exchanges. However, the related accounts were frozen by the two exchanges before the attacker could use them. Subsequently, Bitfinex and Tether also froze about 33 million USDT on the KuCoin attack address. After working for most of the day, the hacker seemed to have nothing to show for it.

Screenshot from: Weibo of netizen Super Bitcoin

The KuCoin attacker's rather amateurish cash-out method left onlookers not knowing whether to laugh or cry. Netizens ridiculed his unprofessionalism and outdated approach, and also offered him new ideas for using the decentralized financial market to sell the stolen goods. A crypto enthusiast named Dovey on Twitter said, "All DeFi projects are natural low-slippage mixers." As long as he converts all USDT to DAI on Curve (DAI is the only stablecoin that will not be blacklisted at present), uses Uniswap to convert DAI to ETH/DAI LP, collects fees while mining UNI, he can slowly wash the money in his hands through Tornado.

Screenshot from: Twitter of netizen Dovey Wan

On the other hand, domestic netizens suggest finding a small currency that is supported by both Uniswap and the contract market, opening a long order on the exchange, using a large amount of USDT to pull up the market on Uniswap, and closing the long order; then opening a short order on the exchange, dumping the related currency, closing the short order, and repeating the cycle to continuously arbitrage.

Transferred assets were frozen, and hackers turned to DeFi to cash out

Perhaps having noticed the ridicule from netizens, the hacker began to cash out using Uniswap one day later. According to data from the asset tracking platform CoinHolmes, around 3 p.m. on September 27, multiple addresses marked as KuCoin Hacker continued to transfer a large number of OCEAN tokens to Uniswap for dumping. As a result, OCEAN-related trading prices fluctuated significantly, and the price of the token fell 10 percentage points in a short period between 3 and 5 p.m.

Screenshot from: Weibo of netizen Bitcoin Female Doctor

Ocean Protocol, the decentralized data sharing protocol, responded quickly, announcing the suspension of the OCEAN smart contract at around 7 pm on the same day to protect user funds. At noon yesterday, it issued an announcement stating that the system had completed the contract hard fork, and that coin holders only needed to wait for their wallets to complete the update before they could use the new OCEAN token for transactions. Similarly, Ampleforth, which had nearly 25% of its circulating supply stolen, issued a statement on the afternoon of September 28 saying that it had deployed a smart contract upgrade, thereby effectively preventing the KuCoin attacker from transferring the stolen AMPL.

ERC-20 tokens held by KuCoin hacker wallet (screenshot from: Etherscan)

The Ocean Protocol team's direct hard fork approach has sparked heated discussion in the market, and many users believe it runs contrary to the concept of decentralized financial protocols. However, more than the debate over the project's centralization, users are concerned about how a hacker who has learned to use DeFi to dump tokens will deal with the large holdings still in hand. Etherscan data shows that there are currently more than 150 ERC-20 tokens, including AMPL, ORN, and VIDT, in the KuCoin hacker wallet, with a value of approximately US$174 million (data as of September 28, 2020).

Around 2:30 pm UTC on September 27, 40,000 SNX were transferred to an unknown address (screenshot from: Whalealert)

After a short silence, the attacker, having had a first taste of success, moved on to Synthetix on the evening of September 27, successively transferring 320,000 SNX to Uniswap through three addresses, exchanging them for 4,350 ETH, and collecting the proceeds at a new address. Yesterday afternoon, the hacker struck again, depositing COMP into the transfer address in batches and then exchanging all the stolen COMP for Ethereum with the help of another decentralized exchange, Kyber, finally obtaining a total of 3,700 ETH. SXWK, an on-chain security expert at Beijing Lian'an, analyzed that the thieves currently seem to be adopting a "currency sweep" trading method, trading only a single currency each time and then clearing them one by one. In addition, many projects are currently carrying out targeted contract upgrades to lock the tokens stolen in this incident, so the attackers have to race against these upgrades and cash out before the tokens are frozen.

The immediate response of the trading platforms and the project teams prevented the KuCoin theft from causing major fluctuations in market prices, and the hacker's subsequent antics lent the incident a touch of comedy. The attacker quickly learned to use decentralized exchanges to cash out the stolen assets, which makes people think that DeFi, a financial sector that does not require real-name authentication, seems to have opened a new channel for hackers to launder money.

Some people think that this tarnishes the decentralized financial market and will turn such projects into an entry and exit point for problematic funds; others argue that DeFi is a neutral financial tool and that it is understandable for it to be used by bad actors to conduct what they consider to be "reasonable" operations. But putting these debates aside, what we can still see from this incident is the development of the decentralized financial market. After four months of outbreaks and adjustments, the current scale of DeFi projects is sufficient to support millions of dollars in liquidity.

