Stolen Ethereum Out of Reach and Sneaking Through the Blockchain

GUEST BLOGGER
Hallie Ayres
Contributing Writer

On November 27, 2019, the South Korean cryptocurrency exchange Upbit released a statement confirming they had been subject to a malicious hack that transferred 342,000 ethereum (ETH) — around $50 million — from Upbit’s Ethereum hot wallet to an anonymous wallet. Since the transfer, the stolen Ethereum has evaded tracking by Upbit and the cryptocurrency community, calling into question the security protocols used by major exchange platforms.

Opposing theories from crypto experts

The theft of 342,000 ETH occurred while Upbit was transferring cryptocurrency assets from its hot wallets to its cold wallets. In cryptocurrency, a hot wallet is any device, program or service that stores currency and is connected to the internet, whereas cold storage does the same thing but is not connected to the internet. Generally, because of its connectivity, a hot wallet is more susceptible to exploitation by cybercriminals.

In its statement, Upbit explicitly noted that the transaction associated with the hack was the only peculiar transfer on their ledger, acknowledging that the other large asset transfers were related to the company’s own authorized transfers. The timing of this theft has led to suspicions about the source of the hack. Cointelegraph contributor Joseph Young wrote in a tweet, “The ‘hacker’ timed when Upbit was making crypto transfers to its cold wallet. [...] Hence, I think the probability of it being an inside job is higher than external breach.”

Other experts are skeptical, however. Taylor Monahan, the founder and CEO of MyCrypto, a third-party wallet service, spoke with Cointelegraph after analyzing the details of the incident. “The biggest thing that points to it not being an inside job is how the transactions were generated and signed. Upbit seems to follow a certain method with their programmatic transactions, and the ‘hack’ transaction in question used a different method. In addition, Upbit manually signed a transaction to secure their remaining ETH, after discovering the hack, and this too was generated differently than the ‘hack’ transaction,” she wrote. She noted that the hack must have come from someone who knows “very little about the Ethereum network” because of this identifying mistake, and she also criticized Upbit for storing so much of their assets in a hot wallet. “If Upbit utilized cold storage more regularly and limited the value held by their hot wallet, the loss could have been minimized.”

Upbit’s crisis management amid a background of skepticism

Upbit is operated by Dunamu, a subsidiary of Kakao, one of the largest internet companies in South Korea. Although hesitant to join the cryptocurrency market, likely because of regulatory uncertainty, Kakao launched Upbit in October of 2017, to overwhelming market success. In 2018, Upbit was the only one of the four major South Korean exchange platforms to announce a profit. As a result of the hack, Upbit’s CEO, Lee Sirgoo, has pledged to reimburse the stolen Ethereum through corporate assets, so user assets will remain unaffected. Sirgoo also confirmed that he made efforts to alert major cryptocurrency trading platforms to blacklist the wallet address of the thief.

Soon after the initial transfer from Upbit, the hacker began moving the stolen ethereum into different wallets. The transfers ranged from 10 ETH to 100,000 ETH, eventually emptying the original Ethereum wallet. Chiachih Wu, an analyst at the blockchain security company PeckShield, hypothesized that the hacker was transferring smaller amounts to test out platforms through which they might launder their plunder. An analysis on NewsBTC noted, “There remains millions of dollars’ worth of ethereum related to the hack in non-exchange wallets, making it likely that the hackers are waiting for the right moment to transfer those funds to exchanges in a bid to cash out their booty.”

Moving forward after a barrage of crypto hacks

As of January 14, 2020, Upbit has reopened its Ethereum transfer services and has introduced new addresses for all deposits, rendering older addresses obsolete. Upbit also announced that they have updated their wallet security services.

The Upbit debacle rounded out a year replete with high-profile attacks targeting cryptocurrency exchanges: the Binance hack in May, which resulted in $42 million in bitcoin transferred to seven different addresses; July’s Bitpoint security breach that led to $32 million in various cryptocurrencies siphoned off into cybercriminals’ wallets; and the March attack on Bithumb, which led to the theft of nearly $19 million in assets. After the heist against Bithumb, the South Korean trading platform released a statement deeming the incident an “accident involving insiders.” Bithumb announced an external audit in the wake of the loss.

Hartej Sawhney, the CEO of Zokyo, a cybersecurity company, noted in a quote for Cointelegraph, “Centralized crypto exchanges are web services, not that different from an online banking application. Most companies respect security either because of regulation or they already faced a security breach. The cryptocurrency industry could benefit from compliance standards such as PCI-DSS or HIPAA.” He continued, “Regular third-party offensive security testing needs to become standard and transparent,” and went on to list tangible efforts that could be taken by exchanges to bolster their security, which included things like establishing adequate infrastructure and education on how to avoid cyberattacks. Many analysts of the Upbit theft also noted the value of tracking services such as Whale Alert and Etherscan to identify and provide details for large-scale transfers of assets.
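The following sketch, added here as an illustration and not taken from Upbit or from any tool named in the article, shows the kind of hot-wallet outflow review that Monahan’s observations and the large-transfer tracking mentioned above point toward. The addresses, thresholds, transaction records and the gas-based “programmatic profile” are all assumptions; the article does not say which transaction fields differed.

```python
from dataclasses import dataclass
from decimal import Decimal

# Every address, threshold and transaction below is constructed for illustration.
HOT_WALLET = "0x" + "a1" * 20
COLD_WALLETS = {"0x" + "c0" * 20}          # allowlisted sweep destinations
LARGE_TRANSFER_ETH = Decimal("1000")        # assumed alert threshold
HOT_BALANCE_CAP_ETH = Decimal("5000")       # assumed policy cap on hot-wallet holdings
EXPECTED_GAS_LIMIT, MAX_GAS_PRICE_GWEI = 21000, 30  # assumed profile of the exchange's own txs

@dataclass(frozen=True)
class Tx:
    tx_hash: str
    sender: str
    recipient: str
    value_eth: Decimal
    gas_limit: int
    gas_price_gwei: int

def review_outflow(tx, hot_balance_eth):
    """Return the reasons an outgoing hot-wallet transfer needs human review."""
    if tx.sender != HOT_WALLET:
        return []
    reasons = []
    if tx.recipient not in COLD_WALLETS and tx.value_eth >= LARGE_TRANSFER_ETH:
        reasons.append("large transfer to non-allowlisted address")
    if tx.gas_limit != EXPECTED_GAS_LIMIT or tx.gas_price_gwei > MAX_GAS_PRICE_GWEI:
        reasons.append("parameters differ from programmatic profile")
    if hot_balance_eth > HOT_BALANCE_CAP_ETH:
        reasons.append("hot-wallet balance above policy cap")
    return reasons

def scan(txs, opening_balance_eth):
    """Walk transactions in order, tracking the balance; return {tx_hash: reasons}."""
    balance, alerts = opening_balance_eth, {}
    for tx in txs:
        reasons = review_outflow(tx, balance)
        if reasons:
            alerts[tx.tx_hash] = reasons
        if tx.sender == HOT_WALLET:
            balance -= tx.value_eth
    return alerts

SAMPLE_TXS = [  # constructed records: a cold sweep, a user withdrawal, an anomaly
    Tx("0xtx1", HOT_WALLET, "0x" + "c0" * 20, Decimal("2000"), 21000, 20),
    Tx("0xtx2", HOT_WALLET, "0x" + "b2" * 20, Decimal("12"), 21000, 20),
    Tx("0xtx3", HOT_WALLET, "0x" + "d3" * 20, Decimal("2400"), 90000, 55),
]
print(scan(SAMPLE_TXS, Decimal("4500")))
```

With an opening balance under the cap, only the third record is flagged; raising the opening balance above the cap flags every outflow until the balance drops, which is the exposure Monahan’s cold-storage comment describes.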

It doesn’t appear that this trend of large crypto hacks will slow down anytime soon. As we’ve mentioned before, fraud examiners should stay on top of this rapidly evolving landscape because it touches a spectrum of issues in the anti-fraud profession.
