Singapore-based cryptocurrency exchange KuCoin has encountered leakage of its private keys tied with its KuCoin hot wallets, which ended in a hack of around USD 150 million worth of customer funds.
The platform has momentarily suspended deposits and withdrawals from its platform, while the team declares its cold wallets remain unaffected, guaranteed the exchange’s CEO Johnny Lyu.
Per the official announcement, the security incident was first observed last Friday evening (UTC), September 25, as its risk management systems monitored numerous abnormal transactions. The total value of lost funds is still being determined, though looking at the on-chain transactions, it is considered to be around USD 150 million. The hackers got the chance to leave with roughly USD 4 million worth of ether (ETH), and USD 146 million value of other ERC-20 tokens plus a large amount of bitcoin (BTC).
Timeline of the breach:
At 06:51 PM (UTC) on September 25, 2020, KuCoin team received an alert from the risk management system, showing that an abnormal ETH transaction with the TXID 0x4b738df5d7f12e3fa1cbe83b8165c542da461ef0c9255fc1a3f275259a92623b
After that, several other abnormal transactions for ETH and other ERC-20 tokens were registered, including:
All abnormal transactions originated from this wallet: 0xeb31973e0febf3e3d7058234a5ebbae1ab4b8c23
At 07:01 PM (UTC) on September 25, 2020, KuCoin received an alert about the abnormal remaining balance in their hot wallets.
At 07:15 PM (UTC) on September 25, 2020, the KuCoin team set up a dedicated team to cope with the security incident.
At 07:20 PM (UTC) on September 25, 2020, the team urgently closed the wallet server, but abnormal transactions were continuing.
At 08:20 PM UTC, on September 25, 2020, the KuCoin wallet team starts transferring the hot wallets’ remaining assets to its cold storage.
At 08:25 PM UTC, on September 25, 2020, the KuCoin wallet team, operation team, and security team began investigating the incident based on available information.
At 08:50 PM UTC on September 25, 2020, most of the remaining assets were transferred from the hot wallet to cold storage.
As of 09:00 PM UTC on September 25, 2020, the exchange’s team claims to be in contact with other crypto platforms, including Binance, Huobi, OKEx, By a bit, Upbit, Bibox, Gate, MXC, BitMax, BigONE, BKEX, Bit-Z, HBTC, Hoo, Crypto.com, Bingbon, Renrenbit, LBank, Max/Maicoin, CoinW and more to block suspicious addresses and trace the stolen funds.
At 02:41 AM UTC, on September 26, 2020, the team released the official announcement concerning the security incident.
At 4:30 AM UTC on September 26, KuCoin Global CEO Johnny Lyu started a live stream to update concerned stakeholders on the incident and current state of things at KuCoin. He said that “Regarding this accident, we have made a conclusion that it is because someone (unclear) stole the private key of our hot wallet.” Besides, he assured KuCoin users that KuCoin would cover all the losses.
“All the loss will be covered by KuCoin risk provisions.”
You can watch the replay of Kucoin’s live stream here:
At 08:39 AM UTC today, Bitfinex and Tether CTO Paolo Ardoino tweeted that Bitfinex has frozen approximately USD 13 million worth of Tether (USDT) the EOS blockchain and Tether froze USD 20 million worth of USDT on Ethereum.
KuCoin vowed to reimburse users who lost funds in the hack by using its insurance fund that was established to deal with such situations. Deposits and withdrawals at the exchange have been temporarily suspended while the team is investigating the incident with international law enforcement. Besides, the exchange’s team offers rewards of up to USD 100,000 to anyone who can provide valid information regarding this hack. Relevant information can be sent to email@example.com.