BitMart has stated that it will compensate victims of the $196 million hack and that trading will be restored by Tuesday.
- Bitmart, a cryptocurrency trading platform, announced on Saturday that it had experienced a "large-scale security breach" and that hackers had withdrawn about $150 million in assets. Peckshield, a third-party security firm that initially publicised the breach, estimated it to be closer to $200 million.
- Bitmart announced on Monday that it will reimburse victims.
Bitmart, a cryptocurrency trading platform, has announced that it will use its own funds to reimburse victims of a large-scale security breach in which hackers took up to $196 million.
Bitmart claims hackers withdrew around $150 million in assets. Peckshield, a blockchain security and data analytics startup that originally reported the theft, believes the loss to be closer to $200 million. CNBC contacted Bitmart to inquire about the multimillion-dollar discrepancy, but the exchange declined to comment.
Bitmart said in a statement released Monday morning that it has undertaken basic security tests and identified the assets that were compromised. The security breach was primarily triggered by a stolen private key, which affected two of the exchange's hot wallets, but other assets were "secure and unscathed," according to the exchange.
The affected ethereum and binance smart chain "hot wallets" only held a "tiny percentage" of the exchange's assets, according to the company. Cryptocurrency can be stored "hot," "cold," or some combination of the two. A hot wallet is one that is connected to the internet that allows users to access and spend their cryptocurrency with relatively easily. The trade-off for convenience is the potential of being exposed to bad actors.
On Saturday, Peckshield was the first to identify the breach, stating that one of Bitmart's addresses showed a consistent outflow of tens of millions of dollars to an address known as the "Bitmart Hacker" by Etherscan.
Bitmart lost roughly $100 million in various cryptocurrencies on the ethereum blockchain, according to Peckshield, and another $96 million in coins on the Binance smart chain. The hackers made off with a mix of more than 20 tokens, including binance coin, safemoon, and shiba inu.
What happened following the breach was pretty straightforward, according to Peckshield. It was a classic case of “transfer-out, swap, and wash,” according to the security firm.
Hackers allegedly used the decentralised exchange aggregator known as "1inch" to exchange the stolen tokens for ether after transferring the funds out of Bitmart. The ether currencies were then transferred into Tornado Cash, a privacy mixer that makes the money harder to track.
Cybercriminals often look to a mixing or tumbling service, according to Rick Holland, chief information security officer at Digital Shadows, a cyberthreat intelligence company. Holland previously told CNBC these services allow users to combine illicit funds with clean crypto to essentially make a new type of cryptocurrency, at which point they turn to currency swaps.
So even though the blockchain is public, there are still ways to make it difficult for investigators to trace transactions to their ultimate destination.
Bitmart offers a mix of spot transactions, leveraged futures trading, as well as lending and staking services. Its trading volume, however, has gone down by “a lot” since the hack, according to CoinGecko CEO Bobby Ong. Ong’s platform reports volumes provided to them by individual exchanges.
“Crypto exchange hacks are fairly common,” Ong tells CNBC. “Exchanges are a honeypot for hackers because of the high potential payoff for any successful exploit.”
Ong says that while some exchanges purchase insurance coverage for their crypto holdings, this is not a uniform practice across the industry.
The company says it expects that “deposit and withdrawal functions will gradually begin” on Tuesday, Dec. 7.
This latest breach comes amid a wave of recent hacks.
Last week, crypto lender Celsius Network admitted to losing funds (though it didn’t specify how much it lost exactly), as a result of the $120 million hack of the decentralized finance platform BadgerDAO.
And in August, a hacker stole more than $600 million worth of tokens from the cryptocurrency platform Poly Network. In a strange twist, the attacker subsequently returned nearly all of the money.