Hackers take $196 million from crypto exchange Bitmart, security firm says

Environment

Kacper Pempel | Reuters

Hackers have taken $196 million from crypto trading platform Bitmart, a security firm said Saturday.

Bitmart confirmed the hack in an official statement Saturday night, calling it “a large-scale security breach” and writing that hackers withdrew about $150 million in assets. However, blockchain security and data analytics firm Peckshield estimates that the loss is closer to $200 million.

Bitmart added in a statement that all withdrawals had been temporarily suspended until further notice and said a thorough security review was underway.

Peckshield was the first to notice the breach on Saturday, noting that one of Bitmart’s addresses showed a steady outflow of tens of millions of dollars to an address which Etherscan referred to as the “Bitmart Hacker.”

Peckshield estimated that Bitmart lost around $100 million in various cryptocurrencies on the ethereum blockchain and another $96 million from coins on the binance smart chain. The hackers made off with a mix of more than 20 tokens, including binance coin, safemoon, and shiba inu.

Bitmart says that the affected ethereum and binance smart chain “hot wallets” carried only a “small percentage” of the exchange’s assets. The statement went on to say that all other wallets were “secure and unharmed.”

People who choose to hold their own cryptocurrency can store it “hot,” “cold,” or some combination of the two. A hot wallet is connected to the internet and allows owners relatively easy access to their coins so that they can access and spend their crypto. The trade-off for convenience is potential exposure to bad actors.

CNBC reached out to multiple Bitmart employees to ask for more clarity on the hack, including whether customer funds had specifically been targeted in the breach, and if so, whether users would be reimbursed. CNBC has not yet heard back, but an email to the work address of Bitmart founder and CEO Sheldon Xia (as listed on Xia’s unverified Twitter account) bounced back with a message that read, “Recipient address rejected: Access denied.”

Bitmart, which offers a mix of spot transactions, leveraged futures trading, as well as lending and staking services, typically ranks as one of the top centralized crypto exchanges by volume, according to CoinGecko data.

Bitmart says it is still unclear what possible methods the hackers used, but what happened after the breach was pretty straightforward, according to Peckshield. It was a classic case of “transfer-out, swap, and wash,” according to the security firm.

After transferring the funds out of Bitmart, hackers apparently used the decentralized exchange aggregator known as ‘1inch’ to exchange the stolen tokens for ether. From there, the ether coins were deposited into a privacy mixer known as Tornado Cash, which makes the money harder to trace.

Cybercriminals often look to a mixing or tumbling service, according to Rick Holland, chief information security officer at Digital Shadows, a cyberthreat intelligence company. Holland told CNBC these services allow users to combine illicit funds with clean crypto to essentially make a new type of cryptocurrency, at which point they turn to currency swaps.

So even though the blockchain is public, there are still ways to make it difficult for investigators to trace transactions to their ultimate destination. 

This latest breach comes amid a wave of recent hacks.

Last week, crypto lender Celsius Network admitted to losing funds (though it didn’t specify how much it lost exactly), as a result of the $120 million hack of the decentralized finance platform BadgerDAO.

And in August, a hacker stole more than $600 million worth of tokens from the cryptocurrency platform Poly Network. In a strange twist, the attacker subsequently returned nearly all of the money.