Bithumb hacked again: $20 million lost in suspected inside job

Posted: 1 April 2019 12:56 pm

The Bithumb hot wallet was compromised, but the cold wallets are still safe.

One of South Korea's largest cryptocurrency exchanges, Bithumb, has been robbed... again.

Last time, the losses added up to around US$30 million, while the losses this time are worth only around $20 million all up, composed of around 3 million EOS and 20 million XRP according to Dovey Wan, who first spotted the funds going amiss.

In a statement on the incident, Bithumb said it believes the theft to be an inside job.

Bithumb's English statement specifically describes the event as an "accident involving insiders," while a Google translation of the Korean statement entertainingly describes it as an "embezzlement accident."

Second time's a charm

The first time Bithumb was hacked, the cryptocurrency markets took a profound plunge in response. This time, however, the markets haven't appeared to respond at all. Observers suggest that this could be a sign that market pessimism is all tapped out, or that sentiment has become immune to theft.


And despite the evidence to the contrary, Bithumb assured users that this won't happen again, and that it would update its internal verification procedures to help prevent it.

"We only focused on defense of outside attack," it explained, and didn't effectively counter the risk of an inside job.

The hack occurred on Friday and extended over the weekend, as is relatively typical for these kinds of heists. By carrying out an attack off-hours, a thief may have a higher chance of staying under the radar for longer.

According to Wan's timeline of events, the wallet that received the stolen EOS was created at 10:40am (Seoul time) on Friday. The thefts were then carried out from 10pm to midnight on the same day. So, the perpetrator probably spent the whole day at work sitting on the fact that they would be busting out a major heist that evening. It would have been a tense day.

The thief started moving the funds to other exchanges as soon as they could. But Bithumb responded relatively quickly and started moving its funds from the hot wallet to the cold wallet about an hour after the unauthorised withdrawals started.

Lessons learned

The key lesson learned here is probably that insider thefts are a risk that needs to be countered. But this is exactly what multisignature wallets are for. These wallets specifically protect against this kind of thing by requiring signatures from more than one private key before funds can be moved, so no single insider can withdraw on their own.

Multisig wallets are already regarded as common sense best practice wherever a lot of funds are at stake, and most reputable exchanges use them, Bithumb included. In its statement, Bithumb mentioned that it protects withdrawals with a multisignature scheme.

But in this case, it was the EOS hot wallet, g4ydomrxhege, that was targeted. The idea is that hot wallets shouldn't have enough funds to motivate these kinds of thefts, but in this case it apparently had more than enough. It would still be much more concerning if the cold wallet was targeted though.

Wan points to some other peculiarities in the theft. After a single test withdrawal and the big withdrawal of 3 million EOS, the draining continued as a series of smaller withdrawals, and all of them carried the same superfluous memo.

The multiple withdrawals can be easily explained by the hacker draining funds as users made new deposits. However, this would mildly conflict with Bithumb's statement that "all the spilled cryptocurrency is owned by company, and all the member's asset is under the protection of cold wallet." The funds might have been moved to cold storage, but according to the EOS blockchain, some people's deposits passed straight through Bithumb's wallet and into the pockets of the thief.

For example, one user sent 2,851 EOS to Bithumb, only for the thief to pull 2,850 EOS out two minutes later.

[Image: bithumb-heist-eg-snip.jpg]

The memo system is less clear, but other Twitter users suggested that the memos were a side effect of whichever internal system the thief used to process the withdrawals.

It's also worth considering that the thief may have only tripped alarms so quickly because they kept withdrawing small amounts from the hot wallet. It's possible that just sticking to the single large withdrawal would have bought more time to dispose of the funds.

As it is, the EOS trail was easily picked up on the blockchain and Bithumb was quick to contact the downstream exchanges, requesting that the stolen funds be frozen. Some of these downstream exchanges have released statements saying they've frozen the suspicious transfers. The amount the perpetrator gets away with in the end won't be the same as the amount that left the Bithumb wallets.

This event may have been an expensive but worthwhile lesson for Bithumb, clearly highlighting a potential security hole which needed filling.

It's also worth noting that, like many well-funded EOS wallets, the thief's address (ifguz3chmamg) quickly received a lot of blockchain advertisements and chain letters, including this chestnut in which a spammer laments losing their money to a thief.

[Image: EOS-chain-letter-snip.jpg]

Disclosure: The author holds ETH at the time of writing.
