The Cryptopia hacker is still at it
The hacker seems to have taken over Cryptopia's ETH wallets, and is draining them at leisure.
- It's speculated that the hacker has taken outright control of Cryptopia wallets rather than breaking into them.
- A further $180,000 of ETH was drained over two weeks after the initial hack.
- Every new hack brings new lessons for cryptocurrency exchanges. The degree to which they are heeded varies between exchanges.
Update: New Zealand police dispute the claim that more funds were stolen. However, it's clear beyond any shadow of a doubt that more funds were moved from Cryptopia wallets into a wallet that received funds during the initial theft. The blockchain doesn't lie, so either the police statement is inaccurate or there are some interesting things going on behind the scenes.
More than two weeks after the initial breach, Cryptopia, once New Zealand's largest cryptocurrency exchange, is still shuttered and users are still unable to access their funds. So it must be galling that the hacker still has access to them. Furthermore, it's looking like Cryptopia no longer has access to its own wallets or user funds either, blockchain firm Elementus suggests.
Of the more than 76,000 Ethereum wallets that were under Cryptopia's control, most or all are now under the hacker's control. Yesterday the hacker exercised that control to move a further US$180,000 of ETH into a wallet known to be associated with the initial theft.
There are a few conclusions that can be reached from the new movement.
Firstly, Elementus pointed out that a lot of those wallets were now being emptied for a second time, because people kept depositing funds into their Cryptopia accounts after the first drain.
Some of these are people who were unlucky enough to make a deposit into an already-robbed wallet in the time between Cryptopia actually losing funds and it halting trading. But the majority of the deposits into Cryptopia accounts were from mining pools. It seems a lot of miners opted to receive their rewards by direct deposit into their accounts.
Secondly, it's probably safe to say that Cryptopia does not have control of its own wallets anymore. During the initial thefts, Cryptopia may have been in the very unpleasant position of watching funds flow out of user wallets over the course of several days while being unable to stop it.
"One possible explanation is that Cryptopia had their private keys stored in a single server with no redundancy. If the thieves managed to gain access to this server, they could have downloaded the private keys before wiping them from the server, leaving Cryptopia unable to access their own wallets," Elementus explains.
This method makes the incident quite unusual compared with the more typical hot wallet breaches, which take advantage of a victim's lax security practices.
"What we have learned from exchange hacks around the world, such as Coincheck and Bitfinex for example, is that hot wallets are the primary targets. To mitigate this risk, we keep over 95 per cent of crypto funds under our custody in cold storage and leave only the absolute minimum amount in our hot wallet to facilitate immediate user withdrawals," explained Adrian Przelozny, CEO of the Independent Reserve – New Zealand's second largest (now largest?) – cryptocurrency exchange.
"A number of exchanges grew very quickly and it would be reasonable to assume that they don't always have sufficient controls in place to keep up with growth and manage the client funds they hold," he said.
The incident also highlights the importance of a quick response time when faced with these kinds of incidents. Some people lost money in this new wave of thefts by making more deposits into a wallet that, unbeknownst to them, had already been robbed and no longer belonged to Cryptopia.
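The two failure modes above (deposit addresses being drained a second time, and the need to notice the first drain quickly) can be caught with a simple ledger monitor. The following is an added example, not Elementus's or Cryptopia's code; the addresses and transfers are constructed placeholders, and the only assumption is that the exchange knows its own deposit addresses and has a watchlist of wallets that received stolen funds.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One ETH transfer as it would be pulled from a block explorer or node."""
    block: int
    sender: str
    recipient: str
    eth: float


# Constructed sample data: placeholder addresses, not real Cryptopia wallets.
CUSTODIAL_DEPOSIT_ADDRESSES = {"0xdep1", "0xdep2", "0xdep3"}
ATTACKER_WATCHLIST = {"0xattacker"}  # wallet known to have received stolen funds

SAMPLE_TRANSFERS = [
    Transfer(100, "0xminingpool", "0xdep1", 1.5),  # normal miner payout
    Transfer(101, "0xdep1", "0xattacker", 1.5),    # first drain to attacker wallet
    Transfer(102, "0xdep2", "0xattacker", 4.0),    # another deposit address drained
    Transfer(110, "0xminingpool", "0xdep1", 0.8),  # payout lands in robbed wallet
    Transfer(115, "0xdep1", "0xattacker", 0.8),    # second drain of the same wallet
    Transfer(116, "0xuser", "0xdep3", 2.0),        # deposit into an untouched wallet
]


def analyse(transfers, custodial, watchlist):
    """Return (compromised, at_risk).

    compromised: deposit address -> block of its first outflow to the watchlist;
    at_risk: deposits that arrived at an address after it was compromised,
    i.e. funds that should have been blocked by disabling the address.
    """
    compromised = {}
    at_risk = []
    for t in sorted(transfers, key=lambda x: x.block):
        if t.sender in custodial and t.recipient in watchlist:
            compromised.setdefault(t.sender, t.block)
        elif t.recipient in compromised and t.block > compromised[t.recipient]:
            at_risk.append(t)
    return compromised, at_risk


def at_risk_total(at_risk):
    """ETH that landed in already-robbed addresses (the 'second drain' exposure)."""
    return sum(t.eth for t in at_risk)
```

In practice the compromised set feeds the deposit-address disable list, and any non-empty at_risk list is the signal that the response came too late.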
Other exchanges have already learned this the hard way. Whoever scraped $60 million out of the Zaif exchange, for example, chose to wait until Friday evening before striking. No one was around over the weekend, so the losses weren't discovered until Monday. SIM swappers have also been known to strike on weekends because they know the phone companies will have fewer staff, or none, around to help their customers then.
One of the main lessons here might be that because cryptocurrency is 24/7, security and customer service need to be as well. Anything less leaves security gaps which will be deliberately targeted.
"We have 24/7 customer care support to ensure quick response time in the event of an incident," Przelozny noted.
The odds of recovering funds following any cryptocurrency theft are remote. And even if a perpetrator is caught, the money might be long gone. It's also common for them to simply refuse to hand over their private keys, at which point there's not much authorities can do about it, at least not within the bounds of acceptable police procedures in most countries.
And the nature of the hack in this case, where an attacker managed to take over the wallets entirely, suggests the money won't be coming back. It looks like Cryptopia didn't just lose money from the wallets, it lost the wallets entirely.
"Unfortunately, despite the efforts of major exchanges to identify and freeze the stolen funds as fast as possible, it is very unlikely that these criminals will ever be caught. And even if the criminals are caught, or the funds effectively frozen and obtained by legitimate actors, the process of returning the Ether to its original owners is likely to be a long and challenging process for all parties," said Michael Ou, CEO of CoolBitX. "Exchanges are not banks and there’s no guarantee your funds will be credited back to your account."
Elementus strikes an optimistic note though.
Estimates of the total losses range up to $16 million, but many of the stolen tokens only had value as a result of being tradeable on Cryptopia. Functionally they're worth a lot less than their sticker price. Although not the majority of the headline figure, most of the actual value stolen consisted of Ether, and only a few million dollars' worth of ETH was stolen.
"The value of stolen ETH amounts to 'only' about $3.5m. While this is by no means a small amount in absolute terms, it is small relative to what we would expect Cryptopia to hold in user deposits. This leads us to think Cryptopia must have a cache of Ether stashed away," Elementus says. "If these funds are out there, they would likely either be stored on-chain in a cold wallet or off-chain in the custody of another exchange."
Only time will tell how it all shakes out. In the meantime, there are plenty of lessons to be learned.
Disclosure: At the time of writing the author holds ETH.