Cryptocurrency exchange Kucoin may have been hacked for $150 million in bitcoin and multiple ERC20 tokens.
The Seychelles-registered exchange confirmed the September 25 security breach, but did not disclose the amount stolen.
“Bitcoin, ERC-20 and, other tokens in Kucoin’s hot wallets were transferred out of the exchange,” said Kucoin in an update on Saturday.
Meanwhile, Bitfinex and Tether, issuers of the centralized stablecoin USDT, immediately froze a combined $33 million worth of USDT suspected to be part of the funds looted in the Kucoin hack – an action that has stirred questions around the influence of centralized platforms.
Paolo Ardoino, chief technology officer of both entities, tweeted that Bitfinex froze $13 million USDT on EOS as part of the hack. Tether froze $20 million USDT “sitting on this ethereum address as a precautionary measure,” he said.
In its update, Kucoin maintains that funds in its cold wallets (offline storage, which is less susceptible to hacks) are safe, even as the hot wallets were hit. Kucoin attempted to calm fretful investors, appealing:
If any user fund is affected by this incident, it will be covered completely by Kucoin and our insurance fund.
Kucoin, which prides itself “as the most advanced and secure cryptocurrency exchange”, said it will be suspending deposits and withdrawals to pave way for what it calls “a thorough security review.”
But these issues appear to have already been happening while the hack was in progress. Users started having difficulties with withdrawals on September 25th, long before the exchange had made any official announcement regarding the breach.
On September 25, at 9:55 p.m. (ET), the onchain analysis firm Cryptoquant’s Telegram signals channel detailed that Kucoin was hacked. “Usually, after being hacked,” Cryptoquant signals channel said. “The BTC outflow increases rapidly and then becomes zero. Since 20:00 UTC on September 25th, the outflow has continuously been zero.”
The Kucoin team waved off the concerns, claiming that “the transactions were simply pending.” It later emerged that about $150 million worth of BTC and other tokens had been spirited out of the exchange.
More than 11,480 ether (ETH), worth over $4 million, was received into this address. A further $146 million involved transactions related to tokens such as ampleforth, maker, OMG and YFI – all decentralized finance (defi) tokens. Others include little known digital assets like chroma, vid, and ocean token.
Kucoin chief executive officer Johnny Kyu later told investors in a livestream event on Saturday that the exchange shut down its server once it noticed funds were being moved out of its hot wallets.
The intervention failed because the private passwords to the hot wallet had already been impaired. Kucoin then switched the unaffected funds to a new address. Kucoin is the world’s 16th largest crypto exchange by volume, according to Coinmarketcap data.
What do you think about the Kucoin hack? Let us know in the comments section below.
Image Credits: Shutterstock, Pixabay, Wiki Commons
Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or a recommendation or endorsement of any products, services, or companies. Bitcoin.com does not provide investment, tax, legal, or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.