KuCoin, the Asian cryptocurrency exchanger has been hacked

Basem Dabbour
Coinmonks
4 min read · Sep 27, 2020


How the attackers hacked one of the safest and most efficient cryptocurrency exchanges in the world and stole millions of dollars in Bitcoin and ERC20 tokens.

Private Key

The Singapore-based exchange KuCoin said in a statement on September 26, 2020, at 03:05:37 (UTC+8) that an internal security audit had discovered a number of large withdrawals of Bitcoin, Ethereum (ERC20) and more than 150 other tokens from several hot wallets hosted on the KuCoin exchange, wallets that held the assets of customers keeping their tokens on KuCoin.

Hot vs Cold. Image source: https://blog.spiking.com/differences-between-a-hot-cold-wallet-544a0cc15f71

What are hot wallets?

Hot wallets are software or desktop wallets that hold cryptocurrency and are connected to the internet, whereas cold wallets are not. They are easier to set up: the user provides the required documents and identification for later access. The wallet’s private key is stored on the user’s local machine or in the third-party exchange’s database for easy access, which also makes it easier for hackers to compromise.

What are cold wallets?

Cold wallets are Hierarchical Deterministic (HD) hardware wallets that hold two chips. The first is called the “secure element” or “secure microcontroller” and securely holds the cryptographic seed or cryptographic data (public key and private key). The second is a “general microcontroller” that acts as the interface between the first chip and the USB port (similar to a flash drive).

KuCoin had not released any technical report as of the date of this article, nor confirmed whether it was a social engineering attack. However, the first analysis given by KuCoin CEO Johnny Lyu said that the hackers found a way, whether through a zero-day bug or a social engineering approach, into the KuCoin database, stole users’ private keys, and transferred whatever was left in each of the users’ hot wallets to a new hot wallet controlled by the hackers.

Public Key and Private Key.

Any transaction must be signed with the sender’s private key, and the message is encrypted so that only the receiver can decrypt it with their private key. The attackers used the stolen private keys, originally used by users to connect to the hot wallet, to easily hijack the accounts, sign transactions before they were recorded on the public blockchain, and scale the attack by transferring all tokens from many victims’ accounts to the address of their choice.

For that reason, users with cold wallets were not affected, since their private keys are stored on an external offline device (HD wallet) that is not connected to the internet.
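The two signals this article describes, an internal audit noticing unusually large withdrawals from hot wallets and many victims’ balances being consolidated into one new address, can be turned into a simple monitoring rule. The following is an added example (not KuCoin’s code) that runs two checks over a constructed withdrawal log with hypothetical wallet names, destination addresses and per-asset limits:

```python
from datetime import datetime, timedelta

# Constructed sample withdrawal log (hypothetical wallet and address names, not real KuCoin data).
# One line per withdrawal: ISO-8601 time, source hot wallet, asset, amount, destination address.
SAMPLE_LOG = """\
2020-09-26T02:51:10Z hot-btc-01 BTC 0.4 bc1customer_a
2020-09-26T02:55:42Z hot-eth-03 ETH 12.0 0xcustomer_b
2020-09-26T03:00:05Z hot-btc-01 BTC 480.0 bc1newdest
2020-09-26T03:00:09Z hot-btc-02 BTC 530.0 bc1newdest
2020-09-26T03:00:31Z hot-eth-03 ETH 6000.0 0xnewdest
2020-09-26T03:01:02Z hot-eth-04 ETH 5400.0 0xnewdest
2020-09-26T03:01:50Z hot-erc-07 USDT 9000000.0 0xnewdest
"""

# Hypothetical policy: maximum outflow per hot wallet and asset inside one window.
LIMITS = {"BTC": 100.0, "ETH": 2000.0, "USDT": 1000000.0}


def parse_log(text):
    """Parse the log into (time, wallet, asset, amount, dest) tuples, oldest first."""
    rows = []
    for line in text.strip().splitlines():
        ts, wallet, asset, amount, dest = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), wallet, asset, float(amount), dest))
    return sorted(rows)


def detect(text, window=timedelta(minutes=10), fan_in_min=3):
    """Return alerts for (a) a hot wallet sending more than its per-asset limit within the
    window and (b) one destination collecting transfers from fan_in_min or more distinct
    hot wallets in the window, the consolidation pattern described above. Each alert
    fires once per wallet/asset or per destination."""
    rows = parse_log(text)
    alerts = set()
    for i, (t, wallet, asset, amount, dest) in enumerate(rows):
        recent = [r for r in rows[:i + 1] if r[0] >= t - window]
        outflow = sum(r[3] for r in recent if r[1] == wallet and r[2] == asset)
        if outflow > LIMITS.get(asset, float("inf")):
            alerts.add(("large_outflow", wallet, asset))
        sources = {r[1] for r in recent if r[4] == dest}
        if len(sources) >= fan_in_min:
            alerts.add(("fan_in", dest))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the sample, the two customer withdrawals stay silent while every drained wallet and the 0xnewdest consolidation are flagged; a real deployment would feed the exchange’s own withdrawal events and tune the limits per asset.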

Blockchain technology has made it very hard for hackers to attack the decentralized network itself: to take over enough nodes to execute a 51% attack and rewrite the immutable ledger in order to steal money. This raises a question that has been asked for years: can the blockchain be hacked?

Many attackers have therefore shifted their focus away from the blockchain itself to the surrounding interfaces, targeting ISPs, wallet providers and exchanges, or using social engineering techniques to gain access to users’ cryptographic keys and get the job done with limited resources and at lower cost.

The tokens held in the attacker’s wallets: more than 150 different tokens.

0xeB31973E0FeBF3e3D7058234a5eBbAe1aB4B8c23, the address of the suspected hacker on Etherscan, now holds more than 1,000 Bitcoin ($11 million), 11,480.915 Ether ($154 million), and the remaining ~$30 million of the total stolen amount of $194,854,295.88 in ERC-20 tokens and other assets, reported as follows:

The graph database shows two transactions (in green) from the KuCoin exchange to the attacker’s wallet.

26,733 LTC ($1.2 million).

18,495,798 XRP ($4.5 million).

14,713 BSV ($2.2 million).

9,588,383 XLM ($705,522).

228,952,838.064073 in TRX based tokens ($6.3 million).

$15 million worth of Tether (USDT) on the EOS and Omni blockchain.

Johnny Lyu said in an online conference that the customers affected by this incident should rest assured that everything will be recovered completely by KuCoin and its contingency plan insurance fund.

Basem Dabbour
Coinmonks

Data Science, Information Technology, Blockchain enthusiast. Instagram: https://bit.ly/3mCTDSI, LinkedIn:https://bit.ly/33FKct6