Ascendex Hack — Analysis

Dona Mara
Published in HAPI.Labs
Dec 29, 2021

Victim: Ascendex Exchange, a CEX backed by a plethora of well-known venture funds that recently raised a sizable funding round. Ascendex is a relatively well-known Tier-2 exchange, popular among European and North American users.

Time of Hack: ~10 PM UTC, December 11

Cause: Compromised main hot wallet. The exact cause of the exploit is still unknown.

Assets affected:

Terra Virtua Kolect, MahaDAO, Dafi Protocol, Ferrum Network, Xend Finance, 0x, Curve DAO Token, Compound, aelf, OKB, QuickX Protocol, YIELD App, KuCoin Token, Freeway Token, Taraxa, Ultra, Dai, CPOOL Token, Polygon, REVV, Uniswap, Linear, MANTRA DAO, UniLend Finance, Stratos, PowerTrade Fuel, RioDeFi, Crowns, OIN Finance, Aergo, Akropolis, Cudos, Zignaly, XCAD Network, PlotX, Umbrella Network, Huobi Token, GEEQ, e-Radix, Content Value Network, Bonded Finance, MixMarvel, Unmarshal, Celer Network, Beyond Finance, Decentr, Proxy, Router Protocol, Ternoa

Total Value Lost: ~$34,660,000

Response of the victim:

What has changed since: The situation has been gradually resolving, with Ascendex slowly working through the issue, restoring the state of the affected assets and resuming withdrawals, coupled with allotting new wallet addresses to each affected network.

Results and evaluation: We marked at least a dozen addresses across the wallets that the hacker interacted with. We will also be closely and continuously monitoring the following addresses, which hold the largest portions of the assets:

  • 0x9eee6862b78fb6f9627d7d5a908d2114814fcecd
  • 0x5629d0f06a984dab5f062aa8bb0eab75b94e7bf6
  • 0x70dcf33ca09bd87bb2a301280331406ebd32c8a0

Detailed Analysis

Remarkably, the hack itself took place in the exchange's most asset-populated wallet, the one that held most of the assets consolidated from smaller exchange wallets. CEXes often redistribute assets across several wallet addresses and, in fact, routinely make small to large scale transactions between them. In most cases, however, one wallet serves as the main storage (apart from the cold storage wallet). Unfortunately this very wallet was compromised, opening the door to an opportunistic course of action from the hacker's side.

The first identified hacker wallet (marked as Ascendex Hacker 1) was the first to receive the whole slew of assets. Without much hesitation, the hacker speedily used every tool in his arsenal and began moving the stolen assets away to different wallets.

In addition to the obvious covering of tracks, the hacker also used DEX aggregators to split the funds and muddle the trail even further. Besides the evident value of splitting assets across different wallets, this is also the more economical modus operandi, as it saves on the fees for each transaction, though saving was probably not the focal point of the whole charade.

After the curtains fully dropped and the gears came to a halt, new addresses began to emerge. We now take a closer look at the Ascendex Hacker 2 wallet. The address appears to be a provisional “haven” for all of the assets coming from Ascendex Hacker 1 and both DEX aggregators. Ascendex Hacker 2 is the vantage point from which the assets were transferred to a pair of freshly created wallets, Ascendex Hacker 3 and Ascendex Hacker 4.

Now, one of the more interesting addresses in this whole bunch is 0x756b4cd1f83684f78c6470d4071026509789946c. This address is of value for a reason. Firstly, it leads to a fairly unassuming contract address (0x5ddfbb29d7e375c55b19759959ac187fe8275538). Secondly, and more importantly, its second transaction is routed directly to the Kraken exchange, with a total value of 0.2 ETH.

There are a couple of theories as to why 0.2 ETH would be sent to a highly regulated and secured exchange like Kraken. The most probable one, the “naive theory”, is that the perpetrator simply wanted to check quickly whether Kraken would freeze the transaction and block the account. So instead of sending the full value in assets, the hacker sent a tiny amount first to test the waters.

A reasonable conclusion is that the test wasn't exactly successful, as this is the only transaction to the Kraken exchange made by our “hero”.

On the topic of testing the waters and the “naive theory”: Kraken wasn't the only exchange subjected to the experiment. Next came Binance. As tradition dictates, the hacker attempted the same scheme by transferring a sizable chunk of stolen assets from Ascendex Hacker 4 to a newly created wallet.

Now this is where the story takes an unexpected turn. The address in question, namely 0x82e66Fdcb4E7F5c3890581954Fcc59f629ACfc00, has a cousin, 0xB3a9e205bc35260f784e2328F3665F2EE8929Bb4, which to this day continues to hold over $400,000 worth of the following assets:

  • Chroma — ~521,000
  • Linear Token — ~2,000,000
  • Orion Protocol — ~0.3

Interaction between 0xB3a9e205bc35260f784e2328F3665F2EE8929Bb4 and 0x82e66Fdcb4E7F5c3890581954Fcc59f629ACfc00, which in turn seems to be related to the Binance wallet (by “related” we mean any interaction with the address, including, in our specific case, transactions to the exchange wallet for the purpose of laundering).

0x82e66Fdcb4E7F5c3890581954Fcc59f629ACfc00 interacting with one of the Binance wallets

0xB3a9e205bc35260f784e2328F3665F2EE8929Bb4 sending transactions to and receiving transactions from 0x82e66Fdcb4E7F5c3890581954Fcc59f629ACfc00

Assets, Currently Active Hacker Wallets, and What to Look Out For!

This unprecedented audacity on the hacker's part has proved damaging to three parties at once. Ascendex has suffered a substantial reputational loss that may negatively impact its image in the short to mid term. Users affected by the exploit have potentially been exposed to the loss of some of their assets (though Ascendex claims it will reimburse the majority). And the projects whose tokens are at the mercy of the hacker, who can freely dump them at will, incur losses at large.

In order to prevent further laundering of the funds and preclude any aggravation of the damage done, we marked several dozen addresses that either interacted with the hacker or are in any way related to it. We also found additional, previously unmarked hacker addresses that currently hold the biggest share of the assets:

  • 0x9eee6862b78fb6f9627d7d5a908d2114814fcecd
  • 0x70dcf33ca09bd87bb2a301280331406ebd32c8a0
  • 0x5629d0f06a984dab5f062aa8bb0eab75b94e7bf6
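As an added example of the tracing and monitoring workflow this analysis describes (not HAPI.Labs code, and not on-chain data: every address, token symbol, amount and transfer below is a constructed placeholder), the Python script expands “related” addresses outward from the compromised hot wallet using the definition above (any interaction with a marked address), flags transfers from the cluster into known exchange deposit addresses and separates small ETH probes of the 0.2 ETH kind from actual cash-outs, and derives which related addresses still hold funds, i.e. the ones worth keeping on a watchlist. The exchange label table and the probe threshold are assumptions of the example.

```python
"""Trace token flows outward from a compromised hot wallet and build a
monitoring watchlist. Added example, not HAPI.Labs code: every address,
token symbol and transfer below is a constructed placeholder."""
from collections import defaultdict, deque

# Constructed transfer log: (tx_index, from, to, token, amount).
# In practice this comes from an indexer or block explorer export.
TRANSFERS = [
    (1, "0xHOT", "0xHACK1", "LINA", 2_000_000.0),
    (2, "0xHOT", "0xHACK1", "CHR", 521_000.0),
    (3, "0xHACK1", "0xAGG", "CHR", 521_000.0),        # hop through a DEX aggregator
    (4, "0xAGG", "0xHACK2", "CHR", 521_000.0),
    (5, "0xHACK1", "0xHACK2", "LINA", 2_000_000.0),
    (6, "0xHACK2", "0xHACK3", "LINA", 2_000_000.0),
    (7, "0xHACK2", "0xHACK4", "CHR", 521_000.0),
    (8, "0xHACK4", "0xPROBE", "ETH", 0.3),
    (9, "0xPROBE", "0xKRAKEN_DEPOSIT", "ETH", 0.2),   # small probe into an exchange
    (10, "0xUNRELATED", "0xOTHER", "LINA", 5.0),      # noise: never touches the cluster
]
# Constructed label table of known exchange deposit addresses (assumption).
EXCHANGES = {"0xKRAKEN_DEPOSIT": "Kraken", "0xBINANCE_DEPOSIT": "Binance"}
SEED = "0xHOT"             # the compromised hot wallet
PROBE_THRESHOLD_ETH = 1.0  # ETH sent into an exchange below this counts as a probe


def related_addresses(transfers, seed, exchanges, max_hops=8):
    """Breadth-first expansion from the seed. 'Related' means any interaction
    with an already-marked address, so edges are followed in both directions.
    Returns {address: hop distance from the seed}."""
    adj = defaultdict(set)
    for _, src, dst, _, _ in transfers:
        adj[src].add(dst)
        adj[dst].add(src)
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        # Exchange deposit addresses are hubs shared with unrelated users:
        # record them, but never expand through them or the cluster explodes.
        if hops[cur] >= max_hops or cur in exchanges:
            continue
        for nxt in adj[cur]:
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def exchange_transfers(transfers, hops, exchanges, threshold=PROBE_THRESHOLD_ETH):
    """Every transfer from a related address into a known exchange deposit
    address, tagged 'probe' (small ETH test, the 0.2 ETH pattern) or 'cash-out'."""
    flagged = []
    for idx, src, dst, token, amount in transfers:
        if src in hops and dst in exchanges:
            kind = "probe" if token == "ETH" and amount < threshold else "cash-out"
            flagged.append((idx, src, exchanges[dst], token, amount, kind))
    return flagged


def current_holdings(transfers, hops, exchanges):
    """Net positive balance per related address per token, computed from the
    transfer log alone; addresses still holding funds are the ones to watch."""
    balance = defaultdict(lambda: defaultdict(float))
    for _, src, dst, token, amount in transfers:
        if src in hops:
            balance[src][token] -= amount
        if dst in hops:
            balance[dst][token] += amount
    holdings = {}
    for addr, tokens in balance.items():
        if addr in exchanges:  # funds inside an exchange are in its custody, not a hacker wallet
            continue
        held = {t: v for t, v in tokens.items() if v > 1e-12}
        if held:
            holdings[addr] = held
    return holdings


def build_watchlist(transfers=TRANSFERS, seed=SEED, exchanges=EXCHANGES):
    """Combine the three views into one report for the monitoring team."""
    hops = related_addresses(transfers, seed, exchanges)
    return {
        "hops": hops,
        "exchange_transfers": exchange_transfers(transfers, hops, exchanges),
        "holdings": current_holdings(transfers, hops, exchanges),
    }


if __name__ == "__main__":
    report = build_watchlist()
    for addr, h in sorted(report["hops"].items(), key=lambda kv: kv[1]):
        print(f"hop {h}: {addr}")
    for row in report["exchange_transfers"]:
        print("exchange transfer:", row)
    for addr, held in report["holdings"].items():
        print("still holding:", addr, held)
```

On the constructed data the cluster reaches the Kraken deposit address five hops out without pulling in the unrelated pair, the single 0.2 ETH transfer is tagged as a probe rather than a cash-out, and the holdings view leaves Hacker 3, Hacker 4 and the probe wallet on the watchlist while the pass-through wallets (Hacker 1, Hacker 2, the aggregator) drop out because their balances net to zero. Stopping the expansion at exchange addresses is the important design choice: an exchange deposit hub is shared with thousands of legitimate users, and walking through it turns a hacker cluster into half the chain.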
