Hack Track: Upbit Cryptocurrency Exchange

Merkle Science
Dec 12, 2019

Merkle Science Hack Track provides digestible insights on the movement of stolen funds from the latest cryptocurrency heists.


Who was hacked?

Upbit is a South Korea-based cryptocurrency exchange operated by Dunamu, which is backed by South Korean messaging giant Kakao. The exchange is one of the four largest in South Korea by volume, alongside Korbit, Bithumb and Coinone.

What was stolen?

For now, it appears only ether (ETH) was stolen by the hackers.

How much was stolen?

ETH 342,000 (close to US$50 million at the time of the hack and US$50.2 million equivalent as of 10 December 2019).

When did the hack take place?

The ETH was transferred by the hackers to an unknown Ethereum wallet address at 13:06 (Korean Standard Time, GMT+9) on November 27th, 2019.

It is likely the hackers would have gained access to UpBit’s servers several hours or possibly even days prior to the funds being stolen to retrieve the private keys used to sign the outgoing ETH transaction.

Why did the hack take place?

Based on publicly available information, the stolen ETH was being stored in a hot wallet (where the private keys are available in a database connected to the internet) that did not require multiple signatures (multi-sig) by operators of the exchange to sign an outgoing transaction.

Therefore the hackers were able to retrieve the wallet’s private keys and sign the subsequent outgoing ETH transaction without significant challenges. The full details regarding the cause of the hack have not yet been disclosed by UpBit.

How do we know this hack happened?

UpBit’s CEO, Lee Seok-woo, confirmed that the hack had taken place through an official statement (screenshot below) after the firm suspended all transfer services on November 27th 2019.

What is the impact of the hack on the firm’s clients?

In the official statement, UpBit’s CEO made it clear that the stolen ETH would be covered fully by the company using their existing funds. In the meantime, all other cryptocurrencies stored on hot wallets have been transferred to cold wallets (where private keys are stored offline) to prevent further breaches and unauthorized transfers. This transfer of the remaining ETH from UpBit’s hot to cold wallets can be viewed here.

All deposits and withdrawals have also been suspended for a two week period to enable the exchange to conduct a thorough investigation into the cause of the breach.

How does this hack compare to others?

According to Coindesk, Upbit is the seventh major cryptocurrency exchange hack of 2019.

Bithumb, one of South Korea’s largest exchanges, has been hacked on multiple occasions including:

Other South Korean exchanges to be hacked include Coinrail in June 2018 and Youbit in December 2017, which eventually filed for bankruptcy.

Where are the stolen funds going?

Initially, the stolen ETH 342,000 was transferred from UpBit’s hot wallet (0x5e032243d507c743b061ef021e2ec7fcc6d3ab89) to the Ethereum wallet address 0xa09871AEadF4994Ca12f5c0b6056BBd1d343c029, belonging to the hacker, which we have labelled H (transaction link).

There have been 77 distinct addresses in total so far (including Upbit’s hot wallet address) from which ETH has been transferred to address H. The first incoming transaction to H was on the 27th November 2019.

Funds were then sent by the hackers from address H to multiple Ethereum wallet addresses, with values ranging from less than ETH 0.1 to more than ETH 100,000.

The table below, compiled by Merkle Science analysts, details all associated destination wallet addresses and the values transferred. The transaction analysis has been completed up to the 3rd December 2019.

As the table above demonstrates, so far we have been able to identify four destination wallet addresses associated with the following entities:

  • Binance, a major cryptocurrency exchange
  • Huobi, a major cryptocurrency exchange
  • 60cek.org (tagged on etherscan.io), a Russian language based cryptocurrency coin swap service
  • Switchain (tagged on etherscan.io), powered by Changelly, a cryptocurrency coin swap service

You can see the provenance of the stolen ETH in our visualization below:

Click here for a closer view in Figma.

What do we know about the hackers so far?

  • They are sending ETH to cryptocurrency coin swap services (Switchain, 60cek.org) to convert the hacked ETH into other cryptocurrencies. This indicates that the hackers may be trying to launder and hide the stolen ETH.
  • They are sending smaller amounts to established exchanges (Binance, Huobi) to try and test what they can get away with on those platforms.
  • They do not seem deterred from continuing to move the stolen funds despite being publicly tracked by multiple parties, including major media organisations.
  • They are also moving funds to some small entities which Merkle Science’s analysts are working to identify and will disclose in updates of this article.

What can be done to prevent hackers from cashing out?

Other cryptocurrency exchanges can follow the example of Binance CEO Changpeng Zhao, who immediately pledged to ensure that the stolen funds would not be transacted through their platforms.

This can be done by freezing the account of the user associated with the incoming transaction (flagged by a blockchain analysis tool), preventing them from trading ETH for other cryptocurrencies, especially anonymous ones, that could then be transferred elsewhere and are more difficult to trace.

Most exchanges globally share information on stolen fund addresses to deal with such risks and collaborate with law enforcement agencies and blockchain analysis firms such as Merkle Science for additional data and investigative services.
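The fund-flow tracing described above (stolen ETH moving from UpBit’s hot wallet to address H and onward through intermediaries) and the deposit-freezing control just described are two sides of one mechanism: replay the transfers, carry a taint label forward, and flag exchange deposits that still carry it. The script below is an added example written for this article, not Merkle Science code or a description of any blockchain analysis product. It uses a simple proportional (“haircut”) taint model; the only real values in it are the two addresses quoted above and the 342,000 ETH theft transfer, while every other address (named 0xHYPOTHETICAL_…, 0xEXCHANGE_DEPOSIT_…) and amount is constructed.

```python
"""Deposit screening against known stolen-fund addresses (added example).

Replays a list of ETH transfers and propagates a "haircut" taint: every ETH
flowing into or out of a seed address (hacker address H from the article) is
stolen ETH, and each later transfer carries taint in proportion to the tainted
share of the sender's tracked balance. An exchange can then flag deposit
addresses whose tainted share exceeds a threshold before crediting them.
Only the two addresses quoted from the article and the first transfer are
real; all other addresses and amounts are constructed for this example.
"""
from collections import defaultdict
from math import inf

# Addresses quoted in the article (lower-cased for comparison).
UPBIT_HOT_WALLET = "0x5e032243d507c743b061ef021e2ec7fcc6d3ab89"
HACKER_H = "0xa09871aeadf4994ca12f5c0b6056bbd1d343c029"

# Constructed sample transfers (sender, receiver, amount_eth), chronological order.
# Only the first row mirrors the article; every later row is hypothetical.
SAMPLE_TRANSFERS = [
    (UPBIT_HOT_WALLET, HACKER_H, 342_000.0),
    (HACKER_H, "0xHYPOTHETICAL_INTERMEDIARY_A", 100_000.0),
    ("0xHYPOTHETICAL_INTERMEDIARY_A", "0xHYPOTHETICAL_MIXING_B", 50_000.0),
    ("0xHYPOTHETICAL_CLEAN_1", "0xHYPOTHETICAL_MIXING_B", 50_000.0),  # clean ETH mixes in
    ("0xHYPOTHETICAL_MIXING_B", "0xEXCHANGE_DEPOSIT_1", 10.0),       # 50% tainted deposit
    ("0xHYPOTHETICAL_CLEAN_2", "0xEXCHANGE_DEPOSIT_2", 5.0),         # fully clean deposit
]


def propagate_taint(transfers, seeds):
    """Replay transfers; return (balance, tainted, hops) dicts keyed by address."""
    balance = defaultdict(float)        # ETH tracked at each address
    tainted = defaultdict(float)        # part of that balance traced back to a seed
    hops = {seed: 0 for seed in seeds}  # shortest tainted path length from a seed
    for sender, receiver, amount in transfers:
        if sender in seeds or receiver in seeds:
            taint_share = 1.0           # the theft itself and H's outflows are fully tainted
        else:
            # A shortfall in the tracked balance is treated as untracked (clean) funds.
            available = max(balance[sender], amount)
            taint_share = tainted[sender] / available if available > 0 else 0.0
        tainted_amount = amount * taint_share
        balance[sender] = max(balance[sender] - amount, 0.0)
        tainted[sender] = max(tainted[sender] - tainted_amount, 0.0)
        balance[receiver] += amount
        tainted[receiver] += tainted_amount
        if tainted_amount > 0 and sender in hops:
            hops[receiver] = min(hops.get(receiver, inf), hops[sender] + 1)
    return balance, tainted, hops


def screen_deposits(transfers, seeds, deposit_addresses, min_share=0.1):
    """Return deposit addresses whose tracked ETH is at least `min_share` tainted."""
    balance, tainted, hops = propagate_taint(transfers, seeds)
    flagged = []
    for addr in deposit_addresses:
        if balance[addr] <= 0:
            continue
        share = tainted[addr] / balance[addr]
        if share >= min_share:
            flagged.append({"address": addr, "tainted_eth": tainted[addr],
                            "tainted_share": share, "hops_from_seed": hops.get(addr)})
    return sorted(flagged, key=lambda hit: hit["tainted_share"], reverse=True)


if __name__ == "__main__":
    deposits = ["0xEXCHANGE_DEPOSIT_1", "0xEXCHANGE_DEPOSIT_2"]
    for hit in screen_deposits(SAMPLE_TRANSFERS, {HACKER_H}, deposits):
        print(f"hold {hit['address']}: {hit['tainted_eth']:.2f} ETH tainted "
              f"({hit['tainted_share']:.0%}), {hit['hops_from_seed']} hops from H")
```

In the constructed data only 0xEXCHANGE_DEPOSIT_1 is flagged (5 of its 10 ETH trace to H, three hops away); the clean deposit is left alone. The haircut rule is deliberately conservative in one direction: ETH that a sender received from addresses outside the replayed set is assumed clean, so in practice the seed list and transfer set would be refreshed continuously as the hackers move funds, which is what the periodic updates to this article track.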


Our team will continue to update this article on a periodic basis following continuing movements of the stolen funds.

Contact our team today to find out more about Merkle Science’s blockchain analysis products and how it could help your organization to detect and prevent illegal use of cryptocurrencies.
