UPPtopia Report: Uppsala Security Team Investigates Cryptopia Hack

During our review of hacking incidents in 2018, our prediction for 2019 is that these incidents will only continue to increase due to malware being easily available in the Dark Web at very low cost, and a lack of cybersecurity knowledge among daily Internet users.

A recent article from Alan Woodward, a renowned computer scientist who wrote the top ten 2019 cybersecurity predictions, also mentioned that cyber criminals will increasingly switch to easier targets. Rather than attempt to steal an individual’s banking details, cyber criminals will steal cryptocurrencies. It also mentions websites being hijacked to siphon visitors’ computing power for crypto mining rather than their personal details.

Sadly, just two weeks into the new year, a major crypto exchange has gotten hacked. According to their official webpage, Cryptopia is a well-known exchange based in New Zealand. They announced a security breach that resulted in significant losses of crypto assets and had to put their site in maintenance mode.

As per Cryptopia’s official statements, the New Zealand police said a forensic digital investigation and a physical scene examination are both ongoing. Due to the potentially enormous amount of ERC20 tokens suspected to be stolen, this led us to believe that an onsite security breach may have allowed cyber criminals direct access to the Cryptopia IT infrastructure.

Since there is not much information from an ongoing investigation, we were not able to further identify the initial threat vector that could have potentially led to this major hack. Hopefully more details will be released by the officials so we could learn from this incident in order to find and close unknown security gaps.

Let reviews on the facts as we know for now. (All times references are UTC+0)

1. [Cryptopia1] is identified as an address that belongs to the Cryptopia exchange.
2. [Hacker1] has received 20,752.5912 ETH directly from the Cryptopia wallet address from 13:30 January 13 to 07:37 January 14 in FIVE separate transactions. We believe this address belongs to a relay wallet, which is created currently for a specific one-time use only, as there were no further movements observed after these large transactions.
3. An additional 8,024.1588 ETH was also transferred to [Hacker1’s] address between 13:45 January 13 and 11:38 January 15 in 76,078 transactions. It is likely that these are the crypto assets that belong to Cryptopia’s customers.
4. A total of 28,776.75 ETH has been siphoned, bringing the total value to US $3.5 million.
5. We tracked the 28,773.5681 ETH being moved to another crypto address [Hacker2]. We believe this address also belongs to the suspect. At the time of publishing, this ETH amount still resides in that address.
6. The incident is not only limited to ETH. Other ERC20 tokens were also siphoned during this incident. We found that [Cryptopia2] is a Cryptopia wallet address containing large numbers of ERC20 tokens for projects such as Omisego, Kyber Network, etc. The volume involved is very significant.
7. We discovered that all the ERC20 tokens in question were moved to the following address: [Hacker3]. We think this also belongs to the suspect. Please refer to Table 1 for the list of ERC tokens currently owned by this address and large numbers of these were being transferred from [Cryptopia2]. The total value of these tokens can easily amount to a few million USD.
8. A [Transaction1] that occurred at 12:01 on October 5 2017 caught our attention it went from [Cryptopia1] to [Suspect1] address. This is interesting because [Suspect1] received 21 ETH at 12:33 on January 1 2019 from another exchange and it was later transferred to [Suspect2]. Following that, [Suspect2] only had two outgoing transactions to [Hacker1] and [Hacker3] crypto addresses. We have reason to believe this flow of transactions is to provide the ETH for gas fees that they going to use to transfer large numbers of ERC20 tokens from the exchange.
9. We think if that Cryptopia reviewed [Transaction1] records on their end and they have details KYC of the customer, it should provide some leads for the investigation. The customer who transacted with [Suspect1] may be involved in this incident.
10. Based on public reports, some specific ERC20 tokens have been sent onto exchanges for token swaps. One exchange was alerted to the hack early on, and therefore was able to freeze those stolen tokens before any further transactions.

The Uppsala Security Operations Team received reports from the community on an alleged scammer trying to leverage this incident by claiming they would like to make donations to victims. However, victims are required to send some tokens to the so-called donator’s wallet address to prove credibility. The Uppsala Security Operations Team highly recommends for all the affected victims to be wary and to not proceed with such transactions.

Partners and exchanges who implemented Sentinel Protocol’s Interactive Cooperation Framework API (ICF API) will be notified in real time when malicious wallet addresses attempt to trade or sell cryptos using their platforms.

Meanwhile, the community can stay safe by downloading the complimentary UPPward Chrome/Firefox Extension by Sentinel Protocol (https://uppward.sentinelprotocol.io/ or https://addons.mozilla.org/en-US/firefox/addon/uppward-by-sentinel-protocol/) to verify whether wallet addresses are legit before transacting. Users can also report hacks, scams, and fraud using the “Report now” feature on the extension.

For the latest news surrounding our investigation of the Cryptopia incident, follow us on our social accounts — Telegram, LinkedIn, Twitter, Facebook and Medium.