On June 1 we were made aware of a theft of 201,000 XRP (transaction F6E9E1385E11649A6C2F88723A821AF209B54030886539DCEF9DDD00E6446948) and immediately started an investigation. It turned out that the robbed account was managed through Gatehub.net, and that the offending account (r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k) had stolen substantial amounts from several other XRP accounts, which are likely to be, or to have been, managed through Gatehub.net.
The same day we made contact with Gatehub to make them aware of the potential security breach, while continuing our independent investigation and contacting the exchanges through which the offender appeared to have laundered the funds.
On further investigation, we found several other accounts connected to the theft, leading us to 12 primary suspect accounts:
From analysing the data, we found the first likely theft to be one of 10,000 XRP (transaction 30FBBD47F6791A00BF0C1DCFF6CBD8AECBF9EF71141544C031B8FAF3EACB4C41) on 2019-05-30 12:25:40 UTC.
As of writing this report, 2019-06-05 16:00 UTC, we estimate that ~23,200,000 XRP has been stolen from 80-90 victims, of which ~13,100,000 XRP have already been laundered through exchanges and mixer services.
While conducting the investigation we have kept in contact with some of the victims, with Gatehub, and with the exchanges used for laundering.
While there is still no conclusive evidence pointing to the source of the attack, these are the scenarios we have researched in our investigation:
1. Gatehub account hacks
From analysing access logs by victims and transactions made on the XRP ledger, it does not appear that any accounts were breached on gatehub.net directly, using client login credentials.
2. Phishing
From interviewing victims, it does not appear that any of them had fallen for phishing attempts, e.g. e-mails impersonating Gatehub.net.
3. Repeating nonce
Most victim accounts are older than December 2017, and older accounts are more likely to have been signed with transaction signing software that implemented the ECDSA nonce badly, but this does not seem to be the case here. To our knowledge, only a handful of accounts are vulnerable to this attack, and none of them are victims in this case.
4. Incremental nonces
While repeating nonces do not seem to be the core of the attack, it remains possible that a poorly implemented signing library used incremental nonces, which would make brute forcing the private keys feasible. We have not been able to confirm or deny this theory.
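The condition behind scenarios 3 and 4 is observable on the ledger itself: a repeated ECDSA nonce k produces an identical r value in two signatures made with the same key, and that is exactly what a wallet operator or an investigator can monitor for. The following is an added example, not code from the report or from Gatehub, that parses DER-encoded secp256k1 signatures (the TxnSignature format used on the XRP Ledger) and flags any account that has signed two transactions with the same r. The account names, transaction ids and signature values are constructed for the example; the helper `der_encode` exists only to build those samples.

```python
"""Detect ECDSA nonce reuse in XRP Ledger-style transaction signatures.

Added example, not part of the original report. A repeated nonce k shows up
as an identical r in two signatures by the same signing key; that is the
condition under which the private key becomes recoverable, so it is worth
scanning for. All sample data below is constructed.
"""
import hashlib
from collections import defaultdict

# Group order of secp256k1, the curve used by classic XRP Ledger accounts.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 if the high bit is set)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body


def der_encode(r: int, s: int) -> bytes:
    """Encode (r, s) as a DER SEQUENCE; used here only to build the constructed samples."""
    inner = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(inner)]) + inner


def der_decode(sig: bytes) -> tuple:
    """Parse a DER ECDSA signature into (r, s), rejecting malformed or out-of-range input."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    pos, values = 2, []
    for _ in range(2):
        if sig[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        length = sig[pos + 1]
        chunk = sig[pos + 2 : pos + 2 + length]
        if len(chunk) != length:
            raise ValueError("truncated INTEGER")
        values.append(int.from_bytes(chunk, "big"))
        pos += 2 + length
    if pos != len(sig):
        raise ValueError("trailing bytes after signature")
    r, s = values
    if not (0 < r < SECP256K1_N and 0 < s < SECP256K1_N):
        raise ValueError("r or s outside the secp256k1 group order")
    return r, s


def find_nonce_reuse(signed_txs):
    """Return [(account, r, [tx ids])] for every (account, r) seen more than once.

    signed_txs: iterable of dicts with keys 'account', 'tx' and 'sig' (DER bytes).
    Grouping is per account: the same r under two *different* keys does not by
    itself expose either key, so it is not reported.
    """
    seen = defaultdict(list)
    for item in signed_txs:
        r, _s = der_decode(item["sig"])
        seen[(item["account"], r)].append(item["tx"])
    return [(acct, r, txs) for (acct, r), txs in seen.items() if len(txs) > 1]


def _fake_scalar(label: str) -> int:
    """Deterministic 256-bit value for constructing sample r and s; not a real signature."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % SECP256K1_N


# Constructed sample: account A reuses the nonce behind r1 in TX-A1 and TX-A3.
R1, R2, R3 = _fake_scalar("nonce-1"), _fake_scalar("nonce-2"), _fake_scalar("nonce-3")
SAMPLE = [
    {"account": "rVictimExampleA", "tx": "TX-A1", "sig": der_encode(R1, _fake_scalar("s-a1"))},
    {"account": "rVictimExampleA", "tx": "TX-A2", "sig": der_encode(R2, _fake_scalar("s-a2"))},
    {"account": "rVictimExampleA", "tx": "TX-A3", "sig": der_encode(R1, _fake_scalar("s-a3"))},
    {"account": "rVictimExampleB", "tx": "TX-B1", "sig": der_encode(R3, _fake_scalar("s-b1"))},
    {"account": "rVictimExampleB", "tx": "TX-B2", "sig": der_encode(R1, _fake_scalar("s-b2"))},
]

if __name__ == "__main__":
    for acct, r, txs in find_nonce_reuse(SAMPLE):
        print(f"{acct}: r={r:064x} reused in {txs}")
```

Note what the scan cannot do: incremental nonces (scenario 4) do not repeat r, so they are invisible to this check; only a distinct r per signature can be confirmed, not that the nonces were generated safely. The XRP Ledger's Ed25519 accounts are outside the scope of the check, since Ed25519 derives its nonce deterministically.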
5. RippleTrade migration
Since most victim accounts are older than December 2017, and many carry a RippleTrade username, bad practice in handling the migration of user accounts could explain how access to the accounts was obtained. However, not all victim accounts appear to be old RippleTrade accounts, so this is also unlikely.
6. Browser client hacking
While it is possible to retrieve user information by exploiting a vulnerability in the Gatehub.net API, we find it improbable that this is the cause of the attacks. The victims are spread globally, and any such attack would most likely have to be carried out by sniffing access on a shared WiFi network.
7. Old database leak
Since Gatehub.net is a hosted wallet provider, they store encrypted private keys. It is possible that an unknown database leak in the past has been exploited, with the private keys brute forced offline until the offender had recovered enough of them for the retrievable funds to be worth cashing out.
Services used to cash out (not complicit)
We have identified some of the largest recipients (rounded figures):
- changelly.com: 6,000,000 XRP
- changenow.io: 3,250,000 XRP
- kucoin.com: 1,500,000 XRP
- huobi.com: 930,000 XRP
- exmo.me: 135,000 XRP
- hitbtc.com: 115,000 XRP
- binance.com: 110,000 XRP
- alfacashier.com: 50,000 XRP
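The recipient figures above come from following the stolen funds hop by hop on the public ledger until they land at an exchange deposit address, and summing what arrives at each exchange. The following is an added example of that tracing step, not code from the report: it walks a constructed list of XRP Payment transactions from a set of suspect accounts, follows outgoing payments only after tainted funds arrived at an account, stops at addresses tagged as exchange deposits (the exchanges being recipients, not parties to follow further), and totals the amounts per exchange. The account names, ledger indices, amounts and exchange tags are all constructed; the real investigation would feed it transactions pulled from a rippled or Data API node.

```python
"""Trace stolen XRP from suspect accounts to exchange deposit addresses.

Added example, not part of the original report. Simple breadth-first taint
tracing over a payment list: an account's outgoing payments count as tainted
only from the ledger index at which tainted funds first reached it, and the
walk stops at known exchange deposit addresses. All data below is constructed.
"""
from collections import defaultdict, deque

# Constructed payments: (ledger_index, source, destination, amount in XRP).
PAYMENTS = [
    (100, "rVictimExample", "rSuspectExample1", 10_000),  # the theft itself
    (101, "rSuspectExample1", "rHopExample1", 6_000),
    (102, "rSuspectExample1", "rExchADeposit", 4_000),
    (103, "rHopExample1", "rExchBDeposit", 5_000),
    (104, "rHopExample1", "rHopExample2", 1_000),
    (99, "rHopExample2", "rExchADeposit", 700),           # before taint arrived: ignored
    (105, "rHopExample2", "rExchADeposit", 1_000),
]

# Constructed exchange tags; in practice these come from deposit-address attribution.
EXCHANGE_ADDRESSES = {
    "rExchADeposit": "exchange-a.example",
    "rExchBDeposit": "exchange-b.example",
}


def trace_to_exchanges(payments, seeds, exchange_addresses):
    """Return (totals per exchange label, set of intermediary accounts traversed).

    payments: iterable of (ledger_index, src, dst, amount); seeds: suspect accounts
    whose outflows are tainted from the start. Funds reaching an exchange are
    summed and not followed further; every other destination is queued and its
    later outflows followed in turn.
    """
    by_source = defaultdict(list)
    for ledger, src, dst, amount in sorted(payments):
        by_source[src].append((ledger, dst, amount))

    first_tainted = {acct: 0 for acct in seeds}   # ledger index taint reached the account
    totals = defaultdict(int)
    intermediaries = set()
    queue = deque(seeds)
    while queue:
        acct = queue.popleft()
        for ledger, dst, amount in by_source[acct]:
            if ledger < first_tainted[acct]:
                continue                            # outflow predates the tainted inflow
            if dst in exchange_addresses:
                totals[exchange_addresses[dst]] += amount
            elif dst not in first_tainted:
                first_tainted[dst] = ledger
                intermediaries.add(dst)
                queue.append(dst)
    return dict(totals), intermediaries


def largest_recipients(totals):
    """Rank exchange labels by XRP received, the shape of the list in the report."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    totals, hops = trace_to_exchanges(PAYMENTS, {"rSuspectExample1"}, EXCHANGE_ADDRESSES)
    for label, amount in largest_recipients(totals):
        print(f"- {label}: {amount:,} XRP")
    print("intermediary accounts:", sorted(hops))
```

The taint rule here is deliberately coarse: once tainted funds reach an intermediary, all of its later outflows are counted, so an account that mixes its own funds with the stolen ones is over-counted. That is why figures produced this way are reported rounded and as upper bounds, and why each exchange hop is confirmed with the exchange rather than inferred from the ledger alone. Amounts are kept in whole XRP for readability; ledger data reports them in drops (1 XRP = 1,000,000 drops).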
A theft involving victims in many countries has to be handled through law enforcement in each of those countries. We strongly advise victims to file a complaint with the relevant authorities in their own jurisdiction.
We are trying to get in touch with as many victims as possible; please reach out to us at firstname.lastname@example.org.