On January 14, 2019, the New Zealand-based cryptocurrency exchange Cryptopia was hacked, marking the first time this year a cryptocurrency exchange has been hacked. Following the data breach, New Zealand authorities have been conducting an investigation, and the general public has been largely kept in the dark.
So Many Questions, So Few Answers… Until Now
No one knew how the theft took place, how much was lost, or the current status of the stolen funds.
However, while everyone was wondering these things, the Elementus data company used their Elementus query engine to analyze the public database that is the Ethereum blockchain.
What Elementus discovered is quite shocking. Among other findings: the dollar value of the lost funds far exceeded what was initially thought, the type of hack was highly unusual, and the length of time the hackers had to carry it out is striking.
If anyone is inclined to verify these conclusions for themselves, Elementus posted the raw data used in their analysis online.
An Estimated $16 Million in Ethereum (ETH) and ERC-20 Tokens Stolen
The Elementus report notes that these funds only include what could be found on the Ethereum blockchain. The data company did not analyze the Bitcoin blockchain or any other blockchains to see if funds were stolen there as well.
The breakdown of assets stolen from largest to smallest can be seen below:
Where Are the Stolen Funds Now?
The hackers have been moving the funds around in small pieces, trying to sell them on various exchanges.
As for the vast majority of remaining funds that haven’t been sent to exchanges, they remain in 2 wallets controlled by the hackers.
Why Was This Hack Unusual and How Was It Carried Out?
As mentioned earlier, the Cryptopia hack is highly unusual.
In most cases when an exchange is hacked, it is hacked due to smart contract exploits in which a vulnerability in the code is exploited to steal funds. This type of hack was seen in the Parity, the DAO, and SpankChain hacks.
Another popular type of hack is via unauthorized access to credentials in which someone inside or outside of the company gains access to a wallet’s private keys. This type of hack was seen in the Coinrail, Tether, and Gatecoin hacks.
As explained by Elementus, the Cryptopia hack differs from the hacks mentioned above in 2 ways, the first being:
The funds were taken from more than 76k different wallets, none of which were smart contracts. The thieves must have gained access to not one private key, but thousands of them.
The second way it differs is because the hack continued for nearly 5 days after Cryptopia noticed the breach:
After Cryptopia discovered the hack, they watched the funds continue to flow out of their wallets for four more days, seemingly powerless to stop it. As these wallets were not smart contracts, there should have been no technical complications preventing Cryptopia from securing the funds.
The only plausible explanation for Cryptopia’s inaction is that they no longer had access to their own wallets.
Elementus therefore concludes that the only possible explanation is that Cryptopia stored its private keys on a single server with no redundancy: the thieves gained access to that server, downloaded the private keys, and then deleted them, leaving Cryptopia locked out of its own wallets.
Cryptopia’s funds and wallets have already been compromised, and the stolen funds are now in the hackers’ possession. The only thing left to do is to inform all Cryptopia users, make sure they are aware of the situation, and ensure they do not deposit any more funds into the compromised wallets.
The next thing to be done is for crypto exchanges to block all of the illicit funds being sent to them, which Binance has already started doing. After all, everything is stored on the public blockchain and we know exactly where the stolen funds are and can track them wherever they go.
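The two technical observations above, thousands of ordinary (non-contract) wallets draining into a few thief-controlled addresses, and the ability to follow the stolen funds across the public ledger to the exchanges that receive them, both reduce to graph queries over transfer records. The following Python script is an added example written for this page; it is not Elementus's query engine nor any exchange's screening code. The addresses, transfers, seed wallets and hop threshold are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One token movement as it would be read from the public ledger."""
    tx: str
    sender: str
    receiver: str
    token: str
    amount: float


# Constructed sample ledger with hypothetical addresses; not real on-chain data.
SAMPLE_TRANSFERS = [
    # Many distinct non-contract wallets emptied into one thief wallet (the pattern described above).
    *[Transfer(f"drain{i:02d}", f"0xVICTIM_{i:02d}", "0xTHIEF_A", "ETH", 1.0) for i in range(5)],
    Transfer("tx02", "0xTHIEF_A", "0xHOP_1", "ETH", 10.0),
    Transfer("tx03", "0xHOP_1", "0xHOP_2", "ETH", 5.0),
    Transfer("tx04", "0xHOP_2", "0xEXCH_DEP_1", "ETH", 5.0),        # 3 hops from the thief
    Transfer("tx05", "0xTHIEF_B", "0xEXCH_DEP_1", "DENT", 1000.0),  # direct deposit, 1 hop
    Transfer("tx06", "0xALICE", "0xEXCH_DEP_1", "ETH", 2.0),        # unrelated customer
    Transfer("tx07", "0xEXCH_DEP_1", "0xBOB", "ETH", 1.0),          # exchange payout, not a laundering hop
    Transfer("tx08", "0xTHIEF_A", "0xFAR_1", "ETH", 1.0),
    Transfer("tx09", "0xFAR_1", "0xFAR_2", "ETH", 1.0),
    Transfer("tx10", "0xFAR_2", "0xFAR_3", "ETH", 1.0),
    Transfer("tx11", "0xFAR_3", "0xEXCH_DEP_2", "ETH", 1.0),        # 4 hops from the thief
]
SEED_WALLETS = {"0xTHIEF_A", "0xTHIEF_B"}                      # hypothetical thief wallets
EXCHANGE_DEPOSIT_ADDRESSES = {"0xEXCH_DEP_1", "0xEXCH_DEP_2"}  # hypothetical exchange wallets


def find_sweep_destinations(transfers, min_distinct_senders, exclude=frozenset()):
    """Flag receivers collecting funds from an unusually large number of distinct
    senders. Ordinary wallets emptying into a few addresses is the signature of
    mass private-key compromise rather than of a smart-contract exploit.
    Known high-volume receivers (exchange deposit wallets) are excluded."""
    senders_by_receiver = defaultdict(set)
    for t in transfers:
        if t.receiver not in exclude:
            senders_by_receiver[t.receiver].add(t.sender)
    return {r: len(s) for r, s in senders_by_receiver.items() if len(s) >= min_distinct_senders}


def trace_taint(transfers, seeds, stop_at, max_hops):
    """Breadth-first walk forward from the seed wallets. Returns {address: hops},
    the minimum number of transfers separating each reached address from a seed.
    Addresses in stop_at (exchange deposit wallets) are recorded but not expanded,
    so an exchange's own payouts do not inherit the taint."""
    out_edges = defaultdict(set)
    for t in transfers:
        out_edges[t.sender].add(t.receiver)
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if addr in stop_at or hops[addr] >= max_hops:
            continue
        for nxt in out_edges[addr]:
            if nxt not in hops:
                hops[nxt] = hops[addr] + 1
                queue.append(nxt)
    return hops


def flag_tainted_deposits(transfers, hops, exchange_addresses, max_hops):
    """Return incoming exchange deposits whose funds sit within max_hops of a seed
    wallet, with their hop distance, so the exchange can hold them for review
    before they are traded or withdrawn."""
    flagged = []
    for t in transfers:
        if t.receiver in exchange_addresses and t.sender in hops:
            distance = hops[t.sender] + 1
            if distance <= max_hops:
                flagged.append({"tx": t.tx, "sender": t.sender, "token": t.token,
                                "amount": t.amount, "hops_from_seed": distance})
    return sorted(flagged, key=lambda f: f["tx"])


def screen(transfers=SAMPLE_TRANSFERS, max_hops=3):
    """Run both checks over a ledger and return the results together."""
    sweeps = find_sweep_destinations(transfers, min_distinct_senders=4,
                                     exclude=EXCHANGE_DEPOSIT_ADDRESSES)
    hops = trace_taint(transfers, SEED_WALLETS, EXCHANGE_DEPOSIT_ADDRESSES, max_hops)
    deposits = flag_tainted_deposits(transfers, hops, EXCHANGE_DEPOSIT_ADDRESSES, max_hops)
    return {"sweep_destinations": sweeps, "tainted_hops": hops, "flagged_deposits": deposits}


if __name__ == "__main__":
    result = screen()
    print("mass-sweep destinations:", result["sweep_destinations"])
    for d in result["flagged_deposits"]:
        print(f"hold {d['tx']}: {d['amount']} {d['token']} from {d['sender']} "
              f"({d['hops_from_seed']} hops from a thief wallet)")
```

The hop limit is the tuning knob: too small and funds that were split and bounced a few times slip through, too large and the taint spreads to unrelated addresses that merely transacted with an intermediary. Stopping the walk at the exchange's own deposit wallets matters for the same reason, since otherwise every customer the exchange pays out to would be marked. Screening deposits is the downstream control; the upstream one that the analysis above points at is key custody, keeping signing keys in a separate signer with an offline backup so that compromising one server neither exposes nor destroys them.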
What do you think will happen to the $16 million worth of stolen funds? Will exchanges continue to freeze them as they come in? Or will the hackers find a way to anonymize the funds and sell them? Let us know what you think in the comment section below.