Hack Track: XT.com Flow of Funds Analysis
Aaron Ratcliff
On November 28, 2024, a blockchain analytics company shared that one of their community members had drawn attention to what appeared to be a ~$1.7 million hack of cryptocurrency exchange XT.com.
XT.com subsequently halted withdrawals for its 7.8 million users, but stopped short of calling the problem a hack. It deemed the issue an “abnormal transfer of platform wallet assets.”
Upon further investigation through Merkle Science’s Tracker tool over the last two weeks, we speculate that the XT.com hack may have been caused by an internal breach. The general movement of funds took place as follows:
- From the XT.com wallet, the hacker moved the funds to an intermediate wallet and then swapped the tokens into liquid tokens (more suitable for cross-chain bridges).
- The hacker then engaged in chain hopping by bridging the funds across both the Optimism Bridge and the Polygon Bridge into Ethereum.
- The funds are now parked at a single address, held mostly in ETH, with a total wallet balance of about $1.9 million.
Hack Analysis and Anomalies
There are several anomalies in the XT.com hack that point to a possible internal breach.
First, the likelihood that the hack was done by a sophisticated third party, like the Lazarus Group, is low. The total stolen amount of about $1.7 million would be relatively small for a criminal organization like Lazarus, which routinely steals in the tens and hundreds of millions in a single hack. Furthermore, a criminal organization like the Lazarus Group would have used much more complex obfuscation and evasion than the hacker did here.
Other anomalies of the XT.com hack include:
- Odd Selection of Coins - Some of the stolen funds included balances in coins that are rarely targeted for theft, such as FLOKI and MAGA. These coins were stolen despite the fact that the wallet had more commonly used currencies, such as ETH on Optimism or USDT on Arbitrum, that were untouched or partially intact. This fact suggests that the hacker wanted to avoid detection from blockchain analytics tools or online sleuths more focused on the movement of popular coins.
- Incomplete Theft of Wallet - When a criminal organization hacks a wallet, they typically take everything or close to everything. In this case, as mentioned, the XT.com wallet still had many other tokens untouched. This fact could indicate the deliberate targeting of less popular coins to minimize visibility, or the possibility that the actor was interrupted during the theft. For example, after the blockchain analytics company announced the possible hack, the actor may have been spooked by the wellspring of online chatter and decided to stop. There was substantial buzz around the XT.com hack as it was the first major hack after a short lull in such incidents.
- Continued Use of the Wallet - If a hot wallet has indeed been compromised by theft or loss of private keys, it would be common sense for the exchange to move the remaining funds to a different, secure wallet. Otherwise, the hacker could return to drain the remaining funds from the compromised wallet. Instead of migrating the funds, however, XT.com has continued to use the wallet that saw the “abnormal transfer of platform wallet assets” for business operations. The apparent lack of concern that an external hacker could return to steal again suggests that XT.com knows there is no such party.
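The three anomalies above can be encoded as triage heuristics over before/after wallet snapshots. The script below is an added example, not code from the original post and not Merkle Science's Tracker; the balances, the post-incident ledger, the "major asset" list and the thresholds are all constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed, illustrative USD balances per token@chain; NOT XT.com's real figures.
BEFORE: Dict[str, int] = {
    "FLOKI@ethereum": 700_000, "MAGA@ethereum": 600_000, "SHIB@ethereum": 500_000,
    "ETH@optimism": 900_000, "USDT@arbitrum": 1_200_000,
}
AFTER: Dict[str, int] = {
    "FLOKI@ethereum": 0, "MAGA@ethereum": 0, "SHIB@ethereum": 100_000,
    "ETH@optimism": 900_000, "USDT@arbitrum": 1_150_000,
}
# Assumed set of "popular" assets a financially motivated thief would normally drain first.
MAJOR = {"ETH", "USDT", "USDC", "WBTC"}
# Constructed post-incident ledger for the same wallet: (block, direction, usd_value).
POST_INCIDENT_TX: List[Tuple[int, str, int]] = [
    (101, "out", 40_000), (103, "in", 25_000), (107, "out", 60_000), (110, "out", 15_000),
]


def symbol(key: str) -> str:
    """'FLOKI@ethereum' -> 'FLOKI'."""
    return key.split("@")[0]


def drained_share(before: Dict[str, int], after: Dict[str, int]) -> float:
    """Fraction of the wallet's total pre-incident value that was removed."""
    total = sum(before.values())
    return (total - sum(after.values())) / total


def major_retained_share(before: Dict[str, int], after: Dict[str, int]) -> float:
    """Fraction of major-asset value still sitting in the wallet afterwards."""
    b = sum(v for k, v in before.items() if symbol(k) in MAJOR)
    a = sum(v for k, v in after.items() if symbol(k) in MAJOR)
    return a / b if b else 1.0


def insider_indicators(before, after, post_tx, min_ops: int = 3) -> List[str]:
    """Return the names of the anomaly heuristics that fire (thresholds are assumptions)."""
    hits: List[str] = []
    drained = drained_share(before, after)
    # Odd coin selection: a real drain took place, yet major assets were left almost intact.
    if drained > 0.2 and major_retained_share(before, after) >= 0.9:
        hits.append("odd_coin_selection")
    # Incomplete theft: a meaningful but partial share of the wallet was taken.
    if 0.1 < drained < 0.8:
        hits.append("incomplete_theft")
    # Continued use: the exchange keeps sending from the "compromised" wallet afterwards.
    if sum(1 for _, direction, _ in post_tx if direction == "out") >= min_ops:
        hits.append("continued_use_of_wallet")
    return hits
```

On the constructed snapshot all three indicators fire, whereas a full drain with no subsequent activity from the wallet fires none.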
Founded in 2018, XT.com is registered in Seychelles, Europe. After its initial statement that their exchange is secure and that they hold 1.5 times the amount of user funds in reserve, XT.com has been relatively mum on the incident.
Key Takeaways
In crypto, threats can come as often from internal sources as from external ones. Crypto organizations need to know who they are doing business with, a task that they can accomplish through a tool like Merkle Science’s Know Your Blockchain Business.
Chain hopping has become a ubiquitous laundering technique, so crypto businesses must prioritize tools that support multiple chains. Tracker notably provides support for Optimism, Arbitrum, and Ethereum, the three chains used in the XT.com laundering trail.
With the XT.com funds now sitting idle in the hacker’s wallet, crypto investigators must be able to continuously monitor it. With Tracker, they will be informed when there is further activity, so that they can respond with greater speed.
To learn more about Tracker, contact Merkle Science for a free demo.