
Hack Track: AscendEX Attack Recent Fund Movement Analysis

[Update 2022.02.18]

On December 11, 2021, attackers stole $71.25 million from cryptocurrency exchange AscendEX. The attackers discovered a vulnerability in AscendEX’s hot wallet, which allowed them to access and transfer tokens hosted over the Ethereum, Binance Smart Chain, Polygon, Litecoin, and Bitcoin Cash blockchains.

According to Merkle Science’s on-chain analysis, on February 18, 2022, stolen ERC20 tokens were swapped from the attacker’s wallet 0x70dcf33ca09bd87bb2a301280331406ebd32c8a0 into ETH using the well-known decentralized exchange Uniswap. The following ERC20 tokens were transferred: MAP, REVV, MATIC, ROUTE, Huobi Token (HT), RioDEFI (RFuel), and PLOT. The transfer was done in 74 transactions.

The attacker received 512.2 ETH, worth around $1.46 million, in return. The attacker then sent the 512.2 ETH to the wallet 0x73326b6764187b7176ed3c00109ddc1e6264eb8b. This wallet had previously received 1,899 ETH (approximately $8 million) from address 0x70dcf33ca09bd87bb2a301280331406ebd32c8a0 on December 21, 2021, bringing the current wallet balance to 2,459 ETH. The funds haven’t moved out of this wallet yet.

Additionally, on December 20, 2021, 9 days after the hack, cryptoassets amounting to $21.2 million were transferred from the attacker's main address 0x2c6900b24221de2b4a45c8c89482fff96ffb7e55 to a prominent crypto exchange indirectly, using multiple hops.

                 

 


On December 11, 2021, cryptocurrency exchange AscendEX (formerly known as Bitmax) confirmed that it had suffered a security breach. AscendEX reportedly suffered a loss of $77.7 million, as the attackers discovered a vulnerability in AscendEX’s hot wallet, which allowed them to access and transfer tokens hosted over the Ethereum, Binance Smart Chain, Polygon, Litecoin, and Bitcoin Cash blockchains. This news comes shortly after the BitMart hack, wherein the attackers stole nearly $200 million worth of assets from BitMart’s Ethereum and Binance Smart Chain hot wallets. BitMart later revealed that the hack was due to stolen private keys and promised to use its own funding to repay its users.

Of late, hot wallet attacks have been on the rise. Hot wallets are connected to the internet and are used by crypto exchanges to enable quick cryptocurrency transactions between the owners and the end-users. Unlike cold wallets, hot wallets are accessible from the internet, which makes them more vulnerable to hacks. All wallets contain a set of private keys, without which access to one’s cryptocurrency is lost. A custodial hot wallet, like the ones involved in the BitMart hack, is a type of hot wallet where the crypto exchange has access to the private keys. With attacks on hot wallets on the rise, crypto exchanges should have robust custody and security features in place to protect users' funds. Crypto exchanges can adopt measures such as using two-factor authentication to execute transactions and conducting smart contract audits to secure user funds. Further, exchanges with insufficient blockchain monitoring processes are most vulnerable to attacks. Blockchain analytics solutions like Merkle Science allow crypto exchanges to detect illicit activity beyond the blacklists and catch suspicious activity that they might otherwise have missed.

With the rapid rise in global crypto hacking incidents, increased regulatory scrutiny aimed at preventing crypto-related attacks and enhanced security measures have become the need of the hour. On December 2, 2021, in his remarks before the Investor Advisory Committee, SEC Chairman Gary Gensler once again called for increased oversight over crypto, calling it an asset class “rife with fraud, scams, and abuse.” He called on crypto exchanges to register with the SEC, citing investor concerns, and stated that “To the extent, there are challenges about how to register or come into compliance, we’d like to hear what those are. The staff is standing by, ready to better understand if any bespoke adjustments may be appropriate.”

What Happened? 

On December 11, 2021, AscendEX identified a number of unauthorized transfers from one of its hot wallets. AscendEX quickly acknowledged the attack on its Twitter account, proactively warned users about the stolen funds, and ran a series of procedures to safeguard its cold wallets. AscendEX neither disclosed how the tokens were transferred nor confirmed the exact worth of the tokens stolen by the attacker.

AscendEX shared the wallet addresses into which the attackers transferred the stolen assets:

    • ERC20: 0x2c6900b24221de2b4a45c8c89482fff96ffb7e55
    • Polygon: 0x2c6900b24221de2b4a45c8c89482fff96ffb7e55
    • BSC: 0x2c6900b24221de2b4a45c8c89482fff96ffb7e55
    • LTC: LSvQWLf2kGm7UdXtwKvNj4GU1B4xKWUQXR
    • BCH: qp2x5rnn2fkraxcp4hr6suqmnpdehfaaaqn3tv6jke

AscendEX then announced its four-fold approach to the matter. Firstly, AscendEX assured its users that all the unimpacted assets were securely transferred to cold wallets and that only a small percentage of total exchange assets were impacted in the hack. AscendEX also promised to reimburse all the users who had suffered a loss due to the attack.

Secondly, AscendEX stated that it is working alongside blockchain analytics firms and law enforcement to monitor the transferred assets. AscendEX is also working closely with other centralized agencies to blacklist the wallets associated with the incident. Thirdly, AscendEX also reported that small projects have been affected by this hack. AscendEX is working with these projects to mitigate any potential damage. It is encouraging the impacted projects to freeze token transfers and to explore the possibility of reissuing tokens to their users. Lastly, after the hack, AscendEX disabled all deposits and withdrawals as a security measure. In its security incident update, AscendEX stated that it will resume its deposit and withdrawal service on December 15, 2021, starting with Ethereum.

On December 16, 2021, after an internal audit, AscendEX announced that it has identified and analyzed the root cause of the breach. To ensure the safety of users’ funds in the future, AscendEX has deployed an entirely new hot wallet infrastructure. Further, AscendEX highlighted that no legacy infrastructure or hardware was reused in the creation of the new hot wallet infrastructure. Accordingly, each account has been assigned new deposit addresses for each network. Deposits must be made to the newly assigned addresses in order to be credited. AscendEX claims that the “new system leverages industry-leading security controls to protect against any single point of failure at the human, process, and workflow levels.”

Merkle Science’s On-Chain Analysis

According to Merkle Science’s On-Chain Analysis, the attackers stole $71.25 million from AscendEX’s hot wallet (0x986a2fca9eda0e06fbf7839b89bfc006ee2a23dd - H).

Ethereum Blockchain Analysis

On Ethereum Blockchain, the attacker stole 78 types of tokens including ETH. Please refer to Table 1 for the full list of tokens stolen and their respective amounts. A total of $55.76 million worth of crypto was stolen from the Ethereum blockchain.

On December 11, 2021, 1,140 ETH ($5.76 million) was stolen from AscendEX’s hot wallet (0x986a2fca9eda0e06fbf7839b89bfc006ee2a23dd - H) and transferred to the attackers’ wallet (0x2c6900b24221de2b4a45c8c89482fff96ffb7e55 - H1). Following this, around 46.76 ETH ($188,892.30) worth of stolen ERC-20 tokens were converted into Ether in H1 using the well-known decentralized exchange (DEX) aggregator 1inch.

Further, approximately 72.19 ETH ($291,591.19) worth of stolen WBTC (an ERC-20 token) was converted into Ether in H1 using the Curve.fi router, an automated market maker protocol.

On December 13, 2021, around 1,528.56 ETH ($5.89 million) was transferred from the AscendEX attackers’ main wallet address H1 (mentioned above) to an unidentified wallet (0x9eee6862b78fb6f9627d7d5a908d2114814fcecd - H2). It is highly probable that H2 is the second wallet of the attackers, as it received more than 97% of the incoming ETH from H1.

Approximately 444.75 ETH ($1.54 million) worth of stolen ERC-20 tokens that H2 received from H1 were converted into Ether via the DEXs 1inch and Paraswap. Of the 1,973.31 ETH sitting in H2, 1,900 ETH ($7.32 million) was transferred to an unidentified wallet (0x5629d0f06a984dab5f062aa8bb0eab75b94e7bf6 - H3) on December 13, 2021. H3 is most likely the third wallet of the attackers, as it received almost all of its incoming funds from H2. As of December 13, 2021, funds from address H3 haven’t moved out.
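The dominant-funder reasoning used above to link H2 and H3 to the attackers, generalized to multi-hop tracing from a seed address, as an added example that is not Merkle Science's code or methodology. The ledger is constructed, the 0.9 threshold is an assumption, and DEX, EXCH and USER* are hypothetical nodes; only the labels H, H1, H2 and H3 come from the article.

```python
# Constructed sample ledger (sender, receiver, amount in ETH); not real chain data.
# H, H1..H3 reuse the article's labels; DEX, EXCH and USER* are hypothetical nodes.
TRANSFERS = [
    ("H", "H1", 1000.0),      # theft from the hot wallet
    ("DEX", "H1", 100.0),     # swap proceeds credited by a DEX router
    ("H1", "H2", 980.0),
    ("USER1", "H2", 20.0),    # unrelated inbound dust
    ("H2", "H3", 950.0),
    ("H3", "EXCH", 300.0),    # deposit to a busy, shared exchange address
    ("USER2", "EXCH", 4000.0),
    ("USER3", "EXCH", 5000.0),
]

def inbound_share(transfers, address, sources):
    """Fraction of `address`'s total inbound value sent by addresses in `sources`."""
    total = sum(a for _, dst, a in transfers if dst == address)
    tainted = sum(a for src, dst, a in transfers
                  if dst == address and src in sources)
    return tainted / total if total else 0.0

def expand_cluster(transfers, seeds, threshold=0.9):
    """Grow the seed set hop by hop with the dominant-funder heuristic.

    A receiver joins the cluster when at least `threshold` (assumed value) of
    its inbound value comes from addresses already in the cluster. Returns
    (cluster, exits): exits maps receivers funded by the cluster but below the
    threshold, such as shared exchange addresses, to their tainted share.
    """
    cluster, exits = set(seeds), {}
    changed = True
    while changed:                      # repeat until no new address qualifies
        changed = False
        for src, dst, _ in transfers:
            if src not in cluster or dst in cluster:
                continue
            share = inbound_share(transfers, dst, cluster)
            if share >= threshold:
                cluster.add(dst)
                exits.pop(dst, None)    # promoted from exit to cluster member
                changed = True
            else:
                exits[dst] = round(share, 4)
    return cluster, exits

if __name__ == "__main__":
    cluster, exits = expand_cluster(TRANSFERS, seeds={"H1"})
    print(sorted(cluster), exits)
```

The exit points are where a blacklist of cluster addresses alone stops being useful: the exchange address is not attacker-controlled, but the deposits into it from the cluster are what monitoring should alert on.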

 

Image 1: Ethereum on-chain flow of funds with corresponding steps



Binance Smart Chain Blockchain Analysis

On Binance Smart Chain Blockchain, the attackers stole a total of 9 token types including BNB. Please refer to Table 2 for the full list of tokens stolen from the BNB blockchain and their respective amounts. In total, $3.46 million worth of crypto was stolen from the Binance Smart Chain blockchain.

A total of 1,568.2 BNB ($884,771.80) was stolen from AscendEX’s hot wallet (0x986a2fca9eda0e06fbf7839b89bfc006ee2a23dd) and transferred to the attackers’ main wallet H1. Following this, 1568.10 BNB was transferred from address H1 to address H2. 1570.04 BNB was then transferred from address H2 to H4 (0x70dcf33ca09bd87bb2a301280331406ebd32c8a0). As of December 13, 2021, funds from H4 haven’t moved out yet.

Polygon Blockchain Analysis

Only 1 type of token — BNB — was stolen from the Polygon blockchain. A total of $8.73 million worth of crypto was stolen from the Polygon blockchain.

On December 11, 2021, 3,749,500 MATIC ($8.02 million) was stolen from AscendEX’s hot wallet (0x986a2fca9eda0e06fbf7839b89bfc006ee2a23dd) and transferred to the attackers’ wallet H1. All the funds from H1 were transferred to H2. Thereafter, 1,100 MATIC was transferred from H2 to AscendEX’s hot wallet (0x986a2fca9eda0e06fbf7839b89bfc006ee2a23dd) and 3,748,398.99 MATIC was sent from H2 to address H4.

Litecoin and Bitcoin Cash Transfers

Additionally, $2.1 million worth of Litecoin (LTC) was stolen from AscendEX-controlled wallets and transferred to the attackers' wallet (LSvQWLf2kGm7UdXtwKvNj4GU1B4xKWUQXR - H5). $1.2 million worth of Bitcoin Cash (BCH) was also transferred from AscendEX-controlled wallets to the attackers' address (qp2x5rnn2fkraxcp4hr6suqmnpdehfaaaqn3tv6jke - H6).

Table 1: Full list of tokens stolen from Ethereum Blockchain and their respective amounts

| Token Symbol | Token Value (USD) |
|---|---|
| TARA | $730,781.55 |
| USDT | $5,730,895.63 |
| USDC | $5,057,896.56 |
| UOS | $3,426,108.28 |
| FTM | $2,627,197.00 |
| ZIG | $1,823,843.74 |
| ORN | $1,592,964.58 |
| WOO | $1,234,960.81 |
| PAX | $1,206,442.32 |
| OXY | $1,157,936.61 |
| COTI | $984,148.91 |
| GTH | $920,320.84 |
| MIX | $896,703.57 |
| CUDOS | $758,954.74 |
| MATIC | $702,883.80 |
| XCAD | $657,979.55 |
| CAPS | $658,274.79 |
| TVK | $655,353.54 |
| eXRD | $598,504.19 |
| LIME | $560,129.24 |
| PRXY | $583,842.39 |
| SRM | $608,797.20 |
| FWT | $612,250.28 |
| LINA | $619,814.87 |
| HT | $583,990.26 |
| FRM | $538,028.87 |
| STAKE | $541,071.01 |
| FTX Token | $522,587.05 |
| YLD | $433,292.34 |
| CRO | $479,423.49 |
| LTO | $443,912.65 |
| DAFI | $410,073.68 |
| UNI | $431,825.66 |
| LKR | $402,878.24 |
| KEX | $393,519.77 |
| BYN | $385,172.29 |
| PLU | $355,236.71 |
| ROUTE | $354,747.90 |
| REVV | $358,425.09 |
| GEEQ | $370,392.25 |
| CWS | $353,183.80 |
| DEC | $360,722.78 |
| LINK | $358,973.43 |
| CNFI | $328,969.26 |
| ZRX | $324,378.86 |
| UMB | $321,927.16 |
| SWAP | $319,424.35 |
| CHR | $333,981.01 |
| 1INCH | $316,573.42 |
| DOS | $313,334.89 |
| WBTC | $293,938.92 |
| CELR | $264,224.46 |
| OM | $268,362.71 |
| ELF | $265,535.09 |
| MARSH | $268,846.85 |
| OIN | $255,468.76 |
| BAT | $252,356.82 |
| MAPS | $232,110.26 |
| PTF | $233,998.91 |
| AKRO | $230,553.02 |
| UFT | $219,964.86 |
| BOND | $211,698.67 |
| CRV | $220,063.26 |
| XEND | $212,855.12 |
| RFuel | $202,043.23 |
| MAHA | $193,330.89 |
| OKB | $209,160.36 |
| OMG | $169,298.14 |
| DIA | $166,866.48 |
| STOS | $159,163.82 |
| SHIB | $146,639.00 |
| PLOT | $134,213.30 |
| GRT | $100,690.34 |
| AAVE | $85,828.07 |
| COMP | $76,847.26 |
| AXS | $71,341.26 |
| FET | $69,672.18 |
| ETH | $5,765,038.80 |
| Total | $55,723,142.05 |

 

Table 2: Full list of tokens stolen from Binance Blockchain and their respective amounts

| Token Symbol | Token Value (USD) |
|---|---|
| BEM | $923,388.94 |
| AVAX | $719,431.02 |
| FINE | $413,961.28 |
| JulD | $215,250.88 |
| Cake | $67,849.45 |
| C98 | $172,158.03 |
| NEAR | $69,528.10 |
| BNB | $884,771.80 |
| Total | $3,466,339.50 |

 

Table 3: Full list of tokens stolen from Polygon Blockchain and their respective amounts

| Token Symbol | Token Value (USD) |
|---|---|
| ROUTE | $709,212.70 |
| MATIC | $8,023,930.00 |
| Total | $8,733,142.70 |