
Hack Track: Analysis of the Bilaxy Hack

On 29 August 2021, Bilaxy, a Seychelles-based centralized crypto exchange, released a statement on Twitter informing its users that its hot wallets had been hacked. Additionally, Bilaxy advised its users not to deposit any funds into Bilaxy accounts until further notice. All the values in this piece are in US Dollars (USD). This news comes shortly after the Liquid Global Official Hack, wherein a security breach allowed the attacker to steal around $91 million in cryptocurrency from Liquid’s warm wallets.

With a rapid increase in global cryptocurrency hacking incidents, increased regulatory oversight and enhanced security measures have become ever more urgent. As an article from AMBCrypto noted, “while exchanges may use two-factor authentication (2FA) to execute transactions, it is not enough, as the attackers may exploit weaknesses in other layers of the protocol to execute an attack.” Since hot wallets are connected to the internet, they are most vulnerable to such attacks. Hot wallets are used by crypto exchanges to enable quick cryptocurrency transactions between the owners and the end-user.

Further, exchanges with insufficient blockchain monitoring processes are most vulnerable to attacks. Blockchain analytics solutions like Merkle Science allow crypto exchanges to detect illicit activity beyond the blacklists and catch undetected suspicious activity that they might have missed.

In its first government-wide list of priorities for anti-money laundering and countering the financing of terrorism, the Financial Crimes Enforcement Network (FinCEN) made virtual currency considerations one of the top priorities. FinCEN also issued a warning, noting that in cases of hacks, criminals may leverage tools such as mixers and tumblers in order to break the connection between the sender address and the receiver address.

What Happened?

On 30 August 2021, Bilaxy published a detailed update on its Bilaxy Official Announcement Channel. As per the update, Bilaxy’s Ethereum (ERC20) hot wallet 0xCCE8D59AFFdd93be338FC77FA0A298C2CB65Da59 suffered a serious hack between 18:00 and 19:00, 28 August (UTC time). Approximately 295 ERC20 tokens were transferred by the hacker to the address 0xA14d5DA3C6BF2D9304FE6D4BC6942395b4dE048b. The Bilaxy team also linked the data prepared by Etherscan, which lists the hacked tokens and important details of the transactions made by the hacker.
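The pattern in this update, many distinct ERC20 tokens leaving one hot wallet for a single address within an hour, is something an exchange's own monitoring can alert on. The sketch below is an added example, not code from Bilaxy, Etherscan or Merkle Science: the record fields (`from`, `to`, `token`, `ts`), the `min_tokens` threshold and the token and user addresses are assumptions, while the two wallet addresses and the one-hour window come from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Addresses as printed in the article (one checksummed, one lower-case).
HOT_WALLET = "0xCCE8D59AFFdd93be338FC77FA0A298C2CB65Da59"
RECIPIENT = "0xa14d5da3c6bf2d9304fe6d4bc6942395b4de048b"

def norm(addr):
    """Lower-case so checksummed and lower-case spellings compare equal."""
    return addr.strip().lower()

def detect_sweeps(transfers, watched, window=timedelta(hours=1), min_tokens=5):
    """Return alerts where >= min_tokens distinct token contracts leave a
    watched wallet for a single recipient inside one sliding window."""
    watched = {norm(a) for a in watched}
    by_pair = defaultdict(list)
    for t in transfers:
        if norm(t["from"]) in watched:
            by_pair[norm(t["from"]), norm(t["to"])].append((t["ts"], norm(t["token"])))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        counts, start, best = defaultdict(int), 0, 0
        for ts, token in events:
            counts[token] += 1
            while ts - events[start][0] > window:  # drop events older than window
                old = events[start][1]
                counts[old] -= 1
                if not counts[old]:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= min_tokens:
            alerts.append({"wallet": src, "recipient": dst, "distinct_tokens": best})
    return alerts

def sample_transfers():
    """Constructed records; token and user addresses are placeholders."""
    t0 = datetime(2021, 8, 28, 18, 0, tzinfo=timezone.utc)
    tok = lambda i: "0x" + f"{i:040x}"
    user = "0x" + "ab" * 20
    rows = [{"from": HOT_WALLET.lower(), "to": RECIPIENT, "token": tok(i),
             "ts": t0 + timedelta(minutes=5 * i)} for i in range(1, 9)]
    # Routine withdrawals: many tokens to one user, but spread over days.
    rows += [{"from": HOT_WALLET, "to": user, "token": tok(i),
              "ts": t0 - timedelta(days=i)} for i in range(1, 9)]
    return rows

if __name__ == "__main__":
    print(detect_sweeps(sample_transfers(), [HOT_WALLET]))
```

Normalising case before comparison matters here because the same addresses appear in both checksummed and lower-case form in this piece; a blacklist or watch list matched byte-for-byte would miss one of the two spellings.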

Later, Bilaxy issued a clarification stating that the hacking “incident involved only part of ERC20 tokens held in the hot wallet. Other coins/tokens such as BTC, ETH were not affected.” However, according to an update from decentralized finance protocol Hoge Finance, the hack involved the transfer of nearly 300 cryptocurrencies, including Tether (USDT), USD Coin (USDC), Uniswap (UNI), and SushiSwap (SUSHI), among others. Hoge Finance tweeted that nearly all of Bilaxy's 1 billion HOGE tokens ($141,000) were transferred to the hacker’s wallet from the wallet that held a diverse crypto collection worth around $22 million.

In the upcoming days, Bilaxy plans to “jointly work with the professional authoritative security institutions to make thoroughly system security audit and investigation.” Bilaxy also plans to sort out its platform assets storage solution, report the hack to the local police agency, and try to track down and recover the stolen funds. In a follow-up tweet, Bilaxy stated that it is working closely with third-party security auditing companies and has made initial progress.

Noting that it has suffered heavy losses in the hacking incident, the Bilaxy team informed its users that it will take at least two weeks to investigate the hack thoroughly and rebuild the system architecture to secure the Bilaxy system and user assets.

Bilaxy has been criticized for not responding to the hack in a timely manner and has failed to provide its users with frequent updates. Further, Bilaxy’s lack of focus on security has also been the subject of criticism. Other concerns about Bilaxy include the lack of public information about the team members, lack of insurance in the case of a hack, falsely inflated volumes, and overall lack of transparency.

Merkle Science has blacklisted the wallet address involved in the Bilaxy Hack

Merkle Science’s On-Chain Analysis

As per Merkle Science’s analysis, the hack took place on 28th August 2021, and a total of 297 tokens (including ETH) were stolen.  

According to our analysis, crypto assets amounting to a total of approximately $30 million were stolen from the Bilaxy hot wallet (0xcce8d59affdd93be338fc77fa0a298c2cb65da59) and transferred to the hacker’s address (0xa14d5da3c6bf2d9304fe6d4bc6942395b4de048b).

Subsequently, the hacker sent 200 ETH to the coin-mixing service, Tornado Cash. Presently, the hacker’s address (0xa14d5da3c6bf2d9304fe6d4bc6942395b4de048b) is still in possession of 139.18 ETH ($491,636) as well as more than $10 million worth of the other stolen tokens.

AXS DMST HVN MOD QNT STORJ
BADGER DONK HXRO MPH QRX SUPER
BAND DRC HYVE MRPH QUICK SUSHI
BAO DSLA ICH MUSE RAMP SWAP
BAT DX ID MUSH RARI SXP
BCP EDN INJ MXC RECOM SYNC
BEC ELON INO MXX REEF TAN
BEPRO EMB Inu NBNG REL TCORE
BFi ENJ JDB NCT REN TLB
BFLY EPAN JDC NFTX REVV TOL
BIA ERN JUP NIF RFOX TOWER
BiFi ETH KEANU NIOX RGT TRB
BIRD EUM KEEP NKN RNDR TRU
BMI EURU KEY NMR ROCKS TTT
BNF EZ KIRO NOIA ROOK TVK
BNT FDO KISHU NOKU RPL TXL
BOND FMA KIT NYANTE RSR UBT
BTSG FMTA KLEE OCC RVP UCX
BURN FOUR KNC OCTO SAITAMA UDT
CARD.STARTER FSW KONO OGN SAITO UFT
CAT FTM KSF OMC SALE UMB
CEL FUSE KTON OPEN SAND UNI
CELL FVT KYL ORBS Seele UNIQ
CHAIN FWB LCX ORME SENT UNN
CHR FWT LDO ORN SFI UNT
CLB FXF LEAD OVR SHIB UPP
CLIQ FXT LEVL PAINT SHIH URAC
CLS GALA LGCY PAMP SHROOM USDC
COVA GAME LGO PAYT SI USDL
Coval GBPU LINA PBL Skey USDT
CRBN GERO LND PERL SLP USDU
CTASK GET LOOT PERP SNOW UTK
CTSI GHST LQD PHA SNX UTNP
CUDOS GLQ LTX PIN SOTA VAI
CVR GRID LUXO PLOT SPACE VIDT
DAI GRT LYXe POLS SPDR VIDYA
DAV GSWAP MAHA PPAY SPND VISR
DEC HEGIC MANA PROS SPRK VRX
DEPAY HEX MCB PRQ SRK VSP
DFYN HEZ MCS PTF SRM VXV
DGCL HOGE MET PTON SS wCRES
DHT HOKK MFT PTOY STAKE WIOV
DHV HOPR MINT QCX STARL WISE
DIS HOT MITx QKC STC WOO
XCUR XIDO XYO ZCX ZKS ZCN
XDB XIV YOP ZDEX ZOOT ZEFU
XFT XRT ZRX