Hack Track: Analysis on BitMart Hack
Merkle Science
On December 4, 2021, crypto exchange BitMart suffered an attack on its Ethereum and Binance Smart Chain hot wallets, resulting in a loss of nearly $200 million USD. Founder and CEO Sheldon Xia confirmed the incident, writing on Twitter: "We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets.”
This latest breach happened amidst a rapid increase in attacks suffered by the crypto industry. According to industry reports, a total of 169 blockchain hacking incidents have taken place as of November 2021, with close to $7 billion in funds lost. With the rapid increase in global blockchain hacking incidents, regulatory scrutiny around the crypto industry is also increasing.
In its first government-wide list of priorities for anti-money laundering and countering the financing of terrorism (AML/CFT), the U.S. Financial Crime Enforcement Network (FinCEN) made virtual currency considerations one of its top priorities. Further, FinCEN had also issued a warning, noting that in cases of hacks, criminals may leverage tools such as mixers and tumblers in order to break the connection between the sender address and the receiver address. On October 6, 2021, the U.S. Department of Justice announced the National Cryptocurrency Enforcement Team (NCET), an enforcement team dedicated to investigating and prosecuting criminal misuses of cryptocurrency — in particular, crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure.
With the rise in crypto hacking incidents, enhanced security measures by the industry have become ever more urgent. Since hot wallets are connected to the internet, they are particularly vulnerable to attacks. In fact, exchanges with insufficient blockchain monitoring processes are most vulnerable to attacks.
What Happened?
Attackers stole funds out of BitMart’s Ethereum and Binance Smart Chain hot wallets. After transferring the funds out of BitMart, hackers reportedly used decentralized exchange aggregators 1inch and PancakeSwap to exchange the stolen tokens. From there, the ether coins were deposited into a privacy mixer known as Tornado Cash, thus making it difficult to track the stolen funds.
BitMart revealed in a tweet that the attack was mainly caused by a “stolen private key that had two of our hot wallets compromised.” BitMart claims that only a small percentage of its assets were affected, and all of its other wallets remain secure and unharmed. Even so, the exchange has frozen withdrawals and is reviewing its security measures. BitMart, however, remains confident that it will be able to gradually restart its deposit and withdrawal functions.
BitMart has stated that it will use its own funding to cover the incident and compensate its users for their loss. Merkle Science has already updated its database and blacklisted wallet addresses involved in the attack
Merkle Science’s On-Chain Analysis
Ethereum Blockchain Analysis
- On the Ethereum blockchain, the hacker stole 29 types of tokens including ETH. Please refer to Table 1 below for the full list of ERC-20 and ETH tokens and the respective amounts stolen. In total $90,487,593.65 worth of crypto was stolen from Ethereum blockchain.
- 148.87 ETH ($599,576.39) was stolen from BitMart’s hot wallet 0x68b22215ff74e3606bd5e6c1de8c2d68180c85f7 and transferred to the hacker’s wallet 0x39fb0dcd13945b835d47410ae0de7181d3edf270 (H1) on December 4, 2021.
- Around 18,044.75 ETH ($74.07 million) worth of stolen ERC-20 tokens from H1 were converted into ETH using a well-known decentralized exchange aggregator 1inch.
- 18,085 ETH ($74.61 million) from H1 was then transferred to the hacker’s 2nd wallet 0x4bb7d80282f5e0616705d7f832acfc59f89f7091 (H2) on December 5, 2021.
- 100 ETH ($417,118.62) was then transferred from H1 to Tornado Cash in order to mix the stolen funds.
- Separately, H2 received 3,110.69 ETH ($12.97 million) from the swapped ERC-20 tokens via 1inch. These were not funds that were stolen from BitMart hot wallets.)
- In total, H2 received a total 21,195.73 ETH ($85.36 million) from steps 3 and 6.
- The hacker then moved more than 99.9% (21,170 ETH) of the total ETH from H2 to Tornado Cash in order to mix the funds.
Image 1: Ethereum on-chain flow of funds with corresponding steps
Binance Smart Chain Blockchain Analysis
- On Binance Smart Chain, the hacker stole 20 types of tokens including BNB. Please refer to Table 2 below for the full list of BEP-20 and BNB tokens and the respective amounts stolen. In total $120,601,070.74 worth of crypto was stolen from Binance Smart Chain.
- 213.57 BNB ($121,565) was stolen from BitMart’s hot wallet 0x8c128dba2cb66399341aa877315be1054be75da8 and was transferred to the hacker’s wallet 0x25fb126b6c6b5c8ef732b86822fa0f0024e16c61 (H3) on December 4, 2021.
- Stolen BEP-20 tokens were swapped on well-known DEXs 1inch and PancakeSwap to the value of 56,637.35 BNB into H3.
- Total 99.79% (56,523.78 BNB) of the BNB funds from H3 were transferred to Tornado Cash to mix the stolen funds.
Image 2: Binance Smart Chain on-chain flow of funds
Table 1: Stolen tokens on Ethereum blockchain and corresponding amounts
Token | Token Amount | Token Amount (USD) |
SHIB | 893,755,205,648.56 | $33,068,942.61 |
SAITAMA | 597,383,974,117,146.00 | $28,660,690.93 |
STARS | 19,142,614.60 | $2,215,749.07 |
ELON | 5,627,528,598,784.16 | $6,584,208.46 |
CRO | 5,089,853.54 | $2,955,886.63 |
GALA | 5,115,574.29 | $2,490,982.86 |
SAND | 326,938.03 | $1,819,955.15 |
HOT | 129,995,386.46 | $1,276,554.69 |
LUFFY | 929,715,379,015,928.00 | $1,231,872.88 |
WOO | 1,371,631.54 | $1,147,029.62 |
HEX | 5,686,503.41 | $949,111.54 |
MATIC | 468,124.62 | $917,719.47 |
ZEON | 293,053,737.39 | $729,358.00 |
SRK | 224,025,350.38 | $624,096.54 |
KISHU | 275,354,387,330,448.00 | $576,867.44 |
RSR | 13,870,304.45 | $520,080.94 |
USDC | 509,825.11 | $509,095.55 |
AKITA | 264,907,779,051.70 | $500,675.70 |
FTM | 287,907.77 | $446,257.04 |
XDB | 701,035.94 | $420,905.48 |
MANA | 111,885.07 | $408,473.71 |
TRU | 1,202,326.12 | $378,158.02 |
RVF | 5,447,348.00 | $356,065.90 |
ENJ | 107,409.95 | $299,897.48 |
UFO | 10,841,969,434.53 | $282,541.72 |
WPP | 57,054,202.07 | $271,497.56 |
WILD | 54,176.53 | $244,877.92 |
PBR | 186,573.34 | $464.35 |
ETH | 148.87 | $599,576.39 |
Total | $90,487,593.65 |
Table 2: Stoken tokens on Binance Smart Chain blockchain and corresponding amounts
Token | Token Amount | Token Amount (USD) |
SAFEMOON | 29,443,552,399,217.40 | $51,820,652.22 |
X2P | 1,807,890,144.80 | $49,188,731.56 |
FLNS | 9,940,017.40 | $4,551,931.57 |
BabyDoge | 1,805,819,499,726,380.00 | $3,069,893.15 |
HERO | 11,894,942.54 | $2,412,306.24 |
STARSHIP | 600,017.10 | $744,021.21 |
FLOKI | 15,407,093,855.14 | $2,302,744.25 |
JULb | 11,924.25 | $1,376,893.68 |
CMCX | 28,513,123.89 | $909,347.39 |
GMR | 5,012,723,082,519.38 | $29,073.79 |
SPE | 20,084,968.15 | $516,852.51 |
BETU | 4,097,255.08 | $542,050.46 |
GMEX | 85,019,451.78 | $277,199.97 |
ZOE | 3,806,819.73 | $491,148.27 |
MOONSHOT | 110,372,682,133,179.00 | $640,161.56 |
BPAY | 92,740,731.48 | $574,453.48 |
STACK | 2,332,295.79 | $316,847.05 |
EnergyX | 75,603,865,478,198.40 | $362,898.55 |
BSC-USD | 352,346.05 | $352,298.83 |
BNB | 213.57 | $121,565.00 |
Total | $120,601,070.74 |