On December 4, 2021, crypto exchange BitMart suffered an attack on its Ethereum and Binance Smart Chain hot wallets, resulting in a loss of nearly $200 million USD. Founder and CEO Sheldon Xia confirmed the incident, writing on Twitter: “We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets.”
This latest breach happened amidst a rapid increase in attacks suffered by the crypto industry. According to industry reports, a total of 169 blockchain hacking incidents have taken place as of November 2021, with close to $7 billion in funds lost. With the rapid increase in global blockchain hacking incidents, regulatory scrutiny around the crypto industry is also increasing.
In its first government-wide list of priorities for anti-money laundering and countering the financing of terrorism (AML/CFT), the U.S. Financial Crimes Enforcement Network (FinCEN) made virtual currency considerations one of its top priorities. FinCEN has also issued a warning that, in cases of hacks, criminals may use tools such as mixers and tumblers to break the connection between the sender address and the receiver address. On October 6, 2021, the U.S. Department of Justice announced the National Cryptocurrency Enforcement Team (NCET), an enforcement team dedicated to investigating and prosecuting criminal misuses of cryptocurrency, in particular crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure.
With the rise in crypto hacking incidents, enhanced security measures by the industry have become ever more urgent. Since hot wallets are connected to the internet, they are particularly vulnerable to attacks. In fact, exchanges with insufficient blockchain monitoring processes are most vulnerable to attacks.
Attackers stole funds out of BitMart’s Ethereum and Binance Smart Chain hot wallets. After transferring the funds out of BitMart, hackers reportedly used decentralized exchange aggregators 1inch and PancakeSwap to exchange the stolen tokens. From there, the ether coins were deposited into a privacy mixer known as Tornado Cash, thus making it difficult to track the stolen funds.
BitMart revealed in a tweet that the attack was mainly caused by a “stolen private key that had two of our hot wallets compromised.” BitMart claims that only a small percentage of its assets were affected, and all of its other wallets remain secure and unharmed. Even so, the exchange has frozen withdrawals and is reviewing its security measures. BitMart, however, remains confident that it will be able to gradually restart its deposit and withdrawal functions.
BitMart has stated that it will use its own funding to cover the incident and compensate its users for their loss. Merkle Science has already updated its database and blacklisted wallet addresses involved in the attack.
Image 1: Ethereum on-chain flow of funds with corresponding steps
Image 2: Binance Smart Chain on-chain flow of funds

| Token | Token Amount | Token Amount (USD) |
| --- | --- | --- |
| SHIB | 893,755,205,648.56 | $33,068,942.61 |
| SAITAMA | 597,383,974,117,146.00 | $28,660,690.93 |
| STARS | 19,142,614.60 | $2,215,749.07 |
| ELON | 5,627,528,598,784.16 | $6,584,208.46 |
| CRO | 5,089,853.54 | $2,955,886.63 |
| GALA | 5,115,574.29 | $2,490,982.86 |
| SAND | 326,938.03 | $1,819,955.15 |
| HOT | 129,995,386.46 | $1,276,554.69 |
| LUFFY | 929,715,379,015,928.00 | $1,231,872.88 |
| WOO | 1,371,631.54 | $1,147,029.62 |
| HEX | 5,686,503.41 | $949,111.54 |
| MATIC | 468,124.62 | $917,719.47 |
| ZEON | 293,053,737.39 | $729,358.00 |
| SRK | 224,025,350.38 | $624,096.54 |
| KISHU | 275,354,387,330,448.00 | $576,867.44 |
| RSR | 13,870,304.45 | $520,080.94 |
| USDC | 509,825.11 | $509,095.55 |
| AKITA | 264,907,779,051.70 | $500,675.70 |
| FTM | 287,907.77 | $446,257.04 |
| XDB | 701,035.94 | $420,905.48 |
| MANA | 111,885.07 | $408,473.71 |
| TRU | 1,202,326.12 | $378,158.02 |
| RVF | 5,447,348.00 | $356,065.90 |
| ENJ | 107,409.95 | $299,897.48 |
| UFO | 10,841,969,434.53 | $282,541.72 |
| WPP | 57,054,202.07 | $271,497.56 |
| WILD | 54,176.53 | $244,877.92 |
| PBR | 186,573.34 | $464.35 |
| ETH | 148.87 | $599,576.39 |
| Total | | $90,487,593.65 |


| Token | Token Amount | Token Amount (USD) |
| --- | --- | --- |
| SAFEMOON | 29,443,552,399,217.40 | $51,820,652.22 |
| X2P | 1,807,890,144.80 | $49,188,731.56 |
| FLNS | 9,940,017.40 | $4,551,931.57 |
| BabyDoge | 1,805,819,499,726,380.00 | $3,069,893.15 |
| HERO | 11,894,942.54 | $2,412,306.24 |
| STARSHIP | 600,017.10 | $744,021.21 |
| FLOKI | 15,407,093,855.14 | $2,302,744.25 |
| JULb | 11,924.25 | $1,376,893.68 |
| CMCX | 28,513,123.89 | $909,347.39 |
| GMR | 5,012,723,082,519.38 | $29,073.79 |
| SPE | 20,084,968.15 | $516,852.51 |
| BETU | 4,097,255.08 | $542,050.46 |
| GMEX | 85,019,451.78 | $277,199.97 |
| ZOE | 3,806,819.73 | $491,148.27 |
| MOONSHOT | 110,372,682,133,179.00 | $640,161.56 |
| BPAY | 92,740,731.48 | $574,453.48 |
| STACK | 2,332,295.79 | $316,847.05 |
| EnergyX | 75,603,865,478,198.40 | $362,898.55 |
| BSC-USD | 352,346.05 | $352,298.83 |
| BNB | 213.57 | $121,565.00 |
| Total | | $120,601,070.74 |