Hack Track: EXMO Hot Wallets

Speedread

• UK-based cryptocurrency exchange EXMO revealed on Monday, December 21, that its hot wallets have been compromised.

• Announcing the hack on Monday, EXMO said in a blog post that affected hot wallets compromise nearly 5% of total assets managed by the firm.

• According to an estimate by The Block, EXMO appears to have lost US$10.5 million worth of cryptocurrencies.

• A total of 306.98 BTC were stolen from the EXMO BTC hot wallets and sent to the hackers’ address.

• The total amount of BCH stolen from the EXMO hot wallet is 1,882.60.

• The hacker also stole 867 ETH, 50,000 USDT tokens, and 476,521 XRP tokens which moved around the associate addresses belonging to the hacker before finally getting deposited in the hot wallets of a prominent cryptocurrency exchange (name redacted).

Who was hacked?

UK-based cryptocurrency exchange EXMO revealed on Monday, December 21, that its hot wallets have been compromised.

What was stolen and when?

Announcing the hack on Monday, EXMO said in a blog post that affected hot wallets compromised nearly 5% of total assets managed by the firm. The stolen cryptocurrencies include BTC, XRP, ZEC, USDT, ETC, and ETH and have been transferred out of the exchange from their hot wallets. According to an estimate by The Block, EXMO appears to have lost US$10.5 million worth of cryptocurrencies.

How did the hack take place?

According to EXMO’s blog post, the exchange detected some large withdrawals on December 21st at 2:27:02 UTC. However, it is likely the hackers would have gained access to EXMO servers hours or possibly even days before to retrieve the private keys used to sign the outgoing transactions from hot wallets.

What is the impact of the hack on the firm’s clients?

In its blog post, EXMO assured its clients that the company will completely cover if any user’s fund is affected.

How does this hack compare to others?

Similar to ETERBASE and KuCoin, in this case as well, cryptocurrencies stored in hot wallets have been compromised. Hot wallets’ private keys are usually stored in a database connected to the internet and do not require multiple signatures (multi-sig) by operators of the exchange to sign an outgoing transaction. Therefore the hackers can easily retrieve the wallet’s private keys and sign the subsequent outgoing transactions without significant challenges. The full details regarding the cause of the hack have not yet been disclosed by EXMO yet.

Where are the stolen funds going?

A total of 306.98 BTC were stolen from the EXMO BTC hot wallets and sent to the hackers’ main address, referred to as BTC 1 (more details about all the addresses associated with the hackers is given below). Of the 306.98 BTC stolen from the EXMO BTC Hot Wallet address, 14.99 BTC were sent to another address associated with the hacker (BTC 2).

The total amount of BCH stolen from the EXMO hot wallet is 1,882.60. This amount was first sent to the hacker’s main address (BCH 1) and then was distributed among 5 other associate addresses of the hacker in the following manner:

• BCH 2–77.45 bitcoin cash

• BCH 3–21.61 bitcoin cash

• BCH 4–1710.61 bitcoin cash

• BCH 5–94.53 bitcoin cash

• BCH 6–5.05 bitcoin cash

Along with the 306.98 BTC and 1,882.60 BCH, the hacker also stole 867 ETH, 50,000 USDT tokens, and 476,521 XRP tokens which moved around the associate addresses belonging to the hacker before finally getting deposited in the hot wallets of a prominent cryptocurrency exchange (name redacted).

Ethereum fund movement analysis

On the 21st of December, 867 ETH were moved from EXMO’s ethereum hot wallet address 0x1Fd6267f0D86F62D88172B998390AfEE2a1F54B6 to the hacker’s address 0x15D2c32E8617e7696e7F4d1c57Fb7672F77d1A62, hereby referred to as ETH 1 through the transaction id ‘0x8559665890150e829039eeb7be0cfc5fa999eb16a2a3f9aebfabbdc7128b7021.’

This was followed by a transaction of approximately 866.98 ETH originating from address ETH 1 to a different address associated with the hacker 0xC54f9C0B211fD34c72A6037Ab373264a7e6f74E7, henceforth referred to as ETH 2.

 

Furthermore, approximately 866.94 ETH were moved from ETH 2 to a smart contract address 0x4BA6B2fF35055aF5406923406442cD3aB29F50Ce which is in turn sending the funds to the hot wallet address of another prominent cryptocurrency exchange.

Along with the 867 ETH, the EXMO Hot wallet address was also used to transfer as many as 50,000 USDT tokens which would eventually follow the same trail to the hot wallet of a prominent cryptocurrency exchange as in the case of the ether

The movement of funds from here is difficult to track as an exchange hot wallet addresses have numerous incoming and outgoing transactions on a daily basis.

Bitcoin fund movement analysis:

• On December 21, 306.98 BTC were stolen from EXMO hot wallet “3Q2ffuXf2KVShJ9dasV3viFzAHYSLijC6a” and were transferred to hackers address “1A4PXZE5j8v7UuapYckq6fSegmY5i8uUyq,” referred to as BTC 1.

 

• HackerS received 306.99 BTC through 40 incoming transactions on BTC 1 and sent 14.99 BTC in one transaction to 13eVuXW3kNL4XHVko7HTxEr1AKYKN9Zrtk, referred to as BTC 2.

 

Bitcoin cash fund movement analysis:

• At the same time, the hacker managed to steal 1,882.60 BCH from EXMO hot wallet and sent it to “qrfrw5q9gag2vp6jc5nlx0haplm2jlhx9vsvxd9u3e,” referred to as ‘BCH 1.’

• Hackers made five incoming transactions from EXMO with 1,882.60 BCH and four outgoing transactions from the hackers’ main address to another bitcoin cash address which are “qrh93qnqgj43ljqqezfzkt5y7evm82ravczxmtue6s” (BCH 2–77.45 Bitcoin Cash), “qpu5tfyzwzjghnh0qzxk94pk0xhuzqlz5c44fzdehl” (BCH 3–21.61 Bitcoin Cash), “qz8lvmf35f6g2lh65fvaxuqect6wacdmqut0rm06ld” (BCH 4–1710.61 Bitcoin Cash), “qzt7ghus5fccjgmjyy24ql2j320ndfuzpcvtd832nf” (BCH 5–94.53 Bitcoin Cash), “qr8kldz00ae3t6hkkmkyc230nq47crdvmytzsdwvhz” (BCH 6–5.05 Bitcoin Cash).

• Transaction Details for Incoming Transaction on hackers’ address from EXMO:

1. T1: 4e7a6b1b2e38c693b4b35e359cc18f7fe0de0f1894246ebbc16baa221985f1bb : 1724.60 BCH on 21st December 2020.

2. T2: 79da278b8a0cb9f8f974ad9907c9064fa33c8528127ef9c7dd4441052ad7f886 : 8.00 BCH on 21st December 2020.

3. T3: 90945409807ed3b154f943babb1567f98b9c191c6f1ead2284dd08cbfc7983b3 : 100 BCH on 21st December 2020.

4. T4: a82d4561071aeae455451aef1184527a88537c02f2f34cdfb4a3498e35044dfe : 10.00 BCH on 21st December 2020.

5. T5: c89185ef9b83f9a19b0330ccf15747072939f7685977c99b4db532e350c3537f : 40.00 BCH

• Transaction Details for Outgoing Transactions from hackers’ address:

1. T1: fbe86ad947df65ac779342ed193de87c793caeb61a552d6b68ea5890cdf92514 : 50 BCH on December 21st, 2020

2. T2: ae2e5745c715af7cc5db90ad842d736da42d0028e3124062dada0d7cabea616b : 1724 BCH on December 21st, 2020

3. T3: 86cbaeff851e5eccb8766b84825b70267493b2b82bbed38ac38b845980be073b : 100.00 BCH

4. T4: 09986ff8a53f26602ddbe9e4eb1ffdb5e30fc65f5800e32f72dbf746d75db550 : 8.00 BCH on December 21st ,2020.

 

Suspected Hacker Addresses so far Bitcoin and Bitcoin Cash:

 

Ripple fund movement analysis

Among the stolen cryptocurrencies was Ripple(XRP) as well. A collective amount of 476,521 XRP tokens were stolen from two Ripple Hot Wallets of EXMO, rUocf1ixKzTuEe34kmVhRvGqNCofY1NJzV (EXMO 1) and rUCjhpLHCcuwL1oyQfzPVeWHsjZHaZS6t2 (EXMO 2).

The stolen funds were then sent to the hacker’s address rLJdUTRzDuytbVBm8hNZ4VeYfCWzU9DRH7, also referred to as XRP 1.

Further, almost all the funds, i.e., 476,500 XRP tokens were then sent to the hot wallet address of a prominent cryptocurrency exchange.

 

What can be done to prevent hackers from cashing out?

In its blog post, EXMO has requested all centralized exchanges that might be receiving the stolen funds to block the account of the user associated with the incoming transaction. The step will prevent hackers from trading one currency for other cryptocurrencies, especially anonymous ones, that could then be transferred elsewhere and are more difficult to trace.

Merkle Science has also updated wallet addresses associated with the EXMO hack. All our partners and customers will also receive immediate information if any funds they receive are from the hackers’ wallets.

Most exchanges globally share information on stolen fund addresses to deal with such risks and collaborate with law enforcement agencies and blockchain analysis firms such as Merkle Science for additional data and investigative services.