Hack Track: Analysis of Liquid Global Security Breach
Merkle Science
[Update 2021.08.20]
In a follow-up tweet, Liquid stated that it is currently tracing the movement of stolen assets and is working closely with other exchanges to freeze and recover these assets.
Shortly after the tweet, Liquid also published a warm wallet incident report, highlighting the status of Liquid services and analyzing the impact of the hack. All the values in this piece are in US Dollars (USD). According to the report, crypto assets amounting to a total of approximately $91.35 million were moved out of Liquid wallets by an unauthorized party.
Further, out of this amount, ERC-20 assets worth $16.13 million have been frozen from on-chain movement with help from the crypto community and other exchanges. The report also states that sixty-nine different crypto assets were misappropriated and sent to other exchanges or DeFi swapping venues.
An updated list of hacked addresses from Liquid:
- BTC - 1Fx1bhbCwp5LU2gHxfRNiSHi1QSHwZLf7q
- ETH/ERC-20 - 0x5578840aae68682a9779623fa9e8714802b59946
- ETH - 0xefb33ccafc98d5fdb27a6f5ff17350ca76bf3b53
- TRX - TSpcue3bDfZNTP1CutrRrDxRPeEvWhuXbp
- XRP - rfapBqj7rUkGju7oHTwBwhEyXgwkEM4yby
And subsequent movement of funds traced from the hacked addresses:
- BTC - 12PKkwoFkXp6JtN7roWRA2gSitE6nVDds4
- BTC - 1JW1tcBXp1vZ6KGEirFNSXb5RgZSaL63Av
- ERC-20 - 0xff0f573bdf4c23e41ea3ecd82efa66828706b711
- ERC-20 - 0x5d8ecef85058b33cc7130b975cfe07b548fee50a
- ERC-20 - 0xD66D9EC7f0D89E0E6698953a7f44158552fbaf8f
- ERC-20 - 0x262feb0550F3b6927ee5CBaa2fcfF77c1D
- ERC-20 - 0xec06a00df7fe291c9f872449385bd593e38d8133
- ERC-20 - 0xaf9bdc92c920415cbcb8572a2dcb8aade778312b
- ERC-20 - xD66D9EC7f0D89E0E6698953a7f44158552fbaf8f
A couple of updates from Merkle Science’s on-chain analysis have also been added to the body of the Hack Track below.
On 19 August 2021, Liquid Global Official, a regulated crypto exchange in Japan, confirmed that it had suffered a security breach. The incident came amid a rapid rise in hacking incidents suffered by crypto platforms. According to SEC Chairman Gary Gensler, the primary mission of the Securities and Exchange Commission (SEC) is to provide safeguards to consumers and investors. During his speech at the Aspen Security Forum, Gensler noted that “the American public is buying, selling, and lending crypto on these trading, lending, and DeFi platforms, and there are significant gaps in investor protection.” Gensler called for greater regulatory scrutiny of these platforms and urged Congress to dedicate more resources to prevent transactions, products and services from falling through regulatory gaps. Further, noting that platforms dealing in digital assets can fall prey to frauds, scams, hacks and abuse, Gensler pushed for increased regulatory oversight in order to curb security breaches in crypto.
What Happened?
Through its official Twitter account, Liquid notified its users that its warm wallets had been compromised and that it was therefore moving its assets into cold wallets. In a follow-up tweet, Liquid clarified that Bitcoin, Ethereum, Tron, and Ripple had been transferred to the following addresses controlled by the hacker:
- BTC: 1Fx1bhbCwp5LU2gHxfRNiSHi1QSHwZLf7q
- ETH/EWT: 0x5578840aae68682a9779623fa9e8714802b59946
- ETH: 0xefb33ccafc98d5fdb27a6f5ff17350ca76bf3b53
- TRX: TSpcue3bDfZNTP1CutrRrDxRPeEvWhuXbp
- XRP: rfapBqj7rUkGju7oHTwBwhEyXgwkEM4yby
Liquid also stated that “we are currently investigating and will provide regular updates. In the meantime, deposits and withdrawals will be suspended.” However, Liquid has also been criticized for the way it handled the hack, primarily for three reasons. Firstly, users felt Liquid did not respond to the hack in a timely manner and did not inform them of the hack immediately.
Secondly, because Liquid had previously claimed to store 100% of its crypto assets in cold wallet storage, users expected most of the assets to already be in cold wallets. The hack was most likely caused by the hacker gaining access to the private keys of the exchange's warm wallets. Warm wallets are similar to hot wallets in that they are deployed on an internet-connected endpoint and are used to manage liquidity, but they add a further layer of security on top of a hot wallet. Warm wallets are not as secure as cold wallets, but they are a good way to improve on hot wallets. It is best practice for crypto exchanges to keep the bulk of funds in cold wallets, which disconnect the signing keys from the internet and so make the funds more secure.
Thirdly, Liquid's lack of focus on security has also drawn criticism. As recently as November 2020, Liquid suffered a security breach in which it failed to protect its users' personal information: legal names, contact details, and passwords were exposed to hackers.
Merkle Science has blacklisted the wallet addresses involved in the Liquid hack.
Merkle Science’s On-Chain Analysis
While Liquid is yet to confirm exactly how much has been taken, per Merkle Science’s analysis, the hacker has stolen over $81 million, including (a) Ripple - $13,142,723, (b) Bitcoin - $4,307,897, and (c) Ethereum and other tokens - $63,947,036.
Bitcoin
A total of ten transactions were made to the hacker’s BTC address 1Fx1bhbCwp5LU2gHxfRNiSHi1QSHwZLf7q.
The transactions originated from the following three warm wallets belonging to Liquid Global:
- 1Kt1fU43GLD1Lyoh8VfZ9UBTGb5T9nQ8U
- 12PwcbXFCPw8WQdMVehpn8qHVM11Z83h5h
- 1F2jBn5qwMkDfWR5CH4TjqKWEwQWT3rBm6
The hacker’s Bitcoin address has received a total of 107.31865344 BTC ($4,307,897). However, as per Merkle Science’s on-chain analysis, no outgoing transactions have been conducted so far.
Ripple
The hacker’s Ripple wallet address has been identified as rfapBqj7rUkGju7oHTwBwhEyXgwkEM4yby.
The hacker, through four transactions, received a total of 11,508,516 XRP ($13,142,723) at the aforementioned address.
All the deposited funds were subsequently transferred to the following three addresses:
- 3,508,496 XRP ($4,006,702) was transferred to rftHfofF6jtbGqMugCJimLan2ytLQUbExE
- 4,000,000 XRP ($4,564,000) was transferred to rBunFQhwefzmrZsGaGp5urbDr1ee6MtPur
- 4,000,000 XRP ($4,564,000) was transferred to rHsU7MUyc2agWUiEUvo8WvurAi7e16YxPg
Further, 74% of the total funds amounting to $3,364,040 from the address rHsU7MUyc2agWUiEUvo8WvurAi7e16YxPg have been transferred to a major global crypto exchange.
Additionally, the same exchange received another 19.66% of the total funds, amounting to $787,717, from the address rftHfofF6jtbGqMugCJimLan2ytLQUbExE. This address also transferred $137,830 (3.44%) of the funds to one of the longest-standing crypto trading platforms.
[UPDATE 2021.08.20]: The funds sent to the aforementioned major global crypto exchange from the addresses rHsU7MUyc2agWUiEUvo8WvurAi7e16YxPg and rftHfofF6jtbGqMugCJimLan2ytLQUbExE have reportedly been exchanged for BTC.
Consequently, the exchanged funds, amounting to approximately 193 BTC, were then transferred to two new BTC addresses:
- 12PKkwoFkXp6JtN7roWRA2gSitE6nVDds4
- 1JW1tcBXp1vZ6KGEirFNSXb5RgZSaL63Av
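The flow-of-funds reasoning in this section (what share of an address's inflow went on to an exchange, and which exchange deposits are therefore exposed to the hack and candidates for a freeze) can be expressed as a small tracer. The following Python is an added example, not Merkle Science's code or tooling: the ledger, address labels and amounts are constructed to mirror the shape of the XRP flow above (hacker address, three intermediate addresses, deposits at an exchange), the blacklist and deposit-address sets are assumptions, and the proportional "haircut" taint rule is one common attribution convention rather than the method the post says was used.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample ledger with hypothetical address labels and illustrative
# amounts, in chronological order (the tracer relies on that ordering).
BLACKLIST = {"rHACKER_PLACEHOLDER"}                  # assumption: tagged attacker address
EXCHANGE_DEPOSITS = {"rEXCH_DEP_1", "rEXCH_DEP_2"}    # assumption: an exchange's deposit addresses
LEDGER = [
    # (sender, receiver, amount in XRP)
    ("rHACKER_PLACEHOLDER", "rINT_A", 3_508_496),
    ("rHACKER_PLACEHOLDER", "rINT_B", 4_000_000),
    ("rHACKER_PLACEHOLDER", "rINT_C", 4_000_000),
    ("rCLEAN_USER", "rINT_C", 1_000_000),            # unrelated funds mixed into rINT_C
    ("rINT_C", "rEXCH_DEP_1", 2_960_000),
    ("rINT_A", "rEXCH_DEP_1", 786_880),
    ("rINT_A", "rEXCH_DEP_2", 137_830),
    ("rCLEAN_USER", "rEXCH_DEP_2", 500_000),         # clean deposit at the same exchange
]


def haircut_taint(ledger, blacklist):
    """Propagate taint proportionally ("haircut" method) through the ledger.

    Each address keeps a running balance and a running tainted balance. Funds
    leaving a blacklisted address are fully tainted; funds leaving any other
    address carry the same tainted fraction as that address holds at the moment
    of the spend. Returns {address: (total_received, tainted_received)}.
    """
    balance = defaultdict(Fraction)
    tainted = defaultdict(Fraction)
    received = defaultdict(lambda: [Fraction(0), Fraction(0)])

    for sender, receiver, amount in ledger:
        amount = Fraction(amount)
        if sender in blacklist:
            tainted_part = amount
        elif balance[sender] > 0:
            # A spend larger than the tracked balance means untracked inflow;
            # only the tracked portion carries taint.
            tracked = min(amount, balance[sender])
            tainted_part = tracked * tainted[sender] / balance[sender]
            balance[sender] -= tracked
            tainted[sender] -= tainted_part
        else:
            tainted_part = Fraction(0)  # no tracked inflow: treated as clean
        balance[receiver] += amount
        tainted[receiver] += tainted_part
        received[receiver][0] += amount
        received[receiver][1] += tainted_part
    return {addr: (tot, tnt) for addr, (tot, tnt) in received.items()}


def exposure_shares(ledger, blacklist, watch):
    """Tainted share of total inflow for each watched address."""
    report = haircut_taint(ledger, blacklist)
    shares = {}
    for addr in watch:
        total, tnt = report.get(addr, (Fraction(0), Fraction(0)))
        shares[addr] = tnt / total if total else Fraction(0)
    return shares


def deposits_to_freeze(ledger, blacklist, watch, threshold=Fraction(1, 10)):
    """Watched addresses whose tainted share reaches the freeze threshold."""
    shares = exposure_shares(ledger, blacklist, watch)
    return sorted(addr for addr, share in shares.items() if share >= threshold)


if __name__ == "__main__":
    for addr, (total, tnt) in haircut_taint(LEDGER, BLACKLIST).items():
        print(f"{addr:22s} received {float(total):>12,.0f}  tainted {float(tnt):>12,.0f}")
    print("freeze candidates:", deposits_to_freeze(LEDGER, BLACKLIST, EXCHANGE_DEPOSITS))
```

The haircut rule is the conservative choice for a compliance desk: a deposit that mixed 4,000,000 tainted XRP with 1,000,000 clean XRP is treated as 80% exposed rather than either fully clean or fully tainted, and the freeze threshold is a policy knob, not something the chain decides.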
Ethereum
The hacker used two separate Ethereum addresses for the attack:
- E1 - 0x5578840AAe68682a9779623Fa9e8714802B59946
- E2 - 0xEFB33ccafC98d5fDB27A6F5Ff17350CA76BF3b53
Hacker Address E1 received stolen ETH and multiple other tokens amounting to a total of $62,305,655. Although there were outgoing transactions from Hacker Address E1, the stolen funds had not been sent to any exchanges or known entities.
Hacker Address E2 received a total of 538.274 ETH worth $1,641,380. At the time of analysis, there were no outgoing transactions from this address.
[UPDATE 2021.08.20]: Merkle Science’s team has also observed multiple smart contract transactions from E1 where tokens are being exchanged.
The breakdown of the stolen Ethereum-based tokens was given in an image attached to the original post.