Singapore-based cryptocurrency exchange KuCoin has experienced leakage of its private keys tied with its KuCoin hot wallets, which resulted in a hack of approximately USD 150 million worth of customer funds. The platform has temporarily suspended deposits and withdrawals from its platform, while the team claims its cold wallets remain unaffected, assured the exchange’s CEO Johnny Lyu.
Per the official announcement, the security incident was first noticed Friday evening (UTC time), September 25, as its risk management systems monitored several abnormal transactions. The total value of lost funds is still being calculated, though looking at the on-chain transactions it is estimated to be around USD 150 million. The hackers have gone away with roughly USD 4 million worth of ether (ETH), and USD 146 million worth of other ERC-20 tokens plus a large amount of bitcoin (BTC).
It seems #Kucoin got hacked.
Usually, after being hacked, the $BTC outflow increases rapidly and then becomes zero. Since 20:00 UTC on September 25th, the outflow has continuously been zero.
— CryptoQuant (@cryptoquant_com) September 26, 2020
Timeline of the breach:
At 06:51 PM (UTC) on September 25, 2020, KuCoin team received an alert from the risk management system, showing that an abnormal ETH transaction with the TXID 0x4b738df5d7f12e3fa1cbe83b8165c542da461ef0c9255fc1a3f275259a92623b
After that, several other abnormal transactions for ETH and other ERC-20 tokens were registered, including:
All abnormal transactions originated from this wallet: 0xeb31973e0febf3e3d7058234a5ebbae1ab4b8c23
At 07:01 PM (UTC) on September 25, 2020, KuCoin received an alert about the abnormal remaining balance in their hot wallets.
At 07:15 PM (UTC) on September 25, 2020, the KuCoin team set up a dedicated team to cope with the security incident.
At 07:20 PM (UTC) on September 25, 2020, the team urgently closed the server of the wallet but abnormal transactions were still continuing.
At 08:20 PM UTC on September 25, 2020, the KuCoin wallet team starts transferring the remaining assets of the hot wallets to its cold storage.
At 08:25 PM UTC on September 25, 2020, the KuCoin wallet team, operation team and security team began investigating the incident based on available information.
At 08:50 PM UTC on September 25, 2020, most of the remaining assets were transferred from the hot wallet to cold storage.
As of 09:00 PM UTC on September 25, 2020, the exchange’s team claims to be in contact with other crypto platforms, including Binance, Huobi, OKEx, Bybit, Upbit, Bibox, Gate, MXC, BitMax, BigONE, BKEX, Bit-Z, HBTC, Hoo, Crypto.com, Bingbon, Renrenbit, LBank, Max/Maicoin, CoinW and more to block suspicious addresses and trace the stolen funds.
At 02:41 AM UTC on September 26, 2020, the team released the official announcement concerning the security incident.
(1/4) We detected some large withdrawals since Sep 26 at 03:05 UTC+8. According to the latest internal security audit report, part of BTC, ERC-20 and other tokens in KuCoin’s hot wallets were transferred out of the exchange, which contained few parts of our total assets holdings
— KUCOIN (@kucoincom) September 26, 2020
At 4:30 AM UTC on September 26, KuCoin Global CEO Johnny Lyu started a live stream to update concerned stakeholders on the incident and current state of things at KuCoin. He said that “Regarding this accident, we have made a conclusion that it is because someone (unclear) stole the private key of our hot wallet.” Besides, he assured KuCoin users that all the losses will be covered by KuCoin.
“All the loss will be covered by KuCoin risk provisions.”
You can rewatch the live stream here:
At 08:39 AM UTC today, Bitfinex and Tether CTO Paolo Ardoino tweeted that Bitfinex has frozen approximately USD 13 million worth of Tether (USDT) on EOS blockchain and Tether froze USD 20 million worth of USDT on Ethereum.
Thanks a bunch 🙏
We’ve been receiving more and more good news & supports from our partners in the crypto space.
Together, stronger! https://t.co/vIwNXr0sYk
— lyu_johnny (@lyu_johnny) September 26, 2020
KuCoin promised to reimburse users who lost funds in the hack by using its insurance fund that was established to deal with such situations. Deposits and withdrawals at the exchange have been temporarily suspended while the team is investigating the incident with international law enforcement. Besides, the exchange’s team offers rewards of up to USD 100,000 to anyone who can provide valid information regarding this hack. Relevant information can be sent to [email protected].
Summary of Kucoin Livestream.
1.) Hot wallets got hacked for $150 M.
2.) They contracted police and promised to reimburse via insurance fund.
3.) Private keys compromised.
4.) User data SAFU.
— CRYPTOVERSE (GIVING AWAY KNOWLEDGE) (@acryptoverse) September 26, 2020