New information continues to surface related to the hacking incident at Cryptopia, a New Zealand crypto exchange that was compromised back on the 15th of January. It remains the first breach of an exchange in 2019, but details have been slow to surface.
The company is still in shutdown mode, as executives and police try to put the pieces together. Initial thoughts were that $3.6 million of coins had disappeared from the firm’s ledger, but new information suggests that the figure might really be $16 million.
The new information comes from a report prepared by Elementus, a blockchain infrastructure firm. According to their analysis:
The funds were taken from more than 76,000 different wallets, none of which were smart contracts. The thieves must have gained access to not one private key, but thousands of them.
Oddly enough, the analysis contends that the crooks began siphoning off funds on the 13th, two days before Cryptopia staff closed the platform, supposedly for maintenance, but then alerted police authorities that significant losses of untold quantities had been detected. The report goes on to reveal that the hackers took their time, feeling no urgency or threat of capture, and continued their thievery until the early hours of January 17th. Speculation is that Cryptopia staff had lost control and access to the firm’s wallets, possibly because the crooks had destroyed any records of the private keys.
One summarization of the report concludes that, “Elementus deems the incident to be unusual in that it differs from two common profiles of exchange hacks: these being either the exploitation of vulnerabilities in a wallet’s smart contract code, or unauthorized access to private key credentials, which typically involves the breach of a single wallet.” The only valid conclusion is that the crooks gained access to thousands of private keys.
As for the $16 million estimate of losses, Elementus provided a detailed list, broken down by coin program. They also noted that the hackers had only cashed in roughly $880,000 to date. The remaining $15 million and change resides presently in two wallet addresses controlled by the crooks. Details of the individual coin thefts follow:
- ETH – $3,570,124
- Dentacoin – $2,446,212
- Oyster Pearl – $1,948,223
- Lisk ML – $1,718,610
- Centrality – $1,148,144
- Mothership – $880,141
- Ormeus – $452,841
- DAPS – $384,425
- Zap – $147,158
- Pillar – $254,521
- Other tokens – $3,051,709
Total – $16,002,108
Elementus also noted that another 1,948 Ethereum wallets and $46,000 of ETH might still be “at risk” and that Cryptopia staff should freeze the funds. In the aftermath, it has also come to light that 40 clients of the beleaguered exchange have sought legal assistance in hopes of reclaiming lost funds. The odds of recovery seem bleak at this stage. Stay tuned.