Crypto Exchanges Collaborate With Bithumb to Freeze Stolen Funds After Major Hack

Details are still sketchy after Bithumb lost $18 million due to a hack.
Details are still sketchy after Bithumb lost $18 million due to a hack.

In late March, major South Korean cryptocurrency exchange Bithumb lost around $18 million as a result of a hack. While the details are still sketchy — for instance, it is unclear whether or not it was an inside job, as Bithumb initially claimed — a large portion of the stolen funds have been frozen by various exchanges who received them from hackers attempting to sell the loot.

However, despite Bithumb stressing that the hijacked assets belonged to the company and not to its clients, the customers still can’t access their funds, since withdrawals and deposits have been disabled as part of the security measures.  

Bithumb reportedly lost 3 million EOS and 20 million XRP, claims it was an inside job

On March 29, Bithumb experienced what it described as “abnormal withdrawals” through its monitoring system. Then, as per the company's manual, the exchange reportedly moved all remaining funds to a cold wallet. Additionally, deposits and withdrawals have been disabled on the platform for security reasons. In the accompanying blog post issued the day after the incident, Bithumb also assumed that the security breach was performed by insiders, citing the results of an internal inspection.   

Moreover, Bithumb blamed itself for the security breach. Specifically, the exchange team admitted that it only focused on protection from outside attacks and did not verify its staff, according to an announcement by the company. Bithumb also promised that the incident won’t occur again, because a workforce verification system is allegedly already in the works.

“We are working with major exchanges and foundations and expect to recover the loss of the cryptocurrency equivalent,” Bithumb’s statement reads. “Also we promise that we will open our progress clearly with social responsibility as a global leader company.”

Interestingly, while Bithumb never directly disclosed how much cryptocurrency was lifted in any updates regarding the hack, it has been established that more than 3 million EOS (about $12.5 million) were transferred from its hot wallet during the security breach. Moreover, according to cryptocurrency news outlet The Block, around 20 million XRP — the cryptocurrency created by Ripple — (equivalent to about $6.2 million) were also stolen.

Notably, Bithumb has stressed that the embezzled funds were owned by the company and that all assets belonging to its users are now under the protection of a cold wallet, which allegedly has not been compromised.

Thus, deposits and withdrawals on Bithumb have been disabled for more than two weeks at this point, although the exchange has announced that it will start accepting deposits and withdrawals for bitcoin (BTC) and ether (ETH) “with enhanced security” starting on April 17, 15:00 (presumably GMT+9). It is currently unclear if the trading has actually continued for those cryptocurrencies, as Bithumb has ignored Cointelegraph’s requests for comment.

Notably, earlier this year, South Korean tech news outlet ZDNet reported that Bithumb was one of just seven cryptocurrency exchanges that have passed a security audit performed by local regulators.

Major part of the stolen funds have been frozen by various exchanges

As mentioned above, Bithumb has insisted that the hijacked funds were entirely company-owned, and hence did not represent customers’ assets. In an attempt to prove this, on April 11, the South Korean crypto exchange published what it presented as results of an alleged professional external audit of its funds conducted on April 8, a little over a week after the hack.

“We have stated that we will conduct fair and objective due diligence on all assets that we have through a reliable external Audit,” the statement reads, linking to the accounting firm’s statistics. Bithumb’s statement continued:

“We are pleased to inform you that our members' valuable assets are managed and maintained in a systematic / safe manner through the attached due diligence report.”

Nevertheless, the exchange’s clients have been stripped of the option to withdraw their funds from the platform, because that option was disabled soon after the incident occurred. In one of the statements, Bithumb also claimed they were working with the Korean police, Korea Internet & Security Agency (KISA) and unspecified “security companies” to deal with the aftermath.

The news about the hack was initially broken by Dovey Wan, founding partner at blockchain-focused Primitive Ventures, who also tweeted that part of the stolen EOS had ended up on a number of exchanges, while another portion had been moved to other addresses. Thus, Wan wrote, the exchange that received the most funds (662,000 EOS) was Exmo, followed by Huobi (263,000 EOS), Changelly (192,000 EOS), ChangeNOW (140,000 EOS) and KuCoin (96,000 EOS). According to blockchain security company PeckShield cited by The Block, smaller portions of the funds were also sent to CoinSwitch, BW, Binance and HitBTC.

The head of business development at Exmo, Maria Stankevich, confirmed to Cointelegraph that 662,600 EOS (around 22% of the total stolen sum) ended up on its servers.

“Due to really hard work of the whole team and sleepless night we managed to block almost all the funds.”

Now, Exmo is waiting for Bithumb to send an official inquiry to its British address so that the exchange can transfer the stolen assets back in accordance with the local law and GDPR-compliance processes. “We are in touch with Bithumb, they are doing all the necessary legal procedures right now,” Stankevich told Cointelegraph.

Huobi, which reportedly received 263,605 EOS (around 8.7%) of the stolen funds, also verified to Cointelegraph that its security team detected and subsequently froze the assets related to “the blacklisted account(s).”

ChangeNow has published a blog post confirming that “part of the funds worth more than half a million USD worth of EOS and XRP” were sent to its wallets. Soon after receiving a message from Bithumb about the ongoing hack, ChangeNow temporarily disabled EOS and XRP deposits, and blacklisted all the malicious addresses received from Bithumb. Pauline Shangett, the marketing and PR manager at ChangeNow, told Cointelegraph:

“We have been contacted by Bithumb representatives with regards to getting the funds returned to them, and their case is being processed in close collaboration with them and the Korean police. To our knowledge, the investigation is still ongoing.”

Changelly’s chief security officer, Sophia Lee, informed Cointelegraph that, as per its recent blog entry, $480,000 in EOS and $76,000 in XRP funds have been frozen until further investigation:

“Unfortunately, we’re not in the capacity to make any comments about our communication with the Korean police at a time. Currently, we’re finalizing the report with data about transactions, so there is no public statement just yet.”

KuCoin and CoinSwitch have also confirmed to Cointelegraph that they detected some of the embezzled assets funds in their wallets. Jing Cheung of KuCoin wrote via email:

“We have frozen the suspicious accounts per Bithumb's and Korean police's requests. We are now waiting for the instructions from Korean police regarding how could we return these digital assets.”

The CoinSwitch team told Cointelegraph that, although they run a noncustodial service that holds user funds only during the time of exchange, they were able to freeze some of the assets associated with the hack.

Cointelegraph has also reached out to Binance for further comment, but they declined to comment.

The account that was used to steal EOS from Bithumb is still live, according to data obtained from Eosq. Although the majority of the embezzled assets have been transferred to other addresses, some people seem to be sending dust transactions to the account in order to ask for the money via the comment section.

It is still unclear whether or not it was an insider job

As mentioned above, Bithumb was quick to argue that the security breach was performed by insiders. That raised suspicion among some Reddit users, who suggested that it was a damage-control tactic for the exchange, which experienced an even larger hack in June 2018. Redditor u/suibhnesuibhne wrote:

“Better to say an inside job after their last hack.”

Moreover, according to recent reports from local media, the Cyber ​​Investigation Department of South Korea’s National Police Agency has seized an external server as part of the investigation held at Bithumb’s office after discovering that it could have been involved in the attack. A police representative also told the newspaper that, regardless of whether the attack was performed from the inside or outside, it appears to be difficult to track the fraudsters, as they used multiple ways to cover their trail.

Bithumb gets hacked among other bad news, but receives $200 million in investments

The security breach happened against the backdrop of other bad news for Bithumb. First, in March, reports emerged suggesting that the company was cutting up to 50% of its workforce. Specifically, it was reported that Bithumb was reducing its staff from 310 to around 150.

“Voluntary retirement is part of our support program for former employees and is intended to provide assistance and training for job placement. Apart from that, [Bithumb’s] trading volume has decreased compared to the previous year, [so] we are trying to provide internal measures. We will continue to add necessary personnel for various new businesses,” according to an unnamed Bithumb official at the time.

Then, in April, local daily news outlet The Korea Times reported that Bithumb had a net loss of 205 billion won ($180 million) in 2018 due to the prevailing bear market. Citing data from the exchange’s operator, BTCKorea.com, the newspaper revealed that South Korea’s largest exchange experienced extensive losses despite its sales growing 17.5% compared to 2017.

Nevertheless, earlier this week, the Blockchain Exchange Alliance (BXA), which became Bithumb’s parent company after acquiring a controlling share in BitHumb Holdings in January, secured $200 million in funding from Japan’s ST Blockchain Fund. As Cointelegraph Japan wrote, the money will allow BXA to expand the international side of Bithumb and roll out new trading pairs.