The Rain cryptocurrency exchange was “likely exploited” on April 29 when $14.1 million worth of Bitcoin (BTC), Ether (ETH), Solana (SOL), and XRP was transferred to a new wallet under suspicious circumstances, according to a May 13 report from on-chain sleuth ZachXBT. The report comes two weeks after the reportedly suspicious transactions took place.
Rain is a centralized crypto exchange headquartered in Bahrain. It specializes in serving customers from Southwest Asia and the Middle East. According to regional news site The National, Rain has recorded over $1 billion in trading volume since its inception.
ZachXBT’s official Telegram channel reported that the transferred funds “were quickly transferred to instant exchanges and swapped for BTC and ETH” before being deposited to two destination addresses on the Bitcoin and Ethereum networks. The Ethereum address, which ends in 6c28, is currently holding approximately 1,881 ETH, worth $5.5 million at the current price. The Bitcoin address, which ends in prp2, is holding 137.9 BTC, worth $8.6 million at the current price.
According to Arkham Intelligence data, the Ethereum destination address received its funds from an address ending in d609. The d609 address, in turn, received the funds from several Bitgo multisignature wallets. Arkham has not explicitly labeled these wallets as belonging to Rain.
On April 29, these Bitgo wallets posted 26 separate transactions, sending ETH and a variety of tokens to the address ending in d609. More than 590 ETH ($1.7 million at the current price) was sent, as well as approximately 20 billion Shiba Inu ($481,000),12,500 Chainlink ($169,000), $240,000 Tether (USDT), and $500,000 USD Coin (USDC).
These tokens were immediately swapped for ETH on Uniswap. As these swaps were being carried out, the account continued to receive more tokens from the Bitgo wallets, including Aave (AAVE), Yearn Finance (YFI), MakerDAO (MKR), and other tokens.
The account also received funds from a Binance hot wallet.
Cointelegraph contacted Rain for comment but did not receive a response by the time of publication.
Hacks and exploits continue to pose a risk for crypto users. On May 6, Gnus.AI lost more than $1.27 million when its Discord server became compromised and a private key was leaked. On May 13, cybersecurity firm Kaspersky reported that the North Korean hacker organization Kimsuky has launched a new “Durian” malware that specifically targets crypto firms.
Related: Kronos Research hacker shifts funds to Tornado Cash