Hackers took out more than $150 million from BitMart’s hot wallets
Cayman Islands-registered cryptocurrency exchange BitMart reported the hacking of Ethereum and Binance Smart Chain (BSC) hot wallets. Hackers withdrew more than $150 million from the platform.
PeckShield specialists were among the first to notice the attack. On the night of December 4-5, they noticed a number of suspicious transactions from the Ethereum network. These transfers included tokens like Gala (GALA), The Sandbox (SAND), Decentraland (MANA), Shiba Inu (SHIB), and $500,000 in Stablecoin USD Coin (USDC).
Later, data about the hacking of the BSC wallet appeared. PeckShield estimated that hackers withdrew about $200 million from the platform (~$100 million in ERC-20 tokens, ~$96 million in BEP-2 and BEP-20 tokens). RugDoc service gave a similar damage estimation.
BitMart administration initially denied information about the hack. The platform’s Telegram channel assured users that their funds were safe, and called the news about the security problem “fake.
A few hours later, the founder and CEO of the exchange, Sheldon Xia, confirmed that its wallets had been hacked. According to him, the damage from the actions of intruders amounted to $150 million.
“We discovered a massive security breach involving one of our ETH hot wallets and one BSC hot wallet. At this point, we are still figuring out the possible attack vector. The hackers were able to take out about $150 million in assets,” he wrote.
Xia stated that the compromised wallets contained “a small percentage of BitMart’s assets. The company is investigating the incident and has blocked withdrawals from the platform for the time being.
Xia specified that the hack was a result of the theft of a private key, which compromised two hot wallets. The other assets on the platform were not affected.
He also promised that the exchange will compensate the damage to the affected user from its own funds.
According to him, the functions of deposit and withdrawal of assets the team will gradually begin to include on December 7.
Hackers systematically used the aggregator 1inch to exchange stolen tokens for ETH. They then transferred the cryptocurrency to an intermediate address, from which they sent funds to the Ethereum mixer Tornado Cash.