At 02:51 AM (UTC+8) on September 25, 2020, KuCoin, one of the most well-known and trusted Centralized-Exchanges (CEX) was alerted by the risk management system indicating an abnormal Ethereum (ETH) transaction had occurred.
Shortly thereafter, six more abnormal transactions (tx) were detected, all stemming from the same wallet – with some tokens being ETH and the rest being a mix of other ERC-20 tokens.
KuCoin Global CEO, Johnny Lyu, stated that according to the latest internal security audit report, part of the Bitcoin, ERC-20, and other tokens in KuCoin’s hot wallets, were transferred out of the exchange.
He also went on to say that of the funds that were withdrawn, the total of contained assets comprised just a small percentage of the total asset holdings. “The assets in the cold-wallets are safe and unharmed, and the hot-wallets have been re-deployed”.
At 03:20 AM (UTC+8), the operation team closed the server of the wallet but found that after the shutdown, there were still cases of abnormal transactions.
At 04:20 AM (UTC+8), the KuCoin wallet team started to transfer the remaining assets from the hot-wallets to cold-storage.
At 05:00 AM (UTC+8), KuCoin begins to contact crypto platforms including Binance, Huobi, OKEx, Bybit, Upbit, Bibox, Gate, MXC, BitMax, BigONE, BKEX, BitZ, HBTC, Hoo, Crypto.com, Bingbon, Renrenbit, LBank, Max/Maicoin, CoinW, and others to blacklist suspicious addresses and to begin the tracing, freezing, or reversing, of the withdrawn assets.
At 10:41 AM (UTC+8), the KuCoin team released their first statement regarding the stolen funds.
They went on to report that of the stolen assets, approximately US $152 Million was made up of Ethereum-based tokens, including Tether (USDT), Chainlink (LINK), and Ocean Protocol (OCEAN).
KuCoin then announced that the investigation had begun with international law enforcement while offering rewards of “up to $100,000 to those who can provide valid information to us regarding this incident. Please contact [email protected]“.
Initially, the CEO failed to specify the amounts stolen from the exchange. At this time, the loss was estimated to be at $150 Million based on the txs of the wallet that had received the withdrawals from KuCoin’s hot-wallets.
The following day, estimates rose to $200 Million.
The next day, estimates again increased – to $280 Million.
At 9:00 PM (UTC+8) on September 29, 2020, Elliptic reported:
“25 September, US $281 million in crypto-assets were stolen from KuCoin, a crypto exchange in Asia. This is the third-largest theft ever to be suffered by a crypto exchange. A broad range of assets was taken, including Bitcoin, XRP, Litecoin, and a number of other tokens”.
As the hacker was trying to exchange the stolen digital assets for “clean” assets, many Centralized-Exchanges (CEX) teamed up to work together in unison to freeze certain ERC-20 tokens and disabling the wallets of the suspiciously involved. CEXs, along with companies like Tether (USDT) and Ocean Protocol (OCEAN) began disabling the withdrawals of certain tokens which also affected the innocent who had nothing to do with the hack. This left the hacker between a rock and a hard place.
The hacker still had an alternative solution with the option of using a Decentralized-Exchanges (DEX) like Uniswap and Kyber Network. The hacker was able to swap some of the stolen assets for tokens that weren’t taken from KuCoin.
So far, the hacker has successfully gotten rid of $13 Million of the $281 Million through the Uniswap Protocol, Kyber Network, DEX AG, and Tokenlon. It is too soon to tell if the CEO will ever be able to live up to his promise of reimbursing the lost funds of their customers in full.
Although the CEO has reassured the users of KuCoin that all funds lost would be covered by its insurance fund, not everyone is optimistic.
Many tokens on KuCoin are still unavailable for purchase, trading, or withdrawing, at the time of writing but it seems they are now starting to resume trading and withdrawals for some assets.
Extensive History of CEX Hacks
Since the advent of Bitcoin, there has been nothing but consistent hacks for over a decade, where billions of dollars have exited the ecosystem in the possession of bad-actors.
This is an updated list of the biggest losses suffered by CEXs. One look at this list and you can see that this isn’t going to end anytime soon. In total, the ten biggest hacks of all-time come out to nearly $1.6 Billion in damages.
#10. Cryptsy, $9.5 Million – 2016
#9. Bithumb, $31.5 Million – 2018
#8. Coinrail, $40 Million – 2014
#7. Vircurex, $50 Million – 2014
#6. NiceHash, $60 Million – 2017
#5. Zaif, $60 Million – 2018
#4. Bitfinex, $72 Million – 2016
#3. KuCoin, $275 Million – 2020
#2. Mt. Gox, $460 Million – 2014
#1. CoinCheck, $534.8 Million – 2014
Rick McDonell is the executive director of ACAMS (Association of Certified Anti-Money Laundering Specialists) and the Royal United States Institute. He had this to say about the global perception of cryptocurrencies:
“The results of this survey give a global insight into how respondents from governments, financial institutions, and the crypto industry itself think about cryptocurrency: it’s potential and it’s risks. Their views are well worth noting as policy-making and regulatory enforcement continue to take shape around the world”.
When these kinds of incidents happen time and time again, this strikes a damaging blow to the crypto-space in several ways:
- Discouraging potential retail investors
- Giving institutional investors a legitimate reason to be suspicious
- Increases the likelihood of more regulations, which often stifles innovation
- Suppresses optimal market conditions and sentiment, which postpones mainstream adoption
Kucoin initially stated that funds in its cold wallets (offline storage, which is less susceptible to hacks) were safe as the hot-wallets were getting emptied out. Kucoin reassured customers saying “the transactions were simply pending”.
Almost a week after the incident, it is clear that with this being the third-largest hack of all-time, KuCoin has suffered a massive hit to their bottom-line, as well as their reputation of being one of the safest CEXs in the industry.
The KuCoin hack again highlights the need for all users in this space to educate themselves on alternative solutions as opposed to hot-wallets that are regularly used for long-term storage, by newer and experienced investors alike.
As a painful reminder, we are constantly forced to accept the reality that as the money grows in this industry, these unfortunate events will only increase in frequency. The sooner we all accept that this will only accelerate as the overall marketcap of the crypto markets balloons, the sooner we can say good-bye to the failing industry standards that cause more harm than good.
We can also see that unless CEXs change their industry standards of keeping such a high percentage of their assets in hot-wallets, hacks will only increase as more money flows into the crypto market. At a certain point, they must realize that a customer’s convenience should not be higher up on the priority list over a customer’s safe-keeping of assets.
Truly decentralized cryptocurrencies cannot be “frozen” or manipulated by CEXs or the developers of a project. Many ERC-20s and other types of cryptocurrencies are VERY centralized. Not only is USDT very centralized and easily stopped in its tracks, but USDC (United States Dollar Coin) is also a stablecoin that is just as easy to halt or manipulate.
This allows its creators to intervene and be in full control of where the assets can be sent. It is up to the investor to realize this and make wise decisions based on due diligence. Ironically, censorship-resistance was once the main focus of a cryptocurrency. Hopefully, we will see a trend going back in that direction.