BitMart, a Cayman Islands-registered cryptocurrency exchange, said its hot wallets for Ethereum and Binance Smart Chain (BSC) were breached. Hackers withdrew more than $150 million from the platform.
We have identified a large-scale security breach, and we are now conducting a thorough security review & we’ll strive to maintain transparency. All withdrawals are temporarily suspended until further notice.
We appreciate your understanding and patience.https://t.co/WdipLLOvY9 pic.twitter.com/XFlY4RyWSe
— BitMart.Exchange (@BitMartExchange) December 5, 2021
PeckShield was among the first to spot the attack. During the night of December 4–5, they flagged a series of suspicious transactions on the Ethereum network from the platform. These transfers included tokens such as Gala (GALA), The Sandbox (SAND), Decentraland (MANA), Shiba Inu (SHIB), as well as $500 000 in the stablecoin USD Coin (USDC).
hot wallet compromised? @BitMartExchange https://t.co/pfb7215pBO pic.twitter.com/v2C1KYtaqd
— PeckShield Inc. (@peckshield) December 5, 2021
Subsequently, data emerged about the breach of the BSC wallet. PeckShield estimates that hackers withdrew about $200 million from the platform — around $100 million in ERC-20 tokens, and about $96 million in BEP-2 and BEP-20 tokens. A similar damage assessment was provided by RugDoc.
The BitMart administration initially denied the breach. In the platform’s Telegram channel, users were assured that their funds were safe, and reports of a security issue were described as ‘fake’.
Interesting from @BitMartExchange …😳😳😳 🙏🙏🙏 https://t.co/dFrzSww0fs pic.twitter.com/GuDB7bt2eC
— PeckShield Inc. (@peckshield) December 5, 2021
A few hours later, founder and CEO Sheldon Xia confirmed that the exchange’s wallets had been hacked. He said the damage from the attackers’ actions amounted to $150 million.
1/3 We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets. At this moment we are still concluding the possible methods used. The hackers were able to withdraw assets of the value of approximately USD 150 millions.
— Sheldon Xia (@sheldonbitmart) December 5, 2021
«We have identified a large-scale security breach related to one of our ETH hot wallets and one hot BSC wallet. We are still determining the possible vector of attack. Hackers were able to withdraw assets worth approximately $150 million», — wrote he.
Xia said that the compromised wallets held a ‘negligible’ percentage of BitMart’s assets. The company is investigating the incident, and withdrawals from the platform were blocked during the investigation.
Xia clarified that the breach occurred as a result of the theft of a private key, with which two hot wallets were compromised. Other assets on the platform were not affected.
He also promised that the exchange would compensate affected users out of its own funds.
According to him, the deposits and withdrawals feature would be gradually enabled starting 7 December.
1/4 In response to this incident, BitMart has completed initial security checks and identified affected assets. This security breach was mainly caused by a stolen private key that had two of our hot wallets compromised. Other assets with BitMart are safe and unharmed.
— Sheldon Xia (@sheldonbitmart) December 6, 2021
Hackers systematically used the 1inch aggregator to swap stolen tokens for ETH. They then moved the cryptocurrency to an intermediate address, from which they sent funds to the Ethereum mixer Tornado Cash.
Pretty straightforward: transfer-out, swap, and wash @sheldonbitmart pic.twitter.com/LyA03sbgCZ
— PeckShield Inc. (@peckshield) December 5, 2021
Earlier in August 2021, hackers breached Bilaxy’s hot wallets.
In the same month, attackers pulled out more than $80 million in cryptocurrency from the Liquid platform.
Read ForkLog’s bitcoin news on our Telegram — news, prices and analytics.