Centralised crypto trading platform BitMart was exploited. On December 5, the founder and CEO of the company, Sheldon Xia tweeted that a major security breach was detected. He informed that the hack impacted one of Ethereum and one of Binance Smart Chain hot wallets. Attackers could withdraw cryptos worth about $150 M. The executive said that BitMart will compensate affected users. Meanwhile, it disallowed withdrawals for an uncertain period of time.
Related: DeFi Platform BadgerDAO Lost $120 M as a Result of a Hack
1/3 We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets. At this moment we are still concluding the possible methods used. The hackers were able to withdraw assets of the value of approximately USD 150 millions.
— Sheldon Xia (@sheldonbitmart) December 5, 2021
Today, December 6, Sheldon Xia announced that initial security checks have been completed. It was found out that the exploit was a result of a stolen private key that compromised two hot wallets. The team says other assets with BitMart are safe. For now, the BitMart team is working to retrieve security set-ups and operations. Most likely, asset deposits and withdrawals will resume on December 7.
Despite the announcements of BitMart that other assets weren't affected, blockchain security platform PeckShield says that estimations show that there was a loss of about $200 M. First, PeckShield calculated the loss only on Ethereum saying that the hacked assets were valued at about $100 M. Later analysis showed that there was around $96 M stolen from Binance Smart Chain.
Total estimated loss: ~200M (~100M on @ethereum and ~96M on @BinanceChain ). (Previously we only counted the loss on @ethereum). And here is the list of affected assets/amounts on @BinanceChain pic.twitter.com/cXXApDFtd7
— PeckShield Inc. (@peckshield) December 5, 2021
On December 5, Peckshield noticed on EtherScan that an address “Bitmart Hacker” was withdrawing large amounts of funds.
According to the platform, hackers used decentralised protocols aggregator 1inch to swap tokens, and using privacy solution Tornado Cash they made it harder to trace transactions.