KuCoin Suffers $281 Million Hack

Summary #

On September 26, 2020, KuCoin, a Singapore-based cryptocurrency exchange, experienced a significant security breach, resulting in the theft of approximately $281 million worth of cryptocurrencies. The hackers obtained the private keys to the exchange’s hot wallets. The hackers sold the stolen cryptocurrency from their addresses on decentralized exchanges and anonymized the stolen cryptocurrencies through the mixing services. The incident caused a temporary drop in the price of KuCoin’s exchange token KCS by 14%, to $0.86. However, by November 11, 2020, KuCoin was able to recover all the stolen assets, so users were unaffected by the hack: 84% were regained by on-chain tracking, contract upgrade and judicial recovery; the remaining 16% were covered by the KuCoin insurance funds.

Attackers #

A North Korean hacker crew called Lazarus Group has been accused of carrying out the heist. KuCoin recommends blacklisting suspicious addresses linked to the perpetrators:

• ETH: 0xeb31973e0febf3e3d7058234a5ebbae1ab4b8c23
• BTC:

• 1NRsEQRg5EjmJHbPUX7YADVPcPzCQBkyU7
• 12FACbewf5Fy9nmeaLQtm6Ugo5WS8g2Hay
• 1TYyommJW3uhjhcnHhUSuTQFqSBAxBDPV

• LTC: LQtFoidy5TmLrPP77MZzgMRffqPsmRfMXE
• XRP: r3mZvvHVLPtRWAujzBsAoXqH11jhwQZvzY
• BSV: 15mC7zKbLyErSKzGRHpy6gyqS7GyRpWjEi
• XLM: GBM3PJWNB5VKNOFXCDTTNXPMUNBMYTLAAPYDIIKLHUGMKX7ZGN2FNGFU
• USDT: 1NRsEQRg5EjmJHbPUX7YADVPcPzCQBkyU7
• TRX: TB3j1gUXaLXXq2bstiSMfjQ9R7Yh9DdDgK

Losses #

The stolen funds from KuCoin’s hot wallets amounted to approximately $281 million. The hackers targeted various cryptocurrencies, including:

• 1,008 BTC ($10,758,404.86)
• 11,543 ETH ($4,030,957.90)
• 19,834,042 USDT-ETH ($19,834,042.14)
• 18,495,798 XRP ($4,254,547.54)
• 26,733 LTC ($1,238,539.89)
• 999,160 USDT ($999,160)
• $147M worth of ERC-20 tokens
• $87M of Stellar tokens

Timeline: #

• September 26, 2020, 2:51 AM (UTC+8): KuCoin received an alert from the risk management system for the first time. A few more abnormal transactions for ETH and other ERC-20 took place soon, all from the same ETH wallet address.
• September 26, 2020, 4:20 AM (UTC+8): The KuCoin operation team closed the server of the wallet. The KuCoin wallet team started to transfer the remaining assets from the hot wallet to cold storage. KuCoin started to investigate the incident.
• September 26, 2020, 4:50 AM (UTC+8): The KuCoin wallet team transferred most of the remaining assets from the hot wallet to cold storage.
• September 26, 2020, 10:41 AM (UTC+8): The KuCoin team released the official announcement about the security incident.
• September 26, 2020, 1:56 PM (UTC+8): KuCoin offered rewards of up to $100,000 to anyone who could provide valid information to them regarding the incident.
• September 29, 2020: The hacker has sold $19.5 million worth of tokens via decentralized exchanges (dex) platforms like Uniswap, Kyber Network, Tokenlon.
• October 3, 2020, 5:51 PM (UTC+8): KuCoin CEO and founder Johnny Lyu claimed $204 million in cryptocurrency had been recovered as of October 3 and said perpetrators had been caught. KuCoin came back to full functionality.
• November 11, 2020: KuCoin recovered 84% ($239.45 million) of stolen assets. The remaining part, about $45.55 million (16%), was covered by the KuCoin insurance fund.

Security Failure Causes #

On the official website, the KuCoin team explained that the hack was made because of a leakage of the private keys of KuCoin hot wallets. The leakage could became possible due to several reasons:

• Malicious actions of responsible employees: this could have been done by someone from the exchange staff who had the appropriate access.
• Attack on web infrastructure: the attacker could gain access to the exchange’s hot wallet services.
• Social engineering attack: the hackers could obtain access to private keys as a result of a phishing attack by using exploits, viruses, and backdoors on employees who had access to private keys.