Mixin Network lost at least $141 million due to a database attack

Summary #

In the early morning of September 23, 2023 Hong Kong time, the database of Mixin Network’s cloud service provider was hacked, resulting in the loss of approximately $200M. Mixin Network is a service similar to a layer-2 protocol, designed to make cross-chain transfers cheaper and more efficient. A large number of deposit addresses have been drained. The attacker compromised the cloud, recovered the private keys of deposit addresses (and hot wallet addresses, supposedly) and transferred funds in order from the highest to the lowest balance, involving 10,000+ transactions, lasting several hours.

Attackers #

North Korean Lazarus Group is suspected to be behind the hack, but no evidence so far. The attackers used the following addresses to transfer the funds:

• Ethereum:
      - 0x52E86988bd07447C596e9B0C7765F8500113104c
      - 0x3B5fb9d9da3546e9CE6E5AA3CCEca14C8D20041e
      - 0xB5d631A74AD9c9efcF96d6e9e2fAbcB75C67Eafa

• Bitcoin:
      - bc1qq7uefmz6nng5c4dzs9mwrxxyh9sxg5cjg85hes

Losses #

Mixin Network lost $141,328,868.21 identified from reportedly around $200M:

• $94,48M in Ethereum
• $23,55M in DAI (Received in USDT, swapped to DAI)
• $23,30M in Bitcoin

Timeline #

• September 22, 2023, 11:45 PM UTC: Beginning of funds transfer from Mixin Network.
• September 24, 2023, 02:27 AM UTC: SlowMist, blockchain security company, reports on attack.
• September 25, 2023, 06:55 AM UTC: Mixin Network offered the hacker a reward of 10% ($20M) for funds return.
• September 25, 2023, 08:01 AM UTC: Feng Xiaodong, founder of Mixin Network, said that users will only get access to half of their assets for now according to theblock.co.

  Feng added that the company can initially only ensure that half of the total user assets on the network are not affected by the hack. For the rest of the assets, Feng said that the team is considering issuing what he called “bond tokens” for users to claim, with plans for Mixin to buy them back in the future.

• September 25, 2023, 11:08 AM UTC: 0xScope, Web3 SaaS analytic platform, revealed the hacker’s historical relationship with Mixin Network.

  An address connected to the recent $200M MixinKernel hack received 5 $ETH from the platform last year and deposited 5.9 $ETH on Binance soon after.

• September 27, 2023, 08:27 AM UTC: Mixin Network made a statement, that they are working with Google (Mandiant) and SlowMist Team, blockchain security company, to assist with the investigation.

Security Failure Causes #

Infrastructure Attack: Mixin Network relied on a centralized database, creating a single point of failure. And the private keys were stored in a recoverable manner. By compromising the cloud and getting access to the private keys of deposit addresses (and hot wallets) the attacker was able to withdraw funds.