Poloniex Exchange Suffers $122.98 Million Security Breach

Summary

On November 10, 2023, Poloniex, a custodial centralized exchange, experienced a security breach due to a private key compromise. The attacker exploited Poloniex’s hot wallets and withdrew funds across three chains: Bitcoin, Ethereum, and Tron. The total losses amounted to approximately $122.98 million, including BTC, USDT, USDC, ETH, TRX, and other assets. The stolen assets were exchanged for native tokens and transferred to sereval addresses.

Attackers

The attackers believed to be the Lazarus Group, North Korean cybercrime group. The attacker used the following addresses to transfer the funds:

Losses

Poloniex Exchange lost $122,981,391 in total from its hot wallets across three chains:

  • Bitcoin: $18,441,440
  • Ethereum: $56,753,683
  • Tron: $47,786,268

Timeline

  • November 10, 2023, 10:36 AM UTC: The first malicious transaction occurred in Ethereum chain with over $11 million USDT being drained.
  • November 10, 2023, 04:04 PM UTC: Justin Sun, majority shareholder of the exchange, tweeted that part of the stolen funds was frozen.
  • November 10, 2023, 08:12 PM UTC: A market researcher platform, X-explore, posted an analysis of the hack, suspecting Lazarus Group in the breach due to similar attack behavior to the Stake.com incident.
  • November 15, 2023: Poloniex announced the resumption of deposit and withdrawal services.
  • November 18, 2023, 06:33 AM UTC: Justin Sun sent an on-chain message to the attacker with the following content:

    We have already confirmed your identity, and the police forces of China, the USA, and Russia have been involved… Return by November 25, 2023, and we will offer a $10 million white hat reward.

  • November 20, 2023, 03:05 AM UTC: A community member noticed that the exchange wouldn’t need to involve the police in three different countries and send the same message in 15 different languages if the hacker was already identified.

Security Failure Causes

Compromised Private Key: The primary cause of the security breach was the compromise of the private key of Poloniex’s hot wallets. The attacker exploited this vulnerability to withdraw funds from the hot wallets.

Web Infrastructure Attack: The simultaneous hack of multiple wallets in various chains points to a more extensive web infrastructure attack, possibly targeting vulnerabilities in the platform’s security system.