Kronos Research halts trading after $25M API key hack

Summary

On November 19, 2023, Kronos Research, a Taipei-based cryptocurrency trading and investment firm, was targeted by a hacker who stole over $25 million from the firm’s treasury using unauthorized API keys. This breach enabled the attacker to access the company’s blockchain wallets and conduct unauthorized transactions. The attack’s impact extended beyond Kronos Research, affecting Woo X, an exchange closely affiliated with Kronos Research. As Kronos Research was a major liquidity provider for Woo X, the security incident led to a temporary suspension of certain asset pairs on Woo X due to a liquidity shortage.

Attackers

The Attacker has not been identified or communicated with Kronos Research since the hack.

Losses

At the time of the attack, Kronos Research lost around $26 million. According to Lookonchain’s X feed, the following losses occurred:

  • $24.57M in USDT
  • $488.7 in ETH
  • $125,056 in USDC

Timeline

  • November 18, 2023, 05:05 PM UTC: Initial funds transfer begins.
  • November 18, 2023, 11:11 PM UTC: ZachXBT posts a graph with six of the ETH transactions on X.
  • November 19, 2023, 11:27 AM UTC: Kronos Research releases a series of posts on X confirming the hack and stating the firm will internally cover all losses.
  • November 28, 2023, 06:30 PM UTC: Kronos Research offers a whitehat bounty of 10% and promises no legal ramifications if funds are returned by 8:00 UTC on November 30, 2023.

Security Failure Causes

  • Compromised API Keys: The breach highlights failures in secure API key management, including compromised keys, inadequate practices in key generation, storage, usage, and rotation, indicating a failure in safeguarding critical credentials.
  • Insufficient Access Controls and Principle of Least Privilege: The unauthorized access suggests that the firm’s access controls were too permissive or improperly enforced, and the principle of least privilege was likely not followed, which should limit access rights to the bare minimum necessary.
  • Lack of Anomaly Detection: The ability of the hacker to siphon off $25 million without immediate detection implies a failure in monitoring systems to detect and respond to anomalous transactions effectively.