In late September, KuCoin exchange was hacked due to a leak of the KuCoin hot wallet private keys. The following cryptocurrencies were stolen from the exchange:
1,008 BTC
14,713 BSV
26,733 LTC
9,588,383 XLM
Omni and Tether (USDT) $14 million
$153 million in Ether and ERC20s (11,542 ETH, 122 million $VELO)
$1.2MM SNX and dozens of ERC20 altcoins
18,495,798 XRP
The hacker sold the stolen crypto assets on decentralized exchanges like Uniswap and anonymized the stolen cryptocurrencies through mixing services. They took advantage of the fact that no single point of authority could block them from laundering the stolen funds.
According to KuCoin CEO and co-founder Johnny Lyu on Twitter, the KuCoin team has found suspects, but no further information was given beyond the fact that law enforcement is involved.
Will KuCoin Cover the Losses?
Although the exchange claims it will reimburse all user losses, there are not enough funds in the identified KuCoin wallets to cover the losses caused by the hack. In addition, the exchange did not have a secure asset fund from which to recover losses. It is possible that these funds are kept in the exchange's bank accounts or in “secret” wallets, but we do not have such information.
Other exchanges do have insurance funds to be used in such events, like the Bittrex Digital Asset Insurance or Coinbase.
Who Is at Risk?
Since the KuCoin hack was due to leaked information about hot wallets, we consider exchanges that store large amounts of funds in hot wallets to be at risk of a similar attack. The following list includes some of the exchanges that rely on hot wallets:
Poloniex: https://etherscan.io/address/0xa910f92acdaf488fa6ef02174fb86208ad7722ba
Coinone: https://etherscan.io/address/0x167a9333bf582556f35bd4d16a7e80e191aa6476
FTX: https://etherscan.io/address/0x2faf487a4414fe77e2327f0bf4ae2a264a776ad2
https://etherscan.io/address/0xc098b2a3aa256d2140208c3de6543aaef5cd3a94
How to Avoid Hacks in the Future?
Periodically reinitialize hot wallets. KuCoin’s hot wallet key pairs had not been changed for three years; their first transactions were made on September 17, 2017.
Two-man rule. Use a secret sharing scheme; one of the most popular is Shamir’s Secret Sharing.
Do not store more than 5% of all deposits in hot wallets. The other 95% must be stored in a cold wallet.
Store crypto in several hot wallets for each cryptocurrency platform. Each wallet must have its own private key.
Perform regular penetration tests, phishing simulations, and red team exercises.
Audit the cryptocurrency storage system as part of SOC 2 and/or ISO 27000 auditing procedures: https://gemini.com/blog/gemini-completes-soc-2-review-a-worlds-first-for-a-cryptocurrency-exchange-and-custodian
Read more of the investigation here!
https://blog.coinmarketcap.com/2020/10/16/kucoin-september-2020-hack-hacken-research/