KuCoin, a Singapore-based cryptocurrency exchange, confirmed on Saturday that it had been hacked. It stated that cybercriminals had drained approximately $150 million from its hot wallets, but its cold wallets remained untouched. KuCoin promises to cover any loss of funds.
Who Is KuCoin?
According to CoinMarketCap data, KuCoin is the world’s 8th largest cryptocurrency exchange by spot market trading volume. KuCoin is based in Singapore and prides itself on being the most advanced and secure cryptocurrency exchange in the world.
The company was founded in August 2017 and has over 5 million registered users from over 200 countries worldwide. Currently, one in every 4 cryptocurrency holders trades with KuCoin.
About the Incident
Users started reporting problems with withdrawals on Friday 25 September. Initially, the KuCoin team put the problem down to a possible system issue. It claimed that transactions were simply pending and asked customers to stop making withdrawals while it looked into the problem. KuCoin then conducted a security audit, during which it discovered a huge spike in withdrawals. If it had just been a system issue, there would not have been a spike.
Then, in a statement posted on its website on Saturday, KuCoin confirmed that its systems had been breached. The statement specified that its hot wallets had been hacked but that “assets in the cold wallets are safe and unharmed”. As part of the breach, the private key of a hot wallet was compromised. This allowed the hackers to continue transferring funds out of the wallet even after the server was shut down. Hot wallets are used by cryptocurrency exchanges to temporarily store assets being exchanged on their platform. They are also used to power conversion operations and to conduct fund transfers. Because hot wallets are connected to the internet while cold wallets are stored offline, hot wallets are more susceptible to hackers.
Currently, the loss is estimated at a minimum of $150 million. The hackers apparently moved $4 million worth of Ethereum (ETH) tokens and $146 million worth of other ERC20-based tokens out of hot wallets. They also removed an as-yet-unknown amount of Bitcoin (BTC). Luckily, KuCoin managed to move some funds out of hot wallets to cold wallets before the hot wallets were completely drained.
As soon as the hack was detected, KuCoin temporarily suspended deposits and withdrawals to allow it to conduct what it called “a thorough security review”. KuCoin also contacted its industry partners to blocklist suspicious addresses and trace the funds affected.
On Saturday, KuCoin’s Global CEO Johnny Lyu also hosted a livestream in which he provided updates about the incident. In the livestream, he stated: “Meanwhile, KuCoin is investigating the incident with international law enforcement, and we will offer rewards of up to $100,000 to those who can provide valid information to us regarding this incident.” He went on to reassure customers by saying: “Please rest assured that if any user fund is affected by this incident, it will be covered completely by KuCoin and our insurance fund.”