KuCoin, a digital asset exchange based in Singapore, announced that at least $150 million worth of Bitcoin and other cryptocurrency tokens has been withdrawn from its hot wallets into an unknown wallet. In other words, KuCoin was hacked.
A statement put out by the exchange says that the attack began on Friday, September 26th around 19:05 UTC. While the exact amount of funds stolen is unknown, CoinDesk reported that an Ethereum address linked to the hacker has “received over 150 Ethereum-based tokens worth more than $150 million.”
KuCoin says that the incident is being investigated by law enforcement and that users will not lose their funds: “rest assured, if any user fund is affected by this incident, it will be covered completely by KuCoin and our insurance fund,” a statement said.
In a livestream on Saturday, KuCoin chief executive, Johnny Lyu said that hackers had managed to obtain the private keys of the exchange’s hot wallets. However, as soon as the exchange saw that the withdrawals were happening, the remaining funds were transferred into new hot wallets and the old ones were abandoned.
The exchange said in a statement that “the assets in our cold wallets are safe and unharmed, and hot wallets have been re-deployed.”
KuCoin has posted a list of the addresses where some of the stolen funds were transferred, including addresses for BTC, bitcoin SV (BSV), ETH, LTC, XRP, Stellar Lumens (XLM), Tron (TRX) and Tether (USDT) wallets.
Using data from Blockchair and Tronscan, CoinDesk also found that other wallets linked to the crime have received:
- 14,713 BSV, 26,733 LTC
- 18,495,798 XRP
- 999,160 USDT
- over 1,008 BTC
- 9,588,383 XLM
- 199,038,936 TRX
Since the hack, KuCoin has been working with cryptocurrency issuers and exchanges to stop the movement of the stolen coins.
$100,000 Battle: PrimeXBT Debuts New Contests ModuleGo to article >>
For example, a statement by KuCoin says that “Bitfinex CTO, Paolo Ardoino confirmed that Tether has successfully frozen a total of 22 million USDT tokens (about $22 million).”
Similarly, KuCoin said that Velo Labs (VELO) will “re-deploy and replace” each of the VELO tokens that were taken from the exchange. Covesting (COV), Silent Notary (SNTR), and VIDT_Datalink (VIDT) have said that they will take action to freeze and/or re-issue the stolen funds.
Additionally, Ampleforth (AMPL) tweeted that “a contract upgrade was quickly deployed to disable transfers from the attacker.”
On Sep 25th, KuCoin Exchange was temporarily compromised and over $150M across various tokens were stolen. Included in this amount were 14M AMPL, accounting for about 10% of the circulating supply.
A contract upgrade was quickly deployed to disable transfers from the attacker.
— Ampleforth #AMPL (@AmpleforthOrg) September 27, 2020
With a daily average trading volume of roughly $100 million, KuCoin is one of the world’s largest cryptocurrency exchanges. The value of KuCoin tokens (KCS) fell by roughly 14% within one hour of the news of the hack breaking on Saturday, hitting $0.86. At press time, data from CoinMarketCap showed that the price had fallen to $0.83.