On Nov. 27, major South Korean cryptocurrency exchange Upbit announced that 342,000 Ether (ETH), accounting for roughly $50 million, were stolen from its hot wallet earlier that day. Details remain vague, and some users are suggesting an inside job, although experts are skeptical of the theory after analyzing the incident.
The platform’s operator has promised to reimburse all stolen funds shortly. Upbit is the second “Big Four” exchange in the country to experience a major security breach this year.
Upbit brief
Upbit is one of the largest cryptocurrency exchanges in South Korea (alongside Korbit, Bithumb and Coinone) and the only major domestic platform to post a profit in 2018. It was launched in October 2017 by Dunamu Inc. — a fintech firm backed by local internet giant Kakao — after it signed “an exclusive partnership agreement” with United States cryptocurrency exchange Bittrex.
As part of the collaboration, Upbit had a shared order book arrangement, with Bittrex orders visible in its bid windows. However, in September, the South Korean trading platform ostensibly broke off its partnership with Bittrex to reorganize its ETH, Bitcoin (BTC) and Tether (USDT) markets.
Upbit has been widely considered a safe and compliant exchange overall. Recently, it was put on par with industry juggernauts like Kraken and Coinbase as one of the space’s cleanest platforms in the Blockchain Transparency Institute’s latest market surveillance report, which verifies cryptocurrency exchange volumes.
Indeed, Upbit has seemingly put a lot of effort into security measures. Last year, it reportedly became the first crypto exchange to obtain an information security management system license from the Korea Internet and Security Agency.
Further, Upbit has been following guidelines set out by the intergovernmental Anti-Money Laundering-focused body, the Financial Action Task Force. Specifically, in September this year, Upbit ceased trading support for six cryptocurrencies, including some privacy coins.
Upbit is a member of the Korean Blockchain Association — a domestic alliance comprised of 14 crypto trading platforms — which published a self-regulatory framework for its members to boost trading transparency in April 2018. It contained five key requirements, including managing clients’ coins separately from their own, holding a minimum equity of 2 billion won ($1.8 million), and publishing regular audit and financial reports.
Finally, in January 2018, Upbit took part in creating a special hotline for domestic exchanges that aims to ensure that suspicious transactions are detected and frozen immediately after disclosure.
The attack and Upbit’s initial response
Upbit was relatively quick to confirm the loss. Around 3 p.m. local time, the first media reports surfaced, stating that the platform had halted all trading after a large amount of cryptocurrencies was withdrawn to an anonymous wallet.
On social media, users were already discussing a number of large-scale transactions from Upbit’s wallet that had been spotted by WhaleAlert, a service dedicated to tracking sizable cryptocurrency transactions.
There was a 342,000 ETH transaction to an unknown wallet, followed by 10 identical transactions totaling 100,000,000 TRX incoming from the exchange’s vault. At around 6 p.m. local time, Lee Sirgoo, the CEO of Upbit, published an official statement on the matter:
“At 1:06 PM on November 27, 2019, 342,000 ETH (approximately 58 billion won) were transferred from the Upbit Ethereum Hot Wallet to an unknown wallet. Unknown wallet address is 0xa09871AEadF4994Ca12f5c0b6056BBd1d343c029.”
Apologizing to users for any inconvenience caused, Lee Sirgoo outlined the measures taken by the exchange after it detected the incident. The exchange has pledged to protect user assets, stating that the 342,000 ETH (or roughly $50 million) will be covered using corporate assets.
It had already moved all crypto assets held in its hot wallet to cold storage by the time the announcement was published, the CEO stated. Some of the funds may have been moved to Bittrex’s wallets, as data provided by WhaleAlert suggests.
Deposits and withdrawals will take at least two weeks to resume, Sirgoo added, promising to inform users as soon as they reopen. The CEO also clarified that all other recent, large-scale transfers were not abnormal, but were related to the exchange moving assets between hot and cold storage facilities.
Inside job? Some experts are skeptical
Notably, Lee Sirgoo avoided using the word “hack” in his statement, which prompted some commentators on social media to suggest that the incident was actually an inside job. As CryptoX contributor Joseph Young tweeted:
“The ‘hacker’ timed when UPbit was making crypto transfers to its cold wallet (other alts like TRON, etc.). Hence, I think the probability of it being an inside job is higher than external breach.”
However, Taylor Monahan, the founder and CEO of noncustodial wallet MyCrypto, analyzed the incident in detail by studying the nature of transactions and is hesitant to confirm the theory. “Anything is possible, of course,” she told CryptoX. “But a lot of people are jumping to conclusions without real supporting evidence.” Monahan then elaborated:
“The biggest thing that points to it not being an inside job is how the transactions were generated and signed. UPbit seems to follow a certain method with their programmatic transactions, and the ‘hack’ transaction in question used a different method. In addition, UPbit manually signed a transaction to secure their remaining ETH, after discovering the hack, and this too was generated differently than the ‘hack’ transaction.”
If it were an inside job or a breach of Upbit’s backend systems, it would align with the exchange’s typical behavior, she added, while the way that the ETH transaction was generated “points to someone who knows very little about the Ethereum network.”
Monahan also commended Upbit on how it has been handling the aftermath, but criticized the exchange’s languid use of cold storage: “If Upbit utilized cold storage more regularly and limited the value held by their hot wallet, the loss could have been minimized.”
Upbit is collaborating with KISA and police
Upbit’s CEO Lee Sirgoo told CryptoX that they are currently cooperating with KISA and the National Police Agency Cyber Bureau on the matter:
“We will be able to provide you with more information once the investigation is complete.”
Nevertheless, Sirgoo was able to answer some specific questions by email at CryptoX’s request. For instance, he confirmed that the exchange has contacted all major trading platforms and asked them to blacklist the attacker’s wallet address, and that the cryptocurrency community “has been extremely cooperative.”
In addition, he confirmed that Dunamu and Upbit have enough funds to reimburse the lost amount. “It should be completed shortly,” Sirgoo told CryptoX.
Exchanges continue to get hacked in 2019
2019 has witnessed a number of high-profile crypto exchange hacks, including the $42 million Binance security breach, the $19 million Bithumb heist and the $28 million Bitpoint break-in, which confirms that security is still an industry-wide problem. So what could finally stop centralized exchanges from getting hacked?
Hartej Sawhney, co-founder and CEO at Zokyo cybersecurity agency, suggests that compliance standards could improve the situation. “Centralized crypto exchanges are web services, not that different from an online banking application,” Sawhney told CryptoX, continuing:
“Most companies respect security either because of regulation or they already faced a security breach. The cryptocurrency industry could benefit from compliance standards such as PCI-DSS or HIPAA.”
Further, Sawhney listed a number of concrete measures that exchanges should follow to achieve higher security, including establishment of adequate infrastructure, processes, tools, security testing and education on how to avoid cyber attacks, adding that, “Regular third-party offensive security testing needs to become standard and transparent.”
Upbit has promised to keep CryptoX updated once it has more information. KISA has not returned CryptoX’s request for comment.