Hong Kong-based Mixin Network, a decentralized exchange and cross-chain transfer network, was temporarily forced to suspend operations after attackers compromised the database of its cloud service provider. The crypto company lost some $200 million in assets, making it 2023’s largest crypto theft (thus far), edging out the runner-up by several million dollars.
The breach has also prompted confusion and speculation as to how the attackers extracted so much crypto from a supposedly decentralized exchange by way of a database. The fact that a DeFi company was hit also leads to the natural assumption that North Korea’s hackers have struck once again, but no culprit has yet been named, and the crypto company is offering a $20 million “bug bounty” for the full return of the stolen funds.
DeFi crypto company loses user assets in breach
On September 24, the “Mixin Kernel” X account took to social media to announce that the crypto company had been breached the previous day and that some mainnet assets had been lost. The company reported reaching out to Google’s Mandiant about the theft and engaging third party blockchain security firm SlowMist to investigate.
Withdrawals and deposits were temporarily suspended, but Mixin has said that there should be no further disruption during the investigation. The case is unusual, however, in that user funds were stolen. When DeFi networks are attacked, the hackers generally drain the reserve liquidity pool used to facilitate transfers: an asset set owned and controlled by the crypto company itself, to which one or more administrators hold access. By design, these networks are not supposed to expose any path to user accounts that an attacker could exploit.
The primary asset type stolen was Bitcoin kept in hot wallets registered with the exchange. Standard practice would be to hold the bulk of such assets in more secure “cold” (offline) storage, keeping only what is needed for day-to-day withdrawals in hot wallets. Mixin launched in 2017, and one of its central features is the ability to transfer assets very quickly to other users via their phone number.
Mixin had some $400 million in assets across 48 chains prior to the attack. In addition to questions about its handling of funds, the crypto company’s proposed plan for compensation has raised hackles. It has declared that immediate compensation for impacted users will come in the form of “up to 50%” reimbursement, with the rest as a “tokenized liability claim” that Mixin will purchase at some unspecified future date with future profits.
No attribution yet, but clues point to Lazarus
The Mixin theft edges out the March attack on lending platform Euler, which had $197 million taken, for the biggest theft from a crypto company thus far this year. It is also the tenth largest of all time, joining a list that includes Ronin Network and Poly Network.
Most of these incidents have taken place since 2021, and a large share can be chalked up to North Korea’s state-backed hacking teams pilfering money to fund the regime’s weapons programs. There has not yet been a public attribution, but blockchain analytics firm Elliptic notes that one of the addresses used to launder the Mixin funds has previously been used by Lazarus. Active since at least 2010, the group is seen as North Korea’s primary cyber threat and is responsible for high-profile attacks on Sony, the Bangladesh Bank, and AstraZeneca, among other targets.
2022 was a banner year for crypto company break-ins, and a great deal of that (nearly half of the theft total, a whopping $1.7 billion) was driven by groups linked to North Korea. DeFi protocols accounted for a little over 82% of all crypto stolen that year. The North Korean groups are up to at least $240 million this year (and potentially double that amount once this and other thefts are officially attributed), a pace comparable to their activity from 2018 to 2021, before they hit multiple big jackpots in 2022.
Mixin may not be certain about the North Korean connection, as it has offered a $20 million “bug bounty” for return of the full $200 million that was stolen. There is no chance that state-backed hackers would accept such an offer, and there would be little sense in making it if the crypto company were convinced it was them.
The incident has also put a spotlight on “pseudo-decentralized” networks, which retain central access through a database such as this one for the sake of faster transfers and easier recovery when someone loses access to their wallet. This central access point presents not only the risk of outside attackers obtaining credentials and funds, but also of insiders walking away with the money or engaging in rug pull scams. But as with everything else in the DeFi space, there is virtually no applicable regulation, and companies can use marketing terms such as “decentralized” however they choose.
James McQuiggan, Security Awareness Advocate at KnowBe4, takes the following lessons from this incident: “We recognize that open-source software enables flexibility. However, its inherent vulnerabilities can allow criminals to exploit systems undetected. This breach clarifies that even with the most robust defenses, threats continuously evolve. This incident identifies the delicate perception of trust, reputation, and user confidence that supports the modern digital banking ecosystem. With open-source banking, cybercriminals will always go after the money, whether a crypto or natural currency. When a breach occurs, the effects can run deep. Not only do they face immediate financial repercussions, but the damage focuses on the erosion of trust, which can take years to rebuild.”
“For CISOs and cybersecurity professionals, this breach reiterates the pressing need for continuous security evaluation, threat intelligence, and fostering a culture of security awareness throughout the organization. In an age where brand reputation can be damaged overnight, a proactive and layered approach to cybersecurity is not just a best practice; it’s an imperative. Organizations must continually assess, review, and improve their incident handling of the various attack scenarios to be effectively prepared for cyber attacks and breaches,” added McQuiggan.