Close-up golden cryptocurrency coins and cash dollars showing crypto theft at crypto exchange

Victims of BitMart Crypto Theft to Be Partially Compensated; Crypto Exchange Lost $196 Million in Breach, Will Return $150 Million to Users

The BitMart crypto exchange was victimized in early December with a total loss of about $196 million in user wallet funds, an amount that puts it in the top 10 of token heists. BitMart has said that it will compensate victims of the crypto theft, but it is using its own internal estimate of $150 million in losses as a guideline.

Crypto exchange to make good on at least 3/4 of stolen money after breach

There is some dispute over the amount stolen in the “large-scale security breach” that was first reported on December 5. The crypto exchange says that it lost about $150 million dollars, and is using that amount as its guideline for refunding users; the third-party security firm Peckshield, which first publicly reported the breach, puts the amount lost at about $196 million (about $100 million in assorted Ethereum currencies and $96 million in Binance chain assets). The disparity in amounts remains unclear, but BitMart issued a statement saying that “no user assets will be harmed.”

Regardless of the actual amount, the crypto theft was not widely distributed among BitMart’s user base. In fact, the company’s internal analysis says that the funds came from just two hot wallets (those that are connected to the internet). The wallets were apparently breached via the theft of a private key. The company suspended all trading on its crypto exchange after the incident; the first illicit transfers were spotted at 2:30PM Eastern time on December 4.

BitMart began to restore crypto exchange trading functions on December 7, and while it did not set a firm timetable for compensating the victims of the crypto theft it did say it would use its own funds to do so. The company said that the stolen funds represented “only a small percentage” of its total assets. BitMart has an estimated nine million users globally and is one of the world’s top crypto exchanges by volume of trading.

While BitMart did not release details of how the crypto theft unfolded, Peckshield provided further insight from its own investigation. The security firm said that the thieves swapped and washed the stolen currency through a decentralized exchange aggregator known as 1inch, changing the various token types over to ether coins. These coins were then taken to a privacy mixer called Tornado Cash, which exchanges coins to make their origins harder to track via the usual public transaction records.

Crypto theft risk on the rise?

Since Bitcoin and other cryptocurrencies began seeing huge spikes in value again in 2020, crypto theft has been a rapidly growing segment of cyber crime. There has been something of a rash of attacks recently. Decentralized finance platform BadgerDAO was hit for about $120 million in late November, and earlier that month the Boy X Highspeed crypto exchange saw about $139 million lost due to a leaked administrator key.

In August, Poly Network was hit with a record-setting crypto theft of $600 million, though the attacker later returned it claiming that it was a vulnerability demonstration. The crime spree has drawn regulatory attention to crypto exchanges, with the US Treasury Department issuing its first sanctions of this nature in September. Russia-based Suex OTC was sanctioned for its alleged role in facilitating payments for ransomware attacks and other criminal activities.

Crypto theft is centered on “hot wallets”, or those plugged into crypto exchanges to allow holders to more readily engage in transactions. The biggest risk of a “cold wallet” is that it will wind up being one of those stories of $30 million dollars being accidentally brought to the city dump with some old clothes, but these offline hardware wallets are also not available at all with certain types of cryptocurrency.

Crypto exchanges have an increasingly shaky reputation with the security of hot wallets. Crypto investors and users are subject to all sorts of direct attacks, including phishing attempts and the installation of “clippers” that automatically replace wallet addresses whenever they are copied to or from the clipboard. But one of the biggest risks is the crypto exchange itself. If crypto exchange employees have access to hot wallet keys, they must be implicitly trusted to not pull an “inside job” and steal funds; even those that do not have that level of access to wallets may have enough to install malware or trojans to intercept credentials. Binance is even facing a probe over its possible use of customer transaction information for insider trading.

BitMart #crypto exchange was victimized in early December with a total loss of about $196 million in user wallet funds, an amount that puts it in the top 10 of token heists. #cybersecurity #respectdataClick to Tweet

In total, about $12 billion has been estimated to be lost to decentralized finance scams and theft in 2021. Crypto enthusiasts usually bristle at the idea of government regulation or involvement, but this also means putting a great deal of faith in private entities often based in foreign nations.