Singapore-headquartered cryptocurrency exchange, KuCoin reported in the hours leading up to press time that it had suffered a security breach. The funds include part of BTC, ERC-20, and other tokens in KuCoin’s hot wallets that were transferred out of the exchange.
Following the KuCoin hack, the exchange is yet to disclose the total sum lost but confirmed that it “contained few parts of its total assets holdings.”
(1/4) We detected some large withdrawals since Sep 26 at 03:05 UTC+8. According to the latest internal security audit report, part of BTC, ERC-20 and other tokens in KuCoin’s hot wallets were transferred out of the exchange, which contained few parts of our total assets holdings
— KUCOIN (@kucoincom) September 26, 2020
In a hastily organized AMA session, KuCoin CEO Johnny Lyu provided further information regarding the incident, confirming that hackers stole the private key of the exchange’s hot wallets and that no user data was leaked.
Similar to the Binance hack in 2019, KuCoin will cover user losses from its insurance fund which is set up in 2018.
KuCoin Hack: Johnny Lyu Updates About Timeline and Reopening
Johnny Lyu provided a timeline for the incident which started at 2:51 am Singaporean time when the system provided its first alert from an in-house risk monitoring system.
The exchange subsequently received an alert for abnormal withdrawals of XRP, and notice that its hot wallet is “running out of balance.” That notice was followed by a strange BTC transfer and that of other yet to be unnamed ERC-20 tokens.
The internal security team sought to provide some urgent solutions, including shutting down the wallet server. Even after the shutdown, though, there were still cases of abnormal transfer, leading to the conclusion that the exchange’s hot wallet private keys were leaked.
Within two hours after the initial alert, all remaining balances were moved to the exchange’s cold wallet, with KuCoin simultaneously reaching out to its clients and community. Other big exchanges including Binance, BitMAX, Bybit, Huobi, Beaxy, Bibox, and others have been alerted to assist with tracking and hunting down the stolen funds.
Lyu also mentioned that KuCoin is also in contact with the International Police, important clients, and many industry experts to conduct an in-depth investigation into the incident.
A reward will be offered for information on this hacking event while the hackers’ address details will soon be made available to the public.
However, crypto monitoring platform Whale Alert reported that most of the transfers from Kucoin were sent to an Ethereum address, which currently holds more than $4 million worth of ETH and $152 million worth of more than 100 ERC-20 tokens, including OMG, AKRO, VIDT, SXP, AOA, MKR, etc.
The CEO meanwhile preferred not to disclose the net value of the stolen funds in relation to the company’s crypto holdings. However, he assured that the “affected amount […] is a small amount for KuCoin and the exchange is going to take the loss.”
When Will KuCoin Reopen?
Regarding a potential reopening after the KuCoin hack, Johnny Lyu said in the AMA,
As they already found out the reason and we already come up with some solutions, we are going to rationally open with trust in the next week.
Kucoin Hack Funds Recovery
Hours after the incident, crypto exchange Bitfinex noted that it has frozen approximately $33M in USDT tokens stolen by the hacker.
PSA: re #KuCoin hack@bitfinex froze 13M Tether USDt on EOS as part of the hack@Tether_to just froze 20M Tether USDt sitting on this Ethereum address https://t.co/GYmESH44da as precautionary measure.
Stay safe everyone!
— Paolo Ardoino (@paoloardoino) September 26, 2020
