Clients of the New Zealand-based cryptocurrency exchange Cryptopia have lost more than $16 million worth of cryptocurrencies in a recent theft from the exchange, according to an estimate by the blockchain analysis platform Elementus.
Since Cryptopia has not officially disclosed any figures, multiple analysis firms are now trying to come up with an estimate. Previous estimates put the loss between $2.5 million and $3.5 million, and, if correct, Elementus’ numbers point to eye-popping negligence on the part of the exchange.
The blockchain analysis firm has analyzed only ETH and ERC-20 token movements on the Ethereum blockchain, and claims that hackers stole more than $3.5 million in ETH, around $2.5 million in Dentacoin, and many other coins, taking the total figure to $16,002,108.
Moreover, the hackers slowly transferred a large portion of the stolen funds to several exchanges in small deposits, hoping to cash out into fiat currency. Elementus found that a total of $882,632 worth of ETH and ERC-20 tokens was transferred to many exchanges, including Bibox, Binance, and Huobi.
A Unique Attack
The report by Elementus also explains the techniques used by the hackers, which raise many concerns about the security of funds stored in exchange-controlled wallets.
Until now, most of the major thefts on exchanges were attempted through vulnerabilities in smart contracts. However, in the case of Cryptopia, hackers directly targeted the wallets of the exchange's clients. This shows that they gained access to the private keys of the wallets stored by the exchange.
Moreover, unlike in other thefts, the attackers did not try to pull all the funds at once. Instead, the activity spanned around five days. Elementus also claims that Cryptopia was aware of the attack but did nothing to stop it.
“After Cryptopia discovered the hack, they watched the funds continue to flow out of their wallets for four more days, seemingly powerless to stop it. As these wallets were not smart contracts, there should have been no technical complications preventing Cryptopia from securing the funds,” Elementus stated. “The only plausible explanation for Cryptopia’s inaction is that they no longer had access to their own wallets.”
Cryptopia’s Response to the Attack
On January 15, Cryptopia publicly announced the attack on the exchange and said it had suffered a “significant loss,” without disclosing any figures.
The local police are now investigating the case and are even considering the exchange's own role in the attack, as rumors are circulating that this might be an internal hack or an “exit scam.”
“The assistance of the cryptocurrency community is being sought as the investigation progresses. This is a very complex investigation, involving expert digital forensic investigators from within New Zealand and in various overseas jurisdictions, as well as overseas authorities. Members of the investigation team met with Cryptopia management and staff yesterday and today and outlined progress in the investigation,” an official statement from the New Zealand police noted.