- KuCoin has confirmed that its exchange has been hacked.
- Roughly $150 million in Bitcoin and ERC20 tokens were reportedly taken.
- The exchange promises to cover losses from user funds.
KuCoin, which touts itself as "the most advanced and secure cryptocurrency exchange to buy and sell Bitcoin, Ethereum, Litecoin, TRON, USDT, NEO, XRP, KCS, and more," has been hacked, and $150 million in funds may be gone.
The company confirmed that late on September 25 (UTC time), "Bitcoin, ERC-20 and other tokens in KuCoin's hot wallets were transferred out of the exchange."
It maintains that, while its hot wallets were hit, its cold wallets are safe. Moreover, it claimed in its announcement, "If any user fund is affected by this incident, it will be covered completely by KuCoin and our insurance fund."
The trouble began when users started complaining about withdrawal issues.
Initially, KuCoin's admin team seemed to maintain that it was experiencing a systems issue. At least one admin message on KuCoin's Telegram channel indicated that users should not withdraw or deposit funds "given the situation." It claimed that "transactions are simply pending."
KuCoin Telegram Admin recommends that no deposits or withdrawals should be initiated 'given the situation.'
What is the actual situation?? pic.twitter.com/aFDMZQa3zK
— beta.mycrypto.com (@MyCrypto) September 26, 2020
It then became apparent that about $150 million worth of tokens had been moved to a different address. The address received transactions of 11,484 Ether, worth roughly $4 million, plus $146 million in transactions of other tokens. Many are little-known, such as Gladius, Chroma, Ocean Token, and Hawala, but there were also Maker, OMG, and YFI tokens in the mix.
Adding to the confusion, crypto data company CryptoQuant noticed that a large amount of Bitcoin left the KuCoin wallets quickly, then stopped. "Since 20:00 UTC on September 25th," it tweeted, "the outflow has continuously been zero."
It seems #Kucoin got hacked.
Usually, after being hacked, the $BTC outflow increases rapidly and then becomes zero. Since 20:00 UTC on September 25th, the outflow has continuously been zero.
— CryptoQuant (@cryptoquant_com) September 26, 2020
According to CryptoQuant CEO Ki Young Ju, that spike is a telltale sign of a hack. If it were merely a systems issue, outflows would go straight to zero without a spike.
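The heuristic Ki Young Ju describes can be written as a check over an hourly outflow series. The following is an added example, not code from CryptoQuant or from this article; the function name, thresholds, window sizes and sample figures are constructed assumptions.

```python
from statistics import median

def classify_outflow(series, baseline_hours=24, spike_factor=5.0,
                     lookback=3, halt_hours=4, min_baseline=1.0):
    """Classify hourly wallet outflow (BTC per hour, oldest first).

    Returns 'spike-then-halt' (matches the hack pattern described above),
    'halt-without-spike' (matches a plain systems issue), 'no-halt',
    or 'insufficient-data'. All parameters are illustrative assumptions.
    """
    # Find the first run of `halt_hours` consecutive zero-outflow hours.
    halt_start = None
    for i in range(len(series) - halt_hours + 1):
        if all(v == 0 for v in series[i:i + halt_hours]):
            halt_start = i
            break
    if halt_start is None:
        return "no-halt"

    # The hours immediately before the halt are the candidate spike window.
    window_start = max(0, halt_start - lookback)
    window = series[window_start:halt_start]
    # Baseline is the median of the hours that precede that window.
    history = series[max(0, window_start - baseline_hours):window_start]
    if not window or not history:
        return "insufficient-data"

    # Floor the baseline so a near-idle wallet does not flag tiny transfers.
    threshold = spike_factor * max(median(history), min_baseline)
    if max(window) > threshold:
        return "spike-then-halt"
    return "halt-without-spike"

# Constructed sample data (not real exchange figures).
NORMAL = [12, 9, 15, 11, 10, 13, 8, 14, 12, 10, 11, 9]
HACK_LIKE = NORMAL + [10, 240, 310, 0, 0, 0, 0, 0]   # surge, then nothing
OUTAGE_LIKE = NORMAL + [11, 12, 0, 0, 0, 0, 0]       # straight to zero
STEADY = NORMAL + [10, 12, 9]                        # withdrawals continue

if __name__ == "__main__":
    for name, data in [("hack-like", HACK_LIKE), ("outage-like", OUTAGE_LIKE),
                       ("steady", STEADY)]:
        print(name, "->", classify_outflow(data))
```

A halt preceded by a spike is only a signal to investigate; the classification says nothing about who moved the funds.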
KuCoin CEO Johnny Lyu held a livestream early on September 26 to provide more details.
According to Lyu, after realizing that money was being transferred out of a KuCoin-owned hot wallet, they shut down the server. However, transfers continued because the private key to the hot wallet had been compromised. KuCoin then transferred untouched funds to a new address.
KuCoin has not confirmed the amount that was taken.
According to data from CoinMarketCap, KuCoin, based in Singapore, is the 16th-most-popular crypto spot exchange when taking into account trading activity, traffic, and volume. It's responsible for $112 million in volume over the last 24 hours.