Researchers at blockchain forensics firm Elementus, who extensively documented the days-long, $16 million USD hack against New Zealand-based crypto exchange Cryptopia two weeks ago, now claim that the same hacker has struck Cryptopia again.
According to Elementus, “Though Cryptopia remains silent…” about the full extent and nature of the hack, blockchain data obtained by Elementus shows an additional 1675 ETH (~$180 000 USD) was “siphoned” from 17 000 compromised Cryptopia wallets on January 28th.
Based on this information, the conclusion reached by Elementus is fairly dire:
“Cryptopia no longer has control of their Ethereum wallets, and the hacker still does. The hacker has the private keys and can withdraw funds from any Cryptopia wallet at will.”
Elementus also concludes that Cryptopia users unaware of the hack are continuing to load ETH into their insecure “hot wallets” (cryptocurrency wallets accessible on the Internet) at Cryptopia:
“Despite the hack, many Cryptopia users continue depositing funds into their Ethereum wallets. In just the two hours since these breaches took place, many of the very same Ethereum wallets that were just drained have already been topped up with more ether.”
Elementus believes these wallets may be receiving automatic payouts from Ethereum miners who have their “mining” proceeds delivered directly to accounts at Cryptopia.
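The two observations above, many wallets paying out to a common destination and drained wallets being topped up again within hours, are the kind of pattern a forensics or monitoring team would look for in on-chain transfer data. The following is an added example, not code from Elementus or Cryptopia: it runs that detection logic over a small constructed set of transfer records. The addresses, amounts, timestamps, the two-hour window and the three-sender threshold are all assumptions chosen for the illustration.

```python
"""Flag wallets drained to a common sink and then re-funded shortly afterwards.

Added illustration only (not Elementus's or Cryptopia's code). Transfer records
are modelled as (unix_timestamp, from_address, to_address, value_eth) tuples.
"""
from collections import defaultdict

# Constructed sample data: addresses, amounts and timestamps are invented.
SAMPLE_TRANSFERS = [
    (1548630000, "0xwalletA", "0xsink", 12.0),
    (1548630060, "0xwalletB", "0xsink", 3.5),
    (1548630120, "0xwalletC", "0xsink", 0.75),
    (1548630500, "0xwalletD", "0xuser1", 1.0),      # ordinary single-source withdrawal
    (1548633000, "0xminerpool", "0xwalletA", 0.4),  # re-deposit 50 min after drain
    (1548636900, "0xminerpool", "0xwalletB", 0.2),  # re-deposit 1 h 54 min after drain
    (1548645000, "0xminerpool", "0xwalletC", 0.1),  # re-deposit ~4 h later, outside window
]


def suspected_sinks(transfers, min_sources=3):
    """Return addresses funded by at least `min_sources` distinct senders.

    A single destination collecting from many unrelated wallets is the
    signature of a key-compromise sweep rather than normal user activity.
    """
    senders = defaultdict(set)
    for _ts, src, dst, _val in transfers:
        senders[dst].add(src)
    return {dst for dst, srcs in senders.items() if len(srcs) >= min_sources}


def drained_wallets(transfers, sinks):
    """Map each wallet that paid into a sink to (first drain time, total sent)."""
    drained = {}
    for ts, src, dst, val in sorted(transfers):
        if dst in sinks:
            first_ts, total = drained.get(src, (ts, 0.0))
            drained[src] = (min(first_ts, ts), total + val)
    return drained


def redeposits_after_drain(transfers, drained, window_seconds=7200):
    """Deposits into already-drained wallets within `window_seconds` of the drain.

    Each hit is (wallet, depositor, seconds_since_drain, value_eth). These are
    the funds that remain exposed if the wallet's private key is still held
    by the attacker.
    """
    hits = []
    for ts, src, dst, val in sorted(transfers):
        if dst in drained:
            drain_ts = drained[dst][0]
            if drain_ts <= ts <= drain_ts + window_seconds:
                hits.append((dst, src, ts - drain_ts, val))
    return hits


def total_siphoned(drained):
    """Sum of value moved from drained wallets into the suspected sinks."""
    return sum(total for _first_ts, total in drained.values())


if __name__ == "__main__":
    sinks = suspected_sinks(SAMPLE_TRANSFERS)
    drained = drained_wallets(SAMPLE_TRANSFERS, sinks)
    print("suspected sinks:", sinks)
    print("drained wallets:", sorted(drained))
    print("total siphoned (ETH):", total_siphoned(drained))
    for wallet, depositor, delta, val in redeposits_after_drain(SAMPLE_TRANSFERS, drained):
        print(f"{wallet} re-funded by {depositor} {delta // 60} min after drain: {val} ETH")
```

On real data the same three steps would be fed from an archive node or an indexer's transfer table; the thresholds would be tuned to the exchange's normal deposit patterns, and a re-deposit hit is the signal to contact the depositor (for instance a mining pool with a fixed payout address) rather than to wait for the funds to be swept again.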
Elementus’s initial assessment of the hack, published January 21st, produced equally foreboding conclusions:
“This hack is quite different from other high-profile heists on the blockchain…The Cryptopia hack involved a large number of wallets. The funds were taken from more than 76k different wallets, none of which were smart contracts. The thieves must have gained access to not one private key, but thousands of them.”
“The hack continued for days after Cryptopia discovered the breach. The lack of urgency on the part of the thieves is striking. Rather than withdrawing the funds as fast as possible, as is the case in most crypto hacks, they took their time extracting the assets over the course of nearly five days.”
Cryptopia also seems to be “powerless” to stop the continued removal of funds from accounts they manage:
“After Cryptopia discovered the hack, they watched the funds continue to flow out of their wallets for four more days, seemingly powerless to stop it. As these wallets were not smart contracts, there should have been no technical complications preventing Cryptopia from securing the funds.”
“The only plausible explanation for Cryptopia’s inaction is that they no longer had access to their own wallets.”
Elementus’s conclusions suggest not just a smash-and-grab hack, but a virtual and ongoing takeover of Cryptopia.