Police in New Zealand have issued a press release stating their investigation of a prolonged hack on the Cryptopia cryptocurrency exchange, “is progressing well and advancing on several fronts.”
But according to online publication Stuff, Auckland University associate professor of commercial law, Alex Sims, has contradicted those claims by stating that authorities are in are fact “struggling” to deal with the hack:
“No one seems to have a clue what’s going on. But this hasn’t come out of the blue. There has been a lot of dialogue in recent years about the security of cryptocurrency and where to store the digital wallets…our regulators are really struggling compared with the US, Japan and European countries which have set up secure custodial services.”
While police also acknowledged, “This is a complex investigation involving the theft of cryptocurrency in an unregulated environment,” and, “This investigation is expected to take a considerable amount of time to resolve due to the complexity of the cyber environment,” both police and the exchange have been accused of downplaying the extent and impact of the hack by staff at the blockchain forensics firm Elementus.
Elementus extensively documented the days- long, $16 million USD hack on Cryptopia and then claimed the same hacker had struck again two weeks later.
The firm also made the extraordinary claim that Cryptopia appeared to have lost complete control of its own and clients’ 76 000 crypto “hot wallets” (accounts accessible by Internet), and had been forced to watch “powerless” for days as hackers drained the accounts:
“Cryptopia no longer has control of their Ethereum wallets, and the hacker still does. The hacker has the private keys and can withdraw funds from any Cryptopia wallet at will.”
Elementus further concluded that Cryptopia users unaware of the hacks (possibly miners sending block rewards) were continuing to load ETH into their insecure hot wallets at Cryptopia within hours of the initial hack:
“Despite the hack, many Cryptopia users continue depositing funds into their Ethereum wallets. In just the two hours since these breaches took place, many of the very same Ethereum wallets that were just drained have already been topped up with more ether.”
Elementus noted an apparent casualness on the part of hackers, something that may suggest the hackers are unconcerned about being successfully tracked:
“The hack continued for days after Cryptopia discovered the breach. The lack of urgency on the part of the thieves is striking. Rather than withdrawing the funds as fast as possible, as is the case in most crypto hacks, they took their time extracting the assets over the course of nearly five days.”