BitMart crypto exchange hit with $150m hack

(Image credit: Lordowski / Shutterstock)

Crypto exchange BitMart has suffered a security breach which saw the attackers make off with roughly $150 million in different cryptocurrencies, the company's leadership has confirmed.

Taking to Twitter, BitMart CEO Sheldon Xia said a “large-scale” security breach had been identified, related to two of the company’s hot ETH and BSC wallets. 

These wallets carried a “small percentage” of assets on BitMart, while all other wallets remained “secure and unharmed”, he added.

BitMart attack

A “hot” wallet is a cryptocurrency wallet that’s connected to the internet and can be used to quickly and seamlessly transfer the funds from one account to the other. ETH is the ticker for the Ether cryptocurrency, native to the Ethereum blockchain, while BSC is the ticker for the Binance Coin, native to the Binance Smart Chain - a blockchain built by the Binance exchange. The Binance Smart Chain has many similarities to the Ethereum network, but many differences, as well.

Xia further confirmed that roughly $150 million had been taken, adding that initial reports suggest the private key was stolen for the two affected wallets.

Every cryptocurrency wallet has two keys - a public key, and a private key. A public key is the one that can be easily shared, and which is used for transactions. A private key is used for access to the wallet and should never be shared, or left out in the open.

There is no word how exactly the private keys were stolen, whether or not an endpoint was compromised, or if the attacker managed to phish the information out of an employee. 

To mitigate the issue, BitMart will use its funds and compensate all those who were affected by the breach, Xia explained. “We are also talking to multiple project teams to confirm the most reasonable solutions such as token swaps. No user assets will be harmed,” he tweeted.

Crypto laundering through tumblers

All deposits and withdrawals have been suspended for the time being, with the CEO expecting operations to return to normal during the day.

Whether or not the company manages to retrieve the funds, remains to be seen. According to The Block Crypto, the attackers sent all the funds to an Ethereum mixing service called Tornado Cash. 

The mixing service, also known as a cryptocurrency tumbler, is a service that allows users to mix potentially tainted funds (stolen, extorted, or otherwise illegally obtained) with other, “clean” funds, making it harder for researchers and law enforcement agencies to track down exact coins. 

Usually, decentralized blockchains have their ledgers fully transparent, allowing anyone to track any transaction from point A to point B. However, a tumbler pools together funds from multiple sources for large, and often random, periods of time, and then splits them back out to numerous addresses.

The publication further said that different coins were taken, including roughly $500 million in USDC stablecoin (its price is always the same as the price of 1 USD), and “large amounts” of meme tokens, including Shiba Inu (SHIB). 

An employee is usually the weakest link in every organization’s security chain, experts are warning. Companies are advised to train their employees on the dangers of phishing, to set up state-of-the-art cybersecurity solutions, and to always deploy two-factor authentication, such as security keys

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.