Reports came in earlier today that Cryptopia, the well-known New Zealand-based cryptocurrency exchange, has suffered a devastating 2nd attack, following a first hack on 14 January that drained users’ accounts of more than 21 million USD in digital assets.
In what is a rarity for crypto exchange hacks, where the culprits usually flee the virtual scene of the crime, it seems that these hackers didn’t just return, but shockingly, they’ve never left and are even stealing from unsuspecting users who continue to send their digital assets to Cryptopia.
In this post we’ll do a recap of what happened, why it happened and how investors can try to best secure their funds.
A new report indicates that not only has the hack been going on intermittently for over two weeks, but many users are unaware of the hack and continuing to deposit funds into their Ethereum wallets which are immediately drained. Worst of all is, it appears that the hackers are still in full control of the compromised private keys and continuing to drain accounts, without any way of stopping them by either Cryptopia or the New Zealand Police Force.
With over 1 Billion USD stolen from cryptocurrency exchanges in 2018 alone and the price of Bitcoin at a precarious 3400 USD at the time of writing, this is something that the whole industry cannot afford. Cryptocurrency exchanges are off to a bad start in 2019.
Cryptopia – A Crypto Utopia Gone Wrong?
It’s an especially sad state of affairs for this writer as Cryptopia was the first digital exchange I sent funds to on in 2017.
While I soon found out it was a haven for pump & dump groups and sh*tcoins that would be delisted overnight, the exchange provided a straightforward and fun introduction to crypto trading.
It appeared well-managed and with its heart in the right place, driven by an aspirational backstory of two cryptocurrency enthusiasts who quit their day jobs and built the exchange up from a mere two-man operation in 2014 to more than 50 staff members by early 2018.
The narrative likely resonated with thousands of users, many with meagre portfolio’s who were looking to strike it rich on sub-100 sat coins or Doge pairings.
Cryptopia seemed to be ticking the right boxes security-wise, offering users the extra protection of Google Authenticator’s 2FA security logins, and seemed, at least in my mind, one of the safer exchanges to send your crypto to.
Of course, in crypto- never assume anything. As they saying goes: DYOR.
First Hack – 14 January 2019
Users trying to log in to Cryptopia on January 14 were met with a ominous message that stated that the cryptocurrency exchange was closed for unscheduled maintenance.
This will immediately trigger alarm bells and palpitations for anyone who has lost funds on a digital exchange that got hacked in the past.
More than a day later and with speculation mounting on social media, the exchange finally came clean on Twitter.
— Cryptopia Exchange (@Cryptopia_NZ) January 15, 2019
They admitted that a staff member alerted them to a massive security breach which has now been confirmed to have resulted in significant losses.
Management immediately got the New Zealand police force involved, who shut the site down while investigating the matter.
Millions of Crypto Stolen over Multiple Days
New data has shown that over 70,000 wallets were compromised and over 23 million USD in ETH and ERC-20 tokens stolen in the process.
Even worse, the hackers didn’t cease their activities as soon as the site went into shutdown and police were involved.
It appears now that they kept draining Cryptopia’s users’ account for days after, looting as they wished without any repercussions.
This was as bad as it gets for cryptocurrency exchanges, it would seem. Until yesterday.
Second Hack – 28 January 2019
Elementus, a sophisticated blockchain analytics company, reported yesterday that an additional 17,000 wallets were relieved of over 1650 ETH on Tuesday 28 January 2019, in a hack that continued almost through the whole day.
Even worse, the hackers seem to still have full control of thousands of users’ wallets, WITHOUT users even being aware of it.
Reports indicate that some Cryptopia users even sent additional digital assets to their accounts, which were promptly emptied out yet again as a result.
“No Control Over Private Keys”
Elementus went on to state that:
“Consistent with our earlier hypothesis, Cryptopia no longer has the private keys to their Ethereum wallets and the hacker does.”
This might very likely be the final nail in the coffin for Cryptopia, who will likely never recover from this security breach not only due to financial losses incurred, but as a result of the lost of trust by their loyal users.
No Answers Yet from New Zealand Police and Cryptopia
While everyone has a theory on what happened, users shouldn’t expect to get an official announcement from the exchange any time soon.
The hack is still under criminal investigation by the New Zealand Police and so far Cryptopia has failed to provide any additional information, as they claim they’ve been gagged by the authorities.
We cannot comment as this matter is now in the hands of the appropriate authorities. We will update you as soon as we can.https://t.co/9uMiKQwb6u
— Cryptopia Exchange (@Cryptopia_NZ) January 15, 2019
In any case, it is clear that the funds are long gone, and that the hacker might very well still be in full control of thousands of wallets.
How did the Cryptopia Hack Happen?
Speculation is rife, but a few major theories have to started to emerge.
Elementus reports that Cryptopia suffered a “catastrophic security breach” which they were either slow or unable to react to.
This has raised even more questions, with some investors claiming that an insider is to blame for the hack.
Worst case, some think it could even be part of a criminal exit strategy by the owners, a not uncommon course of action for unscrupulous exchanges.(but unlikely in my opinion).
While it is pointless to speculate at this point and we’re not leveling any accusations at the owners, the Cryptopia breach has once again highlighted the need for cryptocurrency investors to take pro-active steps in securing their digital assets.
How can investors protect their cryptocurrency funds from being stolen?
We have previously acknowledged the important role that exchanges play in providing fluidity to the crypto industry and acting as a first port of call for new investors looking to actively trade their virtual assets.
Yet, Any crypto owner who sends his funds and by definition his private keys to a digital exchange, should understand the following:
All digital exchanges, even the best ones, are susceptible to security attacks from hackers.
Investors are essentially giving away control and responsibility over their funds to a third party who they hope will employ the necessary security measures to prevent any successful hacking attempt.
Our team at CoolBitX, makers of bluetooth hardware wallet the CoolWallet S, want to emphasize the following:
- The safest place to story your cryptocurrency is still on a cold wallet (that’s not directly connected to the Internet.), either a hardware wallet or paper wallet.
- Diversify your portfolio and keep it on different addresses where possible to minimize risk.
- NEVER leave more of your funds on exchanges that you can afford to lose.
- Do your own research and make an informed choice on how to best protect your assets.
- Where possible, retain possession of your private keys and wallet recovery seed.
If you’ve read our story, you’ll know that we started CoolBitX in 2014 in the wake of the destructive Mt. Gox hack.
Since then, we’ve seen dozens of hacks resulting in billions of crypto stolen from everyday users. We don’t take any pleasure in this devastating attack because it hurts the industry as a whole and scares off new investors which are the lifeblood to our continued existence.
We hope that this post has been informative and educational. Stay safe in 2019. Knowledge is power.
CoolWallet S Team
Disclaimer: CoolBitX does not endorse and is not responsible for or liable for any content, accuracy, quality or other materials on this page.
Readers should do their own research before taking any actions.
CoolBitX is not responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in the post.