The KuCoin hack is the first high-profile case of a decentralized exchange being used to launder stolen funds.
Cybercriminals have continued to come up with new, innovative attack vectors that a lot of prominent crypto platforms are still falling prey to. For example, Johnny Lyu, the CEO of Singapore-based cryptocurrency exchange KuCoin, stated on Sept. 26 that the exchange had been on the receiving end of a major hack that resulted in the firm’s Bitcoin (BTC), Ether (ETH) and ERC-20 hot wallets being affected. Commenting on the hack, Charlie Cai, the media manager at KuCoin, told Cointelegraph:
“Following the incident, KuCoin is acting quickly and transparently to deal with it. We are trying our best to mitigate the impact of the incident by working with many blockchain projects, security firms and crypto exchanges.”
In all, it’s estimated that KuCoin lost upward of $200 million in customer funds. However, despite the security breach, the price of most premier cryptos, as well as DeFi tokens, barely showcased any negative action despite the fact that major hacks, such as this one, have traditionally resulted in market-wide sell-offs.
On a more technical front, Cai highlighted that a total of 130 million of the stolen digital tokens had already been secured or in the process of being recovered by the KuCoin security team. In this regard, Cai further stated that Tether (USDT) had successfully frozen a total of 22 million USDT stablecoins that were compromised while Velo Labs, too, announced that it will redeploy and replace each of the VELO tokens that were transferred as part of the heist. He added: “The 122 million VELO tokens (about $75.7 million) that were affected will be invalidated.”
Similarly, some of the other tokens that the company claims to have secured since the matter came to public notice include Silent Notary (SNTR), Covesting (COV), Orion Protocol (ORN), KardiaChain (KAI), NOIA Network (NOIA) and Opacity (OPQ).
Red flags addressed by KuCoin
Earlier this year in March, KuCoin was in the midst of a number of controversies. The crypto exchange was facing the possibility of a class-action lawsuit that claimed KuCoin provided its customers with “false and/or misleading statements.” Similarly, as part of another suit — Chase Williams v. KuCoin — it was alleged that the exchange was dealing unlicensed securities, which is illegal.
Furthermore, around the same time period, the KuCoin team announced to the world that it would be undergoing a massive corporate restructuring that saw the firm change its trademark from one Seychelles-registered entity to another. Not only that, but the firm also appointed a new director who previously had no major role at the exchange. It’s still unclear, meanwhile, as to where exactly KuCoin’s actual headquarters are located.
Based on the aforementioned findings, people have started to question the legitimacy of KuCoin’s operations, with some even going as far as saying that the platform might be one big exit scam. Addressing these concerns, Cai stated: “KuCoin a genuine platform backed by famous VCs. As early as 2018, we got an investment of $20 million from IDG and Matrix Partners. IDG is very ‘picky’ when investing in crypto exchanges.”
Cai then proceeded to highlight KuCoin’s cash flow streams, claiming that in August 2020 alone, $13.35 billion was traded via the company’s spot trading platform, while $13.51 billion was traded on KuCoin’s futures platform.
Security experts weigh in on the matter
To gain a more holistic view of the entire situation, Cointelegraph reached out to John Jefferies, the chief financial analyst at CipherTrace — a crypto-focused security firm. He pointed out that most of the cryptocurrencies stolen from KuCoin were ERC-20 tokens that can be easily laundered through DeFi protocols.
Furthermore, it is worth noting that following the KuCoin hack, the miscreant proceeded to transfer thousands of dollars worth of Synthetix Network Tokens (SNX) to Uniswap — the largest decentralized exchange by total value locked. It’s estimated that the hackers transferred at least $1.2 million in SNX tokens through four separate transactions. On the subject, Jefferies stated:
“This was the first high profile case of a DEX, Uniswap, being used as a money mixer. Unlike centralized exchanges, a DEX can’t freeze funds — only specific projects can. Another significant impact here is that the theft of the tokens directly impacted the firms of these stolen tokens, such as Crypterium and Tether because the hack included CRPT tokens and Tether on both EOS and Ethereum blockchains.”
Madeleine Kennedy, senior director of communications at Chainalysis — a global cryptocurrency analytics company — pointed out that her firm has found that more than $275 million in crypto funds have most likely been compromised, which makes this one of the largest hacks of a cryptocurrency exchange in recorded history. Additionally, Chainalysis announced that it was expanding its presence across the APAC region in the aftermath of the hack.
Providing her take on how exactly the hackers were able to successfully facilitate this operation, Kennedy pointed out that they attempted to swap as many ERC-20 tokens as possible at decentralized exchanges before the funds were frozen by the smart contracts or forked to reverse the transactions:
“Some funds were deposited to exchanges, some to coin swapping services, and more to DEXs, but much of the funds remain unspent. Relevant addresses are labeled in Chainalysis Reactor, KYT and Kryptos, and we are continuing to monitor their movements.”
A laid-back attitude?
Despite the major strides that have been made by crypto security researchers over the past couple of years, platforms like KuCoin’s still fall victim to such attacks. However, this latest hack raises a concern as some may question if the crypto industry is doing enough to protect itself.
Jefferies pointed out that, as things stand, only the largest exchanges in the world have the security maturity of traditional financial institutions, which are typically subject to security rules and audits. In this regard, he firmly believes that until smaller virtual asset service providers are able to display the same level of rigor as their financial service counterparts, it would not be uncommon to see such types of incidents taking place. Elucidating his thoughts on the matter:
“Trusted VASPs such as Bitgo, Coinbase, and Bitgo have undergone the grueling System and Organization Control, SOC2, audit which includes security, confidentiality, processing integrity, privacy and availability.”
It’s worth mentioning that over the course of the last few years, the security industry has developed several security standards to enable customers to decide who to trust with their assets. Auditing procedures such as SOC2 and ISO 27001 provide rigorous external validation of technologies and processes. Binance and Crypto.com, for example, claim to adopt ISO 27001.
On the subject, Dyma Budorin, a co-founder and the CEO of Hacken — a crypto-oriented cybersecurity firm — told Cointelegraph that a majority of exchanges today are like black boxes, i.e., no one knows how their private keys are managed: “Only a few crypto exchanges like Kraken, Gemini and Binance are investing a lot of money to prove proper internal controls over their personal private keys management protocols.”
A similar opinion is shared by Tom Albright, the CEO of Bittrex Global — a cryptocurrency exchange — who believes that too many exchanges these days treat security as an inconvenience, adding:
“As more and more mainstream investors get involved in crypto, there will be more vulnerable participants in the ecosystem, and exchanges have to do even more to protect these customers and help them protect themselves.”