The Japanese cryptocurrency exchange said it was moving its assets into a cold wallet
A hacker stole more than $90 million from Japanese cryptocurrency exchange Liquid on Aug. 18.
In a series of tweets at 6:42 a.m. UTC on Aug. 19, the Liquid Global Official Twitter account detailed six ether wallets and one bitcoin, one XRP, and one tron wallet that had received $90.6 million in looted funds, the majority of it in ether and 68 separate Ethereum ERC-20 tokens.
That is far from the largest hack this month, but it is the worst. Cross-chain protocol Poly Network lost a staggering $612 million in a hack on August 10, but the hacker — dubbed Mr. White Hat — promptly returned the vast majority of the stolen crypto in dribs and drabs over several days (with a little more to come), saying he did it “for fun” and “always” planned to return the funds. Poly Network, for its part, promised no prosecution and offered a $500,000 bug bounty for the hacker, and a position as chief security advisor.
the attack in a brief tweet at 2:05 a.m. UTC.
“Important Notice: We are sorry to announce that #LiquidGlobal warm wallets were compromised, we are moving assets into the cold wallet. We are currently investigating and will provide regular updates. In the meantime deposits and withdrawals will be suspended.”
As of 9 a.m. UTC, no additional news had been posted on Liquid’s Twitter account or its blog.
Warm wallets are fairly similar to hot wallets in that they are connected to the internet, and thus vulnerable to hackers.
Exchanges tend to use warm wallets as an intermediate step between hot wallets funded for user withdrawals and cold wallets which are “air-gapped” — fully offline, and thus impervious to Internet-based thieves.
A warm wallet tends to hold a few days’ worth of funds, and requires human approval of each transaction sending funds back and forth to the hot and cold wallets. That suggests the Liquid hacker breached its warm wallet passwords.
Liquid was hacked in November 2020, but by a different kind of attack. No funds were reported stolen, but Liquid CEO Mike Kayamori said in a blog post that users’ personal information was taken after a hacker got Liquid’s domain hosting provider, GoDaddy, to wrongly transfer control of one of the exchange’s core domains.
“This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts,” Kayamori wrote. “In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”
The attacker made off with data like users’ email, name, address, encrypted passwords and API keys — and possibly some anti-money laundering customer data like images of government-issued ID, selfies and proof of address — leading Kayamori to recommend customers change passwords and two-factor authentication (2FA) credentials, and be on the lookout for phishing attacks.
These are the addresses to which the Aug. 19 hacker sent Liquid’s funds:
BTC $4.8 million
ETH $44.6 million + $24 million in 68 ERC-20 tokens
ETH $1.6 million
XRP $13 million
TRX $1.7 million
Stolen funds and cyber hacks are not new stories in the crypto space. In fact, one of the earliest and most infamous crypto heists occurred in late 2011 — the hacking of the Mt. Gox Bitcoin exchange. Check out our list of the largest crypto hacks in history and how they impacted the exchanges.