The cryptocurrency trading platform BitMart reported that over $150 million (USD) of cryptocurrency assets in so-called “hot wallets” were stolen due to a “large scale security breach” resulting from a stolen private key. Hot wallets, as opposed to their cold counterparts, are cryptocurrency accounts that are connected to the internet, allowing for rapid transfer and deposit of tokens. Research company PeckShield estimated the total loss of assets at approximately $200 million (USD). BitMart reported that it has frozen withdrawal transactions while the investigation is ongoing, but plans to gradually resume transactions as of Tuesday, Dec 7.
This is the latest in a series of financially motivated online attacks directed at cryptocurrency organizations. For example, last week $120 million (USD) was stolen from BadgerDAO and $30 million (USD) was stolen from MonoX Finance. Over $600 million was stolen from PolyNetwork earlier this year, although the assets were eventually returned by the alleged hacktivist. $97 million (USD) was stolen from Liquid, with 10 other organizations this year disclosing large losses. This emphasizes a key point in security – the use of public key infrastructure (PKI) does not guarantee privacy or security – particularly when the private keys that take the place of passwords are not appropriately secured. Social engineering tactics, as well as inappropriate disclosure of private keys when such keys are not segregated from development and Internet facing operations, often result in criminals obtaining illicit access to internal networks and services which can then be further exploited.
1/4 In response to this incident, BitMart has completed initial security checks and identified affected assets. This security breach was mainly caused by a stolen private key that had two of our hot wallets compromised. Other assets with BitMart are safe and unharmed.
— Sheldon Xia (@sheldonbitmart) December 6, 2021