Bitmart cryptocurrency exchange lost $196 million in various cryptocurrencies in a hack, which may be among the most devastating in the history of crypto, CoinDesk reported.
Bitmart hacker pulled entire balances from exchange
On Saturday, security company Peckshield drew attention to the problem, tweeting that one of Bitmart’s addresses was showing a steady outflow of complete token balances to an address that Etherscan labels “Bitmart hacker”. Some of the transfers were worth tens of millions of dollars.
In a second tweet, Peckshield assessed the losses at $96 million on Binance Smart Chain and $100 million on Ethereum Mainnet. Different cryptocurrencies were stolen.
Hacker used Tornado Cash and 1inch
The hacker exchanged the stolen funds for ether via decentralized exchange aggregator 1inch. Then, he used a secondary address to deposit ether into Tornado Cash, a privacy mixer, making the funds harder to trace.
At first, Bitmart referred to the hack reports as ‘fake news’, claiming in the exchange’s official Telegram channel that the withdrawals were merely routine. Shortly thereafter, Bitmart CEO Sheldon Xia confirmed that a hack had taken place following a “security breach.” He tweeted:
We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets. At this moment we are still concluding the possible methods used. The hackers were able to withdraw assets of the value of approximately USD 150 million.
Last year Tornado Cash, a privacy tool to conceal the history of ether transactions, underwent a trusted setup ceremony and a contract update to create self-executing code. With that, the main mixing service on Ethereum became permissionless. Tornado wrote in a blog post in May 2020, cited by CoinDesk:
With a record 1,114 contributions this was by far the largest Trusted Setup Ceremony to date. By comparison, all other trusted setup ceremonies had less than 200 participants.
Although Tornado Cash launched in August 2019, it was considered experimental software prior to May 2020. That’s because the developers had control over user funds. After the update, the developer key was broken. They created a crowdsourced smart contract without a private key.
How private? There may be hope. Chainalysis spokeswoman Maddie Kennedy wrote in an email to CoinDesk in 2020:
While mixers, CoinJoins and solutions like Tornado Cash can make tracing funds more difficult, Chainalysis can often still follow funds through them.