QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$77 700 000 USD
DECEMBER 2021
SINGAPORE
ASCENDEX
DESCRIPTION OF EVENTS
"AscendEX, launched under the name “BitMax” in July 2018, offers exchange, custody, and staking services to over one million retail and institutional clients globally." "Buy and sell BTC, ETH, LTC, DOGE, and other altcoins." "Trade over 100 cryptocurrencies including BTC, ETH, LTC, DOGE, Altcoins, Stablecoins and Platform Tokens." "AscendEX is a leading global digital asset financial platform founded by a group of Wall Street quantitative trading veterans in 2018." "AscendEX has a total of 253 tokens listed and provides innovative product offerings, including: ASD Investment Multiple Cards, Airdrop Multiple Cards, Staking Services, and more." "The Singapore-based cryptocurrency exchange AscendEX [was] formerly known as BitMax until March 2021."
"SINGAPORE--(BUSINESS WIRE)--AscendEX, a global cryptocurrency financial platform, has announced the close of a $50 million Series B raise led by Polychain Capital and Hack VC, with participation from Jump Capital and Alameda Research, as well as Uncorrelated Ventures, Eterna Capital, Acheron Trading, Nothing Research, and Palm Drive Capital. Imperii Partners served as an exclusive financial advisor to AscendEX in support of the Series B fundraise process."
“We are grateful to have very prominent investors involved in our latest fundraising round,” said George Cao, CEO and Co-founder of AscendEX. “Polychain Capital and Hack VC, as active catalysts of the DeFi ecosystem, have backed some of the industry’s most innovative blockchain networks, exchanges, and trading institutions. Similarly, Alameda Research, founded by Sam Bankman-Fried, has emerged as one of the most prolific investors in the industry, fueling growth within both CeFi and DeFi. Participation from Jump Capital, a seasoned Crypto and Fintech investor, further showcases the success of our deep roots in traditional finance, as AscendEX’s core team is proud of our extensive experience in Wall Street quant trading.”
"2021 has been another year of accelerated growth for all of us at AscendEX! The year began with a major milestone -- AscendEX’s native token ASD (previously BTMX) ranked as one of the “top 100” cryptocurrencies, which was a remarkable testament to our growth and the contributions from market participants, global users, and the greater blockchain industry. Throughout the year, the AscendEX team has accelerated our tradition of continuous product innovation and client-first strategies by further enhancing our platform’s core functionalities, expanding our global communities, and driving brand awareness. As the market matures with broader adoption underway, AscendEX continues to rise through consistency and excellence in performance and delivery in the ever-evolving digital asset industry."
"At around 22:00 UTC on Dec 11, 2021, AscendEX’s internal security audit report identified that a number of ERC-20, BSC, and Polygon tokens were transferred out of the exchange’s hot wallets." "On December 11th, an individual or number of criminal actors gained unauthorized passthrough access to AscendEX’s hot wallet infrastructure and initiated a number of transfers on the Ethereum, Polygon, Binance Smart Chain, Litecoin, and Bitcoin Cash networks."
"Of the stolen tokens, the relatively unknown Taraxa (TARA) accounted for the highest figure at $10.8 million. TARA is the native token of the Taraxa network, which claims to be purpose-built for audit logging of informal transactions." "Other impacted tokens include Tether (USDT) with a loss of $5.7 million, USD Coin (USDC) at $5 million, Shiba Inu worth $145,000 and Polygon MATIC valued at $691,000." "An in-depth security audit identified the breach as the result of an exploit of hardware-level vulnerability from third-party infrastructure utilized by AscendEX. The infiltration was carried out by highly sophisticated perpetrators."
"22:00 UTC 12/11, We have detected a number of ERC-20, BSC, and Polygon tokens transferred from our hot wallet. Cold Wallet is NOT affected. Investigation underway. If any user’s funds are affected by the incident, they will be covered completely by AscendEX." "These assets constituted a relatively small percentage of total exchange holdings. AscendEX cold wallets are unaffected by this incident."
"We have confirmed movement of the funds across ERC-20, Polygon, BSC, and xDAI wallets." "Shortly after these unauthorized transactions occurred, our internal monitoring systems detected an anomaly and initiated emergency security protocols." "We immediately initiated our security protocols and have implemented a number of concrete actions to mitigate the impact to our community and resolve this in earnest." "Out of the lot, around $60 million worth of tokens were transferred over the Ethereum blockchain alone. Tokens stolen from BSC and Polygon are worth $9.2 million and $8.5 million, respectively."
"We have temporarily halted all deposits and withdrawals from the platform and are working diligently to restore this service gradually after it is completely safe and secure to do so. Following a thorough security review, we will reopen the platform and allow all users to transfer assets. Trading remains active and has not been halted." "Trading, staking, and yield farming services remain active and has not been halted."
"[W]e want to reinforce our commitment to providing a secure and trusted environment for our users and resolving this situation quickly and efficiently." "We are in the process of standing up a new hot wallet infrastructure and estimate deposits and withdrawals to resume in the next 36 – 48 hours. Trading, staking, and yield farming services have not been impacted by this security incident and remain active. We plan to resume withdrawals gradually, beginning with Ethereum. Any user that wishes to withdraw their assets will be permitted to do so in an uninterrupted capacity once withdrawals reopen for the particular coin or token."
"AscendEX will release a comprehensive security post-mortem report in the coming days to provide transparency on the root cause of the incident as well as the actions we have taken to mitigate future risks." "In its post-mortem, the Singaporean exchange claimed to have identified the perpetrators’ wallets to be with Binance, Bitfinex, and OKEx."
"Doing right by our customers is our obligation. Any impacted customers will be 100% reimbursed for their losses. Especially in the cryptocurrency industry, where community is the driving force of innovation, it is important for AscendEX to always remain true to our users," the company said.
"AscendEX will fully reimburse all affected customers. Unimpacted assets have been transferred to our cold wallet for security as we continue to investigate." "We are working with all impacted projects to mitigate any potential damage to their communities and have encouraged impacted projects to freeze transfers, as contracts allow. Many projects are exploring the possibility of reissuing tokens to users." "AscendEX is working very closely with token projects and encouraging all heavily impacted projects to pursue token swaps to ensure network integrity and limit the impact to their community. Bemil Coin and Zignaly are two examples of heavily impacted projects that have exercised a token swap. AscendEX is supportive of this recourse as a way to protect the integrity of the projects’ networks."
"AscendEX continues to work in close collaboration with token projects to protect not only our community, but theirs, as well. We are supporting engineering costs for projects that perform token swaps, and many of the heavily impacted projects have already begun these swaps to ensure network integrity. Bemil Coin and Zignaly have been the first to exercise token swaps and have saved their communities more than $8M worth of tokens as a result." "Of the projects that were impacted by the attack, five have conducted a smart contract migration. These projects are Zignaly, Bemil Coin, Gather, BTC Proxy, and Aubit. As a result of the swift action taken by these projects, over $10 million in assets were recovered."
"We have deployed a completely new hot wallet infrastructure, meaning no single aspect of our legacy technology or hardware was reused." "The new infrastructure not only addresses the root cause of the issue, but it exhausts many additional redundant security measures and fail-safes to ensure a breach is probabilistically unfeasible using Defense in Depth (“DiD”) techniques." "Accordingly, each account has been assigned NEW deposit addresses for each network. Deposits must be made to newly assigned addresses in order to be credited."
"Deposit and withdrawals services will begin with Ethereum and we will gradually resume services for other assets to ensure a smooth reopening of the platform. Any user that wishes to withdraw their assets will be permitted to do so once withdrawals reopen for the particular coin or token. As a reminder, trading, staking, and yield farming services have not been impacted by this security incident and remain active." "We’re happy to announce that deposits and withdrawals will be opened at approximately 3:00 UTC, December 16th."
"AscendEX has been working closely with law enforcement and cybersecurity institutions including Ledger and Chainalysis to reinforce process controls, infrastructure security, compliance, and account-level security leveraging industry-leading security controls." "We are working with law enforcement and collaborating with leading blockchain forensic firms to track and monitor the transferred assets. We have also communicated with other exchanges to blacklist the wallets associated with the incident."
"As always, we are grateful for your continued support. As the investigation continues, we will remain in regular communication with our users, projects, and other key members of the community to resolve this situation and ensure timely, equitable solutions for any impacted users."
BitMax, now renamed AscendEx, suffered a security breach which occurred when an unauthorized actor was able to gain an unauthorized bypass into their hot wallets by exploiting a hardware vulnerability. The total funds taken were estimated at $77.7m, and varied across a wide range of currencies. The majority of funds on the platform remain safe as they were in cold storage, and the exchange has vowed to cover all user balances.
HOW COULD THIS HAVE BEEN PREVENTED?
While the most secure storage by far is a multi-signature wallet with all keys properly held by trained individuals, security of hot wallets can be improved by having additional experts review the security of systems. Our proposed framework sees 2 reviews prior to launch, and regular reviews on an ongoing basis. In the event of a breach, a comprehensive industry insurance fund would be available, which handles fraud and covers additional events beyond self-insurance.
Ascendex Hacked — Exchange Loses $77 Million in ERC20, BSC, Polygon Tokens – Bitcoin News (Dec 12)
AscendEX: Cryptocurrency Trading Platform | Bitcoin & Crypto Exchange (Dec 24)
AscendEX will list CryptoArt this afternoon - CoinCu News (Dec 25)
Hackers stole a number of tokens from the AscendEX exchange hot wallet, the loss was estimated at $ 77.7 million - CoinCu News (Dec 25)
2021 “Three Years Later… A Celebration of Success and the Best is Yet to Come” A Letter to the AscendEX Global Community | Help Center | AscendEX (Dec 25)
AscendEX loses $80M following ERC-20, BSC, Polygon hot wallet compromise (Dec 25)
Login • Instagram (Dec 25)
@peckshield Twitter (Dec 25)
Security Incident Update: Deposits & Withdrawals to Resume within 36-48 hours (est) | Help Center | AscendEX (Dec 25)
Important Notice | Help Center | AscendEX (Dec 25)
The Deposit and Withdrawal of More Assets Resumed on AscendEX | Help Center | AscendEX (Dec 25)
AscendEX Temporary Suspension Deposit & Withdrawal | Help Center | AscendEX (Dec 25)
Dec. 11 Security Incident | Help Center | AscendEX (Dec 25)
Dec. 11 Security Incident - Follow-Up Announcement | Help Center | AscendEX (Dec 25)
Dec. 11 Security Incident - Timing for Resuming Deposit and Withdrawal Services | Help Center | AscendEX (Dec 25)
Dec. 11 Security Incident Report | Help Center | AscendEX (Dec 25)
@AscendEX_Global Twitter (Dec 25)
Weekly Roundup Dec 4 Dec 10 2021 (Dec 25)
AscendEX suspends crypto withdrawals as hack wipes out $77.7 million worth of Ethereum, Polygon and other tokens | Business Insider India (Dec 25)
https://www.businesswire.com/news/home/20211103006190/en/AscendEX-Announces-a-50mm-Series-B-Raise-Led-by-Polychain-Capital-and-Hack-VC (Dec 25)
AscendEx exchange loses $77M in hack, promises full compensation - CoinGeek (Dec 25)
Crypto Exchange AscendEX (Formerly Bitmax) Hacked: $80 Million Allegedly Stolen (Dec 25)
AscendEX Exchange Loses $77.7M in Latest Crypto Hack - Crypto Briefing (Dec 25)
After theft of $77.7 million, victim AscendEX to reimburse customers | ZDNet (Dec 25)
@AscendEX_Global Twitter (Dec 25)
Crypto exchange AscendEX hacked for $78 million in latest swindle (Dec 25)
Crypto Exchange AscendEX Hacked, Losses Estimated at $77M (Dec 25)
Santa Hackathon? Visor Finance Marks 7th Hack in December (Dec 1)
Hacked AscendEX to Reimburse Users, Says 'Relatively Small Percentage' Impacted (Dec 1)
Timeline of Cyber Incidents Involving Financial Institutions - Carnegie Endowment for International Peace (Dec 12)
