$10 500 000 USD

DECEMBER 2020

UNITED KINGDOM

EXMO

DESCRIPTION OF EVENTS

"EXMO is a British cryptocurrency exchange. The platform was established in 2014 and is constantly expanding its functionality, adding new assets to the listing, and, most importantly, increasing the number of customers. More than six years of operation without data leaks and hacks, flexible commissions, and fast technical support – these are among a list of reasons why clients choose EXMO." "EXMO exchange is registered in London, with offices in London, Moscow, and Kyiv, and employs a project team of 150+ people." "The trading platform accounts for $43 million (1,890 BTC) in 24-hour trade volume according to market aggregators. Exmo claims to have 1.6 million registered users and roughly 50,000 daily traders." "EXMO received temporary registration from the U.K.’s Financial Conduct Authority, allowing it to continue operating until July 9, 2021, pending the regulator's determination of their application."

 

"According to a security notice, the company detected “suspicious withdrawal activity” on Monday, 21 December. A security audit report showed large withdrawals of BTC, XRP, ZEC, USDT, ETC, and ETH from Exmo’s hot wallets. The affected hot wallets represent nearly 5% of the exchange’s total assets, the company said, adding that none of its cold wallets were affected." "According to The Block's research analyst Igor Igamberdiev, EXMO appears to have lost $10.5 million worth of funds." "Maria Stankevich, head of business development at Exmo, told Cointelegraph that the incident is “nothing very serious,”"

 

"All withdrawals are temporarily suspended." "We are still investigating the incident, but as of now, the security audit report showed that some amounts of BTC, XRP, ZEC, USDT, ETC and ETH in EXMO’s hot wallets were transferred out of the exchange. We reacted immediately and re-deployed hot wallets." "The amount compromised due to the hack makes up around 6% of the company’s total assets. We don’t believe it could somehow affect a going concern basis for EXMO. The company’s policy is to store around 5-10% of all its assets on hot wallets to enable fast withdrawals for users and limit potential losses from the hacks. At the moment of the hack, there was approximately 5-10% of BTC on a withdrawal wallet according to the internal rules."

 

"BTC, XRP, ZEC, USDT, ETC and ETH were withdrawn to the personal addresses of hackers." "According to a Cointelegraph report on Friday, hackers moved funds using Poloniex hours before the hacked British exchange announced the attack and shared the crypto addresses to avoid." "Igamberdiev said all of the stolen ETH, XRP, and USDT has been sent to the exchange." “After we received the information from the Exmo team, we quickly identified and froze the two accounts. Unfortunately, all affected assets had been withdrawn hours before we were even contacted by Exmo,” a Poloniex spokesperson told the crypto-focused publication. “We utilize industry-leading software from Jumio, EVS and Elliptic to conduct identification, verification, OFAC, sanctions and transaction tracing. The affected accounts were created more than 4 weeks ago and were fully verified using the aforementioned software and standards.”

 

"Most importantly, we want to assure you that if any user fund is affected by this incident, it will be covered completely by EXMO." "We reported the case to the London police this morning and keep in touch with the Cybercrime team there. We also will conduct a thorough security review that will include all parts of our systems and data." Exmo "[c]ontacted CipherTrace, Chainalysis, and Crystal to mark the hackers’ addresses, where the funds came to, as “criminal” and “high risk.” By collaborating with these services, we are making sure the stolen crypto will never get in the hands of innocent users." "To prevent further attacks, the company said, it’s planning to set a third-party custody provider for hot wallets, decrease the level of cryptocurrency they keep in hot wallets to 4% to 7% and to expand and strengthen its security department." "Please mind that users’ account balances remain untouched by the attack. You can check it yourself by logging into the platform."

Exmo stored a relatively large share of customer assets in hot wallets, which according to its own policy ranged between 5% and 10% of total assets. It was therefore fortunate that only 6% was taken rather than 9% or 10%. It was also fortunate that numerous other assets were left untouched: only the top 6 cryptocurrencies were stolen, out of the many dozens of assets listed on the platform.

 

In general, once crypto-assets are taken, one should not expect to recover them. USDT (Tether) and XRP (Ripple) are somewhat centralized assets and have been known to block certain transactions on request; however, this was realized too late. The hackers also managed to withdraw the ETH through Poloniex. BTC and BCH have a high level of liquidity globally, while ZEC is a protocol with built-in privacy designed to restore fungibility, which makes tracing the stolen coins harder.

HOW COULD THIS HAVE BEEN PREVENTED?

While a third-party wallet provider may have a better security protocol in place, this also adds third-party risk and a communication link between the exchange and the provider, which can be breached all the same. The nature of a hot wallet, whose keys must remain online to sign withdrawals, makes it difficult to be certain of its security. Better security can be provided through offline storage with a multi-signature wallet, so that no single key (and no single online system) can move the funds.

 

A hybrid approach may make sense: a smaller amount of funds is kept available for quick withdrawal, while larger withdrawals are handled from an offline multi-signature wallet a few times a day. It would also be recommended that the quick-withdrawal funds not be drawn from customer funds, or that they be protected by some form of insurance.
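As an added illustration of the hybrid approach above (this is not EXMO's system or code; the balances, the 2-of-3 quorum and the instant-withdrawal limit are constructed assumptions), the following Python model routes small withdrawals through a hot wallet capped at a fixed share of total assets and batches the rest for multi-signature settlement from cold storage, so that a hot-key compromise is bounded by the cap:

```python
from dataclasses import dataclass, field


@dataclass
class Treasury:
    """Constructed model of a hybrid hot/cold exchange treasury (single asset)."""
    cold: float                 # balance held offline behind M-of-N multisig
    hot: float                  # balance on the online withdrawal wallet
    hot_cap: float = 0.07       # max hot share of total assets (page's 4%-7% target)
    instant_limit: float = 0.5  # largest withdrawal served instantly (assumed policy)
    quorum: int = 2             # signers needed to release cold funds (assumed 2-of-3)
    queued: list = field(default_factory=list)

    def total(self) -> float:
        return self.cold + self.hot

    def hot_share(self) -> float:
        return self.hot / self.total()

    def request_withdrawal(self, amount: float) -> str:
        """Serve small requests from the hot wallet; queue the rest for batch settlement."""
        if amount <= self.instant_limit and amount <= self.hot:
            self.hot -= amount
            return "hot"
        self.queued.append(amount)
        return "queued"

    def settle_batch(self, signers: set) -> float:
        """Periodic offline settlement: pays the queue only if the multisig quorum signs."""
        if len(signers) < self.quorum:
            raise PermissionError("multisig quorum not met")
        paid = sum(self.queued)
        if paid > self.cold:
            raise ValueError("cold wallet cannot cover batch")
        self.cold -= paid
        self.queued.clear()
        return paid

    def rebalance(self, signers: set) -> float:
        """Bring hot to hot_cap of total: sweep excess to cold freely, but a top-up
        releases cold funds and so needs the quorum. Returns the amount moved into hot."""
        delta = self.hot_cap * self.total() - self.hot
        if delta > 0 and len(signers) < self.quorum:
            raise PermissionError("multisig quorum not met")
        delta = min(delta, self.cold)
        self.cold -= delta
        self.hot += delta
        return delta

    def worst_case_loss(self) -> float:
        """If the hot wallet keys leak, the loss is bounded by the hot balance."""
        return self.hot
```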

 

Sources And Further Reading

Crypto Exchange Exmo Loses 5% of Assets in Hack - The Chain Bulletin (May 12)
UK Crypto Exchange EXMO Says $4M of Hacked Funds Was Through Poloniex - CoinDesk (May 15)
EXMO Exchange Now Says It Lost 6% of Total Crypto Assets in Monday's Hack - CoinDesk (May 15)
London crypto exchange Exmo hacked (May 15)
Crypto exchange EXMO hacked, appears to have lost $10.5 million worth of funds (May 15)
Important! Security Incident Update | EXMO Info Hub (May 15)
Withdrawals/deposits for 11 cryptocurrencies are available again | EXMO Info Hub (May 15)
Withdrawals/deposits for 30+ cryptocurrencies are restored | EXMO Info Hub (May 15)
USDT ERC20, DASH and LTC Withdrawals/Deposits Are on Again | EXMO Info Hub (May 15)
Ripple Withdrawals/Deposits Are on Again | EXMO Info Hub (May 15)
Fiat, BTC and BCH withdrawals/deposits are already available | EXMO Info Hub (May 15)
Security Incident Update: Further Steps | EXMO Info Hub (May 15)
About EXMO Crypto Exchange (May 15)
Customer funds stolen in hack of UK cryptocurrency exchange EXMO - SiliconANGLE (May 15)
EXMO Hackers Cashed Out $4 Million Using Poloniex | Finance Magnates (May 15)
Exmo hackers withdraw part of stolen funds via Poloniex, exchange confirms (May 15)
Exmo crypto exchange suffers hack, halts all withdrawals (May 15)
UK Crypto Exchange Exmo Hacked, Estimates Presume Platform Lost $10.5 Million – Security Bitcoin News (May 15)
CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 20)
SlowMist Hacked - SlowMist Zone (Jun 26)

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.