KUCOIN

DESCRIPTION OF EVENTS

"Behind KuCoin are two tech geeks who were early blockchain adopters. Having started coding at the age of 8 and founded his first startup at the age of 16, Michael heard about Bitcoin in 2012 from his boss Eric, and immediately started to mine. While he tried to sell some BTC on Mt. Gox, he discovered that, what was the world's largest platform at the time, was difficult for beginners to use. As the adoption of blockchain continued, Michael and Eric realized that it was reshaping the financial system, building a new system that not only serves the few richest, but everyone in the world - even the uneducated, unemployed and unbanked. By the end of 2013, they wrote down the first code in a cafe, beginning the journey of People’s Exchange to allow everyone to get involved with crypto."

"KuCoin is a well-known name in the crypto industry as it managed to establish itself as a prominent one-stop shop for all sorts of crypto operations. Launched in August 2017, the exchange has over 200 cryptocurrencies, more than 400 markets, and has grown into one of the most colorful crypto hubs online."

"The KuCoin platform was designed for investors of all types, with 24/7 world-class services in your preferred channel and language." "KuCoin is the most advanced and secure cryptocurrency exchange to buy and sell Bitcoin, Ethereum, Litecoin, TRON, USDT, NEO, XRP, KCS, and more."

"KuCoin boasts one of the world's most sophisticated security technology and maintenance team, and is constantly upgrading our security systems to ensure the safety of user assets and accounts."

"On 25 September, US $281 million in cryptoassets were stolen from KuCoin, a crypto exchange in Asia." "The exchange reported the breach at 19:05 UTC time on Friday when an unknown wallet initiated withdrawals of Bitcoin (BTC) and Ethereum (ETH)." "This is the third-largest theft ever to be suffered by a crypto exchange. A broad range of assets were taken, including Bitcoin, XRP, Litecoin, and a number of other tokens."

"The KuCoin security team noticed the breach and abnormal transactions two hours prior, at 02:51 AM, thinking it would be easy to solve. However, after shutting down the servers, they noticed that assets kept flowing outward, indicating that their hot wallet’s private key had been compromised."

"The assets in our cold wallets [we]re safe and unharmed, and hot wallets [were quickly] re-deployed." "[KuCoin Global CEO Johnny Lyu] mentioned that, according to the latest internal security audit report, part of the Bitcoin, ERC-20 and other tokens in KuCoin’s hot wallets were transferred out of the exchange" “approximately US $152 million was made up of Ethereum-based tokens (ERC20s), including Tether (USDT), Chainlink (LINK), and Ocean Protocol (OCEAN).”

"In a live stream on 4:30 UTC time Saturday, KuCoin CEO Johnny Lyu said that one or more hackers obtained the private keys to the exchange’s hot wallets." "KuCoin has been able to quickly identify all culprit wallets, and the amounts sent to them, specifically: 14,713 BSV, 26,733 LTC, 18,495,798 XRP and 999,160 USDT, along with over 1,008 BTC, 9,588,383 XLM, and 199,038,936 TRX."

"Token issuers such as Ocean Protocol and Tether began to freeze balances or forcibly move funds, so that KuCoin could retrieve the stolen assets." "[O]n September 30, Kucoin said it had managed to recover about $140 million after ten projects cooperated with it by either swapping or replacing the stolen tokens."

"Elliptic says the Kucoin hacker has sold $17.1 million worth of tokens via decentralized exchanges (dex) platforms like Uniswap, Kyber Network, Tokenlon. The shift to dex applications comes after centralized projects came to the aid of the beleaguered exchange by blocking any cashing out of the hack related funds." KuCoin has also been "in contact with a growing number of crypto platforms including Binance, Huobi, OKEx, Bybit, Upbit, Bibox, Gate, MXC, BitMax, BigONE, BKEX, BitZ, HBTC, Hoo, Crypto.com, Bingbon, Renrenbit, LBank, Max/Maicoin, CoinW and more to blocklist suspicious addresses and trace the funds affected." "Tether and several cryptocurrency assets and exchanges such as Bitfinex have blacklisted the wallet addresses, according to the updated statement."

"With $140 million now recovered while $17.1 million is already lost, it remains to be seen if the remaining $124 million, which is dominated in censorship-resistant cryptocurrencies, can be recovered."

"Hot wallets are said to have been redeployed after the hackers obtained the previous ones’ private keys, with cold wallets being unaffected by the breach." "KuCoin transferred what was left in them to new hot wallets, abandoned the old ones and froze customer deposits and withdrawals, Lyu said." "Moreover, a thorough security review will be conducted to ensure that remaining customer assets are intact and secure. KuCoin reported that deposit and withdrawals will be suspended during this period, after which the service will be gradually restored."

"After announcing the security breach, KuCoin’s token, KCS, fell in price by 14% within an hour. International law enforcement will join KuCoin in investigating the stolen funds and the public will be regularly updated on the development of the situation."

"After a thorough investigation, we have found the suspects of the 9.26 #KuCoin Security Incident with substantial proof at hand. Law enforcement officials and police are officially involved to take action." "With great support from our partners of the industry, another $64 million in assets are now out of the control of the suspicious addresses, bringing the total value to $204 million since Oct 1."

"Despite the security breach, KuCoin reassured consumers that their funds were safe." KuCoin has assured users that "user fund[s] affected by this incident ... will be covered completely by KuCoin and [their] insurance fund." "The CEO of KuCoin said that they may have found evidence of the hacker responsible for the massive security breach."

"A big thank you to all the institutions & individuals who are supporting us during the critical time."

The KuCoin platform suffered a hot wallet breach, where hundreds of millions of dollars were stolen from their hot wallets. Some of the funds were recovered through working with centralized blockchains and platforms to blacklist the coins, however the thieves still successfully kept a significant haul. KuCoin has assured all customers that they will fully cover their losses with operating revenue.

HOW COULD THIS HAVE BEEN PREVENTED?

Third party reviews by security experts can often detect issues and help improve the design of hot wallets, and we recommend the opinions of at least 2 experts before starting, however these are not foolproof. Ultimately, lowering the level of funds in the hot wallet can reduce the risk considerably, and we propose an industry insurance fund which can assist in cases like this, though platform self-insurance would also help in a subset of cases such as this one.

Check Our Framework For Safe Secure Exchange Platforms

KuCoin Security Incident Update (Sep 25)
KuCoin CEO Livestream Recap - Latest Updates About Security Incident (Sep 26)
@paoloardoino - Twitter (Sep 26)
KuCoin's CEO: The $150 Million Hack Is "Small" For KuCoin, Insurance Will Cover (Sep 26)
Ocean Protocol Foundation statement regarding the KuCoin hack (Sep 27)
KuCoin thief sells out millions in crypto tokens on decentralized exchanges - but Elliptic can still trace them. (Sep 29)
Kucoin Hack: $17M Laundered Via Decentralized Exchanges, Blockchain Analysis Firm Claims This Can Still be Traced | Security Bitcoin News (Oct 1)
Q3 Ends with BitMEX Fiasco and KuCoin Hack, More to Come? The Crypto Weekly Market Update (Oct 2)
@lyu_johnny - Twitter (Oct 3)
KuCoin CEO: We Have Found Suspects Of The Hack With Substantial Proof (Oct 3)
KuCoin Restarts Deposits, Withdrawals for Bitcoin, Ether Following $281M Hack - CoinDesk (Oct 8)
Rekt - Kucoin - REKT (May 22)
CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 20)
SlowMist Hacked - SlowMist Zone (Jun 26)
https://www.kucoin.com/ (Dec 11)
https://www.kucoin.com/about-us (Dec 11)
KuCoin Exchange Review (2021): Is It Reliable? | (Dec 11)
KuCoin’s hot wallets hit by hack - Crypto Gambling News (Dec 24)
https://www.databreaches.net/hackers-drain-kucoin-crypto-exchanges-hot-wallets/ (Dec 24)
Hackers Breach KuCoin’s Hot Wallets, Steal $150 Million - The Chain Bulletin (Dec 24)
Over $150M Drained in KuCoin Crypto Exchange Hack - CoinDesk (Dec 24)
KuCoin’s Hot Wallet Private Keys Stolen, Estimated $150 Million in Damages - Crypto Briefing (Dec 24)

More case studies

Tomatoes Finance
Permissions Attack

GemSwap "Developer
Attack"