$91 350 000 USD

AUGUST 2021

JAPAN

LIQUID

DESCRIPTION OF EVENTS

"Founded in 2014, Liquid is one of the world's largest cryptocurrency-fiat exchange platforms serving millions of customers worldwide." "Liquid’s mission is to build a secure and modern-day cryptocurrency ecosystem for traders and consumers to learn, grow, and leverage the benefits of financial freedom that blockchain technology enables."

 

"We are consistently ranked among the top 10 cryptocurrency exchanges globally based on daily traded spot volume with deep BTC/JPY liquidity. We are focused on providing a great user experience & world-class service levels." "Buy and sell Bitcoin, Ethereum, XRP and many other cryptocurrencies with fiat or crypto." "Trade our spot and margin markets with advanced funding options, lightning fast execution and deep liquidity." "We accept deposits of major fiat currencies including USD, JPY, EUR, SGD, HKD, and AUD."

 

"We manage digital assets using a combination of cold wallets & Multi-party computation (MPC) technology." "We use the latest technologies to keep your funds safe, and stay ahead of vulnerabilities and exploitation attempts." "Using multi-party computing we are able to offer fast round-the-clock withdrawals while maintaining our rigorous security standards."

 

"On August 18, hackers stole a little over $90M in more than 69 different cryptocurrencies and tokens from Japan-based exchange Liquid Global." "The hacker managed to steal funds in BTC, ETH, TRX, and XRP."

 

"London-based blockchain analysis firm Elliptic said digital addresses identified by Liquid as belonging to the thief had totalled over $94 million, including $45 million in tokens connected to the Ethereum blockchain."

 

"At roughly 7:50 AM SGT on August 19th, Liquid’s Operations and Technology teams detected unauthorized access of some of the crypto wallets managed at Liquid."

 

"A total of approximately 91.35mm USDe of crypto assets were moved out of Liquid wallets by an unauthorized party."

 

"In response to the compromise, Liquid said it is moving all assets into cold storage wallets for the time being. In addition, they suspended deposit and withdrawal services. The exchange also said they’re, “currently tracing the movement of the assets and working with other exchanges to freeze and recover funds.”"

 

"We are sorry to announce that #LiquidGlobal warm wallets were compromised, we are moving assets into the cold wallet. We are currently investigating and will provide regular updates. In the meantime deposits and withdrawals will be suspended."

 

"The culprit or culprits behind the attack haven’t been identified yet; however, according to Liquid’s blog (in Japanese), the attack vector could be traced back to a compromised wallet used by its Singaporean subsidiary QUOINE."

 

"This time, the MPC wallet (used for warehousing / delivery management of cryptographic assets) used by our Singapore subsidiary QUOINE PTE was damaged by hacking. The impact on us is currently being confirmed."

 

"Liquid Exchange used MPC technology provided by Israel-based Unbound Security, according to two sources familiar with the arrangement. Unbound is a highly respected cryptography company that is backed by Goldman Sachs and used by JPMorgan Chase in its Onyx blockchain-based services."

 

"According to Shaulov, Thursday’s attack on Liquid was probably related to a hack into the exchange’s system last November, when an attacker gathered data about the firm’s security setup."

 

“Although the attack was on their hot wallets that are based on MPC, my assumption is that this has nothing to do with MPC vulnerabilities,” Shaulov told CoinDesk.

 

"In Shaulov’s opinion, the exchange’s security policy was likely designed in such a way that the original hacker was able to bypass its entire approval process and instruct the wallets to withdraw coins, without affecting the private key."

 

“In my business, nothing is zero percent,” Shaulov said. “But the chances that the hacker was able to figure something out with Unbound’s MPC protocol are very, very slim.”

 

"Tal Be’ery, chief security officer of the MPC-powered ZenGo wallet, shared that view."

 

“Most likely it’s not the MPC, but some other problem,” he told CoinDesk via Telegram. “MPC enables users to effectively reduce the risk of key stealing by the factor of the different parties. So it can be 2X harder, 3X harder, etc., but not impossible.”

 

"16.13mm USDe of ERC-20 assets have been frozen (disabled for onchain movement) due to the assistance of the crypto community and other exchanges." "While about $16 million in assets from more centralized tokens have already been frozen according to Liquid, an analysis of the flow of funds shows that the hacker continues to swap stolen ERC-20 tokens for ETH and wETH through decentralized exchanges (DEXs). Swapping more centralized tokens into ETH will hedge against the possibility of additional frozen funds, while swapping into wETH will facilitate additional swaps."

 

"In total, the Japanese exchange platform estimates that 69 various cryptocurrency assets were misappropriated and forwarded to other exchanges or DeFi swapping venues."

 

"Two days after the hack, 6,005 of the ETH received in these swaps (worth almost $20 million) were sent to Tornado Cash, a cryptocurrency mixer that specializes in obfuscating transactions on the Ethereum blockchain."

 

"So far, we became aware of nine more addresses by the unauthorized party. We will be continuing to monitor the movement of funds with the support of other exchanges and partners."

 

"Liquid’s teams are still assessing the attack vector used and taking measures to mitigate the impact to users."

 

"On the day of the attack, we identified the attack vector used to gain unauthorized access to our MPC wallets, at which point we immediately resolved the breach."

 

"Deeper investigation into the attack and the identification of the responsible parties is ongoing. We are in contact with the relevant authorities in both Japan and Singapore regarding this incident."

 

"We have completed setting up our new MPC infrastructure with heightened security, and are now in the process of testing and migrating our assets to the new secure vaults. We expect to restore services early next week." "The process of testing and migrating our assets to the new MPC vaults is still underway. Additionally, we are liaising with external vendors to validate the security of the infrastructure further."

 

"We want to reassure our users that they will not suffer any loss due to the incident that took place on the 19th of August. There will be no impact on user balances at Liquid." "We would also like to reassure our customers that personal data was not compromised in any manner during the incident."

 

"We would like to announce the start of the gradual resumption of crypto deposit and withdrawal services on Liquid. Our main priority was to make certain we resumed in a safe and secure manner, and we appreciate your patience in this regard."

 

"FIO address services are back to being operational. You can use your FIO address for sending and receiving cryptocurrency."

 

"We want to reiterate that users should generate new deposit wallet addresses before transacting. The deposit addresses for all currencies are being changed as a security precaution."

 

"Liquid’s teams have yet to release a postmortem detailing the attack vector used by the hacker."

Liquid is one of the largest exchanges globally. Hackers gained access to its warm wallets and withdrew all of their assets, most likely by simply requesting a series of withdrawals once they were inside the system. Although the wallets used multi-sig, every factor was evidently breached by the same attacker, which suggests the factors shared a common interface (a "joke multisig"). Liquid has been gradually re-enabling deposits and withdrawals, and most assets are now back online. It plans to fully compensate all affected users.

HOW COULD THIS HAVE BEEN PREVENTED?

Multi-sig matters because it separates the breach factors: a system in which all factors share a common interface or security setup provides no additional protection over a single key. The most secure form of storage is a multi-sig in which each key is held by a separate trusted and reputable person, but even online systems can be made more secure by requiring approval from separate systems with independent security setups. If there is a single interface anywhere that can approve a withdrawal on its own, the multi-sig is defeated.
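An added illustration of the argument above, not code from this page or from Liquid: a toy 2-of-3 approval model in which the signers, secrets, allowlist and addresses are all constructed placeholders. The "joke multisig" case drives every signer through one shared secret with no destination policy of its own; the independent case gives each signer its own credential and its own allowlist, so one stolen factor is not enough.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Signer:
    name: str
    credential: str                        # secret held only by this signer's system
    allowlist: Optional[frozenset] = None  # None = signs for any destination

    def approves(self, presented: str, dest: str) -> bool:
        # An independent signer re-checks the request itself; it never
        # trusts another system's verdict that the withdrawal is fine.
        if presented != self.credential:
            return False
        return self.allowlist is None or dest in self.allowlist


def withdrawal_authorized(signers, creds: dict, dest: str, threshold: int) -> bool:
    """creds maps signer name -> credential the requester is able to present."""
    approvals = sum(s.approves(creds.get(s.name, ""), dest) for s in signers)
    return approvals >= threshold


# Constructed sample addresses (placeholders, not real chain addresses)
TREASURY = "0xCONSTRUCTED_TREASURY"
ATTACKER = "0xCONSTRUCTED_ATTACKER"


def joke_multisig_outcome() -> bool:
    # 2-of-3 on paper, but all three signers are driven through one orchestrator
    # holding a single shared secret, and none enforces a destination policy.
    shared = "orchestrator-secret"
    signers = [Signer(n, shared) for n in ("a", "b", "c")]
    stolen = {n: shared for n in ("a", "b", "c")}  # one breach yields every factor
    return withdrawal_authorized(signers, stolen, ATTACKER, threshold=2)


def independent_multisig_outcome() -> tuple:
    # 2-of-3 with separate credentials and each signer enforcing its own allowlist.
    signers = [Signer(n, f"secret-{n}", frozenset({TREASURY})) for n in ("a", "b", "c")]
    one_breach = withdrawal_authorized(signers, {"a": "secret-a"}, TREASURY, 2)
    every_cred = {n: f"secret-{n}" for n in ("a", "b", "c")}
    bad_dest = withdrawal_authorized(signers, every_cred, ATTACKER, 2)
    legit = withdrawal_authorized(signers, every_cred, TREASURY, 2)
    return one_breach, bad_dest, legit  # (False, False, True)
```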

 


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.