LCX Exchange Hot Wallet Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 16:44, 22 August 2023 by Azoundria (talk | contribs) (Another 30 minutes complete. Prevention added and much more research.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

LCX Exchange

LCX Exchange is a centralized cryptocurrency exchange based in Liechtenstein. In an incident, their hot wallets were breached and significant funds were taken. While EURe stablecoins were recovered, most funds were cashed out through TornadoCash. Withdrawals have been enabled again on the platform. It's unclear if funds have been restored.

This exchange or platform is based in Liechtenstein, or the incident targeted people primarily in Liechtenstein.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]

About LCX Exchange

Founded in 2018, LCX Exchange operates as a centralized exchange and is registered as LCX AG in Liechtenstein[16]. The platform is tailored towards professional investors, but it does not permit trading for US investors[16]. LCX offers a blockchain ecosystem that encompasses various services, including the LCX Vault for crypto custody, a cryptocurrency exchange, a decentralized exchange (DEX) named Tiamonds, and its own initial coin offering (ICO) launched LCX Token[16].


"Digital Asset Revolution. The Future Will Be Tokenized. LCX is a regulated trading venue offering a range of digital currencies. Join our compliant token sales – get access to new and fast growing tokens first." "Domiciled in Liechtenstein, LCX operates a regulated crypto exchange, a decentralized exchange aggregator, and a token sale platform."

"LCX is a new kind of global financial technology company." "LCX.com is a fintech company that focuses on tokenization of assets, utility and security token offerings and advanced trading tools. LCX, the Liechtenstein Cryptoassets Exchange, is based in Liechtenstein, operates in accordance with the new blockchain laws and has introduced a comprehensive crypto compliance suite."

"The LCX Exchange is a regulated trading venue offering a range of digital currencies. The cryptoassets trading platform has been built from the ground up, leveraging the proficiency of our progressive crypto portfolio desk, LCX Terminal, LCX DeFi Terminal and our sophisticated crypto compliance suite." "LCX, the Liechtenstein Cryptoassets Exchange, is pioneering a blockchain infrastructure bridging the traditional monetary system and the fast-moving trusted technology landscape."

"Since 2013 the founder of LCX, Monty C. M. Metzger, has been evangelizing global leaders about the disruptive impact of blockchain technology and cryptocurrencies. At the same time, his venture capital fund Digital Leaders Ventures was unable to participate and invest – as the regulatory framework and the institutional grade platforms have been missing."

"Frustrated by the lack of solutions for professional investors, the idea of LCX was born. On November 27, 2017 at the heart of #CryptoValley at Zug, Switzerland, Monty wrote the basic idea on this napkin."

Legal Entity Registration

"LCX is a member of the World Economic Forum C4IR and had been named Blockchain Pioneer by the Blockchain Research Institute. LCX AG was founded in 2018 with headquarters in Vaduz (Liechtenstein) and branches in Crypto-Valley Zug (Switzerland) and New Delhi (India). In 2020 LCX has gained regulatory approval of 8 registrations in accordance to the blockchain laws by the Financial Market Authority Liechtenstein under Registration Nr. 288159."

"The LCX token is issued by LCX AG in accordance with laws and regulations in Liechtenstein." It's “a long-term sustainable incentive mechanism to motivate various stakeholders to participate in the ecosystem.” "According to assessments by legal firms, the LCX token can be classified as a utility token in the US, Singapore, and Liechtenstein law."

"Crypto exchange LCX has been granted eight out of the 11 crypto-related licenses in Liechtenstein, expanding its security-token services and allowing the company to continue operating in the region. The licenses make LCX a regulated crypto exchange, digital asset custody provider, price oracle provider, digital asset compliance provider, smart-contract creator and token-offering platform, said LCX CEO Monty Metzger."

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"LCX AG has suffered a security breach that has seen one of its hot wallets compromised." "At 11:23 PM CET on Jan. 9th 2022, LCX’s Technology team detected unauthorized access of one crypto wallet. A total of approx. 7.94M USD of crypto assets were stolen. 0.7M USD have been frozen," the exchange detailed in a report."

LCX’s Technology team detected unauthorized access of one crypto wallet at the LCX platform.

Key Event Timeline - LCX Exchange Hot Wallet Hack
Date Event Description
January 8th, 2023 3:23:00 PM MST Start Of Theft The attack took place "January 8th 2022 between 11:23 PM and 11:37 PM CET".
January 8th, 2023 3:37:00 PM MST End Of Theft The attack took place "January 8th 2022 between 11:23 PM and 11:37 PM CET".
January 9th, 2023 3:23:00 AM MST LCX Team Detects Unauthorized Access "LCX’s Technology team detected unauthorized access of one crypto wallet at the LCX platform."[15]
January 28th, 2022 Final Update

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?


On January 8th, 2022, LCX, a Liechtenstein-based exchange, experienced a hack in which funds were stolen from one of its hot wallets[16]. The stolen funds were transferred to an address controlled by unknown hackers[16]. The attack occurred at 10:23 pm GMT, during which the hackers rapidly drained LCX's hot wallet, taking various cryptocurrencies including USDC, SAND, LINK, QNT, ENJ, ETH, and MKR[16].

The hackers efficiently converted the stolen assets to ETH using popular DeFi services within a remarkably short time frame. For instance, over $3.4 million USDC was converted to ETH within just 16 minutes[16]. All stolen funds were converted within 45 minutes from the initial outbound transfer[16].

By 11:12 pm GMT, the hackers had moved the converted ETH to Tornado.Cash, a mixing service often used to obscure the origins of stolen assets on the Ethereum blockchain[16]. It's notable that the hackers employed multiple ETH contracts on Tornado, even though this wasn't strictly necessary mathematically[16]. The entire process, from the theft to depositing at Tornado, was accomplished within 1.5 hours of the initial hack, resulting in an earning rate of around $5.33 million per hour for the hackers[16].


Data Provided About Vulnerability

"LCX AG has suffered a security breach that has seen one of its hot wallets compromised." "At 11:23 PM CET on Jan. 9th 2022, LCX’s Technology team detected unauthorized access of one crypto wallet. A total of approx. 7.94M USD of crypto assets were stolen. 0.7M USD have been frozen," the exchange detailed in a report."

"On the day of the attack, we identified the attack vector used to gain unauthorized access to only one of our hot wallets. Our tech team was able to take actions immediately to secure our platform and additional assets. The early incident analysis shows that our cyber security efforts are well structured and secure. Our main server infrastructure, data storages, wallet management and vaults have not been accessed and have not been compromised. The investigation and the identification of the responsible parties is ongoing. We also have identified additional wallet addresses used by the unauthorized party. However, we have been advised to not publicly disclose the ongoing tracking activities at this point in time."

Tornado Cash Mixing Of Funds

"By 11:12 pm GMT, the hackers swiftly moved converted ETH to Tornado.Cash, a mixing service often used to anonymize stolen assets on the Ethereum blockchain. Interestingly, the hackers used the 100, 10, and 1 ETH contracts on Tornado, a move that was not necessarily required arithmetically. In total, the operation from theft to deposit at Tornado was complete within 1.5 hours of the initial hack, earning the hackers roughly $5.33 million per hour."

Total Amount Lost

The total amount lost has been estimated at $7,940,000 USD.


A total of approx. 7.94M USD of crypto assets were stolen. 0.7M USD have been frozen," the exchange detailed in a report."


"The transfer occurred at approximately 10 pm UTC on Jan. 8, 2022. The losses, according to Peckshield, total $6.8M. Most of the losses incurred included $3.4M worth of USDC, $2.2M worth of LCX, $504K worth of ETH, $468K worth of SAND, $114K worth of QNK, $47.4K worth of LINK, $10.8K worth of ENJ, and $9.7K worth of MKR."

Cryptocurrency (approx. USD value according to Coingecko):[15]

  • 162.68 ETH (502,671 USD)
  • 3,437,783.23 USDC (3,437,783 USD)
  • 761,236.94 EURe (864,840 USD)
  • 101,249.71 SAND Token (485,995 USD)
  • 1,847.65 LINK (48,557 USD)
  • 17,251,192.30 LCX Token (2,466,558 USD)
  • 669.00 QNT (115,609 USD)
  • 4,819.74 ENJ (10,890 USD)
  • 4.76 MKR (9,885 USD)

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?


Reported Immediate Reactions

LCX reports that they took several immediate actions[15]. To further reduce any damages we have taken immediate measures:

  • Pausing deposit and withdrawal functionality LCX platform.
  • Start of internal analysis and evaluation.
  • First public report @LCX Twitter.
  • Second public report @LCX Twitter.
  • Informed Monerium, Liquid Global and other partners, action has been taken.
  • Informed our compliance partner Elliptic.
  • Informed Etherscan. Hacker Wallet has been marked.
  • Detailed report sent to several Liechtenstein authorities.

Attack Vector Identified During Attack

"On the day of the attack, we identified the attack vector used to gain unauthorized access to only one of our hot wallets. Our tech team was able to take actions immediately to secure our platform and additional assets. The early incident analysis shows that our cyber security efforts are well structured and secure. Our main server infrastructure, data storages, wallet management and vaults have not been accessed and have not been compromised. The investigation and the identification of the responsible parties is ongoing. We also have identified additional wallet addresses used by the unauthorized party. However, we have been advised to not publicly disclose the ongoing tracking activities at this point in time."


Wallet Suspensions and Announcement

"Service Notice: We noticed a security incidence at our platform. We are currently investigating and will provide regular updates. User funds are safe! In the meantime deposits and withdrawals have been suspended."

"Liechtenstein-based crypto exchange LCX has confirmed the compromise of one of its hot wallets after temporarily suspending all deposits and withdrawals on the platform." "We are sorry to announce that one of our hot wallets had been compromised. We have taken security measures to protect other wallets and assets."

"They made the announcement on Twitter and have assured customers that they have taken security measures to protect other wallets and assets. Deposits and withdrawals are currently suspended. Ethereum tokens such as ETH, USDC, EURe, the native LCX token, and others have been transferred to the hacker ETH wallet"


"In partnership with financial technology company Monerium, LCX froze (disabled for onchain movement) around 611,000 stolen EURe tokens (worth around USD 692,000)."


"By 11:12 pm GMT, the hackers swiftly moved converted ETH to Tornado.Cash, a mixing service often used to anonymize stolen assets on the Ethereum blockchain. Interestingly, the hackers used the 100, 10, and 1 ETH contracts on Tornado, a move that was not necessarily required arithmetically. In total, the operation from theft to deposit at Tornado was complete within 1.5 hours of the initial hack, earning the hackers roughly $5.33 million per hour."


"The LCX token has been down 9.8% in the last 24 hours."

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?


Final Update January 28th

Deposits and withdrawals were enabled on January 27th for most assets, with Monerium deposits and withdrawals resumed the following day.

"We are happy to announce that all deposit and withdrawal services have resumed 100% operations. Also deposit and withdrawal services of EUR in collaboration with Monerium have resumed." “During this difficult period, we greatly appreciate the support from our customers, other exchanges, security experts, and the broader crypto community.”



Total Amount Recovered

EURe tokens have been recovered, however it appears that all other funds have been lost.

There do not appear to have been any funds recovered in this case.


"In partnership with financial technology company Monerium, LCX froze (disabled for onchain movement) around 611,000 stolen EURe tokens (worth around USD 692,000)."


Ongoing Developments

"LCX has not yet revealed any possible solution to help return the stolen funds. The exchange has only mentioned its security measures to secure other wallets and assets." The exchange has not yet disclosed plans for any kind of reimbursement, but insisted that it would "do everything in its power to mitigate the impact from this incident and restore full service as soon as possible." "It has also halted deposit and withdrawal functionalities."


An organization called TRM Insights is actively monitoring the fund flow to aid recovery efforts as relevant[16].

Individual Prevention Policies

Individuals can prevent this loss through minimizing their use of third party platforms for storage of funds, and keeping most funds safe in a proper offline storage.

When using any third party custodial platform (such as for trading), it is important to verify that the platform has a full backing of all assets, and that assets have been secured in a proper multi-signature wallet held by several trusted and trained individuals. If this can't be validated, then users should avoid using that platform. Unfortunately, most centralized platforms today still do not provide the level of transparency and third party validation which would be necessary to ensure that assets have been kept secure and properly backed. Therefore, the most effective strategy at present remains to learn proper self custody practices and avoid using any third party custodial platforms whenever possible.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

It is unclear what level of third party security validation the LCX platform underwent. A more secure infrastructure would require multiple operator signatures on any large withdrawals.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

The establishment of an industry insurance fund could work to prevent loss throughout the industry, and incentivize greater security.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

It is unclear what level of third party security validation the LCX platform underwent. Greater validation would have resulted in a higher likelihood of catching issues.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

The establishment of an industry insurance fund could work to prevent loss throughout the industry, and incentivize greater security.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Rekt - LCX - REKT (Feb 8, 2022)
  2. LCX – Buy, Sell & Trade Cryptocurrency at LCX's Regulated Exchange (Feb 16, 2022)
  3. About LCX | Liechtenstein Cryptoassets Exchange (Feb 17, 2022)
  4. LCX loses $6.8M in a hot wallet compromise over Ethereum blockchain (Feb 17, 2022)
  5. @peckshield Twitter (Feb 17, 2022)
  6. @lcx Twitter (Feb 17, 2022)
  7. https://beincrypto.com/lcx-exchange-hacked-6-8m-transferred-to-hackers-wallet/ (Feb 17, 2022)
  8. https://etherscan.io/address/0x165402279f2c081c54b00f0e08812F3fd4560a05 (Feb 17, 2022)
  9. https://www.crunchbase.com/organization/lcx (Feb 17, 2022)
  10. LCX Exchange Gets Licensed in Liechtenstein to Help Banks Create Their Own Digital Assets - CoinDesk (Feb 17, 2022)
  11. LCX Loses USD 8M in a Hot Wallet Hack (Feb 17, 2022)
  12. LCX Exchange Loses $6.8M in Hot Wallet to Hackers Amid BTC Crash - CoinQuora (Feb 17, 2022)
  13. @lcx Twitter (Feb 17, 2022)
  14. @peckshield Twitter (Feb 17, 2022)
  15. 15.0 15.1 15.2 15.3 Hot Wallet Incident Report - LCX (Feb 17, 2022)
  16. 16.00 16.01 16.02 16.03 16.04 16.05 16.06 16.07 16.08 16.09 16.10 16.11 Exploit radar: LCX Hot Wallet Hack - TRM Insights (Feb 17, 2022)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=LCX_Exchange_Hot_Wallet_Hack&oldid=4905"