796 Exchange Hack
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
796 was a virtual currency exchange based in China. A hacker exploited vulnerabilities in the exchange to tamper with the withdrawal address of a customer. The customer requested and confirmed a withdrawal. Both the customer and the exchange staff failed to notice the changed withdrawal address, and the withdrawal was therefore approved to be sent to the hacker's wallet. 796 published a report of what happened, and the situation was made right by covering the funds for the customer. No other customers appear to have been affected.
About 796 Exchange
The 796 exchange platform was based in China.
Description by CEO: “in terms of our trading volume and liquidity of Bitcoin futures, we are the world’s biggest exchange,” with the service being called “the world’s most liquid futures and options exchange for Bitcoin and Litecoin.”
CEO: Nelson Yu[1][2] (apparently the president of the American division).
Homepage:[3]
The Reality
The 796 exchange platform had a vulnerability present in their withdrawal module, which could allow an attacker to modify the withdrawal address after a withdrawal had been started.
What Happened
A vulnerability in the withdrawal module allowed modifying the bitcoin withdrawal address of a customer to a similar looking address owned by the attacker. A withdrawal of 1,000 bitcoin from the platform went to the attacker instead of the customer.
Date | Event | Description |
---|---|---|
January 27th, 2015 8:21:00 AM MST | User Requests Withdrawal | 10:21 PM local time in China, a user on the 796 exchange platform requested a withdrawal[4]. |
January 27th, 2015 8:26:00 AM MST | Phone Call Confirmation | Staff of the 796 exchange platform confirmed the withdrawal through a phone call with the customer[4]. |
January 27th, 2015 8:38:00 AM MST | Email Confirmation | The withdrawal was also confirmed through an email, which was apparently done "due to a different IP location"[4]. |
January 27th, 2015 8:50:54 AM MST | Withdrawal Processed Blockchain Transaction | The withdrawal for 1,000 bitcoin was released to the blockchain[4]. A blockchain transaction for 1,000 bitcoin can be found on the blockchain, which is referenced by the 8btc forum thread[5][6]. |
January 27th, 2015 1:50:00 PM MST | Call From Customer About Not Receiving Withdrawal | At 3:50 AM local time in China, the 796 exchange reportedly receives a call from the customer about having not received their requested funds[4]. |
January 28th, 2015 12:37:49 PM MST | 8btc Post About The Incident | The post was captured by the internet archive[7][8]. A screenshot of the post was also shared on Twitter[9]. TBD - Timezone of post assumed to be PST but no way to verify that. |
January 27th, 2015 9:28:35 PM MST | Bitcoin Talk Thread | A thread on Bitcoin Talk discusses the theft[10]. Discussion highlights that the incident occurred when a hacker exploited vulnerabilities in the exchange's withdrawal module, allowing them to tamper with a customer's withdrawal address. The customer's request was confirmed through a phone call and email, but the altered withdrawal address went unnoticed. The exchange promptly reported the incident on social media platform Weibo, explaining the breach and outlining security improvements. The affected user was fully reimbursed with funds from major shareholders, who covered the loss. The use of the stolen funds and subsequent investigation remain unclear[10]. |
January 27th, 2015 11:46:55 PM MST | Reddit Discussion | A discussion thread on Reddit reports that the Bitcoin futures exchange 796 has been hacked, resulting in the loss of 1000 bitcoins[11]. The comments section includes various speculations and criticisms, with some users suggesting that the exchange owners might be fabricating the hacking story to abscond with users' bitcoins. The term "Goxing" is referenced, likely alluding to the infamous Mt. Gox exchange incident. Users express skepticism about the exchange's credibility and advise against using derivatives, emphasizing the risks associated with centralized exchanges. One user recommends decentralized alternatives like the Bitshares exchange. The discussion also touches on the concept of proof of stake (PoS) in blockchain networks[11]. The discussion was subsequently shared on Twitter[12]. |
January 28th, 2015 1:11:00 AM MST | Blogspot Post | A user shared a BlogSpot post about the incident on Twitter[13]. |
January 28th, 2015 5:16:00 AM MST | Weibo Announcement Published | The 796 exchange announces the breach on the social media platform Weibo[4]. The statement from 796 exchange addresses the incident of a user's 1000 BTC withdrawal being stolen. On January 27, 2015, at 22:21 local time, a user requested a withdrawal, which was confirmed by the staff through a phone call at 22:26, and later via email at 22:38, due to a different IP location. After confirmation, the customer service manager initiated the withdrawal at 22:50. When the customer reported the withdrawal did not arrive around 3:50 am, the company investigated and discovered a vulnerability in a recently updated submodule that was exploited by hackers. The attackers manipulated the user's withdrawal address and used a similar address to deceive both the user and the manual review process. The issue was fixed, and additional encryption and monitoring features have been implemented. The exchange, 796, will cover the loss by allocating undistributed profits from major shareholders, who have committed to covering the loss of funds during the transaction. Despite the inherent risks in the cryptocurrency exchange industry, 796 aims to strengthen risk prevention measures and enhance user account fund security monitoring in the future. |
January 28th, 2015 4:51:42 AM MST | CoinTelegraph Article Published | CoinTelegraph publishes an article reporting on the Chinese Bitcoin exchange 796 losing 1,000 BTC of customer funds due to a botched customer service request. A screenshot of the erroneous transaction was posted on 8btc.com, along with an explanation from microblogging site Weibo, allegedly from 796. The statement mentioned that hackers compromised areas of the exchange in preceding days, leading to a user's address being tampered with. The hackers intentionally used a similar address to confuse users. The exchange claimed to have contained the problem and implemented additional security measures. Despite the attack, 796 asserted that its wallet system was not affected, and major shareholders covered the loss of funds during the transaction, emphasizing transparency in its business operations[1]. TBD - Want to get the original article without the platform response. However, it appears to be at a different URL which needs to be determined. TBD - May be more information in this archived version of article:[14] |
January 28th, 2015 7:34:00 AM MST | Comparison To Mt. Gox | A Twitter user reports and compares the situation to Mt. Gox[15]. |
January 28th, 2015 | Date Commonly Associated | The widely reported date of the incident, which actually happened the day prior[16][17]. |
January 29th, 2015 10:08:00 PM MST | Social Engineering Claim | A Twitter user claims that the 796 exchange attack was the result of "social engineering" with a similar bitcoin address[18]. There is a link to a BitxBit.in website, which has subsequently broken and does not appear to be archived. |
February 3rd, 2015 8:17:00 AM MST | Monster Leveraged Sell Order | The platform remains operational. A Twitter user reports on a monster sell order[19]. |
February 3rd, 2015 2:37:37 PM MST | Russian CoinSide Article | Russian cryptocurrency news outlet CoinSide reports a significant loss of 1000 BTC. The information reportedly spread rapidly on the Chinese social network Weibo, thanks to the project's leader, Zhu Rongu. According to the exchange, an unidentified hacker took advantage of a vulnerability on the website, substituting Bitcoin wallet addresses to redirect funds. Nelson Yu, the president of the American division of "796," explained that the service had been dealing with increased hacker activity for the past three months and had recently migrated to a high-security cloud storage. However, this did not prevent the exchange from being compromised in the last 24 hours. The company's security team addressed the issue and resolved the vulnerability. Despite the incident, 796 Exchange aims to maintain transparency and keeps its wallets open for anyone interested in examining their statistics. The news is reposted to Twitter[20]. They include a reference to the CoinTelegraph article from January 28th. |
February 9th, 2015 12:30:00 AM MST | Blockchain Transaction | A link is provided to a blockchain transaction with the label 796[21]. TBD this appears to be an unrelated transaction from October 2014. |
February 15th, 2015 7:57:00 AM MST | Satoshi Trader Post | A Twitter user reports actively trading $16k worth of bitcoin futures on the 796 platform[22]. |
March 11th, 2015 8:14:00 AM MDT | Further Promotion | Third party promotion called "bitcoin billionaire"[23]. |
March 17th, 2015 7:34:00 PM MDT | Historical Futures Data Available | Historical futures data for the 796 exchange platform is reportedly made available[24]. |
March 27th, 2015 7:04:00 PM MDT | CryptoTradingHub Integration | A user shows a screenshot of a CryptoTradingHub integration with the 796 exchange[25]. |
April 4th, 2015 4:30:00 PM MDT | User Confusion Tweet | A Twitter user reports confusion[26], referencing a transaction from October 2013[27]. There is no additional context to the tweet[26]. |
April 17th, 2015 8:31:00 PM MDT | Exchange Offline Report | There is a report on Twitter that the exchange has gone offline[28]. This comes from a Reddit thread[29]. TBD |
February 27th, 2019 11:31:32 AM MST | Inclusion In Kyle Gibson Timeline | Kyle Gibson includes the incident in his "100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents"[16]. |
May 7th, 2019 7:49:57 PM MDT | Inclusion In BitcoinExchangeGuide | The incident is included as a "Hack / Theft" in a published list by BitcoinExchangeGuide.com[17]. |
June 29th, 2019 9:39:37 AM MDT | ChainSec Article Inclusion | ChainSec includes the 796 exchange hack in their timeline[30]. Unlike many other sources, they specify the correct date of January 27th. |
September 26th, 2021 7:09:06 AM MDT | BytWork Inclusion | The incident is included in a list of exchange thefts published by Bytwork[31]. |
January 20th, 2023 1:22:18 AM MST | SelfKey Inclusion | SelfKey includes the 796 exchange hack in their "Comprehensive List of Cryptocurrency Exchange Hacks"[32]. "It was not a good start to the year for cryptocurrency exchanges in 2015. Chinese exchange 796 had its server compromised, and hackers tampered with withdrawal addresses to trick users. It worked, and major shareholders footed the bill so users didn’t have to lose funds themselves." |
Technical Details
The 796 exchange platform suffered from a vulnerability in a submodule of the exchange's withdrawal system. This allowed the withdrawal address to be modified.
Vulnerability In Withdrawal Module
According to sources, the vulnerability was present in a submodule of the exchange withdrawal system[10]. It allowed the withdrawal address to be modified by an external party. Kyle Gibson quoted from an explanation[16].
"According to the explanation, hackers had compromised areas of the exchange in the previous days, which had caused a user “to mention the current address has been tampered with, coupled with hackers deliberately [using] a similar address with the original withdrawals address to confuse users…”
Use Of Vanity Bitcoin Address
It has been suggested in multiple sources that the address to which the withdrawal was ultimately sent was similar to the customer's real wallet address[16]. This suggests that the thief may have made use of a vanity wallet address, generating many candidate addresses until one was found that looked similar enough to the customer's address to pass a visual check.
Confirmation During Withdrawal Time
The company published a detailed report on the incident to Weibo[4]. On January 27, 2015, at 22:21 local time, a user requested a withdrawal, which was confirmed by the staff through a phone call at 22:26, and later via email at 22:38, due to a different IP location. After confirmation, the customer service manager initiated the withdrawal at 22:50. The customer reported the withdrawal did not arrive around 3:50 am.
Laundering Of Funds
Limited details are available on what the attacker did with the funds.
Total Amount Lost
The amount of loss was 1,000 bitcoin[4][32]. This was estimated to be worth $230,000 USD by both Kyle Gibson[16] and BitcoinExchangeGuide[17]. ChainSec estimated the loss at $270,000[30]. The total amount lost is therefore most commonly cited as $230,000 USD.
Immediate Reactions
The 796 platform published a summary of the incident online on the Weibo platform[4][10]. The original post in Chinese was titled "Notes on the theft last night". A potential translation is below.
At 22:21 last night, a user applied for a 1000 BTC cash withdrawal on the 796 exchange. Our staff called at 22:26 to confirm that it was a request from the customer, because the registered IP was from a different area. Email confirmation was requested at 22:38. After confirmation, the customer service manager issued the withdrawal at 22:50. The user made a phone call at about 3:50 in the morning saying that the cash was not received, and I immediately called the relevant person in charge of the company to study the problem. After detailed analysis of various logs and audit records, we found that there was a sub-module updated by the system a few days ago. Hackers attacked the code used, causing users to tamper with their current withdrawals addresses. In addition, the hacker's deliberate use of a withdrawal address similar to the original present address was designed to confuse the user and our division's manual review.
At present, this problem has been repaired, and encryption and monitoring functions have been added. Although cryptocurrency exchanges are often exposed to such risks, the 796 exchange has also been involved in this risk prevention after nearly two years of operation. We will continue to strengthen the monitoring of user account funds security in the future.
The stolen system was used by hackers for problems with the 796 exchange. The 796 exchange will consult with the company’s major shareholders to see about using unallocated profits to cover this loss, which has been reissued. In such a high-risk industry, problems are inevitable, which is why the 796 major shareholders have not received dividends. Before getting the venture capital, we will do our best to ensure the safety of customer assets first. The future is very long. 796 will continue to maintain the principle of openness, fairness, and integrity. Thank you for your support. Thank you for your continued use!
Reactions On Twitter
The exchange faced skepticism and discussions on Twitter and other platforms, with some questioning the credibility of the exchange[10][33].
Ultimate Outcome
There were some ongoing improvements to the security of the 796 exchange, and the incident was widely reported.
796 Exchange Security Improvements
Despite the incident, 796 implemented security measures, and the platform continued its operations with ongoing developments[10]. Nelson Yu provided a further statement to CoinTelegraph[1]:
"We have been constantly monitoring the hacking activities on our servers and 3 months back then we took the precautionary step to migrate our servers to a highly secured cloud site. Unfortunately, that didn’t stop the incident from happening last night. In the last 24 hours, our security team worked around the clock to trace back the codes and processes. At this moment, we have a pretty good idea of exactly how they did it. This was not a generalized attack. The hacker’s strategy was precisely calculated and well targeted to compromise a certain weakness on our server.
Anyways, I would like to emphasize that 796 intends to keep our business as transparent as possible to our customers and shareholders. You can always find the public addresses of our wallets and our monthly revenue numbers on our website. If you do the math, you can always keep track of how our business is going. This spirit goes to all levels in our organization. Once the loss was verified, our CEO, Zhu Rong, posted an announcement on his Weibo at his soonest possible time. This is how we commit to our customers and we make sure this will continue as long as our organization exists.
Precisely speaking, the wallet system is not affected at all in this event. The theft happened during the transaction of the fund. That’s where the hacker attacked.
Due to this nature, major shareholders have carried out their obligation to our customers in covering this loss of fund. The remedy came from the major shareholders’ unpaid dividend."
Wide Publication Of Incident
The incident was included as an exchange hack in multiple references including the BitcoinExchangeGuide[17] and a list of incidents published by Kyle Gibson[16]. The incident has also been included in the book Blockchain: A Hype or a Hoax?[34].
In most cases, the incident has only been given a brief mention.
Users Avoiding Third Party Platforms
Many users indicated that they would avoid using third party platforms as a result of this situation[35].
and no offense guys but if you are still like how I was 2 months ago you need to get it together, take your coin out of these exchanges and store them into a paper wallet. Purchase a new computer and run bitaddress on it not connected to the internet, when you are done, burn the laptop. I used a little 300 dollar laptop if you have as much coin as I do you don't mind throwing 300 to save 30000.
Total Amount Recovered
The affected user was fully reimbursed with funds from major shareholders, who covered the loss[1][4][10].
Ongoing Developments
The exact use of the stolen funds and any subsequent investigation remain unclear[10].
Individual Prevention Policies
This situation can be avoided by always double checking the destination address before confirming a withdrawal. With this large an amount of money at stake, a test transaction is a must.
Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
This type of attack is rare and limited. The best defense is to limit withdrawal addresses to those on a whitelist. In order to add a new withdrawal address, a test transaction needs to be completed using the address, with the customer indicating that they received the funds. A third party can inspect the withdrawal process for any vulnerabilities to ensure it's resilient. In the event of an exploit, an industry insurance fund could assist.
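The following is an added example, not code from 796 or any of the cited sources, showing in Python the two platform-side controls described above together with the lookalike-address pattern from the Technical Details section: the details confirmed by phone and email are bound with an HMAC so that a change to the stored address between confirmation and release is detected, and an address that is not on the customer's whitelist but shares the leading and trailing characters of a known address is refused and flagged for the reviewer. The addresses, user id and server key are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Per-deployment secret; generated fresh here for the example.
SERVER_KEY = os.urandom(32)

# Constructed sample addresses (not valid Bitcoin addresses). The decoy shares the
# first and last characters of the customer's real address, which is exactly what a
# vanity-generated lookalike is built to do; a checksum check would not catch it.
CUSTOMER_ADDR = "1Exam9customerREALaddressCONSTRUCTEDQ7vK"
DECOY_ADDR = "1Exam9attackerVANITYdecoyCONSTRUCTEDQ7vK"


def commitment(user_id: str, amount_btc: int, address: str, nonce: str) -> str:
    """HMAC over every field the reviewers confirmed, so a later edit to any of them is detectable."""
    msg = f"{user_id}|{amount_btc}|{address}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class Withdrawal:
    user_id: str
    amount_btc: int
    address: str                               # the field that was tampered with at 796
    nonce: str = field(default_factory=lambda: os.urandom(8).hex())
    confirmed: Optional[str] = None            # commitment recorded at phone/email confirmation

    def confirm(self) -> None:
        """Freeze the details the customer actually agreed to during the phone/email check."""
        self.confirmed = commitment(self.user_id, self.amount_btc, self.address, self.nonce)


def lookalike(candidate: str, known: str, edge: int = 5) -> bool:
    """True if candidate differs from known yet matches its first and last `edge` characters."""
    return (candidate != known
            and candidate[:edge] == known[:edge]
            and candidate[-edge:] == known[-edge:])


def release_check(w: Withdrawal, whitelist: set) -> Tuple[bool, str]:
    """Final gate before a transaction is broadcast. Returns (ok, reason)."""
    if w.confirmed is None:
        return False, "not confirmed"
    expected = commitment(w.user_id, w.amount_btc, w.address, w.nonce)
    if not hmac.compare_digest(expected, w.confirmed):
        # Row was edited between confirmation and release: the 796 failure mode.
        return False, "details changed after confirmation"
    if w.address in whitelist:
        return True, "ok"
    # Unknown destination: never release; explain why so the reviewer is not fooled by resemblance.
    for known in whitelist:
        if lookalike(w.address, known):
            return False, "address not whitelisted and resembles a known address: possible decoy"
    return False, "address not whitelisted; complete a test transaction first"


if __name__ == "__main__":
    w = Withdrawal("user-42", 1000, CUSTOMER_ADDR)
    w.confirm()                                # phone + email confirmation done
    w.address = DECOY_ADDR                     # stored address edited afterwards
    print(release_check(w, {CUSTOMER_ADDR}))   # (False, 'details changed after confirmation')
```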
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting of any risks to the backing of customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or a significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Chinese Exchange Gets 'Goxed' for 1,000 bitcoins (UPDATE: Company Responds) - CoinTelegraph (Dec 11, 2023)
- [2] Are Advanced Trading Tools Causing the Bitcoin Price Drop? Exchanges, Experts Weigh In - CoinTelegraph (Dec 14, 2023)
- [3] 796 Xchange Homepage - Archive December 4th, 2013 2:09:01 AM MST (Dec 12, 2023)
- [4] 关于昨晚出现被盗一事的说明 ("Notes on the theft last night") - Weibo (Dec 11, 2023)
- [5] Blockchain Transaction For 1,000 BTC Withdrawal - Blockchain.com (Jan 24, 2024)
- [6] Blockchain Address - Blockchain.com (Jan 24, 2024)
- [7] It is said that a large household lost 1,000 coins in 796... - 8btc Archive January 30th, 2015 7:27:42 PM MST (Jan 24, 2024)
- [8] It is said that a large household lost 1,000 coins in 796... - 8btc Archive February 20th, 2015 12:01:13 AM MST (Jan 24, 2024)
- [9] redtheminer - "It seems reasonable" - Twitter (Jan 24, 2024)
- [10] 796 lost 1,000 bitcoin - BitcoinTalk (Jan 24, 2024)
- [11] Bitcoin futures exchange hacked - 796 lost 1000 bitcoin. - Reddit (Jan 24, 2024)
- [12] Bitcoin_Spain - "Bitcoin futures exchange hacked - 796 lost 1000 bitcoin.:" - Twitter (Jan 26, 2024)
- [13] digital_mine_ - "796 lost 1,000 bitcoin" - Twitter (Jan 29, 2024)
- [14] Chinese Exchange Gets 'Goxed' for 1,000 bitcoins (UPDATE: Company Responds) - CoinTelegraph Archive September 4th, 2017 6:13:32 PM MDT (Dec 11, 2023)
- [15] Ekmor - "Chinese Exchange Gets 'Goxed' for 1,000 bitcoins: nnReports are emerging of Chinese Bitcoin exchange 796" - Twitter (Jan 29, 2024)
- [16] 100 Crypto Thefts: A Timeline of Hacks, Glitches, Exit Scams, and other Lost Cryptocurrency Incidents (Jan 25, 2020)
- [17] Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com Archive April 13th, 2020 7:45:28 AM MDT (Mar 5, 2020)
- [18] FabShareables - "Chinese #Bitcoin exchange 796 gets social-engineered through address similarity" - Twitter (Jan 25, 2024)
- [19] Tone Vays - "Monster #bitcoin leveraged Sell order was just attempted on 796 (not filled) bulls should still be cautious" - Twitter (Jan 25, 2024)
- [20] CoinSide - "Обменник 796 Exchange потерял 1000 BTC" ("796 Exchange lost 1000 BTC") - Twitter (Jan 26, 2024)
- [21] NotesFromBTC - "796" - Twitter (Jan 25, 2024)
- [22] Satoshi Trader - "16k sold at 796 futures" - Twitter (Jan 29, 2024)
- [23] CoinLion266 - "The new way to win big… all the cool kids are doing it!!!" - Twitter (Jan 25, 2024)
- [24] Julia Vaingurt - "Historical data for 796 Bitcoin futures is now available." - Twitter (Jan 29, 2024)
- [25] Googs1984 - "One Hour until 796 Settlement." - Twitter (Jan 29, 2024)
- [26] NotesFromBTC - "796??????????????????" - Twitter (Jan 29, 2024)
- [27] Transaction Transferring 0.09950000 BTC - Blockchain.com (Jan 29, 2024)
- [28] EasyBitcoins.net - "Huge Chinese Exchange 796 has gone OFFLINE via /r/Bitcoin" - Twitter (Jan 25, 2024)
- [29] Marotta117 - Huge Chinese Exchange 796 has gone OFFLINE - Reddit (Jan 25, 2024)
- [30] Exchange Hacks - ChainSec (Dec 12, 2023)
- [31] Bitcoin Theft: TOP 50 Largest Thefts on Exchanges [2011-2022] - Bytwork (Dec 14, 2023)
- [32] A Comprehensive List of Cryptocurrency Exchange Hacks - SelfKey (Dec 12, 2023)
- [33] https://twitter.com/aaahjoom/status/560371752132677632 (Jan 25, 2024)
- [34] Blockchain: A Hype or a Hoax? - Google Books (Jan 24, 2024)
- [35] LordSonjai - "and no offense guys but if you are still like how I was 2 months ago you need to get it together, take your coin out of these exchanges and store them into a paper wallet. Purchase a new computer and run bitaddress on it not connected to the internet, when you are done, burn the laptop. I used a little 300 dollar laptop if you have as much coin as I do you don't mind throwing 300 to save 30000." - BitcoinTalk (Jan 29, 2024)