Upbit Hot Wallet Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Upbit Logo/Homepage

Upbit was one of a series of exchanges which had previously undergone a government security inspection, which failed to detect vulnerabilities.

Although I found reports that Upbit had been attempting to deny the hack, I suspect that this was confusion over Upbit denying any further hacking (beyond the original ETH) was occurring.

Upbit has stated that they will reimburse customers fully for the losses, and the site appear to be online now. From notices on the website, they significantly exceeded the 2 week time estimate.

This exchange or platform is based in South Korea, or the incident targeted people primarily in South Korea.[1][2][3][4][5]

About Upbit



This exchange or platform is based in South Korea, or the incident targeted people primarily in South Korea.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

“The Upbit hack is currently the most recent one as the company announced in a blog post that on November 27, it lost 58 billion won – $49.2 million at the time – worth of ETH to hackers as they transferred the funds out of Upbit’s hot wallet to an unknown wallet."

Key Event Timeline - Upbit Hot Wallet Hack
Date Event Description
November 26th, 2019 9:06:41 PM MST Ethereum Transaction A blockchain transaction transfers 342,000 ETH[8] from Upbit's hot wallet to an anonymous attacker's ethereum wallet[9].
November 27th, 2019 2:26:00 AM MST Blog Post Announcement The company posts an update to their company blog explaining an unscheduled suspension of crypto-asset deposit and withdrawal services. The statement revealed that approximately 342,000 ETH was transferred from Upbit's Ethereum hot wallet to an anonymous wallet address. Immediate actions were taken to secure investors' assets, including the suspension of all crypto-asset deposits and withdrawals, as well as the transfer of all crypto-assets to cold wallets. Upbit assured investors that no assets were lost, and they plan to replace the 342,000 ETH with the company's assets. The exchange expects to enable crypto-asset deposits and withdrawals in about two weeks and urged the crypto community to block deposits from the anonymous address involved in the incident. Upbit also requested information from the community about the suspicious transaction or the anonymous wallet[10].
November 27th, 2019 3:02:13 PM MST CoinDesk Article CoinDesk calls the Upbit hack the seventh major crypto exchange hack of 2019, serving as a stark reminder of the risks associated with storing cryptocurrencies on exchanges. The article reflects on seven significant hacks that occurred throughout the year, emphasizing the lesson that if you don't control the private keys, you don't fully control your crypto. The highlighted incidents include hacks at Cryptopia, DragonEx, Bithumb, Binance, BiTrue, and Bitpoint. Each hack had its own unique circumstances, ranging from vulnerabilities in hot wallets to internal process exploitation. As the year concludes, the article underscores the substantial and precarious risks faced by both exchanges and users, expressing hope for fewer losses in the crypto ecosystem in 2020[8].
December 3rd, 2019 Stolen Funds Start Moving On December 3, one of the addresses where the hacker was storing the stolen ETH began to show signs of life as eight transfers to four different addresses occurred between December 3 and December 6[11].
December 3rd, 2019 Continued Movement On December 23, the address sent an additional 2,000 ETH to a new address[11].
January 21st, 2020 2:12:54 AM MST The Coin Republic Criticisms The Coin Republic reports that the South Korean government is facing criticism for inadequate security measures to protect cryptocurrency exchanges, with three platforms hacked despite government inspections. Lawmakers questioned the reliability of government checks as recent data revealed seven virtual currency hack incidents, resulting in a loss of over $100 million USD. The Ministry of Science and Technology, the Ministry of Information and Communications, the Communications Commission (KCC), and the National Police Agency submitted data to the National Assembly detailing the hacking incidents. Upbit, one of South Korea's major exchanges, denied rumors of being hacked, emphasizing the safety of users' assets. Lawmakers urged the government to establish secure regulatory systems in response to the increasing importance of cryptocurrencies[12].
February 10th, 2020 10:04:35 AM MST Ciphertrace Report Published Ciphertrace, a blockchain analytics firm, publishes their "Q4 2019 Cryptocurrency Anti-Money Laundering Report" which includes the Upbit hot wallet hack[11].

Technical Details

Blockchain transaction involved:[9]

losing $49 million at 9:00 UTC on November 26, 2019. An "abnormal transaction" resulted in a 342,000 ether loss in a few minutes.[8]

In a November 27 post to their website, Upbit CEO Lee Seok-woo announced that the exchange was hacked for 342,000 ETH (approximately US$52 million at the time). The Ethereum was moved from the company’s hot wallet to 0xa09871AEadF4994Ca12f5c0b6056BBd1d343c029.[11]

Total Amount Lost

The total amount lost was announced as 342,000 ETH[8][11], which is an exact amount that can be confirmed on the blockchain[9].

According to CoinDesk, this is worth $49M USD at the time[8]. Ciphertrace has estimated the value at $52M USD[11].

The total amount lost has been estimated at $49,200,000 USD.

Immediate Reactions

"In response, Upbit immediately moved all of its funds to cold wallets and also disabled all trading activity. The company also promised to return all funds to affected users."

In response, the company transferred all cryptocurrencies in their hot wallet to cold wallet storage, and stated they will cover any stolen customer funds with Upbit assets.[11]

Blog Post On Website

The Upbit exchange shared the following announcement on their website[10]:

Dear Upbit Investors,

This announcement is to clarify the reason for the unscheduled suspension of crypto-asset deposit/withdrawal.

First of all, we apologise for any inconvenience we caused you.

At approximately 13:06 on November 27th, 2019 (KST), 342,000 ETH was sent from Upbit’s Ethereum hot wallet to an anonymous wallet address - 0xa09871AEadF4994Ca12f5c0b6056BBd1d343c029.

We took immediate actions to protect your assets, and no investors’ assets were lost.

Actions include:

  • Suspensions of all crypto-asset deposits and withdrawals
  • Transfer of all crypto-assets to cold wallets. (Please note that all large-scale asset transfers following the ETH transfer was part of this process.)

In addition, Upbit will replace the 342,000 ETH with the company’s assets immediately.

We will announce again after the completion of this process.

Crypto-asset deposit and withdrawal will be enabled in approximately 2 weeks. We will notify you of the exact date once it is finalized.

We also promise to update you with any further developments.

Also, we ask for the crypto community's support in blocking deposits from the anonymous address 0xa09871AEadF4994Ca12f5c0b6056BBd1d343c029.

If you find out any information regarding to this suspicious transaction or the anonymous wallet, please report to us.

Ultimate Outcome

On December 3, one of the addresses where the hacker was storing the stolen ETH began to show signs of life as eight transfers to four different addresses occurred between December 3 and December 6. On December 23, the address sent an additional 2,000 ETH to a new address. CipherTrace will continue to monitor the situation for signs of movement into any exchanges, where the funds can be frozen and returned to Upbit. Some exchanges, such as Binance, have already pledged to ensure any hacked funds will be immediately frozen if they enter their exchanges.[11]

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

The primary cause of the loss was due to the funds being in a "hot wallet", an online wallet which the hacker was able to gain access to. Hot wallets are notorious for being breached, despite strong security and even in this case a government inspection.

This type of breach can be avoided by handling withdrawals manually from air-gapped wallets. Ideally, multiple human beings should be signing off on each transaction, and wallets should come from multiple trusted supply chains. The exchange should maintain the lowest possible level of funding in any hot wallets, and be prepared for the full loss of all funds in their hot wallets at any time.

Under our proposed framework, exchanges need to keep aside some funds to cover losses, which are stored in a collective multi-sig pool held by exchange operators. A premium is paid by all exchanges, which is higher for hot wallets, encouraging platforms to store more funds offline, and acting as insurance in the case of any breach. We also believe that proper training and a basic certification for all platform operators makes good sense.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.