Author: Chengdu chain security
According to industry media reports, around 1 pm on November 27, the security system of UpBit, a well-known cryptocurrency exchange in South Korea, was damaged, and 34,200 Ethereum were stolen (about 58 billion won). The corresponding digital assets were transferred from the exchange's hot wallet to an unknown wallet address.
At 12:06 on November 27th, the situational awareness system detected that the Ethereum Upbit Exchange hot wallet address transferred more than 340,000 ETH to an unknown address through a transaction.
- Overview of blockchain application cases: health care and energy industry
- The Revolutionary Potential of the Bitcoin Lightning Network from the Internet
- The EOS node's renewed conflict centralizes the characteristics of the public chain, highlighting the responsibility of Block.one?
- Digital Money and Electronic Payment: Opportunities and Challenges for Global Governance
- 26 industrial parks, 30 billion funds, the most comprehensive summary of blockchain policies across the country
- Read the simple logic behind the zero-knowledge proof
After the hacker transferred 342,000 ETH, only 111.3 ETH remained at the address, which was almost empty.
Subsequently, an official announcement announced that:
Immediately afterwards, the Chengdu Chain Security team conducted a complete review of the transaction timeline for the entire token transfer.
At 13:18 Beijing time on November 27th, Upbit TRON address TDU1uJ transferred TRON coins in batches to addresses starting with TA9FnQrL, totaling more than 1.16 billion TRON coins and 21 million BTT.
At around 1:55 on November 27, Beijing time, more than 152 million XLMs were transferred from the Upbit exchange to the Bittrex exchange.
According to our further analysis, it is believed that the transfer of EOS, XLM, and TRON tokens is likely to be a hedging operation by the exchange to trigger the risk control mechanism, and data show that Upbit and bittrex are cooperative relationships. Therefore, large amounts of EOS and The transfer of XLM to the Bittrex exchange may be Bittrex's assistance in avoiding risks.
Subsequently, at 4.56 pm Beijing time, Lee Sek-woo, CEO of Upbit ’s official Doo-myeon, issued a notice indicating that the official has suspended cryptocurrency deposit and withdrawal services, and urgently investigated the cause, and indicated that Upbit will fully bear the loss.
At this point, the entire token transfer process of Upbit has been clear, and we conducted the following analysis and judgment on the theft of ETH.
Theft of the UpBit exchange may be that the server storing the hot wallet private key is attacked and the private key is stolen, or the transaction signature server is attacked, instead of the server controlling the hot wallet API transfer being hacked.
Hereby remind the project parties:
- The private key should be stored well. Don't click as much as possible on emails of unknown origin and purpose;
- Install personal anti-virus software on personal PCs of employees to strengthen the safety awareness training of internal employees;
- For the private key storage server, it is recommended to assign someone to operate and maintain.
Can take effective protective measures:
- Rewrite server commands, such as history, cat and other commands commonly used by hackers, and develop scripts for continuous monitoring. If there are running sensitive command push notifications, operation and maintenance personnel only need to maintain new commands after rewriting the commands;
- Improve its own capital risk control system, promptly report alarms, and block transactions to prevent large losses.