Analysis of the loss of 7000 bitcoin and the theft of the coin hot wallet

On the morning of May 8, the official announcement of the currency security said that on September 7, 2019, 17:15:24 (UTC) "large-scale security breaches" were discovered in the system.

Coin said that the security vulnerability is that hackers use a combination of technologies, including phishing, viruses and other means of attack, so that hackers can access a large number of user application interface keys (API keys), two-factor authentication code (2FA code), And other information, stealing 7,000 bitcoins from the coin wallet at block height 575012. The exchange lost $41 million.

In response to the stolen money incident, Beosin Chengdu Chainan adheres to the purpose of building a blockchain with full ecological security. Our technical team takes action for the first time and makes in-depth analysis.

Attack site:


The details of the hacking transaction are as follows:

The attack last occurred at 575,013 blocks, with a total loss of up to 7,074 BTCs.

The following picture shows the hacker's detailed coin address: (the yellow mark is the main coin address)

As of now, the coin security wallet (address: 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s) has been stolen about 7,000 BTC.

At present, the balance of the hot wallet of the currency security is 3,612.69114593 BTC, and the balance is retained. The stolen part only accounts for a small percentage, indicating that the private key of the coin hot wallet is currently safe.

Event analysis:

After our analysis, at 01:17:18 (Beijing time) on May 8th, the coin transfer operation was initiated at the same time through the API interface.

The API key and Secret key will be generated after the API application of the Currency Exchange, as shown below:

The API interface has "limited user open IP restrictions" and "open cash withdrawal capabilities."

"Open withdrawal" refers to direct withdrawal using API key and Secret key, without the need for mobile phone verification code, SMS, Google verification code.

As shown below:

The API part of the official call code demo is as follows:


Our preliminary analysis considers this attack caused by the user's API key and Secret key information leakage.

If the user does not limit the ip and configures the open cash withdrawal function, any attacker can obtain the API key and Secret key information to implement the attack.

There may be four ways for users to disclose information:

1. Ordinary users generally do not use the API key. Generally, advanced users use the code to implement automated transactions. It may be that the user source leaks and the Secret key leaks.

2. The user is attacked by phishing, and the API key and Secret key are entered and intercepted by the hacker.

3. The user's API key and Secret key saved computer are stolen by attack.

4. The currency security exchange system system causes the user API key and Secret key to leak, of which only 71 users have opened the cash withdrawal function and stolen coins.

safety warning:

We recommend that all exchanges and users should pay attention to the protection of information. When users use advanced functions such as open withdrawal, they should pay more attention to security, avoid the various hazards caused by information leakage, and prevent attackers from having opportunities. .

(Source: Chengdu Chain Security)

We will continue to update Blocking; if you have any questions or suggestions, please contact us!


Was this article helpful?

93 out of 132 found this helpful

Discover more