Digging deep into the GateHub theft

On June 1, 2019, XRP Forensics discovered that 201,000 XRP (transaction F6E9E1385E11649A6C2F88723A821AF209B54030886539DCEF9DDD00E6446948) had been stolen and immediately began investigating.

It turned out that the robbed account was managed by GateHub, and that the offending account (r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k) had stolen large sums from several other Ripple accounts, which may also have been managed by GateHub.

On the same day, XRP Forensics contacted GateHub to alert them to a potential security breach, continued to investigate the theft independently, and contacted several cryptocurrency exchanges, since the hackers might attempt to launder the stolen funds through them.

After further investigation, more accounts linked to this theft surfaced, and 12 major suspicious accounts were identified.

In fact, XRP Forensics had already identified the first victim from ledger data as early as 2019-05-30 12:25:40 UTC: in transaction 30FBBD47F6791A00BF0C1DCFF6CBD8AECBF9EF71141544C031B8FAF3EACB4C41 the hacker took 10,000 XRP from that victim.

As of 2019-06-05 16:00 UTC, approximately 80-90 victims had been compromised, and the total amount stolen was approximately 23,200,000 XRP, of which approximately 13,100,000 XRP had already been laundered through cryptocurrency exchanges and mixing services. XRP Forensics later got in touch with some of the victims, and GateHub also contacted some of the cryptocurrency exchanges through which the hackers were laundering funds.

Potential attack scenarios

Although XRP Forensics does not currently have solid evidence of where the attack originated, the following potential attack scenarios were considered during the investigation:

1. GateHub account compromise

Analysis of the victims' access logs and of the transactions on the Ripple ledger suggests that no account was taken over by using the customer's login credentials directly on GateHub.

2. Phishing

From conversations with the victims, none of them appears to have fallen for a phishing scam; for example, none reported receiving an email asking them to open a link.

3. Replay attack

Most of the victims' accounts were registered in December 2017 or earlier, and it was initially suspected that these older accounts were more exposed to weaknesses in the transaction-signing software deployed at the time. This does not appear to be the case: only a few accounts are vulnerable to such an attack, and none of them was among the victims.

4. Incremental nonce

Although replay attacks are not central to this case, it remains possible that a poorly implemented signing library used incremental nonces, which would make brute-forcing the signing key feasible. At this stage, however, this possibility can neither be confirmed nor ruled out.

5. RippleTrade migration

Since most victim accounts were registered in December 2017 or earlier, and many of them carry a RippleTrade username, careless handling of the user-account migration could be one reason these accounts became accessible to the hackers. However, not all of the hacked accounts are old RippleTrade accounts, so this is also unlikely to be the cause of the attack.

6. Browser client hacking

Although it is possible to retrieve user information by exploiting vulnerabilities in the application programming interface (API), we consider this unlikely to be the cause of the attack. Furthermore, the victims are spread all over the world, which argues against a localized attack such as sniffing sessions on shared Wi-Fi.

7. Old database leak

Since GateHub is a hosted (custodial) wallet provider, it stores its customers' private keys. The most likely scenario is that the hacker exploited an as yet unknown leak of an old database and then brute-forced the private keys until finding accounts with sufficient funds.

The hackers have begun cashing out

Currently, XRP Forensics has identified several cryptocurrency exchanges that have received stolen XRP, but only has estimates, not exact figures, for the amounts:

6,000,000 XRP
3,250,000 XRP
1,500,000 XRP
930,000 XRP
135,000 XRP
115,000 XRP
110,000 XRP
50,000 XRP

Summary

In the diagram, yellow represents the cryptocurrency exchanges and accounts used to cash out the stolen XRP; blue represents the victims; red represents the nine suspicious accounts. (Odaily note: some victim funds may not have passed through the suspicious accounts but were sent directly to an exchange.)
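As an added illustration of the kind of fund-flow analysis described above, the following Python script (written for this page, not XRP Forensics' own tooling) replays a small constructed ledger and follows stolen XRP from victim accounts through an intermediary to exchange deposit accounts. It uses proportional ("haircut") tainting, so funds an intermediary mixes with its own clean balance are only partially attributed to the thefts, and it also handles the case noted above where a victim's funds go straight to an exchange. All account labels, transaction ids and amounts are constructed placeholders, not the accounts from the report.

```python
"""Proportional ("haircut") taint tracing over a constructed payment ledger.

Added example, not code from XRP Forensics or the original article. All account
labels, transaction ids and amounts below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Payment:
    tx_id: str          # constructed placeholder, not a real ledger hash
    source: str
    destination: str
    amount: Fraction    # XRP (already converted from drops)


# Constructed sample: known victims (balance at the time of theft), known
# exchange deposit accounts, and an intermediary that already held untainted
# funds before the thefts began.
VICTIMS = {"rVictimA": 10_000, "rVictimB": 5_000, "rVictimC": 2_000}
EXCHANGES = {"rExchangeX", "rExchangeY"}
CLEAN_BALANCES = {"rSuspectHub": 1_000}

# Constructed ledger excerpt, in ledger (chronological) order.
LEDGER = [
    Payment("TX1", "rVictimA", "rSuspectHub", Fraction(10_000)),
    Payment("TX2", "rVictimB", "rSuspectHub", Fraction(5_000)),
    Payment("TX3", "rSuspectHub", "rExchangeX", Fraction(12_000)),
    Payment("TX4", "rVictimC", "rExchangeY", Fraction(2_000)),   # victim pays exchange directly
    Payment("TX5", "rSuspectHub", "rExchangeY", Fraction(4_000)),
]


def trace_taint(ledger, victims, exchanges, clean_balances):
    """Replay the ledger and follow stolen funds with proportional taint.

    Every victim's balance is fully tainted. When an account spends X out of a
    balance B of which T is tainted, X * T / B of the payment is treated as
    tainted (the "haircut" rule), so mixing with clean funds dilutes the trail
    instead of erasing it. Returns (tainted XRP per exchange, tainted XRP
    received per intermediary account).
    """
    balance = defaultdict(Fraction)
    tainted = defaultdict(Fraction)
    for acct, amt in clean_balances.items():
        balance[acct] += Fraction(amt)
    for acct, amt in victims.items():
        balance[acct] += Fraction(amt)
        tainted[acct] += Fraction(amt)

    cashed_out = defaultdict(Fraction)
    suspects = defaultdict(Fraction)
    for p in ledger:
        # A real ledger never lets an account overspend; treat it as bad input.
        if p.amount <= 0 or p.amount > balance[p.source]:
            raise ValueError(f"{p.tx_id}: amount exceeds source balance")
        share = p.amount * tainted[p.source] / balance[p.source]
        balance[p.source] -= p.amount
        tainted[p.source] -= share
        balance[p.destination] += p.amount
        tainted[p.destination] += share
        if share == 0:
            continue
        if p.destination in exchanges:
            cashed_out[p.destination] += share
        elif p.destination not in victims:
            suspects[p.destination] += share
    return dict(cashed_out), dict(suspects)


def total_stolen(victims):
    """Sum of the victims' (fully tainted) balances."""
    return Fraction(sum(victims.values()))


if __name__ == "__main__":
    cashed, hubs = trace_taint(LEDGER, VICTIMS, EXCHANGES, CLEAN_BALANCES)
    print("total stolen:", total_stolen(VICTIMS), "XRP")
    for ex, amt in cashed.items():
        print(f"reached exchange {ex}: {amt} XRP")
    for acct, amt in hubs.items():
        print(f"intermediary {acct} received {amt} tainted XRP")
```

On the constructed ledger, the hub receives 15,000 tainted XRP on top of 1,000 clean XRP, so its 12,000 XRP deposit to rExchangeX is attributed 11,250 tainted XRP and the remaining 3,750 tainted XRP follows its last payment to rExchangeY, where it joins the 2,000 XRP the third victim sent directly; the totals reconcile to the 17,000 XRP stolen.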

Because the victims are spread across the globe, the case must be handled by national law enforcement agencies. XRP Forensics strongly recommends that victims file complaints with the relevant law enforcement agencies in their own jurisdiction.

Translated from the original by XRP Forensics. Editor: Thomas Silkjær. Translator: Moni, Odaily.