Yesterday, 340,000 ETH was stolen from the Upbit exchange, but it was this server that was attacked …

Author: Chengdu chain security

According to industry media reports, at around 1 pm on November 27 the security system of Upbit, a well-known South Korean cryptocurrency exchange, was breached, and 34,200 Ethereum (about 58 billion won) were stolen. The corresponding digital assets were transferred from the exchange's hot wallet to an unknown wallet address.

At 12:06 on November 27, the situational awareness system detected that the Upbit exchange's Ethereum hot wallet address had transferred more than 340,000 ETH to an unknown address in a single transaction.

After the hacker transferred 342,000 ETH, only 111.3 ETH remained at the address, leaving it almost empty.

Subsequently, the exchange's official announcement stated:

Immediately afterwards, the Chengdu Chain Security team conducted a complete review of the transaction timeline of the entire token transfer.

At 13:18 Beijing time on November 27, the Upbit TRON address beginning TDU1uJ transferred TRON (TRX) tokens in batches to addresses starting with TA9FnQrL, totaling more than 1.16 billion TRX and 21 million BTT.

At 13:02 Beijing time on November 27, 8,628,959 EOS were transferred from the Upbit EOS wallet address to the Bittrex exchange.

At around 1:55 Beijing time on November 27, more than 152 million XLM were transferred from the Upbit exchange to the Bittrex exchange.

Our further analysis suggests that the transfers of EOS, XLM and TRON tokens were most likely a hedging operation by the exchange after its risk-control mechanism was triggered. Data show that Upbit and Bittrex have a cooperative relationship, so the transfer of large amounts of EOS and XLM to Bittrex was probably Bittrex helping Upbit move the assets out of harm's way.

Subsequently, at 4:56 pm Beijing time, Lee Sek-woo, CEO of Upbit's operator Dunamu, issued a notice stating that cryptocurrency deposit and withdrawal services had been suspended, that the cause was being urgently investigated, and that Upbit would fully bear the loss.

At this point the entire sequence of Upbit token transfers is clear, and we made the following analysis and judgment on the theft of the ETH.

The theft from the Upbit exchange was most likely carried out by compromising the server that stores the hot-wallet private key and stealing the key, or by compromising the transaction-signing server, rather than by compromising the server that controls transfers through the hot-wallet API.

Judging from the transfer transaction (hash 0xa09871A ****** 43c029), the hacker or group moved all the funds in the account at that time without performing any additional operations. Some users later deposited about 4,700 ETH into the Upbit exchange, and the exchange has since moved those assets to an address it controls, 0x267F7 ******* 0a8E319c72CEff5.

From what is currently known, Upbit may have been attacked through spear-phishing emails, watering-hole attacks or similar methods that gave the attacker control of the PCs of exchange employees or even executives. It has also been reported that North Korean hackers sent phishing emails to users of the Upbit exchange on May 28 as part of a cyber attack.

We hereby remind project teams:

  1. Store private keys securely, and avoid opening emails of unknown origin and purpose wherever possible;
  2. Install anti-virus software on employees' personal PCs and strengthen security-awareness training for internal staff;
  3. Assign dedicated personnel to operate and maintain the private-key storage server.

Effective protective measures that can be taken:

  1. Rewrite server commands commonly used by attackers, such as history and cat, and develop scripts for continuous monitoring that push a notification to operations staff whenever a sensitive command is run; once the commands are rewritten, operations staff only need to maintain the new commands;
  2. Improve the exchange's own capital risk-control system so that it raises alarms promptly and blocks transactions to prevent large losses.
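
As an added example (not code from Chengdu Chain Security or from the article), the following Python check applies the second measure to an outbound hot-wallet transfer: it blocks any transfer that exceeds a per-transaction cap, moves more than a set share of the balance, or would leave the wallet below a floor, and it flags destinations that are not pre-registered for manual review. All thresholds, addresses and transaction hashes are constructed placeholders; the drain case mirrors the shape of the 342,000 ETH transfer that left 111.3 ETH behind.

```python
# Added example, not code from the original article: a withdrawal risk-control
# check for an exchange hot wallet. All thresholds, addresses and transfers are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class Policy:
    max_single_eth: float        # hard cap on one outbound transfer
    max_balance_fraction: float  # share of the balance one transfer may move
    min_remaining_eth: float     # balance that must remain afterwards
    known_dest: FrozenSet[str]   # pre-registered destinations (cold wallet, partners)

@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    to_addr: str
    amount_eth: float
    balance_before_eth: float

def assess(t: Transfer, p: Policy) -> Tuple[str, List[str]]:
    """Return ("allow"|"alert"|"block", reasons). Amount rules are hard limits
    and block outright; an unknown destination alone only alerts for review."""
    remaining = t.balance_before_eth - t.amount_eth
    hard: List[str] = []
    if t.amount_eth > p.max_single_eth:
        hard.append(f"amount {t.amount_eth:.1f} ETH exceeds per-tx cap {p.max_single_eth:.1f}")
    if t.amount_eth > p.max_balance_fraction * t.balance_before_eth:
        hard.append(f"amount exceeds {p.max_balance_fraction:.0%} of hot-wallet balance")
    if remaining < p.min_remaining_eth:
        hard.append(f"wallet would be left with {remaining:.1f} ETH, below floor {p.min_remaining_eth:.1f}")
    soft = [] if t.to_addr in p.known_dest else ["destination address is not pre-registered"]
    if hard:
        return "block", hard + soft
    return ("alert", soft) if soft else ("allow", [])

# Constructed sample policy and transfers; addresses and hashes are placeholders.
POLICY = Policy(10_000.0, 0.2, 50_000.0, frozenset({"0xCOLD_WALLET_PLACEHOLDER"}))
# Same shape as the incident described above: one transfer empties the wallet.
DRAIN = Transfer("0xTX_DRAIN_PLACEHOLDER", "0xUNKNOWN_PLACEHOLDER", 342_000.0, 342_111.3)
SWEEP = Transfer("0xTX_SWEEP_PLACEHOLDER", "0xCOLD_WALLET_PLACEHOLDER", 5_000.0, 342_111.3)
SMALL = Transfer("0xTX_SMALL_PLACEHOLDER", "0xUNKNOWN_PLACEHOLDER", 4_700.0, 342_111.3)

if __name__ == "__main__":
    for tr in (DRAIN, SWEEP, SMALL):
        decision, reasons = assess(tr, POLICY)
        print(tr.tx_hash, decision, reasons)
```

In a live system the blocked transfer would be held before signing and the alert routed to the risk-control team, rather than learning of the drain from on-chain monitoring after the fact.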

We will continue to update Blocking; if you have any questions or suggestions, please contact us!
