Every cryptocurrency exchange’s worst nightmare unfortunately befell Upbit, as the South Korean exchange confirmed on November 27th that a thief had stolen 342,000 ether (ETH) from the exchange.
That haul, worth $50 million USD in the wake of the theft, makes it one of the largest crypto exchange heists in recent memory, larger even than the $40 million Binance hack and the $30 million Bithumb hack which landed earlier this year.
In an announcement post, the Upbit team said the exchange had suspended all deposits and withdrawals after the large trove of ether had been unexpectedly transferred from one of the platform’s hot wallets to a wallet under the control of an unknown entity.
In response to the incident, the exchange promised to “replace the 342,000 ETH with the company’s assets immediately” and transferred millions of dollars’ worth of other tokens into secure cold wallets.
“Please note that all large-scale asset transfers following the ETH transfer was part of this process,” Upbit said.
Moreover, the exchange estimated that its deposit and withdrawal operations would return in “approximately 2 weeks” and asked for the cryptocurrency ecosystem’s “support in blocking deposits from the anonymous address.” Relatedly, Binance founder and CEO Changpeng Zhao responded by tweeting out that Binance would “work with Upbit” and others to prevent hacked funds from ever being usable on Binance.
We will work with Upbit and other industry players to ensure any hacked funds that may make their way to Binance are immediately frozen.
— CZ Binance (@cz_binance) November 27, 2019
For now, the identity of the Upbit hacker or hackers remains unknown, but their address is now being tracked by blockchain explorer sites and public analysts. It’s an open question as to how the entity responsible might make off with the stolen funds going forward.
Can the Thief DeFi Their Way Up?
As news of the hack spread, some stakeholders in the Ethereum community began to discuss how the attacker might turn to decentralized finance, or DeFi, to further capitalize on the funds.
Every centralized exchange worth its salt will be watching the Upbit hacker’s address to prevent the swindler from cashing out via fiat off-ramps. That means the hacker will either have to try and “clean” the money via mixing techniques or take their chances by keeping it in ether, thus hoping any parties they later deal with don’t mind exchanging in tainted money.
If the attacker chooses the latter approach, the situation gets interesting because they don’t have to keep their money idle. They could put it to more aggressive use in DeFi platforms, e.g. using the ether to open up a Maker Vault in order to draw out a massive Dai loan, the sum of which could then be locked in the Dai Savings Rate smart contract to generate annual interest.
This route would put the maintainers of these platforms in difficult positions, insofar as they would open themselves up to increased regulation if they take openly centralized steps to stop such activity.
On the other hand, it’s possible the Upbit hacker’s funds will stay put for years as they bide their time in hopes of improved Ethereum privacy solutions to come. In any case, the world is watching in the meantime, which may ward the hacker off from openly partaking in DeFi platforms.
Someone Saw This Coming Months Ago
On the first day of 2019, Arjun Balaji of Paradigm published his “Crypto Theses for 2019,” an op-ed on how the year might go for the cryptocurrency industry. Therein, Balaji forecast a large exchange hack.
Notably, in response to that article, Balancer chief technical officer Mike McDonald tweeted out a hashed prediction of which exchange he thought would be hacked and by what method. Nearly one year later, McDonald pointed to that hash to show that he predicted Upbit via “hot wallet compromise.”
echo -n "upbit: spearphish -> cloud api keys -> server access -> hot wallet compromise" | shasum -a 256
— Mike McDonald (@mikeraymcdonald) November 27, 2019
Whoa. As McDonald saw such an attack coming all those months ago, it seems Upbit has some serious negligence to answer for.
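The hashed prediction described above is a hash commitment: the digest is published first and the text is revealed later. As an added example (not McDonald's or this article's code; all function names are hypothetical), the script below checks a reveal against a digest byte for byte and adds a salted variant, since an unsalted digest of a guessable statement can be matched by hashing candidate statements.

```shell
#!/bin/sh
# Added example: SHA-256 commit/reveal check. All function names are hypothetical.

# sha256_hex: print the hex SHA-256 of stdin with whichever tool is installed.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 | cut -d' ' -f1
    else
        openssl dgst -sha256 | sed 's/^.*= *//'
    fi
}

# commit: digest of the exact bytes of $1. printf '%s' appends no newline,
# the portable equivalent of `echo -n` in the tweet.
commit() { printf '%s' "$1" | sha256_hex; }

# verify: succeed only if revealed text $2 hashes to published digest $1.
verify() { [ "$(commit "$2")" = "$1" ]; }

# new_salt: 16 random bytes as 32 hex characters, kept private until the reveal.
new_salt() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# commit_salted: digest of "<salt>:<text>", so the text cannot be guessed from the digest.
commit_salted() { printf '%s:%s' "$1" "$2" | sha256_hex; }

# verify_salted: check digest $1 against revealed salt $2 and text $3.
verify_salted() { [ "$(commit_salted "$2" "$3")" = "$1" ]; }

# Demo on the string quoted in the tweet.
text='upbit: spearphish -> cloud api keys -> server access -> hot wallet compromise'
published=$(commit "$text")  # constructed here; stands in for a digest posted in advance
if verify "$published" "$text"; then echo "unsalted reveal: match"; fi
if ! verify "$published" "$text "; then echo "one extra byte: mismatch"; fi
salt=$(new_salt)
salted=$(commit_salted "$salt" "$text")
if verify_salted "$salted" "$salt" "$text"; then echo "salted reveal: match"; fi
```

A matching digest shows only that this exact text existed when the digest was posted; it does not show that it was the only prediction committed to.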