Review of the KuCoin Security Incident: Industry Coordination to Intercept the Hackers, or Drawing Water with a Bamboo Basket?
What happened?
KuCoin perspective:
KuCoin CEO Johnny said that at 02:51 on September 26, 2020, the KuCoin team received the first alert from its risk control system and found an abnormal ETH transfer record. As soon as the transaction occurred, KuCoin activated its response mechanism.
ChainsMap on-chain perspective:
Today, if you open Etherscan, the well-known Ethereum block explorer, the address 0xeb31973e0febf3e3d7058234a5ebbae1ab4b8c23 is already flagged as involved in the theft.
Etherscan calculates the total value of the token assets at an address from the live prices of the relevant tokens. Based on the on-chain transfer records, most mainstream foreign media therefore reported that 150 million USD was transferred out of KuCoin. As the KuCoin team confirmed, however, while the hackers were transferring KuCoin assets on a large scale, the KuCoin wallet team was also moving assets out for safekeeping. For example, of the 35 million USDT later frozen by Tether and Bitfinex, 13 million was transferred out by the KuCoin wallet team and 22 million by the hackers.
For this reason, KuCoin has not yet announced the actual amount involved. KuCoin CEO Johnny also said that because many of the affected tokens are ERC-20 tokens, their valuation is still in progress; KuCoin will confirm the specific tokens and amounts and announce them later.
Judging from the transaction records, the first recorded transaction at this address occurred at 02:49:18 on September 26, Beijing time. This transaction stole more than 13.88 million ERC20 USDT.
Another feature of this incident is that, in addition to mainstream ERC20 USDT, the attacker stole a large number of other tokens from the KuCoin hot wallet. Judging from the behavior pattern, the hacker most likely used a script that traversed a list of token contracts and issued transfer instructions in a loop without checking the balance of each token. As a result, some transactions transfer 0 tokens and only consume gas, which is indeed a more "efficient" way of emptying a wallet from the hacker's point of view.
KuCoin's response
KuCoin perspective:
KuCoin CEO Johnny said that after the incident, KuCoin technical staff set up an emergency response team, established an emergency communication group, and began investigating the behavior of the current system.
At the same time, KuCoin operations staff urgently shut down the wallet server and began transferring the remaining funds in the hot wallet to cold wallets; the exchange's deposit and withdrawal services were also suspended.
For users, KuCoin issued a relevant announcement, solemnly stating that if any user suffers losses in this incident, all losses will be fully borne by KuCoin and its insurance fund.
ChainsMap on-chain perspective:
Looking at KuCoin's ERC20 USDT hot wallet, outbound transfers essentially stopped after 06:28 on September 26, and its Bitcoin hot wallet stopped sending to users after 04:34 the same morning.
On-chain interception: with industry coordination, the hackers are drawing water with a bamboo basket
KuCoin perspective:
KuCoin CEO Johnny said that KuCoin has contacted mainstream global trading platforms including Huobi, Binance, OKex, Bybit and Bitmax, as well as project teams, security firms and the police, has taken a number of effective measures, and is doing its best to track down these assets.
ChainsMap on-chain perspective:
After Beijing Lianan learned of the incident, it quickly started monitoring the related assets, activated its coordination mechanism with KuCoin, and soon published a first batch of ERC20 USDT flow-tracking results.
It can be seen that the hacker created a separate address, first made a test transfer of 1 USDT, and then sent 50,000 USDT directly. This pair of transactions was carried out twice, to two different addresses. The hacker then moved part of the USDT from these two addresses into the address starting with 0xdf0921, from which the USDT began to be further split and transferred on; 11,000 USDT of it flowed into the Matcha Exchange. We promptly passed the relevant information to the exchanges concerned and issued a notice, and Matcha quickly froze the relevant accounts.
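As an added example (not from the original article, Beijing Lianan or KuCoin), the two on-chain patterns described in this article, the hot-wallet drain that iterates over tokens and leaves zero-value transfers, and the 1 USDT test transfer followed by a bulk transfer, can be expressed as simple detection rules over transfer records. The wallet, addresses and transfer records below are constructed placeholders, not real chain data.

```python
from datetime import datetime, timedelta

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

HOT_WALLET = "0xhot-wallet-placeholder"  # hypothetical exchange hot wallet
# Constructed sample records (timestamp, token, from, to, value); not real chain data.
TRANSFERS = [
    ("2020-09-25 14:00:00", "USDT", HOT_WALLET, "0xuser-a", 500),          # normal withdrawal
    ("2020-09-26 02:49:18", "USDT", HOT_WALLET, "0xattacker", 13_880_000),
    ("2020-09-26 02:49:40", "TOKEN-A", HOT_WALLET, "0xattacker", 4_200),
    ("2020-09-26 02:50:05", "TOKEN-B", HOT_WALLET, "0xattacker", 0),       # no balance check: 0 tokens, gas only
    ("2020-09-26 02:50:20", "TOKEN-C", HOT_WALLET, "0xattacker", 0),
    ("2020-09-26 02:50:41", "TOKEN-D", HOT_WALLET, "0xattacker", 90),
    ("2020-09-26 12:00:00", "USDT", "0xattacker", "0xstaging-1", 1),       # 1 USDT test transfer
    ("2020-09-26 12:01:30", "USDT", "0xattacker", "0xstaging-1", 50_000),  # bulk transfer follows
]

def drain_alert(transfers, wallet, window=timedelta(minutes=5), min_tokens=3):
    """Flag a burst of outbound transfers from `wallet` that touches many distinct
    tokens inside `window`, or contains any zero-value outbound transfer (a sign of
    a script walking a token list without checking balances)."""
    out = sorted((t for t in transfers if t[2] == wallet), key=lambda t: _ts(t[0]))
    for i, first in enumerate(out):
        burst = [t for t in out[i:] if _ts(t[0]) - _ts(first[0]) <= window]
        tokens = {t[1] for t in burst}
        zero_value = [t for t in burst if t[4] == 0]
        if len(tokens) >= min_tokens or zero_value:
            return {"start": first[0], "tokens": len(tokens), "zero_value": len(zero_value)}
    return None

def probe_then_bulk(transfers, ratio=1000, window=timedelta(hours=1)):
    """Return (from, to, token, probe, bulk) for each small transfer that is followed
    within `window` by one at least `ratio` times larger along the same path;
    such paths are candidates to pass to exchanges and issuers for freezing."""
    by_path = {}
    for t in sorted(transfers, key=lambda t: _ts(t[0])):
        by_path.setdefault((t[2], t[3], t[1]), []).append(t)
    hits = []
    for (src, dst, token), seq in by_path.items():
        for i, probe in enumerate(seq):
            if probe[4] <= 0:
                continue
            for later in seq[i + 1:]:
                if _ts(later[0]) - _ts(probe[0]) <= window and later[4] >= ratio * probe[4]:
                    hits.append((src, dst, token, probe[4], later[4]))
                    break
    return hits
```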
At the same time, something KuCoin CEO Johnny did not mention in the live broadcast is that KuCoin evidently also contacted Tether, the issuer of USDT. Tether responded positively by directly freezing the relevant USDT on-chain through its smart contract, and Bitfinex also announced that it had frozen the stolen EOS-based USDT.
As things stand, the rest of the stolen ERC20 tokens and bitcoin have not yet been moved. Under the industry's siege and interception, it will be extremely difficult and costly for the hackers to fully transfer and cash out these assets.
In fact, at 21:18:35 on September 26, Beijing time, the hackers tried to transfer USDT assets again.
Aftermath: How exchanges should deal with asset security
More than 24 hours have passed since the KuCoin security incident, and the hustle and bustle surrounding the incident itself has gradually died down.
As usual for a now-famous address, the address to which the hackers transferred the assets has become a graffiti wall and billboard: various odd tokens have been sent to it for display and ridicule, a piece of black humor typical of this industry.
Of course, more serious questions remain for us to think about. As for the causes of the KuCoin security incident, KuCoin needs to investigate further and make a public announcement. For any exchange, however, the basics are sound internal risk control to guard against moral hazard (insider misconduct), proper isolation of different business networks, and a multi-signature mechanism; what matters is that these security measures are implemented solidly.
At the same time, the KuCoin security incident also shows that, in addition to precautions, a reasonable response effectively reduces losses once a security incident occurs. From this point of view, KuCoin still did some things well in this incident: it discovered the problem relatively quickly, moved to protect the remaining assets, and promptly mobilized the industry for joint defense, in particular seizing the key links in order to prevent further transfer of key assets as far as possible. The key point, of course, is openness: KuCoin disclosed information about the attack in a timely manner, and the CEO communicated it through a live broadcast, which achieved effective communication. Other exchanges may find these practices worth incorporating into their own contingency plans.
For exchanges, asset security is a top priority. We hope that major exchanges will pay more attention to security measures in the future. As a professional technical security organization and a professional service provider for on-chain asset tracing, we are also willing to support the industry and protect the asset security of exchanges and their users.