Today we conduct an investigation into the Cryptopia hacker who has seemingly struck again.
Last time we covered the security breach of the Cryptopia exchange, which resulted in nearly $17.44M in losses (calculated at the prices on the day of the hack). Now, nearly 15 days after the hack, the attacker has resurfaced, stealing even more funds and showing everyone that the wallets are not under the exchange's control.
A quick recap of the investigation so far (a more extensive analysis of the initial breach can be found here).
On January 14th, the New Zealand-based exchange Cryptopia suffered a security breach following unscheduled maintenance that was supposed to fix a problem with clients being unable to deposit and withdraw their funds. After the withdrawal of tens of thousands of Ethereum tokens and coins, the service went dormant so that the damage could be assessed.
On January 22nd, the New Zealand Police issued an update saying that good progress was being made in the investigation and that Cryptopia was working closely with the authorities to resolve it. No further news has been shared since.
It is now clear that the exchange does not have full control over its wallets: the hacker has re-entered them and started draining more funds. What looked like Cryptopia securing the remainder of its funds turned out to be another wave of withdrawals, resulting in an additional 1,675 ETH of losses from nearly 17 thousand wallets. The hacker(s) have struck again.
What is unusual here is that some users were still depositing funds to the hacked addresses even after the news had spread widely. Most of these transactions appear to have come directly from mining pools, which had likely automated their payouts to the exchange in order to liquidate mined coins immediately; an automated payout does not stop on its own just because the destination address has been compromised.
Since some of Cryptopia's hot wallets appear to be under the hacker's control, it is reasonable to treat all funds held in them as already stolen; they simply have not all been moved to one place yet.
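As an added illustration (not part of the original post and not Coinfirm's tooling), below is a Python screening routine that a mining pool, or any other automated sender, could run before broadcasting payouts: it blocks transfers to addresses known to be under attacker control from a given time onward and totals what has already landed on them since. The addresses, timestamps and amounts are constructed for the example; the one real-world detail built in is that Ethereum addresses must be compared case-insensitively, because an EIP-55 mixed-case address is a checksummed spelling of the same 20 bytes, not a different address.

```python
"""Screen automated payouts against a list of compromised hot-wallet addresses.

Added illustration for this post; the addresses, timestamps and amounts below
are constructed, not Cryptopia's wallets or Coinfirm's report data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal
from typing import Dict, Iterable, List, Tuple


def normalize(addr: str) -> str:
    """Canonical form for an Ethereum address.

    EIP-55 mixed case is only a checksum over the same 20 bytes, so a blocklist
    that compares raw strings would let 0xAbC... past when the entry was stored
    as 0xabc....  Lower-casing both sides avoids that.
    """
    if not (addr.startswith("0x") and len(addr) == 42):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    int(addr[2:], 16)  # raises ValueError on non-hex characters
    return addr.lower()


# Hypothetical compromised hot wallets and the time from which each is treated
# as attacker-controlled (constructed data, not real Cryptopia addresses).
COMPROMISED: Dict[str, datetime] = {
    normalize("0x" + "ab" * 20): datetime(2019, 1, 14, tzinfo=timezone.utc),
    normalize("0x" + "cd" * 20): datetime(2019, 1, 14, tzinfo=timezone.utc),
}


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    recipient: str
    value_eth: Decimal
    timestamp: datetime


def is_compromised(addr: str, when: datetime,
                   blocklist: Dict[str, datetime] = COMPROMISED) -> bool:
    """True if addr is blocklisted and the transfer is at or after its compromise time."""
    since = blocklist.get(normalize(addr))
    return since is not None and when >= since


def screen_payouts(transfers: Iterable[Transfer],
                   blocklist: Dict[str, datetime] = COMPROMISED
                   ) -> Tuple[List[Transfer], List[Transfer]]:
    """Split pending payouts into (allowed, blocked); run this before broadcasting."""
    allowed: List[Transfer] = []
    blocked: List[Transfer] = []
    for t in transfers:
        (blocked if is_compromised(t.recipient, t.timestamp, blocklist) else allowed).append(t)
    return allowed, blocked


def deposits_after_compromise(transfers: Iterable[Transfer],
                              blocklist: Dict[str, datetime] = COMPROMISED
                              ) -> Dict[str, Decimal]:
    """Total value that landed on each compromised address after it was lost."""
    totals: Dict[str, Decimal] = {}
    for t in transfers:
        if is_compromised(t.recipient, t.timestamp, blocklist):
            key = normalize(t.recipient)
            totals[key] = totals.get(key, Decimal(0)) + t.value_eth
    return totals


# Constructed sample: one pre-incident deposit, two post-incident automated
# payouts (one written with a mixed-case checksum address), and one payout to
# an unaffected address.
SAMPLE = [
    Transfer("0x01", "0x" + "ab" * 20, Decimal("1.5"), datetime(2019, 1, 10, tzinfo=timezone.utc)),
    Transfer("0x02", "0x" + "ab" * 20, Decimal("0.25"), datetime(2019, 1, 20, tzinfo=timezone.utc)),
    Transfer("0x03", "0x" + "AB" * 20, Decimal("0.75"), datetime(2019, 1, 29, tzinfo=timezone.utc)),
    Transfer("0x04", "0x" + "ef" * 20, Decimal("2.0"), datetime(2019, 1, 29, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    ok, held = screen_payouts(SAMPLE)
    print(f"allowed {len(ok)} payout(s), blocked {len(held)}")
    for address, total in deposits_after_compromise(SAMPLE).items():
        print(f"{address}: {total} ETH deposited after compromise")
```

The compromise timestamp matters as much as the address: the same wallet was a legitimate deposit target before the incident, so a screen that only matches on address would also flag historical, perfectly normal deposits when run over past data.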
Below is an updated AML Risk Report for the main address holding the crypto stolen from Cryptopia; its risk rating has increased following further investigation and the newly made transactions:
The Coinfirm Team