Over $280M Drained in KuCoin Crypto Exchange Hack

Roughly $281 million of an Asian cryptocurrency exchange’s funds have been compromised in a security breach.

The Singapore-headquartered digital asset exchange KuCoin said in a statement it detected large withdrawals of bitcoin (BTC) and ethereum (ETH) tokens to an unknown wallet beginning at 19:05 UTC on Friday. 

In a live stream on 4:30 UTC Saturday, KuCoin CEO Johnny Lyu said one or more hackers obtained the private keys to the exchange’s hot wallets. KuCoin transferred what was left in them to new hot wallets, abandoned the old ones and froze customer deposits and withdrawals, Lyu said.

KuCoin’s cold wallets were unaffected, Lyu claimed. Cold cryptocurrency wallets are not connected to the Internet and are considered more secure than hot cryptocurrency wallets. 

In an updated statement on its website, KuCoin released a list of BTC, bitcoin sv (BSV), ETH, litecoin (LTC), XRP, Stellar lumens (XLM), tron (TRX) and tether (USDT) wallet addresses where the stolen funds were transferred.

Two Ethereum wallets belonging to KuCoin have sent more than 11,480 ETH, which currently trades at a price of about $350, to the Ethereum wallet address associated with the hack, according to data from blockchain explorer Etherscan.

The Ethereum wallet address has also received over 150 Ethereum-based tokens worth more than $150 million from the two KuCoin Ethereum wallets, Etherscan’s data shows.

The other identified wallets have received exactly 14,713 BSV, 26,733 LTC, 18,495,798 XRP and 999,160 USDT, along with over 2,015 BTC at three addresses (one, two and three), 9,588,383 XLM and 199,038,936 TRX, according to blockchain explorers Blockchair and Tronscan.

The cryptocurrencies are trading at roughly $10,700 per BTC, $165 per BSV, $45 per LTC, $0.25 per XRP, $0.07 per XLM, $0.02 per TRX and $1 per USDT, as of writing.

Tether and several cryptocurrency assets and exchanges such as Bitfinex have blacklisted the wallet addresses, according to the updated statement.

Over 200 cryptocurrency assets trade on KuCoin with a combined daily average volume of around $100 million, ranking it as one of the busiest trading exchanges, according to the cryptocurrency data site CoinGecko.

The price of KuCoin’s exchange token KCS fell by 14% to $0.86 within an hour on Saturday as news of the security breach spread on social media. 

KuCoin is investigating the hack with international law enforcement and stolen customer money will be “covered completely” by an insurance fund, Lyu said in the livestream, though the exchange has since recovered about $204 million in stolen funds, Lyu informed users in a Tweet on Oct. 3.

UPDATE (Sept. 27, 2020, 1:00 UTC): Addresses and balances for cryptocurrency wallets associated with KuCoin’s hack have been added.
UPDATE (Oct. 8, 2020, 00:25 UTC): The amount of stolen cryptocurrency reflects two additional bitcoin wallet addresses and recovered assets