Two days after hackers stole USD 196 million in digital assets, centralized cryptocurrency exchange BitMart said on Monday that the firm will reimburse all affected users.
“In response to this incident, BitMart has completed initial security checks and identified affected assets. This security breach was mainly caused by a stolen private key that had two of our hot wallets compromised. Other assets with BitMart are safe and unharmed,” Sheldon Xia, BitMart’s founder and CEO, tweeted on Monday.
Hot wallets are cryptocurrency containers that are connected to the internet, allowing users to send and receive tokens. The connection makes these transfers faster and more convenient, but also means hot wallets are more vulnerable to attacks.
Xia added that BitMart will use its own funds to compensate users who lost assets in the theft. The exchange is set to reopen its deposit and withdrawal services on Tuesday, after a suspension that was put in place on Sunday.
BitMart communications team downplays the theft
On Saturday, blockchain security firm PeckShield was the first to provide information and updates about the crypto theft after tracking massive outflows of tokens that were transferred to a wallet address that is now labeled as “BitMart Hacker” on Etherscan, a blockchain analytics platform for transactions on the Ethereum network.
The stolen assets were converted into Ether via a decentralized exchange aggregator, 1inch, and then deposited into Tornado Cash, a crypto transaction mixer that combines funds of users before each transaction reaches its destination. This process makes the transactions almost impossible to track through wallet addresses, according to an update from PeckShield.
Initially, the administrators of BitMart’s Telegram channel denied claims that BitMart was hacked, saying that it was “fake news,” according to screenshots captured by PeckShield.
When the channel’s members asked why the administrator kept deleting messages related to the hack, the administrator responded by saying the messages were creating “unnecessary tension.”
“I have repeatedly confirmed to you there was no hack. Withdrawals are normal from hot wallets,” the administrator wrote.
The hack has prompted broader questions about the security and safety of centralized exchanges, which are often the entry point for first-time crypto investors and are used by experienced traders to convert crypto to fiat money.
Crypto exchanges have long been a target of hackers, with many notable hacks taking place on decentralized finance platforms, which do not require “know your customer” procedures and simply function with connected wallets. In August, Poly Network, a DeFi platform that allows users to move tokens across blockchains, suffered a historic breach that drained USD 613 million from its coffers, although the hacker returned nearly all the stolen assets.
Some of the most recent hacks involved DeFi firm BadgerDAO, which suffered a loss of USD 120 million, and multi-chain decentralized exchange MonoX, from which hackers siphoned USD 31 million, according to data from blockchain security firm SlowMist.