It is reported that at 12:06 on November 27, Beosin Eagle Eye, the situational awareness system of Chengdu Chain Security (Chengdu Lianan), detected that the hot wallet address of the Upbit exchange on Ethereum had transferred more than 340,000 ETH to an unknown address in a single transaction.
After the hacker transferred 342,000 ETH, only 111.3 ETH remained in the address, leaving it almost empty.
Upbit subsequently issued an official announcement:
The Chengdu Chain Security team then reconstructed the complete timeline of the token transfers:
At 13:18 on November 27, Beijing time, the Upbit TRON address beginning with tdu1uj transferred TRON tokens in batches to the address beginning with ta9fnqrl, totalling more than 1.16 billion TRX and 21 million BTT.
At 13:02 on November 27, Beijing time, 8,628,959 EOS were transferred from the Upbit EOS wallet address to the Bittrex exchange;
At about 1:55 on November 27, Beijing time, more than 152 million XLM were transferred from the Upbit exchange to the Bittrex exchange.
According to further analysis, the transfers of EOS, XLM and TRON tokens were most likely hedging operations triggered by the exchange's risk-control mechanism; there is data showing that Upbit and Bittrex are partners, so the large EOS and XLM transfers to Bittrex may have been Bittrex assisting with risk aversion.
Later, at 4:56 p.m. Beijing time, Lee Sek-woo, CEO of Upbit's operator Dunamu, issued a notice stating that the exchange had suspended its cryptocurrency deposit service and was urgently investigating the cause, and that Upbit would bear the full loss.
With that, the full course of Upbit's token transfers is clear. For the ETH theft itself, the Chengdu Chain Security team made the following analysis and judgment:
If the Upbit exchange was indeed compromised, the more likely cause is that the server storing the hot wallet's private key was attacked and the key stolen, or that the transaction-signing server was attacked, rather than the server controlling the hot wallet's transfer API.
From the transfer transaction (hash beginning 0xa09871a43c029) it can be seen that the hacker or group moved the entire balance of the account at that time in a single transaction, with no extraneous operations. Later, about 4,700 ETH more was deposited by users into the Upbit exchange; the exchange has since moved those assets to the exchange-controlled address 0x267f7…0a8E319c72CEff5.
From what is currently known, Upbit may have been attacked via spear-phishing emails, watering-hole attacks or similar, with further attacks carried out after the attackers gained control of the PCs of employees or even executives inside the exchange. It has also been reported that on May 28 North Korean hackers sent phishing emails to Upbit exchange users as part of a cyber attack.
Here, Chengdu Lianan reminds project teams:
1. Store private keys securely, and avoid clicking on emails of unknown origin or purpose as far as possible;
2. Employees' personal PCs should run mainstream anti-virus software; strengthen security-awareness training for internal staff; and consider engaging a reliable third-party security company for internal network protection and hardening.
3. For the private-key storage server, assign dedicated personnel for its operation and maintenance.
Effective protective measures that can be taken:
1. Wrap (rewrite) the server commands commonly used by attackers, such as history and cat, and develop scripts for continuous monitoring so that running a sensitive command triggers a push alert; after the rewrite, operations staff only need to maintain the new commands.
2. Improve the exchange's own capital risk-control system, with timely alarms and transaction blocking, to prevent large losses.
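To make the second measure concrete, the following is an added example (not code from the article, from Chengdu Chain Security or from Upbit) of a pre-signing risk-control check for hot-wallet withdrawals: hard limits block a transfer outright, soft limits raise an alarm and hold it for operator approval. The limits, the policy and the timestamps are assumed values; only the balance figures (342,000 ETH drained, 111.3 ETH left) come from the article.

```python
from collections import deque
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Decision:
    action: str   # "allow", "alert" (hold for operator sign-off) or "block"
    reason: str


class HotWalletRiskControl:
    """Pre-signing check for hot-wallet withdrawals. Hypothetical policy, not Upbit's:
    hard limits block outright, soft limits alarm and hold for operator approval."""
    def __init__(self, balance_eth, single_tx_limit, drain_fraction,
                 alert_threshold, hourly_limit):
        self.balance = Decimal(balance_eth)
        self.single_tx_limit = Decimal(single_tx_limit)  # hard cap per transfer
        self.drain_fraction = Decimal(drain_fraction)    # hard cap as share of balance
        self.alert_threshold = Decimal(alert_threshold)  # soft cap per transfer
        self.hourly_limit = Decimal(hourly_limit)        # soft cap on rolling 1h volume
        self.window = deque()                            # (ts, amount) of executed sends

    def _sent_last_hour(self, ts):
        while self.window and self.window[0][0] <= ts - 3600:
            self.window.popleft()
        return sum((amt for _, amt in self.window), Decimal(0))

    def evaluate(self, amount_eth, ts):
        """Return the decision for a withdrawal of amount_eth requested at unix time ts."""
        amount = Decimal(amount_eth)
        if amount > self.single_tx_limit:
            return Decision("block", f"{amount} ETH exceeds per-transfer cap {self.single_tx_limit} ETH")
        if amount > self.balance * self.drain_fraction:
            return Decision("block", f"{amount} ETH would drain over {self.drain_fraction * 100}% of the wallet")
        if amount > self.alert_threshold:
            return Decision("alert", f"{amount} ETH above soft cap {self.alert_threshold} ETH; hold for approval")
        if self._sent_last_hour(ts) + amount > self.hourly_limit:
            return Decision("alert", f"hourly volume would exceed {self.hourly_limit} ETH; hold for approval")
        self.window.append((ts, amount))   # only executed transfers count toward velocity
        self.balance -= amount
        return Decision("allow", "within policy")


def replay_drain():
    """Replay the reported drain (342,000 ETH from about 342,111.3 ETH) and a routine
    withdrawal against assumed limits; timestamps are assumed too."""
    rc = HotWalletRiskControl("342111.3", "1000", "0.05", "200", "3000")
    return [rc.evaluate("342000", 0).action, rc.evaluate("150", 60).action]  # ['block', 'allow']
```

In a real deployment the check runs on the signing side, so a compromised API host cannot bypass it, and every "alert" and "block" decision is pushed to the operations team as the article's alarm.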