Overview
Table of Contents
CoinEx Global, a well-known cryptocurrency exchange platform, has recently fallen victim to a significant security breach. The exploit led to a loss estimated at approximately $54 million. Preliminary investigations suggest a possible compromise of private keys, leading to unauthorized fund transfers from the platform’s hot wallets.
Fine Details of the Hack
- Hack Amount: ~$54 million.
- Fund Movement:
- A CoinEx exploiter, identified by the address (0x8bf8c), transferred ~6,558 ETH (equivalent to $10.4M) to the Externally Owned Account (EOA)
0x40cBe7580168d52b7FEC884120B31115c3F7E37E. - Another exploiter, with address fragment (0x483D8), shifted 1,453 ETH (valued at $2.3M) to EOA
0x1A61Df134d766f1e240FBFAEe79bBeCC04195f62.
Affected Hot Wallets (By Chain)
| $ETH: 0xce013682eddefaca8c94fe56a43a04212ebe4673 0x8bf8cd7F001D0584F98F53a3d82eD0bA498cC3dE 0xCC1AE485b617c59a7c577C02cd07078a2bcCE454 0x483D88278Cbc0C9105c4807d558E06782AEFf584 0x2118e4432d668aCFa347ddBA0efCcc6BB04DB297 0x1A61Df134d766f1e240FBFAEe79bBeCC04195f62 0x40cBe7580168d52b7FEC884120B31115c3F7E37E | $BTC: 1BHNb9UJy4cWFB5wywZkTVgoNB4JbFmswH |
| $TRON: TP75t6owoqXxskLq6FB2R37PymNTmohq9L TPFUjxQzG88Vwynrpj2W61ZAkQ9W2QYgAQ$XRP | $XRP: rpQxVcjVF2fC23r3xKyJS53jw8d5SRhZQf |
| $SOL: G3udanrxk8stVe8Se2zXmJ3QwU8GSFJMn28mTfn8t1kq | $BSC: 0x6953704e753C6FD70Eb6B083313089e4FC258A20 |
| $KDA: k:a9f3672d7ad7a1e4592702d73b220cbc61db1fa17f89a56131d965bc03959913 | $BCH: qrgxyhj8rzl4l7fgauu6q6vtu2grct4jeyrnaq2s75 |
| $XDAG: 15VY3MadZvLpXhjzFXwCUmtZcHszju6L9 |
Breakup of Stolen Funds by Wallet Address and Chain
Hack Analysis
The unauthorized movement of funds from CoinEx’s hot wallets indicates a serious security breach, with preliminary evidence pointing towards a potential compromise of private keys.
The use of multiple addresses in the hack suggests a sophisticated attacker, making tracking and recovery more challenging.
The distribution of stolen funds across different blockchain chains, such as ETH, TRON, BSC, BTC, and MATIC, indicates the hacker’s profound knowledge of various blockchain ecosystems.
This multi-chain approach further complicates the process of tracing the stolen funds. Moreover, the significant sum shifted suggests that this wasn’t a spur-of-the-moment act but a well-planned exploit.
Additional Information
The two primary addresses, CoinEx Fund Drainers:
- CoinEx Fund Drainer 1:
0xce013682eddefaca8c94fe56a43a04212ebe4673 - CoinEx Fund Drainer 2:
0xae88ac9800594b43ac25a57374a5dac3d183bbc1
were found to have had deposit/withdrawal operations with prominent cryptocurrency exchanges, Binance and HuobiGlobal, in 2021.
Such associations could mean these platforms might have been used either for cashing out or further transferring the stolen funds.
Both Binance and HuobiGlobal might hold transaction logs or additional data related to these addresses, which could prove invaluable in tracing the movement of the stolen assets.
Moreover, there’s a noteworthy connection to a Twitter post related to the CoinEx Fund Drainer 2 address. This tweet or the account associated might provide further insights or leads into the hack’s intricacies.
As per independent security researcher ZachXBT, the exploiter of Coinex Global is connected with North-Korean hacking group responsible for exploiting cryptocurrency casino ‘Stake’. In a tweet he shared his findings regarding this.
There is another uncanny coincidence where Coinex Global exploiter bridged a part of the stolen funds to the https://etherscan.io/address/0x964c192e54e5ef4176626875bb53071956579fca
which was in turn funded by another address https://etherscan.io/address/0x75497999432b8701330fb68058bd21918c02ac59. This is the same address
which got funds from the ‘Stake’ hacker on Polygon chain.
The Official Hack Response
- Immediately after the hack was discovered, CoinEx Global started investigating the breach, a report on which would be published as soon as it is completed.
- CoinEx Global has assured that the affected uses will receive 100% compensation for any loss due to this breach.
- To stem the hack, deposit & withdrawal services have been temporarily suspended until further review.