Table of Contents
- 1 Overview
- 2 About Mixin Network
- 3 Root Cause of the Hack
- 4 Detailed Analysis
- 5 Stolen Fund Details
- 6 Hack Aftermath
- 7 Lessons Learnt
- 8 Conclusion
Overview
Mixin Network, a blockchain-based peer-to-peer network for digital assets, experienced a significant security breach on September 23, 2023.
The hack resulted in a loss of approximately $200 million, with stolen assets including $95.3 million in Ether (ETH), $23.7 million in Bitcoin (BTC), and $23.6 million in Tether (USDT).
According to Mixin's own disclosure, the attackers compromised the database of its cloud service provider and used that access to drain the network's hot wallets.
About Mixin Network
Founded in 2017, the Mixin Network is a Hong Kong-based platform that operates a peer-to-peer transactional network for digital assets.
Mixin supports transactions across 48 public blockchains and reports a user base of about one million.
As of July 2023 the network ran 26 full nodes, and the top 100 assets on the platform had a combined market value of roughly $1.1 billion, a sizeable concentration of value for an attacker to target.
Its cross-chain transfer protocol, which moves assets between the supported chains, was the feature that drew most attention to Mixin before the breach.
Root Cause of the Hack
Mixin attributed the incident to a compromise of the database operated by its cloud service provider; with that access the attackers were able to take control of the network's hot wallets. A single, centrally hosted database sitting in the control path of hot-wallet funds was the weak point: once it fell, nothing else stood between the attacker and the assets. How exactly database access translated into signing authority over the wallets has not been disclosed.
Detailed Analysis
Initial Breach and Network Compromise
The attack is widely suspected to be the work of the North Korean Lazarus Group, which has a long record of targeting cryptocurrency platforms; the attribution has not been formally confirmed.
According to Mixin, the compromised cloud database gave the attackers access to assets held on the network's mainnet, and with it control over a large share of the hot-wallet balances.
Method of Asset Extraction
The drained assets were mainly Bitcoin (BTC), Ether (ETH) and Tether (USDT) from Mixin's mainnet holdings.
The exact technical path from database compromise to signed withdrawals has not been published. What can be observed on-chain is the set of addresses that received the funds, and the speed and size of the transfers point to an attacker who had planned the operation in advance.
Some of the addresses associated with the exploiter:
- 0x52E86988bd07447C596e9B0C7765F8500113104c (ETH): Received 60,000 ETH (approximately $94 million).
- 0x3B5fb9d9da3546e9CE6E5AA3CCEca14C8D20041e (ETH): Received the USDT, which was later swapped to DAI (around $23.5 million).
- 0xB5d631A74AD9c9efcF96d6e9e2fAbcB75C67Eafa (ETH): Involved in dispersing the ETH.
- bc1qq7uefmz6nng5c4dzs9mwrxxyh9sxg5cjg85hes (BTC): Received 891 BTC (approximately $23 million).
Stolen Fund Details
Composition of Stolen Funds
Data from the exploiter addresses puts the stolen funds at $95.3 million in Ether (ETH), $23.7 million in Bitcoin (BTC) and $23.6 million in Tether (USDT).
Measured against Mixin's reserves, the theft took 9% of its Bitcoin, 71% of its Ether and 93% of its Tether.
Much of the stolen USDT was swapped for DAI on decentralized exchanges. USDT is issued by Tether, which can blacklist addresses and freeze the balances they hold; DAI has no central issuer and no freeze function, so converting into it removes the one recovery lever that works against a centrally issued stablecoin.
The swaps do not hide the trail, which stays visible on-chain, but they show an attacker familiar enough with DeFi tooling to neutralise freeze orders before they could be issued.
Hack Aftermath
Response and Recovery Efforts
Mixin brought in Google and the blockchain security firm SlowMist to assist with the investigation and with efforts to recover the funds.
A compensation plan followed: affected users were to receive a refund of up to 50% of their lost assets, with the remainder issued as bond tokens that Mixin committed to repurchase out of the network's future profits.
Service Suspensions and Security Measures
In the wake of the attack, Mixin Network suspended all deposit and withdrawal services and stated that they would reopen only once the vulnerabilities behind the hack had been verified and fixed.
Transfers within the network were not affected, so basic operation continued during the suspension.
Tracing the attacker's addresses also surfaced an earlier link to Mixin.
In 2022 a transfer of 5 ETH from Mixin to an address (0x1795) was recorded; that address, which is linked to the attacker, later transacted with the exchange Binance.
A prior on-chain interaction of this kind suggests the attacker had dealt with Mixin well before the breach and was not unfamiliar with how the network operated.
On its own, though, a single 5 ETH transfer establishes only that contact existed, not how deep the attacker's knowledge of Mixin's internals ran.
Lessons Learnt
The incident shows what happens when control of hot wallets depends on a single, centrally hosted database: one compromise at a third-party provider drained most of two asset reserves. The practical countermeasures follow from that. Keep the bulk of reserves in cold storage so that a hot-wallet compromise is bounded by design. Require more than one independent system to approve an outgoing transfer, so that a database dump alone cannot produce a valid signature. Encrypt key material and other secrets in storage with keys the database host does not hold. Enforce per-window withdrawal limits and destination allowlists, which turn a drain in progress into rejections and alerts rather than a post-mortem. And extend regular audits beyond the smart contracts to the cloud accounts, databases and operational tooling that sit in the custody path.
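As an added illustration of the treasury controls discussed here (this is example code written for this write-up, not Mixin Network's software; the balances, thresholds, timings and the allowlist entry are constructed assumptions, and only the three attacker addresses are taken from the analysis above), the following Python computes how much of each reserve should be swept to cold storage under a hot-wallet cap, then replays a constructed withdrawal ledger shaped like the reported drain through two independent checks: a sliding-window outflow limit and a destination allowlist.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    """One outflow from a hot wallet, as a treasury ledger would record it."""
    ts: datetime
    asset: str
    amount: float
    to: str

@dataclass(frozen=True)
class Policy:
    hot_fraction_max: float        # max share of total holdings allowed in hot wallets
    window: timedelta              # sliding window for the outflow-velocity check
    window_fraction_max: float     # max share of the hot balance that may leave per window
    known_destinations: frozenset  # withdrawal allowlist

@dataclass(frozen=True)
class Alert:
    ts: datetime
    asset: str
    kind: str        # "velocity" or "unknown_destination"
    detail: str

def sweep_plan(hot, total, policy):
    """Per-asset amount to move hot -> cold so that hot <= hot_fraction_max * total."""
    plan = {}
    for asset, hot_bal in hot.items():
        cap = policy.hot_fraction_max * total[asset]
        if hot_bal > cap:
            plan[asset] = hot_bal - cap
    return plan

def outflow_alerts(transfers, hot_start, policy):
    """Replay the ledger in timestamp order and apply two independent checks.

    velocity:            outflows of one asset inside `policy.window` may not exceed
                         `policy.window_fraction_max` of that asset's starting hot balance.
    unknown_destination: every outflow must go to an allowlisted address.
    """
    alerts = []
    windows = {}  # asset -> deque of (ts, amount) currently inside the window
    running = {}  # asset -> sum of the amounts in that deque
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.to not in policy.known_destinations:
            alerts.append(Alert(t.ts, t.asset, "unknown_destination",
                                f"{t.amount:,.2f} {t.asset} to non-allowlisted {t.to}"))
        dq = windows.setdefault(t.asset, deque())
        dq.append((t.ts, t.amount))
        running[t.asset] = running.get(t.asset, 0.0) + t.amount
        while t.ts - dq[0][0] > policy.window:  # expire entries older than the window
            _, old = dq.popleft()
            running[t.asset] -= old
        limit = policy.window_fraction_max * hot_start[t.asset]
        if running[t.asset] > limit:
            alerts.append(Alert(t.ts, t.asset, "velocity",
                                f"{running[t.asset]:,.2f} {t.asset} out within "
                                f"{policy.window}, limit {limit:,.2f}"))
    return alerts

def run_demo():
    """Constructed scenario, not Mixin's real books: every reserve sits in a hot wallet
    and a drain with the reported composition (60,000 ETH, 23.5M USDT, 891 BTC) follows."""
    hot = {"ETH": 84_500.0, "BTC": 9_900.0, "USDT": 25_300_000.0}
    total = dict(hot)  # assumption: no cold storage at all, which the sweep plan exposes
    policy = Policy(
        hot_fraction_max=0.05,
        window=timedelta(hours=1),
        window_fraction_max=0.10,
        known_destinations=frozenset({"0xPayoutPartnerPlaceholder"}),  # hypothetical entry
    )
    t0 = datetime(2023, 9, 23, 12, 0)
    ledger = [Transfer(datetime(2023, 9, 23, 8, 0), "ETH", 50.0, "0xPayoutPartnerPlaceholder")]
    # 15 x 4,000 ETH one minute apart = 60,000 ETH to the address attributed to the attacker above
    ledger += [Transfer(t0 + timedelta(minutes=i), "ETH", 4_000.0,
                        "0x52E86988bd07447C596e9B0C7765F8500113104c") for i in range(15)]
    ledger.append(Transfer(t0 + timedelta(minutes=5), "USDT", 23_500_000.0,
                           "0x3B5fb9d9da3546e9CE6E5AA3CCEca14C8D20041e"))
    ledger.append(Transfer(t0 + timedelta(minutes=10), "BTC", 891.0,
                           "bc1qq7uefmz6nng5c4dzs9mwrxxyh9sxg5cjg85hes"))
    return sweep_plan(hot, total, policy), outflow_alerts(ledger, hot, policy)

if __name__ == "__main__":
    plan, alerts = run_demo()
    for asset, amount in plan.items():
        print(f"sweep {amount:,.0f} {asset} to cold storage")
    for a in alerts:
        print(a.ts.time(), a.asset, a.kind, a.detail)
```

Run as a script, it prints the sweep plan and the alerts. In the constructed drain the ETH velocity alert first fires on the third 4,000 ETH transfer, the single USDT transfer trips its limit on its own, and the 891 BTC, which is only 9% of that reserve and so passes the velocity check, is still caught by the allowlist; that is the point of layering the two controls rather than relying on either alone.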
Conclusion
The Mixin Network breach is a reminder for the wider crypto and DeFi industry that the weakest point of a platform is often not its on-chain code but the conventional infrastructure around it: cloud accounts, databases and the systems that hold hot-wallet keys.
Treating that infrastructure as part of the attack surface, and having it reviewed regularly by specialized security firms such as ImmuneBytes, is a necessary part of protecting digital assets as the technology and its threats keep moving.
The lesson of this hack is as much about architecture and vigilance as about any single control: strong security frameworks matter, but so does the ability to adapt them as threats evolve.