As rumours swirl of inside job or Exit Scam, stolen Cryptopia crypto is on the move to other exchanges.
Following the announcement of a hack on New Zealand-based exchange Cryptopia early Tuesday morning, one Reddit user has been tracking wallets that seem to be moving the service’s stolen Ethereum-based funds. This in turn has led to a group of eager blockchain observers tracking the movement of the stolen funds across to a few different exchanges.
Their observations throw up some interesting questions regarding the timeline of events, and have begun speculation that what has transpired – the theft of roughly $14 million-worth of Ethereum and ERC-20 tokens – may be internally driven, or possibly even a so-called ‘Exit Scam’.
Yesterday, in the r/cryptopia subreddit, user toldjahP created a post highlighting several Etheruem transactions shown on Etherscan. Their findings show suspiciously large movements of various cryptocurrencies from recognised Cryptopia wallets occurring something like 17 hours prior to its announcement of ‘Unscheduled Maintenance’, a state of affairs that ultimately turned into its admission of a hack a little over an hour later.
The largest single move was big enough to trigger the attention of the Whale Alert Twitter account, and concerned a transfer of ETH worth $2.5 million from a previously identified Cryptopia wallet.
— Whale Alert (@whale_alert) January 13, 2019
Just 10 minutes after that another transaction was also flagged by Whale Alert. This time, it involved a movement of CENNZ tokens – a cache that amounted to nearly 6% of the total market cap of the ERC-20 platform, Centrality.
— Whale Alert (@whale_alert) January 13, 2019
Another transaction highlighted by toldjahP is the movement of roughly $300,000-worth of the low-market cap Decentralised Anonymous Payments System token (DAPS). The nigh-on four billion DAPS tokens moved in this one transaction, which can be seen here, also makes up a significant portion of the total 52bn DAPS in circulation.
All of the funds mentioned in those transactions eventually made their way to one single address – this one
For a while, 29,000 ETH (roughly $3.6 million dollars sat at that address, along with the comments of many people claiming to be victims of the Cryptopia hack begging for their cryptocurrency back. It has since been moved to a new address.
The pièce de résistance of toldjahP’s findings, though, was a wallet that at one point held $11 million-worth of ERC-20 tokens transferred almost instantaneously from Cryptopia. The tokens came from a vast array of different projects including Dentacoin, Spank, Ethereum Dark, TenX Pay, Bytom, Golem and many more. A further summary of the events was presented by Twitter user @shaftedTangu in a comprehensive thread on the movements.
Topia hack addresses. This is topia ETH/ERC20 addresshttps://t.co/wZ7THdpYc6
— 🐒🐵I Dream Of Alts🐵🐒 (@ShaftedTangu) January 15, 2019
The sheer range of coins removed from the exchange, and the size of the haul, has lead many to speculate that what has transpired was potentially a so-called Exit Scam – the removal of funds before closing down the site and making away with them – or, perhaps more likely, an inside job. The Block’s Larry Cermak was one such voice:
What's interesting is that the exchange seemed to have strict 2FA. So there is suspicion that the hack could have been internal. The site had an “unscheduled maintenance” once the security breach was identified pic.twitter.com/GAn055smqn
— Larry Cermak (@lawmaster) January 15, 2019
And his point of view has since been echoed by the original poster on Reddit; who laid out three possible scenarios that they saw as most likely:
“1.) hacker got all privat [sic] keys, from few thousand deposit wallets and cryptopia was not able to secure those amounts, which were transferred many hours after the “hack”.
2.) hacker stole other coins then ETH and cryptopia secured all ETH/ERC20 to new wallets.
3.) inside job”
Hacked Cryptopia Funds Sent to Binance
In the last few hours observer @ShaftedTangu has been Tweeting again about the wallets. Highlighting further movements of the funds from the wallets outlined by toldjahP to various exchanges – including Binance, Coinexchangio, Digifinex and Kucoin – making attempts to attract the attention of Binance’s top man, Changpeng Zhao, regarding the news.
— 🐒🐵I Dream Of Alts🐵🐒 (@ShaftedTangu) January 16, 2019
At the time of writing (1030 UTC, 16th Jan), the Token address holding the $11m range of Altcoins from the hack has been depleted by something just north of $800,000. The last movement was a movement of approximately $35,000 worth of LINA, less than half-an-hour ago.
Amid all the rumours, Cryptopia has been unnervingly quiet via social media. Since its announcement of the problems it was facing, its only other comment was to tweet that it “cannot comment” on what’s going on, and pointing observers to a New Zealand Police statement confirming its ongoing investigation into “an issue involving potential un-authorised transaction activity at the Christchurch based crypto-currency trading company Cryptopia.”
“We are currently talking to the company to gain a further understanding of what has occurred,” the statement continues, adding that “Police are also liaising with relevant partner agencies in New Zealand and overseas.”
A further update on the investigation is expected today, we will update on further movements as we find out about them.
The hack is the first recorded event of this kind in 2019, and comes almost exactly a year after the massive $500,000,000 cache of Crypto (at the values of the day) was stolen from Japan's Coincheck.