The recent hack and theft of digital assets from the New Zealand-based Cryptopia exchange was unusually widespread and lasted much longer than typical hacks, Max Galka of Elementus.io and his team have determined after conducting an analysis.
The investigative research only used Ethereum and ERC-20 tokens as evidence, with the researchers leaving out Bitcoin’s and other blockchains involved in the attack. Elementus also posted the raw data that they used for their research.
The vast majority of stolen ether and ERC-20 tokens - $15 million worth at recent prices - remain unsold in the thieves’ wallets. In total about $16 million worth of ether and ERC-20 tokens were stolen.
Features of the Hack
The upshot of their research is that Cryptopia’s hack was an unusual one, and Elementus outline two features of the attack to support this claim.
First, the scope of the attack was unusually large and comprehensive. Elementus claim that 76,000 wallets were penetrated in the attack, meaning thousands of private keys had to be swiped from somewhere - perhaps a central location of private keys.
Elementus point out that exchange attacks “typically involve the breach of a single wallet, and by the time the theft becomes publicly known, the funds are long gone.”
Second, Elementus describe a glaring “lack of urgency” in how the attack was conducted. They highlight that the attack lasted for more than four days, during which Cryptopia - we assume helplessly - simply watched the ether and ERC-20 tokens be withdrawn.
Elementus emphasize that “there should have been no technical complications preventing Cryptopia from securing the funds.” These features of the attack lead them to generally conclude that “The only plausible explanation for Cryptopia's inaction is that they no longer had access to their own wallets.”
Some in the cryptoasset industry and community have speculated that the theft was actually an exit scam. Elementus did not at all entertain this possibility, and they don’t seem to be of the opinion that this was the case - but their analysis of the incident does not necessarily preclude it.
For example, the obvious rejoinder to Elementus’ conclusion - that “The only plausible explanation for Cryptopia's inaction is that they no longer had access to their own wallets” - is that Cryptopia themselves conducted the attack with possession of their own wallets.
But there is absolutely no public evidence, at this time, to support the "inside job" theory.
The New Zealand police, who are investigating the matter, issued a press release yesterday updating the public on their progress. Not much new information was forthcoming, however, with the department writing:
Cryptopia management and staff have been co-operating with Police and providing considerable assistance in the investigation. The investigation is expected to take some time to complete, and the digital forensic team will be on-site at Cryptopia’s premises for some days to come.