Blockchain analysis firm Elementus has reported that New Zealand-based digital asset exchange Cryptopia, which has told us it suffered a security breach on January 14th (that resulted in “significant losses”), is continuing to suffer from this attack with the hacker(s) stealing another 1,675 ETH on Sunday (January 28th).

On January 15th, Cryptopia announced that on January 14th it had “suffered a security breach which resulted in significant losses.” This was the tweet Cryptopia sent out to inform the public:

Elementus used its blockchain analysis technology (“the Elementus query engine”) to investigate what had happened at Cryptopia to find out “how the theft took place”, “how much was lost”, and “the current status of stolen funds”, and reported the results of this investigation in a blog post published on January 21st.

Here is their recap of the events that took place between January 13th and Jaunary 17th:

  • “Sunday 13-Jan, 8:28am: Funds begin moving out of Cryptopia’s two core hot wallets, one holding ether and the other holding tokens.”
  • “Sunday 13-Jan, 11:58pm: With the core wallets empty, residual quantities of funds begin leaving Cryptopia’s 76k+ secondary wallets, a process that would continue for several days.”
  • “Monday 14-Jan, 6:00am: Cryptopia suspends trading, announcing they are undergoing unscheduled maintenance.”
  • “Tuesday 15-Jan, 3:00am: Cryptopia discloses the security breach and New Zealand law enforcement steps in.”
  • “Thursday 17-Jan, 5:58am: The last of Cryptopia’s funds are drained.”

Elementus estimated that based on the loss of ETH and ERC20 tokens alone, the hackers had managed to steal around $16 million in crypto. It also pointed out two things that make the Cryptopia hack different from other famous crypto heists:

  • “The Cryptopia hack involved a large number of wallets,” which means that the “thieves must have gained access to not one private key, but thousands of them.”
  • “The hack continued for days after Cryptopia discovered the breach;” the thieves “took their time extracting the assets over the course of nearly five days.”

Elementus noted at the time that it looked like “Cryptopia not only lost their funds, they also lost access to all, or nearly all, of their 76k+ Ethereum wallets,” with one possible explanation being that “Cryptopia had their private keys stored in a single server with no redundancy.” If the hackers had obtained access to such a server, they “could have downloaded the private keys before wiping them from the server, leaving Cryptopia unable to access their own wallets.”

One conclusion from their investigation was: “1,948 Ethereum wallets and $46k in Ether remain at risk.”

Yesterday, Elementus reported via another blog post that, 15 days after the hackers moved funds out of Cryptopia’s two main hot wallets, the Cryptopia attackers had stolen on January 28th an additional 1,675 ETH from 17k Cryptopia wallets:

“Among the wallets affected are the 1,948 at-risk wallets we identified previously, some of which have continued to accrue funds as recently as today. The list also includes over 5,000 wallets that had already been drained in the original hack, but have since been topped up, presumably by unknowing Cryptopia users.”

According to Elementus, these funds started moving at 06:59 on January 28th and “continued throughout the day,” accumulating in Ethereum address 0x3b46c790ff408e987928169bd1904b6d71c00305, with the deposits to this address stopping around 21:50, and the funds then moved to Ethereum address 0xaa923cd02364bb8a4c3d6f894178d2e12231655c (“one of the wallets used in the prior series of breaches”).

Elementus has two conclusions after investigating the actions of the hackers on January 28th:

  • “Cryptopia no longer has control of their Ethereum wallets, and the hacker still does.”
  • “Despite the hack, many Cryptopia users continue depositing funds into their Ethereum wallets.”

The Elementus team believes that the reason for some Cryptopia users continuing to send funds to Cryptopia is that most of these funds are “coming from mining pools”, and they are assuming that “these payments are being sent on behalf of miners who opted to receive their rewards automatically via ‘direct deposit,’ and have since forgotten about it.”

Featured Image Credit: Photo via