Cryptopia developers have come under heavy criticism following a report that shines a light on how the recent exchange hack went down. Two weeks after millions of dollars’ worth of tokens were stolen from the exchange, it has emerged that those responsible for the crime were still transferring funds out of the compromised wallets up to five days after the Cryptopia team were made aware of the breach. The team has so far stayed silent on the scale and ramifications of the attack, which has caused some concern among the community and prompted others to take action.
Blockchain startup Elementus was one such company that grew concerned about the lack of communication, and so, because there has been “surprisingly little information about what actually happened”, they decided to use their blockchain analysis tools to dig some statistical dirt on the hack and released a report on their findings. They found that the value of stolen coins was $16 million at the time, but this only takes into account ERC20 tokens, not Bitcoin or non-Ethereum blockchain-based coins. The combined total is estimated to be in the $23 million region, which is a far cry from the $1.6-$3 million that was initially estimated, but the reason for this also seem to have been laid bare:
After Cryptopia discovered the hack, they watched the funds continue to flow out of their wallets for four more days, seemingly powerless to stop it. As these wallets were not smart contracts, there should have been no technical complications preventing Cryptopia from securing the funds. The only plausible explanation for Cryptopia’s inaction is that they no longer had access to their own wallets.
Complete Loss of Control
Elementus theorize that Cryptopia’s seeming total loss of control of all the 76,000+ Ethereum wallets within their possession may be down to all the private keys being stored on a central server that was hacked and had no backup, giving the thieves access and time to empty the funds before wiping the server. Elementus also concludes that some 2,000 wallets had deposits made to them by unsuspecting users after the hack took place, meaning that, assuming they still have control of the wallets, the thieves still have access to a combined balance of 380 ETH (about $42,000).
Cryptopia Silence Worries Investors
The vast majority of the stolen coins still remain in the hackers wallets (wallet 1, wallet 2), with those responsible perhaps waiting for the dust to settle before taking any further action, especially since other avenues such as alternative exchanges have been blocked. Not a great deal is known about the methodology of the attack, apart from the fact that thousands of independent wallet private keys were stolen, and so far Cryptopia’s only response in twelve days has been a Twitter post to say that Police are still investigating the hack. Until more information comes to light it will only continue to concern the community, particularly those who lost money, and increase accusations of an inside job.