Gatehub Hack Sees 14.5 Million XRP Stolen


Online XRP wallet Gatehub has announced that they were hacked on June 1, leading to nearly 14.5 million XRP being stolen at a value of approximately $6 million. In a statement released June 6 the company revealed that “approximately 100 XRP Ledger wallets were compromised” and that an investigation is already underway in conjunction with the authorities. Gatehub also said that they were “working closely with a professional IT forensics team to determine whether our system was compromised or not.”

Four-day Hack

In their statement, Gatehub said that on Saturday, June 1, they received word from customers and the XRP community that funds had been stolen from some Gatehub-hosted XRP Ledger wallets. One of these community members was crypto analyst Thomas Silkjær, whose company identified the wallet associated with the thefts and noted that it had been set up on May 30, presumably for the express purpose of receiving the stolen funds. Less than two hours after the wallet was created the first stolen funds started flowing in, and then out again in large batches. The thefts continued until June 3, by which time nearly 14.5 million XRP had been moved into the account and about 11 million moved back out across several addresses. The biggest single theft was of seven million XRP from one account, almost half the total stolen.

No Methodology Established

The methodology behind the attack is not yet clear, but Silkjær stated that his team has been able to rule out several candidates, including individual account hacks, phishing scams, browser client hacking, and a database leak. One potential avenue is the API, according to the Gatehub statement:

API requests to the victim’s accounts were all authorized with a valid access token. There were no suspicious logins detected, nor were there any signs of brute forcing. We have however detected an increased amount of API calls (with valid access tokens) coming from a small number of IP addresses which might be how the perpetrator gained access to encrypted secret keys. That, however, still doesn’t explain how the perpetrator was able to gain other required information needed to decrypt the secret keys. All access tokens were disabled on June 1st after which the suspicious API calls were stopped.

Until fault is established it is unknown whether victims will get their XRP back, and Gatehub is being careful not to admit any liability before the investigation has concluded. Given the size of some individual losses, any forthcoming announcements from the company are likely to receive close attention.
