Online XRP wallet GateHub has announced that it was hacked on June 1, with nearly 14.5 million XRP stolen, worth approximately $6 million. In a statement released June 6 the company revealed that “approximately 100 XRP Ledger wallets were compromised” and that an investigation is already underway in conjunction with the authorities. GateHub also said that it was “working closely with a professional IT forensics team to determine whether our system was compromised or not.”
Our investigation team and a professional IT forensics team are still working around the clock to complete an internal investigation. We will post an official statement soon. You can find our Preliminary Statement here: https://t.co/HHAeAFUsjR
— GateHub (@GateHub) June 6, 2019
Four-day Hack
In its statement, GateHub said it received word from customers and the XRP community last Saturday that some had seen funds stolen from their GateHub-hosted XRP Ledger wallets. One of these community members was crypto analyst Thomas Silkjær, whose company found the wallet associated with the thefts and noted that it was set up on May 30, presumably with the express purpose of receiving the stolen funds. Less than two hours after the wallet was created, the first stolen funds started rolling in and then out again in large batches. The hack continued until June 3, by which time nearly 14.5 million XRP tokens had been moved into the account and 11 million moved back out across several addresses. The biggest single theft was seven million XRP from one account, almost half the total stolen.
Hello @enej_p @gatehub Today I woke up to find that my account has been compromised. I’ve lost 380,000 XRP on May 31 and I didn’t even log in that day! I know your team is working intensively on this issue, please resolve it as soon as possible.
— Hossam Tlass (@IVTlass) June 3, 2019
No Methodology Established
The methodology behind the attack is not yet clear, but Silkjær stated that his team has been able to rule out several possible explanations, including individual account hacks, phishing scams, browser client hacking, and a database leak. One potential avenue is the API, according to the GateHub statement:
API requests to the victim’s accounts were all authorized with a valid access token. There were no suspicious logins detected, nor were there any signs of brute forcing. We have however detected an increased amount of API calls (with valid access tokens) coming from a small number of IP addresses which might be how the perpetrator gained access to encrypted secret keys. That, however, still doesn’t explain how the perpetrator was able to gain other required information needed to decrypt the secret keys. All access tokens were disabled on June 1st after which the suspicious API calls were stopped.
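The pattern GateHub describes, a burst of API calls that all carry valid access tokens but arrive from a handful of source IPs and touch many different customer accounts, is something an API gateway's own logs can surface before the money moves. The sketch below is an added example, not GateHub's code or log format: it parses a constructed access log, buckets valid-token calls by source IP and five-minute window, and flags any IP that reaches an unusual number of distinct accounts in one window. The log layout, field names, endpoint paths and thresholds are all assumptions chosen for the illustration.

```python
"""Detect valid-token API abuse: few source IPs, many distinct accounts.

Added example. The log format below is constructed for this demonstration
and is not GateHub's real API log; thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: "<ISO timestamp> <src_ip> <account_id> <token_status> <method> <path>"
# One IP (203.0.113.7) walks through five unrelated accounts in a few seconds,
# every call authorised by a valid token; the other IPs look like normal clients.
SAMPLE_LOG = """\
2019-05-30T21:00:01Z 203.0.113.7 acct-1001 valid GET /v1/wallet/secret
2019-05-30T21:00:02Z 203.0.113.7 acct-1002 valid GET /v1/wallet/secret
2019-05-30T21:00:03Z 203.0.113.7 acct-1003 valid GET /v1/wallet/secret
2019-05-30T21:00:04Z 203.0.113.7 acct-1004 valid GET /v1/wallet/secret
2019-05-30T21:00:05Z 203.0.113.7 acct-1005 valid GET /v1/wallet/secret
2019-05-30T21:00:09Z 198.51.100.3 acct-2001 valid GET /v1/balance
2019-05-30T21:00:10Z 198.51.100.3 acct-2001 valid GET /v1/balance
2019-05-30T21:03:00Z 198.51.100.4 acct-2002 invalid GET /v1/balance
2019-05-30T21:06:00Z 203.0.113.7 acct-1006 valid GET /v1/wallet/secret
"""


def parse_line(line):
    """Split one constructed log line into a dict with an aware UTC timestamp."""
    ts, ip, account, token_status, method, path = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ip,
        "account": account,
        "token_valid": token_status == "valid",
        "endpoint": f"{method} {path}",
    }


def detect_token_abuse(log_text, window=timedelta(minutes=5), max_accounts_per_ip=3):
    """Return one finding per (ip, window) in which a single source IP used valid
    tokens for more than `max_accounts_per_ip` distinct accounts.

    Invalid-token calls are skipped here: they belong to a brute-force detector,
    and the point of this check is that a valid token alone is not enough to
    call traffic benign.
    """
    buckets = defaultdict(lambda: {"calls": 0, "accounts": set()})
    win_secs = window.total_seconds()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if not ev["token_valid"]:
            continue
        slot = int(ev["ts"].timestamp() // win_secs)   # fixed window index
        bucket = buckets[(ev["ip"], slot)]
        bucket["calls"] += 1
        bucket["accounts"].add(ev["account"])

    findings = []
    for (ip, slot), bucket in buckets.items():
        if len(bucket["accounts"]) > max_accounts_per_ip:
            findings.append({
                "ip": ip,
                "window_start": datetime.fromtimestamp(slot * win_secs, tz=timezone.utc),
                "calls": bucket["calls"],
                "distinct_accounts": len(bucket["accounts"]),
                "accounts": sorted(bucket["accounts"]),
            })
    findings.sort(key=lambda f: (f["window_start"], f["ip"]))
    return findings


def accounts_to_revoke(findings):
    """Accounts whose access tokens should be revoked and whose owners should be
    notified, mirroring the blanket token disablement GateHub reported."""
    return sorted({acct for f in findings for acct in f["accounts"]})


if __name__ == "__main__":
    for f in detect_token_abuse(SAMPLE_LOG):
        print(f"{f['ip']} from {f['window_start']:%H:%M}: "
              f"{f['calls']} valid-token calls across {f['distinct_accounts']} accounts")
    print("revoke tokens for:", accounts_to_revoke(detect_token_abuse(SAMPLE_LOG)))
```

The distinct-account count is the more useful signal than raw call volume: a legitimate mobile client may make many calls, but it rarely authenticates as several unrelated customers from one address inside a few seconds. In production the threshold should be set from a baseline of normal per-IP behaviour, and the detector should also key on the token-to-account binding, since a token that starts appearing from a new IP for an account it has never touched before is the same anomaly seen from the other side.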
Until fault is established, it is unknown whether victims will get their XRP back, with GateHub being careful not to admit any liability before the investigation has concluded. Given the huge losses suffered by some, any forthcoming announcements from the company are likely to receive close attention.