VeChain Hack Caused by Human Error and Malicious Actor

Reading Time: 2 minutes

VeChain has put the loss of some 1.1 billion VET tokens ($6.45 million) last week down to human error compounded by a successful hacking attempt. VeChain CEO Sunny Lu explained on Saturday that Friday’s theft was the work of hackers who pounced on a procedural error by a member of the finance team, who had incorrectly set up a buyback wallet. The extraordinary revelation came as VeChain sought to reassure investors and clients, who include PwC, BMW, and DNV GL, that the incident was isolated and not related to a flaw in the platform.

Buyback Address Stolen

News of the hack erupted on crypto Twitter late on Friday, with users instantly spotting that 1.1 billion tokens had been transferred out of a recently created buyback wallet for the VeChain Foundation. VeChain were quick to address the instant flurry of rumors that were put forward, initially confirming that “human error” was behind the movement of the tokens, before asking exchanges to stop tokens from the receiving address coming into their platforms:

After a responsive investigation, the incident was caused by the fact that the private key of buyback address was stolen during the wallet creation process due to the negligence of the staff member. The security integrity of the mainnet and our official mobile wallet had not been affected in any way or form.

VeChain CEO Sunny Lu took to Periscope the day after the hack to offer “full transparency” about the case:

During the wallet creation process of the buyback address, one of the financial team who is in charge of this operation didn’t follow the procedure very well. The wallet was created on a non-compliant computer as a temporary intermediary before the private key was moved to offline storage. the temporary computer our staff was using was infected with a trojan, and even the deleted data was able to be recovered (including the private key.

VeChain and Lu have been praised for their swift reaction to the incident, while corporate clients will have been reassured by the way it has been handled. Many will have anticipated an incident of this nature given blockchain’s reputation as a hacker’s paradise, and VeChain’s response, plus the fact that the issue was based off an individual case of non-compliance with their PwC-audited protocols, will have reassured them that VeChain is still a sound and secure platform for them to work with. Investors, too, will be relieved that their tokens are safe and the project is not in any danger, following a rocket-propelled November for the token.