Swiss digital asset exchange Trade.io claims hackers have stolen nearly $8 million worth of cryptocurrency directly from its cold storage devices, which were supposedly kept under lock and key in a bank.
The team behind the exchange confirmed the losses in a message posted to its Medium blog on Sunday.
“Around 08:40 EST, our security team was alerted to a large transaction from one of our wallets held in cold storage,” the announcement reads. “We can confirm that […] 50M TIO ($7.8M) […] being held in cold storage has been withdrawn, and an estimated 1.3M ($201K) of that had been transferred to both Bancor & Kucoin respectively.”
Kucoin and Bancor are cryptocurrency exchanges, and both services have since disabled withdrawals and deposits of the TIO token.
The team estimates hackers successfully smuggled anywhere from 200,000 to 400,000 TIO ($30K – $60K) onto Bancor’s exchange before the deposits were disabled. The hackers also managed to send a similar amount to Kucoin.
Bancor later delisted the cryptocurrency, dodging exposure to any further collateral damage.
The TIO token is an internal cryptocurrency, intended for use as a liquidity tool by the exchange when trade activity peaks. The stolen supply belongs entirely to the development team, which means the hackers have mysteriously left user funds untouched.
Mission Impossible: Cryptocurrency Boogaloo?
The situation is very strange. For one, Trade.io claims the hackers were able to remove the millions of dollars worth of cryptocurrency from wallets that were supposedly being protected by a bank.
But the team later confirmed that “the safety deposit boxes were not compromised.”
Even they must know how odd that sounds.
Cold wallets are hardware devices used specifically for storing digital assets like cryptocurrencies. Usually, they are souped-up USB drives with little-to-no internet connectivity, typically thought to be substantially more secure than storing keys in online storage apps, or “hot wallets.”
“While this is an extremely strange situation, unfortunately breaches of cold storage is not unprecedented even when following security protocol to a ‘T’,” the Trade.io team writes. “We use industry recommended cold storage which are maintained in safety deposit boxes in banks, along with all corresponding materials.”
However weird, it’s technically true – it is possible to steal cryptocurrency from a hardware wallet, but only if an attacker is able to compromise the device with a ‘man-in-the-middle’ style attack.
For example, not long ago, an unfortunate cryptocurrency HODLer had $34,000 worth of cryptocurrency taken directly from his Ledger hardware wallet after a reseller loaded their own seed phrase into the device and later used it to empty the wallet remotely.
This kind of attack is generally the hallmark of an “inside job,” but as this situation is ongoing, it is still unclear exactly how the hackers managed to be so successful.
Regardless of whether Trade.io’s story holds weight, its dev team has proposed a hard fork, which would re-create the stolen supply and render what’s left of the pilfered cryptocurrency completely valueless.
I guess that’s one way to sweep this whole, bizarre story under the rug.
Published October 22, 2018 — 15:11 UTC