Crypto trading platform BitMart released an update on the devastating security breach that caused about $200 million in losses, writing on Monday that the breach was "mainly caused by a stolen private key that had two of our hot wallets compromised."
On Saturday, the platform said a security breach allowed hackers to withdraw $150 million worth of cryptocurrency. Blockchain security company PeckShield said the losses were actually around $196 million, with about $100 million in various cryptocurrencies coming from the Ethereum blockchain and $96 million coming from currencies on the Binance Smart Chain.
BitMart suspended withdrawals on December 4 after securing the affected Ethereum and Binance Smart Chain hot wallets.
"Other assets with BitMart are safe and unharmed. BitMart will use our own funding to cover the incident and compensate affected users. We are also talking to multiple project teams to confirm the most reasonable solutions such as token swaps," the company said on Monday.
"No user assets will be harmed. We are now doing our best to retrieve security set-ups and our operation. We need time to make proper arrangements and your kind understanding during this period will be highly appreciated. In terms of asset deposit and withdrawals, we are confident that deposit and withdrawal functions will gradually begin on December 7, 2021."
BitMart CEO Sheldon Xia will hold a press conference on Monday night to discuss the breach and how those affected will be compensated.
CNBC reported that the hackers behind the attack used 1inch and Tornado Cash to exchange the stolen coins for other cryptocurrencies and make them more difficult to track.
Hackers have repeatedly attacked cryptocurrency and DeFi platforms over the last year. Just last week, cybercriminals stole about $120 million from DeFi platform Badger.
Paul Bischoff, privacy advocate with Comparitech, told ZDNet that the BitMart hack is the sixth-largest cryptocurrency heist of all time by amount of funds lost and the second big crypto heist this month that made the top 10.
Several headline-grabbing hacks have taken place this year, including thefts of more than $600 million from Poly in August and $34 million from Cream Finance in September.
Comparitech keeps a running list of attacks on cryptocurrency platforms and DeFi companies, which includes the 2018 hack on Coincheck that involved $532 million and the Mt. Gox attack involving $470 million. In May, about $200 million was stolen from the PancakeBunny platform.
"Although blockchains are reasonably secure and reliable, the same isn't always true for the exchanges where people buy, sell, and trade crypto. Exchanges, even though they function like banks, are not insured (e.g. by the FDIC). If the exchange loses assets that belong to its customers via an external hack or inside job, customers might have no recourse to recover their funds," Bischoff said.
"It's difficult for customers to know which exchanges have sufficient security and make an informed choice. An exchange that operates 10 years without a security incident can still be crippled and put out of business by a single large-scale heist."
The Record also keeps a tally of cyberattacks on cryptocurrency platforms, noting recent attacks on Liquid, Cream Finance, EasyFi, bZx and many other platforms.