More than $97 million stolen from Liquid cryptocurrency exchange

The company asked that users stop depositing any crypto assets to your Liquid wallets until further notice.

Japanese cryptocurrency exchange Liquid announced that more than $97 million in crypto assets has been stolen in an attack on Thursday morning. 

In a statement, the company said its Operations and Technology teams "detected unauthorized access of some of the crypto wallets managed at Liquid" and later discovered that a total of "approximately $91.35 million of crypto assets were moved out of Liquid wallets by an unauthorized party." 

"Of this amount, $16.13 million USDe of ERC-20 assets have been frozen (disabled for onchain movement) due to the assistance of the crypto community and other exchanges," the statement explained. "69 different crypto assets were misappropriated and sent to other exchanges or defi swapping venues. Assets placed in Liquid Earn are not impacted."

The company urged its users to refrain from depositing any crypto assets into their Liquid wallets and said they had halted all crypto withdrawals. Fiat withdrawals and deposits are still available as well as other services like trading and Liquid Earn.

Liquid said it is still assessing how the attack happened and said it will provide continuous updates on Twitter. When measuring by daily traded spot volume, the cryptocurrency-fiat exchange platform is one of the biggest in the world. CoinMarketCap data shows that Liquid processed more than $133 million of transactions in the last 24 hours. 

"During this difficult period we greatly appreciate the support from our customers, other exchanges, security experts, and the broader crypto community. Liquid will continue to do everything in its power to mitigate the impact from this incident and restore full service as soon as possible," the company said in a statement. 

While the attacker is still unknown, Liquid said whoever was behind the attack was using specific wallets to steal the funds and had taken a wide variety of coins. 

Elliptic, a blockchain analytics firm, wrote a report about the attack, finding that $32.5 million in Ether was stolen alongside $12.9 million in XRP, $4.8 million in Bitcoin, $200,000 in Tron, $9.2 million stablecoins and $37.4 million in other tokens.

"This includes $45 million in Ethereum tokens, which are currently being converted into Ether using decentralized exchanges (DEXs) such as Uniswap and SushiSwap. This enables the hacker to avoid having these assets frozen - as is possible with many Ethereum tokens," the company said in their report. 

screen-shot-2021-08-19-at-1-37-02-pm.png

The coins taken in the Liquid attack. 

Elliptic

This is not the first cyberattack Liquid has faced recently. In November, the cryptocurrency exchange portals disclosed a security breach that involved a breach of employee email accounts and then a pivot to its internal network. The attack was stopped before the hacker was able to steal any funds. 

A later investigation revealed that the attacker managed to gain access to personal information from Liquid's database that stored user details like name, home address, email and encrypted password.

Since 2017, there have been multiple attacks on cryptocurrency services like Coincheck, MyEtherWallet, BlackWallet, EtherDelta, Etherparty, Classice Ether Wallet.

This is the second major attack this month on a cryptocurrency exchange following the theft of more than $600 million from Poly Network. The incident took a strange turn this week when the hacker returned nearly all of the money that was stolen and implied that they were interested in accepting Poly Network's offer of $500,000 in exchange for the return of the money as a big bounty.

"I am considering taking the bounty as a bonus for public hackers if they can hack the Poly Network," the hacker said in a message embedded in the crypto assets being returned. Despite returning much of the money, the hacker has still kept about $200 million worth of assets locked behind a password. 

Poly Networks released a strange statement, calling the hacker "Mr. White Hat" and pledging to work with the person. They released a statement on Twitter saying they would not prosecute the hacker if they came forward. 

"To extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with Poly Network, we cordially invite Mr. White Hat to be the Chief Security Advisor of Poly Network," the firm said in a statement.

"Poly Network previously promised to reward Mr. White Hat with a $500,000 bug bounty, but he did not accept it and has publicly stated that he has considered offering it to the technical community who have made contributions to blockchain security. We fully respect Mr. White Hat's thoughts, and to express our gratitude, we will still transfer this $500,000 bounty to a wallet address approved by Mr. White Hat for him to use it at his own discretion for the cause of cybersecurity and supporting more projects and individuals."