Upbit Promises Swift Reimbursement, Theories Over Missing Funds Swell

Published at: Nov. 28, 2019

On Nov. 27, major South Korean cryptocurrency exchange Upbit announced that 342,000 Ether (ETH), accounting for roughly $50 million, were stolen from its hot wallet earlier that day. Details remain vague, and some users are suggesting an inside job, although experts are skeptical of the theory after analyzing the incident.

The platform’s operator has promised to reimburse all stolen funds shortly. Upbit is the second “Big Four” exchange in the country to experience a major security breach this year.

Upbit brief

Upbit is one of the largest cryptocurrency exchanges in South Korea (alongside Korbit, Bithumb and Coinone) and the only major domestic platform to post a profit in 2018. It was launched in October 2017 by Dunamu Inc. — a fintech firm backed by local internet giant Kakao — after it signed “an exclusive partnership agreement” with United States cryptocurrency exchange Bittrex. 

As part of the collaboration, Upbit had a shared order book arrangement, with Bittrex orders visible in its bid windows. However, in September, the South Korean trading platform ostensibly broke off its partnership with Bittrex to reorganize its ETH, Bitcoin (BTC) and Tether (USDT) markets.

Upbit has been widely considered a safe and compliant exchange overall. Recently, it was put on par with industry juggernauts like Kraken and Coinbase as one of the space’s cleanest platforms in the Blockchain Transparency Institute’s latest market surveillance report, which verifies cryptocurrency exchange volumes. 

Indeed, Upbit has seemingly put a lot of effort into security measures. Last year, it reportedly became the first crypto exchange to obtain an information security management system license from the Korea Internet and Security Agency.

Further, Upbit has been following guidelines set out by the intergovernmental Anti-Money Laundering-focused body, the Financial Action Task Force. Specifically, in September this year, Upbit ceased trading support for six cryptocurrencies, including some privacy coins.

Upbit is a member of the Korean Blockchain Association — a domestic alliance comprised of 14 crypto trading platforms — which published a self-regulatory framework for its members to boost trading transparency in April 2018. It contained five key requirements, including managing clients’ coins separately from their own, holding a minimum equity of 2 billion won ($1.8 million), and publishing regular audit and financial reports.

Finally, in January 2018, Upbit partook in creating a special hotline for domestic exchanges that aims to ensure that suspicious transactions are detected and frozen immediately after disclosure.

The attack and Upbit’s initial response

Upbit was relatively quick to confirm the loss. Around 3 p.m. local time, the first media reports surfaced, stating that the platform had halted all trading after a large amount of cryptocurrencies was withdrawn to an anonymous wallet. 

On social media, users were already discussing a number of large-scale transactions from Upbit’s wallet that had been spotted by WhaleAlert, a service dedicated to tracking sizable cryptocurrency transactions. 

There was a 342,000 ETH transaction to an unknown wallet, followed by 10 identical transactions totaling 100,000,000 TRX incoming from the exchange’s vault. At around 6 p.m. local time, Lee Sirgoo, the CEO of Upbit, published an official statement on the matter: 

“At 1:06 PM on November 27, 2019, 342,000 ETH (approximately 58 billion won) were transferred from the Upbit Ethereum Hot Wallet to an unknown wallet. Unknown wallet address is 0xa09871AEadF4994Ca12f5c0b6056BBd1d343c029.”

Apologizing to users for any inconvenience caused, Lee Sirgoo outlined the measures taken by the exchange after it detected the incident. The exchange has pledged to protect user assets, stating that the 342,000 ETH (or roughly $50 million) will be covered using corporate assets. 

It had already moved all crypto assets held in its hot wallet to cold storage by the time the announcement was published, the CEO stated. Some of the funds may have been moved to Bittrex’s wallets, as data provided by WhaleAlert suggests.

Deposits and withdrawals will take at least two weeks to resume, Sirgoo added, promising to inform users as soon as they reopen. The CEO also clarified that all other recent, large-scale transfers were not abnormal, but were related to the exchange moving assets between hot and cold storage facilities.

Inside job? Some experts are skeptical

Notably, Lee Sirgoo avoided using the word “hack” in his statement, which prompted some commentators on social media to suggest that the incident was actually an inside job. As Cointelegraph contributor Joseph Young tweeted:

“The ‘hacker’ timed when UPbit was making crypto transfers to its cold wallet (other alts like TRON, etc.). Hence, I think the probability of it being an inside job is higher than external breach.”

However, Taylor Monahan, the founder and CEO of noncustodial wallet MyCrypto, analyzed the incident in detail by studying the nature of transactions and is hesitant to confirm the theory. “Anything is possible, of course,” she told Cointelegraph. “But a lot of people are jumping to conclusions without real supporting evidence.” Monahan then elaborated: 

“The biggest thing that points to it not being an inside job is how the transactions were generated and signed. UPbit seems to follow a certain method with their programmatic transactions, and the ‘hack’ transaction in question used a different method. In addition, UPbit manually signed a transaction to secure their remaining ETH, after discovering the hack, and this too was generated differently than the ‘hack’ transaction.”

If it were an inside job or a breach of Upbit’s backend systems, it would align with the exchange’s typical behavior, she added, while the way that the ETH transaction was generated “points to someone who knows very little about the Ethereum network.” 

Monahan also commended Upbit on how it has been handling the aftermath, but criticized the exchange’s languid use of cold storage: “If Upbit utilized cold storage more regularly and limited the value held by their hot wallet, the loss could have been minimized.”

Upbit is collaborating with KISA and police

Upbit’s CEO Lee Sirgoo told Cointelegraph that they are currently cooperating with KISA and the National Police Agency Cyber Bureau on the matter: 

“We will be able to provide you with more information once the investigation is complete.” 

Nevertheless, Sirgoo was able to answer some specific questions by email at Cointelegraph’s request. For instance, he confirmed that the exchange has contacted all major trading platforms and asked them to blacklist the attacker’s wallet address, and that the cryptocurrency community “has been extremely cooperative.”

In addition, he confirmed that Dunamu and Upbit have enough funds to reimburse the lost amount. “It should be completed shortly,” Sirgoo told Cointelegraph. 

Exchanges continue to get hacked in 2019

2019 has witnessed a number of high-profile crypto exchange hacks, including the $42 million Binance security breach, the $19 million Bithumb heist and the $28 million Bitpoint break-in, which confirms that security is still an industry-wide problem. So what could finally stop centralized exchanges from getting hacked?

Hartej Sawhney, co-founder and CEO at Zokyo cybersecurity agency, suggests that compliance standards could improve the situation. “Centralized crypto exchanges are web services, not that different from an online banking application,” Sawhney told Cointelegraph, continuing:

“Most companies respect security either because of regulation or they already faced a security breach. The cryptocurrency industry could benefit from compliance standards such as PCI-DSS or HIPAA.” 

Further, Sawhney listed a number of concrete measures that exchanges should follow to achieve higher security, including the establishment of adequate infrastructure, processes, tools, security testing and education on how to avoid cyberattacks, adding: “Regular third-party offensive security testing needs to become standard and transparent.”

Upbit has promised to keep Cointelegraph updated once it has more information. KISA has not returned Cointelegraph’s request for comment.
