en
Back to the list

$27 million stablecoin (USDT) hack attack

source-logo  en.cryptonomist.ch 13 November 2023 08:33, UTC

According to the reconstruction of X user “ZachXBT,” 2 days ago there was reportedly a $27 million USDT stablecoin hack attack on a crypto address linked to the Binance Deployer account.

The stolen funds were first traded on Ethereum and then switched to Bitcoin via the Thorchain interoperability infrastructure.

This is a relatively “minor” loss for Binance, but it puts the exchange’s security in a bad light by causing a crisis of confidence among its users.

At the moment, no exponent of the exchange has agreed to shed more light on the matter.

Let’s look at all the details of the theft below.

Summary

Stablecoin hack: an address linked to “Binance Deployer” is the victim of a 27 million USDT attack

On November 12, user X “ZachXBT,” an expert in on-chain investigations, spotted a suspicious transaction flow that was allegedly traceable to a $27 million USDT stablecoin hack attack on an unknown address.

Late in the day, ZachXBT himself discovered that this address would have connections in the past to the hot wallet of Binance Deployer, an account responsible for issuing smart contracts on the BNB chain.

The address directly affected by the hack would in fact have received a transfer of several million dollars in stablecoins from that Binance wallet just days earlier.

Hence, the victim of this cyber attack is one of Binance’s secondary arteries, fortunately distant from the cold wallets where the exchange’s customer funds are kept.

Recall that hot wallets are more vulnerable than cold wallets in that they can be connected to the Internet while the latter keep their data offline.

The 27 million proceeds of the hack were immediately converted to ETH, so as to prevent the issuer of stablecoin Tether, from blocking the address where USDTs were illicitly sent.

Next, the hacker exploited a series of mixing protocols such as FixedFloat and ChangeNow to lose his tracks and gain more privacy before bridging the entire sum to Bitcoin via the Thorchain infrastructure.

According to ZachXBT:

“They will likely deposit the funds in a mixer or send them later to a shady service. To withdraw large sums from the chain, OTCs are common (they will be later, after the funds have been laundered).”

Now the entire Binance team is keeping a close eye on the account where the BTCs are kept, waiting for the hacker to make a misstep ( like transferring them to a CEX) and make the cryptos potentially censurable.

Although this is an insignificant amount by the standards of Binance, which manages billions of dollars of capital in crypto, this theft undermines the reputation of the exchange platform and puts its security standards in a bad light by causing fear and distrust among its stakeholders.

No exchange officials have commented on the matter, hoping to resolve the issue before going public.

By now, however, the entire crypto world is aware of it.

It appears someone had 27M USDT stolen yesterday.

0x0f2183c8e415e61b4ad7774bf1097019eb2d5b85798a2a229070495131d60321

USDT was quickly swapped for ETH, then transferred to a number of services (FixedFloat, ChangeNow, etc), and bridged to Bitcoin via THORChain. pic.twitter.com/SgEBwyZZSc

— ZachXBT (@zachxbt) November 12, 2023

A few days ago another exchange had also been compromised by a hack attack: we are talking about Poloniex, owned by multibillionaire Justin Sun, which was hacked for $125 million.

In this case the stolen funds, mostly in the form of stablecoins, BTC and ETH, were sent to different wallets after passing through a variety of protocols in 357 transactions.

The hacker also bought $20 million of the TRX token creating a positive impact on its price.

Justin Sun had commented on the theft with these words:

“We are offering a 5% white hat bounty to the Poloniex hacker. Please return the funds to the following ETH/TRX/BTC portfolios. We will give you 7 days to consider this offer before involving law enforcement.”

Meanwhile, the Arkham Intelligence platform had offered a bounty of 10,000 ARKM, or about $4,000 (ridiculous considering the amount stolen) for anyone who discovered information traceable to the attacker’s identity.

The estimated loss of @Poloniex hack is ~$125m, mainly on three chains: $56m (ETH), $48m (TRX), $18m (BTC).

Also an interesting tx to look into: https://t.co/2RzpoGkb7e https://t.co/tNKR8zkIzY https://t.co/vWYgyYb78U pic.twitter.com/cXZ32mXCNn

— PeckShield Inc. (@peckshield) November 10, 2023

How do hackers usually go about their business after stealing cryptocurrencies?

The two hack attacks on the Binance and Poloniex exchanges, which occurred in the span of two days, highlight the vulnerabilities of crypto platforms and bring back into vogue a terrible trend that seemed to have slowed down this year after the big thefts of 2022.

Poloniex’s is in fact the third largest hack of 2023 after those of Mixin Network and Euler Finance.

The manner in which, on the other hand, the malicious party allegedly acted upon the attack on Binance speaks volumes about some aspects of censorship that are part of the essence of the USDT stablecoin.

The hacker, in fact, as a first move cleverly converted the stolen USDT to ETH, aware that Tether could freeze the stablecoin rendering it effectively unusable.

Often those who illicitly obtain cryptocurrencies try to maximize their privacy without being too conspicuous, moving away from coins that can be censored such as USDT.

There are those who choose to then store the loot in BTC or ETH, which are easily identifiable because of their relative open and public blockchains, and those who opt for the XMR option, which is significantly more anonymous than the first two.

The main difference between the two options is that BTC and ETH are much easier to spend, while with XMR one might run into some difficulties if not sold P2P.

Generally holding BTC and ETH partially protects one from the risk of altcoin volatility, which in a bear market dumps more than the king and queen of the market.

Changpeng Zhao, CEO of Binance, had spoken openly on these kinds of discourses, shedding light on the nature of these cryptocurrencies in a recent tweet.

The topic was touched upon after his team had recovered a $12 million theft by freezing the hacker’s account, a user on X had asked whether it was fair for some entity to have the power to freeze a balance as happens in the world of fiat banking.

The post referred primarily to Tether, issuer of the USDT stablecoin, which often makes itself the subject of such open-air censorship.

This is CZ’s emblematic response:

It's a balance, and there is no perfect balance point.

If you use XMR, then there isn't much anyone can do (or to help you with), as far as I know. Bitcoin can be traced, but not frozen, until you send it to a CEX. 🤷‍♂️

— CZ 🔶 Binance (@cz_binance) November 10, 2023

Take cue hackers.

en.cryptonomist.ch