Security company PeckShield reported an alleged security breach that happened Saturday night, affecting two BitMart hot wallets, one on ETH and one on BSC. BitMart estimates losing around $150 million and has suspended withdrawals until further notice, announcing that it intends to conduct a security review of the hot wallets and determine the attack method.
After PeckShield posted the discovery on Twitter, BitMart initially denied the security breach on its Telegram channel, calling it "fake news." Later on, BitMart's CEO confirmed the breach.
One of BitMart's addresses shows outflows of entire token balances to an address currently labeled "Bitmart Hacker" by Etherscan. Based on its investigation of the attack, PeckShield found that the hacker accessed the hot wallets and swapped the funds for ETH using the DEX aggregator 1inch.
Afterward, the funds were routed through Tornado Cash, a privacy mixing protocol for Ethereum blockchains. It uses a smart contract that accepts deposits from one address and enables withdrawals to another, breaking the on-chain connection between the source and destination addresses. Before a transaction reaches its destination, funds from multiple users are combined. Once the money is mixed, it is hard to determine where it went, who transacted, and how much crypto was involved.
Other crypto exchanges need to be alerted to large Tornado Cash deposits. In a tweet, Huobi said it is willing to help identify the assets involved in the hack. Zcash developed Tornado Cash through open-source research. Tornado Cash was also used as an anonymizer in last week's MonoX Finance DeFi protocol hack.
PeckShield Inc. estimated the loss at $196 million, with approximately $100 million lost from the ETH wallet and about $96 million lost from the Binance Smart Chain wallet, making this one of the most devastating centralized exchange hacks to date, right next to the $130 million Cream Finance hack that occurred in late October.