Crypto sleuth ZachXBT has reported an exploit involving Australian crypto platform CoinSpot, which allegedly lost over $2 million worth of Ether.
According to a Telegram post by ZachXBT in the early hours of Thursday, attackers drained funds from CoinSpot’s hot wallet using two separate transactions. Per Etherscan data, one transaction involved 1,262 ETH and the other drained 20.99 ETH, both sent to the same addresses.
The transferred funds were then swapped for wrapped BTC (WBTC), Tether (USDT) and USD Coin (USDC) using services including Uniswap and THORChain.
“Funds were then bridged to Bitcoin via Thorswap and Wan Bridge,” the post read.
In December 2021, CoinSpot users fell victim to a phishing campaign. The phishing attack employed a new theme revolving around withdrawal confirmations, with the end goal of stealing two-factor authentication (2FA) codes.
Specifically, the threat actors sent emails from a Yahoo address, replicating the real emails CoinSpot was sending at the time. They then asked the recipients to confirm or cancel a withdrawal transaction.
Melbourne-headquartered CoinSpot has paid out over half a billion dollars’ worth of profits to its founder and CEO Russell Wilson. In July, the crypto exchange paid out $538 million in dividends over the past two years.
Global blockchain security firm CertiK confirmed to Cointelegraph that the breach took place swiftly. The hack was probably caused by a “private key compromise” in at least one of CoinSpot’s hot wallets.
The attacker’s address that received the ETH immediately swapped the stolen funds for Bitcoin (BTC) using THORChain, CertiK’s report noted. The Bitcoin was later sent to four different wallets, BTCScan noted.
Compromised private keys that allow hackers to siphon a project’s funds are nothing new in the web3 ecosystem. In September, Hong Kong-based cryptocurrency exchange CoinEx revealed that compromised private keys led to the theft of over $70 million.