KuCoin Hack — September 2020 Post-Mortem (Aggregated)
Overview
On September 25, 2020, hackers stole more than $275 million worth of crypto from KuCoin in one of the largest exchange hacks ever. The criminals managed to steal over $281m worth of coins and tokens.
Root Cause
The hack was made possible by a leak of the private keys to KuCoin's hot wallets. KuCoin's hot wallet key pairs had not been changed for 3 years.
Stolen Assets
1,008 BTC was stolen, along with 14,713 BSV, 26,733 LTC, 9,588,383 XLM, Omni and EOS-based tether (USDT) worth $14 million, $153 million in ether and ERC20s, and over 18 million XRP.
Exit Addresses
The hacker made withdrawals from the KuCoin hot wallets to addresses including:
• ETH: 0xeb31973e0febf3e3d7058234a5ebbae1ab4b8c23
• BTC: 1TYyommJW3uhjhcnHhUSuTQFqSBAxBDPV
Attribution and Recovery
Lazarus Group pulled off the biggest cryptocurrency theft of the year, stealing roughly $275 million worth of cryptocurrency. More than $204m worth of funds was recovered within weeks.
Money Laundering Methods
One new aspect of the KuCoin hack was how Lazarus Group used DeFi platforms to launder a portion of the stolen funds. The hackers sold stolen cryptocurrency on decentralized exchanges and anonymized funds through mixing services.