Bitmart Postmortem — CoinYield

BitMart Security Breach - December 5, 2021

Overview

BitMart, a centralized cryptocurrency exchange, suffered a significant security incident resulting in substantial asset losses from its hot wallets.

What Happened

BitMart experienced unauthorized withdrawals from two of its hot wallets on separate blockchain networks. The exchange initially denied reports as "fake news" before CEO Sheldon Xia acknowledged a "security breach" and temporarily suspended all withdrawals.

Financial Impact

• Total Loss: ~$196 million across both networks

• Ethereum: ~$100 million in stolen assets (primarily memecoins)

• Binance Smart Chain (BSC): ~$96 million in stolen assets

The stolen assets consisted largely of memecoins including SHIB and SAFEMOON. Notably, the attacker left behind approximately $40 million of BitMart's own token, likely due to liquidity constraints for exchanging it.

Attack Timeline & Vector

Ethereum Attack: Initiated at 21:31:09 UTC with a ~$33 million SHIB transaction

• Affected wallet: 0x68b22215ff74e3606bd5e6c1de8c2d68180c85f7 (labeled "Bitmart 2")

BSC Attack: Commenced approximately 30 minutes later with ~$41 million SAFEMOON

Attack Sequence

The attacker:

1. Accessed the hot wallets containing user funds

2. Transferred assets to external addresses

3. Swapped various memecoins to ETH and BNB using 1inch

4. Laundered proceeds through TornadoCash

Attacker Addresses:

• Ethereum: 0x39fb0dcd13945b835d47410ae0de7181d3edf270

• Ethereum: 0x4bb7d80282f5e0616705d7f832acfc59f89f7091

• BSC: 0x25fb126b6c6b5c8ef732b86822fa0f0024e16c61

Technical Root Cause

BitMart had not publicly disclosed the specific security vulnerability. The article speculates this may involve "basic OPSEC errors" but states: "It remains to be seen how the attacker managed to gain access to the wallets in question."

Response & Remediation

• BitMart initially denied reports, then downplayed the breach

• CEO initially reported $150 million loss (vs. actual $196 million)

• Temporarily suspended all withdrawals

• Fund Recovery Status: No reimbursement commitment announced at time of publication

• BitMart claims <0.5% of assets held in hot wallets (suggesting ~$39 billion total assets)

Key Criticism

The article emphasizes the contradiction between centralized exchange promises and actual security performance, questioning: "If CeFi isn't any safer, why use it?" and whether middlemen deserve profits given their security failures.