Rain Crypto Exchange Hack - April 29, 2024
Overview
The security breach at Rain, a crypto exchange regulated in both Bahrain and the UAE, occurred on April 29, 2024. It first became public through blockchain investigator ZachXBT, who observed suspicious outflows of $14.8 million moving to decentralised exchanges.
How the Attack Unfolded
• The stolen funds were divided into wallets containing 137.9 BTC and 1,881 ETH, both of which had been inactive since the exploit on April 29
• The hackers used DEX platforms to convert the stolen funds into Bitcoin and Ethereum to obscure their origins
• The incident was not publicly reported until two weeks later, when ZachXBT publicly identified the exchange
Likely Cause / Root Cause
Most likely, this incident was caused by a failure to properly secure the private keys that manage blockchain accounts. Since the incident only involved unusual transfers — not smart contract interactions — the attacker must have had the ability to generate valid digital signatures for the attack transactions. This points strongly to a hot-wallet private-key compromise rather than a smart-contract bug.
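The reasoning above, written as a triage heuristic in an added Python example (not code from Rain or from any investigator's tooling). The addresses, record fields and allowlist are constructed assumptions.

```python
# Constructed placeholders: none of these addresses come from the incident.
HOT_WALLET = "0x" + "aa" * 20
COLD_STORAGE = "0x" + "bb" * 20
UNKNOWN_A, UNKNOWN_B = "0x" + "c1" * 20, "0x" + "c2" * 20
ALLOWLIST = {COLD_STORAGE}
ETH = 10**18

def classify_tx(tx, hot_wallet=HOT_WALLET, allowlist=ALLOWLIST):
    """Label one transaction record (assumed fields: from, to, input)."""
    sender, dest = tx["from"].lower(), tx["to"].lower()
    has_calldata = tx.get("input", "0x").lower() not in ("", "0x")
    if sender != hot_wallet:
        return "not_signed_by_wallet"   # says nothing about our key
    if dest in allowlist:
        return "expected"
    # Signed with the hot wallet's key and sent to an unknown destination.
    return "signed_contract_call" if has_calldata else "plain_transfer"

def assess(txs, hot_wallet=HOT_WALLET, allowlist=ALLOWLIST):
    """Return (verdict, labels, flagged_wei) for a batch of records."""
    labels = [classify_tx(t, hot_wallet, allowlist) for t in txs]
    flagged = [(l, t) for l, t in zip(labels, txs)
               if l in ("plain_transfer", "signed_contract_call")]
    total = sum(t.get("value_wei", 0) for _, t in flagged)
    if not flagged:
        verdict = "no_anomalous_outflow"
    elif all(l == "plain_transfer" for l, _ in flagged):
        # Only valid signatures over simple transfers: points at key misuse.
        verdict = "key_compromise_suspected"
    else:
        verdict = "needs_contract_review"
    return verdict, labels, total

SAMPLE_TXS = [  # constructed records
    {"from": HOT_WALLET, "to": COLD_STORAGE, "input": "0x", "value_wei": 5 * ETH},
    {"from": HOT_WALLET, "to": UNKNOWN_A, "input": "0x", "value_wei": 10 * ETH},
    {"from": HOT_WALLET, "to": UNKNOWN_B, "input": "0x", "value_wei": 20 * ETH},
    {"from": UNKNOWN_A, "to": UNKNOWN_B, "input": "0xdeadbeef", "value_wei": 0},
]

if __name__ == "__main__":
    print(assess(SAMPLE_TXS))
```

A signed token transfer also carries calldata, so a "needs_contract_review" verdict does not rule out key compromise; it only means the calls need to be decoded before drawing a conclusion.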
Attacker Attribution
The U.S. Department of Justice identified the attackers as the North Korean Lazarus Group. The attackers gained access to Rain by using LinkedIn to contact an employee with a fake job offer (a known Lazarus social-engineering pattern).
Financial Impact
• Total stolen: ~$14.8 million
• Composed of 137.9 BTC and 1,881 ETH (post-conversion)
Company Response
The exchange said in a statement on its website that customer funds remain secure despite the incident. According to Rain's communication, the breach affected the company's own treasury holdings rather than user-segregated assets.