Another day, another crypto hack. This time it’s Korea, the crypto-mad Asian country, where an exchange called Coinrail lost more than $40 million in altcoins, ICO-issued tokens that aren’t bitcoin or Ethereum, after it was hit by an apparent attack over the weekend.
Korea may be a hot spot for crypto investment, but Coinrail is one of its smaller exchanges, just about ranking inside the world’s top 90 based on trading volume, according to coinmarketcap.com. Nonetheless, even the smaller exchanges have plenty of coins, as the size of this heist illustrates.
Most notably, the hackers got away with $19.5 million-worth of NPXS tokens that were issued by payment project Pundi X’s ICO. Added to that they scored a further $13.8 million from Aston X, an ICO project building a platform to decentralize documents, $5.8 million in tokens for Dent, a mobile data ICO, and over $1.1 million Tron, a much-hyped project originating from China.
That’s according to a wallet address that has been identified as belonging to the alleged attacker, who also got hold of smaller volumes of a further five tokens from Coinrail.
In all the cases, the companies issuing the tokens themselves were not hacked, the tokens that were nabbed belong to Coinrail users.
해킹공격시도로 인한 시스템 점검중입니다. 일부코인(펀디엑스,NPXS)이 확인되었으며 추가적인 코인피해가 있는지 여부를 확인중입니다. 추후 자세한 사항은 재공지하겠습니다 / There has been an cyber intrusion in our system. We're confirming it and some coins(Pundi X, NPXS) are confirmed.— coinrail (@Coinrail_Korea) June 10, 2018
It isn’t clear how, or indeed whether, Coinrail will go about compensating its customers — Japan’s Coincheck refunded its customers following a high-profile attack earlier this year — but some of the ICO projects are taking steps in response.
Pundi was hit the hardest, claiming that some three percent of its total volume of tokens was impacted by this attack. It said it has frozen the tokens that were stolen and it has ceased trading of its tokens across all exchanges to help with the post-attack investigation, which it said includes the Korean police. NPER, which had around $860,000-worth of tokens taken from Coinrail, said it had frozen the stolen funds and it plans incinerate the tokens to render them useless to the hacker. Aston has also frozen its affected tokens, according to Coinrail.
Other projects have yet to comment, although Coinrail said in a statement on its website that two-thirds of the stolen tokens have been frozen with more action likely to happen.
Coinrail took its service offline and it said in a statement that it has moved the remainder of its assets — which it said is 70 percent of its total holdings — to cold storage while it reviews its security system and fully investigates the incident.
Some have suggested that the hack was responsible for bitcoin’s valuation dropping by over five percent in what is the cryptocurrency’s biggest decline for two weeks. However, Coinrail is so obscure that this theory seems unlikely.
What is for certain is that the hack serves as another strong reminder that the space remains unregulated — there’s with little recourse for victims of a crypto exchange hack, unlike say a bank robbery or payment fraud. More importantly, those who do buy bitcoin, Ethereum or other crypto tokens should keep their tokens securely in a private wallet (ideally using a hardware device for access) rather than leaving them within an exchange where they could be stolen.
For those of you keeping score on recent hacks on exchanges, here are a few: Coincheck lost an estimated $400 million earlier this year, last November saw Tether claim it lose $31 million following an attack while EtherDelta suspended its exchange service for a period in December after it was compromised.
The Mt. Gox hacking in 2014 is the mother of all crypto attacks, of course. In total the exchange lost around 744,408 BTC. That was worth around $350 million at the time, but today a holding of that size would be valued at some $5.3 billion.