
15 days later, the Cryptopia hack continues

Author: Max Galka
Date: Jan 29, 2019

In our investigation of the Cryptopia hack, posted last week, we highlighted that thousands of Cryptopia wallets may still be at risk.

We were right.

Today, 15 days after the initial breach, another 17k Cryptopia wallets were drained of 1,675 ETH.

After going dormant for many days following the prior $16 million heist, the Cryptopia hacker started up again today, siphoning an additional 1,675 ETH (worth about $180k at today's market rates) from another 17k Cryptopia wallets.

Among the wallets affected are the 1,948 at-risk wallets we identified previously, some of which have continued to accrue funds as recently as today. The list also includes over 5,000 wallets that had already been drained in the original hack, but have since been topped up, presumably by unknowing Cryptopia users.

The funds began moving at 6:59 AM this morning (Monday, 28-Jan) and continued throughout the day, accumulating in this Ethereum address:

0x3b46c790ff408e987928169bd1904b6d71c00305

Could this be Cryptopia securing their remaining funds?

Nope. Initially, it looked like that could be the case, but by 9:50 PM this evening, it became obvious this was the same hacker. At that time, the incoming transfers stopped and the funds were moved into the address below, one of the wallets used in the prior series of breaches.

0xaa923cd02364bb8a4c3d6f894178d2e12231655c

Conclusions

Though Cryptopia remains silent, two things now seem apparent.

1) Cryptopia no longer has control of their Ethereum wallets, and the hacker still does.

The hacker has the private keys and can withdraw funds from any Cryptopia wallet at will.

2) Despite the hack, many Cryptopia users continue depositing funds into their Ethereum wallets.

In just the two hours since these breaches took place, many of the very same Ethereum wallets that were just drained have already been topped up with more ether.

Why do people continue sending funds to Cryptopia despite there having been a very public security breach?

Most of the funds are coming from mining pools. Presumably, these payments are being sent on behalf of miners who opted to receive their rewards automatically via "direct deposit," and have since forgotten about it.

If any mining pools wish to check whether they are sending payouts to one of Cryptopia's 100k+ wallets, feel free to get in touch and we will take a look.
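The two checks described in this post, tracing where the drained funds collected before being swept into a wallet from the earlier breaches, and screening a payout batch against a list of compromised deposit addresses, can both be done with a few lines over a transfer log. The code below is an added example written for this page, not Cryptopia's or the author's tooling. The two hacker-controlled addresses are the ones quoted above; every other address, the deposit-address blocklist, the pending payout batch and the transfer log are constructed stand-ins, since the post does not publish the 100k+ wallet list.

```python
"""Added example (not from the original post): screen mining-pool payouts
against a compromised-address list, and trace the consolidation of funds
drained from those wallets. Everything marked CONSTRUCTED is made up for
this example; only STAGING_ADDR and PRIOR_HACK_ADDR come from the post."""

# From the post: where today's drained funds accumulated, and the wallet
# from the earlier breaches that they were swept into at 9:50 PM.
STAGING_ADDR = "0x3b46c790ff408e987928169bd1904b6d71c00305"
PRIOR_HACK_ADDR = "0xaa923cd02364bb8a4c3d6f894178d2e12231655c"


def norm(addr):
    """Ethereum addresses are 20-byte hex; the EIP-55 checksummed form and
    the lowercase form name the same account, so a naive string comparison
    misses matches. Validate the shape and compare lowercased."""
    addr = addr.strip()
    if not (addr.startswith("0x") and len(addr) == 42):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    int(addr[2:], 16)  # raises ValueError if not hex
    return addr.lower()


# CONSTRUCTED: stand-in for an exchange's published deposit-address list.
COMPROMISED_DEPOSIT_ADDRS = {norm(a) for a in [
    "0x000000000000000000000000000000000000beef",
    "0x000000000000000000000000000000000000cafe",
]}

# CONSTRUCTED: a payout batch a pool might export before broadcasting.
# The second entry uses upper-case hex on purpose to show the casing trap.
PENDING_PAYOUTS = [
    {"to": "0x000000000000000000000000000000000000beef", "wei": 5 * 10**17},
    {"to": "0x000000000000000000000000000000000000CAFE", "wei": 8 * 10**17},
    {"to": "0x000000000000000000000000000000000000d00d", "wei": 12 * 10**17},
]


def screen_payouts(payouts, blocklist):
    """Return the payouts whose destination is a known compromised deposit
    address, so the pool can hold them rather than fund the attacker."""
    return [p for p in payouts if norm(p["to"]) in blocklist]


# CONSTRUCTED transfer log: drained wallets -> staging address, an unrelated
# transfer, then the sweep from staging into the earlier-breach wallet.
TRANSFERS = [
    {"from": "0x000000000000000000000000000000000000beef", "to": STAGING_ADDR, "wei": 4 * 10**17},
    {"from": "0x000000000000000000000000000000000000CAFE", "to": STAGING_ADDR, "wei": 7 * 10**17},
    {"from": "0x000000000000000000000000000000000000d00d",
     "to": "0x000000000000000000000000000000000000f00d", "wei": 3 * 10**18},
    {"from": STAGING_ADDR, "to": PRIOR_HACK_ADDR, "wei": 11 * 10**17},
]


def trace_consolidation(transfers, drained, known_attacker):
    """Follow funds leaving the drained wallets: find the address where most
    of them collect, then check whether that address forwards to one already
    attributed to the attacker. Returns (staging_addr, wei_in, linked)."""
    inflow = {}
    for t in transfers:
        if norm(t["from"]) in drained:
            dst = norm(t["to"])
            inflow[dst] = inflow.get(dst, 0) + t["wei"]
    if not inflow:
        return None, 0, False
    staging = max(inflow, key=inflow.get)
    linked = any(norm(t["from"]) == staging and norm(t["to"]) in known_attacker
                 for t in transfers)
    return staging, inflow[staging], linked


if __name__ == "__main__":
    for p in screen_payouts(PENDING_PAYOUTS, COMPROMISED_DEPOSIT_ADDRS):
        print(f"HOLD payout of {p['wei'] / 10**18} ETH to compromised wallet {p['to']}")
    staging, wei_in, linked = trace_consolidation(
        TRANSFERS, COMPROMISED_DEPOSIT_ADDRS, {norm(PRIOR_HACK_ADDR)})
    print(f"drained funds collected at {staging} ({wei_in / 10**18} ETH); "
          f"swept to a known attacker wallet: {linked}")
```

The amounts are kept in wei as integers so sums are exact, and every comparison goes through `norm` because a blocklist that stores checksummed addresses will silently miss payouts written in lowercase (or the reverse). Against a real payout batch the pool would swap the constructed blocklist for the exchange's actual deposit-address list.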

For an explanation of what happened previously and why we anticipated another round of security breaches was yet to come, see our prior analysis here.