BitMart, which provides real-time trading services including Bitcoin, Ethereum, and Tether trading, said that the hackers were able to withdraw about $150 million in assets.
However, blockchain security and data analytics firm Peckshield, which was the first to notice the breach on Saturday, estimated that the loss is closer to $200 million. Data suggest that the hackers stole $100 million worth of various cryptocurrencies on the Ethereum blockchain and $96 million on Binance Smart Chain.
One of Bitmart’s addresses currently shows a steady outflow of tens of millions of dollars of token balances to an address referred to as the “Bitmart Hacker” by Etherscan.
“We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets today. At this moment we are still concluding the possible methods used,” BitMart said in Monday’s statement.
“The affected ETH hot wallet and BSC hot wallet carry a small percentage of assets on BitMart and all of our other wallets are secure and unharmed. We are now conducting a thorough security review and we will post updates as we progress,” Bitmart said. “At this moment we are temporarily suspending withdrawals until further notice.”
The exchange thanked its customers for their “kind understanding and patience in this situation” and said they would remain transparent as they continue to conduct a review.
BitMart CEO Sheldon Xia later said on Twitter on Monday that the company has completed initial security checks and identified the assets that were affected by the large-scale hack.
The security breach was mainly caused by the hackers stealing a private key that opened two hot wallets—a virtual currency wallet that allows a cryptocurrency owner to easily receive and send tokens—Xia said. He again reiterated that other assets with BitMart are “safe and unharmed.”
The global digital asset trading platform will be using its own funds to compensate users who have been affected by the hacking incident, the CEO said. “We are also talking to multiple project teams to confirm the most reasonable solutions such as token swaps. No user assets will be harmed,” Xia added.
BitMart is currently working to “retrieve security set-ups” and its “operation” and will announce a timetable to gradually continue deposits and withdrawals, Xia said, adding that he is “confident” they will resume on Dec. 7.
Xia will be conducting a question and answer session via Telegram at 8 p.m. EST on Monday where he will provide more information regarding the security breach and the compensation arrangement, as well as how the company plans to resume its operations following the breach.
According to an analysis by Peckshield, the hackers withdrew funds from hot wallets and swapped the stolen assets for Ether using decentralized exchange aggregator 1inch. The funds were then sent and deposited through a privacy protocol called Tornado Cash, making the transactions much more difficult to track.
The Epoch Times has contacted BitMart for comment.
The security breach comes shortly after new research by Elliptic revealed that investors have lost billions of dollars this year due to theft and fraud among criminals targeting decentralized finance (DeFi) products and services.
In its report, published last week, the London-based firm found that more than $10 billion worth of user funds have been stolen in cases of fraud and theft on DeFi products, the ecosystem of cryptocurrencies, exchanges, and shadow banks that aim to recreate traditional financial services using blockchain technology.
Specifically, DeFi users and investors have suffered more than $12 billion in losses due to theft and fraud, and those losses are only accelerating, with losses totaling $10.5 billion in 2021 to date, up from $1.5 billion in 2020, according to the research.