Liquid, a Japanese cryptocurrency exchange, lost $97 million worth of digital coins after a cyberattack on August 19. This was the second major cryptocurrency heist of the month, following a series of cyber attacks against Poly Network.
The breach was announced on Liquid’s official Twitter account last Thursday. According to the platform, the assets were taken from warm wallets and subsequently transferred to multiple addresses. Liquid suspended deposits and withdrawals for cryptocurrencies following the attack. They also began the process of transferring assets to cold wallets. Fiat deposits and withdrawals remained open.
“During this difficult period we greatly appreciate the support from our customers, other exchanges, security experts, and the broader crypto community,” Liquid wrote in a blog post regarding the situation. “Liquid will continue to do everything in its power to mitigate the impact from this incident and restore full service as soon as possible.”
Liquid unable to freeze converted assets
In an update on August 20, Liquid announced that its token issuers had frozen over $17 million worth of stolen Ethereum tokens, effectively disabling further on-chain movements.
However, of the total amount stolen, $45 million worth of Ethereum tokens had already been transferred using non-custodial cryptocurrency exchanges such as Uniswap. Unlike Liquid, which uses custodial trading, the cryptocurrency exchanges used for transferring the stolen funds are fully decentralized. In decentralized cryptocurrency exchanges like Uniswap, the operators facilitating trades have no way of accessing the funds involved. Therefore, Liquid remains unable to freeze the converted assets.
The hackers covered their tracks by sending their assets through Tornado Cash, a fully decentralized cryptocurrency mixing service built on Ethereum. The Tornado Cash protocol allows users to move Ethereum and break the link between the address used to deposit assets and the address used to withdraw them, thus obscuring the path of the transfer.
Tracking the liable parties
After the breach, Liquid was able to track down four addresses tied to the attacks. By August 22, Liquid announced that they had found eleven more associated addresses. The firm is enlisting the support of other exchanges to further monitor the movement of the stolen assets.
“We are still in the process of testing and migrating our assets to the new secure vaults,” Liquid said in their most recent blog post. “We are still expecting to restore services gradually early next week.”
Liquid was one of two cryptocurrency platforms breached by cybercriminals this week, following the recent attack on decentralized platform Poly Network, where an unknown culprit stole $610 million worth of cryptocurrencies.
Strangely, the attacker sent back $260 million to the affected networks. According to the attacker, the breach was an attempt to highlight the vulnerabilities in the network before any hackers could exploit them. The hacker intends to help Poly Network improve security, but is reluctant to return the remaining assets due to Poly Network’s hostile response to the breach.
“They urged others to blame and hate me before I had a chance to reply,” the hacker stated. “I am not very interested in money! I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?”
Liquid was also one of the many Japanese platforms targeted by cybercriminals. Tokyo-based bitcoin exchange giant Mt. Gox famously declared bankruptcy in 2014 after losing $450 million to hackers. In 2018, Coincheck, another Tokyo-based platform, had $534 million stolen from hot wallets.