Gatecoin, a Hong Kong-based cryptocurrency exchange, has confirmed that it experienced a security breach that led to theft of 15% of its crypto-asset deposits. The intrusion was confirmed by a initial forensic investigation conducted by cyber security firm, Tehtri Security.
The breach took place between Monday, 9 May, late night Hong Kong Time (HKT), to Thursday evening HKT, 12 May. On Monday night, Gatecoin experienced a disruption of its service caused by a server reboot, and thus far the exchange operator strongly believes that the breach is linked to this event.
On Friday night HKT, 13 May, the Gatecoin team detected some suspicious transactions and immediately suspended services to investigate, and to prevent any more unauthorized access to the ether (ETH) and bitcoin (BTC) hot wallets.
Aurélien Menant, CEO of Gatecoin, stated:
We have previously communicated the fact that most clients’ crypto-asset funds are stored in multi-signature cold wallets. However, the malicious external party involved in this breach, managed to alter our system so that ETH deposit transfers by-passed the multi-sig cold storage and went directly to the hot wallet during the breach period. This means that losses of ETH funds exceed the 5% limit that we imposed on our hot wallets.
The hot wallet breach resulted in a total loss of ETH 185,000 and BTC 250, which is equivalent to USD 2 million and approximately 15% of total crypto-asset deposits held by Gatecoin. So far, the forensic investigation has identified the wallet addresses used by the hackers:
According to the company, a customized platform that will enable all Gatecoin clients to withdraw their remaining funds in cryptocurrencies, The DAO (DAO), DigixDAO (DGD), and Augur (REP), as well as fiat currencies, USD, EUR and HKD, will be released on 28 May 2016. The exact date when withdrawals for ETH and BTC funds will be available has not been confirmed.
Gatecoin reports that all DGD, REP and DAO funds are secure and has funded the DAO contracts for DAO token holders. Although 5% of all BTC funds were compromised in the breach, 95% remain stored in multi-sig cold wallets along with the remaining crypto-assets.
All fiat currency funds held in USD, EUR and HKD are secured in segregated client accounts and can be withdrawn by clients after 28 May 2016.
The Gatecoin team indicated that it is working on raising additional funding to cover the losses of BTC and ETH and plans to be able to reimburse all customers that have experienced losses as soon as possible.
We sincerely apologize for all the concern experienced by our clients and for the inconvenience caused while clients wait for their fund withdrawals to be processed. Gatecoin would also like to express our gratitude to the community of exchanges that have very kindly volunteered to help identify the parties responsible for the stolen funds.
The hacking of ETH from Gatecoin and the exchange’s carrying of the DAO token is noteworthy as the DAO is in the midst of its token sale that has raised more than USD130 million worth of ETH.