Australian Crypto Wallet CoinSpot Hacked for $2.4 Million Worth of Ether – Report

Author

Sujha Sundararajan

Author

Sujha Sundararajan

About Author

Sujha has been recognised as 🟣 Women In Crypto 2024 🟣 by BeInCrypto for her leadership in crypto journalism.

Author Profile

Share

Copied

Last updated: 

November 13, 2023

Why Trust Cryptonews

Cryptonews has covered the cryptocurrency industry topics since 2017, aiming to provide informative insights to our readers. Our journalists and analysts have extensive experience in market analysis and blockchain technologies. We strive to maintain high editorial standards, focusing on factual accuracy and balanced reporting across all areas - from cryptocurrencies and blockchain projects to industry events, products, and technological developments. Our ongoing presence in the industry reflects our commitment to delivering relevant information in the evolving world of digital assets. Read more about Cryptonews

Crypto sleuth ZachXBT has reported an exploit, involving Australian crypto platform CoinSpot, allegedly suffering over $2 million worth of Ether.

According to a Telegram post by ZachXBT in the early hours of Thursday, attackers drained funds from CoinSpot’s hot wallet using two separate transactions. Per Etherscan data, one transaction involved 1,262 ETH and the other drained 20.99 ETH, both sent to the same addresses.

The transferred funds were then swapped for wrapped BTC (WBTC), Tether (USDT) and USD Coin (USDC) using Uniswap, THORchain, etc.

“Funds were then bridged to Bitcoin via Thorswap and Wan Bridge,” the post read.

In December 2021, CoinSpot users fell to a phishing campaign. The phishing attack employed a new theme revolving around withdrawal confirmations with the end goal of stealing two-factor authentication (2FA) codes.

Specifically, the threat actors send emails from a Yahoo address, replicating real emails from CoinSpot, at the time. They then asked the recipients to confirm or cancel a withdrawal transaction.

Melbourne-headquartered CoinSpot cashed in over half a billion dollars worth of profits to its founder and CEO Russell Wilson. In July, the crypto exchange paid out $538 million in dividends over the past two years.

CertiK Says Private Key Compromise Caused Hack

Global blockchain security firm CertiK confirmed to Cointelegraph that the breach took place swiftly. The hack was probably caused by a “private key compromise” at least in one of CoinSpot’s hot wallets.

The attacker’s address that received ETH, immediately swapped the stolen funds for Bitcoin (BTC) using THORchain, CertiK report noted. The Bitcoin was sent to four different wallets later, BTCScan noted.

Private keys being compromised and allowing hackers to siphon a project’s funds is nothing new in the web3 ecosystem. In September, Hong Kong-based cryptocurrency exchange CoinEx revealed that compromised private keys led to over $70 million theft.