23 Oct 2018 · 2 min read

The Mysterious Case of a Cold Wallet Becoming “Hot”: USD 7.5m Stolen

Hackers may have gotten away with almost USD 8 million worth of digital assets from what Swiss crypto exchange Trade.io claims is cold storage devices held in safety deposit boxes.

Source: iStock/oonal

Cold storage of digital assets refers to storing the private keys to digital wallets in offline devices that are physically locked away from any unauthorized access. This type of storage is supposed to make hacker attacks impossible to carry out, although Trade.io now brings that into question.

Now, the company claims that “at no point was the trade.io exchange or liquidity pool accessed or affected, and both remain operational.”

“The breach was limited to one particular hardware wallet that was purchased directly from the manufacturer. Consequently, no customer accounts were directly affected, or customer funds lost,” according to an announcement by Trade.io.

They added that investigations are ongoing, but have so far concluded that there was no technical hack on the cold storage unit.

“There is also nothing to indicate theft by internal actors”, the company said.

Moreover, the company decided to fork its own token TIO: the name of the forked token will be Trade Token X with the ticker TIOx. The company plans to announce more details soon.

TIO price chart:

This weekend, the firm, which claims it is “providing the ultimate in security and transparency,” wrote that it discovered “irregular trading activity” in trading pairs involving TIO token on Bancor and Kucoin exchanges, following “a large transaction” from one of its “wallets held in cold storage.”

Trade.io confirmed that 50 million TIO tokens, worth approximately USD 7.5 million, had been withdrawn from its exchange before it noticed any irregularities. Out of that amount, the firm said an estimated 1.3 million TIO had been sent to Bancor and Kucoin.

The Swiss-based crypto exchange, which completed an initial coin offering (ICO) in January this year, further said that all withdrawals and deposits of TIO will remain disabled on its platform until further notice. In addition, Bancor has delisted TIO, while Kucoin has suspended all TIO deposits.

The unauthorized transfer and “irregular trading activity” on Trade.io is extremely strange, considering the company’s claim that the relevant cold storage devices were held in “safety deposit boxes in banks.” The company also added that “we have confirmed that the safety deposit boxes were not compromised,” which normally could only mean that the devices must have been tampered with by an insider prior to being placed at the bank.

While Trade.io’s story indeed sounds unlikely, there is a chance it could have happened, and there are reports of people in the past who have purchased cold storage devices from resellers that had previously been tampered with.