In the second part of Tookey.io’s “Hacks in-depth” we’d like to take a look at the BitMart hack on December 4, 2021, providing you with analysis and insights on what really occurred there.
Hack Track: Analysis of BitMart Hack
BitMart’s Ethereum and Binance Smart Chain hot wallets were attacked on December 4, 2021, resulting in a loss of roughly $200 million USD. Sheldon Xia, the company’s founder and CEO, acknowledged the issue on Twitter, stating, “We have uncovered a large-scale security compromise relating to one of our ETH hot wallets and one of our BSC hot wallets.”
This newest hack occurred during a period of tremendous growth in attacks on the crypto sector. Based on the most recent industry statistics, 169 blockchain hacking incidents occurred as of November 2021, with about $7 billion stolen. As the number of worldwide blockchain hacking incidents rises, so does regulatory scrutiny of the crypto business.
With the surge in crypto hacking incidents, stronger security measures across the industry have become increasingly important. Hot wallets are particularly vulnerable to attack since they are connected to the internet. The most susceptible exchanges are those with weak blockchain monitoring mechanisms.
What occurred?
The funds were stolen from BitMart’s Ethereum and Binance Smart Chain hot wallets. After transferring the funds out of BitMart, the hackers allegedly used decentralized exchange aggregators 1inch and PancakeSwap to trade the stolen tokens. The ether was then transferred into Tornado Cash, a privacy mixer, making it impossible to trace the stolen assets.
BitMart reported in a tweet that the incident was primarily the result of a “stolen private key that compromised two of our hot wallets.” BitMart states that just a tiny portion of its funds was compromised and that all of its other wallets are safe and secure. Nonetheless, the exchange has halted withdrawals and is evaluating its security procedures.
BitMart, on the other hand, is sure that it will be able to progressively resume withdrawal and deposit activities.
BitMart executives have said that the exchange will cover the losses and compensate its users using its own funds. Merkle Science’s database has already been updated, and the wallet addresses implicated in the hack have been banned.
Analysis of the Ethereum Blockchain
- The hacker took 29 different types of tokens from the Ethereum network, including ETH. In total, $90,487,593.65 in cryptocurrency was stolen on the Ethereum network.
- On December 4, 2021, 148.87 ETH ($599,576.39) were stolen from BitMart’s hot wallet 0x68b22215ff74e3606bd5e6c1de8c2d68180c85f7 and transferred to the hacker’s wallet 0x39fb0dcd13945b835d47410ae0de7181d3edf270 (H1).
- The stolen ERC-20 tokens from H1 were changed into ETH for approximately 18,044.75 ETH ($74.07 million) via the well-known decentralized exchange aggregator 1inch.
- On December 5, 2021, 18,085 ETH ($74.61 million) from H1 was moved to the hacker’s second wallet 0x4bb7d80282f5e0616705d7f832acfc59f89f7091 (H2).
- To mix the stolen funds, 100 ETH ($417,118.62) was moved from H1 to Tornado Cash.
- Furthermore, via 1inch, H2 received 3,110.69 ETH ($12.97 million) from the traded ERC-20 tokens. (This was not money taken from BitMart hot wallets.)
- From stages 3 and 6, H2 received a total of 21,195.73 ETH ($85.36 million). In order to mix the money, the hacker transferred more than 99.9% (21,170 ETH) of the total ETH from H2 to Tornado Cash.
The hacker has been routinely using the decentralized exchange (DEX) aggregator 1inch to exchange stolen assets for cryptocurrency ether (ETH), and then depositing the ETH into privacy mixer Tornado Cash using a secondary address, making the hijacked money harder to track.
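The flow listed above can be followed with address-level forward tracing, shown here as an added example that is not part of the original article. The ledger is constructed from the article's figures, the sequence order is assumed from the list order, and `MIXER`, `DEX` and `trace` are hypothetical names.

```python
from decimal import Decimal

# Addresses as given in the article; MIXER and DEX are placeholder labels.
HOT = "0x68b22215ff74e3606bd5e6c1de8c2d68180c85f7"  # BitMart hot wallet
H1 = "0x39fb0dcd13945b835d47410ae0de7181d3edf270"
H2 = "0x4bb7d80282f5e0616705d7f832acfc59f89f7091"
MIXER, DEX = "tornado-cash", "1inch"

# Constructed ledger: (sequence, sender, receiver, ETH). Amounts are the
# article's figures; the sequence numbers follow the list order (assumed).
TRANSFERS = [
    (1, HOT, H1, Decimal("148.87")),
    (2, DEX, H1, Decimal("18044.75")),   # swap proceeds from stolen ERC-20s
    (3, H1, H2, Decimal("18085")),
    (4, H1, MIXER, Decimal("100")),
    (5, DEX, H2, Decimal("3110.69")),
    (6, H2, MIXER, Decimal("21170")),
]


def trace(transfers, source, sinks):
    """Return (downstream addresses, ETH each one sent into a sink)."""
    tainted = {source}
    sink_deposits = {}
    for _, sender, receiver, amount in sorted(transfers, key=lambda t: t[0]):
        if sender not in tainted:
            continue  # sender had not touched stolen funds at this point
        if receiver in sinks:
            sink_deposits[sender] = sink_deposits.get(sender, Decimal(0)) + amount
        else:
            tainted.add(receiver)
    return tainted - {source}, sink_deposits


if __name__ == "__main__":
    wallets, deposits = trace(TRANSFERS, HOT, {MIXER})
    for wallet in sorted(wallets):
        print(wallet, "sent", deposits.get(wallet, 0), "ETH to the mixer")
    print("total into mixer:", sum(deposits.values()))
```

The mixer total is far larger than the 148.87 ETH taken directly because tracing by address, rather than by asset, keeps following the funds after the stolen ERC-20 tokens are swapped into ETH.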
The $196 million in losses make this one of the most devastating centralized exchange hacks to date.
BitMart executives first stated on an official Telegram channel that the outflows were ordinary withdrawals, calling rumors of the attack “false news.”
Hours later, BitMart CEO Sheldon Xia revealed that the outflows were the consequence of a “security failure.”
The Impact of the BitMart Hack on the Crypto Community
Following the BitMart breach, investors’ faith was severely shaken. As a result, the trading platform opted for an offline storage solution, with up to 54% of its tokens held in cold wallets.
Authorities all across the world are working hard to stabilize the cryptocurrency market and strengthen security mechanisms. Another thing to keep in mind is that, while blockchain is safe, exchanges are not. As a result, instead of depending on the weak security mechanisms of crypto exchanges, investors should use cold wallets to keep their funds safe.
How Can Cryptocurrency Exchanges Be Safe From Hackers?
Individual and exchange-level safeguards should be implemented to protect funds against crypto frauds and attacks. Some practices are advised for individuals to protect themselves from loss. The first and most crucial step is to develop an appropriate investing plan.
Diversification is an important component of a successful investment strategy. Another important approach is to do extensive research. Before investing in any token or cryptocurrency, it is recommended that you read the whitepaper and investigate the team’s credibility. This ensures that you are investing in a dependable project with real-world applications. While some cryptocurrencies may appear profitable owing to their brilliant marketing efforts, they might be part of a massive rug-pull scheme.
Decentralized means that a system does not rely on any centralized authority to work; the entire system may be accessed from any device anywhere in the world. Because cryptocurrency is not legal in many countries, you should examine the crypto-related regulations in your jurisdiction before investing in any cryptocurrency. If you intend to keep your assets on an exchange, it is also recommended that you enable 2FA (and choose a top exchange).
In addition, when wallets ask their users to grant web3 apps nearly unlimited access to their funds, they must be explicit with their users, and they must offer visual indications that signal the extent of these approvals and any irregularities. We are determined to address such problems in our upcoming web3 application implementation in Tookey.
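One way a wallet could derive that signal before the user signs, assuming the approvals in question are ERC-20 `approve` allowances (an added example, not Tookey's code; `classify_approval` and the sample calldata are hypothetical and constructed for illustration):

```python
# ERC-20 approve(address spender, uint256 amount) has selector 0x095ea7b3.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
MAX_UINT256 = 2**256 - 1

# Constructed sample: approve(0x1111...1111, 2**256 - 1)
SAMPLE_SPENDER_WORD = "00" * 12 + "11" * 20
SAMPLE_UNLIMITED = "0x095ea7b3" + SAMPLE_SPENDER_WORD + "ff" * 32


def classify_approval(calldata_hex, balance):
    """Decode approve() calldata and grade the allowance against the
    user's token balance (both in the token's smallest unit).
    Returns None when the calldata is not a well-sized approve() call."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) != 4 + 32 + 32 or data[:4] != APPROVE_SELECTOR:
        return None
    if any(data[4:16]):
        # An address argument is left-padded with 12 zero bytes.
        raise ValueError("malformed spender argument")
    spender = "0x" + data[16:36].hex()
    amount = int.from_bytes(data[36:68], "big")

    if amount == 0:
        level = "revoke"            # removes an existing allowance
    elif amount == MAX_UINT256:
        level = "unlimited"         # spender can move any future balance
    elif amount > balance:
        level = "exceeds-balance"   # more than the user currently holds
    else:
        level = "bounded"
    return {"spender": spender, "amount": amount, "level": level}


if __name__ == "__main__":
    print(classify_approval(SAMPLE_UNLIMITED, balance=10**18))
```

A wallet UI would map `unlimited` and `exceeds-balance` to a prominent warning and show the decoded spender next to it.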
Conclusions and concepts
According to the security firm PeckShield, the incident is a simple example of transfer, swap, and wash hacking. According to other investigation reports, the impacted hot wallets held just a small fraction of the company’s assets.
Furthermore, after transferring funds from BitMart, the hackers used the decentralized exchange platform 1inch to exchange stolen tokens for Ether. These coins were then deposited through Tornado Cash, a coin mixer, into an address. As a result, tracing the receiving address became impossible.