Deribit Incident Analysis
11/22/2022

TL;DR

On November 2nd, 2022, Deribit Exchange’s hot wallet was compromised. Client funds are safe as the loss will be covered by company reserves. A private key leak may have led to the loss of ~$28m in USDC, ETH and BTC across the Ethereum and Bitcoin chains. This is the third largest private key compromise of 2022.

Summary

On Nov 2nd, 2022, Deribit Exchange announced that their hot wallets were compromised. The loss will be covered by company reserves. The company claims to keep “99% of…user funds in cold storage to limit the impact of these types of events”.

Withdrawals were temporarily suspended, and a later update informed users that on-chain deposit addresses for BTC, ETH and USDC would have to be regenerated; previous deposit addresses would no longer be valid.

They announced that the insurance fund will not be impacted, that all losses would be covered by the insurance fund, and that ongoing operations will not be impacted either.

Deribit Exchange worked towards opening regular on-chain withdrawals later in the day. Withdrawals via third-party custodians Copper Clearloop and Cobo were re-enabled first, after which Deribit re-opened regular withdrawals for BTC, ETH and USDC. Deribit also migrated all the hot wallets to Fireblocks, which resulted in Deribit deposit addresses being renewed and old deposit addresses removed.

A private key leak has led to the loss of ~6,947 Ether, ~$3,394,823 USDC and ~691 Bitcoin, for a total of roughly $28 million USD.

Exploit Transactions

Ether transfer

https://etherscan.io/tx/0xa1822e68a736bcdb57d05b2679260904813efdd17df62ede1d716dec9eeb4e8c

https://etherscan.io/tx/0xa43beda2d8739c679012b26b8b5f66dc4b7196eb31e39d6f7cdbede134e19720

USDC transfer

https://etherscan.io/tx/0x9ae755bfbb181cc991fc2d54ec6ab04f331042cea5d33e95476846446cf88815

Bitcoin transfer

Blockchain.com Explorer | BTC | ETH | BCH


Addresses

Deribit Hotwallet (ETH Compromised):

0x58F56...

Deribit Hotwallet (Bitcoin Compromised):

bc1q2de...

Deribit Hotwallet Exploit2(ETH):

0x8d08aad4b2bac2bb761ac4781cf62468c9ec47b4

Deribit Hotwallet Exploit(ETH):

0xb0606f433496bf66338b8ad6b6d51fc4d84a44cd

Deribit Hotwallet Exploit(Bitcoin):

bc1qw5g8lw4kzltpdcraehy2dt6dqda8080xd6vhl4kg4wwsypwerg9s3x6pvk

Profit and Assets Tracing

The combined stolen assets of Bitcoin and ETH total roughly $28 million USD (~6,947 Ether, ~$3,394,823 USDC and ~691 Bitcoin). At the time of writing this report (2022-11-02 08:39:11 UTC), the stolen assets are still in 0xb0606... (ETH) and bc1qw5g... (Bitcoin).

Conclusion

Two days after the Deribit incident, the hacker started moving funds via Tornado Cash (https://etherscan.io/address/0xb0606f433496bf66338b8ad6b6d51fc4d84a44cd). The attacker moved 1,610 ETH in 17 transactions; 16 of the transactions moved 100 ETH, while the remaining transaction moved just 10. The attack against Deribit Exchange was the 3rd largest wallet compromise this year.

Deribit Exchange later announced that it is now impossible for any hacker to withdraw any funds from a hot wallet because withdrawals now require additional human verification. Deribit believes this is the best approach moving forward to ensure that no further attacks will occur.