GDAC Incident Analysis
4/14/2023

Introduction

On the morning of 10 April, South Korean exchange GDAC announced on their website that their exchange wallets had been compromised, leading to the loss of $13 million worth of cryptocurrency. The company disclosed that this loss amounted to 23% of all of the exchange's holdings. Whilst unconfirmed at the time of writing, this incident was highly likely due to a private key compromise, and would be the largest such incident in 2023.

Event Summary

Whilst GDAC announced on 10 April that their exchange had been exploited, the incident likely began at around 06:36 PM UTC on 8 April on the Ethereum network. At this time, 0.5 ETH was transferred to the attacker's address, possibly as a test transaction. Approximately six minutes later, the majority of the ETH in externally owned address (EOA) 0x9f474, which CertiK have confirmed belongs to GDAC, was transferred to three separate wallets.

Image: Historical Ether balance of compromised GDAC wallet. Source: Etherscan

Additionally, 220,000 USDT was transferred to the exploiter's wallet (0x24461) from another wallet controlled by GDAC. The USDT was then swapped for ETH before being deposited into Tornado Cash along with the rest of the stolen Ether. At the time of writing, the exploiter has transferred 462.5 ETH, worth $874,189.75.

The majority of the funds were stolen on the WEMIX blockchain, with 10 million WEMIX tokens being transferred to an address controlled by the exploiter. The coins were then transferred to multiple addresses, including contracts and wallets. The flow of funds is shown below.

Image: Flow of funds on WEMIX Blockchain. Source: WEMIX Blockchain

The compromised GDAC wallet on the WEMIX blockchain now only holds approximately 751,000 WEMIX coins.

It’s unclear why the malicious actor didn’t drain the entirety of the funds in the compromised GDAC wallets. For example, EOA 0x5735f holds assets totaling approximately $1.78 million after the malicious transfer even though it had enough ETH to cover gas fees. It’s likely that the exploiter only targeted the USDT in the compromised wallet since this would be the easiest way to swap for ETH and then transfer to Tornado Cash. However, it is unclear why GDAC’s WEMIX wallet was not completely drained.

Attack Flow

As in the majority of private key compromises that CertiK has investigated, the malicious transactions themselves do not show any obviously suspicious activity on-chain. Suspicion can sometimes arise from context instead, for example when a high-dollar-value transfer goes to a freshly created recipient wallet. Some cases are easier to identify as a private key compromise, such as the Wintermute incident, where the malicious actor took over an EOA that held privileged positions and moved funds to a wallet via a privileged function. In this particular incident, however, the malicious transactions appeared on-chain as normal transfer() calls.
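To make the detection angle concrete, here is an added example (not CertiK's tooling and not from the GDAC investigation) that applies the two contextual signals described above, a small probe transfer followed minutes later by a large outflow, and a large outflow to a recipient first seen only recently, to a constructed set of transfers. The wallet labels, thresholds and sample transfers are assumptions made for the example.

```python
"""Heuristic flagging of hot-wallet outflows that resemble a key compromise.

Every transfer is an ordinary transfer() call, as in the incident, so the
signal comes from value, timing and counterparty age, not from the call itself.
"""
from datetime import datetime, timedelta

MONITORED = {"0xEXCH_HOT", "0xEXCH_HOT_2"}   # hypothetical exchange hot wallets
KNOWN = {"0xEXCH_COLD"}                      # hypothetical trusted counterparties

# Constructed sample transfers (not real chain data): (time, from, to, asset, usd_value)
SAMPLE_TXS = [
    ("2023-04-08T12:00:00", "0xEXCH_HOT",   "0xEXCH_COLD", "ETH",    360_000.0),
    ("2023-04-08T18:36:00", "0xEXCH_HOT",   "0xNEW_A",     "ETH",        900.0),
    ("2023-04-08T18:42:00", "0xEXCH_HOT",   "0xNEW_A",     "ETH",  2_700_000.0),
    ("2023-04-08T18:43:00", "0xEXCH_HOT",   "0xNEW_B",     "ETH",  2_160_000.0),
    ("2023-04-08T19:10:00", "0xEXCH_HOT_2", "0xNEW_A",     "USDT",   220_000.0),
]


def flag_outflows(txs, monitored=MONITORED, known=KNOWN, large_usd=100_000,
                  probe_usd=5_000, probe_window=timedelta(minutes=30),
                  fresh_window=timedelta(hours=24)):
    """Return [(time, recipient, reason), ...] for outflows worth a closer look."""
    ordered = sorted((datetime.fromisoformat(t), f, to, a, v) for t, f, to, a, v in txs)
    first_seen = {}   # address -> first time it appeared anywhere in the stream
    probes = {}       # (sender, recipient) -> time of the last small transfer
    alerts = []
    for when, sender, to, asset, usd in ordered:
        for addr in (sender, to):
            first_seen.setdefault(addr, when)
        if sender not in monitored or to in known:
            continue                         # only outflows to untrusted parties
        if usd < probe_usd:
            probes[(sender, to)] = when      # remember a possible test transfer
            continue
        if usd >= large_usd:
            if when - first_seen[to] <= fresh_window:
                alerts.append((when, to, "large transfer to fresh recipient"))
            last_probe = probes.get((sender, to))
            if last_probe is not None and when - last_probe <= probe_window:
                alerts.append((when, to, "probe transfer followed by large transfer"))
    return alerts


if __name__ == "__main__":
    for when, to, reason in flag_outflows(SAMPLE_TXS):
        print(when.isoformat(), to, reason)
```

The "fresh" test assumes the stream holds the full history of each address; in practice the first-seen time would come from an indexer rather than the monitored window alone.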

Private Key Compromises

The GDAC incident is the largest private key compromise that CertiK have detected in 2023. A total of $31.8 million has been lost across 11 incidents, with the GDAC incident making up 40% of the overall total. By this time last year, CertiK had detected 12 private key compromises with an overall total of approximately $739 million stolen, the vast majority attributable to the Ronin Bridge exploit. Discounting that outlier, approximately $115 million had still been lost to private key compromises by early April 2022, so the total by mid-April 2023 represents a 72% decrease compared to the same time last year.

Perhaps the most striking difference when we compare private key compromises by mid-April 2023 to the same time in 2022 is the overall percentage of incidents that have targeted individual wallets, such as those of retail investors. Of the total amount stolen through private key compromises in 2023, approximately 40% originated from retail investors. CertiK didn't record any such incident in the same time period in 2022.

Conclusion

Private key compromises are unfortunately still common, and each one requires an in-depth investigation to determine whether the malicious actor is an insider threat or external to the organization. CertiK's investigation team is made up of highly skilled and motivated investigators who are able to look into an incident and compose a report to be submitted directly to law enforcement agencies. If you or your project has suffered a private key compromise, reach out to CertiK's investigation team by visiting our website.
