Poloniex Incident Analysis
11/15/2023

Introduction

On 10th November, Poloniex wallets on Ethereum, Tron and BTC were compromised leading to an overall loss of approximately $132 million. In total, the stolen funds have passed through at least 681 wallets as assets are being laundered. This is the second largest private key compromise that CertiK has detected in 2023. Just 40 incidents involving private key compromises have accounted for 57% of the overall losses in 2023, demonstrating how devastating private key compromises can be.

Event Summary

On 10th November, suspicious movements of funds were detected originating from Poloniex hot wallets on Ethereum, Tron and BTC. The total lost in this incident is approximately $132 million worth of assets, with the majority lost on the Ethereum network. At the time of writing, the funds have passed through over 600 wallets on Ethereum and 70 wallets on Tron. The funds have not moved from the hacker's Bitcoin wallet.

The first suspicious movement of funds occurred when approximately $18 million was transferred to the hacker's BTC wallet at 10:34 AM UTC. Shortly after, the first ERC-20 tokens were moved, starting with 11 million USDT, followed by approximately 642.9 ETHO on Tron. To swap the vast quantity of ERC-20 tokens stolen, the hacker transferred 0.5 ETH to a second wallet under their control, followed by a single token type, which was then swapped for ETH and transferred on to a new wallet. An overview of this process is shown in the figure below.

[Figure: overview of the token-swapping process]

A Mistake By The Hacker

The malicious actor stole 317 ERC-20 tokens from the Poloniex hot wallet, with the majority swapped for ETH. However, the hacker made a mistake with the GLM tokens that they stole. In total, over 10.5 million GLM tokens were stolen, worth $2.6 million at the time of transfer. However, instead of swapping the GLM tokens for ETH, the hacker transferred the tokens to the Golem Network Token contract.


At the time of writing, the funds are still within the token's contract. It is likely that human error led to the attacker copying the contract address as the recipient after importing the token contract into their wallet.
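The two patterns described above, a hot wallet suddenly paying out to previously unseen addresses and tokens being sent to their own token contract, are both easy to flag from a transfer feed. The following is an added example written for this analysis, not CertiK's or Poloniex's own tooling; all addresses, amounts and the sample transfers are constructed placeholders.

```python
"""Heuristic transfer monitor for the patterns discussed above (constructed data)."""

# Placeholder addresses; real monitoring would pull these from the exchange's own inventory.
HOT_WALLET = "0xHOT_WALLET_PLACEHOLDER"
GLM_CONTRACT = "0xGLM_CONTRACT_PLACEHOLDER"
TOKEN_CONTRACTS = {"GLM": GLM_CONTRACT, "USDT": "0xUSDT_CONTRACT_PLACEHOLDER"}

# Constructed transfer records modelled on the sequence in the write-up.
SAMPLE_TRANSFERS = [
    {"token": "USDT", "from": HOT_WALLET, "to": "0xATTACKER_A", "usd": 11_000_000},
    {"token": "ETH", "from": "0xATTACKER_A", "to": "0xATTACKER_B", "usd": 900},  # gas seeding
    {"token": "GLM", "from": HOT_WALLET, "to": GLM_CONTRACT, "usd": 2_600_000},  # sent to the token's own contract
    {"token": "USDT", "from": HOT_WALLET, "to": "0xKNOWN_COUNTERPARTY", "usd": 500},
]


def find_alerts(transfers, hot_wallets, token_contracts, known_counterparties, big_outflow_usd):
    """Return (alert_kind, transfer) pairs for every transfer that matches a heuristic."""
    alerts = []
    seen = set(known_counterparties)  # addresses we have already paid out to
    for t in transfers:
        # 1) Tokens sent to their own contract: a plain ERC-20 contract has no function
        #    to move them back out, so the value is effectively locked.
        if t["to"] == token_contracts.get(t["token"]):
            alerts.append(("token_sent_to_own_contract", t))
        # 2) Large outflow from a hot wallet to an address with no prior history.
        if t["from"] in hot_wallets and t["to"] not in seen and t["usd"] >= big_outflow_usd:
            alerts.append(("large_outflow_to_fresh_address", t))
        seen.add(t["to"])
    return alerts


if __name__ == "__main__":
    for kind, t in find_alerts(SAMPLE_TRANSFERS, {HOT_WALLET}, TOKEN_CONTRACTS,
                               {"0xKNOWN_COUNTERPARTY"}, big_outflow_usd=1_000_000):
        print(f"{kind}: {t['token']} {t['from']} -> {t['to']} (${t['usd']:,})")
```

The "fresh address" check is deliberately simple; a production monitor would also track the age of the receiving address on-chain and the velocity of outflows over a window.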

Private Key Compromises

In our $1 billion briefing report, which can be read here, CertiK predicted that although we would be unlikely to see an uptrend in the amount lost to hacks and scams before the end of the year, the exception would “highly likely come in the form of additional private key compromises on crypto companies that hold a large amount of assets.”

Since that prediction at the start of September, we have recorded approximately an additional $450 million in losses to private key compromises, which have now reached $725.4m in 2023. This figure accounts for 57% of the overall losses in 2023 so far. The table below shows a month-by-month breakdown of the amount of funds lost to private key compromises for the year.


This trend of private key compromises accounting for the large losses will likely continue until a bull market returns and investors lock more value into smart contracts.

Asset Tracing

So far there have been at least 681 wallets used to move the assets stolen from Poloniex.

Of these wallets:

  • 371 hold a balance greater than $100

  • 342 hold more than $1,000

  • 199 hold more than $10,000

  • 74 hold more than $100,000

  • 16 wallets currently hold more than $1 million of assets

  • The largest wallet has a current balance of $21.17m


The exploiter has so far not laundered any of the funds through privacy protocols or exchanges at the time of writing.

Conclusion

The hack on Poloniex hot wallets is the second largest private key compromise that CertiK has detected in 2023, and it has pushed November's losses to security incidents to $173 million so far. This means that November already ranks as the 4th highest month in terms of funds lost. In our $1 Billion Dollar Brief report, we predicted that going into Q4 2023 any month with extremely high losses, such as $100 million or more, would likely be due to private key compromises. You can see more details of our predictions in our $1 Billion Dollar Brief. Private key compromises will likely continue to cause the largest losses in Web3 for the remainder of the year, because centralized institutions hold large amounts of assets while DeFi protocols hold a lower overall value compared to the previous bull market.