Cyber Incident Victim: Hotbit
Date: Apr 2021
Location: China
Summary
A cryptocurrency exchange suffered a cyberattack that targeted its wallets, disrupted services and deleted its database. The attackers were blocked from reaching digital assets, but the exchange had to shut down for investigation and system restoration, a process estimated at up to two weeks. Users were warned about phishing attempts and advised to change any credentials reused on other sites, and the platform accepted responsibility for losses on specific financial products during the downtime. Open orders were to be cancelled once service resumed, to avoid trades executing at stale prices, and routine income distributions were deferred until maintenance ended. Wallet transfers that users noticed after the incident were confirmed to be legitimate moves into new cold storage.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On April 29, 2021, at approximately 8:00 PM UTC, the Hotbit cryptocurrency exchange experienced a significant cyberattack that disrupted core operations. The attackers targeted the platform's infrastructure, taking several basic services offline, and attempted to compromise Hotbit's cryptocurrency wallets. The exchange's risk control systems detected and blocked the wallet intrusion attempt, so no digital assets were stolen. The attackers did, however, delete Hotbit's primary database, forcing an immediate suspension of all services. Hotbit, which served roughly 2 million registered users across 210 countries, including 500,000 active Android app users, assured customers that their funds remained secure despite the outage. Because a deletion can conceal earlier tampering, the exchange opened an investigation into whether the attackers had modified data before wiping it: if they had, backups taken after that point could not be trusted as a restoration baseline. Recovery was projected to take 7 to 14 days because the backups had to be verified before any rebuild could begin.
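The backup-integrity question raised above is the kind of check a practitioner wants to be able to run mechanically, so the following is an added example, not Hotbit's code or any description of its systems. It assumes a backup process that, at snapshot time, records a per-table digest manifest and authenticates it with an HMAC key held offline (the key, table names and records are all constructed for illustration). At restore time the manifest's MAC is checked first; only then are the per-table digests compared, so a backup whose rows were altered before the deletion is flagged rather than restored.

```python
import hashlib
import hmac
import json

# Constructed example key. It is assumed to live only on an offline signing
# host, so an attacker who wipes the production database cannot re-sign a
# tampered backup. Hypothetical, not a real deployment value.
MANIFEST_KEY = b"offline-manifest-key-example"


def table_digest(rows):
    """SHA-256 over a canonical JSON encoding of a table's rows.

    Sorted keys and no whitespace make the digest independent of how the
    backup tool happened to serialize the rows."""
    h = hashlib.sha256()
    for row in rows:
        h.update(json.dumps(row, sort_keys=True, separators=(",", ":")).encode())
        h.update(b"\n")
    return h.hexdigest()


def build_manifest(snapshot, key=MANIFEST_KEY):
    """Per-table digests plus an HMAC over the digest list.

    Produced at backup time and stored separately from the backup itself."""
    digests = {name: table_digest(rows) for name, rows in sorted(snapshot.items())}
    payload = json.dumps(digests, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"digests": digests, "mac": mac}


def verify_backup(snapshot, manifest, key=MANIFEST_KEY):
    """Return (manifest_ok, tampered_tables).

    manifest_ok is False when the manifest fails its own MAC; nothing in it
    can then be trusted, so no per-table result is reported. Otherwise
    tampered_tables lists tables whose digest differs from the manifest,
    plus tables that are missing from or extra in the snapshot."""
    payload = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, []
    tampered = []
    for name in sorted(set(snapshot) | set(manifest["digests"])):
        if name not in snapshot or name not in manifest["digests"]:
            tampered.append(name)
        elif table_digest(snapshot[name]) != manifest["digests"][name]:
            tampered.append(name)
    return True, tampered


# Constructed snapshot, standing in for a backup taken before the incident.
GOOD_SNAPSHOT = {
    "balances": [{"uid": 1, "asset": "BTC", "amount": "0.5"},
                 {"uid": 2, "asset": "ETH", "amount": "10"}],
    "orders":   [{"id": 100, "uid": 1, "side": "buy", "qty": "0.1"}],
}
GOOD_MANIFEST = build_manifest(GOOD_SNAPSHOT)

# Constructed "backup" in which one balance was altered before the wipe.
TAMPERED_SNAPSHOT = {
    "balances": [{"uid": 1, "asset": "BTC", "amount": "0.5"},
                 {"uid": 2, "asset": "ETH", "amount": "1000"}],
    "orders":   [{"id": 100, "uid": 1, "side": "buy", "qty": "0.1"}],
}

if __name__ == "__main__":
    print(verify_backup(GOOD_SNAPSHOT, GOOD_MANIFEST))      # (True, [])
    print(verify_backup(TAMPERED_SNAPSHOT, GOOD_MANIFEST))  # (True, ['balances'])
```

The design point is the separation of trust: the manifest is small enough to keep somewhere the production environment cannot write to, and its MAC is checked before any digest is consulted, so an attacker with write access to both the database and the backup store still cannot make a modified backup verify without the offline key.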

Hotbit issued specific advisories and operational updates during the downtime. Users were warned that phishing campaigns might impersonate the exchange and were urged to verify any suspicious communication directly with Hotbit. Although passwords and two-factor authentication keys were stored in encrypted form, the exchange recommended that users change their credentials on any other platform where they had reused them. The attack also affected several transactional features: all open orders would be cancelled when service resumed, so that none would execute against prices that had moved during the outage; losses on leveraged ETF products during the maintenance window would be covered by Hotbit; and routine income distributions from investment products would resume after recovery. Users noticed unusual transfers out of Hotbit wallets after the incident, which the exchange explained were legitimate movements into a new cold wallet, a standard practice that keeps reserves off the internet-connected hot wallets the attackers had targeted. The platform communicated regularly throughout the incident but gave no further details on attribution or forensic findings within the initial disclosure period.
