Cyber Incident Victim: Cryptopia Limited
Date:
Feb 2021
Location:
New Zealand
Summary
A New Zealand cryptocurrency exchange suffered two security breaches, initially losing approximately $30 million in cryptocurrencies. While undergoing liquidation, the platform experienced a second breach involving unauthorized transfers of around $45,000 from a cold wallet holding substantial assets. This incident followed separate thefts by a former employee who misappropriated nearly $250,000 in digital currencies and customer data. A court subsequently determined that remaining assets belonged to account holders rather than the exchange itself, amid ongoing liquidation proceedings.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The New Zealand-based cryptocurrency exchange Cryptopia experienced a significant cyber attack on January 14, 2019, resulting in the theft of approximately USD 30 million worth of cryptocurrencies. This initial breach marked a severe compromise of the platform's security infrastructure. Nearly two years later, while undergoing liquidation proceedings, Cryptopia suffered a second security incident on February 1, 2021. During this subsequent attack, threat actors transferred NZ$62,000 (equivalent to US$45,000) worth of XSN cryptocurrency from a cold wallet belonging to creditor Stakenet. The targeted wallet had remained inactive since the 2019 breach but still contained approximately NZ$2.7 million worth of Stakenet's native XSN tokens at the time of the 2021 incident. These security breaches occurred against a backdrop of internal misconduct, as reports indicated a former employee had previously been charged with stealing nearly $250,000 in cryptocurrencies and customer data several months prior to the 2021 hack.
Cryptopia entered liquidation in May 2020 following financial difficulties stemming from the 2019 breach. On April 8, 2020, New Zealand High Court Judge David Gendall ruled that ownership of Cryptopia's remaining crypto-assets would transfer to account holders rather than the exchange itself. Despite this legal determination and the ongoing liquidation process advertised on the exchange's website, the February 2021 theft demonstrated persistent vulnerabilities in Cryptopia's asset management systems. The second breach specifically impacted Stakenet's holdings within the compromised cold wallet, though the full scope of affected parties beyond this creditor remained unspecified in available reports. No security enhancements or protective measures implemented between breaches were documented, while the liquidation proceedings continued unaffected by the subsequent theft. The consecutive security failures resulted in cumulative financial losses exceeding $30 million and eroded stakeholder confidence during the exchange's wind-down operations.