Cyber Incident Victim: KuCoin
Date: Sep 2020
Location: Singapore
Summary
A cryptocurrency exchange suffered a security breach resulting in the theft of approximately $150 million from its internet-connected hot wallets, which facilitate real-time transactions. The attacker compromised various assets including Bitcoin and ERC-20 tokens, prompting the platform to suspend deposits and withdrawals while initiating a security audit. The incident was detected following unusual large-scale withdrawals, and the company committed to reimbursing affected users through its offline cold storage reserves. The company planned to disclose further details in a live announcement by its CEO.
Description
On September 26, 2020, Singapore-based cryptocurrency exchange KuCoin detected unauthorized large withdrawals from its hot wallets, prompting an immediate security audit. The investigation confirmed a breach in which an unidentified threat actor stole Bitcoin, ERC-20 tokens, and other cryptocurrencies directly from these internet-connected wallets, which the platform used for processing real-time transactions and conversions. Initial tracking of stolen funds to an Ethereum address indicated losses exceeding $150 million. The exchange publicly disclosed the incident the same day, characterizing it as a coordinated attack on its hot wallet infrastructure. No evidence suggested compromise of offline cold wallets during the breach.

KuCoin suspended all deposit and withdrawal services following the discovery to contain further unauthorized transactions. CEO Johnny Lyu announced plans to fully cover user losses using the platform’s insurance fund backed by cold wallet reserves. A comprehensive security review was initiated alongside blockchain forensic efforts to trace the stolen assets. Lyu scheduled a live-streamed update for 12:30 UTC+8 on September 26 to address breach specifics and recovery timelines. The incident disrupted trading operations indefinitely while underscoring systemic vulnerabilities in hot wallet management practices across cryptocurrency exchanges. User reimbursement procedures remained pending as the investigation continued.
