
Cyber Incident Victim: GateHub Ltd.

Date: Jun 2019

Location: United States of America

Summary

Cybercriminals stole approximately $10 million in Ripple (XRP) from users of the GateHub cryptocurrency wallet service by issuing API calls with valid access tokens from a limited number of compromised IP addresses. The company found no evidence of brute-force attacks or unauthorized logins, but it did observe a rise in suspicious API activity and disabled all access tokens, which halted further incidents. The exact method used to decrypt the secret keys remains undetermined; potential causes include a historical database leak or key-management issues. Law enforcement is engaged in an ongoing investigation.

CIA Posture: available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

In early June 2019, GateHub, a cryptocurrency wallet service supporting XRP Ledger wallets, confirmed a theft of approximately 3.2 million Ripple (XRP) tokens valued at nearly $10 million from user accounts. The company initiated an investigation after receiving customer reports of unauthorized fund withdrawals, focusing on transaction patterns and internal system logs. GateHub identified suspicious activity involving API requests authorized with valid access tokens, originating from a limited set of IP addresses believed to be compromised. No evidence of brute-force attacks or unauthorized logins was detected, but the volume of API calls using legitimate tokens increased notably. On June 1, GateHub disabled all active access tokens, halting the anomalous API traffic. Preliminary findings suggested attackers exploited these tokens to access encrypted secret keys, though the method of decryption remained undetermined. The company acknowledged no direct operational failures but committed to further analysis and cooperation with law enforcement.

Community researcher Thomas Silkjær independently documented the incident, revealing that the theft initially involved 201,000 XRP from an account managed via GateHub. His analysis traced the attack to 12 primary suspect accounts on the XRP Ledger, all linked to GateHub users. Silkjær confirmed no compromise of GateHub’s login credentials but explored unresolved hypotheses for the breach, including potential vulnerabilities in RippleTrade migration processes, browser client exploits, or exposure of an older database containing encrypted keys. The stolen funds were funneled through the wallet address r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k. GateHub publicly apologized to affected users while maintaining that no internal lapse facilitated the theft. The company reported the incident to authorities, with investigations ongoing to determine the full scope and attack vector. Financial losses were confined to customer assets, with no reported impact on GateHub’s operational infrastructure.

Sources: 1 source, available to members