Cyber Incident Victim: Remitano Exchange
Date: Sep 2023
Location: Viet Nam
Summary
The Remitano cryptocurrency exchange suffered a security breach resulting in the theft of $2.7 million from its hot wallets. The attack was facilitated by compromised sensitive information from a third-party source. Tether froze $1.4 million of the stolen USDT. The exchange stated user funds were not affected and that normal operations would resume shortly.
Description
On September 14, 2023, the cryptocurrency exchange Remitano experienced a significant security breach involving unauthorized withdrawals from its hot wallets. The incident began at approximately 12:45 pm UTC when a known Remitano hot wallet initiated transactions to an address that had no prior transaction history. These suspicious activities were detected by the blockchain analytics platform Cyvers, which subsequently alerted the broader crypto community. According to Cyvers, the attack resulted in a total loss of $2.7 million across three different blockchains. The platform also reported that it contacted the Remitano team directly to help halt any additional losses and to initiate efforts aimed at recovering the suspected stolen funds. This prompt action by a third-party analytics firm was a critical early step in mitigating the impact of the attack.
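The detection pattern described above, a known hot wallet paying out to an address with no prior history on that chain, as an added monitoring example; this is not Cyvers' or Remitano's code, and every wallet label, amount and timestamp in it is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    chain: str          # network the transfer occurred on, e.g. "ethereum"
    sender: str
    receiver: str
    amount_usd: float
    ts: int             # unix seconds

# Constructed labels for the exchange's operational hot wallets (not real addresses).
HOT_WALLETS = {"hot-wallet-1", "hot-wallet-2"}


def detect_fresh_address_outflows(transfers, hot_wallets=HOT_WALLETS, min_usd=1_000.0):
    """Flag outflows from a hot wallet to an address with no prior history on that
    chain, and keep flagging follow-up transfers to an address already flagged.
    History is built from the transfers processed so far (in time order); a production
    monitor would seed it from full chain history. Returns (alerts, drained_per_chain)."""
    seen = defaultdict(set)            # chain -> addresses observed so far
    suspect = set()                    # (chain, address) pairs already flagged
    alerts, drained = [], defaultdict(float)
    for t in sorted(transfers, key=lambda x: x.ts):
        key = (t.chain, t.receiver)
        fresh = t.receiver not in seen[t.chain]
        if t.sender in hot_wallets and (key in suspect or (fresh and t.amount_usd >= min_usd)):
            alerts.append(t)
            drained[t.chain] += t.amount_usd
            suspect.add(key)
        seen[t.chain].update((t.sender, t.receiver))
    return alerts, dict(drained)


# Constructed sample: routine deposits and payouts to known customers, then a
# burst of large outflows to never-before-seen addresses on three chains.
SAMPLE = [
    Transfer("ethereum", "cust-a", "hot-wallet-1", 500.0, 1000),
    Transfer("ethereum", "hot-wallet-1", "cust-a", 200.0, 1100),          # payout to known user
    Transfer("tron", "cust-b", "hot-wallet-2", 900.0, 1200),
    Transfer("tron", "hot-wallet-2", "cust-b", 50.0, 1300),
    Transfer("ethereum", "hot-wallet-1", "new-addr-x", 120_000.0, 2000),  # fresh receiver
    Transfer("tron", "hot-wallet-2", "new-addr-y", 80_000.0, 2010),
    Transfer("bsc", "hot-wallet-1", "new-addr-z", 30_000.0, 2020),
    Transfer("ethereum", "hot-wallet-1", "new-addr-x", 45_000.0, 2030),   # follow-up to flagged address
]

if __name__ == "__main__":
    alerts, drained = detect_fresh_address_outflows(SAMPLE)
    for a in alerts:
        print(f"ALERT {a.chain}: {a.sender} -> {a.receiver} ${a.amount_usd:,.0f} (ts={a.ts})")
    print("drained per chain:", drained, "total:", sum(drained.values()))
```

Per-chain totals are what an analyst reports back to the exchange and to an issuer asked to freeze funds, so they are returned alongside the individual alerts.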

In response to the alerts and the ongoing situation, the stablecoin issuer Tether took decisive action by freezing the address that the attacker was using. This intervention prevented the movement of $1.4 million worth of Tether (USDT), effectively stopping a significant portion of the drained crypto assets from being cashed out or moved further. The freezing of these funds represented a major mitigating factor, potentially saving a substantial amount of customer assets from being permanently lost. The incident highlights the increasing role and capability of centralized entities within the decentralized finance ecosystem to respond to and contain security breaches after they have been detected.
Remitano officially acknowledged the attack in a blog post published on September 15, 2023. The exchange provided an explanation for the cause of the breach, stating that its Security Management team had discovered a data breach originating from a third-party source. This external breach had compromised some of Remitano's sensitive information. The company's statement indicated that the attackers used this compromised information to carry out unauthorized withdrawal transactions, which transferred a small amount of funds from the exchange's operational hot wallets to suspicious wallet addresses controlled by the attacker. The framing of the incident as stemming from a third-party source suggests the attack vector may have involved compromised credentials or API keys rather than a direct exploit of Remitano's core infrastructure.
A key point in Remitano's official communication was its assurance that user funds had not been and would not be affected by the incident. The exchange committed to making deposits and withdrawals fully operational again within a 48-hour timeframe from the acknowledgment. It provided a specific update on the status of various cryptocurrencies, noting that Bitcoin, Bitcoin Cash, and Litecoin deposits and withdrawals remained operational throughout the incident, while other networks were temporarily made unavailable, presumably as a security precaution to prevent further unauthorized transactions while the investigation and remediation efforts were underway. This approach of selectively disabling certain network functions is a common containment strategy following a security incident.
Remitano operates as a peer-to-peer cryptocurrency exchange and payment processor with a focus on serving emerging markets. Its user base is spread across numerous countries, including Pakistan, Ghana, Venezuela, Cambodia, Kenya, Malaysia, India, South Africa, Vietnam, and Nigeria. The geographic distribution of its services means the incident had a potentially wide-reaching impact on users in regions where access to traditional financial services may be limited and where cryptocurrency platforms play a significant role in the local economy. The breach of such a platform underscores the vulnerabilities present in financial technology services that cater to these important and growing markets.
The theft from Remitano occurred within a broader context of a series of attacks targeting cryptocurrency exchanges throughout 2023. Just days prior to this incident, other exchanges had suffered similar fates. On September 4, 2023, the online gambling site Stake was allegedly hacked for $41 million, and on September 12, 2023, the exchange Coinex was drained of $27 million. United States authorities have publicly claimed that these attacks were orchestrated by the Lazarus Group, a sophisticated cybercrime organization believed to have ties to the North Korean government. While the provided articles do not explicitly attribute the Remitano hack to the Lazarus Group, the temporal proximity and similar nature of the attacks suggest the possibility of a connected campaign, highlighting a persistent and high-level threat to the cryptocurrency industry from state-sponsored or state-affiliated actors.
The incident demonstrates that cryptocurrency exchanges remain lucrative targets for cybercriminals. The method of attack, the unauthorized transfer of funds from hot wallets, points to the critical importance of securing private keys and sensitive access information. The fact that the breach was initially detected through anomalous transaction patterns by an automated monitoring system illustrates the value of real-time blockchain analytics and machine learning in identifying malicious activity quickly. The subsequent collaboration between the analytics firm, the exchange, and a stablecoin issuer to freeze assets shows an evolving ecosystem response to security threats, where different entities can work in concert to limit financial damage.
In summary, the September 2023 incident at Remitano was a targeted attack that resulted in the loss of $2.7 million in cryptocurrency from the exchange's hot wallets. The attack was facilitated by a compromise of sensitive information from a third-party source, leading to unauthorized withdrawals. The rapid response from Cyvers in detecting the anomaly and alerting the community, combined with Tether's action to freeze $1.4 million of the stolen funds, was a significant mitigating factor that limited the overall financial damage. Remitano responded by acknowledging the breach, assuring users their funds were safe, and working to restore full service functionality within two days. This event occurred amidst a wave of similar exchange hacks during that period, attributed by US authorities to a known cybercrime syndicate, emphasizing the ongoing security challenges faced by the global cryptocurrency industry.
