
Cyber Incident Victim: Wintermute

Date: Sep 2022

Location: United Kingdom

Summary

A cryptocurrency market maker suffered a $160 million hack targeting its decentralized finance operations, though its centralized finance and over-the-counter services remained unaffected. The attacker exploited a vulnerability potentially linked to the insecure Profanity vanity address generator, which allowed brute-forcing private keys of specific Ethereum wallets. Despite the breach, the firm maintained solvency with equity reportedly double the stolen amount and offered to treat the incident as a white hat event, inviting the hacker to negotiate a bounty. On-chain analysis revealed the attacker’s wallet held millions in Ethereum and ERC-20 tokens, with portions moved to a liquidity pool complicating recovery efforts. The incident prompted operational disruptions as the company worked to restore services while assuring lenders they could recall loans.


Description

On September 20, 2022, cryptocurrency market maker Wintermute suffered a security breach resulting in the theft of approximately $160 million to $162.2 million from its decentralized finance (DeFi) operations. CEO Evgeny Gaevoy publicly confirmed the hack via Twitter, clarifying that the company’s centralized finance (CeFi) and over-the-counter (OTC) trading services remained unaffected. The stolen funds originated from a compromised Ethereum wallet linked to Wintermute’s DeFi activities, which the firm used to provide liquidity across more than 50 cryptocurrency exchanges and platforms, including Binance, Coinbase, and Kraken. Gaevoy asserted Wintermute’s solvency, stating the company retained equity worth "twice over" the stolen amount, while warning of potential service disruptions during recovery efforts. The CEO framed the incident as a potential "white hat" event—a benevolent security test—and publicly invited the attacker to negotiate a bounty in exchange for returning the funds without legal repercussions.


Blockchain investigator ZachXBT identified the attacker’s wallet, which initially held approximately $9 million in ether (ETH) and $38 million in ERC-20 tokens, with an additional $162.2 million reportedly moved to Curve Finance’s "3CRV" liquidity pool to obscure and complicate asset freezing. Security analysts proposed the exploit likely stemmed from a vulnerability in Profanity, an abandoned Ethereum vanity address generator known to have critical security flaws that allowed brute-force attacks on private keys for custom wallet addresses. Evidence indicated Wintermute’s compromised wallet was created using Profanity, aligning with prior warnings about the tool’s susceptibility to attacks requiring extensive GPU resources—a capability potentially accessible to cryptocurrency mining farms rendered idle after Ethereum’s recent transition to proof-of-stake. The Profanity developer had archived the project’s GitHub repository days before the hack following disclosures that attackers had already exploited the flaw to steal $3.3 million from other victims. Wintermute’s incident occurred amid a surge in DeFi breaches, including Nomad’s $200 million August hack and Curve Finance’s $570,000 theft, contributing to over $1.3 billion in estimated DeFi losses during the preceding year. This marked Wintermute’s second operational incident in 2022, following a $15 million Optimism (OP) token transfer error resolved when the recipient returned the funds.
