When attacked, some crypto projects and exchanges buckle and fold under pressure; KuCoin set the standard in 2020 for how to react to crypto hacks, even on the largest scale.
KuCoin is a Singapore-based crypto exchange that consistently ranks among the top 5 exchanges in terms of daily volume serving the crypto markets in Asia. As of November 2022, they offer over 900 trading pairs of 700+ different cryptocurrencies, putting them firmly in the top 10 among both centralized and decentralized exchanges in terms of the sheer number of coins offered.
On September 25, 2020, KuCoin suffered one of the biggest incidents of theft in human history, let alone in the short lifespan of the cryptocurrency asset class. The loot comprised more than 150 different cryptocurrencies, valued at roughly $285M at the time according to KuCoin’s CEO.
You can imagine it’s difficult to calculate the precise value of the stolen digital assets because of the volatility of their varying prices, but it’s not impossible. In fact, blockchains record all the information required to calculate the exact value of the assets at the time of the hack; they also record all the information required to trace the digital assets to their final destination, and often to the real-world identities of cybercriminals and crypto thieves.
KuCoin showed the world how it’s done under pressure, with a lot of help from various crypto investigators, fellow exchanges, token issuers, and law enforcement agencies.
But we’ll get to that soon.
The 2020 KuCoin Hack Timeline
September 25, 2020:
At 23:41 UTC, KuCoin releases a statement that confirms there has been a security breach and a loss of various cryptocurrency assets.
“According to the latest internal security audit report, part of Bitcoin, ERC-20 and other tokens in KuCoin’s hot wallets were transferred out of the exchange,” the statement read.
We would later learn that their private keys had been leaked. Without multisig security enabled, attackers were able to drain the wallets without facing any resistance.
The first suspicious transaction occurred at 19:05 UTC for 8,709 ETH, and we now know that the assets involved in the KuCoin hack were Bitcoin (BTC), Ethereum (ETH), Bitcoin SV (BSV), Litecoin (LTC), XRP (XRP), Stellar Lumens (XLM), Tron (TRX), the stablecoin Tether (USDT), and 147 other Ethereum-based (ERC-20) tokens.
KuCoin offered more than 200 cryptocurrencies on their platform at the time.
September 26, 2020:
KuCoin Global CEO Johnny Lyu hosts a livestream with a Q&A from the community. A recap of the livestream was posted to the KuCoin Medium page later that day.
Several updates are given, including a full timeline of the attack and a list of relevant transactions, as well as the statement that “the funds affected contain a small part of [KuCoin’s] total assets holdings.”
We also get a reassurance from the CEO that the KuCoin insurance fund was enough to cover all user losses, regardless of whether or not KuCoin can recover the stolen funds, adding “starting from early 2018, we have established the insurance fund to deal with unexpected security issues such as this.”
Finally, during the livestream it was stated that KuCoin was in contact with crypto exchanges Huobi, Binance, OKEx, BitMax and Bybit, as well as various blockchain projects, security agencies, and law enforcement.
In the following days, KuCoin continues to provide updates to the community as they work with law enforcement and security teams behind the scenes.
October 03, 2020:
KuCoin CEO Johnny Lyu announces KuCoin and their industry partners have tracked and frozen over $200M worth of the stolen assets.
He reaffirms in another tweet that KuCoin is coming back to full functionality, which it did that day.
Conclusion to the 2020 KuCoin Hack
In a February 03, 2021 open letter from the KuCoin CEO, the final estimate of the stolen asset value on the day of the hack is given as $285M. We also get a breakdown of the recovered digital assets and how much was covered by the insurance fund.
$222M (78%) was recovered through cooperation with exchange and project partners, which involved freezing the funds being sent to exchanges for withdrawal, as well as freezing various blockchain assets, such as USDT.
$17.45M (6%) was recovered by law enforcement and security institutions using blockchain forensics and global investigations to track the movement of the stolen funds and uncover their ultimate destination.
The remaining 16% ($45.55M) was covered by KuCoin and their insurance fund.
KuCoin recovered funds. Image: KuCoin
KuCoin ensured that not a single user suffered permanent losses from the 2020 security incident, and they still operate today as one of the top exchanges serving the crypto markets in Asia.
For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.
He held multiple interim CISO and technology leadership roles in Global 2000 companies.