As much as $16 million worth of Ethereum (ETH) and ERC20 tokens were stolen in the recent hack of New Zealand exchange Cryptopia, according to an analysis from blockchain infrastructure firm Elementus.
Elementus’ research and analysis were published under a week after Cryptopia first publicly announced its detection of the breach. As reported, the exchange had firstly informed the public that the platform was undergoing unscheduled maintenance, before avowing that a hack incurring “significant,” but unspecified, losses had happened.
According to Elementus, data on the Ethereum public blockchain indicates that the funds started to be siphoned from Cryptopia’s two core wallets – one holding ETH, while the other holding tokens – on the morning of January 13.
During that same afternoon, once both core wallets had been emptied, funds reportedly started to be transferred out of Cryptopia’s 76,000+ secondary wallets, a process that would continue until the early hours of January 17.
At the same time, Cryptopia had informed the public about the incident and alerted law enforcement by January 15.
Elementus indicates that just under $3.6 million in ETH was stolen, with approximately $2.4 million in Dentacoin and nearly $2 million in Oyster Pearl, as well as approximately $3 million in unspecified other tokens.
According to the investigations performed by Elementus, the hackers have thus far cashed out around $880,000 of the stolen crypto via exchanges, which reportedly include major platforms such as Binance, Huobi, and HitBTC.
The remaining $15 million reportedly remains in two wallets identified as being under the control of the perpetrators.
Elementus considers the incident to be unusual in that in deviates from the two common profiles of exchange hacks: these being either the exploitation of vulnerabilities in a wallet’s smart contract code, or unauthorized access to private key credentials, which usually involves the breach of a single wallet.
In Crytopia’s case, the thieves gained access to as many as or more than 76,000 wallets, and moreover apparently displayed a lack of urgency in siphoning the funds over time.
Elementus moreover suggests that Cryptopia’s inaction – for several days after the incident was detected—may imply the exchange had lost access to its own wallets.
Until now the estimations of the lost funds ranged between $3 million to $13 million. Up to 40 Cryptopia users are reported to have sought legal representation in the incident’s aftermath.
Binance’s CEO reported that the exchange had frozen tokens sent to its wallet by the entity who allegedly hacked Cryptopia.