An Analysis of How Attackers Stole 337 BTC From Cashaa’s Bitcoin Wallets

CertiK | Jul 16, 2020


As with any crypto wallet, security is vital to keeping users’ assets safe. Cashaa, a London-based crypto exchange and banking platform, offered users a “risk-free” payment gateway, one that should reasonably guarantee asset security.

However, in just half a day, attackers stole a total of 337 BTC (~$3.1M at the time of writing) stored in Cashaa-owned wallets.

At 12:10AM UTC on July 11th, 2020 (8:10PM EDT on July 10th, 2020), the CertiK Skynet system detected abnormal transactions related to Cashaa’s Bitcoin wallets at blocks 638606 and 638692. CertiK’s security researchers quickly began their investigation to study the attack in detail.

Screenshot of CertiK's Skynet detecting an abnormality in Cashaa's wallets

The first attack on Cashaa’s wallets actually occurred at 10:57AM UTC on July 10th, 2020 (6:57AM EDT on July 10th, 2020). One of Cashaa's Bitcoin wallets, at address 1Jt9mebBwqCk8ijrVDoT5aySu2q9zpeKde, had 1.059770800 BTC (about $9800 USD) transferred to the attacker's address at 14RYUUaMW1shoxCav4znEh64xnTtL3a2Ek. According to Cashaa’s report, the attacker obtained the victim’s Bitcoin wallet information from Blockchain.info by gaining access to the victim's computer.

The second attack occurred at 12:10PM UTC on July 11th, 2020 (8:10PM EDT on July 11th, 2020), across eight separate Bitcoin wallets owned by Cashaa. A total of 335.91312085 BTC (~$3.1M USD) was transferred to the same recipient address, with the wallet information stolen in the same manner as in the first attack.

The eight affected wallet addresses owned by Cashaa are listed below:

  • 14TBB9Th7qCFAbatr1owmo9WqvB3ZLM5Aq
  • 1ESvwYDmdAvhHpJs8M3tRbPqXghJDNu7oV
  • 1LNp8hKZTvP8Ru8SAi4xPkJ8L2TwaNsDEu
  • 1Et9GAsZq8P3u7tL5F5qbLi6Re1HCZAgNn
  • 1KY5sNjDA7QMXf844wKZ3wcQUxoZeEcRF9
  • 1D6cTYKf5f9HtUjsVBGczyoPN5jgZktkMa
  • 1Ln2A65sjxLTuvPE3M1zQ1oybrXQXnJaDL
  • 1KJPr37UHmBAfRL1znGLXekTrNHoEABqfH

Vulnerability details of the victim’s computer, and the role the vulnerability played during the attacks, have not been disclosed. Our security researchers believe there are two likely explanations: an internal operating error, or a malicious backdoor program that compromised the victim's computer.


After analyzing these attacks, it’s clear that there should be extra precautions taken to ensure that programs follow security best practices. Below are some considerations for businesses to keep in mind:

  1. Cryptocurrency attacks can be highly complex and comprehensive; attackers create unique attack vectors by considering the many technical layers in application security, including computer hardware, blockchain software, wallet and other blockchain service software, smart contracts, etc.
  2. Before carrying out large-scale attacks, attackers often do a small-scale test run with small amounts of crypto so that they go undetected prior to the full-scale attack. Therefore, it’s necessary to pay attention to and learn from other attacks that happen so that proper measures can be taken to prevent a similar attack from happening to your assets.
  3. To strengthen protections on your crypto assets, it’s best and safest to use physical, encrypted, offline cold storage whenever possible.
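The second point above, that a small probe transfer often precedes the full drain, is something a wallet operator can watch for directly. The following is an added example (not CertiK's Skynet code or anything Cashaa runs) of a watchlist monitor over a constructed transaction feed. The Cashaa wallet addresses, the recipient address, the block heights 638606 and 638692, the probe amount and the 335.91312085 BTC total are taken from this article; the per-wallet split of the drain, the cold-storage address in the allowlist, the unrelated address and the alert thresholds are all invented for the example.

```python
"""Watchlist monitor for the probe-then-drain pattern (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Cashaa wallet addresses as reported in the article (the probe victim plus the eight drained wallets).
WATCHED = frozenset({
    "1Jt9mebBwqCk8ijrVDoT5aySu2q9zpeKde",
    "14TBB9Th7qCFAbatr1owmo9WqvB3ZLM5Aq",
    "1ESvwYDmdAvhHpJs8M3tRbPqXghJDNu7oV",
    "1LNp8hKZTvP8Ru8SAi4xPkJ8L2TwaNsDEu",
    "1Et9GAsZq8P3u7tL5F5qbLi6Re1HCZAgNn",
    "1KY5sNjDA7QMXf844wKZ3wcQUxoZeEcRF9",
    "1D6cTYKf5f9HtUjsVBGczyoPN5jgZktkMa",
    "1Ln2A65sjxLTuvPE3M1zQ1oybrXQXnJaDL",
    "1KJPr37UHmBAfRL1znGLXekTrNHoEABqfH",
})
# Recipient address reported in the article.
RECIPIENT = "14RYUUaMW1shoxCav4znEh64xnTtL3a2Ek"
# Hypothetical cold-storage address the operator legitimately sweeps funds to (placeholder, not a real address).
ALLOWLIST = frozenset({"1ColdStorageExamplePlaceholderXXXXX"})


@dataclass(frozen=True)
class Tx:
    block: int
    src: str
    dst: str
    amount_btc: float


# Constructed transaction feed. Block heights, the probe amount and the drain total follow the
# article; the split of the 335.91312085 BTC across the eight wallets is invented.
DRAINED = sorted(WATCHED - {"1Jt9mebBwqCk8ijrVDoT5aySu2q9zpeKde"})
SAMPLE_TXS = [
    Tx(638600, "14TBB9Th7qCFAbatr1owmo9WqvB3ZLM5Aq", "1ColdStorageExamplePlaceholderXXXXX", 0.5),  # routine sweep
    Tx(638606, "1Jt9mebBwqCk8ijrVDoT5aySu2q9zpeKde", RECIPIENT, 1.0597708),  # small probe transfer
    Tx(638650, "1UnrelatedUserAddressXXXXXXXXXXXXXX", RECIPIENT, 3.0),  # source is not a watched wallet
] + [Tx(638692, src, RECIPIENT, amt) for src, amt in zip(DRAINED, [40.0] * 7 + [55.91312085])]


def find_outflows(txs, watched=WATCHED, allowlist=ALLOWLIST):
    """Every transfer leaving a watched wallet for an address the operator does not control.

    On its own this is the baseline alert: any outflow to an unknown recipient is worth a look."""
    return sorted(
        (t for t in txs if t.src in watched and t.dst not in watched and t.dst not in allowlist),
        key=lambda t: t.block,
    )


def detect_probe_then_drain(txs, probe_max_btc=2.0, drain_min_btc=50.0, max_block_gap=288):
    """Flag recipients that first received a small 'test' amount from a watched wallet and then,
    within max_block_gap blocks (288 blocks is roughly two days at ten minutes per block),
    received a large total from one or more watched wallets. Thresholds are illustrative."""
    by_dst = defaultdict(list)
    for t in find_outflows(txs):
        by_dst[t.dst].append(t)

    alerts = []
    for dst, flows in by_dst.items():
        probe = next((t for t in flows if t.amount_btc <= probe_max_btc), None)
        if probe is None:
            continue
        drain = [t for t in flows if probe.block < t.block <= probe.block + max_block_gap]
        total = sum(t.amount_btc for t in drain)
        if total >= drain_min_btc:
            alerts.append({
                "recipient": dst,
                "probe_block": probe.block,
                "probe_btc": probe.amount_btc,
                "drain_blocks": sorted({t.block for t in drain}),
                "drained_btc": total,
                "wallets_hit": len({t.src for t in drain}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_probe_then_drain(SAMPLE_TXS):
        print(alert)
```

The first function is the cheap, always-on check: a watched wallet sending to an address that is neither another operator wallet nor an allowlisted cold-storage address. The second correlates those outflows by recipient, so that the 1 BTC probe at block 638606 is still informative when the eight-wallet drain to the same address arrives 86 blocks later. In practice the probe alone should already page someone; the correlation mainly helps with triage and with tuning thresholds on historical data.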

The complex interactions between the trading environment, operating system, browser, and network environment expose transactions to significant security risk. For example, most wallets built on top of mobile platforms in China, such as WeChat, can be attacked with relative ease: by exporting the wallet firmware, one can see cached information for multiple currencies as well as the various libraries that generate mnemonic words (the seed/recovery phrases used to create or restore wallets).

Development teams may not realize the importance of security in their wallet products; once wallets are compromised and users’ crypto is stolen, it’s difficult to recover. That’s why we recommend thorough security audits by an external party; they can help review your code to confirm there are no loopholes and to identify potential attack vectors.
