Crypto researcher ZachXBT has reported an alleged exploit involving Australian crypto platform CoinSpot, claiming that over $2 million worth of Ether has been affected. According to a Telegram post by ZachXBT, attackers reportedly drained funds from CoinSpot’s hot wallet through two separate transactions. Etherscan data shows one transaction moving 1,262 ETH and the other draining 20.99 ETH, both sent to the same addresses. The transferred funds were then exchanged for wrapped BTC (WBTC), Tether (USDT), and USD Coin (USDC) using platforms such as Uniswap and THORChain. The funds were further bridged to Bitcoin via Thorswap and Wan Bridge, according to the post.
In December 2021, CoinSpot users were targeted by a phishing campaign. The attack utilized a new theme centered around withdrawal confirmations, aiming to steal two-factor authentication (2FA) codes. The threat actors sent emails from a Yahoo address, mimicking legitimate emails from CoinSpot. Recipients were asked to confirm or cancel a withdrawal transaction.
CoinSpot, headquartered in Melbourne, generated over half a billion dollars in profits for its founder and CEO, Russell Wilson. In July, the crypto exchange distributed $538 million in dividends over the preceding two years.
CertiK Says Private Key Compromise Caused Hack
Global blockchain security firm CertiK has confirmed that the hack on CoinSpot likely occurred due to a “private key compromise” in at least one of CoinSpot’s hot wallets. The attacker’s address that received the stolen ETH swiftly swapped the funds for Bitcoin (BTC) using THORChain. Subsequently, the Bitcoin was distributed to four different wallets. Private key compromises leading to fund theft are not uncommon in the web3 ecosystem, as demonstrated by previous incidents such as the $70 million theft at Hong Kong-based cryptocurrency exchange CoinEx in September.