- The breach occurred owing to a potential private key compromise
- One transaction involved a total of 1,262 Ether (ETH), which is currently valued at $2.4 million.
Australian cryptocurrency exchange CoinSpot has reportedly fallen victim to a major security breach, resulting in the loss of approximately $2.4 million in digital assets.
The breach is believed to have stemmed from a probable private key compromise impacting at least one of CoinSpot’s hot wallets.
Blockchain sleuth ZachXBT brought the incident to light, sharing insights about the breach in his Telegram channel. He highlighted two transactions involving CoinSpot’s wallet, with the subsequent movement of funds to the Bitcoin network via ThorChain and Wan Bridge.
According to data obtained from Etherscan, one transaction involved a total of 1,262 Ether (ETH), which at current market prices is valued at $2.4 million. The transfer originated from a known CoinSpot wallet and was directed to the wallet controlled by the alleged hackers.
The owner of the receiving wallet initiated a series of transactions, including the exchange of 450 ETH for 24 Wrapped Bitcoin (WBTC) through Uniswap. Within the span of 10 minutes, this address exchanged 831 ETH for Bitcoin via Thorchain, subsequently dispersing the Bitcoin to four different wallet addresses.
Further investigation, led by blockchain security firm CertiK, uncovered that the owner of the four Bitcoin wallets embarked on a complex process of distributing the potentially ill-gained BTC to multiple new wallets. The funds were divided into smaller portions and sent to additional new wallets with each transfer.
CoinSpot, founded in 2014, has experienced security-related incidents in the past. In late 2021, the exchange was the target of a phishing campaign in which threat actors sent deceptive emails from a Yahoo address, masquerading as legitimate communication from CoinSpot.
These emails urged recipients to confirm or cancel withdrawal transactions, potentially putting their digital assets at risk.