$28 million stolen from cryptocurrency platform Deribit

Cryptocurrency derivatives platform Deribit on Tuesday said a hacker stole $28 million from the company, forcing it to halt withdrawals as it investigates the incident.

Deribit is a cryptocurrency futures and options exchange based in Panama City that allows customers to trade perpetual, futures, and options contracts.

The company said the losses will be paid through its reserves and noted that 99% of user funds are held in “cold storage” to protect against this kind of attack. Hot wallets for cryptocurrency are ones connected to the internet through a phone or computer while cold wallets are assets held in hardware devices offline. 

Deribit hot wallet compromised, but client funds are safe and loss is covered by company reserves

Our hot wallet was hacked for USD 28m earlier this evening just before midnight UTC on 1 November 2022.

— Deribit (@DeribitExchange) November 2, 2022

“The hack is isolated & quarantined to our BTC, ETH and USDC hot wallets,” the company said. “Deribit remains in a financially sound position and ongoing operations will not be impacted.”

The company did not respond to requests for comment about how the hack occurred and whether they are in communication with the hacker. On Twitter, Deribit shared a link to the location of the stolen funds. 

Blockchain security company PeckShield explained that the hack involved the theft of about 9,080 ETH – worth about $14.2 million – and about 691 BTC worth another $14.1 million. 

A Deribit spokesperson said it is planning to reopen withdrawals at some point on Wednesday. But when this happens, all Deribit deposit addresses for BTC, ETH and USDC will have to be re-generated.

"In the front end you will see your previous address(es) have been removed. As of the moment of re-opening wallets, we will not support deposits on old deposit addresses anymore," the spokesperson said. "All users need to create a new deposit address. Withdrawals via third-party custodians Copper Clearloop and Cobo have just been re-enabled."

Bill Callahan, a retired U.S. DEA special agent in charge who now works for the Blockchain Intelligence Group, told The Record that the stolen funds have all been moved to new addresses.

The situation highlighted the problem with hot wallets, he said, because they aren’t typically as well protected as cold wallets.

"Cold wallets should ideally hold the majority of a company’s and user’s funds and reserves, as they are highly secure as compared to hot wallets that are more vulnerable to phishing attacks and hacking,” he said.

According to Peckshield, October was a particularly difficult month for crypto platforms, with 53 protocols dealing with about $760.2 million in losses. 

An estimated $3 billion has been siphoned from cryptocurrency firms in 2022 so far, and losses have ‘doubled’ compared to last year. 

#PeckShieldAlert ~44 exploits (53 protocols affected) grabbed ~$760.2M in Oct. 2022, and ~$100M already returned the exploited protocols (Total loss: $657.2M)
As of October 2022, the stolen funds (~$3B) in 2022 “doubled” last year’s loss pic.twitter.com/mKZAjVk7UU

— PeckShieldAlert (@PeckShieldAlert) October 31, 2022

“As we continue to see the ecosystem scale in value and complexity we will need technical and operational solutions that scale with it. October was proof of this with around $718 million lost in the first week alone, making it one of the biggest months for crypto hacking,” said Alex Zinder, global head of blockchain security company Ledger Enterprise. 

“Educating the market at scale on security best practices is imperative, but collective support from the ecosystem is also needed to help raise the bar as hackers will continue to become more sophisticated and safety leads to mass adoption.”