Crypto firm Kronos Research says $26 million stolen after cyberattack

Cryptocurrency trading and investment firm Kronos Research said $26 million worth of cryptocurrency was stolen from its systems following a cyberattack.

The company said on Saturday that it experienced “unauthorized access” to some of its application programming interface (API) keys, forcing it to pause trading and begin an investigation.

By Sunday, the company confirmed that the losses reached $26 million but said anyone who lost funds would be compensated.

“Despite it being a sizable amount, Kronos remains in good standing. All losses will be covered internally, no partners will be affected,” they explained.

1/ Since 1:20 am (GMT+8), our team has been working round the clock to minimize the impact and resume trading operations, following a hacking incident that involved unauthorized access to our API Keys. https://t.co/t2cP9s69sZ

— Kronos Research (@ResearchKronos) November 19, 2023

“We are deeply grateful for the proactive assistance of all the exchanges we trade on, and our partners, who have been supportive in helping us manage this situation. We’re prioritizing our resources to resume servicing the exchanges and token projects we provide liquidity for. This is the first time since 2018 we've halted trading, and we are confident we will bounce back stronger than ever.”

Blockchain researchers said 12,800 ETH was stolen from Kronos and distributed to six different wallets.

Cybersecurity experts at CertiK said APIs facilitate the connection between two disconnected softwares, and many centralized exchanges “have API keys that allow traders to access market data in real time and execute trades from third party services.”

“For example, an organization could develop a trading app and utilize a Binance API key to conduct trades through the platform. Usually, centralized exchanges disable the withdrawal permissions by default,” they said.

“However hackers are still able to abuse permissions through a number of techniques. For example, a cybercriminal could inflate the price of a worthless token and force the victim’s account into purchasing the inflated asset. The attacker is then able to withdraw valuable assets whilst the victim is left with a worthless token.”

They noted that the theft of private keys has driven a significant amount of cryptocurrency losses this year.

More than half of the crypto theft in 2023 has involved private key compromises, they added.

Jason Kent, hacker in residence at cybersecurity firm Cequence Security and expert in API attacks, told Recorded Future News that allowing the attacker to have six accounts on a financial platform “is the most obvious example of not defending against modern attacks.”

“At a crypto company, you’d think the concept of a modern API Attack would be well understood,” he said, adding that security often takes a backseat to operational simplicity.