Japanese crypto-exchange Liquid hacked for $94 million

Tokyo-based cryptocurrency exchange Liquid said that hackers breached its servers and stole crypto-assets estimated to be worth at least $94 million at today's exchange rates.

"We are currently investigating and will provide regular updates. In the meantime deposits and withdrawals will be suspended," the company said in a tweet earlier today.

Liquid said the incident took place after hackers took control over its "warm" wallets, which are cryptocurrency accounts where exchange platforms keep funds for daily transactions. The intrusion was traced back to Quoine, Liquid's Singapore subsidiary, the company said on its Japanese blog.

As a response to the security breach, Liquid said it's moving the rest of its funds into cold wallets (offline accounts) as the company moves to kick the hackers off its internal network.

In the meantime, the company has published a series of four tweets[1, 2, 3, 4] containing cryptocurrency addresses where the hackers had exfiltrated its funds.

Stolen funds estimated at just over $94 million

Blockchain analysis firm Elliptic said these accounts contained just over $94 million in crypto-assets, a sum estimated at exchange rates just before the prices of various currencies started to drop as news of the hack started to spread.

"This includes $45 million in Ethereum tokens, which are currently being converted into Ether using decentralised exchanges (DEXs) such as Uniswap and SushiSwap," the company added. "This enables the hacker to avoid having these assets frozen - as is possible with many Ethereum tokens."

Before the hack, Liquid was ranked #19 on the CoinMarketCap cryptocurrency exchange list.

Liquid was also hacked in November 2020

Today's breach is Liquid's second major security incident. In November 2020, a threat actor social-engineered Liquid's DNS provider and gained control over the exchange's DNS infrastructure.

The hacker used this access to phish Liquid employees for their work credentials and pivoted to the company's internal network. While the intruder managed to collect personal data for some Liquid customers, no funds were stolen in the 2020 incident.

News of today's breach also comes a week after a hacker breached and stole more than $611 million worth of cryptocurrency assets from Poly Network. The hacker eventually returned the funds after the cryptocurrency exchange begged for the funds back on Twitter and also agreed to pay a $500,000 bounty reward for disclosing the vulnerability used in the attack.