KyberSwap says $54.7 million of user cryptocurrency stolen during attack

The cryptocurrency platform KyberSwap said on Friday that around $54 million worth of cryptocurrency was stolen during a cyberattack announced earlier in the week.

In an update on Friday, the company confirmed that the hack occurred on Wednesday evening when someone used “a series of complex actions to conduct exploitative swaps, enabling the withdrawal of users’ funds into the attackers’ wallets.”

In total, around $54.7 million of users’ funds were exploited by the attackers, they said.

“We've overcome many challenges since our 2017 inception, but by far these last 2 days have been the most difficult,” they said.

“In response, we paused deposits, launched an investigation, contacted relevant parties & initiated negotiations with the attackers in an effort to help users recover as much as possible, including offering a 10% bounty as an incentive for returning the users’ exploited funds.”

The company is now trying to recover the funds but argued that the incident “stands out as one of the most sophisticated in the history of DeFi,” noting that the attacker had to “execute a precise sequence of on-chain actions in order to exploit the vulnerability.”

On Wednesday evening, the company advised users to “promptly withdraw their funds” as they investigated the situation.

Urgent

Dear KyberSwap Elastic Users,
We regret to inform you that KyberSwap Elastic has experienced a security incident.

As a precautionary measure, we strongly advise all users to promptly withdraw their funds. Our team is diligently investigating the situation, and we…

— Kyber Network (@KyberNetwork) November 22, 2023

The hacker behind the incident posted a message on the blockchain, writing that “negotiations will start in a few hours when I am fully rested.”

In response to that message, a representative of KyberSwap said on Friday morning that the hacker conducted “one of the most sophisticated hacks” that “everyone missed.”

“On the table is a bounty equivalent to 10% of users' funds taken from them by your hack, for the safe return of all of the users' funds. But we both know how this works, so lets cut to the chase so you and these users can all get on with life,” the company said.

They provided a contact email for the hacker to reach out.

Several blockchain security companies and researchers backed up the company’s assessment that the hack was sophisticated.

Blockchain research firm Chainalysis found that 2022 was a banner year for hackers targeting cryptocurrency firms, with about $3.8 billion in total stolen from companies in the industry, up from $3.3 billion in 2021.