In what seems to be one of the first major security breaches of 2019, New Zealand-based digital assets exchange Cryptopia was allegedly hacked this week. The platform reported the incident via Twitter on Jan. 15, mentioning “significant losses.” While the incident has been confirmed by the local police, many crucial details — including the amount and titles of stolen tokens — remain undisclosed.

Brief introduction to Cryptopia, an essential exchange for altcoins

Cryptopia Limited, the company behind the self-titled exchange, was registered in July 2014, and the platform itself was launched later the same year. It is run by founders Rob Dawson and Adam Clark, who initially started it as a hobby born out of negative experiences with other crypto exchanges. Around January 2017, they allegedly quit their full-time jobs to focus solely on Cryptopia. The firm’s office is located in Christchurch, Canterbury, and there are around 50-100 people employed there.

According to the New Zealand Government Companies Register, Cryptopia has a total of 90 shareholders. The majority of shares are controlled by Dawson and Clark, who hold 30.57 percent and 27.46 percent respectively. A substantial portion of the stock — 25.52 percent — is also held by a local software development and consultancy services called Intranel, while the rest of shares seem to be controlled by the co-founders’ relatives and private investors.

As per Cryptopia’s LinkedIn profile, the company has “the world’s largest range of cryptocurrencies.” Indeed, the exchange has more than 830 cryptocurrencies listed, according to CoinMarketCap, which makes it one of the chief platforms for altcoin trading.

The data obtained from Coingecko suggests that Cryptopia’s peak trading volume this year occurred on Jan. 11, when it reached around $1,875,000. The crypto exchange reportedly has around 1.4 million registered users and is the largest crypto exchange in the country. In May 2017, Cryptopia launched NZed (NZDT), allegedly the first stablecoin tethered to the New Zealand dollar.

The incident was originally reported as “unscheduled maintenance”; the police are on the case

The episode can be traced back to Jan. 14, when Cryptopia published a series of short tweets regarding “unscheduled maintenance.” Interestingly, the platform issued somewhat similar updates in June 2018, causing concern among users, who later reported withdrawal difficulties.

Nevertheless, next day, on Jan. 15, Cryptopia officially announced that it was hacked the day before. According to the note shared by the platform, after finding out about the security breach, the exchange’s staff freezed all operations to assess damages.

The exchange has also reportedly notified government agencies and authorities, including the New Zealand Police and High Tech Crimes Unit, who have opened an investigation into the matter and are reportedly treating the incident as a major crime. On Jan. 16, the police confirmed that they are investigating the case.

“The inquiry is still in its very early stages and police are continuing to work with Cryptopia to establish what has happened and how.”

According to local media outlet Stuff, on Jan. 16, the police locked down Cryptopia’s office in Christchurch while some of the staff remained inside. The authorities later reported that the exchange’s staff are fully cooperating with the investigation team, but noted that media reports claiming that police “stormed” the building are “entirely incorrect.”

Further, the authorities are reportedly establishing a dedicated investigation team, including “specialist police staff with expertise in this area." The Financial Markets Authority (FMA) has also been called in, according to Stuff.

The FMA spokesman cited in the article said the watchdog did not regulate Cryptopia or the cryptocurrencies listed there, “but those providing a financial service related to cryptocurrencies needed to register on the Financial Services Providers Register — which enabled customers to access an independent dispute resolution service.” According to the regulator’s website, New Zealand firms who provide a financial service related to cryptocurrencies need to comply with the “fair dealing” requirements in the Financial Markets Conduct Act 2013.

The stolen amount remains undisclosed; social media estimates $3 million to $13 million being taken

While Cryptopia’s website is still under maintenance as of press time, the exchange has not revealed which tokens have been stolen and to what extent, limiting its comment to state that the losses are “significant.” The company has since stated that they will not be providing a comment due to the ongoing police investigation.

However, the police are also yet to confirm the exact amount of stolen money. As per their press release issued on Jan.16:

“Police are not yet in a position to say how much cryptocurrency is involved, other than it is a significant amount. A large team, including Canterbury CIB and specialist staff from the police High Tech Crime Unit, have been assigned to the case.”

With both Cryptopia and the authorities being unable to reveal concrete details of the alleged hack, the community has taken the matter into its own hands. Social media users have pinpointed one of the hacker’s alleged wallet addresses, highlighting large transaction numbers, as well as the timing of transfers, which reportedly occurred after the site went into maintenance mode.

If true, the criminals have stolen an abundance of ERC-20 tokens, including Dentacoin, Metal, Ormeus Coin, PowerLedger, Revain, Zap Token, TrueUSD, Centrality, InvestFeed, PILLAR, Golem, Jetcoin, Fabric Token, DALECOIN, Soniq, VOISE, SpankChain, Mothership and Oyster Pearl, among others.

“At this stage I'd probably believe reports of $11 [million] + USD equivalent hack,” Reddit user u/spronky writes, “I wouldn't be surprised if all the ERC-20 tokens in Cryptopia's hot wallets were thieved [sic].”

According to another Reddit investigation, a total of $13,000 worth of cryptocurrencies could have been stolen from Cryptopia. User u/toldjahP has collected numerous wallet addresses affiliated with the alleged hackers and combined the transfers, which equalled the above mentioned figure. Similar addresses have been marked by Twitter community members as well. While some of those wallets appear to be empty as of press time, one of them holds as much as $3.6 million.

Community is not rushing to call it a “hack”

News of the incident has been met with concern and some scepticism in the crypto community, whose members have suggested that the incident could have been an “inside job” or “exit scam.” For instance, industry Twitter personality WhalePanda notably placed the word “hack” in quotation marks, while commenting on the matter:

“Interesting that this happens in a bear season where small exchanges are struggling to make ends meet and are aggressively messaging anyone involved with crypto projects to get them to pay listing fees to get listed on their platforms.”

In response to WhalePanda’s tweet, a couple of commentators have gone so far as to investigate Cryptopia’s recent transactions, claiming the exchange had moved Ethereum (ETH) worth several millions of dollars out of its wallet on Jan. 13, citing data from crypto exchange blockchain monitor Whale Alert. That correlates with Cryptopia’s previous announcement regarding the Ethereum’s (ETH) Constantinople hard fork, when the exchange warned its users that it was placing ETH and all ERC-20 tokens into maintenance between Jan. 14 and Jan. 18. The exchange then advised its users to move their ETH to “a wallet where they have a control of the private keys.”

Some of funds have been frozen, Cryptopia users are preparing a lawsuit

It seems that at least some of the stolen tokens have been frozen. On Jan. 16, after being tagged by a Twitter community member, Binance exchange CEO Changpeng Zhao said that he suspended “some” of the funds affiliated with Cryptopia after they ended up on his platform’s wallets and claimed that he will freeze more if social media users report them.

Similarly, other Twitter users have published screenshots suggesting that coinexchange.io has also been warned about some of the stolen funds from Cryptopia being traded on their platform.

As for the legal aftermath, the situation is also unclear at this point. According to local media and radio outlet Radio NZ, up to 40 Cryptopia users have come forward to legally demand an explanation as to why their funds are inaccessible.

“We were contacted initially by about three people [last year], including a South African lawyer, who were complaining that they were having trouble transacting using their wallets and couldn't withdraw funds,” the lawyer handling the case told the publication.