On 15 January 2019, Cryptopia, a New Zealand crypto exchange, announced that the platform was hacked and sustained unspecified heavy losses. The exchange initially informed its users that an unscheduled maintenance was ongoing on the platform, but later announced that a breach was detected, and a report was filed with the local law enforcements.

On 20 January 2019, Elementus, a blockchain infrastructure firm, published an analysis showing that Ethereum (ETH) and ERC20 tokens worth up to $16 million was stolen from the crypto exchange as a result of the hack. The analysis found that approximately $3.5 million in ETH, $2.4 million in Dentacoin, $2 million in Oyster Pearl, alongside $3 million of other unnamed tokens were stolen in the theft case.

According to the report, the hack started from as early as 13 January 2019 and continued surprisingly until the early hours of 17 January 2019, which was a considerably long time after its detection. Two Cryptopia core wallets, one contained ETH and another contained tokens, were reportedly the first targets of the hack in the morning of 13th January, where both wallets were emptied out by the afternoon of the same day. The hack continued to draw funds from over 76,000 secondary wallets owned by Cryptopia until 17th January.

Elementus deemed the attack to be abnormal when compared to the two common exchange hack profiles which are “smart contract exploits” and “unauthorized access credentials”. Smart contract exploits are cases where a vulnerability in the code controlling smart contracts is found and exploited. Elementus explained that these cases usually target multiple wallets, but the attack will normally get under control in a short duration.

Unauthorized access credentials are cases where individuals gained direct access to a wallet’s private key without the owner’s knowledge. These cases usually involved a single wallet and funds would already be emptied out from the wallet by the time the breach was detected.

In this current case, the 76,000 secondary wallets breached did not have smart contracts, implying that the hackers gained direct access to the private keys of all the wallets. Moreover, the attack was described by Elementus to lack urgency as the theft continued days after its detection, implying that the hackers knew that Cryptopia lost access to all the wallets and had no way of stopping them.

As of now, $880,000 of the stolen funds were reportedly exchanged for cash through various exchanged such as Binance, Huobi and HitBTC. The hackers allegedly had two wallets containing the remaining stolen digital assets worth around $15 million and kept them under control.

Other crypto exchanges, such as Binance, are helping out Cryptopia by freezing funds suspected to be sent in by the hackers.