STICK 'EM UP —

Hackers find creative way to steal $7.7 million without being detected

Thieves obtain platform's private key, use it to destroy coins, then create new ones.

Hackers managed to steal $7.7 million worth of cryptocurrency from the platform known as KICKICO by using a novel technique: destroying existing coins, then creating new ones totaling the same amount and putting them in hacker-controlled addresses, KICKICO officials said.

The technique evaded KICKICO’s security measures because it didn't change the number of KICK tokens issued on the network. Such security measures are generally designed to spot thefts and other malicious actions by detecting sudden shifts in total cryptocurrency funds available on the market. The unknown attackers were able to destroy the existing coins and create new ones by first obtaining the secret cryptographic key controlling the KICKICO smart contract. KICKICO officials didn’t learn of the breach until they received complaints from several users reporting that $800,000 worth of digital coins were missing from their wallets.
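The monitoring gap described above, as an added example (not KICKICO's code or tooling): a total-supply check stays flat when burns and mints cancel out, while a per-address view of the same privileged events shows value moving between holders. The event tuple shape, address labels and the 10-block window are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of privileged token events (not real KICKICO data).
# Assumed record shape: (block, kind, address, amount); kind is "mint" or "burn".
EVENTS = [
    (100, "burn", "holder_01", 500),
    (100, "burn", "holder_02", 300),
    (101, "mint", "unknown_a", 500),
    (101, "mint", "unknown_b", 300),
    (250, "mint", "treasury", 50),  # ordinary issuance: changes total supply
]

def supply_delta(events):
    """Net change in total supply, the aggregate signal that stayed flat."""
    return sum(amt if kind == "mint" else -amt for _, kind, _, amt in events)

def offsetting_windows(events, window=10):
    """Flag block windows where burns and mints cancel in aggregate
    but shift balances from one set of addresses to another."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // window].append(ev)
    alerts = []
    for key in sorted(buckets):
        per_addr = defaultdict(int)
        burned = minted = 0
        for _, kind, addr, amt in buckets[key]:
            if kind == "burn":
                per_addr[addr] -= amt
                burned += amt
            else:
                per_addr[addr] += amt
                minted += amt
        losers = sorted(a for a, d in per_addr.items() if d < 0)
        gainers = sorted(a for a, d in per_addr.items() if d > 0)
        # Supply-neutral inside the window, yet different addresses lost and gained.
        if burned and burned == minted and losers and gainers:
            alerts.append({"first_block": key * window, "moved": burned,
                           "losers": losers, "gainers": gainers})
    return alerts

if __name__ == "__main__":
    print("supply delta for blocks 100-101:", supply_delta(EVENTS[:4]))
    for alert in offsetting_windows(EVENTS):
        print("ALERT", alert)
```

Fixed windows miss a burn and its matching mint that fall on either side of a window boundary; a sliding window, or alerting on every owner-key mint or burn, closes that gap.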

KICKICO officials said they have since recovered the stolen tokens and are in the process of returning them to their original owners. In a blog post disclosing the incident, KICKICO officials wrote:

The hackers gained access to the private key of the owner of the KickCoin smart contract. In order to hide the results of their activities, they employed methods used by the KickCoin smart contract in integration with the Bancor network: hackers destroyed tokens at approximately 40 addresses and created tokens at the other 40 addresses in the corresponding amount. In result, the total number of tokens in the network has not changed. But thanks to the rapid response of our community and our coordinated team work, we were able to regain control over the tokens and prevent further possible losses by replacing the compromised private key with the private key of the cold storage.

At the moment the problem is completely eliminated, the wallets of KickCoin holders are safe.

The post didn’t say how the hackers managed to steal the private crypto key or whether the hole that made the theft possible has been closed. The incident is the latest reminder of how susceptible cryptocurrency exchanges and platforms are to malicious hacks. People who use digital coins should keep them in cold storage whenever possible, meaning wallets that aren’t connected to the Internet. Cold storage doesn’t prevent all thefts, but it will prevent many of them.
