1.5 billion USD heist: Crypto Assets exchange suffers the largest Hacker attack in history

Crypto Assets trading platform suffers massive Hacker attack

On February 21, 2025, a well-known Crypto Assets trading platform suffered a serious security breach incident, resulting in the theft of approximately $1.5 billion in assets from its Ethereum cold wallet. This incident is considered the largest single theft in the history of Crypto Assets, surpassing previous records like Poly Network (2021, $611 million) and Ronin Network (2022, $620 million), causing a huge impact on the entire industry.

This article will provide a detailed account of the hacking incident and its money laundering methods, and remind readers that there may be a large-scale freezing of funds targeting over-the-counter trading groups and crypto payment companies in the coming months.

Theft Process

According to the description by executives of the trading platform and preliminary investigations by a blockchain analysis company, the theft process is as follows:

  1. Attack Preparation: The hacker deployed a malicious smart contract at least three days prior to the incident (i.e., February 19) to lay the groundwork for the subsequent attack.

  2. Compromise of the multi-signature system: The Ethereum cold wallet of this trading platform uses a multi-signature mechanism, which requires several authorized signatures to execute a transaction. The hacker compromised the computer used to manage the multi-signature wallet through as yet unknown means, possibly via a disguised interface or malware.

  3. Disguised transaction: On February 21, the trading platform planned to transfer ETH from the cold wallet to the hot wallet to meet daily trading needs. The hacker took advantage of this opportunity, disguised the transaction interface to look like a normal operation, and induced the signers to confirm a transaction that appeared legitimate. What they actually signed, however, was a command that modified the logic of the cold wallet's smart contract.

  4. Fund transfer: Once the change took effect, the hacker quickly took control of the cold wallet and transferred approximately $1.5 billion worth of ETH and ETH staking tokens to an unknown address. The funds were then dispersed across multiple wallets and the money laundering process began.
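The lesson of step 3 is that signers must check the transaction they actually sign, not the interface that presents it. The following is an added example, not code from the article or the platform: it compares a proposed multisig transaction against the signer's stated intent. It assumes a Safe-style transaction tuple (to, value, data, operation), where operation 0 is a normal CALL and 1 is a DELEGATECALL that runs foreign code in the wallet's own context and can rewrite its logic; all addresses are constructed placeholders.

```python
"""Added example (not from the article): an independent pre-signing check
for a cold-wallet multisig transaction. Assumes a Safe-style tuple
(to, value, data, operation) where operation 0 is a plain CALL and 1 is a
DELEGATECALL that can rewrite the wallet's own logic. Addresses below are
constructed placeholders, not real ones."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ProposedTx:
    to: str
    value_wei: int
    data: bytes
    operation: int  # 0 = CALL, 1 = DELEGATECALL

@dataclass(frozen=True)
class Intent:
    """What the signer believes they approve (e.g. from the ops ticket)."""
    to: str
    value_wei: int

def check_before_signing(tx: ProposedTx, intent: Intent, allowlist: set) -> list:
    """Return the list of mismatches; an empty list means the tx matches intent."""
    findings = []
    if tx.operation != 0:
        findings.append("operation is DELEGATECALL, not a plain CALL")
    if tx.to.lower() not in {a.lower() for a in allowlist}:
        findings.append("destination is not an allowlisted hot wallet")
    if tx.to.lower() != intent.to.lower():
        findings.append("destination differs from the intended target")
    if tx.value_wei != intent.value_wei:
        findings.append("value differs from the intended amount")
    if tx.data:
        findings.append(f"plain ETH transfer expects empty calldata, got {len(tx.data)} bytes")
    return findings

# Constructed placeholders, not real addresses or amounts.
HOT_WALLET = "0x" + "11" * 20
UNKNOWN_CONTRACT = "0x" + "ee" * 20
INTENT = Intent(to=HOT_WALLET, value_wei=30_000 * 10**18)

def demo():
    """A benign transfer vs. a spoofed proposal whose real payload differs from the UI."""
    benign = ProposedTx(HOT_WALLET, INTENT.value_wei, b"", 0)
    spoofed = ProposedTx(UNKNOWN_CONTRACT, 0, bytes.fromhex("deadbeef"), 1)
    return (check_before_signing(benign, INTENT, {HOT_WALLET}),
            check_before_signing(spoofed, INTENT, {HOT_WALLET}))
```

In practice the tuple should be read from the signing device's own display or from raw calldata, never from the web page that proposes the transaction.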

[Image caption: The "Butterfly Effect" triggered by the theft of 1.5 billion USD from Bybit: The OTC community will face a wave of freezes]

Money Laundering Techniques

The cleaning of funds can be roughly divided into two stages:

  1. Early Capital Split:

    • The attacker quickly swapped the ETH staking tokens for ETH rather than for stablecoins, which issuers can freeze.
    • The acquired ETH was then split into portions and transferred to subordinate addresses in preparation for subsequent laundering.
    • At this stage, the attacker's attempt to exchange 15,000 mETH for ETH was blocked in time, so the industry recovered part of the losses.
  2. Money Laundering:

    • The attacker moved funds through centralized and decentralized industry infrastructure, including multiple cross-chain protocols and decentralized exchanges.
    • Some protocols are used for fund exchange, while others are used for cross-chain transfer.
    • A large amount of stolen funds was exchanged for BTC, DOGE, SOL, and other mainstream coins for transfer.
    • The attacker even issued meme coins or transferred funds to exchange addresses for obfuscation.

Blockchain analysis companies are monitoring and tracking addresses related to the stolen funds, and the resulting threat intelligence is being published on their platforms to prevent users from inadvertently receiving stolen funds.

Criminal Record Analysis

Through the analysis of the funding chain, it was found that this attack is related to two exchange theft incidents that occurred in October 2024 and January 2025, indicating that the mastermind behind these three attack events is likely the same entity.

Combining its highly industrialized money laundering techniques and attack methods, some blockchain security experts speculate that this incident may be related to a notorious Hacker organization. This organization has launched cyber attacks on institutions and infrastructure in the Crypto Assets industry multiple times over the past few years, illegally obtaining Crypto Assets worth billions of dollars.

Freezing Crisis

Blockchain analysis companies have found in their investigations over the past few years that this hacker organization not only uses decentralized industry infrastructure for money laundering but also relies heavily on centralized platforms to cash out. As a direct result, large numbers of exchange user accounts that received illicit funds, whether knowingly or not, were placed under risk control, and the business addresses of over-the-counter traders and payment institutions were frozen.

Here are two related cases:

  1. In 2024, a Japanese cryptocurrency exchange was attacked, resulting in the illegal transfer of $600 million worth of Bitcoin. The attacker transferred part of the funds to a cryptocurrency payment institution in Southeast Asia, causing the institution's hot wallet address to be frozen, locking up over $29 million worth of funds that could not be transferred.

  2. In 2023, another trading platform was attacked, resulting in the illegal transfer of over $100 million in funds. Some of the funds were laundered through over-the-counter trading, leading to the freezing of business addresses for numerous over-the-counter traders, or the risk control of exchange accounts used for holding business funds, severely impacting normal business activities.

[Image caption: The "Butterfly Effect" triggered by Bybit's theft of 1.5 billion USD: The OTC group is set to face a freeze wave]

Summary

Frequent hacker attacks have caused significant losses in the Crypto Assets industry, and the money laundering that follows taints ever more personal and institutional addresses. For these innocent individuals and potential victims, it is crucial to monitor closely for tainted funds in their business activities to avoid being affected themselves. In the current situation, strengthening security awareness and risk management is particularly important.
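The laundering pattern described above (split stolen funds, mix them with unrelated inflows, hop through intermediaries) is what makes the freezes in the previous section hit bystanders. As an added example, not code from the article, here is a toy "haircut" taint tracker of the kind an OTC desk or payment company can run over its own inflows: each address keeps a clean and a tainted balance, every transfer carries taint in proportion to the sender's tainted share, and the hop distance from the theft address is recorded. All addresses, amounts and the transfer log are constructed.

```python
"""Added example (not from the article): toy "haircut" taint tracker over a
constructed transfer log. Each address keeps [clean, tainted] balances; each
transfer carries taint pro rata to the sender's tainted share, and hop
distance from the theft seed is recorded. All values are constructed."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ts: int       # ordering key (block number or timestamp)
    src: str
    dst: str
    amount: float

# Constructed sample: "thief" holds only stolen funds, "clean" only clean funds.
SAMPLE = [
    Transfer(1, "thief", "mixer", 500.0),      # stolen funds split out
    Transfer(2, "clean", "mixer", 500.0),      # unrelated clean inflow to same address
    Transfer(3, "mixer", "otc", 200.0),        # OTC desk receives a 50/50 mix
    Transfer(4, "otc", "exchange", 50.0),      # desk tops up its exchange account
    Transfer(5, "clean", "bystander", 100.0),  # fully clean path
]

def trace(transfers, tainted_seed, clean_seed):
    """Return ({addr: (clean, tainted)}, {addr: hops from a tainted seed})."""
    bal = defaultdict(lambda: [0.0, 0.0])  # [clean, tainted]
    for a, v in clean_seed.items():
        bal[a][0] += v
    for a, v in tainted_seed.items():
        bal[a][1] += v
    hops = {a: 0 for a in tainted_seed}
    for t in sorted(transfers, key=lambda t: t.ts):
        clean, tainted = bal[t.src]
        total = clean + tainted
        if total <= 0 or t.amount > total:
            raise ValueError(f"{t.src} cannot send {t.amount} with balance {total}")
        tainted_part = t.amount * tainted / total
        bal[t.src][0] -= t.amount - tainted_part
        bal[t.src][1] -= tainted_part
        bal[t.dst][0] += t.amount - tainted_part
        bal[t.dst][1] += tainted_part
        if tainted_part > 0:  # only taint-carrying edges extend the hop graph
            hops[t.dst] = min(hops.get(t.dst, hops[t.src] + 1), hops[t.src] + 1)
    return {a: tuple(v) for a, v in bal.items()}, hops

def screen(transfers=SAMPLE):
    """Per address: (tainted share of current balance, hops from theft or None)."""
    balances, hops = trace(transfers, {"thief": 1000.0}, {"clean": 1000.0})
    return {a: (round(t / (c + t), 4) if c + t else 0.0, hops.get(a))
            for a, (c, t) in balances.items()}
```

Real screening replaces the constructed log with chain data and the seed with published theft addresses; the share and hop count are then inputs to a hold-or-reject decision before funds are accepted.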

Comments

ThreeHornBlasts · 4h ago: The industry has experienced a flash crash, it's doomed, it's doomed.

MEVSupportGroup · 4h ago: Played people for suckers again, Bull brother.

FlatTax · 4h ago: It's a showdown again. Can we get it back this time?

MoneyBurner · 4h ago: Play people for suckers and then play hacker, next month directly all in to go long.

GasFeeTears · 4h ago: Lying flat again, getting clip coupons.

CounterIndicator · 4h ago: It's another day of pants leaking.

ChainBrain · 5h ago: Whose cold wallet is so watery?