A review of Kucoin security incidents: Industry linkages are blocking and anti-hacking, hackers or loosing water?


 47 total views

In the early morning of September 26, Beijing time, the famous exchange KuCoin (KuCoin) suffered a currency theft. From Bitcoin to ERC20 USDT and other ERC20 standard tokens, even EOS USDT suffered losses. After the incident, KuCoin also promptly notified the incident in a public manner, and KuCoin International CEO Johnny also reported the ins and outs of the entire incident and the latest developments through a live broadcast. As far as the current situation is concerned, the whole situation is developing in a controllable direction, and Beijing Lianan has also participated in the analysis and tracking of the flow of related assets. Next, let us review this incident in stages.

what happened?

Kucoin perspective:

KuCoin CEO Johnny said that at 02:51 on September 26, 2020, KuCoin team received the first risk control system alarm and found an abnormal ETH transfer record. The transfer destination address is: 0xeb31973e0febf3e3d7058234a5ebbae1ab4b8c23, and then more abnormalities When the transaction occurred, Kucoin immediately activated the response mechanism.

Perspective on ChainsMap:

Now, if you open the famous Ethereum block explorer, 0xeb31973e0febf3e3d7058234a5ebbae1ab4b8c23 has been marked as theft.

Etherscan will calculate the total value of the token assets on the address based on the dynamic price of the relevant Token. Therefore, the current mainstream foreign media based on the transfer record data on the chain, most of which reported that the Kucoin has been transferred out of 150 million US dollars this time. The KuCoin team confirmed that while the hackers transferred out KuCoin assets on a large scale, the KuCoin wallet team was also transferring assets to “haven”. For example, the 35 million USDT that has been frozen by Tether and Bitfinex, of which 13 million is the library. The wallet team transferred out, and 22 million were transferred out by hackers.

Accordingly, KuCoin has not announced the actual amount involved. KuCoin CEO Johnny also stated that since many of the affected tokens are ERC-20 tokens, their valuation work is still in progress and KuCoin will confirm The specific token and amount will be announced later.


Judging from the transaction records, the first transaction to this address occurred at 02:49:18 on September 26, Beijing time, and the transaction stolen more than 13.88 million ERC20 USDT.


Another feature of this incident is that, in addition to the mainstream ERC20 USDT, it stole various tokens from the KuCoin hot wallet in large quantities. At the same time, from the behavioral model, hackers are likely to adopt a code traversal method of stealing coins, do not perform balance verification on various tokens, and poll to issue transfer instructions, so we can see that some transfer amounts are 0 Token transfer only consumes some GAS, which is indeed a more “efficient” transfer method for hackers.

In terms of Bitcoin, through the analysis of Beijing Chain’s ChainsMap detection system, at 03:05:37 on September 26, the Kucoin hot wallet continuously transferred money to one address, totaling 1008 BTC, and also transferred 999160 OMNI USDT.

Kucoin’s response

Kucoin perspective:

KuCoin CEO Johnny said that after the incident, KuCoin technical staff set up an emergency team, established an emergency communication group, and began to investigate and explore some behavioral logic in the current system.

At the same time, Kucoin operation and maintenance personnel urgently shut down the wallet server and began to transfer the funds in the hot wallet to the cold wallet, and the relevant exchange deposit and withdrawal operations were also suspended.

For users, KuCoin issued a related announcement, and solemnly stated that if any users suffer losses in this incident, KuCoin and its insurance fund will bear all of them.

Perspective on ChainsMap:


Judging from the Kucoin ERC20 USDT, it was basically suspended after 06:28 on September 26, and its bitcoin-related transactions were no longer collected after 4:34 in the morning of the same day.


At the same time, we can also see that Kubi.com urgently transferred other tokens in its attacked hot wallet. From the perspective of post-issuance measures, Kubi’s response in these links is relatively quick and in place.

Blocking on the chain: industry linkage, hackers or bamboo baskets are empty

Kucoin perspective:

KuCoin CEO Johnny stated that KuCoin has contacted global mainstream trading platforms, project parties, security agencies, and the police including Huobi, Binance, OKex, Bybit, Bitmax, etc., has taken some effective measures, and is pursuing it in full force. These assets.

Perspective on ChainsMap:

After learning about this incident, Beijing Lian’an quickly opened the monitoring of related assets and the linkage and cooperation mechanism with KuCoin, and soon issued a batch of ERC20 USDT trends.


It can be seen that the hacker established an independent address, first conducted a transfer test of 1USDT, and then directly entered 50,000 USDT. This transaction group performed two times to reach two addresses. After that, the hacker added these two addresses The USDT part of the input was entered into the address at the beginning of 0xdf0921, and the relevant USDT began to be further distributed and transferred, and 11,000 USDT flowed into the Matcha exchange. In this regard, we also synchronized relevant information to relevant exchanges in a timely manner, and made announcements. Matcha also quickly frozen relevant accounts.

At the same time, one thing that KuCoin CEO Johnny didn’t mention in the live broadcast is that KuCoin apparently contacted USDT issuer TEDA. TEDA also responded positively by directly freezing the relevant USDT on the chain through smart contracts. At the same time, Bitfinex also announced that it had frozen the stolen EOS USDT.

From the current point of view, the remaining stolen ERC20 tokens and Bitcoin have not taken any action. Under the chase of the industry, it will be extremely difficult and costly for hackers to fully transfer and realize this asset.

In fact, at 21:18:35 on September 26, Beijing time, the hacker tried to transfer USDT assets again


Obviously, the transfer of this frozen asset has been prevented. What is the feeling of the hacker not only at this time?

Aftermath: How should exchanges deal with asset security

More than 24 hours have passed since the Kucoin security incident, and the clamor around the incident itself has gradually dissipated


As always, as today’s well-known address, the address where hackers transfer assets has become a graffiti board and billboard. Some weird Tokens are transferred to this address for display and ridicule. This is also a black humorous phenomenon in this industry.

Of course, more serious issues are left for us to continue to think about. The reasons for KuCoin-related security incidents require further investigation and public announcement by KuCoin. However, for any exchange, doing a good job in internal risk control to prevent moral hazard, doing a good job in isolation between different business networks, and implementing a multi-signature mechanism are the most basic, but it requires solid security measures.

At the same time, the Kucoin security incident also shows that, in addition to preventing problems before they occur, reasonable responses will also effectively reduce losses when a security incident occurs. From this point of view, Kucoin still has remarkable points in this incident, such as relatively quick discovery of problems and emergency protection of existing assets, promptly mobilizing the industry to conduct joint defenses, especially seizing key links to prevent as much as possible Further transfer of key assets. Of course, the key point is disclosure. Kucoin promptly discloses the attacked information, and the CEO communicates the information through live broadcast, which has effectively achieved the effect of communication. These practices may be worthy of other exchanges. In the plan strategy.

For exchanges, asset security is a top priority. We hope that major exchanges will pay more attention to security measures in the future. As a professional technical security agency and a professional service provider for asset traceability on the chain, we are also willing to empower the industry to protect the asset security of customers and their users.