The Breakdown - Huobi Changes Name to HTX and Almost Immediately Gets Hacked
Episode Date: September 27, 2023
Today on The Breakdown it's a hackathon, with a set of high profile hacks happening over the weekend that show the continued challenging state of crypto custody and security.
Transcript
Welcome back to The Breakdown with me, NLW.
It's a daily podcast on macro, Bitcoin, and the big picture power shifts remaking our world.
What's going on, guys? It is Tuesday, September 22nd, and today we are talking hacks, hacks, hacks.
Before we get into that, however, if you are enjoying The Breakdown, please go subscribe to it,
give it a rating, give it a review, or if you want to dive deeper into the conversation,
come join us on the Breakers Discord.
You can find a link in the show notes or go to bit.ly slash breakdown pod.
Well, friends, today we start this show talking about Ben Armstrong, better known as BitBoy,
who was arrested last night after he, one, posted to his YouTube that he was going to confront
a former business partner about the Lamborghini that he said was his;
two, went to said person's door and rang the doorbell;
three, did this with a gun and illegal narcotics in the back of his car, along with another
business and affair partner to boot; and then, four, livestreamed himself getting arrested.
Just kidding.
I'm not going to talk about that.
Ever at all.
In fact, I will only say this.
The crypto space gets exactly the level of influencers it deserves.
So perhaps as we think about where we want to be heading into the next bull market,
we might want to choose who we listen to with just a hint more discernment.
Now, what we're actually going to be talking about today is the plague of this bear market,
well, outside of Gensler, of course, and that is hacks.
A wave of hacks impacted crypto firms starting over the weekend.
On Friday, Nansen disclosed a security breach at a third-party
software vendor. The attacker was able to gain access to admin rights of a Nansen account in charge of
facilitating client access to the platform. Nansen claims it, quote, managed to stop the
unauthorized access shortly after learning about it and launched an immediate investigation.
According to Nansen, wallet funds were unaffected. All affected users had email addresses exposed,
while smaller user cohorts had password hash accessed and wallet addresses revealed.
Nansen urged all users to double check emails claiming to be coming from the company and be
vigilant for phishing attempts. So that was Friday. Then on Saturday, OpenSea disclosed that one of its
third-party vendors, quote, experienced a security incident that may have exposed information. They warned
that user API keys were compromised. The company noted that the incident was not expected to impact
any programs which use an OpenSea API key, but that external parties using exposed keys could
experience rate and usage limits. OpenSea plans on shutting down existing keys by next Monday and
asked users to rotate their keys. A third exploit was disclosed early on Monday morning. Mixin Network,
which is a nominally decentralized wallet service, said it lost $200 million in customer assets
during an attack early on Saturday morning. Crypto developer Lawrence Day at Function Zero writes,
it's another poly network, nine figures gone from a place I've literally never heard of before.
Also, respectfully, how are you losing 200 milly from a cloud breach? So this company Mixin was founded in
2017, and had nearly 400 million in protocol funds across 48 chains. The service allows users to
send digital assets assigned to phone numbers. And its biggest market appears to be Hong Kong.
Now, the firm said that it can guarantee the safety of around half of user assets, but
that guarantee seems to be in the form of a corporate backstop rather than the product of
successful threat mitigation. During a live stream on Monday addressing the attack,
Mixin founder Fang Xiaodong said, no matter what your assets are, whether it's Bitcoin or
Ethereum, we will ensure that half of it is unaffected.
We're trying to find a way to recover the compromised money, but that is very difficult.
For the other half of the assets, Mixin is considering offering what they are calling bond tokens
for users to claim. The firm would later buy back the tokens, making them similar to other
token-based recovery schemes seen in the past during events like the Bitfinex hack.
A security firm called SlowMist is involved in the investigation and stated that the incident
occurred when a cloud service provider database was attacked.
Now, if this feels like just the latest in a string of big hacks, that's because it is.
In 2022, we had the record of $3.1 billion in funds lost from hacks. And estimates this year include
TRM Labs saying that $400 million was stolen in quarter one, Immunefi saying that $700 million was lost
in the first half of the year. And then just in Q3, we've had a $126 Multichain hack in July,
a $61.7 million market-based protocol exploit of Curve Finance in July, $41.3 million hacked from
Stake.com in September, and another July hack of $37 million at CoinsPaid.
So from estimates, it looks like this might be the largest hack of the year, roughly the same
size as Euler in March. Still, even though it wasn't the biggest, the most high-profile hack of the
weekend was disclosed on Monday as well, and that was from HTX. HTX, formerly known as Huobi,
suffered the loss of 5,000 ETH worth around $8 million on Sunday evening. Justin Sun claimed in a
Twitter thread that, quote, HTX has fully covered the losses incurred from the attack and has
successfully resolved all related issues. Sun added that, quote, all user assets are SAFU, and
the platform is operating completely normally. Now, in addition to disclosing the loss, Sun downplayed
the impact of the attack, stating that, quote, 8 million represents a relatively small sum in
comparison to the 3 billion worth of assets held by our users. It also amounts to just two weeks
of revenue for the HTX platform. Sun disclosed the wallet address of the hacker and added,
we are willing to offer 5% of the stolen amount, 400,000 USD, as a white hat reward to encourage the
hacker to return the stolen funds. If the hacker returns the funds, we will also hire them as a
security White Hat Advisor for HTX. However, they said if the funds are not returned within seven
days, we will transfer the information to law enforcement authorities for further action, and to
prosecute the hacker. In an on-chain message to the hacker, HTX claimed to have discovered
their, quote, true identity. Now, according to Arkham Analytics, the attack affected an
HTX hot wallet, which was created in March. Since then, the wallet has received $500 million
in deposits from Binance, and on-chain analysts confirmed that funds have now been migrated
to a new wallet. Now, there were a lot of comments related
to the name change of this exchange. Crypto Calayo says,
Huobi changes its name to HTX and gets hacked for $8 million in the first month.
Coincidence or tempting fate?
Lawrence Day again said, I'm sorry, but renaming Huobi to HTX and then immediately
losing millions of dollars is so effing funny that I might have a stroke.
Even Binance's CZ said, a week after you rename your exchange after FTX, dot, dot, dot.
Jokes aside, our security team will help in tracking hacker funds in all cases where we can.
Now, in addition to just the jokes about the HTX name,
there are lots of questions floating around about Huobi solvency.
To get a sense of some of those theories, go check out Adam Cochran's account.
It's a little bit out of the scope of this particular episode, but it's obviously something
that we're watching closely.
Now, it's unclear at this stage whether these attacks had any sort of links, but the
small amount of detail available does show some common features.
The first three hacks all blamed a third-party service provider.
While the provider was not named, Nansen did urge them to disclose the security breach.
These attacks come just weeks after crypto custody firm Fortress Trust suffered a $15 million
attack, which was also related to a security failure at a third-party cloud provider called Retool.
In that attack, an employee at the software provider was the victim of a phishing attack.
The attacker used an AI-synthesized voice clone of an IT support worker to replicate the
employee's credentials to access Retool systems.
In their write-up of that attack, Retool said that 27 customer accounts were compromised.
All 27 were crypto companies.
So the method of attack here, which uses a combination of
social engineering and a bypassing of security measures, also bears a striking resemblance to
the write-ups of the recent cyber attack on MGM and Caesars casinos. The casino systems were hacked
two weeks ago with customer and corporate data compromised. Postmortems of the attack claimed
that hackers used a voice replication of IT workers to gain access. Identity management firm
Okta confirmed that the casinos had been using their systems to credential employees.
In an August blog post, Okta said that their customers were seeing, quote, consistent pattern
of social engineering attacks against their IT service desk personnel, in which the call
strategy was to convince service desk personnel to reset all multifactor authentication factors enrolled
by highly privileged users. The casino attacks were attributed to a threat actor known as
Scattered Spider using malicious software developed by ALPHV, or BlackCat. Now, if these attacks
are all part of the same cybercrime spree, it could speak to a group of hackers going after
high-value targets like crypto firms. The vulnerability seems hard to address as it involves security
training for employees at third-party software providers. And one of the implications is if these
kind of attacks become a systemic threat to the industry, it could mean more crypto firms need to
bring sensitive software in-house. That higher barrier to secure operations could make it more
difficult for smaller startups to compete in the industry. Now, of course, for any of you who are
listening to The AI Breakdown, you'll also recognize that this is not going to be a problem
that's unique to the crypto industry. The casino attacks speak to that as well, but the reality
is that voice cloning technology is incredibly advanced and just getting more so all the time.
Individuals and companies are going to need to develop entirely different modes of operation
that recognize the fact that you simply can't trust a voice on the other line of a call anymore.
Now, when it comes to the impact of these hacks on the industry, outside of just the ramifications
for the people who lost money themselves, it's hard exactly to know what the real impact is.
On the one hand, it certainly lends to a perception of immaturity overall.
But at the same time, when it comes to the geopolitics and regulation of crypto, the hacks that are
most important to keep an eye on are those that have some sort of geostrategic ramifications,
particularly those emanating from the Lazarus Group in North Korea. Still, being this deep
into a bear market and trying to match all-time records for hacks is not necessarily the place
we want to be overall. Now, the one other story that I wanted to cover on today's show is a bit
of a dust-up around the Celsius restructuring. In short, the Celsius bankruptcy could be coming
to a close after creditors have voted in favor of the current recovery plan. Ninety-eight percent of
creditors gave the thumbs up to a plan which would see the sale of assets to crypto consortium
Fahrenheit Holdings. The acquiring group includes Arrington Capital and miner US Bitcoin
Corp. Fahrenheit plans to retain and operate mining equipment owned by Celsius under a new
corporate structure. The new company also plans to stake Ethereum and monetize other Celsius
assets. Some large creditors will receive equity in this new company, and in addition, another
$2 billion in liquid crypto will be distributed to creditors. Overall, the plan is projected
to provide a 76 to 85% recovery. Now, one remaining snag
in the plan is an objection from the SEC. The regulator filed its objection last Friday to express
concerns with Coinbase's involvement in the process. Celsius receivers planned to use Coinbase as an
intermediary to distribute crypto to creditors. The SEC claimed the agreement could require Coinbase to,
quote, go far beyond the services of a distribution agent, and effectively they believe that Coinbase could
be called upon to provide the kind of crypto services which are at issue in their separate enforcement
lawsuit. The SEC filing claimed that, quote, Celsius have confirmed that they do not intend for
Coinbase to provide brokerage services despite the language and the Coinbase agreements to the
contrary. However, this court should not be asked to approve a deal where their material terms are
missing or inconsistent. The regulator also appears concerned about an additional agreement with
Coinbase, which Celsius have attempted to file under seal and have not yet disclosed.
Coinbase's chief legal officer, Paul Grewal, hit back at the SEC's objection in a Twitter post
stating, Coinbase is proud to engage with Celsius to distribute crypto back to its customers.
I wonder, why would the SEC object to a trusted U.S. public company taking on this role? We look
forward to addressing this with the bankruptcy court and undertaking our important role to make
Celsius customers whole. Now, Wayne Vaughn had a very simple explanation saying,
Coinbase's role in the Celsius bankruptcy makes Coinbase look like a trusted good actor. The SEC
wants Coinbase to look like an untrustworthy bad actor. And of course, this isn't the first
time we've seen the SEC stand in the way of a bankruptcy distribution agreed to by creditors.
In March, the SEC objected to Voyager using Binance U.S. to distribute crypto to its creditors,
which was, of course, months before the regulator had filed its lawsuit against Binance,
but still based their objections on claims that the exchange was an unregistered securities brokerage.
A very unimpressed judge in the Voyager case called it, quote, kind of a weird objection.
In fact, they said that they were, quote, absolutely shocked at the regulator's conduct
for suggesting that the judge should, quote, stop everybody in their tracks because you might have an issue.
This time around, of course, the SEC at least does have an ongoing lawsuit that they can point to
regarding Coinbase's brokerage services.
But the objection does still seem odd, given that the regulator didn't
seek an injunction to prevent Coinbase from operating as normal in the interim.
The Celsius case will return to court next Thursday to hear the SEC's argument and see if the
judge is inclined to allow the plan to go ahead. Now one interesting line of discussion are the
implications for the spot ETF applications that are outstanding. Adam Cochran writes,
while this is dumb, it also kind of tips the SEC's hand. If this is the line they are taking,
then it's a really good bet they are going to continue to fight the spot ETFs, but now on the
basis that there is no valid custodian, an ATS registered for exchanging the spot assets.
Gets them around some of the issues with there being a futures market but not wanting to approve the spot.
They'll make the claim that since all the venues lists some handwavy securities, they must be
registered even if they also list things that are only commodities. Therefore, they aren't denying
the eligibility of BTC to have an ETF, just that no provider is currently legally able to do so,
since they've not approved such an ATS. Now, speaking of ETFs, Bitwise filed an amendment to
its spot Bitcoin ETF application on Monday, adding 40 pages of research on Bitcoin market structure.
The research aimed to preempt arguments from the SEC, which could be used to reject the current
batch of ETF applications. Bitwise claimed to show that Bitcoin futures are the primary market
for price discovery, with spot prices following futures. According to Bitwise, this would mean
that the well-regulated CME futures market should be the primary consideration when looking for
evidence of market manipulation. They argued that this trading venue should count as a regulated
market of significant size for market surveillance purposes. As part of their argument, Bitwise
also cited a previous study from 2019, which suggested that Bitcoin's spot
market mainly consisted of fake volume, making the relative size of the regulated futures market much
larger in comparison. Regarding the price impact of futures, Bitwise found in 2021 that futures markets
accounted for between 52.97% and 68.03% of Bitcoin's price discovery. Now, this isn't the first
time Bitwise have dropped large amounts of Bitcoin research on the SEC to dispute their claims.
They have produced at least two 100-page plus reports in support of previous Bitcoin ETF applications.
Bitwise Chief Investment Officer Matt Hougan explained his firm's strategy in a Twitter thread stating,
Given the Grayscale ruling, every spot Bitcoin ETF filing is essentially in a waiting pattern
hoping the SEC reacts to the court ruling by approving spot Bitcoin ETFs.
That's the happy case.
The question is, what happens if the SEC appeals the court decision?
In short, we return to the status quo.
We're back to needing to prove that the CME Bitcoin futures market leads price discovery
over the spot market, such that it can serve as a regulated market of significant size
for the purpose of surveillance.
Unfortunately, existing filings do not include substantively new arguments or research addressing
this question head on,
until now. Today's amendment aims to address point by point each of the major objections
the SEC has raised in prior disapprovals for spot Bitcoin ETFs.
In particular, we try to clear up the significant confusion around the growing body of academic
literature on price discovery in the Bitcoin market and demonstrate that every well-designed
academic study supports the finding that the CME is significant.
So, friends, there you have it, a little bit of hacks, a little bit of the SEC objecting
to something that seems reasonable from the
outside. In other words, a quintessential 2023 crypto day. Appreciate you guys listening as always, and
until next time, peace.
