Last week Gatecoin, a digital currency exchange company based in Hong Kong, suffered a security breach that resulted in the loss of 250 bitcoin and 185,000 etherium. This loss is the equivalent of $2 million, or 15% of the total assets held by Gatecoin.
In the official statement posted on their website, Gatecoin stated that they had a disruption of service last Monday that resulted in a server reboot, and on Friday noticed suspicious transactions. After an immediate suspension of services, and a forensic investigation by French cybersecurity firm Tehtri Security, Gatecoin confirms that the breach occurred and resulted in a drastic loss of assets.
Gatecoin services will be offline until May 28, at which time customers may access their accounts and, if they choose, withdraw their funds using a new platform specifically designed for secure withdrawals. The company is also attempting to raise funds to cover customer losses and intends to reimburse their customers for funds lost in the hack.
The use of segregated accounts was touted by Gatecoin as a method to reduce risk and exposure to hackers, a concern when dealing in digital currencies. However, in the security breach the hacker altered the system so that the multi-sig cold storage system was bypassed, and funds were transmitted directly to a hot wallet.
There is a 5% limit on hot wallets, but due to the multi-sig bypass, transfers were allowed to exceed that limit. Hot wallet exchanges are different from offline storage, or ‘cold wallet’ hacks, such as the February attack on Chinese firm Bter that resulted in a similar, almost $2 million loss. Hot wallet exchanges are hidden inside active traffic, making them harder to detect immediately.
Gatecoin has requested help in tracking the ‘malicious external entities’ responsible for the breach, and to that end have posted the wallet addresses used by the hackers on their website.
As a result of the weaknesses in their system that have been exposed, Gatecoin is planning a move to a new infrastructure before services resume. They have assured their customers that remaining assets are secure. Aurélien Menant, CEO of Gatecoin added, “We sincerely apologize for all the concern experienced by our clients and for the inconvenience caused while clients wait for their fund withdrawals to be processed. Gatecoin would also like to express our gratitude to the community of exchanges that have very kindly volunteered to help identify the parties responsible for the stolen funds.”