Wintermute has lost money on accounts it uses to trade on decentralized exchanges that are not controlled by a single company or entity.
Wintermute, a London-based cryptocurrency firm that trades billions of dollars worth of digital assets daily, lost $160 million in a hack early Tuesday. Founder and CEO Evgeny Gaevoy says he learned of the hack minutes after it happened, around 6am London time. An hour later, he announced the theft on Twitter without saying how it happened. In all, the hacker stole about $120 million worth of Wintermute’s stablecoins, including USDC and USDT, $20 million worth of Bitcoin and Ether, and another $20 million worth of lesser-known cryptocurrencies.
Gaevoy told Forbes that while the investigation is ongoing, the hack likely originated from a service called Profanity, which generates “vanity addresses” for digital cryptocurrency accounts to make working with them easier. Otherwise, crypto accounts are roughly 30-character strings of assorted letters and numbers. Last week, a blog post from another crypto company revealed a vulnerability in Profanity’s code. The heart of the problem: anyone with enough computing power can recover the private key behind any vanity address Profanity created. They can then scan the associated accounts to see how much money they hold and steal it.
Wintermute didn’t use Profanity to create easy-to-remember digital account names, but rather to reduce its trade transaction costs, which is another feature of Profanity’s service, says Gaevoy. When Wintermute learned of the vulnerability last week, it took steps to technologically “blacklist” its Profanity-generated accounts and protect them from being drained. However, due to its own “human error,” according to Gaevoy, one of the 10 accounts was not blacklisted, which likely led to the $160 million heist.
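The failure described above is a coverage gap: the mitigation (blacklist every Profanity-generated account) was correct, but one of ten accounts was missed. The script below is an added example, not Wintermute’s or Profanity’s code, of the kind of audit a defender would run against a signer’s key inventory to catch exactly that gap. It assumes that vanity addresses are recognisable by a run of leading zero hex nibbles (the gas-saving pattern such generators produce), that the blacklist is a plain list of addresses whose letter case may differ from the inventory’s, and all addresses in it are constructed sample values, not real accounts.

```python
import re

# A 20-byte hex address: "0x" followed by 40 hex digits.
HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Assumption: an address with this many (or more) leading zero nibbles was
# produced by a vanity generator rather than by ordinary random key generation.
VANITY_MIN_ZERO_NIBBLES = 6


def constructed_address(zero_nibbles: int, tail: str) -> str:
    """Build a constructed sample address (not a real account) with the given
    number of leading zero nibbles, padding the rest with 'e'."""
    body = ("0" * zero_nibbles + tail).ljust(40, "e")
    if len(body) != 40:
        raise ValueError("constructed body must be exactly 40 hex digits")
    return "0x" + body


# Constructed sample inventory: 7 vanity-style addresses and 3 ordinary ones.
INVENTORY = (
    [constructed_address(8, f"a{i}b{i}c") for i in range(1, 8)]
    + [constructed_address(0, f"9d{i}e") for i in range(3)]
)

# Constructed blacklist: covers only 6 of the 7 vanity addresses (the seventh
# was "forgotten"), is stored in upper-case hex as a checksum-style export
# would be, and carries one stale entry that is no longer in the inventory.
BLACKLIST = ["0x" + a[2:].upper() for a in INVENTORY[:6]] + [
    constructed_address(8, "dead")
]


def normalize(address: str) -> str:
    """Validate the address shape and return it in lower case so that entries
    exported with different letter case still compare equal."""
    if not HEX_ADDRESS.match(address):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return address.lower()


def leading_zero_nibbles(address: str) -> int:
    """Count the hex digits that are zero at the start of the address body."""
    body = normalize(address)[2:]
    return len(body) - len(body.lstrip("0"))


def is_vanity(address: str, min_zero_nibbles: int = VANITY_MIN_ZERO_NIBBLES) -> bool:
    """Heuristic: enough leading zeros means a vanity generator made this key."""
    return leading_zero_nibbles(address) >= min_zero_nibbles


def audit(inventory, blacklist, min_zero_nibbles: int = VANITY_MIN_ZERO_NIBBLES) -> dict:
    """Compare the key inventory against the blacklist.

    Returns the vanity-style addresses that are NOT blacklisted (the gap that
    must be closed) and blacklist entries that no longer map to any inventory
    address (a sign the two lists have drifted apart)."""
    inv = {normalize(a) for a in inventory}
    bl = {normalize(a) for a in blacklist}
    unblacklisted = sorted(a for a in inv if is_vanity(a, min_zero_nibbles) and a not in bl)
    stale = sorted(bl - inv)
    return {"unblacklisted_vanity": unblacklisted, "stale_blacklist": stale}


if __name__ == "__main__":
    report = audit(INVENTORY, BLACKLIST)
    for label, addresses in report.items():
        print(f"{label}: {len(addresses)}")
        for a in addresses:
            print("  ", a)
```

Case normalisation is deliberate: a blacklist exported in mixed-case checksum form and an inventory exported in lower case will silently fail to match on a naive string comparison, which is one of the ways a single account slips through a manual process. Running the audit as a scheduled job, and treating any non-empty `unblacklisted_vanity` list as an alert, turns the one-off mitigation into a continuously checked control.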
These trading accounts were part of Wintermute’s “decentralized finance” or DeFi business, where quick trades are made on decentralized exchanges like Uniswap and SushiSwap that are not controlled by a single entity. Because the DeFi ecosystem is young, highly experimental, and more openly accessible than traditional finance, it doesn’t have the same safeguards as centralized exchanges like Coinbase. “They don’t have circuit breakers. They don’t have two-factor authentication to store your keys,” says Gaevoy.
In 2021, DeFi hacks totaled $1.3 billion, according to research by security firm CertiK. Analytics firm Chainalysis estimates that North Korea-affiliated groups stole $1 billion from DeFi protocols in the first eight months of 2022.
Some tried and true crypto security practices, such as using external hardware wallets or “multi-sig” applications that require multiple parties to digitally sign before a transaction is approved, cannot be used for the type of automated trading Wintermute does. “They need to sign transactions on the fly and within seconds,” says Gaevoy. So the firm had to build its own technical tools and security protocols. “That’s ultimately the risk we took. It has been calculated.” DeFi has been a thriving part of Wintermute’s business over the past several years. “It didn’t work out this year,” he admits.
Wintermute’s CEO has some leads as to who the hacker might be, and he’s investigating them “both internally and with the help of external partners.” He hopes the hacker will become a “white hat” who returns most of the money, and is now offering a 10% bounty, or $16 million, if the hacker returns the remaining $144 million. He tweeted that Wintermute “would prefer to solve this in a simple way, but the window of opportunity is closing fast due to the publicity of this exploit.”
Despite the new $160 million hole in its balance sheet, Gaevoy says Wintermute is on a solid financial footing with more than $350 million in equity. “We are one of the very few crypto-native proprietary trading firms that can actually take this hit,” says the CEO. For a few hours after the hack, the company paused its OTC trading desk, where it facilitates large trades between other parties. That desk has since resumed normal operation.