New Zealand-based cryptocurrency exchange Cryptopia announced overnight that it had suffered “a security breach which resulted in significant losses.” According to the exchange, New Zealand police and related agencies have been alerted and are investigating the breach. The site is in “unscheduled maintenance mode” at this writing, with accounts frozen and trading and withdrawals apparently suspended. According to Cryptopia, the site will not be reopened until the investigation “has been carried out.”
Coinciding with reports that the much larger BitMEX exchange was continuing to shut down the accounts of U.S. and Canadian traders, the Cryptopia hack rings in the New Year with perhaps the most enduring truism of the cryptosphere—if you don’t control your own private keys, your money could disappear at any moment. According to Larry Cermak, lead analyst at The Block, exchange hacks since 2011 have now netted thieves at least $1.1 billion.
As with all such exchange hacks, there is also widespread suspicion that something even more nefarious could be unfolding. Many “hacks” reported by exchanges have been strongly suspected to be cover for exit scams by operators, who can blame the supposed hack for sudden insolvency and take traders’ deposits for themselves.
One trader has noted that the day before the reported hack, a total of about $2.4 million worth of tokens, including Ether (ETH) and a small coin called Centrality (CENNZ), was moved out of Cryptopia’s custodial wallets. This far exceeds the exchange’s normal daily volume.
On 14th January, Cryptopia "suffers a security breach."
Just one day ago, 13th January, they were moving money out.
What a coincidence! pic.twitter.com/eEUJ1O4Rod
— InvestPal (@invest_pal) January 15, 2019
This may have been the actual hackers moving funds, since Cryptopia has not confirmed the amount of its loss. But the move far exceeds normal volume for the exchange, and seems not to have been noticed by Cryptopia for roughly half a day. There is added suspicion of an inside job because Cryptopia had strong two-factor authentication requirements. That would have made it harder (though certainly not impossible) for an outside hacker to compromise accounts.
Even discounting an inside job, there have been longstanding signs of trouble at Cryptopia. Veteran crypto reporter Ian DeMartino reported in November 2018 that Cryptopia had disabled more than 100 different trading pairs in small-cap coins, and was pressing some coin developers to pay steep listing fees to reactivate trading, perhaps in response to malicious attacks that drained funds. In the past, exchanges such as Mt. Gox have allegedly concealed chronic losses, sometimes for months, before finally becoming insolvent, throwing in the towel completely—and taking depositor funds with them.