
Hackers steal over $160 million from crypto market maker Wintermute

More than $160 million was stolen from Wintermute, a cryptocurrency market maker, in a brute-force attack Sept. 20. Pictured: ETHDenver sponsors are listed on a banner on Feb. 18, 2022, in Denver. (Photo by Michael Ciaglo/Getty Images)

Cryptocurrency market maker Wintermute was breached in the early hours of Sept. 20, with attackers taking $162.5 million from the company’s decentralized finance (DeFi) business, as cryptocurrency firms have seemingly fallen prey to cybercriminals more often in recent months.

According to both a tweet from the CEO and founder, Evgeny Gaevoy, and various industry reports, the popular London-based crypto platform had its private key compromised in what appeared to be a brute-force attack that hobbled DeFi operations but reportedly did not affect Wintermute’s over-the-counter trading. (DeFi activities are those handled on the blockchain without using third parties.)

In a separate tweet, Gaevoy also claimed that Wintermute was “solvent with twice over that amount in equity left.” Recently named official DeFi market maker for the Tron network, the five-year-old Wintermute trades billions of dollars across crypto markets daily, providing liquidity across multiple venues.

“If you have a [market maker] agreement with Wintermute, your funds are safe,” Gaevoy further posted on Twitter. “There will be a disruption in our services today and potentially for (sic) next few days and will get back to normal after.”

On its own, this most recent attack would be noteworthy, but viewed in the broader context of other recent crypto compromises, it seems to indicate a troubling and worsening cybersecurity trend.

The Wintermute hack is the fifth largest so far this year, and the 12th largest of all time, according to Comparitech's cryptocurrency heist tracker, said Rebecca Moody, head of data research at Comparitech. Total losses from cryptocurrency heists since the beginning of 2022 have reached nearly $2.3 billion, roughly 30% of all crypto-breach losses overall (over several years) and close to the $2.7 billion lost in 2021, based on Comparitech’s research.

“2022 also looks set to be a record-breaking year for the number of attacks, with 126 recorded so far,” Moody said. “Just six below last year's total of 132.”

Other recent cryptocurrency breaches include crypto bridge Nomad, which had nearly $200 million drained in August, and DeFi protocol Curve Finance, which had $570,000 stolen last month, Moody pointed out.

The Wintermute hack demonstrates how vulnerable DeFi platforms are, said Jeff Williams, co-founder and CTO of Contrast Security, adding that software vulnerabilities continue to plague financial institutions at high rates.

"This is creating a serious challenge for growing DeFi companies to secure their software," Williams said.

Hugh Brooks, director of security operations at CertiK, a blockchain security tracker, estimated that cryptocurrency firms have lost at least $273 million so far this year to private key compromises, as Wintermute likely experienced, “making this one of the largest attack vectors this year.”

“The exploiter used a privileged function with the private key leak to specify that the swap contract was the attacker-controlled contract,” Brooks explained. “By utilizing the stolen private key, the hacker was able to redirect funds.”

Why have cryptocurrency market makers, bridges, platforms and other related crypto-businesses become such significant targets for bad actors? Rick Vanover, senior director for product strategy at Veeam, a large data protection, backup and recovery platform, said there are “a few angles” to this increasing barrage of attacks.  

“One [reason] is simple pride and credibility,” Vanover said. “If a lone individual hacked company X and did Y damage, that could be huge for the storytelling onwards in confident circles. But if you look into why these matters happen, it is for a payout.”

“Big incidents are always a thought-out affair, targeted, and often using multiple breakdowns in best practices or intended configurations,” Vanover added. “Why so much? The risks are high, and so much is on the line. The more digitally transformed an organization is, the higher the potential payout.”

Private key compromises and hacks can result in devastating losses for protocols. Here are several notable examples of private key compromises, including the attack on Wintermute:

  1. Wintermute: $162 million
  2. Harmony Protocol: $97 million
  3. Slope exploit: $8 million
  4. ZbExchange: $4.8 million
  5. Gera Coin: $1.4 million
  6. Marvin Inu: $350,000
  7. Bill Murray’s personal wallet: $177,000
  8. Citizen Finance: $94,000
  9. Pirate X Pirate: $81,000
  10. Impermax Finance: $47,000

Source: Investigations Team at Blockchain Intelligence Group  
