
The 2020 EXMO security incident: resolved

Having faced a bad actor attack last year, we’re reporting that the issue has been resolved completely and lessons have been learnt. Read on for further details.


Overview of the attack

In December 2020, EXMO became the target of a hack against the platform’s hot wallets, which are used for deposit and withdrawal transactions. The attack was identified immediately, which allowed us to react quickly and limit the loss to 5% of total assets.

The security incident has now been completely resolved with 100% of funds reimbursed to our users.

Response steps

We’re focused on protecting our users from any security threat that could exploit a vulnerability and cause them to lose their funds. When we detected the attack, we reacted right away to address the vulnerabilities and stop the attackers from causing more damage.

Immediate actions to cut damage

Once the attack was detected, we suspended all withdrawal and deposit transactions to prevent a bad actor from transferring funds to their wallet.

Keeping users informed

Adhering to our transparency principles, we published a public blog post detailing the hack and its implications. We also communicated via all our channels to ensure our users were made aware of the incident immediately.

External reporting

We contacted leading security intelligence and blockchain analytics providers, including Chainalysis, Crystal and CipherTrace, to report the security incident. The attacker’s wallet was labelled ‘EXMOHACKEDCUSTOMER’ and its entity type was changed to ‘Criminal’ with a risk score of 10, to prevent it from carrying out further transactions.

We agreed to trace all of the hacker’s transactions as part of these organisations’ extensive investigation and to provide further updates whenever new data about the incident was discovered.

Attack investigation

We contacted Poloniex, which the attacker used for transactions. The exchange confirmed that it had allowed the attacker’s account to be registered with an anonymous email address and that it had allowed multiple transactions because it did not find them suspicious.

Following our subsequent requests for further information to support a thorough investigation, the exchange failed to respond. We also approached the Seychelles Central Bank and the Seychelles Financial Intelligence Unit directly, which provide services to Poloniex. EXMO requested their help and cooperation in retrieving the stolen digital assets; however, we did not hear back from them either.

To identify the vulnerability that allowed the attackers to carry out the hack, we partnered with an industry-leading agency specialising in investigating cybersecurity breaches. They assisted us in identifying weaknesses and finding solutions to prevent further incidents.

Reporting to law enforcement

In addition to undertaking a thorough internal investigation, we also briefed appropriate government agencies on this incident:

  • The Metropolitan Police in London, United Kingdom.
  • Action Fraud, the UK’s national reporting centre for fraud and cyber crime.
  • The National Crime Agency, via a ‘Suspicious Activity Report’.
  • Britain’s Financial Conduct Authority.

We kept in touch with all of these authorities and security intelligence providers to exchange relevant information and provide updates on the incident so that timely action could be taken.

Recovery and security improvements

Having investigated the incident, we released important security updates to minimise the risk of any similar attacks taking place in the future.

Stronger custody security with Ledger Vault integration

EXMO has struck a partnership with Ledger Vault, a world-recognised leader in cryptocurrency wallet management solutions. Thanks to Ledger Vault technology, we have greater control over withdrawal requests through its key-generation and multi-authorisation capabilities. EXMO traders can now benefit from secure and smooth day-to-day withdrawal flows.

Upgraded crypto wallet infrastructure

We revamped our entire server infrastructure supporting the crypto wallet pools, with a completely upgraded data centre and security hardware and software provided by a world-leading provider.

Hardware security module

We’ve implemented an off-site hardware security module (HSM) cluster from a globally renowned security provider. These HSMs allow us to store private keys off-site, raising our security level. The physical HSM performs hot wallet transaction signing at up to 50,000 messages per second within a FIPS-certified, secured and tamper-proof environment. Signing takes place entirely inside the module, with no human involvement in, or exposure of, the key pair, so the private keys cannot leak through human access.
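The two controls described in the Ledger Vault and HSM sections above, multi-authorisation of withdrawal requests and signing behind a boundary that application code cannot read keys from, can be modelled together. The following is an added illustration, not EXMO’s, Ledger’s or the HSM vendor’s code: it gates a withdrawal on a quorum of distinct, allow-listed approvers who each approved the exact request, and only then hands the request digest to a signer that generated its key internally and exposes nothing but sign/verify. HMAC-SHA256 from the standard library stands in for the HSM’s asymmetric signing so the example runs offline; the request fields, approver identities and quorum size are constructed for the example.

```python
"""Multi-authorisation withdrawal gate in front of an isolated signer (illustration only)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def request_digest(request: dict) -> str:
    """Canonical SHA-256 of a withdrawal request, so every approval binds to the same bytes."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class IsolatedSigner:
    """Stand-in for an HSM: the key is generated inside and is never returned to callers.

    HMAC is used here only so the example runs offline; a real module would sign with
    an asymmetric key that likewise never leaves the device.
    """

    def __init__(self) -> None:
        key = secrets.token_bytes(32)  # generated in the boundary, never imported or exported
        # Only these closures see the key; no attribute on the object holds it.
        self._sign = lambda data: hmac.new(key, data, hashlib.sha256).hexdigest()
        self._verify = lambda data, sig: hmac.compare_digest(self._sign(data), sig)

    def sign(self, digest: str) -> str:
        return self._sign(digest.encode())

    def verify(self, digest: str, signature: str) -> bool:
        return self._verify(digest.encode(), signature)


@dataclass
class Approval:
    approver: str  # identity of the person or device approving
    digest: str    # digest of the request they actually reviewed


@dataclass
class WithdrawalGate:
    signer: IsolatedSigner
    approvers: frozenset  # identities allowed to approve
    required: int         # quorum size, e.g. 2 of 3
    log: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 2 <= self.required <= len(self.approvers):
            raise ValueError("quorum must be at least 2 and at most the approver count")

    def submit(self, request: dict, approvals: list) -> dict:
        digest = request_digest(request)
        seen = set()
        for a in approvals:
            if a.approver not in self.approvers:
                return self._reject(digest, f"unknown approver {a.approver}")
            if a.digest != digest:
                return self._reject(digest, f"{a.approver} approved a different request")
            seen.add(a.approver)  # a set: one person approving twice counts once
        if len(seen) < self.required:
            return self._reject(digest, f"{len(seen)} of {self.required} approvals")
        signature = self.signer.sign(digest)  # key material never touches this code path
        self.log.append(("signed", digest, sorted(seen)))
        return {"status": "signed", "digest": digest, "signature": signature}

    def _reject(self, digest: str, reason: str) -> dict:
        self.log.append(("rejected", digest, reason))
        return {"status": "rejected", "digest": digest, "reason": reason}


def demo():
    """Run the gate against constructed requests: one valid, three that must be refused."""
    signer = IsolatedSigner()
    gate = WithdrawalGate(signer, frozenset({"ops-a", "ops-b", "ops-c"}), required=2)
    req = {"to": "constructed-address-1", "asset": "BTC", "amount": "0.5", "nonce": 17}
    d = request_digest(req)
    results = {
        "quorum": gate.submit(req, [Approval("ops-a", d), Approval("ops-b", d)]),
        "duplicate": gate.submit(req, [Approval("ops-a", d), Approval("ops-a", d)]),
        # amount changed after approval: the approvals no longer match the digest
        "tampered": gate.submit({**req, "amount": "50"}, [Approval("ops-a", d), Approval("ops-b", d)]),
        "outsider": gate.submit(req, [Approval("ops-a", d), Approval("mallory", d)]),
    }
    return signer, gate, results


if __name__ == "__main__":
    _, gate, results = demo()
    for name, r in results.items():
        print(name, r["status"], r.get("reason", ""))
    print(gate.log)
```

The point of binding approvals to the request digest is that a request edited after approval (a different amount or destination) is refused even with enough signatures attached, and the signer sees only digests, so nothing in the application process ever holds the signing key.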

Top-tier security team and practices

EXMO brought on board a highly experienced Chief Information Security Officer alongside a seasoned security team, with the goal of implementing best security practices and policies.

The team successfully rolled out strict procedures covering all aspects of product development, data centre security, acceptable encryption, data classification, information security, and password and asset management. These policies were implemented alongside a Security Operations Centre (SOC) deploying an extensive suite of tools, including Darktrace, Carbon Black, Qualys and LogRhythm, among others.

All of the implemented measures help us identify, prevent and remediate breaches or bad actor attacks, whether internal or external.

Security incident resolved, lessons learned

Despite this very unpleasant experience, we feel like we’ve coped with the situation extremely well and have come out even stronger having faced and dealt with the security challenge.