Wintermute, a leading cryptocurrency market maker, has revealed that hackers have managed to steal $160 million from the company’s decentralised finance (DeFi) unit. With the hack, London-based Wintermute becomes another entry in a long list of companies hit by cyber security breaches.
Founder and Chief Executive of Wintermute Evgeny Gaevoy disclosed information about the hack on Twitter while also adding that the company’s centralised finance and over-the-counter operations remained unaffected. Gaevoy added that despite the “ongoing hack,” the company remained solvent.
1. Attack vector
The attack was in relation to our wallet used for DeFi proprietary trading operations, which are completely separate and independent from our CeFi and OTC operations
— wishful cynic (@EvgenyGaevoy) September 20, 2022
A total of 90 different assets, worth $160 million in all, were stolen in the hack. Of this, $114 million was in the USDC and USDT stablecoins alone.
“We can confirm we remain in a financially strong position and there is no more further damage possible in relation to this hack,” Marina Gurevich, Chief Operating Officer, Wintermute, told Bloomberg.
Gaevoy said that the company would honour all contracts that it has with lenders. “If you have a MM agreement with Wintermute, your funds are safe. There will be a disruption in our services today and potentially for next few days and will get back to normal after,” he said.
Wintermute currently owes over $200 million to various DeFi lenders, including a $92 million tether (USDT) loan that matures on October 15, CoinDesk reported.
Gaevoy revealed that the hack was potentially executed using a known exploit associated with Profanity, a cryptocurrency vanity wallet address generator. Wintermute had generated a wallet address with several leading zeroes for “optimization” reasons, and not “vanity,” said Gaevoy.
The wallet address was generated back in June, and Gaevoy said the company has since moved to more secure script-based wallet address generation. Other experts have chimed in, stating that due to the lack of security of such vanity wallet addresses, the attack was most likely a brute-force hack.
Currently, Wintermute is offering the hacker a 10 percent bounty, or $16 million, in exchange for returning the stolen assets. But Gaevoy added that “the window of opportunity to do so is closing fast due to the high profile of this exploit.”
We are working on multiple leads, both internally and externally and would prefer to resolve this in a simple way, but the window of opportunity to do so is closing fast due to the high profile of this exploit
— wishful cynic (@EvgenyGaevoy) September 20, 2022