Cryptocurrency market maker Wintermute has disclosed that it has lost US$162.5 million in a hack.
Founder and CEO Evgeny Gaevoy disclosed the hack in a series of tweets, saying that as of September 20 the hack was “ongoing” and that, despite the hack, the company was “solvent with twice over that equity left”. He reassured customers that their funds were safe and said that the company may be disrupted for a couple of days but will “get back to normal after [the breach]”.
Gaevoy also appealed to the hacker in his tweets, saying: “We are (still) open to treat this as a white hat, so if you are the attacker – get in touch.” He later posted a follow-up statement, offering the hacker a bounty of 10 percent of all funds taken if they returned the rest of the funds.
While Wintermute has not made an official statement on how the hack took place, Gaevoy referred in his tweets to an “exploit” being used. Cryptocurrency news site Cointelegraph has suggested that a vulnerability in private keys generated by the Profanity app was exploited during the attack. A private key is a secure code that proves ownership of a cryptocurrency wallet and allows the holder of the wallet to make transactions.
The vulnerability was first spotted by cryptocurrency network 1inch, which noted in a blog post on September 13 that “1inch contributors noticed that Profanity used a random 32-bit vector to seed 256-bit private keys and suspected it could be unsafe”. 1inch also said in the blog post that customers’ wallets were “not saf[e]” if the address was generated using Profanity.