Nicehash, the cryptocurrency mining company, has confirmed the theft of over 4,736.43 Bitcoin, worth over $75 million at today’s prices.

What We Know

On Wednesday, December 6th, the Nicehash team reported that someone had compromised their systems. Once inside, the attacker(s) successfully transferred over 4,000 BTC to a wallet they controlled. Nicehash has not disclosed further details because they have asked law enforcement for help. Reddit user /u/BlueeDog4 believes the attackers succeeded by modifying Nicehash’s records of account balances:

I would also point out that compromising private keys is not the only way an attacker can steal money from a bitcoin related business. If an attacker is able to compromise the database that keeps track of individual account balances, then you can trick the business into thinking your account has a higher balance than it should, and into processing a withdrawal to an address the attacker controls. If I understand the Nicehash attack correctly, the attacker was able to change account balances.

Nicehash has since stated they will fully reimburse the loss of all customer funds. CEO Marko Kobal states:

We fully intend to make this right. It’s a matter of deep concern to us and we’re working hard to rectify the matter in the coming days. We’re working on a solution to ensure that all users are reimbursed. These things are delicate matters, and take time, so we would ask our community to be patient while we get this fixed and fully investigated. As soon as we have a full plan in place we will communicate it to our users and all those affected.

The Nicehash Theft

From what users report, the attackers moved the stolen Bitcoin to address 1EnJHhq8Jq8vDuZA5ahVh6H4t6jh1mB4rq. Review of the blockchain indicates that the attackers started moving BTC from address 12VkDG5PSo5Qh6Lzjje72eCvVwrTwdiuFK on the morning of Dec 6th. The first transaction, 07e31965e8b535f2b3d3e3eab489d15d40e383e543c0297bf172d66ff22a6e65, appears to be a test transaction to verify that money could be moved successfully. This makes sense: the attackers wanted to confirm that they could actually receive the stolen coins in a new wallet. More importantly, Nicehash reportedly paid users from this wallet, so a small transaction would not stand out in Nicehash’s systems. Once that transaction confirmed, the attackers moved BTC in blocks of 1,000 over a period of two minutes. We then see several smaller (sub-1 BTC) transactions, presumably as new coins flowed into the wallet from normal user activity.
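Two of the observations above suggest controls a payout operator can run independently of its web application: the Reddit comment's scenario, in which the balance table is edited directly, is caught by replaying an append-only deposit/withdrawal journal and by reconciling total customer liabilities against the on-chain balance of the payout wallet; the pattern of a small probe followed by 1,000 BTC blocks within two minutes is caught by a per-destination velocity rule. The following is an added example written for this article, not Nicehash's code or data. The ledger, journal, wallet balance, addresses and timestamps are all constructed sample values; acct-003 is built to look like a row an attacker inflated without a matching journal entry.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# --- Constructed sample data (illustrative only, not Nicehash's real records) ---

# Customer balances as stored in the accounts table (BTC).
# acct-003 is constructed to look as if someone edited the row directly.
LEDGER = {
    "acct-001": 12.5,
    "acct-002": 3.25,
    "acct-003": 4200.0,
}

# Append-only journal the balances are supposed to be derived from.
Event = namedtuple("Event", "account kind amount")
JOURNAL = [
    Event("acct-001", "deposit", 12.5),
    Event("acct-002", "deposit", 5.0),
    Event("acct-002", "withdrawal", 1.75),
    Event("acct-003", "deposit", 0.2),
]

# Funds actually held in the payout (hot) wallet, as read from the chain (constructed).
ONCHAIN_HOT_WALLET_BTC = 950.0

Withdrawal = namedtuple("Withdrawal", "ts amount dest")
WITHDRAWALS = [
    # small probe, then four 1,000 BTC payouts within two minutes (constructed pattern)
    Withdrawal(datetime(2017, 12, 6, 0, 0, 0), 0.01, "1ConstructedAttackerDest"),
    Withdrawal(datetime(2017, 12, 6, 10, 0, 0), 1000.0, "1ConstructedAttackerDest"),
    Withdrawal(datetime(2017, 12, 6, 10, 0, 30), 1000.0, "1ConstructedAttackerDest"),
    Withdrawal(datetime(2017, 12, 6, 10, 1, 0), 1000.0, "1ConstructedAttackerDest"),
    Withdrawal(datetime(2017, 12, 6, 10, 1, 30), 1000.0, "1ConstructedAttackerDest"),
    # an ordinary user payout that must not raise an alert
    Withdrawal(datetime(2017, 12, 6, 10, 0, 10), 0.5, "1ConstructedUserDest"),
]


def replay_journal(journal):
    """Recompute every balance from the event journal alone."""
    balances = {}
    for ev in journal:
        sign = 1 if ev.kind == "deposit" else -1
        balances[ev.account] = balances.get(ev.account, 0.0) + sign * ev.amount
    return balances


def find_tampered_accounts(ledger, journal, epsilon=1e-8):
    """Accounts whose stored balance disagrees with the replayed journal."""
    expected = replay_journal(journal)
    return sorted(acct for acct, bal in ledger.items()
                  if abs(bal - expected.get(acct, 0.0)) > epsilon)


def reconcile_reserves(ledger, onchain_balance):
    """Total customer liabilities must not exceed what the wallet actually holds.
    Returns (ok, liabilities, deficit)."""
    liabilities = sum(ledger.values())
    deficit = liabilities - onchain_balance
    return deficit <= 0, liabilities, deficit


def detect_bursts(withdrawals, window=timedelta(minutes=2), btc_threshold=2000.0):
    """Flag destinations that receive more than btc_threshold inside any sliding window."""
    by_dest = {}
    for w in sorted(withdrawals, key=lambda w: w.ts):
        by_dest.setdefault(w.dest, []).append(w)
    alerts = []
    for dest, ws in by_dest.items():
        start = 0
        for end in range(len(ws)):
            while ws[end].ts - ws[start].ts > window:   # shrink window from the left
                start += 1
            total = sum(w.amount for w in ws[start:end + 1])
            if total > btc_threshold:
                alerts.append((dest, total))
                break   # one alert per destination is enough
    return alerts


if __name__ == "__main__":
    print("tampered accounts:", find_tampered_accounts(LEDGER, JOURNAL))
    print("reserve check:", reconcile_reserves(LEDGER, ONCHAIN_HOT_WALLET_BTC))
    print("burst alerts:", detect_bursts(WITHDRAWALS))
```

The journal replay is the control that matters most here: a withdrawal that passes the application's own balance check looks legitimate by definition once the balance row has been altered, so the check has to come from a record the web tier cannot rewrite. The reserve reconciliation catches the same tampering from the other side, since inflated balances push liabilities above what the wallet holds, and the velocity rule is the last line, firing while the 1,000 BTC blocks are still being paid out.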

Cashing Out?

After a week, we’ve started seeing coins move out of the wallet (TX 1, TX 2). Judging from the activity since, the attackers are using a mixing service to obscure where the coins came from and to begin cashing out. We do not know why they chose this route. Anyone can still trace the coins, so why not use a cryptocurrency exchange to convert them into an untraceable currency like Monero? The attackers may also be waiting for the Lightning Network to become mainstream. Lightning also allows pseudonymous transactions, as long as they stay within a single node’s purview. Since the node pushes transactions to the main blockchain only when a channel closes, the attackers could mix the coins with other transactions and further obscure the source of the funds.
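The claim that anyone can still trace the coins is worth making concrete. Below is an added example, not part of the original article and not based on the real Nicehash transactions: a small forward taint tracer over a constructed transaction graph. It uses the proportional ("haircut") heuristic, in which each output of a transaction inherits the value-weighted fraction of taint carried by that transaction's inputs, and reports how much tainted value sits in unspent outputs. The transaction ids, amounts and the mixing step are all constructed; real mixers and CoinJoin-style transactions need more sophisticated heuristics than this, but the example shows why mixing dilutes traceability rather than removing it.

```python
from collections import namedtuple

# A transaction: inputs reference earlier outputs as (txid, vout); outputs are BTC amounts.
Tx = namedtuple("Tx", "txid inputs outputs")

# Constructed transaction graph (illustrative only, not the real Nicehash transactions).
TXS = [
    Tx("theft", [], [1000.0]),    # flagged: stolen funds landing in the attacker wallet
    Tx("clean", [], [1000.0]),    # unrelated legitimate funds
    # a mixing step that joins tainted and clean inputs and splits them three ways
    Tx("mix1", [("theft", 0), ("clean", 0)], [500.0, 500.0, 1000.0]),
    Tx("spend", [("mix1", 2)], [999.9]),   # one output moved on again (0.1 BTC fee)
]

# Outputs known to carry stolen value, with the fraction of their value that is tainted.
FLAGGED = {("theft", 0): 1.0}


def build_index(txs):
    return {tx.txid: tx for tx in txs}


def taint_fraction(outpoint, index, flagged, memo):
    """Fraction of an output's value traceable to flagged outputs (haircut model)."""
    if outpoint in flagged:
        return flagged[outpoint]
    if outpoint in memo:
        return memo[outpoint]
    tx = index[outpoint[0]]
    if not tx.inputs:              # a source with no flagged ancestry
        memo[outpoint] = 0.0
        return 0.0
    total_in = tainted_in = 0.0
    for prev in tx.inputs:
        amount = index[prev[0]].outputs[prev[1]]
        total_in += amount
        tainted_in += amount * taint_fraction(prev, index, flagged, memo)
    frac = tainted_in / total_in if total_in else 0.0
    memo[outpoint] = frac          # every output of a tx inherits the same fraction
    return frac


def unspent_outputs(txs):
    """Outpoints never referenced as an input by any transaction in the set."""
    spent = {prev for tx in txs for prev in tx.inputs}
    return [(tx.txid, vout)
            for tx in txs
            for vout in range(len(tx.outputs))
            if (tx.txid, vout) not in spent]


def trace(txs, flagged):
    """Return ({outpoint: (amount, taint_fraction)} for unspent outputs, total tainted BTC)."""
    index = build_index(txs)
    memo = {}
    report = {}
    total_tainted = 0.0
    for op in unspent_outputs(txs):
        amount = index[op[0]].outputs[op[1]]
        frac = taint_fraction(op, index, flagged, memo)
        report[op] = (amount, frac)
        total_tainted += amount * frac
    return report, total_tainted


if __name__ == "__main__":
    report, total = trace(TXS, FLAGGED)
    for op, (amount, frac) in sorted(report.items()):
        print(f"{op[0]}:{op[1]}  {amount:10.4f} BTC  taint={frac:.2f}")
    print(f"tainted value still unspent: {total:.4f} BTC")
```

After the constructed mixing step every downstream output carries a taint of 0.5, so the stolen value has not disappeared; it has been spread across more outputs, and an investigator following any of them still lands on the mixing transaction and, through it, on the flagged source.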

Secure Compliance Solutions LLC (SCS) provides a wide range of cybersecurity consulting and managed security services to small and medium sized businesses (SMB) and government agencies, fortifying their Information Security and Data Privacy programs. SCS works with its clients to tailor and implement industry-proven frameworks and standards to meet compliance goals and drive consistent security operations. We raise awareness of current security trends and risks to prepare personnel to recognize and defend against potential security issues. We implement technical solutions and controls to minimize data risks and liabilities. Our Managed Security Service provides “constant watch” against both internal and external cyber threats and attacks. At SCS, we promote a strategy of readiness and resilience that facilitates business risk mitigation and enables dynamic response capabilities to keep your business up and running. Contact us to learn more.