The largest bitcoin and ether exchange in South Korea by volume, Bithumb, was recently hacked.
Monetary losses from compromised accounts have started to surface, and are quickly reaching into the billions of won.
With a reported 75.7% share of the South Korean bitcoin market volume, Bithumb is one of the five largest bitcoin exchanges in the world and hosts over 13,000 bitcoins' worth of trading volume daily, or roughly 10 percent of the global bitcoin trade.
The exchange also hosts the world’s largest ether market. While trade in the South Korean won currently makes up the fourth largest currency market for bitcoin, trailing the US dollar, Chinese yuan and Japanese yen, the won market is Ethereum’s largest. Bithumb accounts for around 44 percent of South Korean ether trading.
A cyber attack late last week resulted in the loss of billions of won from customers' accounts. According to a major local newspaper, the Kyunghyang Shinmun, one victim alone claimed that “bitcoins worth 10 million won” in his account “disappeared instantly.” A survey of those who lost money from the hack reveals “it is estimated that hundreds of millions of won have been withdrawn from accounts of one hundred investors. One member claims to have had 1.2 billion won stolen.”
Hackers succeeded in grabbing the personal information of 31,800 Bithumb website users, including their names, mobile phone numbers and email addresses. The exchange claims that this number represents approximately three percent of customers.
The breach was discovered by Bithumb on June 29 and reported to the authorities on June 30. More than 100 Bithumb customers have since filed a complaint with the National Police Agency’s cybercrime report center.
While admitting to being hacked on their website, Bithumb maintained that there was no direct access to funds stored on the exchange. Nonetheless, many customers are reporting their digital currency wallets being emptied. The exchange further claims that the breach affected a personal computer belonging to an employee, and not the exchange’s internal network, servers or digital currency wallets.
While victim accounts of precisely how their funds were stolen have widely differed, attackers appear to have stolen enough credentials to start a process of “voice phishing,” where the scammers call up victims one at a time and pose as agents of Bithumb.
One victim claims the attacker posed as an executive at Bithumb and telephoned to say he was “suspicious of a foreign hacking trade,” and instructed his victim to give him an “identification number written on the letter from Bithumb.” The number in question was the victim’s one-time password (OTP), which allowed the attacker instant access to ten million won, worth about US$8,700.
The exchange posted a note on their site saying that “compensation for personal information leakage cases has been determined.” The company stated they would pay as much as 100,000 won per person, now worth US$870, to associates. Further damages will be paid once the amount is substantiated.
They also assert they reported the hack to three different agencies, the Korea Communications Commission, the Korea Internet & Security Agency (KISA), and the Supreme Prosecutors’ Office. However, the Herald reported on Monday that about 100 victims are expected to file a class action lawsuit against Bithumb.
It’s unclear if the exchange will be legally accountable for the missing funds, even after the damages are shown. The situation is complicated by a lack of regulation regarding digital currencies in South Korea, which have yet to be recognized at all.
The Korea Herald reported that a set of bills has been prepared by Rep. Park Yong-jin of the ruling Democratic Party of Korea. The bills aim to revise the Electronic Financial Transaction Act and give cryptocurrencies such as bitcoin and ether a legal status. A similar procedure was recently completed in Japan, which legalized bitcoin payments on April 1.
The amended bills state that only businesses with capital of 500 million won or more, sufficient expert manpower, and automated equipment are permitted to acquire and handle digital currency. There are also reporting requirements for anyone earning money from trading digital currencies.