Wintermute, a London-based cryptocurrency firm that trades billions of dollars’ worth of digital assets daily, lost $160 million in a hack early on Tuesday. Founder and CEO Evgeny Gaevoy says he learned of the hack a few minutes after it took place, around 6:00 AM London time. An hour later, he announced the theft on Twitter without saying how it happened. All told, the hacker stole about $120 million worth of Wintermute’s “stable coins” including USDC and USDT, $20 million worth of its bitcoin and ether and another $20 million worth of lesser-known cryptocurrencies.
Gaevoy explained to Forbes that, although the investigation is still ongoing, the hack likely originated with a service called Profanity, which generates “vanity addresses” for digital cryptocurrency accounts to make them easier to work with. Otherwise, crypto accounts are roughly 30-character strings of varied letters and numbers. Last week, a blog post by another crypto firm revealed a security vulnerability with Profanity’s code. The gist of the problem: someone with enough computing power can generate all the possible keys or passwords created for a Profanity vanity address. Then they can scan the associated accounts to see how much money they hold and steal the funds.
Wintermute had been using Profanity not to create easy-to-remember names for digital accounts, but to lower its trading transaction costs, since that’s another feature of Profanity’s service, Gaevoy says. When Wintermute learned of the vulnerability last week, they took steps to technologically “blacklist” their Profanity accounts, shielding them from being liquidated. However, due to their own “human error,” one of the 10 accounts didn’t get blacklisted, according to Gaevoy, which probably resulted in the $160 million heist.
These trading accounts were part of Wintermute’s “decentralized finance” or DeFi business, where it makes rapid trades on decentralized exchanges like Uniswap and Sushi Swap that aren’t controlled by a single entity. Since the DeFi ecosystem is young, highly experimental and designed to be more openly accessible than traditional finance, it doesn’t have the same safeguards that centralized exchanges like Coinbase has. “You don’t have any circuit breakers. You don’t have any two-factor authentication to help store your keys,” Gaevoy says.
In 2021, DeFi hacks totaled $1.3 billion, according to research by security firm Certik. Analytics firm Chainalysis estimates that North Korea-linked groups stole $1 billion from DeFi protocols in the first eight months of 2022.
Some tried and true security practices in crypto, such as using external hardware wallets or “multi-sig” applications that need to be digitally signed by multiple parties before a transaction is approved, can’t be used for the type of automated trading Wintermute does. “You need to sign transactions on the fly, within seconds,” says Gaevoy. So they had to invent their own tech tools and security protocols. “Ultimately, that’s the risk we took. It was calculated.” DeFi has been a flourishing part of Wintermute’s business in prior years. “It didn’t work out this year,” he admits.
The Wintermute CEO has some leads on who the hacker might be, and he’s investigating them “both internally and with the use of external partners.” He’s hoping that the hacker will become a “white hat” who returns most of the funds, and he’s now offering a 10% bounty, or $16 million, if the hacker gives back the remaining $144 million. He tweeted that Wintermute “would prefer to resolve this in a simple way, but the window of opportunity to do so is closing fast due to the high profile of this exploit.”
Despite the new $160 million hole in its balance sheet, Gaevoy says Wintermute is on sound financial footing, with more than $350 million in equity. “We are one of the very few crypto-native proprietary trading firms that can actually take this punch,” the CEO says. For a couple hours after the hack, the company paused its OTC trading desk, where it facilitates large trades between other parties. But that has resumed to its normal operation.