The largest bitcoin and ether exchange in South Korea by volume, Bithumb, was recently hacked. Monetary losses from compromised accounts have started to surface, and are quickly reaching into the billions of won.
With a reported 75.7% share of the South Korean bitcoin market volume, Bithumb is one of the five largest bitcoin exchanges in the world and hosts over 13,000 bitcoins worth of trading volume daily, or roughly 10 percent of the global bitcoin trade.
The exchange also hosts the world’s largest ether market. While trade in the South Korean won currently makes up the fourth largest currency market for bitcoin, trailing the US dollar, Chinese yuan and Japanese yen, the won market is Ethereum’s largest. Bithumb accounts for around 44 percent of South Korean ether trading.
A cyber attack late last week resulted in the loss of billions of won from customers accounts, according to a major local newspaper, the Kyunghyang Shinmun. One victim alone claimed that “Bitcoins worth 10 million won” in his account “disappeared instantly.”
Hackers succeeded in grabbing the personal information of 31,800 Bithumb website users, including their names, mobile phone numbers and email addresses. The exchange claims that this number represents approximately three percent of customers.
The breach was discovered by Bithumb on June 29 and reported to the authorities on June 30. More than 100 Bithumb customers have since filed a complaint with the National Police Agency’s cybercrime report center.
While admitting to being hacked on their website, Bithumb maintained that there was no direct access to funds stored on the exchange. Nonetheless, many customers are reporting their digital currency wallets being emptied. The exchange further claims that the breach was made to a personal computer belonging to an employee, and not the exchange’s internal network, servers nor digital currency wallets.
“The employee PC, not the head office server, was hacked. Personal information such as mobile phone and email address of some users were leaked. However, some customers were found to have been stolen from because of the disposable password used in electronic financial transactions.”
While victim accounts of exactly how their funds were stolen have widely differed, attackers appear to have stolen enough credentials to begin a process of “voice phishing,” where the scammers call up victims one at a time and pose as representatives of Bithumb.
One victim claims that the attacker posed as an executive at Bithumb and phoned to say that he was “suspicious of a foreign hacking transaction,” and instructed his victim to give him an “identification number written on the letter from Bithumb.” The number in question was the victim’s One-Time Password, (OTP) which granted the attacker immediate access to ten million won, worth about US$8,700.
The exchange posted a notice on their website stating that “compensation for personal information leakage cases has been decided.” The company said they would pay up to 100,000 won per person, currently worth US$870, to members. Further damages will be compensated for as soon as the amount is confirmed.
They also claim that they immediately reported the hack to three separate agencies, the Korea Communications Commission, the Korea Internet & Security Agency (KISA), and the Supreme Prosecutors’ Office. However, the Herald reported on Monday that about 100 victims are expected to file a class action lawsuit against Bithumb.
It is unclear whether the exchange will be legally responsible for the lost funds, even after the damages are proven. The situation is complicated by a lack of regulation regarding digital currencies in South Korea, which have not been recognized in any way.
The Korea Herald reported that a set of bills is being prepared by Rep. Park Yong-jin of the ruling Democratic Party of Korea. The bills aim to revise the Electronic Financial Transaction Act and give cryptocurrencies a legal standing, including bitcoin and ether. A similar process was recently completed in Japan, which legalized bitcoin payments on April 1.
The amended bills state that only companies with capital of 500 million won or more, sufficient professional manpower, and computerized equipment are allowed to receive digital currency and handle it. There would also be reporting regulations on anyone earning income from trading digital currencies.