The largest crypto asset theft in history: $1.5 billion in ETH stolen, with a wave of large-scale account freezes likely to follow.
Crypto exchange hit by a major security breach, prompting industry-wide warnings
On February 21, 2025, a well-known cryptocurrency exchange suffered a serious security breach, resulting in approximately $1.5 billion in assets being stolen from its Ethereum cold wallet. This incident is considered the largest single theft in the history of cryptocurrency, surpassing previous records such as the $611 million taken from Poly Network in 2021 and the $620 million taken from Ronin Network in 2022, and it has shaken the entire industry.
This article analyzes the hacking incident and the attackers' money laundering techniques, and warns readers that in the coming months there may be a large-scale wave of account freezes targeting over-the-counter trading groups and crypto payment companies.
Detailed Explanation of the Theft Process
According to descriptions from exchange executives and preliminary investigations by blockchain analysis companies, the theft process is roughly as follows:
Attack Preparation: The hacker deployed a malicious smart contract at least three days before the incident (February 19) to prepare for the subsequent attack.
Infiltration of the multi-signature system: The exchange's Ethereum cold wallet uses a multi-signature mechanism, typically requiring multiple authorized signatures to execute transactions. The hacker infiltrated the computer managing the multi-signature wallet through unknown means, possibly using a disguised interface or malware.
Disguised Transaction: On February 21, the exchange planned to transfer ETH from the cold wallet to the hot wallet to meet daily trading needs. The hackers took advantage of this opportunity: the signing interface was disguised to show a normal operation, luring the signers into confirming what appeared to be a legitimate transfer. The instruction they actually signed, however, altered the logic of the cold wallet smart contract.
Fund Transfer: Once the instruction took effect, the hacker quickly took control of the cold wallet and transferred approximately $1.5 billion worth of ETH and ETH staking tokens to an unknown address. The funds were then dispersed across multiple wallets and the money laundering process began.
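The step the signers missed was an independent check of what they were about to approve, rather than what the interface displayed. The following added example (not code from the article or from any exchange) shows such a pre-signing policy check; it assumes a hypothetical JSON payload shape (to, value_wei, data, operation) fetched out of band from the wallet backend, and the allow-list and limits are constructed values.

```python
"""Independent pre-signing check for a multisig cold-wallet sweep.

Added example, not taken from the article or any exchange's tooling. The
payload shape {to, value_wei, data, operation} is a hypothetical one that a
signer pulls from the wallet backend out of band instead of trusting the UI.
"""
CALL, DELEGATECALL = 0, 1  # operation codes used by common multisig wallets

# Constructed allow-list: the only destination a cold->hot sweep may go to.
HOT_WALLETS = {"0x1111111111111111111111111111111111111111"}
MAX_SWEEP_WEI = 20_000 * 10**18  # constructed daily sweep limit


def check_sweep(payload: dict) -> list:
    """Return the list of policy violations; an empty list means safe to sign."""
    problems = []
    to = payload.get("to", "").lower()
    data = payload.get("data", "0x")
    if to not in {a.lower() for a in HOT_WALLETS}:
        problems.append(f"destination {to} is not an approved hot wallet")
    if payload.get("operation", CALL) != CALL:
        # A DELEGATECALL runs foreign code in the wallet's own storage context
        # and can rewrite its logic; a plain ETH sweep never needs it.
        problems.append("operation is not a plain CALL")
    if data not in ("", "0x"):
        # A plain ETH transfer carries no calldata at all.
        problems.append(f"unexpected calldata ({len(data) // 2 - 1} bytes)")
    if int(payload.get("value_wei", 0)) > MAX_SWEEP_WEI:
        problems.append("value exceeds sweep limit")
    return problems


# Constructed payloads: the first is a genuine sweep, the second is the kind of
# payload that could silently change the wallet's logic while the UI shows a
# transfer (0xa9059cbb is the standard ERC-20 transfer selector).
LEGIT = {"to": "0x1111111111111111111111111111111111111111",
         "value_wei": str(5_000 * 10**18), "data": "0x", "operation": CALL}
SPOOFED = {"to": "0x2222222222222222222222222222222222222222",
           "value_wei": "0", "data": "0xa9059cbb" + "00" * 64,
           "operation": DELEGATECALL}

if __name__ == "__main__":
    for name, p in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, check_sweep(p) or "OK")
```

Each signer running this against a payload obtained independently of the web interface would have seen three violations on the spoofed transaction, none on the genuine sweep.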
Money Laundering Techniques
The fund laundering process is mainly divided into two stages:
The first stage was the initial splitting of funds. The attacker quickly exchanged the ETH staking tokens for ETH, rather than opting for stablecoins whose issuers can freeze them. They then systematically split the ETH and transferred it to lower-level addresses in preparation for laundering.
It is worth noting that at this stage the attacker's attempt to exchange 15,000 mETH for ETH was stopped in time, allowing the industry to recover part of the losses.
The second stage was the laundering itself. The attackers used both centralized and decentralized industry infrastructure to move funds, including multiple well-known cross-chain protocols and decentralized exchanges, which served for swapping assets or bridging them to other chains.
As of this writing, a large portion of the stolen funds has been exchanged for mainstream cryptocurrencies such as BTC, DOGE, and SOL for onward transfer, and some funds have even been used to issue meme coins or sent to exchange addresses for obfuscation.
Blockchain analysis companies are closely monitoring relevant addresses, and related information will be pushed to users through professional platforms to prevent mistakenly receiving stolen funds.
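The practical defense for an OTC desk or payment company is to screen incoming deposits by their hop distance from publicly flagged addresses before crediting them. The following added example (not code from the article or from any analytics vendor) does this with a breadth-first search over a constructed transfer set that mirrors the fan-out pattern described above; the flagged address list, transfers and hop threshold are all constructed values.

```python
"""Hop-distance screening of an incoming deposit against flagged addresses.

Added example, not from the article or any analytics vendor. The flagged
set and transfers below are constructed; a real deployment would pull both
from a chain indexer and a published list of addresses tied to the theft.
"""
from collections import deque

# Constructed seed: addresses publicly flagged as holding the stolen funds.
FLAGGED = {"0xhack01"}

# Constructed transfers (sender, receiver, amount) showing the split pattern
# from the article: one address fanned out to lower-level wallets, one of
# which is routed on to a mixer and then to an OTC desk.
TRANSFERS = [
    ("0xhack01", "0xsplit1", 1000.0),
    ("0xhack01", "0xsplit2", 1000.0),
    ("0xsplit1", "0xmixer", 600.0),
    ("0xmixer", "0xotcdesk", 590.0),
    ("0xclean", "0xotcdesk", 50.0),
]


def build_graph(transfers):
    """Map each sender to the set of receivers it has funded."""
    out = {}
    for src, dst, _amount in transfers:
        out.setdefault(src, set()).add(dst)
    return out


def taint_distance(address, transfers=TRANSFERS, flagged=FLAGGED, max_hops=5):
    """Shortest number of hops from any flagged address to `address`,
    or None when no flagged address reaches it within max_hops."""
    graph = build_graph(transfers)
    queue = deque((seed, 0) for seed in flagged)
    seen = set(flagged)
    while queue:
        node, hops = queue.popleft()
        if node == address:
            return hops
        if hops == max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None


def screen_deposit(sender, hold_within_hops=3):
    """Hold a deposit for manual review when its sender sits close to tainted funds."""
    distance = taint_distance(sender)
    return "hold" if distance is not None and distance <= hold_within_hops else "accept"
```

Hop distance alone ignores amounts and timing, so it is a triage signal for holding a deposit pending review, not a final determination.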
Analysis of Hacker Organization Background
By analyzing the flow of funds, researchers found that this attack is linked to two exchange theft incidents that occurred in October 2024 and January 2025, indicating that these three attacks may originate from the same hacker organization.
Considering its highly specialized money laundering methods and attack techniques, some blockchain security experts attribute this incident to a notorious hacking organization. This organization has launched cyber attacks on institutions and infrastructure in the cryptocurrency industry multiple times over the past few years, illegally obtaining cryptocurrency assets worth billions of dollars.
Potential Freezing Risk
Blockchain analysis companies have found in their investigations over the past few years that this hacker organization not only uses decentralized platforms for money laundering but also relies heavily on centralized exchanges for cashing out. As a direct result, many exchange users whose accounts inadvertently received illicit funds have been placed under risk control, and the business addresses of over-the-counter traders and payment institutions have been frozen.
For example, in 2024, a Japanese cryptocurrency exchange was attacked, and $600 million worth of Bitcoin was stolen. Part of the funds was transferred to a cryptocurrency payment institution in Southeast Asia, resulting in the freezing of the institution's hot wallet address, with approximately $29 million in funds locked.
In 2023, another well-known exchange was attacked, and over $100 million in funds was illegally transferred. Some of the funds were laundered through over-the-counter transactions, resulting in the freezing of business addresses for many over-the-counter traders or their accounts being risk-controlled at the exchange, severely impacting normal operations.
Conclusion
Frequent hacker attacks not only cause significant losses to the crypto industry; the money laundering that follows also harms many innocent individuals and institutions. For these potential victims, staying vigilant in daily operations and monitoring suspicious fund flows is essential to managing the risk. Industry participants should work together to raise security awareness and strengthen defenses so that the whole ecosystem can develop soundly.