Security Incident Report: What Happened on EXMO and Why You Shouldn’t Worry

While we are investigating the current situation, we ask you not to make cryptocurrency deposits to existing wallets. We are planning on enabling deposits and withdrawals on Thursday, December 24th, 2020.

Dear EXMO users,

While the investigation is still in progress, we are ready to share the following intermediate report.

We have detected that some amounts of BTC, XRP, ZEC, USDT, ETC and ETH were withdrawn to the hackers’ private addresses on December 21st, 2020 between 00:00 – 10:00 AM, UTC. Currently, almost the entire amount of stolen BTC is stored on the following BTC wallet: 1A4PXZE5j8v7UuapYckq6fSegmY5i8uUyq

On the morning of December 21st, we took the following measures to ensure the security of your funds:

  • Suspended all client deposits and withdrawals.
  • Traced that some funds (XRP and ETH) went to the Poloniex exchange and immediately contacted its support team to block the associated account.
  • Reported the case to the Police and National Cybersecurity center.
  • Made an announcement about the hack.
  • Contacted CipherTrace, Chainalysis, and Crystal to mark the hackers’ addresses, to which the funds were sent, as “criminal” and “high risk.” By collaborating with these services, we are making sure the stolen crypto will never get into the hands of innocent users.

The amount compromised in the hack makes up around 6% of the company’s total assets. We don’t believe it could affect EXMO’s status as a going concern. The company’s policy is to store around 5-10% of all its assets on hot wallets to enable fast withdrawals for users and limit potential losses from hacks. At the moment of the hack, there was approximately 5-10% of BTC on a withdrawal wallet, in line with the internal rules.

We are still investigating the hack internally, but here’s what we have for now:

  • We have completely separate server infrastructure for cryptocurrency wallets and all other platform data (production servers). The hack didn’t affect the production server. All information about transactions and clients also remained out of reach for the hackers.
  • We have a separate server infrastructure for cryptocurrencies and a separate server for each cryptocurrency. As we can see, only 6 cryptocurrencies were affected (while we have 57 different cryptocurrencies on the platform).
  • At this point, we have checked all the logs on the compromised cryptocurrency servers. As a result, we assume that the hacker got the private keys, and we are now trying to find out how it happened.
  • We are working with cybersecurity teams around the world to sort everything out and continue operating in a safe environment.
  • We hope to set up new servers and wallets for the affected cryptocurrencies in 1-2 days and restore deposits and withdrawals. The EXMO website is working in normal mode: users can trade, chat, and use EXMO coin.

To prevent this from happening again, we are planning to take the following measures:

  1. To set up a third-party custody provider for hot wallets.
  2. To decrease the level of crypto we keep on hot wallets to 4-7%.
  3. To expand and strengthen our Security department.

Please note that users’ account balances remain untouched by the attack. You can check it yourself by logging into the platform.

Thank you for your patience and understanding.
EXMO team