Cryptocurrency exchange Poloniex has had its hot wallets drained by hackers with an estimated loss of around $114 million, several sets of on-chain data show.
A suspected hack was flagged at around 10:55 UTC by blockchain security firms PeckShield and Cyvers. Poloniex announced 12 minutes later that the exchange’s wallet had been disabled for maintenance. The hack was later confirmed by Poloniex investor Justin Sun in a tweet.
Various wallets across multiple blockchains appear to have been targeted. Arkham data shows that an Ethereum wallet, now tagged as “Poloniex hacker,” sent a total of $114 million worth of tokens from Poloniex in 357 transactions. A wallet on the Tron blockchain also sent around $42 million to various wallets.
Poloniex is one of the longest-running crypto exchanges, having been founded in 2013. It was acquired by Circle in 2018 and later spun off to several investors including Justin Sun, who revealed that he was a part of the most recent acquisition in 2019.
The exchange has facilitated $616 million worth of trading volume over the past 24 hours, its public reserves are not available to view, according to CoinMarketCap. That compares with $19.3 billion for market leader Binance and $3 billion for Coinbase (COIN), the only publicly traded exchange.
Crypto exchanges are common targets for hackers. Two months ago HTX was hacked with a total of $8 million worth of ether (ETH) being drained; South Korean exchange Gdac lost $13 million in April and Deribit lost $28 million in a hot-wallet hack last November.
Blockchain analytics company Nansen reported that there were just 175 tokens left in Poloniex’s wallet, worth a total of $10,000.
“We are currently investigating the Poloniex hack incident,” Sun tweeted. “Poloniex maintains a healthy financial position and will fully reimburse the affected funds. Additionally, we are exploring opportunities for collaboration with other exchanges to facilitate the recovery of these funds.”
Sun added that the exchange is offering a 5% white hat bounty to the hacker with a deadline of seven days before engaging with law enforcement.
Sun posted on X (formerly Twitter) later Friday that Poloniex “successfully identified and frozen a portion of the assets associated with the hacker’s addresses.”
“At present, the losses are within manageable limits, and Poloniex’s operating revenue can cover these losses,” he added.
UPDATE (Nov. 10, 12:20 UTC): Updates amount stolen in headline, first paragraph, according to Arkham; adds Justin Sun white hat bounty offer in last paragraph.
UPDATE (Nov. 10, 14:47 UTC): Adds details of Justin Sun’s investment, Poloniex volume data and Nansen tweet.
UPDATE (Nov. 10, 16:18 UTC): Adds Justin Sun’s post about Poloniex having identified and frozen a portion of the stolen assets.
Edited by Sheldon Reback.