A missing pile of Safemoon and other cryptocurrencies, accusations of broken promises, and then nothing.

When a high-profile cyber attack takes place and hundreds of millions of dollars are lost, usually a healthy balance is struck between safeguarding information to protect ongoing investigations and maintaining a level of transparent communication with the public.

In the case of BitMart’s security breach, they chose to keep a lot under wraps. We can still get a general idea of what happened and what went wrong from a string of statements they made early on.

This is the fullest story you’ll find on what happened with the $200M BitMart hack.

Timeline of the BitMart Hack

December 04, 2021:

At approximately 22:30 UTC, BitMart staff identifies a security breach involving two hot wallets (lower-security wallets that are connected to the internet). They respond by immediately shutting down various systems, including withdrawals and the freezing of certain trading pairs.

We learn in a later update that the security breach involved the attacker gaining access to two private keys, which allowed them to take various cryptocurrencies from the two wallets.

December 05, 2021:

At 00:28 UTC, just under 2 hours after BitMart noticed the hack and paused withdrawals, blockchain security and data analytics company PeckShield posts a tweet showing multiple suspicious withdrawals from BitMart’s hot wallets, and asking publicly if they’d been compromised.

By 01:50 UTC, PeckShield releases an update on the affected tokens, including the exact amounts of each, and estimates approximately $100M was lost from an Ethereum hot wallet, and another ~$96M from a Binance Smart Chain wallet.

The list of tokens stolen from the Ethereum wallet include SHIB, SAITAMA, ELON, CRO, GALA, STARS, SAND, LUFFY, HOT, WOO, HEX, MATIC, TRU, SRK, KISHU, RVF, AKITA, RSR, USDC, FTM, MANA, XDB, WPP, UFO, ENJ, WILD, ZEON, and PBR.

Here’s the list of ERC-20 token amounts stolen.

The list of tokens stolen from the Binance Smart Chain wallet include SAFEMOON, X2P, FLNS, BabyDoge, HERO, STARSHIP, FLOKI, JULb, CMCX, GMR, SPE, BETU. GMEX, ZEO, MOONTSHOT, BPAY, STACK, EnergyX, BSC-USD, and BNB.

Here’s the list of BEP-20 token amounts stolen.

At 02:13 UTC, the CEO of BitMart, Sheldon Xia, makes an announcement on Twitter confirming the security breach. He adds “the affected ETH hot wallet and BSC hot wallet carries a small percentage of assets on BitMart and all of our other wallets are secure and unharmed.”

December 06, 2021:

BitMart announces they will host an AMA; the distraught comments under the tweet indicate that many users are still unable to withdraw their funds. During the AMA, Sheldon Xia confirms the data shared by PeckShield.

“Unfortunately, we have more than 45 tokens involved in this security breach, including #SHIB, #SAFEMOON, #SAITAMA, and so on. The total amount taken is around USD $200 million,” he said during the live communication. At this time, BitMart also ensures users that they will compensate anyone who was affected by the security breach using their own funding.

December 08, 2021:

BitMart releases an official statement on the incident, mostly just covering the information that was already available, but also reassuring users that they are “committed to exhausting all feasible options for supporting users’ withdrawal requests,” and they add that features are expected to be activated systematically within the coming days.

According to a later update by BitMart, it was on Dec 07 that deposit and withdrawal functions for “ETH and some ERC-20” tokens were first reinstated.

They also launched a giveaway program on this day with two separate prize pools of 500,000 BitMart tokens (BMX) as an expression of gratitude for users’ support. BMX was valued around $0.37 at the time, so the total prize was valued at roughly $370,000. The giveaway program concluded on Dec 15, and the BMX token held above $0.30 until mid-May 2022.

December 09, 2021:

At 03:00 UTC, BitMart restores deposit and withdrawal functions for partial BEP-20 tokens.

They also confirm they have “replaced all token deposit addresses including BTC, ETH, SOL, and all other tokens.”

December 17, 2021:

BitMart resumes deposit and withdrawal functions on multiple mainnets, including Bitcoin, Avalanche, Harmony, Polkadot, Polygon, Solana, and several more.

December 31, 2021:

BitMart drops its post-mortem, which offers little further detail about the attack, but lays out their security response and several updates they’ve made to improve risk control and network architecture, such as deeply integrated identity authentication via Google’s identification systems, more secure data transmission, and a fully isolated DevOps environment to avoid future leaks of sensitive information, such as private keys to hot wallets.

Apart from a few tokens that are pending “high-level security reviews”, the majority of functions on the exchange, such as trading and withdrawals, are restored.

Did BitMart Reimburse Users?

This is where the trail goes cold.

Due to BitMart’s rapid response in shutting down their systems, all users on the platform were impacted by the inability to make withdrawals. However, once withdrawals were reinstated, the majority of users were no longer impacted because they still had the same assets and were able to trade or withdraw them as usual. So no reimbursement for those users was required.

However, those “high-level security reviews” mentioned above impacted users holding the tokens that were subject to review because they were still unable to withdraw or trade those assets. It’s unclear how many users were impacted in this way, but on January 7, five weeks after the incident, reports emerged that many users were still waiting to receive reimbursements or make withdrawals, particularly holders of the memecoin SAFEMOON.

As of August 10, 2022, there has been an ongoing FTC investigation into the BitMart hack and its response. No further updates were available at the time of writing, but BitMart continues to operate consistently within the top 15 centralized crypto exchanges in terms of daily trading volume.

Marin Ivezic
Website | Other articles

For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.

He held multiple interim CISO and technology leadership roles in Global 2000 companies.