Bitcoin Forum
Author Topic: Hacker stole 336 BTC from Crypto exchange Cashaa  (Read 207 times)
hugeblack (OP)
July 12, 2020, 08:23:21 AM
 #1

Cashaa cryptocurrency exchange in the UK reported that hackers took more than 336 Bitcoin. One of their wallets was hacked and over 336 Bitcoin was sent to 14RYUUaMW1shoxCav4znEh64xnTtL3a2Ek.
Kumar said to Cointelegraph:

Quote
“We are still investigating the damage caused by the incident and suspend all the withdrawals for 24 hours. We have called the board meeting to decide whether the company will bear all the losses.”

Cashaa was using Blockchain.com wallet to store and send BTC. However, their argument for the difficulty of selling hacked coins seems emotional.

Kumar blamed an increase in hacking incidents on the exchanges that support trading where these hackers can deposit the funds. He said:

Quote
“Everyone working in the crypto industry has to work very hard to bring the same level of security which currently an average person has when dealing with a bank account. As of today, hackers are very confident to hack crypto addresses and move it through exchanges that are facilitating such laundering through their systems. Exchanges like these must be shut down and owners of these exchanges should be charged with money laundering facilitation crime.”

Read more and source --> https://twitter.com/yourCashaa/status/1281995351864430593
https://earnbtc.cc/hacker-stole-336-btc-from-crypto-exchange-cashaa/
o_e_l_e_o
July 12, 2020, 10:12:45 AM
Merited by suchmoon (7)
 #2

I've never heard of this exchange. How many customers do they have? How many bitcoin were they holding? Is this 336 BTC their entire holdings?

Absolutely mind blowing that an exchange is using a Blockchain.com wallet and not proper cold storage. Completely irresponsible. You are trusting a third party who are in turn trusting a third party with your coins. The number of things that go wrong in such a set up is huge, as demonstrated by this story. It seems the "hack" wasn't even difficult and may not even have been a targeted attack - simply the computer they opened the Blockchain.com wallet on had malware on it, likely the same kind of malware that we see posts about in this forum on a regular basis. A web based hot wallet as their main storage? Unbelievable.

Anyone keeping their coins on a centralized exchange should bear in mind that you have absolutely no idea what their security set up is, and how secure or not your coins are. Anyone who is using this particular exchange should be figuratively running for the hills at such a display of gross incompetence.
chichidori
July 12, 2020, 10:20:46 AM
 #3

Never heard of this exchange either, and why is an exchange using a blockchain.com wallet to store BTC? Everybody knows that a web wallet is the most dangerous; they should have used Bitcoin Core and cold storage. The fund is mismanaged and that is the fault of the whole; a hacker can easily steal all of the BTC with a simple redirect and a phishing website. Hope they have learned something from this incident: that cold storage is a must for an exchange.
BitcoinGirl.Club
July 12, 2020, 11:08:15 AM
 #4

Quote
Cashaa was using Blockchain.com wallet to store and send BTC. However, their argument for the difficulty of selling hacked coins seems emotional.

Who on earth keeps 336 bitcoins in a third party web wallet? If the story is true then they deserved to be hacked. Everyone should know about it and needs to wake up.

This is an unbelievable story and I think it's made up. Maybe the rabbit hole will open up in a few days and we will know it's an internal job to rip off their clients.

Never heard of this exchange before.

hugeblack (OP)
July 12, 2020, 11:19:54 AM
 #5

Quote
I've never heard of this exchange. How many customers do they have? How many bitcoin were they holding? Is this 336 BTC their entire holdings?

Cryptocurrency is part of their business, but it is a company for money transfers between cryptocurrencies (buy bitcoin using Mastercard) and bank transfers; you can read more information here https://cashaa.com/personal-account.
Their trading volumes are not so great[1] so I doubt they will give money to clients.
The platform makes money transfers, so I assume they have a lot of money in hot wallets.

Quote
why does an exchange using a blockchain.com wallet to store BTC everybody knows that web wallet is the most dangerous,

They need to use web wallets, but perhaps the laziness or weakness of the developed team is what motivated them to use that wallet.

Quote
This is an unbelievable story and I think it's made up. May be the rabbit hole will open up in few days and we will know it's an internal job to rip off their clients.

I also expect that their defense of the matter does not seem serious.

[1] https://coinmarketcap.com/currencies/cashaa/
o_e_l_e_o
July 12, 2020, 11:32:16 AM
 #6

That's not their exchange volume though - that's the price of a token they have released. It's completely predictable that a useless exchange run by idiots would launch a meaningless token which has done nothing but slowly bleed value since it was released.

Quote
They need to use web wallets, but perhaps the laziness or weakness of the developed team is what motivated them to use that wallet.

Not sure what you mean here? There is no reason that anybody has to use a web wallet. You can access funds just as quickly with a hardware wallet connected to an internet enabled computer, in a much safer manner. Even a password protected desktop hot wallet would be massively preferable to a web wallet. I would hope this 336 BTC only represents a fraction of their total holdings, with the majority being in a cold wallet.

I do agree their defense is shambolic, essentially blaming other exchanges and taking zero responsibility.
bbc.reporter
July 13, 2020, 03:32:28 AM
 #7

@o_e_l_e_o. They were also advertised to have already developed a proven product for remittances and their own digital wallet during their ICO. I speculate they told that to everyone to avoid the classification of CAS as a security.

Also, is earnbtc.cc owned by Cointelegraph? I have this source with a similar title when I created another thread about this.

https://cointelegraph.com/news/hacker-stole-336-btc-from-crypto-exchange-cashaa

bitmover
July 13, 2020, 03:50:40 AM
 #8

Quote
A web based hot wallet as their main storage? Unbelievable.
Anyone keeping their coins on a centralized exchange should bear in mind that you have absolutely no idea what their security set up is, and how secure or not your coins are. Anyone who is using this particular exchange should be figuratively running for the hills at such a display of gross incompetence.

lol
After all histories we already know, it is unbelievable how people still keep their savings in exchanges...

There are also other risks, not only security/hacks, but the owners of the exchange can just run away with your money. In Brazil our biggest exchange (with higher volume) stole all clients' money in 2019 and I know people who had more than 1 btc there.

There is also the risk the exchange blocks your coins/account because of regulation issues.

buwaytress
July 14, 2020, 04:26:13 PM
 #9

It's still not clear to me how the hacker exactly got hold of the money. Are Cashaa saying they actually kept bitcoin on a blockchain.com wallet? I mean, that's just ridiculous. If you have a company and you're running an exchange and doing things like that, then the board meeting should be about the IT guy getting fired. You'd think they'd cough up for an actual custodian or something.

adzino
July 15, 2020, 06:44:49 AM
 #10

What kind of crypto exchange is Cashaa? Never even heard of it, yet people use them. Like how does a less known exchange hold and own more than 336 BTC of users? I guess they had even more.
And the worst part is, they have been using Blockchain.com as their wallet! An online wallet? How careless can they be! Sounds like something really fishy over here. Wouldn't be surprised if it was them who stole the coins....

The Sceptical Chymist
August 30, 2020, 01:26:31 AM
 #11

Quote
Never heard of this exchange either and why does an exchange using a blockchain.com wallet to store BTC

Well, that makes about three of us in this thread who've never heard of Cashaa, and as to the second part of your statement, I fully agree. Not only that, but it sounds like a bizarre business practice and Cashaa doesn't seem like they knew what the hell they were doing.

And if I'm interpreting this quote correctly:

Quote
As of today, hackers are very confident to hack crypto addresses and move it through exchanges that are facilitating such laundering through their systems. Exchanges like these must be shut down and owners of these exchanges should be charged with money laundering facilitation crime.

This Kumar guy is blaming other exchanges for accepting coins that were stolen and thus they should be shut down.  I have huge issues with that reasoning, mainly because a hacker can get dirty coins onto an exchange before the hack is even made public, and thus the second exchange would have no idea they'd allowed a deposit of stolen coins.  That's sour grapes logic, and it makes me want to pull my hair out.

Could have been an inside job, too.  I don't think you can ever rule that out when you hear about hacks like this.


o_e_l_e_o
August 30, 2020, 08:33:28 AM
 #12

Quote
I have huge issues with that reasoning, mainly because a hacker can get dirty coins onto an exchange before the hack is even made public, and thus the second exchange would have no idea they'd allowed a deposit of stolen coins.

My biggest issue with this is the privacy implications it has. He is basically saying that all exchanges must turn into Big Brother, monitor all their customers, perform constant blockchain analysis on all their transactions, trace every satoshi they deposit, and ensure that every deposit is entirely "clean" and "untainted", all because he did something so monumentally stupid as to use a flawed and buggy web wallet to hold all the deposits to his exchange. If you can't be bothered to do the smallest amount of due diligence, then trying to turn bitcoin into a nanny state isn't going to help you.

A quick internet search seems that their Twitter is still active, so this hack doesn't seem to have shut them down. I also found an interview from a few days ago with their co-founder, with some very concerning lines in it:

Quote
Due to our huge amount of transactional data on cryptocurrencies and national currencies, we can now enable governments to understand things better and develop a positive outlook towards the industry. It will enable regulators to stop frauds or system compromise by following our compliance policies.

Sounds very much like they are sharing customer data with governments. I suppose that fits well with their "no privacy" ethos as described above.