Mixin suspends deposits and withdrawals after $200m cryptocurrency heist

Mixin Network confirmd on Monday that it has "temporarily suspended" all deposit and withdrawal services after hackers broke into a database and stole about $200 million in funds from the Hong-Kong based cryptocurrency firm. 

In a statement posted on the social media platform formerly known as Twitter, the digital biz said the incident happened early Saturday morning, when "the database of Mixin Network's cloud service provider was attacked by hackers. After initial verification, the funds involved are approximately US$200 million."

Mixin, which is a decentralized exchange, did not identify the cloud service provider. 

The statement said the firm had contacted Google and blockchain security company SlowMist to help with the investigation. SlowMist confirmed its role, and the amount stolen, in a separate social media post. And Google-owned Mandiant confirmed to The Register that its incident responders were assisting with the cleanup.

"After discussion and consensus among all nodes, these services will be reopened once the vulnerabilities are confirmed and fixed," the Mixin statement promised. "During this period, transfers are not affected. Regarding how to deal with the lost assets, the Mixin team will announce the solution afterward."

The crypto firm also noted that Mixin founder Feng Xiaodong will discuss the breach in a Mandarin livestream on Monday, which will be summarized in English after the broadcast.

"We will try our best to minimize the losses and deeply apologize for this," the cryptocurrency exchange said.

• North Korea may be itching to sell $40m of purloined Bitcoin
• North Korea's Lazarus Group linked to Atomic Wallet heist
• TransUnion reckons big dump of stolen customer data came from someone else
• Feds raise alarm over Snatch ransomware as extortion crew brags of Veterans Affairs hit

Mixin's platform uses open-source software and its wallet supports 48 public blockchains, according to its website. It also claims a million users and about $1 billion in assets, although presumably less now.

The heist highlights "inherent vulnerabilities" in open-source banking, KnowBe4 Security Awareness Advocate James McQuiggan told The Register.

"With open-source banking, cybercriminals will always go after the money, whether a crypto or natural currency," McQuiggan said. "When a breach occurs, the effects can run deep. Not only do they face immediate financial repercussions, but the damage focuses on the erosion of trust, which can take years to rebuild."

The Mixin intrusion comes about a week after Elliptic blamed North Korea's Lazarus Group for the $54 million CoinEx heist against another Hong Kong exchange earlier this month. Over the previous 104 days, the criminals stole almost $240 million from five separate hacks, according to the blockchain analysis firm.

Victims included Atomic Wallet ($100 million) CoinsPaid ($37.3 million), Alphapo ($60 million), and Stake.com ($41 million), some of which attacks have also been linked to the North Koreans. 

And in August, the FBI issued an alert that the same gang of government-backed cryptocurrency thieves may try to liquidate a stash of stolen Bitcoin worth more than $40 million from several recent robberies. ®