Over $100 Million Missing: CoinBene Claims Maintenance, a Month of Questions Point Toward a Hack
Back in March 2019, the CoinBene cryptocurrency exchange denied that it suffered a hack but claimed to be undergoing maintenance, despite losing 109 ERC-20 tokens worth about $105 million.
Remember CoinBene, the cryptocurrency exchange platform that denied being hacked at the end of March 2019 and instead said it was undergoing maintenance? Well, it turns out the platform is still under maintenance, or so the company says.
Meanwhile, Cointelegraph has received exclusive details from stakeholders reportedly affected by the situation. These reports, for the most part, were only discussed on social media platforms like Twitter and Telegram but have yet to make an appearance on the cryptocurrency news circuit — until now.
The CoinBene saga — timeline of events
On Monday (March 25, 2019), there were massive outgoing transactions from CoinBene’s hot wallet to an unknown wallet that did not exist prior to that Monday. These transactions reportedly involved every single ERC-20 token (totaling 109) held by the company.
Those tokens include huobipool token (HPT), pundi X (NPXS), maximine coin (MXM) and udoo (UDOO). The latter two will prove important later on in this narrative.
The following day (March 26, 2019), Cointelegraph reported an announcement from CoinBene stating that the platform was undergoing maintenance. However, several reports were circulating at the time that the cryptocurrency exchange had been hacked.
Users on the platform had begun to report issues concerning pending deposits, which is often a sign that an exchange has fallen victim to cybercriminals.
Some stakeholders, like Nick Saponaro of Diviproject, alerted the cryptocurrency public to massive outgoing transactions from CoinBene’s wallet. For its part, CoinBene denied these allegations, saying that customer funds were safe and that it would announce the completion of the maintenance at a later date.
As pointed out by James Edwards, cryptocurrency analyst and editor of the blog Zerononcense, the cleanout of CoinBene’s hot wallet did not include ether (ETH), coinbene coin and maximine coin. The suspected hacker only removed a portion of CoinBene’s MXM holdings.
These tokens were sent to about 12 addresses separate from the alleged hacker’s address. These 12 addresses are also fairly new — created around the same period as the suspected hack. The inbound transactions from CoinBene are the first recorded in all 12 addresses.
Rumors of the hack only added to the negative press surrounding CoinBene, following a previous revelation that the platform was inflating its trading volume. A report by Bitwise Asset Management earlier in March had identified CoinBene as one of the platforms engaged in wash trading.
On March 27, 2019, the day after CoinBene’s maintenance announcement, data scientists at Elementus — a blockchain infrastructure firm — published a report stating that the fund transfers out of CoinBene’s hot wallet bore all the hallmarks of a hack.
The Elementus report provided the first definitive glimpse of the monetary value of these fund transfers, which stood at $105 at the time. According to the report, the fact that the ERC-20 tokens removed from CoinBene’s wallet were subsequently sold could point to the fact that the platform had been hacked.
An excerpt from the report stated:
“After leaving CoinBene, the tokens were quickly moved into Etherdelta, where they were sold for ETH. A large amount of funds were also moved into centralized Exchanges, including Binance, Huobi, and Bittrex. The funds continue to move into exchanges as I write this.”
If indeed the hack theory is correct, it would explain the movement of the other three tokens not involved in the attack. CoinBene was most likely trying to secure those tokens in its cold wallet.
However, there is a problem with this explanation, and the issue lies in the timeline of events. According to Edwards, the transfer of the three tokens not involved in the hack occurred several hours after the suspected hack took place.
Thus, valuable ETH and about 1.2 billion MXM (worth about $118.6 million) were left untouched by the hacker. Days later, MaxiMine would issue a new smart contract and send 1.9 billion MXM ($200 million) to CoinBene.
So, CoinBene reportedly suffered a hack, had $118.6 million worth of a particular token spared in the suspected attack but finally ended up with $200 million worth of that same token after the fact — all within the space of three days.
Meanwhile, all the other tokens previously held in the company’s wallet are still reading the same amounts they did after the hack. In addition, maximine’s price surged during those three days.
Howdoo.io: How 18 million UDOO disappeared in the CoinBene hack
In an interview with Cointelegraph, David Brierley, the CEO of Howdoo, one of the projects affected in the alleged theft, provided two weeks’ correspondence between his company and a representative of CoinBene listed as a manager on the platform’s LinkedIn page.
According to the correspondence, the March 25 incident saw 18.4 million UDOO ($209,000) removed from the CoinBene hot wallet. According to Brierley, upon initial contact with CoinBene, the manager admitted to not knowing the source of the intrusion — while still telling the public that there was ongoing maintenance.
Meanwhile, Brierley says CoinBene still allowed people to trade nonexistent udoo tokens on the platform. Consequently, the price of udoo began to tank. CoinBene was trying to devalue udoo’s price so it could easily cover its losses from the suspected hack.
Suddenly, on March 28, 2019, CoinBene put out an announcement saying the Howdoo project was undergoing maintenance. Brierley shared the statement with Cointelegraph, which reads as follows:
“The UDOO project are doing maintenance upgrades recently. CoinBene has suspended UDOO’s trading function already. After the completion of the upgrade and maintenance, the transaction function will be opened and the specific time will be announced separately.”
According to the Howdoo CEO, the above statement was not only false, but an attempt to pin the problem on the Howdoo project team. CoinBene also ceased trading on udoo, which alerted even more token holders to the situation.
From this point onward, the conversation features several attempts by the manager to deflect, claiming that upper management at CoinBene was looking into the matter. Meanwhile, the Howdoo CEO continued to press for a concrete answer from the platform.
By March 29, 2019, Brierley began pressing CoinBene to come clean about the hack to the broader cryptocurrency community. In reply, the CoinBene manager stated that such a decision was above his pay grade.
Under the radar: Attempted coverup?
April 1, 2019 heralded yet another twist in the tale, as the entity responsible for the original removal of the 18.4 million udoo tokens sent them back to the project’s smart contract. This action effectively destroyed the tokens and offered further evidence that CoinBene had been hacked.
For Brierley, the hacker probably wanted to make a statement, as it seemed highly unlikely that a hacker would give up their loot in such a manner. Sperando’s response was for the Howdoo team to come up with a solution that sorted out the matter quietly, without CoinBene having to make any of the details public.
The details of the conversation show Brierley objecting to this course of action:
“The loss here is for the users of CoinBene who had uDOO in their custody at CoinBene. The relationship is between CoinBene and its users.”
At this point in the correspondence thread, the CoinBene business development manager suggests that it would be better for the Howdoo team to communicate with someone higher up in the organization.
The manager then said a certain individual would contact Brierley on the next steps to take. The company’s LinkedIn page lists this individual as an “Assistant” in one of the departments. According to the manager, the individual has ties with upper management.
The conversation with the individual yielded little result, as the CoinBene employee simply asked Brierley to facilitate an 18.4 million UDOO transfer from Howdoo’s treasury to cover the lost tokens.
Brierley told Cointelegraph that CoinBene later sent another offer for Howdoo to provide the 18.4 million udoo for a knocked-down price of $50,000, which Howdoo declined. Meanwhile, CoinBene continued to tout the official maintenance line, obscuring the behind-the-scenes goings-on from the public.
The Howdoo chief shared a screenshot of CoinBene’s official Telegram channel in which a user asked the channel admin when the trading of udoo would resume. The admin simply replied:
“Please wait for the completion of maintenance.”
Cointelegraph reached out to CoinBene for comments via various channels of communication. The only responses received were via the company’s Twitter handle, which promised to provide answers to Cointelegraph’s inquiries, as well as from the manager, whose reply on Monday (April 15, 2018) reads in part:
“Thank you for getting in contact with me! I forwarded your request to our global marketing department, in charge of all our PR, with a strong suggestion for at least a statement, I'll follow up this overnight tonight.”
Cointelegraph has yet to receive any further response from either channel.
When asked what the next course of action would be for Howdoo, Brierley responded:
“We have already begun pursuing legal avenues and have reached out to lawyers in Singapore and China to see if affected users in the community can set up a class action suit against CoinBene and its founders.”
CoinBene and MXM: More questions than answers
Judging solely by the experiences described by the Howdoo team, it would seem that CoinBene covered up the fact that it suffered a hack. Well, remember MaxiMine, the platform whose token the suspected hacker left largely untouched? Investigating certain oddities surrounding MaxiMine’s alleged involvement in the matter pushes the CoinBene story into suspiciously sinister territory.
A lot of the following observations and deductions first appeared in Edwards’ blog post published earlier in April. According to the blog post, examining the chain of events throws up some irregularities in the dealings between CoinBene and MaxiMine.
On March 25, 2019, the day of the suspected hack, someone transferred out 669.87 million MXM from CoinBene’s hot wallet. The following day, CoinBene moved 1.2 billion MXM from its hot wallet to its cold wallet.
On March 27, 2019, MaxiMine created a new token contract address. The following day, MaxiMine destroyed its old smart contract. Via its Medium account, MaxiMine published a blog post explaining the process:
“All cryptocurrency exchanges listing MaxiMine tokens will automatically complete the upgrade of token address in a few days. Once the upgrade is completed, users can resume normal trading activities. Currently, new tokens have already been issued to all existing token holders in a 1:1 ratio.”
According to MaxiMine, the decision to issue a new token smart contract address was part of the rollout of its public chain. The odd bit lies with the number of maximine sent to CoinBene.
MaxiMine sent CoinBene 1.9 billion MXM, despite its announcement saying the token distribution would be on a 1:1 basis. Thus, why did CoinBene receive an extra 700,000 MXM — which were worth about $77 million at the time — from MaxiMine?
Cointelegraph also reached out to MaxiMine for comments about the story. As of press time, no one from MaxiMine has responded to Cointelegraph’s request.
Did MaxiMine spot CoinBene a whopping $77 million to cover the damages from the suspected hack? If so, do both companies share any sort of affiliation? Also, why was maximine the only token not completely drained by the suspected hacker? And finally, why was 18.4 million udoo sent back to Howdoo’s smart contract to be burned off?
These are some lingering questions that persist in the CoinBene saga that have so far managed to fly under the radar of the broader cryptocurrency news circuit. The victims of the situation and the cryptocurrency community at large need answers.