Skip to main content

Hacker steals $160 million from crypto trading firm Wintermute

Hacker steals $160 million from crypto trading firm Wintermute


A series of unauthorized transactions sent tens of millions of dollars of USD Coin, Tether, Wrapped ETH, and other cryptocurrencies to the attacker’s wallet

Share this story

Gold coins on a red background.
Illustration by Alex Castro / The Verge

In the latest eye-watering crypto heist, Wintermute, a market-making firm, has been hacked for $160 million, according to its CEO.

Early Tuesday morning, CEO Evgeny Gaevoy posted on Twitter that the company was experiencing an ongoing hack that had drained the funds from its decentralized finance (DeFi) operations.

On blockchain tracking service Etherscan, a transaction flagged as an exploit showed tens of millions of dollars worth of Dai stablecoin, USD Coin, Tether, Wrapped ETH and other currencies transferred from the company to a wallet address labeled as “Wintermute Exploiter.”

Market-making firms like Wintermute play a crucial role in the cryptocurrency ecosystem, providing liquidity to exchanges by holding large amounts of different cryptocurrencies in reserve in order to instantly fulfill large buy or sell orders. The need to access these reserves on short notice means that certain enhanced security procedures, like holding funds in offline “cold storage” wallets, cannot be used, which can lead to a greater security risk. As one of the largest market-making firms, Wintermute would have made an attractive target to hackers.

Gaevoy said that the company remains solvent and still holds more than twice the value of the stolen funds in equity. Clients that had a market-making agreement with Wintermute would not lose funds, but the service would be disrupted for a few days while the problem was addressed, the CEO said.

Though the exact exploit method is not known, reporting from crypto news site Blockworks suggested that the attack could have been carried out by exploiting a recently uncovered vulnerability in vanity wallet addresses generated by a tool called Profanity. Ethereum addresses consist of 40 hexadecimal characters that are usually random — but tools exist to generate a very large number of possible addresses until one is found that contains a certain desired sequence like a word or name.

Less than a week before the Wintermute hack, researchers from decentralized exchange network 1inch published a blog post detailing a vulnerability in the address generation method used by the Profanity tool, which meant that private wallet keys could be derived from addresses created using Profanity. On Monday, a hacker was able to exploit the attack method to steal $3.3 million from Ethereum addresses made with Profanity. Though it’s not known exactly how many public addresses were generated with Profanity, the GitHub repository for the project has been forked hundreds of times.

As the investigation continues, Wintermute is still holding out some hope of recovering the funds. Gaevoy said the firm was “open to” treating the hack as a white-hat event, meaning that the hacker could return the funds and receive a substantial reward for having uncovered a security vulnerability in the platform.

Though it may seem far-fetched, there’s precedent for recovering even larger sums of money: in August 2021, a hacker who stole $600 million of crypto coins from the Poly Network cross-chain bridge returned them to the targeted company.