$35 million worth of crypto assets stolen in 15 minutes: Evolution of exchange hacks and prevention measures

This article has been automatically translated. Please refer to the original article for accurate content.

At the beginning of the year, unusual withdrawal activity was detected in one of the hot wallets of a major cryptocurrency exchange in South Korea. Hundreds of transactions were executed over a 15-minute period, resulting in the theft of approximately ₩44.5B KRW (equivalent to $33-35 million USD), prompting the exchange to suspend all withdrawals. The stolen assets included major tokens such as USDC, BONK, SOL, ORCA, RAY, PYTH, and JUP. While the exchange managed to freeze over half of the stolen funds (₩23B KRW worth of LAYER tokens), the remainder was already unrecoverable. Analysis of the withdrawal patterns and timing suggests that the incident was caused by a compromised hot wallet signature flow, rather than a smart contract malfunction or user-level error.

In this article, we will explain the recent trends in exchange hacking, delve deeper into the methods used in these attacks, and show how Hexagate's Wallet Compromise Detection Kit and GateSigner were able to detect the attacks early and help minimize the damage.

CEX and custodian breaches on the rise

This incident at a major exchange reflects a clear industry trend: increasing breaches of centralized exchanges (CEXs) and custodians. This is due to the increasing difficulty of operating high-speed, multi-chain withdrawal systems in complex cloud environments. While exchanges and custodians now handle some of the most complex on-chain capital flows in the market, they often underestimate the need for robust on-chain security and rely on measures that later prove insufficient.

We've been tracking customer environments and threat groups like Lazarus for almost a decade and have seen a clear shift: attackers are increasingly targeting custodians and CEXs due to their higher payoffs and larger, more complex operational stacks. Recent attacks on Bybit, BTCTurk, SwissBorg, Phemex, and now a South Korean exchange all fit the same pattern: a single point of compromise resulting in millions of dollars in losses.

The root cause of each incident is different. It can range from social engineering leading to account takeover, to cybersecurity flaws in the tech stack, to malware, to insider fraud, and more. Sophisticated attackers exploit a single weak link. The realistic assumption is not "full defense" but "something will eventually break." And when it does, it all depends on the speed of detection and response. Strong real-time detection and response will not eliminate risk, but it will prevent operational breaches from escalating into catastrophic losses.

What was happening?

Prior to this incident, one of the hundreds of Solana wallets connected to the exchange involved had been behaving normally for several weeks. The balance had fluctuated, but never reached zero. However, when the attack occurred, the wallet was completely emptied within minutes. This is extremely rare in legitimate operations and a strong indication of a compromise. The following signals in particular stood out:

  • Balance zeroing pattern: All of the wallets involved shared a signature where their balances collapsed to zero in an extremely short period of time, a behavior that would not occur during normal exchange operations.
  • Spike in large withdrawals: In the seven days prior to the attack, the exchange had processed only one withdrawal of approximately $100,000 from its Solana wallet. However, during the attack, approximately 80 withdrawals of the same size occurred within a 15-minute period.
  • High-frequency execution across multiple assets: The attackers moved dozens of different tokens in hundreds of transactions at once. This bursty behavior is a significant deviation from the normal baseline.

These are exactly the signals that advanced automated behavioral analysis systems like Chainalysis Hexagate are designed to detect in real time. Ultimately, the exchange made the appropriate decision to suspend withdrawals, protecting its users and platform. Incidents of this nature highlight the effectiveness of fully automated detection and response mechanisms. With the right real-time pipeline in place, anomalies can be flagged early, at the very first few transactions, and contained before any significant movements occur.
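The three signals above can be expressed as simple monitors over a hot wallet's withdrawal stream. The following is an added example, not code from the article or from Chainalysis; the thresholds (a "large" withdrawal at $50,000, a 15-minute window against a 7-day baseline, five distinct tokens, a balance at 2% of its peak) and the sample wallet history are assumptions constructed to mirror the incident as described.

```python
from collections import deque, namedtuple

LARGE_USD = 50_000.0           # assumed: what counts as a "large" withdrawal
WINDOW_SEC = 15 * 60           # 15-minute burst window, as in the incident
BASELINE_SEC = 7 * 24 * 3600   # 7-day lookback for the normal baseline
BURST_MIN, BURST_MULT = 5, 10  # fire at >= 5 large txs and >= 10x the baseline count
MULTI_ASSET_MIN = 5            # distinct tokens moved inside one window
DRAIN_RATIO = 0.02             # balance <= 2% of peak counts as "zeroed"
# one outgoing transfer: unix seconds, token symbol, USD value, wallet USD balance after it
Withdrawal = namedtuple("Withdrawal", "ts token usd balance_after_usd")

def detect_signals(events):
    """Replay withdrawals in time order; return {signal: first ts it fired, or None}."""
    fired = dict.fromkeys(["balance_zeroing", "burst_large_withdrawals", "multi_asset_burst"])
    window, baseline, peak = deque(), deque(), 0.0   # last 15 min / prior 7 days of large txs
    for e in sorted(events, key=lambda w: w.ts):
        peak = max(peak, e.balance_after_usd + e.usd)           # highest balance seen so far
        while window and window[0].ts < e.ts - WINDOW_SEC:      # age out of the burst window
            old = window.popleft()
            if old.usd >= LARGE_USD:
                baseline.append(old)                             # ...into the baseline
        while baseline and baseline[0].ts < e.ts - BASELINE_SEC:
            baseline.popleft()
        window.append(e)
        start_bal = window[0].balance_after_usd + window[0].usd  # balance when window opened
        large_now = sum(1 for w in window if w.usd >= LARGE_USD)
        checks = {
            # 1) balance collapses from >= 50% of peak to ~zero inside one window
            "balance_zeroing": start_bal >= 0.5 * peak and e.balance_after_usd <= DRAIN_RATIO * peak,
            # 2) large withdrawals in the window far above the 7-day baseline count
            "burst_large_withdrawals": large_now >= max(BURST_MIN, BURST_MULT * len(baseline)),
            # 3) many distinct assets moved within one window
            "multi_asset_burst": len({w.token for w in window}) >= MULTI_ASSET_MIN,
        }
        for name, hit in checks.items():
            if hit and fired[name] is None:
                fired[name] = e.ts
    return fired

def sample_events():
    """Constructed data: a quiet week, then 80 ~$100k withdrawals across 8 tokens in 15 min."""
    day, t0, bal, ev = 24 * 3600, 1_700_000_000, 8_000_000.0, []
    for i, amt in enumerate([4e3, 4e3, 4e3, 1e5, 4e3, 4e3, 4e3]):  # quiet week, one $100k tx
        bal -= amt
        ev.append(Withdrawal(t0 - (7 - i) * day, "SOL" if i % 2 else "USDC", amt, bal))
    tokens = ["USDC", "BONK", "SOL", "ORCA", "RAY", "PYTH", "JUP", "LAYER"]
    for i in range(80):                              # drain: one tx every 10 s, spread evenly
        bal -= (amt := bal / (80 - i))
        ev.append(Withdrawal(t0 + i * 10, tokens[i % 8], amt, bal))
    return ev
```

On the constructed history the multi-asset and burst monitors fire at the 5th and 10th attack transaction, well before the balance-zeroing monitor, which is the point of the article: the early signals are available while most of the balance is still in the wallet.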

Immediate actions after the theft

At this stage, the attackers likely focused on using automated market makers (AMMs) to exchange the stolen assets and convert them into tokens that would be difficult for issuers to freeze. This is typical of the initial actions following a large-scale hot wallet breach. The following graph from Chainalysis' Reactor research tool shows that the majority of activity at this point is consolidation of funds and shuffling of asset types, rather than proliferation.

Overview of the initial moves in the Reactor graph

How Chainalysis Hexagate detects and blocks wallet leaks

1. Wallet Compromise Detection Kit

A suite of real-time monitors powered by Chainalysis intelligence that detect the earliest signs of a hot wallet compromise. Key features include:

  • Balance drain pattern detection: Detects when your wallet balance suddenly drops towards zero.

  • Burst detection: Flags sudden increases in large withdrawals over a short period of time.

  • Unknown destination detection: Alerts you when funds are moved to addresses outside of your internal trusted ecosystem.

  • Machine-learning breach detection: Uses models trained on past CEX breaches and broader ecosystem behavior.

These signals fire at the first few malicious transactions, or even earlier, at subtle behavioral changes. Using this early detection, CEXs can automate defensive actions such as blocking withdrawals, moving transactions to cold storage, and isolating flows, allowing them to respond more quickly, consistently, and with fewer operational errors.

Wallet Compromise Detection Kit real-time monitor for the earliest signs of a hot wallet compromise

2. GateSigner (Pre-Sign Protection)

GateSigner plugs into your signature flow and pre-simulates each transaction to screen for high-risk behavior, providing critical pre-approval screening.

  • First, the withdrawal is simulated.

  • The simulation results are collated with a set of breach detection monitors.

  • If an anomaly is detected, the transaction is blocked or escalated before it goes on-chain, preventing the signing infrastructure from signing dangerous transactions that an attacker is trying to push through.

Results after transaction simulation with GateSigner
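The pre-sign flow described above (simulate, collate with monitors, block or escalate before the signer runs) as an added example; this is not GateSigner's code or API. The simulation is a stand-in that projects the wallet balance after the transaction, the monitors are assumed policies (a balance floor, a cap on large withdrawals signed per 15 minutes, and a trusted-destination set), and the addresses are constructed labels.

```python
from dataclasses import dataclass, field

LARGE_USD = 50_000.0       # assumed: "large withdrawal" threshold
WINDOW_SEC = 15 * 60       # burst window, as in the incident
MAX_LARGE_PER_WINDOW = 5   # assumed: signing a 6th large tx inside 15 min is refused
DRAIN_FLOOR = 0.05         # assumed: no single tx may leave less than 5% of the balance

@dataclass
class PendingWithdrawal:
    ts: int        # unix seconds the signing request arrived
    token: str
    usd: float
    dest: str      # destination address (constructed labels in the test)

@dataclass
class WalletState:
    balance_usd: float
    trusted_dests: set                                   # exchange's own/known addresses
    recent_signed: list = field(default_factory=list)    # withdrawals this gate let through

def simulate(state, tx):
    """Stand-in for the pre-sign simulation: project the wallet after tx executes."""
    return {"balance_after": state.balance_usd - tx.usd, "dest": tx.dest}

def gate(state, tx):
    """Collate the simulation with the monitors; return (decision, reasons)."""
    sim = simulate(state, tx)
    if sim["balance_after"] < 0:
        return "BLOCK", ["insufficient balance"]
    reasons = []
    if sim["balance_after"] < DRAIN_FLOOR * state.balance_usd:      # balance-drain monitor
        reasons.append("would drain the wallet to near zero")
    large_recent = sum(1 for s in state.recent_signed
                       if s.ts >= tx.ts - WINDOW_SEC and s.usd >= LARGE_USD)
    if tx.usd >= LARGE_USD and large_recent >= MAX_LARGE_PER_WINDOW:  # burst monitor
        reasons.append(f"{large_recent} large withdrawals already signed in the last 15 min")
    if reasons:
        return "BLOCK", reasons
    if sim["dest"] not in state.trusted_dests:                       # unknown-destination monitor
        return "ESCALATE", ["destination outside the trusted set; needs manual approval"]
    return "ALLOW", []

def sign_if_allowed(state, tx):
    """Only an ALLOW decision reaches the signer; signed txs feed the burst history."""
    decision, reasons = gate(state, tx)
    if decision == "ALLOW":                   # the real signer call would go here
        state.balance_usd -= tx.usd
        state.recent_signed.append(tx)
    return decision, reasons
```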

Some thoughts

Hot wallet compromises are becoming one of the most costly and frequent risks facing custodians and exchanges today. The best-prepared organizations invest in early detection and strong controls in their signing pipelines. Hexagate's Wallet Compromise Detection Kit and GateSigner empower CEXs to immediately catch anomalies, block risky withdrawals before they are executed, and automate appropriate responses at the right time. This is the most effective way to limit inevitable compromises and protect users, operations, and the business as a whole.

Contact us to learn more about how the Wallet Compromise Detection Kit and GateSigner can help you prevent yourself from becoming the next victim of a major theft, or to request a demo.

This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.

This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient's use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claims attributable to errors, omissions, or other inaccuracies of any part of such material.

The post $35 million worth of crypto assets stolen in 15 minutes: Evolution of exchange hacks and preventative measures appeared first on Chainalysis .
