Wintermute team member suspected of hacking for $160 million
Researcher James Edwards came to this conclusion by analyzing the smart contract code
27.09.2022 - 12:15
What’s new? Cybersecurity expert James Edwards, known by the nickname Librehash, claims that the $160 million hack of market maker Wintermute’s DeFi protocol is an “inside job.” The researcher came to the conclusion that the exploit was carried out by an employee of the project by analyzing the smart contract code. According to Edwards, “the relevant transactions initiated by the EOA [externally owned address] make it clear that the hacker was likely an internal member of the Wintermute team.”
What else did Edwards report? The expert suggests that the EOA that made the call to Wintermute’s compromised smart contract was itself compromised through the team’s use of “a faulty online vanity address generator tool.”
Edwards said the attacker recovered the private key to the compromised EOA, noting that this could only be done with admin access.
The researcher also discovered a transfer of 13.48 million USDT from Wintermute to the 0x0248 address, allegedly created and controlled by the hacker. Edwards drew attention to Etherscan’s transaction history, allegedly showing that Wintermute had transferred these funds from two different exchanges to the address of the compromised smart contract.
7/ That concludes my breakdown of the Wintermute smart contract 'hack' and why I've come to the conclusion that this was the product of an inside job rather than an outside attacker exploiting an EOA with a weak private key due to the use of a faulty vanity addy generator tool — James Edwards (@librehash) September 26, 2022
Edwards’ theory has not yet been confirmed by other blockchain security experts, although there is talk in the crypto community that the project’s employees may have been involved in the hack.
The fact that @wintermute_t used the profanity wallet generator and kept millions in that hot wallet is negligence or an inside job. To make things worse the vulnerability in profanity tool was disclosed a couple of days ago. — Rotex Hawk 🦇🔊 (@Rotexhawk) September 21, 2022
What do the project’s representatives say about the hack? Evgeny Gaevoy, the co-founder of Wintermute, noted that centralized finance (CeFi) protocols and over-the-counter (OTC) operations were not affected. According to him, all user funds are safe. Gaevoy also pointed out that the company has twice the amount stolen by hackers, so Wintermute remains “solvent.”
What is known about Wintermute? The cryptocurrency project was founded in 2017. The company positions itself as “a new generation algorithmic trading firm.” It provides liquidity to other companies and has its own digital asset exchange.
Earlier, analysts at cybersecurity firm PeckShield reported that hackers stole more than $446 million worth of cryptocurrency through hacks over the three summer months. In August, the loss from 18 attacks on crypto platforms totaled $208.5 million. In July, hackers carried out 12 hacks worth $10.2 million, and in June, attackers withdrew $227.76 million during 21 attacks.