Around 10:41 a.m. UTC, it came to the attention of Librehash, via reports on multiple social media platforms, that Hotbit had been compromised.
It appears that, at some point during the latter hours of April 29th, 2021 (or early hours of April 30th, 2021), Hotbit reported to its users that it had been compromised with a serious attack on its servers.
Hotbit's Announcement on Their Website
Before covering this announcement, it's worth noting that Hotbit put a tweet up on their page approximately 9 hours before the time of writing (i.e., around April 30th, 2021, 1:00 a.m. UTC).
That tweet is re-published below:
In case this tweet is deleted or removed (for whatever reason), here is the archived link - https://archive.ph/NAhF5
Curiously, the tweet states that the exchange was due to undergo maintenance in order to "optimize server performance" and that this maintenance was "expected to finish at 10:00 AM UTC on April 30th 2021."
At the end of the tweet is a link to an article on their site, which can be found here:
Again, if this article / site is taken down, here is an archived link - https://archive.ph/MYPxn
Below is a screenshot showing the general text of the article on their site (curiously, it states that it was updated approximately 4 minutes before the time of writing; the author is unable to access any earlier versions of the article at this point in time).
Strange Offer of VIP Services Just Before the Compromise Announcement
For some reason, just 2 hours before announcing that they were hacked, Hotbit released the following article on their site regarding 'VIP Services' that users could obtain on their website.
Link to the Live Article on the Hotbit Website:
Archived Link to the Live Article - https://archive.ph/Qx1rr
Evaluating the Statement of Compromise on Hotbit's Website
On April 30th, 2021 at 10:40(ish) UTC, Hotbit released the following announcement on their website:
archived link - https://archive.ph/uvEpf
Below is a screenshot of the first part of the announcement on their Zendesk website:
Pointing Out an Interesting Fact
In the very first sentence of the Hotbit compromise announcement, they state:
"Hotbit just suffered a serious cyber attack starting around 08:00 PM UTC, April 29, 2021, which led to the paralyzation of a number of some basic services..."
If this is the case, then that means they published the tweet about their "scheduled maintenance" well after the fact: the tweet went out on April 30th, 2021 at 1:00 a.m. UTC, nearly 5 hours after the supposed "serious cyber attack" had occurred.
More Concerning Information Contained in the Hotbit Announcement
The screenshots below show the remainder of what's contained in the press release by Hotbit:
First Major Area For Concern
The first, and perhaps most obvious, point of concern is the set of statements made in the second screenshot of the Hotbit announcement (re-published below & highlighted for convenience):
Rebuilding the Servers
If the Hotbit team is legitimately finding themselves in a situation that requires them to "rebuild the servers" (whatever that is supposed to mean), then they are truly fucked at this point in time.
Other Statements About the Servers Make No Sense
To someone who is not quite familiar with servers, IT administration, database maintenance, etc., the statements Hotbit made in reference to their servers may sound legitimate.
Fortunately, Librehash has a bit of an understanding of these things and, from the publication's perspective, the statements made in that first screenshot do not add up.
Some specific areas of trouble:
- It is stated that the attacker "maliciously deleted the user database after failing to obtain assets". If this statement is actually true, then the 'attacker' had enough access within Hotbit's systems to delete the database in the first place, which strongly implies that they were either root or admin. If that was/is the case, then Hotbit is completely screwed. If this isn't the case (because they are lying), then users are still screwed anyway, because an exchange lying about something of this magnitude is a clear, unequivocal, bleeding red flag that something very wrong is going on.
- The Hotbit team states that their "database is routinely backed up", yet in that 'same breath' insists that they are "still uncertain whether the attacker has poluted [sp] data or not before the attack". To be clear, this statement makes little to no sense. If they're 'uncertain' about whether the attacker "poluted" data before the attack, then that implies that they were compromised well before 8:00 p.m. UTC on April 29th, 2021. Considering that we just deduced that this attacker must have had root privileges (or something akin to them) to be able to execute commands on the database from within Hotbit's servers, things look even bleaker now that we've worked out that this 'attacker' (if real) may have had Hotbit's servers compromised for some time.
- There are countless database tools / plugins in existence that allow you to track database changes. Not only that, there should be general logs kept by any proficient (or even mediocre) server administrator looking to protect user data. These logs would contain information like server accesses and strange augmentations / amendments to data that is normally immutable or created through an out-of-band process (i.e., a server administrator creating a user account via the backend vs. the account being created through the normal 'create new user' flow on the frontend). Additionally, IP address logging for admin / root / moderator logins should be something that's kept by default. Assuming that these individuals work remotely in part or in whole (COVID-19 still has some under quarantine at the time of writing), it's assumed that there is a private network (VPN) that staff connect to, which should provide some additional protections.
- If they don't know what data was accessed and when, then there is no way for Hotbit to confirm whether an "anomaly is detected", and if the data of users is truly "encrypted" (which would be strange; normally passwords & data of that nature get 'hashed'), then it would be impossible for them to "perform an accurate reconstruction to ensure that all user data is accurate" (this is sort of an asinine statement to make anyway).
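The kind of logging the list above describes (privileged logins with source IPs, accounts created outside the normal signup flow, destructive changes to tables that should only change through the application) is easy to check mechanically once it exists. The following is an added example written for this article, not code from Hotbit or Librehash; the JSON-lines audit log, the VPN range 10.8.0.0/24, the role names and the table names are all constructed assumptions.

```python
import ipaddress
import json

# Constructed sample of an admin/database audit log in JSON-lines form.
# These are invented events for illustration, not records from any real exchange.
SAMPLE_AUDIT_LOG = """\
{"ts": "2021-04-29T19:50:00Z", "event": "login", "actor": "ops-admin", "role": "admin", "src_ip": "10.8.0.12"}
{"ts": "2021-04-29T19:58:00Z", "event": "login", "actor": "ops-admin", "role": "admin", "src_ip": "203.0.113.45"}
{"ts": "2021-04-29T20:01:00Z", "event": "user_created", "actor": "ops-admin", "channel": "backend", "user_id": "u-9001"}
{"ts": "2021-04-29T20:02:00Z", "event": "user_created", "actor": "u-9002", "channel": "signup", "user_id": "u-9002"}
{"ts": "2021-04-29T20:05:00Z", "event": "db_change", "actor": "ops-admin", "op": "DELETE", "table": "users", "rows": 150000}
{"ts": "2021-04-29T20:06:00Z", "event": "login", "actor": "trader-77", "role": "user", "src_ip": "198.51.100.7"}
not json at all
"""

# Assumed: privileged staff reach the backend only over a VPN on this range.
VPN_NETWORKS = [ipaddress.ip_network("10.8.0.0/24")]
PRIVILEGED_ROLES = {"admin", "root", "moderator"}
# Assumed: tables whose rows should only ever change through the application itself.
PROTECTED_TABLES = {"users", "balances"}
DESTRUCTIVE_OPS = {"DELETE", "DROP", "TRUNCATE"}


def parse_audit_log(text):
    """Yield one dict per well-formed JSON line; malformed lines are surfaced, not dropped silently."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            yield {"event": "unparseable", "lineno": lineno, "raw": raw}


def is_vpn_ip(ip_text):
    """True only if the address parses and falls inside one of the assumed VPN ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in VPN_NETWORKS)


def find_anomalies(events):
    """Return (kind, event) pairs for the conditions an administrator should be watching for."""
    findings = []
    for ev in events:
        kind = ev.get("event")
        if kind == "login" and ev.get("role") in PRIVILEGED_ROLES and not is_vpn_ip(ev.get("src_ip", "")):
            findings.append(("privileged_login_outside_vpn", ev))
        elif kind == "user_created" and ev.get("channel") != "signup":
            findings.append(("out_of_band_account_creation", ev))
        elif kind == "db_change" and ev.get("table") in PROTECTED_TABLES and ev.get("op") in DESTRUCTIVE_OPS:
            findings.append(("destructive_change_to_protected_table", ev))
        elif kind == "unparseable":
            # A gap or corruption in the audit trail is itself a finding.
            findings.append(("unparseable_log_line", ev))
    return findings


def summarize(text=SAMPLE_AUDIT_LOG):
    """Count findings by kind so a reviewer sees the shape of the problem at a glance."""
    counts = {}
    for kind, _ in find_anomalies(parse_audit_log(text)):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, ev in find_anomalies(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{ev.get('ts', '?')}  {kind}: {ev}")
```

Run against the constructed sample, this flags the admin login from outside the VPN, the backend-created account, the mass delete on the users table, and the line that could not be parsed. An exchange with even this much in place could answer "what was accessed and when" instead of saying it is uncertain.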
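On the "hashed, not encrypted" point in the last item: a hashed password record can confirm a password a user types but cannot be turned back into the password, which is exactly why it is the normal way to store one. The following added example (written for this article, not code from Hotbit) shows salted, iterated hashing with PBKDF2-HMAC-SHA256 from Python's standard library; the record format and iteration count are the author's assumptions.

```python
import hashlib
import hmac
import os

# Assumed iteration count and record layout for this illustration.
ITERATIONS = 200_000
SCHEME = "pbkdf2_sha256"


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a fresh random salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time.

    Any malformed record verifies as False rather than raising.
    """
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def same_password_different_records(password):
    """Two records for one password differ (per-record salt) yet both still verify."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
```

Contrast this with encryption: an encrypted password can be recovered by anyone holding the key, so if an exchange really did "encrypt" user credentials, the key becomes a second thing that an attacker with root access could have taken.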
Recovery Period is a Major Cause For Concern!
In the announcement, Hotbit states that, "We initially expect that the recovery period will last about 7-14 days."
That's an excruciatingly long time for an exchange to be out of commission, especially considering that, by their own account, no user funds were taken.
Considering that they announced "server maintenance" after the time at which, by their own announcement, they had already been compromised (and that the announcement was published in the same hour the server maintenance was supposed to have concluded), the team's credibility dwindles the further you read into the announcement.
Hotbit Users Should Feel a Sense of Dread Currently
Yes, this sucks if you're a user of this platform and this is probably the last thing that you want to read if you've been affected by this sudden shuttering of the exchange.
But nobody benefits from us putting our collective heads in the sand and hoping it will magically be resolved at some point in the future.
There are numerous red flags in Hotbit's behavior and announcement(s) that strongly indicate that the exchange may never make a return.
Librehash could be wrong about this, but that appears increasingly unlikely.
Even if Hotbit is telling the God's honest truth, their task of reconstructing their entire user database seems impossible. If their databases were deleted, encrypted, etc., then their records of which funds belong to a given account, trades executed by users, deposit addresses generated, withdrawals initiated, etc. would all be gone. Since the tabulation of user account balances is done by exchanges in-house (and privately), there's really nothing a user can do to prove that they had X amount of funds on that exchange (and perhaps that's the main point, sadly).
Updates will be published as they're found / received.