Profanity may be the cause of crypto trading firm Wintermute’s $160 million hack

Wintermute, a London-based cryptocurrency firm that trades billions of dollars in digital assets daily, lost $160 million in a hack early Tuesday. Founder and CEO Evgeny Gaevoy says he learned of the hack a few minutes after it took place, around 6 a.m. London time. An hour later, he announced the theft on Twitter without saying how it happened. In all, the hacker stole about $120 million worth of Wintermute’s “stablecoins,” including USDC and USDT, $20 million worth of bitcoin and ether, and another $20 million worth of lesser-known cryptocurrencies.

Gaevoy told Forbes that, although the investigation is still ongoing, the hack likely originated from a service called Profanity, which generates “vanity addresses” for cryptocurrency accounts to make them easier to work with. Otherwise, crypto account addresses are roughly 30-character strings of assorted letters and numbers. Last week, a blog post from another crypto firm disclosed a security vulnerability in Profanity’s code. The crux of the problem: someone with enough computing power can generate every possible key, the secret that controls a Profanity vanity address. They can then scan the linked accounts to see how much money they hold and steal the funds.

Wintermute had not used Profanity to create easy-to-remember names for its accounts, but to lower transaction costs, another feature of Profanity’s service, Gaevoy says. When Wintermute learned of the vulnerability last week, it took steps to technologically “blacklist” its Profanity-generated accounts, protecting them from being drained. However, due to its own “human error,” one of the 10 accounts was not blacklisted, according to Gaevoy, likely resulting in the $160 million heist.

These trading accounts were part of Wintermute’s “decentralized finance” or DeFi business, where it makes fast trades on decentralized exchanges such as Uniswap and SushiSwap that are not controlled by a single entity. Since the DeFi ecosystem is young, highly experimental, and designed to be more openly accessible than traditional finance, it does not have the same security measures that centralized exchanges like Coinbase have. “You have no circuit breakers. You don’t have two-factor authentication to help you store your keys,” says Gaevoy.

In 2021, DeFi hacks totaled $1.3 billion, according to research by security firm CertiK. Research firm Chainalysis estimates that North Korea-linked groups stole $1 billion from DeFi protocols in the first eight months of 2022.

Some proven security practices in crypto, such as the use of external hardware wallets or “multi-sig” applications that must be digitally signed by multiple parties before a transaction is approved, cannot be used for the kind of automated trading that Wintermute does. “You need to sign transactions on the fly, within seconds,” says Gaevoy. So they had to invent their own technical tools and security protocols. “At the end of the day, that’s the risk we took. It was calculated.” DeFi has been a thriving part of Wintermute’s business in previous years. “It didn’t work out this year,” he admits.

The Wintermute boss has some clues about who the hacker might be, and he’s investigating them “both internally and using external partners.” He hopes the hacker will become a “white hat” who returns most of the funds, and he is now offering a 10%, or $16 million, bounty if the hacker returns the remaining $144 million. He tweeted that Wintermute “prefers to resolve this in a simple way, but the opportunity to do so is closing quickly due to the high profile of this exploit.”

Despite the new $160 million hole in its balance sheet, Gaevoy says Wintermute is on solid financial footing, with more than $350 million in equity. “We are one of the very few crypto-native proprietary trading firms that can actually take this hit,” says the CEO. For a couple of hours after the hack, the company shut down its OTC trading desk, where it facilitates large trades between other parties. But it has returned to normal operation.
