In the world of decentralized finance, the inherent risk of keeping governments at arm’s length is supposed to be offset by architecture: an exchange should provide no path into a user’s wallet other than that user’s own seed phrase. Some crypto companies wear the “decentralized” label as a brand without actually being designed that way, however, as the recent breach of Mixin Network demonstrates.
When you read about a DeFi breach these days, it is usually North Korean hackers tricking yet another administrator with a fake job offer and gaining access to the platform’s backing liquidity pools. Platform users might see the value of their tokens crater, but their wallets are not actually penetrated. Not so with the Mixin breach: it turns out the company was facilitating its fast and convenient transactions with a centralized database, and compromising that database allowed direct theft of user funds.
North Korea a leading suspect yet again
While there has been no formal attribution as of yet, security researchers have noted that one of the addresses the stolen $200 million was exfiltrated to has been seen in a previous Lazarus attack. The Mixin theft is currently the largest to hit a crypto company in 2023 and the 10th largest of all time, a list that is mostly composed of incidents that have taken place since 2021.
The hackers were able to reach user funds through a centralized database that was compromised, something apparently maintained both to speed transactions (one of Mixin’s lead selling points from the beginning) and to make it easier to recover user accounts when passwords are lost. Platforms that do this while branding themselves “decentralized” often say it is just an initial interim step, but Mixin has been active since 2017.
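The design difference at issue, as an added illustration that is not Mixin’s code or any description of its actual system: a ledger where withdrawal authority is simply write access to a balance table, beside one where the server stores only public keys and every withdrawal must carry a signature made with key material that never leaves the user. The ledger classes, user names, and the use of Lamport one-time signatures (chosen only because they need nothing beyond the standard library) are all assumptions of this example.

```python
import hashlib
import os

def H(data):
    return hashlib.sha256(data).digest()
# Lamport one-time signature, hash-based and stdlib-only. The user keeps the
# 512 secret halves (seed material); the platform stores only their hashes.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]
def bit(msg, i):  # i-th bit of SHA-256(msg), most significant first
    return (int.from_bytes(H(msg), "big") >> (255 - i)) & 1
def sign(sk, msg):
    return [sk[i][bit(msg, i)] for i in range(256)]
def verify(pk, msg, sig):
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bit(msg, i)] for i in range(256))

class CustodialLedger:
    # Authority == write access to the balance table: whoever controls the
    # database can move funds, with no evidence that the user consented.
    def __init__(self):
        self.balances, self.pubkeys = {}, {}
    def deposit(self, user, amount):
        self.balances[user] = self.balances.get(user, 0) + amount
    def withdraw(self, user, amount, dest):
        if self.balances.get(user, 0) < amount:
            return False
        self.balances[user] -= amount
        return True

class SelfCustodyLedger(CustodialLedger):
    # Server keeps public keys only; a withdrawal needs the user's signature
    # over (user, amount, dest), so database access alone cannot authorise it.
    def withdraw(self, user, amount, dest, sig):
        msg = f"{user}|{amount}|{dest}".encode()
        pk = self.pubkeys.get(user)
        if pk is None or self.balances.get(user, 0) < amount or not verify(pk, msg, sig):
            return False
        del self.pubkeys[user]  # one-time key: the same signature cannot be replayed
        self.balances[user] -= amount
        return True

def demo():
    # Constructed scenario: an intruder with full database write access tries to drain "alice".
    custodial = CustodialLedger(); custodial.deposit("alice", 100)
    drained = custodial.withdraw("alice", 100, "attacker")       # True: table access suffices
    sk, pk = keygen()                        # sk stays with alice, off the server
    sc = SelfCustodyLedger(); sc.deposit("alice", 100); sc.pubkeys["alice"] = pk
    stolen = sc.withdraw("alice", 100, "attacker", [os.urandom(32)] * 256)  # False: no key
    legit = sc.withdraw("alice", 40, "shop", sign(sk, b"alice|40|shop"))    # True
    return drained, stolen, legit, sc.balances["alice"]
```

Tampering with the balance table itself remains possible in the second model, so it still needs integrity controls; the point is narrower: a database compromise cannot by itself produce a valid transfer out of a user’s wallet.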
Mixin has involved Mandiant and SlowMist in the follow-up investigation, but if North Korea was behind the breach the funds are likely gone for good. The company has offered a $20 million “bug bounty” if the full amount of stolen funds is restored, but the state-backed hackers are certain not to be interested in that.
Security of crypto company called into question
It remains to be seen how much trust there will be in Mixin after this breach. That trust is vital to making its existing customers whole, as the crypto company promised only “up to 50%” in near-term reimbursement. The rest will have to come from “future profits” used to purchase a bond the company is issuing for the remaining amount. It is unclear if and when this mass buy-back will happen.
The company temporarily suspended all deposits and withdrawals after the breach, but says that all services will gradually be restored during the investigation. Many customers are likely reassessing their relationship with the crypto company during this time, and perhaps checking the status of other platforms to see whether they are truly decentralized or similarly vulnerable.