Kronos Research Loses $26 Million in API Keys Exploit

According to statistics from CertiK, there have been forty instances of private key compromises, accounting for 57% of the total losses in 2023.

Greek titan surrounded by money
An API private key compromise involves unauthorized access to the associated private key, enabling the misuse of the application programming interface's functionalities.

As per SlowMist's weekly report on the financial damage caused by Web3 exploits, the largest losses last week resulted from the API private key compromise at Kronos Research. On November 18, this cryptocurrency investment company lost 13,008 ETH valued at nearly $26.2 million. CertiK, another blockchain security team, notes that this incident is one of the forty private key compromises this year, contributing to 57% of the overall losses.

Read also: Weekly Damage from Web3 Exploits Surpasses $35 Million

In its incident analysis, CertiK underscores that the event is not a typical private key compromise, the term that often refers to the victim's wallet private key. Instead, the Kronos Research exploit was the result of an Application Programming Interface (API) private key compromise.

An API acts as a tool facilitating interactions between disparate software applications. Centralized exchanges often share API keys with their traders, providing them with access to real-time market data and the capability to execute trades through external services. For instance, CertiK explains that a trading app developed by an organization might employ a Binance API key to facilitate trades on the Binance platform.

CertiK's Kronos Research analysis
Source: CertiK

While centralized exchanges commonly default withdrawal permissions to be disabled, hackers can exploit these permissions through various methods. For example, a malicious actor might manipulate the price of a seemingly worthless token, prompting the victim's account to unwittingly purchase the inflated asset. Subsequently, the attacker can withdraw valuable assets, leaving the victim with a token of little or no value.

Read also: October Web3 Exploits Lead to Over $32 Million Losses

"In the case of Kronos Research, we can see that EOA 0x6F15ee9258ACDEbf356dB7aB607bB255a00C6fdF receives USDT originating from Binance in multiple transactions, however, it is not known what steps the attacker had to take in order to remove funds from Kronos Research CEX accounts," CertiK reports.

According to CertiK, the attacker initiated the exploit with what seems to be a test withdrawal of 72 USDT from Binance, confirming control over the compromised account. Shortly after, a much larger sum of 2.4 million USDT was withdrawn from Binance and transferred back to the same wallet.

Subsequently, within a three-hour timeframe, an astonishing 22,899,712 USDT was systematically withdrawn from Binance and directed into the compromised wallet.

CertiK also notes that the attacker successfully transferred assets on the Binance Smart Chain (BSC) network, including $2 million worth of WOO tokens, $107,000 in WBNB, and $82,000 in BNB.

Kronos Research officially announced the exploit nearly four hours after the incident. The exploit made the company halt all trading. Despite assuring that the potential losses do not significantly impact their equity, Kronos Research aims to resume trading as soon as possible.