The hack started with a single transaction of 10,000 XRP; over the following days further transactions followed, for a total of 23,200,000 XRP drained from just under a hundred users. 13,100,000 XRP have already vanished through various exchanges and transaction mixing services, not least because no action was taken in time to identify and freeze the funds; from now on, only what has been salvaged can be traced and possibly recovered.
How the hack against GateHub was carried out is still unclear, and several hypotheses are on the table:
- A compromise of the platform itself, although a first analysis does not suggest that the GateHub site was tampered with, nor that the users' credentials were used on it;
- Phishing, although in interviews none of the victims reported receiving suspicious emails;
- A repeated nonce: no evidence of this has been found, even though most victims have accounts older than December 2017 and would therefore be more exposed to it;
- Incremental nonces: no evidence of this has been found either;
- RippleTrade migration: since the accounts predate December 2017, many of the users still have a RippleTrade username;
- An attack via the browser client: although user information can be retrieved through the relevant API provided by GateHub, this would require all the affected accounts to have been on the same network;
- A database leak: since the site hosts wallets and stores private keys, the platform may have suffered a leak of the database holding this sensitive information.
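Of the hypotheses above, the two about nonces are the most cryptographically concrete, so it is worth showing what they actually mean. The Python below is an added illustration, not part of the original article and not GateHub's or Ripple's code: it demonstrates why two ECDSA signatures made with the same key and the same nonce expose the private key, on secp256k1 (the curve XRP Ledger accounts use by default), together with the check an investigator would run first, namely looking for signatures from one account that share the same r value. The key, the nonces and the message hashes are constructed for the demo; the low-s normalisation in sign() mirrors the canonical-signature rule XRPL and Bitcoin enforce, and the recovery routine tries both sign choices so it still works on normalised signatures.

```python
# Added example, not from the article nor GateHub: nonce reuse in ECDSA over
# secp256k1 (the curve XRP Ledger accounts use by default) and the check for it.
# Pure Python, no third-party packages. Key, nonces and messages are constructed.
import hashlib

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def sign(d, z, k):
    """ECDSA signature (r, s) of message hash z with private key d and nonce k.
    s is normalised to the low half of the range, as canonical-signature rules
    (XRPL's and Bitcoin's) require."""
    r = _mul(k, G)[0] % N
    s = (z + r * d) * pow(k, -1, N) % N
    if s > N // 2:
        s = N - s
    return (r, s)


def find_shared_r(signatures):
    """signatures: iterable of (r, s, z). Returns {r: [(s, z), ...]} for every r
    that appears under more than one signature, the fingerprint of nonce reuse."""
    by_r = {}
    for r, s, z in signatures:
        by_r.setdefault(r, []).append((s, z))
    return {r: v for r, v in by_r.items() if len(v) > 1}


def recover_from_shared_nonce(r, s1, z1, s2, z2, pub):
    """Two signatures with the same r share the nonce k, so
    k = (z1 - z2) / (s1 - s2) and d = (s1 * k - z1) / r (mod N).
    Low-s normalisation may have flipped either s, so all four sign choices are
    tried and each candidate key is checked against the public key."""
    for sa in (s1, N - s1):
        for sb in (s2, N - s2):
            if (sa - sb) % N == 0:
                continue
            k = (z1 - z2) * pow((sa - sb) % N, -1, N) % N
            d = (sa * k - z1) * pow(r, -1, N) % N
            if 0 < d < N and _mul(d, G) == pub:
                return d
    return None


def demo():
    """Signs two payloads with the same nonce and a third with a fresh one, then
    recovers the key purely from the two colliding signatures."""
    d = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed key
    pub = _mul(d, G)
    reused_k = 0x7A1A7E52797FC8CAAA435D2A4DACE39158504BF204FBE19F14DBB427FAEE50AE  # constructed nonce
    fresh_k = 0x2B  # constructed; a real signer draws this at random per signature

    def h(msg):
        return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

    z1, z2, z3 = h(b"payment 1"), h(b"payment 2"), h(b"payment 3")
    sigs = [sign(d, z1, reused_k) + (z1,),
            sign(d, z2, reused_k) + (z2,),
            sign(d, z3, fresh_k) + (z3,)]

    shared = find_shared_r(sigs)          # only the reused-nonce pair shows up
    (r, pairs), = shared.items()
    (s1, zz1), (s2, zz2) = pairs
    recovered = recover_from_shared_nonce(r, s1, zz1, s2, zz2, pub)
    return d, recovered


if __name__ == "__main__":
    d, recovered = demo()
    print("key recovered" if recovered == d else "recovery failed")
```

Extracting the (r, s, z) triples from real XRPL transactions (DER-encoded signatures over the signing-prefixed serialised transaction) is left out here; once a set of signatures from one account is in that form, any non-empty result from find_shared_r is a red flag, and an incremental-nonce signer shows up the same way as soon as a signature from a known or guessable k is checked.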
What is certain is that this is yet another demonstration that it is never a good idea to use a custodial wallet as your main account; keep your private keys safe in a non-custodial wallet instead.