DDoS Attack Temporarily Breaks UK’s EXMO Cryptocurrency Exchange

 Large, popular cryptocurrency exchange EXMO was knocked offline by a massive DDoS attack on February 15. The incident prevented users from accessing accounts, and the company’s website was down for more than two hours.

What Happened?

At approximately 4:10 p.m., EXMO experienced a massive influx of traffic in an aggressive distributed denial-of-service (DDoS) attack that temporarily knocked its servers offline and halted business operations.

The Daily Swig talked to a spokesperson for EXMO who said that they had experienced previous DDoS attacks that have only ever affected their website. However, this attack came packing a punch (more than 30 DB of traffic per second) and disrupted their “entire network infrastructure including the website, their API, Websocket API and exchange charts.”

The same spokesperson said,

“So, it’s quite natural for any exchange to be down under these circumstances. The attack was repelled with the help of the DDoS protection Curator. We are now also taking additional security measures.”

“EXMO resumed its work yesterday. So basically, we were down just for a couple of hours.”

“Unfortunately, with a splash in market activity, which undoubtedly drives a positive change, many negative phenomena are back as well. DDoS, which we’ve faced, is just one of them.”

Although the service was only interrupted for a short time, they did open an investigation to locate the responsible parties.

EXMO is an Attractive Target

Being in the business of cryptocurrency makes EXMO a popular target for cybercriminals. Back in December, hackers stole $4 million from EXMO in another attack. Threat actors plundered roughly 6% of the company’s assets, and they cannot be recouped. To mitigate the damage, the company had to suspend deposits and withdrawals for a while. The incident was reported to the UK police and National Cybersecurity Centre (NCSC).

After that attack, EXMO commented that

“We have completely separate server infrastructure for cryptocurrency wallets and all other platform data (production servers). The hack didn’t affect the production server. All information about transactions and clients also remained out of reach for the hackers.”

“At this moment, we did checks for all the logs on compromised cryptocurrency servers. As a result, we assume that the hacker got the private keys. And now we are trying to find how it happened.”

They concluded with, “We are working with cybersecurity teams around the world to sort everything out and continue operating in a safe environment.

What is a DDoS Attack?

A distributed denial-of-service (DDoS) attack is when bad actors flood a service, network, or device with heavy traffic to overwhelm it, so it stops working.

Typical targets for DDoS attacks include computers, network servers, and IoT devices. The purpose of a DDoS attack is to temporarily shut down these services to expose vulnerabilities so hackers can access them using either backdoors or other malware and take control. Often the goal is monetary or sometimes to steal information for identity theft or to sell on the dark web.

Cyber gangs use malware to create vast networks called botnets (often using privately-owned devices unknowingly connected through a malware infection). They use all these devices to send information to the target at once. Because many of these devices are legitimate, it’s very difficult to separate them from the culprits and identify exactly where the damage is coming from.

The symptoms of a DDoS attack usually begin with the server, computer, or service, slowing way down and becoming unresponsive. Server monitoring may also show a massive spike in network activity within a few seconds. Often these attacks take place at odd hours (such as the middle of the night) or appear to come from a single IP or a range of IP addresses. Another telltale sign is the traffic will all be directed towards a single target which might be an app, service, or single web page.