Cointelegraph

Rain exchange lost $14.1M worth of crypto in a confirmed exploit 2 weeks ago

The Rain cryptocurrency exchange was “likely exploited” on April 29 when $14.1 million worth of Bitcoin (BTC), Ether (ETH), Solana (SOL), and XRP was transferred to a new wallet under suspicious circumstances, according to a May 13 report from on-chain sleuth ZachXBT. The report comes two weeks after the reportedly suspicious transactions took place.

Rain co-founder AJ Nelson confirmed on X that the transfers were caused by an attacker. Nelson claimed that all assets have been replaced from the team's own funds and that the exchange is running normally.

Rain is a centralized crypto exchange headquartered in Bahrain. It specializes in serving customers from Southwest Asia and the Middle East. According to regional news site The National, Rain has recorded over $1 billion in trading volume since its inception.

ZachXBT’s official Telegram channel reported that the transferred funds “were quickly transferred to instant exchanges and swapped for BTC and ETH” before being deposited to two destination addresses on the Bitcoin and Ethereum networks. The Ethereum address, which ends in 6c28, is currently holding approximately 1,881 ETH, worth $5.5 million at the current price. The Bitcoin address, which ends in prp2, is holding 137.9 BTC, worth $8.6 million at the current price.

According to Arkham Intelligence data, the Ethereum destination address received its funds from an address ending in d609. The d609 address, in turn, received the funds from several Bitgo multisignature wallets. Arkham has not explicitly labeled these wallets as belonging to Rain.

On April 29, these Bitgo wallets posted 26 separate transactions, sending ETH and a variety of tokens to the address ending in d609. More than 590 ETH ($1.7 million at the current price) was sent, as well as approximately 20 billion Shiba Inu ($481,000), 12,500 Chainlink ($169,000), $240,000 Tether (USDT), and $500,000 USD Coin (USDC).

These tokens were immediately swapped for ETH on Uniswap. As these swaps were being carried out, the account continued to receive more tokens from the Bitgo wallets, including Aave (AAVE), Yearn Finance (YFI), MakerDAO (MKR), and other tokens.

The account also received funds from a Binance hot wallet.

Cointelegraph contacted Rain for comment but did not receive a response by the time of publication.

After publication, Nelson confirmed on X that the transfers were caused by a “security incident.” Nelson emphasized that Rain is regulated by the Central Bank of Bahrain and the Abu Dhabi Global Market, which requires it to always hold reserves in a 1:1 ratio to customer deposits. The team “plugged the hole immediately from its own reserves,” and the exchange is “running as normal [...] throughout the time of the event.” The exchange is currently working with law enforcement to recover the funds, he stated.

Hacks and exploits continue to pose a risk for crypto users. On May 6, Gnus.AI lost more than $1.27 million when its Discord server became compromised and a private key was leaked. On May 13, cybersecurity firm Kaspersky reported that the North Korean hacker organization Kimsuky has launched a new “Durian” malware that specifically targets crypto firms.

Update 2:34 pm UTC on May 14: This article has been updated to include a public comment from Rain co-founder AJ Nelson.

