- The hack, which took place on 13 December 2019 and resulted in more than 6.9 million VET being stolen, is under control according to the latest statements from VeChain.
- There is a detailed blacklist and the known accounts are frozen.
- VeChain works together with the largest exchanges to avoid further dumping and selling of the stolen capital.
- Furthermore, Jay Zhang and Sunny Lu will waive 50% of their pay for the entire next year to bear the consequences of the hack.
On December 13, 2019, due to the carelessness of a VeChain Foundation employee, more than one billion VET Tokens were stolen from a wallet. An employee is said to have made a mistake when creating the private key, so that it could be stolen. More than one billion VET-Tokens could be stolen from a wallet of the buyback program.
469 addresses of the thief identified
Immediately after the hack, VeChain took several security measures and immediately contacted relevant exchanges and the “Hacken-Team”. The exchanges were informed that they should immediately freeze funds from the identified addresses so that the hackers would not have the opportunity to sell the captured VET tokens or cause greater damage.
The “Hacken-Team” consists of more than 2,000 whitehat hackers who helped track down the funds and notified the exchanges. Thanks to the quick response from OceanEx, Binance, Huobi, Kucoin, Bitrue, Bitfinex, Bittrex and other exchanges, it has so far been possible to prevent the thief from manipulating the market. Nevertheless the thief took further measures, as VeChain describes in the current article (freely translated):
Nevertheless, the thief escalated the action in the next few days, such as creating thousands of new wallets with small amount of tokens to wash the stolen funds and launching DDoS attacks to VeChainStats’ blacklist and etc.
VeChain has convened an urgent internal meeting of the Steering Committee of Secretary General Sunny Lu to discuss current preventive security measures. After much discussion, the Steering Committee voted and approved a motion to contact all Authority Masternode and release an emergency patch, i.e. VeChainThor v1.1.5, on December 18th, so that the Authority Masternode can vote on whether or not to agree to a temporary lockdown of the addresses controlled by the thief.
The owners of the Authority Masternode have reacted positively to this proposal and thanks to a quick response the patch was implemented within 72 hours. All Authority Master Nodes have confirmed that they will implement the blacklist. This makes it almost impossible for the thief to move the stolen funds.
Currently 469 addresses and 737 million VET tokens are in the possession of the thief and are blocked by the Authority Master Nodes. VeChain continues to work on recovering all funds that have been transferred to exchanges.
Consequences of the hack and further proceedings
VeChain will have the community vote on what to do with the blocked addresses and the funds contained therein. In accordance with the recently adopted VeChain Governance Charter, the Steering Committee is convinced that a vote is needed in which all stakeholders participate.
Therefore, VeChain will shortly announce a vote by all stakeholders on whether the blocking list introduced in VeChainThor v1.1.5 should be permanently implemented to ban these 469 contaminated addresses and to deduct the 727 million burned tokens from the total and outstanding balance forever.
The employee responsible for the error has been held accountable. Furthermore, Jay Zhang will step down from his position as CFO and be replaced by the current financial controller. In addition, Jay Zhang and Sunny Lu will waive 50% of their remuneration in 2020, as they too, according to VeChain, indirectly share responsibility for the incident.
Furthermore, the team has submitted a plan to revise VeChain’s complete security:
The Foundation team has decided on internal remediation and improvement plans to further strengthen the digital asset security management from both technical and procedural perspectives. And this private key theft has put our incident response procedure into a real-life test, and we will also take the opportunity to further improve the process.
Recently, VeChain had published a new decentralized voting platform VeVote, which is to be used for future decision-making processes. This platform will also be used for voting on the implementation of VeChainThor v1.1.5. Furthermore VeChain could win a new partner from China with the Anhui Tea Industry Association.
VET’s price has been trending sideways (+ 1.40%) for the last 24 hours and stood at USD 0.0055 at the time of writing.