Crypto Prime Brokerage FPG Halts Withdrawals After Suffering a $15 million Cyber Attack

Updated: 15 June 2023

Disclosure

Don’t invest unless prepared to lose all the money you invest. This is a high-risk investment, you shouldn’t expect to be protected if something goes wrong.

Join Our Telegram channel to stay up to date on breaking news coverage

Floating Point Group (FPG), an institutional trading desk that specializes in cryptocurrencies, reported having suffered a cyber attack that caused it to lose over $15 million in cryptocurrency on Sunday.

FPG Falls Victim to Cyberattack, Freezing Operations

Barely six months ago, FPG announced that it had engaged an external auditor, Prescient Assurance, for a series of cybersecurity audits and penetration testing and was able to successfully earn a SOC 2 certification.

For a thorough cyber security audit of FPG’s FlowVault platform, the company also worked with CertiK, a pioneer in blockchain security, to conduct high-level audits. FPG was planning to make the audit results public for independent verification via Certik’s website once they were finished.

While hacks and breaches have become relatively common occurrences in the crypto industry, FPG was not expecting it having done so much due diligence on its systems.

The company broke the news on Twitter saying that they had been hacked and were cooperating with investigators to assess and analyze the level of loss. However, they estimated the loss of assets to be between $15 million and $20 million.

2/5 Our account segregation limited the overall impact of the attack. We have ceased trading, deposits, and withdrawals, out of an abundance of caution. Finally, we have notified law enforcement and are actively cooperating with them on this matter.

— Floating Point Group (@fpgcrypto) June 14, 2023

As a result of the attack, the company stated that it has halted all trading, deposits, and withdrawals to allow for a comprehensive investigation. This attack adds to this year’s list of exploits with the most recent one targeting Ethereum.

After learning about the attack, FPG explained that it immediately locked all third-party accounts and moved the contents of these accounts to reduce risk while the brokerage tried to determine what had happened.

According to the company, if it had employed any other operational dynamics other than its distinctive “account segregation” approach, the attack and its related impact would have been worse.

The renowned cryptocurrency prime brokerage, whose customers manage more than $50 billion worth of assets, revealed that it was engaging forensic analysts from various authorities to further analyze the situation and discuss the recovery of assets.

“We are working with the FBI, the Department of Homeland Security, our regulators, and Chainalysis to understand how this occurred and to recover assets. As this is an ongoing investigation with law enforcement, we cannot share specifics at this time,” FTG said.

The firm pledged to keep the public informed despite standard operating procedures dictating that the company only reveals certain details, considering active investigation is still ongoing.

FPG’s VASP registration in Danger

The attack places FPG’s Virtual Asset Service Provider (VASP) registration in the Cayman Islands, which was only been obtained in August of last year, in jeopardy. The company had managed to secure only up to 100 clients at the time of the attack.

The registration allowed the company to store client assets securely while guaranteeing that, in the unlikely event that the company went bankrupt, the assets would be shielded from its own creditors.

This attack comes less than a month after Arbitrum-based Jimbos Protocol was also exploited losing 4090 ETH worth over $7.54 million. The attack was made possible due to the lack of slippage control on liquidity conversions.

This is because the liquidity of the Jimbos protocol is invested in a price range that is not always equal. Therefore, according to PeckShield, this opens a security flaw that allows attackers to reverse swap orders to their own benefit.