Silkjaer

Thank you

r9Be4diPqgUcdPNPvzY1rFTTATLFhFeKSF is a https://changenow.io account, so it is only natural they still have account activity. ChangeNOW have confirmed they have frozen some of the stolen XRP.

21 million

Not sending funds much around, changing accounts quite often etc. So only slight changes in how they operate.

We've been contacted by a victim of June 27, so while we thought that the perpetrators were done this was a cue to look into movements to see if there were other thefts we didn't know about. Perpetrators have changed tactics and we have been able to identify several thefts, the latest being July 7, and the stolen amount is now close to 26M.

Likely only the secret key is stored in encrypted form, but looking at session data also “personal identifiable information” such as email addresses, is stored and accessible with the API.

Total amount 15 REP – looks like xrpcharts is confused about the USD value of REP In other words, they are payments of REP IOU's issued by Gatehub, and apparently xrpcharts think that the USD value per REP is ~38M, rather than ~15.

You can add the ALV trustline in a different account and move it

On Gatehub you either create a new XRPL account (wallet), and they generate an address and private key for you, or you import an existing XRPL account by entering your address and private key. When you trade on Gatehub (or send money, add trustlines …) their software is doing it for you – and it couldn't without knowing the private key. However, they do not store this private key in "plain text", but encrypted with your password. So Gatehub cannot do anything with your account for you – only when you have signed in and decrypted the private key for the active session. Since we have not received any details from Gatehub yet, except for an explanation of an API exploit, we (XRP Forensics) still find the most likely scenario to be a database hack (scenario 7 in https://medium.com/xrp-forensics/overview-of-the-gatehub-hack-f88a441c9203). Either this hack happened a long time ago, and the hacker has spent years brute forcing the encrypting private keys OR the database also contained user information (hashed user passwords, e-mail addresses etc), and have cracked as many passwords as possible. If the latter, the cracked passwords could be used to decrypt the private keys. We have long believed that the database could have been sold on the dark web, making the hackers and the thieves two different groups of people. If this is the case, the API exploit is only a "symptom" of the real problem.

We have published an updated summary

Also if they use a KYC service provider that does all the processing?

Nothing wrong with considering worst case scenarios. But likely Gatehub doesn't even store KYC material themselves. And I'd rather focus on more likely scenarios first, since the evidence on the XRPL doesn't point in that direction

You're describing a worst case scenario, but there is no reason to believe, or any indicators pointing to KYC material being stolen. The stolen funds has been processed through less than 20 exchanges, some of which don't have KYC requirements and are exchanging services. On other exchanges they have re-used old exchange accounts, that are connected to other criminal activity. The stressful boost in liquidating funds yesterday and today leaves much room for errors and slip-ups. I am convinced that law enforcement will have an easy job of finding at least some of the perpetrators behind the heist.

Comment on last paragraph: Lastest victim is from yesterday, latest cashout was today. Perpetrator is using more than 30 accounts. We prepared a chart of the thefts: