Silkjaer

Thank you!

If you didn't make the payment, someone else did. How it happened is difficult to say (where/how did you store your wallet backup files, private keys etc), have you ever typed in the private key on an insecure website, is your computer infected with a keylogger or other malware, ever typed in the private key while connected to a public wifi …?

One lead you could follow with law enforcement is that r3ne9vXa93RNH6VrJEj7hMtRoBt1pVV4PK was activated by Binance (they would have a record of who), and the same account also transferred money to Wirex (who also should have a record of who). This account has both sent and received money from the account you mention (rLDFYFYG3D1dDwyXPyx3v498zEKCxSHZWM)

There has been multiple crypto theft related arrests the last months, but to my knowledge none has been related to this event. Could be a "mixup" of information

Thank you

r9Be4diPqgUcdPNPvzY1rFTTATLFhFeKSF is a https://changenow.io account, so it is only natural they still have account activity. ChangeNOW have confirmed they have frozen some of the stolen XRP.

21 million

Not sending funds much around, changing accounts quite often etc. So only slight changes in how they operate.

We've been contacted by a victim of June 27, so while we thought that the perpetrators were done this was a cue to look into movements to see if there were other thefts we didn't know about. Perpetrators have changed tactics and we have been able to identify several thefts, the latest being July 7, and the stolen amount is now close to 26M.

Likely only the secret key is stored in encrypted form, but looking at session data also “personal identifiable information” such as email addresses, is stored and accessible with the API.

Total amount 15 REP – looks like xrpcharts is confused about the USD value of REP In other words, they are payments of REP IOU's issued by Gatehub, and apparently xrpcharts think that the USD value per REP is ~38M, rather than ~15.

You can add the ALV trustline in a different account and move it

On Gatehub you either create a new XRPL account (wallet), and they generate an address and private key for you, or you import an existing XRPL account by entering your address and private key. When you trade on Gatehub (or send money, add trustlines …) their software is doing it for you – and it couldn't without knowing the private key. However, they do not store this private key in "plain text", but encrypted with your password. So Gatehub cannot do anything with your account for you – only when you have signed in and decrypted the private key for the active session. Since we have not received any details from Gatehub yet, except for an explanation of an API exploit, we (XRP Forensics) still find the most likely scenario to be a database hack (scenario 7 in https://medium.com/xrp-forensics/overview-of-the-gatehub-hack-f88a441c9203). Either this hack happened a long time ago, and the hacker has spent years brute forcing the encrypting private keys OR the database also contained user information (hashed user passwords, e-mail addresses etc), and have cracked as many passwords as possible. If the latter, the cracked passwords could be used to decrypt the private keys. We have long believed that the database could have been sold on the dark web, making the hackers and the thieves two different groups of people. If this is the case, the API exploit is only a "symptom" of the real problem.

We have published an updated summary

Also if they use a KYC service provider that does all the processing?