The Rain cryptocurrency exchange experienced a suspected security breach on April 29, resulting in the transfer of $14.1 million worth of Bitcoin (BTC), Ether (ETH), Solana (SOL), and XRP to a suspicious new wallet. On-chain investigator ZachXBT reported this incident on May 13, two weeks after the suspicious transactions occurred.
AJ Nelson, co-founder of Rain, confirmed that the transfers were caused by an attacker. However, Nelson assured that all assets have been replaced using the exchange’s own funds and that the platform is operating normally. Rain is a centralized crypto exchange based in Bahrain, catering to customers from Southwest Asia and the Middle East. Since its establishment, Rain has achieved a trading volume of over $1 billion, according to regional news site The National.
ZachXBT’s official Telegram channel disclosed that the transferred funds were swiftly moved to instant exchanges and converted into BTC and ETH before being deposited into two destination addresses on the Bitcoin and Ethereum networks. The Ethereum address, ending in 6c28, currently holds approximately 1,881 ETH worth $5.5 million. The Bitcoin address, ending in prp2, holds 137.9 BTC worth $8.6 million.
According to data from Arkham Intelligence, the Ethereum destination address received its funds from an address ending in d609. This address, in turn, received the funds from several BitGo multisignature wallets. However, Arkham Intelligence did not explicitly label these wallets as belonging to Rain.
On April 29, these BitGo wallets conducted 26 separate transactions, sending ETH and various tokens to the address ending in d609. The total amount sent was over 590 ETH ($1.7 million), along with approximately 20 billion Shiba Inu ($481,000), 12,500 Chainlink ($169,000), $240,000 Tether (USDT), and $500,000 USD Coin (USDC).
These tokens were immediately exchanged for ETH on Uniswap. Meanwhile, the account continued to receive more tokens from the BitGo wallets, including Aave (AAVE), Yearn Finance (YFI), MakerDAO (MKR), and others. Additionally, the account received funds from a Binance hot wallet.
Cointelegraph reached out to Rain for comment, but no response was received at the time of publication. However, Nelson later confirmed that the transfers were the result of a “security incident.” He emphasized that Rain is regulated by the Central Bank of Bahrain and the Abu Dhabi Global Market, which require the exchange to maintain reserves in a 1:1 ratio to customer deposits. Nelson stated that the team promptly addressed the issue using their own reserves and that the exchange is fully operational. He also mentioned that Rain is cooperating with law enforcement to recover the funds.
Incidents of hacks and exploits continue to pose risks for crypto users. For instance, Gnus.AI lost over $1.27 million when its Discord server was compromised and a private key was leaked. Additionally, cybersecurity firm Kaspersky reported that the North Korean hacker group Kimsuky has unleashed a new malware called “Durian,” specifically targeting crypto firms.
Update 2:34 pm UTC on May 14: This article has been updated to include a public comment from Rain co-founder AJ Nelson.

