Dear SOMESING Community Members,
First and foremost, the SOMESING team extends its sincere apologies for the considerable concern caused to the SOMESING community and other industry members due to the hacking incident involving SSX tokens on January 27. Despite the SOMESING team’s ongoing and earnest endeavors to remove the investment warning flag on SSX, the SOMESING team expresses profound regret regarding DAXA’s decision to delist SSX.
Regarding the DAXA’s decision to delist SSX, we would like to provide insight into the actions taken by the team subsequent to the hacking incident and the details submitted by the SOMESING team to DAXA to request the rescindment of the investment warning flag on SSX, to the best of our ability.
1. Chronology of the Hacking Incident
In the early hours of January 27, 2024, an unforeseen attack by an unidentified group of hackers resulted in the withdrawal of foundation-owned, undistributed SSX tokens, planned for circulation by the end of 2025, to external wallets. Promptly upon recognizing the hacking incident at 10:02 AM on January 27, we notified all Korean domestic and foreign exchanges and urgently requested the suspension of deposits and withdrawals. Through collaboration with Uppsala Security, an official partner of Interpol, we traced the movement of stolen SSX. Subsequently, it was determined that about a total of 730M SSX were pilfered from 18 foundation-owned wallets, with approximately 670M SSX transferred to the HTX exchange, 10M SSX to the Gate exchange, and 55M SSX to a wallet believed to be controlled by the hackers. The final analysis report from Uppsala Security was submitted to DAXA on February 7, appended to the project’s clarification dossier.
Given that the majority of the stolen SSX was deposited into the HTX exchange, we furnished 23 wallet addresses, presumed to be associated with the hackers, to the HTX exchange via telegram hotline and official email, urging immediate account freezing. Confirmation of freeze completion was received from the exchange. Similarly, the wallet address receiving the pilfered 10M SSX was relayed to the Gate Exchange, resulting in account suspension upon confirmation. The wallet containing the remaining 55M stolen SSX, believed to be under the control of the hackers, was shared with all Korean domestic and foreign exchanges and the Klaytn Foundation, accompanied by a request for immediate freeze. As of this announcement, it has been confirmed that the aforementioned 55M SSX remains stored in the wallet without further transfer.
Concurrently, on January 27, following the hacking incident, initial data outlining the incurred damage was compiled and reported to the Cyber Investigation Unit of the National Police Agency without any hesitation. On the same day, a visit was made to the responsible police station to file an offline report. Additionally, the hacking incident was reported to the Korea Internet & Security Agency (KISA), with ongoing analysis of the incident’s background. Moving forward, we pledge full cooperation with law enforcement authorities and relevant agencies, including the National Police Agency, Interpol in all investigative endeavors pertaining to the hacking incident and the recovery of stolen assets.
2. SOMESING team’s Measures to Monitor Excessive Circulating Supply of SSX
On February 1st, the SOMESING team submitted an amended circulating supply plan to each exchange to reflect the unexpected increase in circulating supply resulting from the hacking incident. Through collaborative efforts with the Xangle team, real-time monitoring of circulating supply based on the updated plan in the Live Watch resumed in a ‘Normal’ state from 10 AM on February 7, 2024.
3. Hacking Path Analysis
On January 16, 2024, a phishing email impersonating one of the Korean Exchanges where SSX is listed was received by the exchange response staff within the SOMESING team. Due to the sender and email address being identical to previous legitimate correspondence from the exchange, and the content mirroring previous emails, a representative from SOMESING opened the attachment of the phishing email on January 17th without doubt. Subsequently, the attached file was downloaded and executed. On January 18, upon verification with a Korean Exchange representative, it was confirmed that the email was indeed fraudulent. Promptly, the email was shared with the relevant exchange, and both the email and its attachments were deleted. A thorough V3 inspection was conducted as a precautionary measure.
Since January 29, after the hacking incident occurred, digital forensics has been conducted on the device suspected of being hacked through a KOSDAQ-listed security company. According to the security company’s final analysis report, this hacking incident was caused by North Korea. It has been confirmed that the ‘Kimsuky’ group, one of the hacking groups in North Korea, carried out an attack targeting the SOMESINg Project. As it was confirmed that a hacking attack was carried out due to a phishing email impersonating one of the Korean exchanges, the relevant exchange sent a warning email to all listed projects on February 1 asking them to be careful about phishing emails, and the email included the phishing mail image that SOMESING project shared with the exchange.
The malicious code deployed on the PC, which fell victim to the hacking attack via a phishing email impersonating an exchange, is presumed to be a novel malicious code downloader not yet cataloged in the V3 antivirus security database. Consequently, V3 antivirus software was unable to fully eradicate it, effectively addressing only a portion of the malicious code stored in its security database. This discrepancy has been verified in our investigation. Despite conducting a thorough V3 scan on a terminal infected with the malicious code as part of our internal probe, no malicious code was detected. Moreover, the security company’s analysis report corroborateed the challenge users face in identifying the presence of running malicious code on their terminals.
4. SOMESING team’s Response to DAXA Clarification Data Request
In light of the hacking incident, the actual circulating supply volume surpassed the team’s previously announced plan, significantly undermining investor and community trust, a core tenet we have steadfastly pursued. Nonetheless, prior to the hacking incident, the SOMESING team had been at the vanguard of disclosure, revealing circulating supply volume for the first time among projects via Market Cap API integration with the Upbit Exchange. Additionally, SOMESING was the inaugural DApp to proactively introduced Xangle’s Live Watch solution, establishing a real-time monitoring system for SSX and future circulating supply plans, while strictly adhering to the predefined plan without over-distribution of SSX.
After DAXA’s issuance of the investment warning flag on SSX on January 29, the SOMESING team diligently submitted all available materials on February 7, February 13, and February 22 in response to DAXA’s request for clarification materials. These materials encompassed comprehensive details of the hacking incident, preventive measures adopted by the team, the SOMESING team’s measures for investor protection, and the overarching project response to the hacking incident.
In particular, to strengthen system security and virtual asset management measures to prevent the recurrence of the hacking incident, we submitted the following information as part of the clarification material on February 7th.
‘The project immediately implemented the following security measures to prepare for similar system hacking attacks and to better protect the foundation’s virtual assets. In preparation for additional hacking attacks on the management system, we strengthened the security of our internal system by signing a security control service contract with the security control specialist company. Through this, we aim to quickly identify and take countermeasures through the control system for individual security issues related to the internal system and safely protect the overall project system from external hacking attacks. In addition, we strengthened system security by signing a contract to add four functions (IPS, antivirus, web filtering, and malware) to the FortiGate firewall that was already introduced and operated in the project.
Furthermore, to ensure the secure management of the foundation’s virtual assets, we have centralized the management of virtual assets by transferring the entire SSX balance to the wallet of Korea Digital Asset (referred to as KODA hereinafter) and subsequently withdrawing and utilizing it from the KODA wallet following legal approval procedures in accordance with the future circulating supply plan. This initiative has been done, with sequential transfers of virtual assets to KODA wallets commencing on February 2, 2024. The addresses of these KODA wallets are also being integrated into Xangle’s Live Watch platform to enable real-time monitoring of SSX circulation volume.’
Furthermore, the SOMESING team acknowledges full responsibility for the hacking incident associated with the project. As part of the clarification material submitted to DAXA, the team has presented the following additional action plans to demonstrate its dedication to rebuilding trust.
1) Burning of SSX held by management members
To express our sincere apologies for the recent hacking incident and our determination to restore trust, we agreed to voluntarily donate and burn the SSX held by individual key executive members. This SSX burning is scheduled to be carried out within the 1Q 2024, and details such as the exact SSX amount and the schedule of the burning will be notified in advance.
2) Implementing a ‘Zero Reserve’ policy
In alignment with the SOMESING project’s initial white paper, we intend to implement a ‘Zero Reserve’ policy by burning all remaining SSX reserves presently held in the KODA wallet among the tokens allocated to the project reserve. This is not a simple burning of uncirculated SSX tokens but is part of a policy based on future business and operation plans and is an implementation plan for the project to restore trust from investors and the community. Through this, we will ensure that the market value of SSX is not diluted due to excessive circulating supply volume in the future, and we aim to preemptively eliminate concerns about additional future distribution volume that investors and communities may have. Detailed schedule and progress regarding ‘Zero Reserve’ implementation will also be announced through the official community channel.
2) Implementation of permanent SSX burning model
In the SOMESING app service, 40% of the total SSX accumulated through SSX sponsorship of other users for song content created and posted by users is accumulated in the platform wallet as service sales revenue for the project. In addition, SSX sales revenue will also be generated in additional services using SSX and Dex/Swap according to future business development. We would like to permanently introduce a model in which a certain percentage of SSX generated from project sales is burned on a quarterly basis. The ratio of SSX to be burnt against SSX sales revenue, as well as the actual burning schedule, will be announced via prior notification through the official community channel.
4) Immediate SSX burning upon recovery of the stolen SSX
Wallet addresses currently identified as hacker-owned have been reported to all Korean domestic and foreign exchanges. In the event of successful asset recovery through collaboration between law enforcement authorities and exchanges, recovered SSX will be promptly burnt to mitigate the current market circulating supply volume. Alternatively, other virtual assets exchanged through stolen SSX will be utilized to repurchase SSX in the market, with the repurchased SSX subsequently burnt. We will also immediately notify the community of the progress related to the recovery of the stolen SSX through the official community channel. The SOMESING team will make every possible effort to track and recover stolen assets and plans to continue cooperating with all relevant legal enforcement, including investigative agencies.
As previously elucidated, before the hacking incident, the SOMESING team spearheaded proactive and diligent endeavors to transparently disclose circulating supply volume to both investors and the community. This was achieved through the integration of circulation volume API with Upbit exchange and voluntary onboarding on Xangle Live Watch. We firmly believe that industry stakeholders are cognizant of our concerted efforts to securely manage the virtual assets held by the SOMESING team, as evidenced by our status as the inaugural customer company of KODA Custody. We wholeheartedly acknowledge and profoundly reflect upon the SOMESING team’s responsibility for the occurrence of an unforeseen hacking incident due to inadequate management. However, despite our earnest determination to address the situation and sincere efforts to provide clarification, we find ourselves unable to accept the rationale presented by DAXA for the delisting of SSX.
In light of this, the SOMESING team intends to initiate legal proceedings to request a provisional injunction aimed at suspending the delisting of SSX by the exchanges in question. We will diligently provide updates regarding the progress of these legal proceedings through separate notifications.
Thank you,
SOMESING Team
