No doubt you have heard of hacks surrounding cryptocurrency exchanges and networks. But which are vulnerable? Where are the security holes? How much digital currency has simply evaporated into the ether? Let’s explore that! Below is a list of more than thirty-five hacks of note since the infamous Mt. Gox hack in 2011.
| Year | Month | Hack Locale | Amount Stolen ($ Value) |
|---|---|---|---|
| 2011 | June | Mt. Gox | 8.75 Million |
| 2014 | February | Mt. Gox | 460 Million |
| 2017 | December | YouBit | 17% of all assets |
| 2019 | January | Cryptopia | 16 Million + 1675 ETH |
Mt. Gox, the largest and most notable first-generation crypto exchange, fell victim to the first (and arguably most famous) cryptocurrency exchange hack. Following news of the heist, cryptocurrency pioneers Jesse Powell and Roger Ver were called in to assist with the cleanup. Though the incident was significant enough to cause the value of bitcoin to plummet, Mt. Gox CEO Mark Karpeles didn’t seem to take it very seriously. Powell told Wired that Karpeles took the weekend off while the rest of the Mt. Gox team scrambled to bring the site back up. [1]
Enter social media. In the case of Bitstamp in 2015, hackers used social engineering attacks to gain sensitive credentials of individual users, specifically employees of Bitstamp. The credentials included dates of birth, social security numbers, phone numbers, addresses, login identification, passwords and account addresses. Skype and email were used to target Bitstamp employees by appealing to their hobbies and interests and luring them into downloading malicious software, a technique known as phishing.
Bitcoin Gold proved that 51% attacks can plunder an exchange. Hackers who hold 51% of the computing power can take control of a network. The 51% attackers then initiate changes to the ledger, says blockchain security firm CipherTrace. The 51% attack exploits weaknesses in PoW (Proof of Work) algorithms.
The Bancor theft in 2018 proved that decentralized exchanges are not immune to hacks. The attackers exploited a security flaw in a wallet intended to update Bancor’s smart contracts. The scheme worked and the hackers pillaged millions. Following the hack, Bancor was forced to shut down. It had been one of the most prestigious ICOs of 2017, having raised over $153 million in investments during its token sale. The calendar year 2018 saw the greatest dollar valuation stolen in cryptocurrency. With losses of almost $1 billion, the crypto space was decimated. This came directly on the heels of the most exuberant, fast-paced year of gains.
In June 2019, reports emerged that the largest-ever exchange hack may actually have originated with Russian viruses rather than having been perpetrated by North Korea. The Coincheck breach, and the loss of over 500 million NEM tokens, may in fact have been carried out with Mokes and NetWire malware. These malware families allow criminals to gain access to operating systems and manipulate them remotely. Group-IB had earlier alleged a cybersecurity hack by North Koreans. However, under closer analysis, it appears that the hack was in fact the work of Russian and Eastern European cyber criminals. [4]
As of this publication, there is a new hack, one still being investigated and very deserving of scrutiny. In May of 2019, Binance, the exchange hosting its very own BNB token, was hacked. The thieves made off with at least 7,000 Bitcoin. Translation? $40 Million at the time. “The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time,” according to the post, written by Zhao Changpeng, Binance’s chief executive officer. “We must conduct a thorough security review. The security review will include all parts of our systems and data.” [3] This has been denied (May 7th, 2019) and Binance has been quite defensive, assuring its customers that their funds are safe. Oddly, as of June 2019, Binance is going to ban all U.S. participants. That alone could be seen as a very telling sign. Perhaps there is a lack of AML participation, and perhaps there is a reason for that. Time, as we know, will tell. [8]
So how do these hacks actually happen? Largely, they are data security breaches that go unnoticed or that enter systems with already sloppy security practices. Dangerous habits that invite hacks include storing all assets on a third-party exchange, whether centralized or decentralized. As the adage goes, if you don’t hold your private keys, your assets are not secure. Other indicators of risk to users are weak or nonexistent two-factor authentication and the misuse or absence of multiple signatures. Additionally, leaving assets in a hot wallet, which means storing crypto in a simple wallet connected to the internet (yes, even Jaxx or Cobinhood), is dangerous. There are no guarantees. The best practice for cryptocurrency users is to store assets on a Ledger, Trezor, KeepKey or otherwise in cold, offline storage. This generally requires private keys, a seed code, a ledger, and a PIN. Be wise! Keep your assets safe!
- How Could Mt. Gox Happen TWICE?! https://www.wired.com/2014/03/bitcoin-exchange/
- What is Malware and Why is it Used? https://www.howtogeek.com/183642/who-is-making-all-this-malware-and-why/