What Exchanges Can Do to Enhance Security in the Aftermath of the Binance Breach

Binance reported having lost 7,000 in a single transaction on 5/7/2018. However, a review of that transaction, compared with the one after and several before, gives reasons to want to see more clarification on whether they actually did not lose more than what was in that single transaction.

(Source: https://binance.zendesk.com/hc/en-us/articles/360028031711-Binance-Security-Breach-Update)

Looking at that transaction, it becomes clear that those losses are the abnormally large amounts that were sent to the bc1q* addresses.

(Source: blockchain.com)

Clicking on that hot wallet address, and filtering by sent transaction also reveals that the next transaction also has a large amount sent to a bc1q address; as did several transactions before that, going even as far back as a day before. (Note that it could very well be the case that these are normal transactions where the owners did intend to send those amounts to those bc1 addresses, and they just happen to frequently be the largest in the transaction group; it just seems a bit unusual.)

(Source: blockchain.com)

This led to a search of what these bc1q* addresses are, which are longer than the typical bitcoin addresses, and do not seem to be searchable on blockchain.com. It turns out that those addresses are actually known to be associated with bitcoin mail fraud. (There is more information on these Bech32 type bitcoin addresses here! Which brings us to the point of why there weren't any transaction screens already in place that would have easily flagged that anomalous transaction, and what improvements the industry can glean from this episode.

(Source: http://mokagio.github.io/tech-journal/2014/11/21/regex-bitcoin.html)

Can Exchanges be Doing More to Enhance Security

Blockchain transactions and the encryption required to send or receive assets are quite secure, and besides issues related to miner-type attacks are one of the most secure ways of sending and receiving transactions today. However, a lot of security breaches still do occur; and a large amount of these through exchanges. These occur through compromises of the user's own accounts, or exchange's own account - actions that have nothing to do with the security of the blockchain itself, or what is referred to as onchain transactions.) These hacks negatively impacts perceptions of the technology as a whole. It also leads to secondary loss of value as was witnessed during the MtGox hack, which brought down the values of most assets, beyond what was actually lost. It is therefore in everyone's interests to see exchanges improve on security.

Security Measures That Could Have Mitigated the Current Hack

Some exchanges rely on manual review of all outgoing transactions. Obviously, this is expensive due to the manpower requirement of such review. It is also slow, for any exchange that has significant number of users. For exchanges that automate outgoing transactions, some form of automated review, searching for known threats would help mitigate some types of attacks, such as this. This could be combined with artificial intelligence that detects unusual transaction patterns to stop and flag them for manual review. For the current case, the following search measures would have probably helped:

• Inordinately large amounts in one single transaction all going to one or the same type of accounts (such as bc1q* in this case)
• Have security professionals that stay one step ahead of the technology and various threats, and knowledgeable in the industry. Those would have known about threats from those who use these addresses, and might have implemented and kept an alert query on for transactions going to those addresses in particular.
• Random manual review of outgoing transactions
• AI software that does pattern recognition so that even yet unknown threats can be detected, based on new and unusual patterns that could show up in future.

Using AI to Detect Anomalous Transaction Patterns

This section is simply to clarify the use of the term AI, in order to not abuse the term as is popularly done recently. Here, it refers to the use of GA-based machine learning formulations which learn the regular patterns of transactions by ingesting in all transaction patterns as far back as the data is available. The algorithms are then able to detect patterns that have not occurred before or deviate significantly from those that have previously been observed. Anyone interested in greater details of how this works can consult the second half of the book by Goldberg titled "Genetic Algorithms". I have written and maintained such algorithms before, and they are a powerful tool that exchanges involved in a lot of such public facing applications and APIs should probably add to their toolkits as part of detecting and further reviewing irregular transactions.

(It should be noted that some technical details of the hack also probably needs to be disclosed to fully understand what happened here. For instance, some users pointed out that the limit for withdrawals even for a full KYC is 100BTC, and so some of those withdrawals seen in that transaction from the hot wallet should normally have been prohibited.)

---

Disclaimer
While I do a lot of technology work that covers a lot of areas, I am not currently dedicated to working on application or blockchain security and this information should not be taken as recommendation that would solve any specific application or blockchain setup. I am also not a financial advisor and this content is only intended for educational purposes and is not investment advise.