Profiling the Security Holes of Cryptocurrency Exchanges and Lost Billion$

No doubt you have heard of hacks surrounding cryptocurrency exchanges and networks. But which are vulnerable? Where are the security holes? How much digital currency has simply evaporated into the ether? Let’s explore that! Below is a list of more than thirty five hacks of note since the infamous Mt. Gox in 2011.

Year Month Hack Locale Amount Stolen $ Value
2011 June Mt. Gox 8.75 Million
2011
October Bitcoin7 50 K
2012
March Bitcoinica 228 K
2012 May Bitcoinica 87 K
2012 July Bitcoinica 300 K
2012 September Bitfloor 250 K
2013 May Vicurex 160 K
2013 June PicoStocks 130 K
2013 November PicoStocks 3 Million
2014 February Mt. Gox 460 Million
2014 March Cryptorush 570 K
2014 March Poloniex 64 K
2014 March Bitcurex undetermined
2014 July Cryptsy 9.5 Million
2014 August BTER 1.65
2014 October MintPal 1.3 Million
2014 October KipCoin 690 K
2014 December BitPay 1.8 Million
2015 January 796Exchange 230 K
2015 January Bitstamp 5.2 Million
2015 April BTER 230 K
2016
May Shapeshift 2.14 M
2016 August Gatecoin 77 Million
2016 October Bitfinex 1.5 Million
2016 February Bitcurex 1 Million
2017 April Bithumb 5.3 Million
2017 February YouBit 1 Million
2017 December YouBit 17% of all assets
2018 January Coincheck 530 Million
2018 February BitGrail 187 Million
2018 May BitcoinGold 18 Million
2018 May Taylor 1.5 Million
2018 June Coinrail 40 Million
2018 June Geth 20 Million
2018 July Bancor 23.5 Million
2018 September Zaif 60 Million
2019 January Cryptopia 16 Million + 1675 ETH
2019 June Synthetix 37 Million sETH

Mt. Gox, the largest and most notable first-generation crypto exchange, was victim to the first (arguably most famous) cryptocurrency exchange hack. Following news of the heist, cryptocurrency pioneering leaders Jesse Powell and Roger Ver were called in to assist with the cleanup. Though the incident was significant enough to cause the value of bitcoin to plummet, Mt. Gox CEO Mark Karpeles didn’t seem to take the incident very seriously. Powell told Wired that Karpeles took the weekend off while the rest of the Mt. Gox team scrambled to bring the site back up.1

Enter Social Media. In the case of Bitstamp in 2015, hackers used social engineering attacks to gain sensitive credentials of individual users, specifically employees of Bitstamp. The credentials included date of birth, social security numbers, phone numbers, addresses, login identification, password and account addresses. Skype and email was used to target Bitstamp employees, by appealing to their hobbies and interests and luring the employees to download malicious software, also known as phishing.
Bitcoin gold proved that 51% attacks can plunder an exchange. Hackers simply use the 51% computing power to take control of a network. The 51% attackers initiate changes to a ledger, says Blockchain security firm Ciphertrace. The 51% attack uses weaknesses in POW (Proof of Work) algorithms.

The Bancor theft in 2018 proved that decentralized exchanges are not immune to hacks. A security flaw was exploited in a wallet intended to update Bancor’s smart contracts. The scheme worked and the hackers pillaged millions. Following the hack, Bancor was forced to shut down. That was one of the most prestigious ICOs of 2017, having raised over $153 million in investments during its token sale. The calendar year 2018 saw the greatest dollar valuation stolen in cryptocurrency. At almost $1 Billion, the crypto space was decimated. This was directly on the heels of the most exuberant fast-paced year of gains.

In June this year, 2019, it is being reported that the largest ever exchange hack may have actually been generated from Russian viruses rather than having been perpetrated by North Korea. The Coincheck breach and loss of over 500 million NEM tokens may have been penetrated in fact by Makes and NetWire malware. These malware allow malicious criminals to gain access to operating systems and remotely manipulate them. Group-IB earlier alleged a cybersecurity hack by North Koreans. However, under closer analysis, it appears that the hack is in fact an action by Russian and Eastern European cyber criminals.4
As of this publication, there is a new hack, one still being investigated and very deserving of scrutiny. In May of 2019, Binance, the exchange hosting its very own BNB token, was hacked. The thieves made off with at least 7,000 Bitcoin. Translation? $40 Million at the time. “The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time,” according to the post, written by Zhao Changpeng, Binance’s chief executive officer. “We must conduct a thorough security review. The security review will include all parts of our systems and data.”3 This has been denied (May 7th, 2019) and Binance has been quite defensive, assuring its customers of safe funds. Oddly, as of June 2019, Binance is going to ban all U.S. participants. That alone could be seen as a very telling sign. Perhaps there is a lack of AML participation and perhaps that has reason. Time, as we know, will tell.8
Synthetix was most recently attacked on June 24, 2019. It is a synthetic asset issuance platform built on Ethereum. The oracle attack involved a compromised 37 Million sETH. The true USD value is difficult to calculate both due to arbitrage bot trading and issuance as well as to the relative illiquidity of sETH. CEO of Synthetix, Kain Warwick, is facilitating limited information sharing at this time. From the Block Crypto, an earlier publication in June made it clear that while Synthetix was experiencing heightened popularity, the value of synthetic products still are difficult to value. This is risky for holders to begin with. We will keep an eye out as the story unfolds.9

So how do these hacks actually happen? Largely, they are data security breaches that go unnoticed or enter systems with already sloppy security practices. Some dangerous habits that preempt hacks include the storage of all assets in a third party exchange, either centralized or decentralized. As the adage goes, if you don’t hold your private keys your assets are not secure. Another indicator of risk to users is low or nonexistent two factor authentication, the misuse or absence of multiple signatures. Additionally, leaving assets in a hot wallet, which means storing crypto in a simple wallet connected to the internet (yes, even Jaxx or Cobinhood) is dangerous. There are no guarantees. The best practice for cryptocurrency users is to store assets on a ledger, trezor, keepkey or somehow in cold offline storage. This generally requires private keys, a seed code, a ledger, and a PIN. Be wise! Keep your assets safe!
 
REFERENCES:

1. https://coiniq.com/cryptocurrency-exchange-hacks/
2. https://www.wired.com/2014/03/bitcoin-exchange/ (How Could Mt. Gox Happen TWICE?!)
3. https://www.bloomberg.com/news/articles/2019-05-08/crypto-exchange-giant-binance-reports-a-hack-of-7-000-bitcoin
4. https://www.cncryptonews.com/russian-hackers-may-have-carried-out-largest-ever-crypto-exchange-theft/
5. https://www.group-ib.com/
6. What is Malware and Why is it Used? https://www.howtogeek.com/183642/who-is-making-all-this-malware-and-why/
7. https://ciphertrace.com/
8. https://www.tronweekly.com/binance-hack/
9. https://www.theblockcrypto.com/tiny/synthetix-suffers-oracle-attack-potentially-looting-37-million-synthetic-ether/