Crypto Exchange Hacks in Review: Proactive Steps and Expert Advice
Top five biggest exchange hacks and a chronicle of 2018. What is the modern crypto exchanges’ response to the “burn in hell” message from Vitalik Buterin?
Has the cryptocurrency exchange you typically trade on already been hacked? If not yet, it is highly possible that it will be. Centralized exchanges, which Vitalik Buterin wished would “burn in hell,” can manipulate users' funds and face regular attacks, while decentralized ones seem not yet to have found a balanced compromise between security and usability. At the same time, the experience of traditional banks in ensuring cybersecurity is still not in demand within the crypto industry, which leads to the theft of millions of dollars of users’ funds or to data breaches, like the incident that happened to Atlas Quantum account owners on Aug. 25.
The top five attacks on crypto exchanges are well known to traders and have been studied by cybersecurity specialists around the world. The list is headed by Mt. Gox, which has recently started accepting refund claims from the traders affected by the hack.
Founders: Jed McCaleb, Mark Karpeles
Funds stolen: 1.35 million BTC
Mt. Gox was first hacked in 2011, and then again in 2014. The hackers compromised the account of an auditor of the exchange. In the first case, 500,000 BTC, equivalent to $8.75 million, were stolen from user accounts and from the depository after the exchange’s database was hacked. In the second case, attackers managed to withdraw far more: 850,000 BTC.
Civil investigators, unfamiliar with the subtleties of the cryptocurrency industry, were able to confirm the movement of only 200,000 BTC, which hackers transferred to their wallet after altering the nominal value of one Bitcoin to one cent. What happened to the rest of the assets is still unknown. The exchange terminated its operations in February 2014, and the affair dealt three heavy blows to the Bitcoin exchange rate: in 2011, the cryptocurrency’s price fell from $32 to several cents; in 2014, from $720 to $550; and in 2018, Mt. Gox arbitration manager Nobuaki Kobayashi sold a total of 35,841 BTC into a falling market, accelerating its decline. The recent actions of the Mt. Gox administration infuriated the deceived users, who demanded that it "just give the people their money in BTC!"
Some cryptocurrency exchanges strengthen their defences by working with trustworthy security auditors who have proven hack-proofing expertise and white hat skills. They prefer to work with one contractor in relation to audits, DDoS mitigation, scans and site updates.
This minimizes the risk of audit-related vulnerabilities and of access to stored funds falling into the wrong hands. For higher protection, additional banking tools are used, such as segregated master wallets, cold storage, layers of withdrawal authorization, IP address verification and email confirmation, two-factor authentication (2FA) at login and a crypto debit card, all of which can be used to verify payments and user logins to the exchange.
iBitt COO Chris Schwarzenbach shared with Cointelegraph that the highest level of cybersecurity is only possible with a centralized exchange service, which has the development resources, security team, hidden servers and responsive control necessary to run military-grade security for a crypto exchange.
Founder: Roman Shtylman
Funds stolen: 24,000 BTC
BitFloor suffered the second largest hack in crypto history back in September 2012. It all started when the exchange’s server crashed, either under a DDoS attack or because of a power outage in the data center, as its owner Roman Shtylman claimed.
Four days later, the hackers used a backup copy of the key to the exchange’s hot wallet, where traders’ funds were stored, and withdrew 24,000 BTC. Shtylman made an unsuccessful attempt to compensate the victims by selling a stake in BitFloor, but could not find an interested party. In 2013, the exchange closed, leaving the affected investors with nothing.
According to security experts, BitFloor made two errors at once that led to such a severe financial loss. The first was storing the data in unencrypted form, which Shtylman honestly confessed to, and the second, which only aggravated the situation, was leaving large sums of money in an online-accessible hot wallet.
The simplest action any exchange can take to prevent the theft of coins is to keep the majority of its funds in “cold storage,” which ensures that private keys never touch any computer accessible from the internet. ThomasV, the lead developer of the Electrum client, provided seven key recommendations for cryptocurrency exchanges:
- Don’t store more Bitcoin outside cold storage than you can afford to lose and remain solvent
- Deposits should be sent to cold storage addresses directly
- Transfer from cold storage to hot storage should be manual only
- An attacker shouldn’t be able to disguise a theft as a series of withdrawals from customers
- If a withdrawal request exceeds the amount available in the hot wallet, the customer should have to wait. Receiving coins 24 hours later is better than never
- Clone your database to a place where an attacker cannot irreversibly modify or delete it from the server
- Send digitally signed account statements to customers regularly, using a key that is not on the public server
Founder: Tristan D'Agosta
Funds stolen: 97 BTC
Poloniex takes third place in the long list of victims. In May 2017, hackers discovered a critical vulnerability in the exchange’s software: withdrawal requests sent simultaneously were automatically processed regardless of the account balance. The owner of Poloniex, Tristan D'Agosta, did not name the exact amount stolen, but announced that total users’ funds at the time of the hack were reduced by 12.3 percent, or 97 BTC.
To cover the losses, Poloniex had to cut all users’ balances by this amount. These funds were temporarily frozen and then returned to users out of personal funds, with the exchange’s fees raised by 1.5 percent. Users found this decision acceptable, and Poloniex preserved its reputation and continued to operate, periodically undergoing minor attacks. The exchange now belongs to the American payment company Circle.
Tristan D’Agosta publicly revealed in a BitcoinTalk post what crucial mistakes the administration had made:
“The major problem here was that withdrawals should have been queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously. Additionally, auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.”
D’Agosta also advised on precautionary measures to prevent such irreversible damage and shared the new changes in the exchange’s security system:
“Withdrawals and order creation have been switched to a queued method, where the first step is to add the task to a global execution queue that is processed sequentially. Each step of critical database operations is verified before proceeding, and such operations are in the process of being converted to transactions. I have hired additional developers to help with tightening up security at Poloniex, as well as created a bug bounty.”
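The following is an added example, written for this article and not Poloniex's code or anything from the quoted posts: a toy withdrawal engine that reproduces the simultaneous-processing bug described above (2 BTC deposited, 10 BTC withdrawn, -8 BTC left, and a sum-only audit that is happy with it) next to the queued, step-by-step checked processing D'Agosta adopted, with the hot-wallet cap and deferral rule from ThomasV's list folded in. The ledger, users and amounts are constructed.

```python
from collections import deque


class Ledger:
    """Toy exchange ledger. Balances and the hot-wallet float are constructed sample data."""

    def __init__(self, balances, hot_wallet):
        self.balances = dict(balances)        # user -> spendable balance
        self.deposits = dict(balances)        # opening balance counted as a deposit
        self.withdrawn = {u: 0 for u in balances}
        self.hot_wallet = hot_wallet          # coins reachable online right now
        self.deferred = deque()               # withdrawals waiting for a cold->hot top-up

    def _debit(self, user, amount):
        self.balances[user] -= amount
        self.withdrawn[user] += amount
        self.hot_wallet -= amount


def process_simultaneously(ledger, requests):
    """Vulnerable pattern: every request is validated against the same snapshot
    before any of them is applied, which is what check-then-act code does when
    requests run concurrently. Five requests for 2 BTC each pass a 2 BTC balance
    check, so the account ends at -8 BTC. Returns the number approved."""
    approved = [(u, a) for u, a in requests if ledger.balances[u] >= a]
    for user, amount in approved:
        ledger._debit(user, amount)
    return len(approved)


def process_queued(ledger, requests):
    """Hardened pattern: one global queue, one request at a time, balance
    re-checked at each step. A request larger than the hot wallet is deferred,
    not failed ("receiving coins 24 hours later is better than never").
    Returns (paid, rejected, currently deferred)."""
    queue = deque(requests)
    paid = rejected = 0
    while queue:
        user, amount = queue.popleft()
        if amount <= 0 or ledger.balances[user] < amount:
            rejected += 1
            continue
        if amount > ledger.hot_wallet:
            ledger.deferred.append((user, amount))   # wait for a manual cold->hot transfer
            continue
        ledger._debit(user, amount)
        paid += 1
    return paid, rejected, len(ledger.deferred)


def refill_hot_wallet(ledger, amount):
    """Manual cold->hot transfer (an operator action, never automatic), then the
    deferred requests are drained through the same checked path."""
    ledger.hot_wallet += amount
    pending = list(ledger.deferred)
    ledger.deferred.clear()
    return process_queued(ledger, pending)


def audit_sum_only(ledger):
    """The audit as described in the quote: deposits minus withdrawals must equal
    the balance. 2 - 10 == -8 satisfies it, so the theft is never noticed."""
    return all(ledger.deposits[u] - ledger.withdrawn[u] == ledger.balances[u]
               for u in ledger.balances)


def audit_negative_balances(ledger):
    """The missing check: any balance below zero is an incident, full stop."""
    return sorted(u for u, b in ledger.balances.items() if b < 0)


if __name__ == "__main__":
    racy = Ledger({"alice": 2, "bob": 50}, hot_wallet=100)
    process_simultaneously(racy, [("alice", 2)] * 5)
    print(racy.balances["alice"], audit_sum_only(racy), audit_negative_balances(racy))
    safe = Ledger({"alice": 2, "bob": 50}, hot_wallet=20)
    print(process_queued(safe, [("alice", 2)] * 5 + [("bob", 30)]))
```

Running the script prints `-8 True ['alice']` for the simultaneous path and `(1, 4, 1)` for the queued one: one payout, four rejections, and Bob's 30 BTC held back until an operator tops up the hot wallet.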
Founders: Merlak brothers
Funds stolen: 19,000 BTC
In 2015, Bitstamp lost 19,000 BTC, which were stolen by hackers from the exchange’s hot wallet. At that time, the losses were equivalent to $5 million. Surprisingly, a banal phishing attack was used: exchange employees received personal emails and Skype messages from seemingly friendly sources.
What is perhaps even more surprising is that the person responsible for security, Bitstamp system administrator Luka Kodrich, clicked the link and downloaded malware onto his work computer, after which the exchange was hacked. Bitstamp hurried to notify traders about what was happening; however, the attackers had already stolen the funds. No compensation followed, but the security regime was toughened, which helped the exchange recover quickly. To develop multisignature protection, Bitstamp partnered with BitGo.
Now, carrying out transactions on Bitstamp requires using multisignature, and 98 percent of the cryptocurrency is stored in a cold wallet.
Country: British Virgin Islands
Founder: Rafael Nicole
Funds stolen: 120,000 BTC
Bitfinex became the victim of hackers in August 2016. Unknown attackers used a bug in the multisignature system, which was supported by its partner company BitGo. The hackers deceived the BitGo algorithms in an unknown way, forcing them to approve transactions, and withdrew about 120,000 BTC from the hot wallet, worth the equivalent of $72 million at the exchange rate of the time.
The Bitfinex founders told users that the financial losses would be distributed among all of them, with 36.067 percent of each user’s coins frozen. These funds were later compensated with BFX tokens, which could be converted into U.S. dollars at the exchange rate or into shares of iFinex Inc., which belongs to the Bitfinex founder. This chosen, and seemingly proper, policy has helped the exchange remain among the top exchanges to this day.
Emin Gün Sirer, a well-known computer scientist, specialist in security research and professor at Cornell University, suggested a solution that does not break Bitcoin's all-too-critical irreversibility when dealing with strangers, but allows someone to take back his funds in the event of a hack:
“The special thing about vaults is that they come with two keys. One key is used to unlock the vault and move your funds to a regular wallet. The other one, called a recovery key, is used when you notice that your funds were hacked and moved out of the vault by a hacker. You can then use your recovery key to undo the hack — you have 24 hours to notice and launch the recovery and get back all the funds. Notice that you cannot fool a merchant with this trick and revert a real transaction. All you can do is take back your own money from someone who is trying to steal it. If I may say so myself, it's a pretty ingenious scheme. It's almost like someone ought to work on it.”
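To make the two-key vault concrete, here is an added toy model (a constructed example, not Sirer's design, not Bitcoin script, and not from the article): withdrawals leave the vault into a pending state and only settle into a spendable wallet after the 24-hour window, during which the recovery key can pull them back; funds that have already settled are final, so a real payment cannot be reverted.

```python
from dataclasses import dataclass, field

UNVAULT_DELAY = 24 * 3600   # the 24-hour window from the quote, in seconds


@dataclass
class Vault:
    """Two-key vault state machine. Keys are plain strings here only to keep the
    model small; a real scheme would use signatures."""
    balance: int             # coins still inside the vault
    unlock_key: str          # key that starts a vault -> wallet transfer
    recovery_key: str        # key that can claw back transfers still in the window
    pending: list = field(default_factory=list)   # (amount, ready_at)
    wallet: int = 0          # settled, freely spendable coins
    recovered: int = 0       # total pulled back by the recovery key

    def unvault(self, key, amount, now):
        """Start moving `amount` out of the vault; it becomes spendable at now + delay."""
        if key != self.unlock_key or amount <= 0 or amount > self.balance:
            return False
        self.balance -= amount
        self.pending.append((amount, now + UNVAULT_DELAY))
        return True

    def settle(self, now):
        """Pending transfers whose window has elapsed land in the wallet.
        Returns the wallet balance afterwards."""
        still_pending = []
        for amount, ready_at in self.pending:
            if ready_at <= now:
                self.wallet += amount
            else:
                still_pending.append((amount, ready_at))
        self.pending = still_pending
        return self.wallet

    def recover(self, key, now):
        """Recovery key returns every transfer still inside its window to the vault.
        Settled funds are untouched, so an honest payment stays final.
        Returns the amount recovered."""
        if key != self.recovery_key:
            return 0
        self.settle(now)                      # anything already final stays final
        amount = sum(a for a, _ in self.pending)
        self.pending.clear()
        self.balance += amount
        self.recovered += amount
        return amount
```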
Chronicle of 2018
Despite all the hopes of the crypto community, the year has brought nothing new to the established practice of securing exchange sites, and 2018 has been marked by numerous attacks carried out with new, sophisticated hacking tricks. According to the Wall Street Journal, since the beginning of the year hackers have managed to steal more than $800 million, and they are not going to stop there.
Founders: Koichiro Wada, Yusuke Otsuka
Funds stolen: 523 million NEM
Coincheck was attacked by hackers in the last days of January 2018. The target, as in most cases, was the hot wallet of the exchange, from which 523 million NEM tokens were stolen. Despite all the previous examples, the exchange continued to keep users' funds, and even its own funds, in a hot wallet and did not use multisignature for protection.
Will the hackers cash out the stolen funds? Hardly. The crypto community united after this theft and finally began to actively exchange information in order to prevent further movement of the stolen funds. In particular, the ShapeShift instant exchange service banned the exchange of NEM coins. Other services followed this example, since the 11 anonymous addresses to which the stolen tokens had been transferred were tagged with the label "coincheck_stolen_funds_do_not_accept_trades: owner_of_this_account_is_hacker," so it is not difficult to track any transaction made by the hackers. The investigation of the incident and the development of compensation options for users are continuing.
Coincheck’s example emphasized the importance of properly organized storage of users’ funds on the exchange. Security layers and warning triggers are a must for any exchange service, says Nick Moore, CEO at Investa, a U.K. crypto exchange which also operates debit cards and ATMs:
“We hold minimal coins in our hot wallets and operate a time delay on withdrawals with a manual review process, so the ability to hack an account and the amount of coins held on the exchange are low. The risk of loss is minimized through the manual procedures of moving coins to cold storage when we identify that any excess funds have accumulated and are not needed for immediate liquidity. Storing the funds on cold wallets ensures they cannot be hacked, and keeping a minimal float in hot wallets helps to save the liquidity.
“I’m sure users don’t mind waiting a little longer for their withdrawals, when they realize that this is one of the best ways to fight the hackers.”
Founder: Francesco Firano
Funds stolen: $170 million
On Feb. 13, BitGrail lost $170 million in Nano (XRB) as a result of hacking attacks. At the same time, the founders of the exchange started a public discussion with developers of Nano's blockchain in order to define which side was responsible for the bug that led to the hack.
The developers of the cryptocurrency accused BitGrail of paying insufficient attention to security, in particular the absence of an authentication procedure for users. Later the exchange stopped working and turned the investigation over to the police.
The authorities of Florence confiscated all the cryptocurrency from the BitGrail deposit to secure the claim of the affected users, and the Nano Foundation promised to take part in the protection of their interests and compensation for losses.
Country: South Korea
Founder: Lee Nuss
Funds stolen: $40 million
Coinrail fell victim to a hacking attack on June 10, 2018 and lost a total of $40 million in 11 cryptocurrencies. Immediately after the attack, the representatives of the exchange were not ready to provide any intelligible information, so the details of the theft were revealed by participants in the Pundi X project, whose tokens were also among those stolen.
A month later, on July 15, the exchange resumed trading and offered the victims two compensation schemes: a gradual refund through the purchase of stolen cryptocurrency and compensation with Coinrail RAIL tokens, which can then be converted into a cryptocurrency at the inner rate.
Rik Ferguson, an analyst at cybersecurity firm Trend Micro, believes the problem lies in the weakness of the development teams, insufficient cybersecurity education of staff and poor investment in fraud analytics:
“By and large these exchanges are small businesses and they are most often in permanent startup mode, facilitating transactions. These organizations have small security teams, if they have one at all, little to no experience in securing a financial institution and generally a very large, attractive pile of money.”
Country: South Korea
Founder: Kim De Shi
Funds stolen: $30 million
Bithumb was hacked on June 19, just a few days after it updated its security systems. $30 million, which was 10 percent of the total trading volume, was stolen by the attackers. This is the second incident in the chronicle of Bithumb. The first occurred on June 29, 2017, when the personal data of 30,000 users — equivalent to three percent of all the users by that time — was compromised. Hackers tried to access users' one-time passwords, but the exchange froze trades and made changes to the security system.
At the same time, Bithumb spends eight percent of its profits on security and strictly follows the "5.5.7" rule, under which five percent of employees are IT specialists with confirmed expertise, five percent possess the skills to ensure cybersecurity, and at least seven percent of the company’s profits are spent on protecting its funds.
At the time of the hack, the exchange had discovered a potential threat and was already moving users' funds to a cold wallet. Affected traders were promised compensation from the personal funds of the Bithumb administration.
Charlie Lee, in a tweet, expressed hope for the restoration of the exchange and gave users concise advice for avoiding such situations:
“As I've said many times, be smart and only keep on exchange coins that you are actively trading. It's best to withdraw right after trading.”
Founder: Guy Benarzi
Funds stolen: $23 million
Bancor, a decentralized exchange created in opposition to the centralized ones at which Vitalik Buterin recently directed his angry "burn in hell" statement, was attacked by hackers on July 9, 2018. Notably, this happened a day after the exchange, in an official Twitter post, expressed full agreement with Vitalik Buterin about centralized solutions and stated that decentralized exchanges are the future.
"Burning in hell" is a bit extreme, but we do agree with @VitalikButerin that #decentralized solutions — such as Bancor — are the future of #blockchain and value exchange. https://t.co/XLqtc82H19 pic.twitter.com/ZuKKbKFwmM— Bancor (@Bancor) July 8, 2018
From the exchange’s hot wallet, hackers withdrew a total of $23.5 million, made up of Bancor’s own BNT tokens ($10 million, almost half of the total), Ethereum ($12.5 million) and Pundi X ($1 million). The BNT tokens were immediately frozen, which caused a flurry of criticism from the cryptocurrency community, because such actions directly contradict the principle of decentralization. Charlie Lee summed up the overall view on Twitter, pointing out that Bancor can manipulate users’ funds.
A Bancor wallet got hacked and that wallet has the ability to steal coins out of their own smart contracts. 🤦♂️— Charlie Lee [LTC⚡] (@SatoshiLite) July 10, 2018
An exchange is not decentralized if it can lose customer funds OR if it can freeze customer funds. Bancor can do BOTH. It's a false sense of decentralization. https://t.co/22UYygIhEF
As for users’ tokens, Bancor immediately formed a coalition with the instant exchange service Changelly, through which the hackers had tried to withdraw funds. Transactions were frozen there as well.
How do banks deal with this?
Classic banks and banking services have been subject to various attacks since their emergence — that is, for several centuries. And over this time, they have been learning to resist such threats. The only difference is that 50 years ago, banks were attacked by criminals such as Bonnie and Clyde, and now they are attacked by hackers and internet scammers.
Classic banks follow the "5.5.7" formula and have international information security standards — for example, CobiT, which is considered entry level and is then supplemented by numerous internal regulations and scenarios for responding to intervention attempts.
Ruslan Yusufov, director of special projects at Group-IB, is sure that incident response must include both systems and an early warning and response plan that lets all employees act in accordance with regulations in the event of an incident. This is how it works in the banking sector. A similar scheme was used by the Bancor exchange, which instantly froze its own tokens, identified the services through which the withdrawal was planned, and entered into a coalition with them to freeze the stolen assets.
Criticism on the part of the crypto community in this case is less important than efforts to preserve the investors’ funds.
According to statistics, hackers attacking crypto exchanges use tools that have been repeatedly tested on fiat banks. A study of 400 successful hacking attacks on blockchain systems showed that popular banking trojans like TrickBot, Vawtrak, Qadars, Triba and Marcher were slightly modified for crypto exchanges and brought the hackers success in this way as well.
Nevertheless, the security systems of classical banks successfully resist hackers, and the established practice of tracking transactions allows customers to recover stolen funds. Why not borrow this experience? Unfortunately, in ICO teams, including those that create cryptocurrency exchanges, there is not a single IT specialist with experience in the field of bank information security.
Is it possible to return the money?
As practice shows, after powerful hacking attacks, crypto exchanges most often use three ways to compensate the affected users:
1. Rollback to a previous state or freeze transactions (Bitstamp, Ethereum and Bancor did this, but this contradicts the principle of blockchain’s irreversibility).
2. Compensation at the expense of other users (this way was chosen by Poloniex).
3. Return the funds of the exchange from its own profit or by issuing exchange tokens (Bitfinex and Coinrail).
Thus, stable, large exchanges that are interested in continuing their operations will offer newer and newer ways of compensating for lost funds. And this is good news for the cryptocurrency industry. Clearly, the practice of exchange owners hiding the details of a theft from the community and then disappearing themselves is slowly being abandoned.
Will cryptocurrency exchanges cope with the problem of hacking attacks any time soon? Absolutely not. There are two main approaches to hacking exchanges. The first is to gain access to accounts and restricted functionality by hacking the founders' accounts and then using malicious programs from the arsenal of bank attacks. The second is an attack on the infrastructure of the exchange itself, by hacking the web application that links the client to his money on the exchange servers or by attacking the so-called hot wallets.
Consequently, the protection of digital assets can be achieved by the joint efforts of users and crypto banks serving the turnover of cryptocurrencies. Bancor's head of public relations, Nate Hindman, made a statement after the hack:
“These mechanisms include a real-time blacklist that tracks offending addresses and stolen assets, as well as an emergency fund that compensates projects when thefts occur. There is plenty more to do here and we look forward to working with our peers across the industry to make everyone [is] stronger and smarter as we move forward together. Collaboration is not just a concept, it’s a practice — and we are grateful for the support and assistance.”
At the same time, Hindman believes that it is impossible to completely eliminate the possibility of hacking attacks, since attackers develop their own strategies along with the crypto industry, but these attacks can be resisted if market participants unite for joint actions and exchange of information.
As for ordinary users, the tips for protecting digital assets from hackers are well known:
- Do not keep funds in hot wallets.
- Choose well-known exchanges that disclose security policies.
- Use the functionality provided by the exchange to the maximum, including 2FA.
- Distribute funds between several wallets and exchanges.
Cryptocurrency exchanges are probably hacked so often because it is easy to do, and punishment for it is not yet regulated. The more exchanges are attacked, the more people are left without money, and someone gets away with it. But this year, things may change, since all of this has started to seriously concern regulators at the state and even global scale.
Along with the G20, a whole series of summits devoted to regulating the activity of crypto exchanges is being held. For example, Joshua Hong, one of the authors of the Futurama Blockchain Innovators Summit concept, told Cointelegraph:
“There are many unreported hacking incidents of major exchanges. So, from the perspective of regular user, we do not know how severe the level of hacking [is] for most exchanges. For example, Bithumb was recently hacked, but its trading volume or commission revenue didn't seem to get affected at all. On the other hand, other exchanges had to shut down their operation after a single blow of hacking.”
Exchange leaders react positively to such initiatives. One of them, Bithumb investment strategist Alex Lee, expressed his personal interest in taking part in such discussions:
“[The] best answers to the problems in our industry can be found through proactive sharing of each other's stories in highly personable ways. So, no matter what the issues are, be it crypto exchanges getting hacked or regulators feeling the pressure from disgruntled token investors who lost money, the solution can be found through community interactions and honest, open conversations.”