From Coincheck to Bithumb: 2018’s Largest Security Breaches So Far

On June 19, Bithumb, South Korea’s number one crypto exchange, was hacked. The attackers stole cryptocurrencies worth $30 million, making it one of the largest heists of the year so far. While the exchange has already promised to compensate its users, the damage has been done: yet again, it has become evident that even the biggest players cannot guarantee total safety.

Indeed, the crypto world hasn’t been the same since the Mt. Gox collapse. Still, it comes down to how these attacks are handled in the aftermath: while some go MIA or start diffusing the responsibility, others choose to rebuild their reputations step-by-step, steadily making amends with the community. Here’s how the largest hacks of 2018 so far have happened, and what their consequences have been.

Bithumb

Bithumb: “No damage” to the customers
When: June 2018
Hacker’s prize: $30 million worth of cryptocurrencies
Outcome: Drop in rating

On June 19, Bithumb, South Korea’s biggest crypto exchange, was hacked. Over 35 billion won (about $30 million) worth of cryptocurrencies was stolen. At the time of the attack, Bithumb was ranked as the sixth largest exchange by trade volumes globally but has since dropped to 10th place.

According to Cointelegraph Japan, the hackers hijacked Bithumb’s hot wallet. Coincidentally, the exchange started moving “all of asset[s]” to a cold wallet in order to upgrade its security system on June 16, days prior to the attack.

Once Bithumb’s team realized their service was being hacked, it halted all deposit and withdrawal services. In an official announcement made on June 21, the crypto exchange confirmed its intention of reimbursing the users affected of the theft. Moreover, Bithumb stated that their wallet system was undergoing “a total change” in order to prevent further attacks and claimed that there will be “no damage” to its customers as a consequence of the theft, emphasizing its strict separation of customer and company assets.

According to reports from local media, the country’s Ministry of Science and Technology has launched an investigation into the hack. Reportedly, the Korea Internet & Security Agency (KISA) also got involved in order to figure out how exactly the attack occurred, working closely with local police and other agencies. Allegedly, authorities have also sent officers to Bithumb’s offices in Seoul to collect data and records from the company’s computers.

The hijack occurred just weeks after Bithumb was cleared by the South Korean government, which found no evidence of wrongdoing at Bithumb after a three-month investigation, but ordered the exchange to pay 30 billion won (approximately $28 million) in taxes.

Bithumb has been hacked before. In July 2017, the personal data of 30,000 customers was stolen due to an employee’s computer becoming compromised, while some users reported losses as well.

Coinrail

Coinrail: Danger of FUD
When: June 2018
Hacker’s prize: 40 billion won (approximately $37.2 million)
Outcome: Mainstream media overreaction

When South Korean exchange Coinrail was hacked, the mainstream media reacted in full force. Bloomberg, the Wall Street Journal, Reuters and the Guardian all linked the cyber attack with the price drop of Bitcoin and altcoins — Bitcoin lost around 11 percent of its value at the time — albeit recognizing that Coinrail was a rather small operation, being the 99th largest crypto exchange at the time. Moreover, none of those articles mentioned another possible explanation of the price drop, such as U.S. regulators’ probe into price manipulation in the crypto market, which was happening at the same time. That, of course, outraged the community.

It was reported that Coinrail lost around 40 billion won ($37.2 million) worth of cryptocurrency, including 21 billion won worth of Pundi X and 14.9 billion won worth of Aston coins. As local news outlet Sedaily points out, Coinrail removed parts about reimbursement from its terms of service a week prior to the attack. However, the exchange reportedly explained the removal by saying that it was working with the government to revise the terms of the contract.

According to the exchange’s website, 70 percent of its assets have been transferred to cold storage, and “about 80 percent” of the stolen coins have been frozen or withdrawn in some way, as the exchange is under “system maintenance.” Coinrail plans to reopen around July 15.

Verge

Verge: Ignorance is bliss
When: April-May
Hacker’s prize: 35 million XVG (about $1.7 million)
Outcome: Damaged reputation

Privacy-focused cryptocurrency Verge (XVG) has been hacked twice — thrice, considering that its Twitter account was taken over in March, as well — in the past few months.

In the beginning of April, reports about Verge being hacked started to emerge. Apparently, the attackers exploited a bug that allowed the manipulation of block mining timestamps. Using the code’s flaw, they had the ability to create illegitimate coins out of nowhere, stealing 250,000 XVG as a result. Verge called the incident “a small hash attack” and claimed that funds were only exploitable for three hours. On Bitcointalk.org, a member of the Verge team wrote “we're kinda glad this happened and that it wasn't as bad as it could have been.” In response, the message board user OCMiner noticed that developers apparently ‘resolved’ it by accidentally launching a hard fork. XVG lost about 25 percent of its value in reaction to the news.

On May 21, Verge was hacked again, as its team tweeted that their mining pools were under a DDoS attack. This time, 35 million XVG (about $1.7 million) was stolen over a period of a few hours, and XVG went down by a little over 14 percent.

OCMiner, who called attention to the first security breach, pointed out Verge’s vulnerability on the message board again, stating that “since nothing really was done about the previous attacks (only a band-aid), the attackers now simply use two algos to fork the chain for their own use and are gaining millions.” XVG’s price is at $0.026131 as of press time, its lowest for the past three months, according to Coinmarketcap.

Coincheck

Coincheck: Compliance and transparency
When: January
Hacker’s prize: 532 million NEM coins
Outcome: Coincheck survived the hack and the FSA pressure, was bought

In January, the Tokyo-based exchange Coincheck was hacked. Coincheck had to freeze all operations after it lost 523 million NEM coins — worth approximately $534 million at the time — on January 26. The coins were lifted through several unauthorized transactions from a hot wallet (according to Coincheck representatives, the hackers managed to steal the private key for it) where NEM coins were being stored, enabling them to drain the funds. Later in the day, NEM Foundation president Lon Wong called it "the biggest theft in the history of the world." Indeed, the Coincheck hack was larger than that of Mt. Gox by about $50 million in terms of stolen funds.

Soon after the security breach occurred, Coincheck held a press conference. There, the Coinbase team explained that NEM coins were indeed being held on a simple hot wallet rather than a much more secure multisig wallet, as the security setup differs between various coins on the exchange. They stressed that other cryptocurrencies on the platform were stored in multisig wallets and confirmed that the stolen funds belonged to customers. The Coincheck team also promised to refund their clients.

In March, a local news outlet — the Nikkei Asian Review — wrote that malware emails were sent to several members of Coincheck staff weeks before the attack, which might have opened the employee email system to allow the hackers to steal the private key.

In the aftermath of the attack, 10 crypto traders filed lawsuits in mid-February over Coincheck’s freezing of crypto withdrawals. 132 more crypto investors filed another lawsuit in early March, seeking around 228 million yen (around $2 million) in damages. Nevertheless, Coincheck made good on its promise, as in mid-March the exchange platform started to refund the affected customers and allowed the withdrawal and sale of certain cryptocurrencies.

During the process of handling the aftermath, Coincheck had shown full compliance with the FSA, Japanese regulatory body that oversees the crypto industry in the country. Soon after the cyberattack, the FSA conducted on-site inspections of 15 exchanges and sent business improvement orders to seven of these exchanges, including Coincheck. After the inspection, the exchange opted to drop three anonymity-based coins from its list.

In April, the traditional Japanese financial services provider Monex Group bought 100 percent of shares of Coincheck Inc, for 3.6 billion yen ($33.5 million). The new owner soon announced plans for international expansion. So, overall, Coincheck seems to have rebounded after the massive hit.

BitGrail

BitGrail: Let’s play the blame game (and get sued)
When: February
Hacker’s prize: 17 million XRB tokens
Outcome: Firms wallets seized through court

On February 8, Italian cryptocurrency exchange BitGrail claimed that $195 million worth of customers’ cryptocurrency in Nano (XRB, formerly known as Raiblocks) was stolen in what could be perhaps the shadiest hack on this list, as the blame is still being shifted between BitGrail founder Francesco Firano and the Nano development team.

Essentially, a day after BitGrail was ‘hacked,’ and 17 million XRB tokens were drained from the exchange’s wallets, Nano developers made an official comment showing that BitGrail’s owner and operator Francesco “The Bomber” Firano had asked for the coin’s ledger to be altered.

“[...] Firano informed us of missing funds from BitGrail’s wallet. An option suggested by Firano was to modify the ledger in order to cover his losses — which is not possible, nor is it a direction we would ever pursue,” Nano wrote in a Medium post.

The Nano team then published alleged evidence that some of the withdrawals Firano claimed were the result of a hack had occurred as early as October of 2017. Firano denied those findings, which are contestable because Nano does not record transaction dates directly to its blockchain. At one point, he implied that transactions were somehow removed and restored in a later date, which is technically unattainable due to the nature of blockchain.

In an interview with Cointelegraph, Firano also stated that it would be “impossible to refund the stolen amount” and argued that the timestamp technology of Nano and that the block explorer of the cryptocurrency is not reliable. The Nano blockchain network did a re-synchronization of its nodes, providing every block or transaction missing before January 19 with timestamps. This suggested that all transactions were, in fact, recorded accurately.

Nevertheless, BitGrail users still haven’t received a definitive answer as to what precisely lead to the incident, and they headed to the courtrooms. On April 5, a class action lawsuit was filed in the U.S. on behalf of investors. The Nano team supported them, stating that they would even help pay the lawyer bills of those who sought to battle BitGrail in court.

In March, after legal pressure was applied, BitGrail announced plans to refund their users, but only if those users stopped trying to sue the exchange. In a press release, BitGrail said that, “the use of the platform for the victims of the theft will be bound by the signature of a settlement agreement. The latter will be characterized by an expressed renouncement from the users to every type of legal action, and will have to be formalized through the compilation of a form.”

Thus, Bitgrail intended to pay back its users by creating a token, Bitgrail Shares (BGS). The customers who were affected by the heist were refunded 20 percent of their lost amount in XRB, with the remaining 80 percent supposed to be covered by BGS. Nonetheless, BitGrail once again claimed that they are not taking the responsibility for the hack, continuing to point fingers at Nano and its alleged protocol problems.

On June 15, the BitGrail case took another turn, as the BTC stored in the firm’s wallets were confiscated by Italian law authorities. The funds were removed following a court order by the Tribunal of Florence on June 5, but did not mention the current value of the seized assets. The court order was triggered by a petition filed by the victims of the BitGrail hack.

MyEtherWallet, BlackWallet and Binance

Smaller hacks: MyEtherWallet, BlackWallet and Binance

In January, a DNS hijack led to hackers stealing $400,000 worth of Stellar Lumen (XLM) coins from wallets of Blackwallet.co. The attackers took over the service’s hosting server and changed settings to send the coins to their address.

Similarly, over $150,000 worth of ETH was stolen in the DNS attack on crypto wallet MyEtherWallet (MEW) in April. The attack recalled the allegations of a DNS hack levelled at MEW in January by the developers of altcoin Ethereum Blue, radically denied at the time by MEW team, who called it “a stupid lie.”

On March 7, the users of Binance, the world’s largest crypto exchange by trading volume, were affected by a hack of third-party software. That resulted in unauthorized transactions being made from their accounts. However, as CEO of Binance Changpeng Zhao soon declared, all users’ funds were safe, and the exchange returned to operating normally. On March 11, Binance said it was offering $250,000 in Binance Coin (BNB) for the first person to supply the information that would result in the legal arrest of the attacker.