From Coincheck to Bithumb: 2018’s Largest Security Breaches So Far

On June 19, Bithumb, South Korea’s number one crypto exchange, was hacked. The attackers stole cryptocurrencies worth $30 million, making it one of the largest heists of the year so far. While the exchange has already promised to compensate its users, the damage has been done: yet again, it has become evident that even the biggest players cannot guarantee total safety.

Indeed, the crypto world hasn’t been the same since the Mt. Gox collapse. Still, it comes down to how these attacks are handled in the aftermath: while some go MIA or start diffusing the responsibility, others choose to rebuild their reputations step-by-step, steadily making amends with the community. Here’s how the largest hacks of 2018 so far have happened, and what their consequences have been.

Bithumb

Bithumb: “No damage” to the customers
When: June 2018
Hacker’s prize: $30 million worth of cryptocurrencies
Outcome: Drop in rating

On June 19, Bithumb, South Korea’s biggest crypto exchange, was hacked. Over 35 billion won (about $30 million) worth of cryptocurrencies was stolen. At the time of the attack, Bithumb was ranked as the sixth largest exchange by trade volumes globally but has since dropped to 10th place.

According to Cointelegraph Japan, the hackers hijacked Bithumb’s hot wallet. Coincidentally, the exchange started moving “all of asset[s]” to a cold wallet in order to upgrade its security system on June 16, days prior to the attack.

Once Bithumb’s team realized their service was being hacked, it halted all deposit and withdrawal services. In an official announcement made on June 21, the crypto exchange confirmed its intention of reimbursing the users affected of the theft. Moreover, Bithumb stated that their wallet system was undergoing “a total change” in order to prevent further attacks and claimed that there will be “no damage” to its customers as a consequence of the theft, emphasizing its strict separation of customer and company assets.

According to reports from local media, the country’s Ministry of Science and Technology has launched an investigation into the hack. Reportedly, the Korea Internet & Security Agency (KISA) also got involved in order to figure out how exactly the attack occurred, working closely with local police and other agencies. Allegedly, authorities have also sent officers to Bithumb’s offices in Seoul to collect data and records from the company’s computers.

The hijack occurred just weeks after Bithumb was cleared by the South Korean government, which found no evidence of wrongdoing at Bithumb after a three-month investigation, but ordered the exchange to pay 30 billion won (approximately $28 million) in taxes.

Bithumb has been hacked before. In July 2017, the personal data of 30,000 customers was stolen due to an employee’s computer becoming compromised, while some users reported losses as well.

Coinrail

Coinrail: Danger of FUD
When: June 2018
Hacker’s prize: 40 billion won (approximately $37.2 million)
Outcome: Mainstream media overreaction

When South Korean exchange Coinrail was hacked, the mainstream media reacted in full force. Bloomberg, the Wall Street Journal, Reuters and the Guardian all linked the cyber attack with the price drop of Bitcoin and altcoins — Bitcoin lost around 11 percent of its value at the time — albeit recognizing that Coinrail was a rather small operation, being the 99th largest crypto exchange at the time. Moreover, none of those articles mentioned another possible explanation of the price drop, such as U.S. regulators’ probe into price manipulation in the crypto market, which was happening at the same time. That, of course, outraged the community.

It was reported that Coinrail lost around 40 billion won ($37.2 million) worth of cryptocurrency, including 21 billion won worth of Pundi X and 14.9 billion won worth of Aston coins. As local news outlet Sedaily points out, Coinrail removed parts about reimbursement from its terms of service a week prior to the attack. However, the exchange reportedly explained the removal by saying that it was working with the government to revise the terms of the contract.

According to the exchange’s website, 70 percent of its assets have been transferred to cold storage, and “about 80 percent” of the stolen coins have been frozen or withdrawn in some way, as the exchange is under “system maintenance.” Coinrail plans to reopen around July 15.

Verge

Verge: Ignorance is bliss
When: April-May
Hacker’s prize: 35 million XVG (about $1.7 million)
Outcome: Damaged reputation

Privacy-focused cryptocurrency Verge (XVG) has been hacked twice — thrice, considering that its Twitter account was taken over in March, as well — in the past few months.

In the beginning of April, reports about Verge being hacked started to emerge. Apparently, the attackers exploited a bug that allowed the manipulation of block mining timestamps. Using the code’s flaw, they had the ability to create illegitimate coins out of nowhere, stealing 250,000 XVG as a result. Verge called the incident “a small hash attack” and claimed that funds were only exploitable for three hours. On Bitcointalk.org, a member of the Verge team wrote “we're kinda glad this happened and that it wasn't as bad as it could have been.” In response, the message board user OCMiner noticed that developers apparently ‘resolved’ it by accidentally launching a hard fork. XVG lost about 25 percent of its value in reaction to the news.

On May 21, Verge was hacked again, as its team tweeted that their mining pools were under a DDoS attack. This time, 35 million XVG (about $1.7 million) was stolen over a period of a few hours, and XVG went down by a little over 14 percent.

OCMiner, who called attention to the first security breach, pointed out Verge’s vulnerability on the message board again, stating that “since nothing really was done about the previous attacks (only a band-aid), the attackers now simply use two algos to fork the chain for their own use and are gaining millions.” XVG’s price is at $0.026131 as of press time, its lowest for the past three months, according to Coinmarketcap.

Coincheck

Coincheck: Compliance and transparency
When: January
Hacker’s prize: 532 million NEM coins
Outcome: Coincheck survived the hack and the FSA pressure, was bought

In January, the Tokyo-based exchange Coincheck was hacked. Coincheck had to freeze all operations after it lost 523 million NEM coins — worth approximately $534 million at the time — on January 26. The coins were lifted through several unauthorized transactions from a hot wallet (according to Coincheck representatives, the hackers managed to steal the private key for it) where NEM coins were being stored, enabling them to drain the funds. Later in the day, NEM Foundation president Lon Wong called it "the biggest theft in the history of the world." Indeed, the Coincheck hack was larger than that of Mt. Gox by about $50 million in terms of stolen funds.

Soon after the security breach occurred, Coincheck held a press conference. There, the Coinbase team explained that NEM coins were indeed being held on a simple hot wallet rather than a much more secure multisig wallet, as the security setup differs between various coins on the exchange. They stressed that other cryptocurrencies on the platform were stored in multisig wallets and confirmed that the stolen funds belonged to customers. The Coincheck team also promised to refund their clients.

In March, a local news outlet — the Nikkei Asian Review — wrote that malware emails were sent to several members of Coincheck staff weeks before the attack, which might have opened the employee email system to allow the hackers to steal the private key.

In the aftermath of the attack, 10 crypto traders filed lawsuits in mid-February over Coincheck’s freezing of crypto withdrawals. 132 more crypto investors filed another lawsuit in early March, seeking around 228 million yen (around $2 million) in damages. Nevertheless, Coincheck made good on its promise, as in mid-March the exchange platform started to refund the affected customers and allowed the withdrawal and sale of certain cryptocurrencies.

During the process of handling the aftermath, Coincheck had shown full compliance with the FSA, Japanese regulatory body that oversees the crypto industry in the country. Soon after the cyberattack, the FSA conducted on-site inspections of 15 exchanges and sent business improvement orders to seven of these exchanges, including Coincheck. After the inspection, the exchange opted to drop three anonymity-based coins from its list.

In April, the traditional Japanese financial services provider Monex Group bought 100 percent of shares of Coincheck Inc, for 3.6 billion yen ($33.5 million). The new owner soon