Crypto Exchange Hacks in Review: Proactive Steps and Expert Advice
31 August 2018, 18:47
Has the cryptocurrency exchange you typically trade on already been hacked? If not yet, it very likely will be. Centralized exchanges, which Vitalik Buterin wished would “burn in hell,” can manipulate users' funds and face regular attacks, while decentralized ones do not yet seem to have found a balanced compromise between security and usability. At the same time, the experience of traditional banks in ensuring cybersecurity is still not in demand within the crypto industry, which leads to the theft of millions of dollars of users' money or to data breaches, like the incident that happened to Atlas Quantum account owners on Aug. 25.
The top five attacks on crypto exchanges are well known to traders and have been studied by cybersecurity specialists around the world. The list is headed by Mt. Gox, which has recently started accepting refund claims from the traders affected by the hack.
Mt. Gox
Country: US
Founders: Jed McCaleb, Mark Karpeles
Funds stolen: 1.35 million BTC
Mt. Gox was first hacked in 2011, and then in 2014. The hackers compromised the account belonging to an auditor of the exchange. In the first case, 500,000 BTC — equivalent to $8.75 million — were stolen from the accounts and from the depository as a result of the exchange’s database being hacked. In the second case, attackers managed to withdraw much more — 850,000 BTC.
Civil investigators, unfamiliar with the subtleties of the cryptocurrency industry, were able to confirm the movement of only 200,000 BTC, which hackers transferred to their wallet by altering a nominal value of one to one cent. What happened to the rest of the assets is still unknown. The exchange terminated its operation in February 2014, which resulted in three powerful blows to the Bitcoin exchange rate. Thus, in 2011, the cryptocurrency price fell from $32 to several cents; in 2014, from $720 to $550; and in 2018, Mt. Gox arbitration manager Nobuaki Kobayashi sold a total of 35,841 BTC into a falling market, accelerating its further fall. The recent activities of the Mt. Gox administration infuriated the deceived users, who demanded to "just give the people their money in BTC!"
Protection advice
Some cryptocurrency exchanges strengthen their defences by working with trustworthy security auditors who have proven hack-proofing expertise and white hat skills. They prefer to work with a single contractor for audits, DDoS mitigation, scans and site updates.
This minimizes the risk of an audit-related vulnerability, or access to stored funds, falling into the wrong hands. For higher protection, additional banking tools are used — such as segregated master wallets, cold storage, layers of withdrawal authorization, IP address verification and email confirmation, two-factor authentication (2FA) login and a crypto debit card, which can all be used to verify payments and user logins to the exchange.
iBitt COO Chris Schwarzenbach shared with Cointelegraph that the highest level of cybersecurity is only possible with a centralized exchange service, which has the development resources, security team, hidden servers and responsive control necessary to run military-grade security for a crypto exchange.
BitFloor
Country: US
Founder: Roman Shtylman
Funds stolen: 24,000 BTC
BitFloor suffered the second largest hack in crypto history back in September 2012. It all started when the exchange’s server crashed, either under a DDoS attack or because of a power outage in the data center — as was claimed by its owner Roman Shtylman.
Four days later, the hackers used a backup copy of the key to the exchange's hot wallet, where the traders' funds were stored, and withdrew 24,000 BTC. Shtylman made an unsuccessful attempt to compensate the victims by selling a stake in BitFloor's property, but could not find an interested party. In 2013, the exchange closed, leaving the affected investors with nothing.
Protection advice
According to security experts, BitFloor made two errors at once that led to such a severe financial loss. The first was storing the data in an unencrypted way — which Shtylman honestly confessed to — and the second, which only aggravated the situation, was leaving large sums of money in an online-accessible hot wallet.
The simplest action to be done by any exchange in order to prevent the theft of coins is to keep the majority of its funds in “cold storage,” which ensures that private keys never touch any computer accessible from the internet. ThomasV, the lead developer of the Electrum client, provided seven key recommendations for cryptocurrency exchanges:
Don’t store more Bitcoin outside cold storage than you can afford to lose and remain solvent
Deposits should be sent to cold storage addresses directly
Transfer from cold storage to hot storage should be manual only
An attacker shouldn’t be able to disguise a theft as a series of withdrawals from customers
If a withdrawal request exceeds the amount available in the hot wallet, the customer should have to wait. Receiving coins 24 hours later is better than never
Clone your database to a place where an attacker cannot irreversibly modify or delete it from the server
Send digitally signed account statements to customers regularly, using a key that is not on the public server
Poloniex
Country: US
Founder: Tristan D'Agosta
Funds stolen: 97 BTC
Poloniex takes third place in the long list of victims. In May 2017, hackers discovered a critical vulnerability in the exchange’s software: withdrawal requests sent simultaneously were all processed automatically, regardless of the account balance. The owner of Poloniex, Tristan D'Agosta, did not name the exact amount of the stolen funds, but announced that users’ total funds had been reduced by 12.3 percent, equivalent to 97 BTC at the time of the hack.
To cover the losses, Poloniex had to cut all users’ balances by this amount. These funds were temporarily frozen and then returned to users from personal funds, with the exchange’s fees raised by 1.5 percent. Users found this decision acceptable, and Poloniex saved its reputation and continued to work — periodically undergoing minor attacks. Now the exchange belongs to the American payment system Circle.
Protection advice
Tristan D’Agosta publicly revealed in his BitcoinTalk post what crucial mistakes had been made by the administration:
“The major problem here was that withdrawals should have been queued at every step of the way. This could not have happened if withdrawal requests were processed sequentially instead of simultaneously. Additionally, auditing and security features were not explicitly looking for negative balances. They add deposits and withdrawals and check that accounts are in balance. If you have 2 BTC, withdraw 10 BTC, and are left with -8 BTC, the software would see that you deposited 2, withdrew 10, and have exactly what you should: -8.”
D’Agosta also advised on the precautionary measures taken to prevent such irreversible damage and shared the changes made to the exchange’s security system:
“Withdrawals and order creation have been switched to a queued method, where the first step is to add the task to a global execution queue that is processed sequentially. Each step of critical database operations is verified before proceeding, and such operations are in the process of being converted to transactions. I have hired additional developers to help with tightening up security at Poloniex, as well as created a bug bounty.”
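The sequential queue D’Agosta describes, combined with ThomasV’s rule that a withdrawal larger than the hot-wallet float waits for a manual transfer from cold storage, as an added Python sketch. It is not Poloniex’s or Electrum’s code: the `Exchange` class, its ledger and the sample balances are constructed for illustration, with the "simultaneous" method modelling the bug and the "sequential" method the fix.

```python
import threading
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Exchange:
    balances: dict      # user -> BTC balance (constructed sample data, supplied by the caller)
    hot_wallet: float   # coins kept online; the rest is assumed to sit in cold storage
    deferred: deque = field(default_factory=deque)   # payouts waiting for a cold->hot top-up
    lock: threading.Lock = field(default_factory=threading.Lock)

    def process_simultaneously(self, user, amounts):
        # Vulnerable model of the bug D'Agosta describes: a burst of requests is checked
        # against one snapshot of the balance, then every request that passed is applied.
        snapshot = self.balances[user]
        approved = [a for a in amounts if 0 < a <= snapshot]
        for a in approved:
            self.balances[user] -= a
            self.hot_wallet -= a
        return approved

    def process_sequentially(self, user, amounts):
        # Hardened version: a global lock serialises requests and each one re-checks the live
        # balance; a payout above the hot-wallet float is debited but deferred until an
        # operator manually moves coins from cold storage (ThomasV: the customer waits).
        paid = []
        with self.lock:
            for a in amounts:
                if a <= 0 or a > self.balances[user]:
                    continue                      # reject: insufficient funds
                self.balances[user] -= a          # debit first so the coins cannot be re-requested
                if a > self.hot_wallet:
                    self.deferred.append((user, a))
                else:
                    self.hot_wallet -= a
                    paid.append(a)
        return paid

    def top_up_from_cold(self, amount):
        # Manual operator step: replenish the float, then pay deferred withdrawals in order.
        with self.lock:
            self.hot_wallet += amount
            while self.deferred and self.deferred[0][1] <= self.hot_wallet:
                self.hot_wallet -= self.deferred.popleft()[1]
        return len(self.deferred)
    def audit(self):
        # Flag negative balances explicitly instead of only checking deposits minus withdrawals.
        issues = [f"{u}: {b} BTC" for u, b in self.balances.items() if b < 0]
        if self.hot_wallet < 0:
            issues.append(f"hot wallet overdrawn: {self.hot_wallet} BTC")
        return issues
```

With a 2 BTC account and three simultaneous 2 BTC requests, the vulnerable path pays all three and leaves -4 BTC, exactly the "-8 BTC" situation D’Agosta describes; the sequential path pays one and rejects the rest.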
Bitstamp
Country: Slovenia
Founders: Merlak brothers
Funds stolen: 19,000 BTC
In 2015, Bitstamp lost 19,000 BTC, which were stolen by hackers from the exchange’s hot wallet. At that time, the losses were equivalent to $5 million. Surprisingly, a banal phishing attack was used by hackers — the exchange employees received personal emails and messages in Skype from seemingly friendly sources.
What’s maybe even more surprising is that the person responsible for security, Bitstamp system administrator Luka Kodrich, clicked the link and downloaded malware onto his work computer, after which the exchange was hacked. Bitstamp hurried to notify traders about what was happening; however, the attackers had already stolen the funds. Compensation did not follow, but the security regime was toughened, which helped the exchange recover quickly. To develop multi-signature protection, Bitstamp partnered with BitGo.
Now, carrying out transactions on Bitstamp requires using multisignature, and 98 percent of the cryptocurrency is stored in a cold wallet.
Bitfinex
Country: British Virgin Islands
Founder: Rafael Nicole
Funds stolen: 120,000 BTC
Bitfinex became the victim of hackers in August 2016. Unknown persons exploited a bug in the multisignature system, which was supported by its partner company BitGo. The hackers deceived the BitGo algorithms in an unknown way, forcing them to approve transactions, and withdrew about 120,000 BTC from the hot wallet, worth the equivalent of $72 million at the exchange rate at that time.
The Bitfinex founders informed users that the financial losses would be distributed among all of them, with 36.067 percent of everyone's coins frozen. These funds were later compensated with BFX tokens, which could be converted into U.S. dollars at the exchange rate, or into shares of iFinex Inc., which belongs to the Bitfinex founder. This chosen — and seemingly proper — policy has helped the exchange stay at the top to this day.
Protection advice
Emin Gün Sirer, a renowned computer scientist, hacking research specialist and professor at Cornell University, suggested a solution that does not break Bitcoin's all-too-critical irreversibility when dealing with strangers, but allows someone to take back their funds in the event of a hack:
“The special thing about vaults is that they come with two keys. One key is used to unlock the vault and move your funds to a regular wallet. The other one, called a recovery key, is used when you notice that your funds were hacked and moved out of the vault by a hacker. You can then use your recovery key to undo the hack — you have 24 hours to notice and launch the recovery and get back all the funds. Notice that you cannot fool a merchant with this trick and revert a real transaction. All you can do is take back your own money from someone who is trying to steal it. If I may say so myself, it's a pretty ingenious scheme. It's almost like someone ought to work on it.”
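A toy model of the two-key vault Sirer describes, added here as an illustration and not code from Sirer or from any Bitcoin implementation. The HMAC-based `sign` helper, the `Vault` class and the secrets stand in for real on-chain keys and signatures; `UNVAULT_DELAY` is the 24-hour window from the quote.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

UNVAULT_DELAY = 24 * 3600   # the 24-hour recovery window from the quote, in seconds

def sign(secret: bytes, message: str) -> bytes:
    # Stand-in for a key-signed spend: an HMAC over the operation, keyed with that key's secret.
    return hmac.new(secret, message.encode(), hashlib.sha256).digest()

@dataclass
class Vault:
    balance: float
    unlock_secret: bytes               # "unlock key": starts a delayed move to a regular wallet
    recovery_secret: bytes             # "recovery key": claws a pending move back inside the window
    pending: Optional[tuple] = None    # (destination, amount, release_time) while a move is in flight

    def _ok(self, secret, message, tag):
        return hmac.compare_digest(sign(secret, message), tag)

    def request_unlock(self, dest, amount, now, tag):
        # Moves coins out only after the delay; until then the transfer is visible and reversible.
        msg = f"unlock:{dest}:{amount}"
        if self.pending or not 0 < amount <= self.balance or not self._ok(self.unlock_secret, msg, tag):
            return False
        self.balance -= amount
        self.pending = (dest, amount, now + UNVAULT_DELAY)
        return True

    def recover(self, now, tag):
        # Valid only while the window is open and only with the recovery key, which a thief who
        # obtained the unlock key does not have.
        if not self.pending or now >= self.pending[2]:
            return False
        if not self._ok(self.recovery_secret, f"recover:{self.pending[2]}", tag):
            return False
        self.balance += self.pending[1]
        self.pending = None
        return True

    def settle(self, now, wallets):
        # After the window closes the move is final: a settled payment cannot be clawed back,
        # which is why the scheme cannot be used to cheat a merchant.
        if not self.pending or now < self.pending[2]:
            return None
        dest, amount, _ = self.pending
        wallets[dest] = wallets.get(dest, 0.0) + amount
        self.pending = None
        return amount
```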
Chronicle of 2018
Despite all the hopes of the crypto community, the year has not brought anything new to the established practice of securing exchange sites, and 2018 is being marked by numerous attacks carried out with the help of new, sophisticated hacking tricks. According to the Wall Street Journal, since the beginning of the year hackers have managed to steal more than $800 million and are not going to stop there.
Coincheck
Country: Japan
Founders: Koichiro Wada, Yusuke Otsuka
Funds stolen: 523 million NEM
Coincheck was attacked by hackers in the last days of January 2018. The target, as in most cases, was the exchange's hot wallet, from which 523 million NEM tokens were stolen. Despite all the previous examples, the exchange continued to keep users' funds, and even its own funds, in the hot wallet and did not use multisignature for protection.
Will the hackers cash out the stolen funds? Hardly. The crypto community united after this theft and finally began to actively exchange information in order to prevent further movements of stolen funds. In particular, the ShapeShift instant exchange service has banned the exchange of NEM coins. This example was followed by other services, since the 11 anonymous addresses to which the stolen tokens had been transferred have been tagged with the sign "coincheck_stolen_funds_do_not_accept_trades: owner_of_this_account_is_hacker," so it isn’t difficult to track any transaction made by the hackers. The investigation of the incident and the development of compensation options for users are continuing.
Protection advice
Coincheck’s example emphasized the importance of properly organized storage of users’ funds on an exchange. Security layers and warning triggers are a must for any exchange service, says Nick Moore, CEO at Investa, a U.K. crypto exchange which also operates debit cards and ATMs:
“We hold minimal coins in our hot wallets and operate a time delay on withdrawals with a manual review process, so the ability to hack an account and the amount of coins held on the exchange is low. The risk of loss is minimized through the manual procedures of moving coins to cold storage when we identify that any excess funds have accumulated and are not needed for immediate liquidity. Storing the funds on cold wallets ensures they cannot be hacked, and keeping a minimal float in hot wallets helps to save the liquidity.
“I’m sure users don’t mind waiting a little longer for their withdrawals, when they realize that this is one of the best ways to fight the hackers.”
BitGrail
Country: Italy
Founder: Francesco Firano
Funds stolen: $170 million
On Feb. 13, BitGrail lost $170 million in Nano (XRB) as a result of hacking attacks. At the same time, the founders of the exchange started a public discussion with developers of Nano's blockchain in order to define which side was responsible for the bug that led to the hack.
The developers of the cryptocurrency accused BitGrail of giving insufficient attention to ensuring security — in particular, the absence of an authentication procedure for users. Later the exchange stopped working and turned the investigation over to the police.
The authorities of Florence confiscated all the cryptocurrency from the BitGrail deposit to secure the claim of the affected users, and the Nano Foundation promised to take part in the protection of their interests and compensation for losses.
Coinrail
Country: South Korea
Founder: Lee Nuss
Funds stolen: $40 million
Coinrail fell victim to a hacking attack on June 10, 2018 and lost a total of $40 million in 11 cryptocurrencies. Immediately after the attack, the representatives of the exchange were not ready to provide any intelligible information, so the details of the theft were revealed by participants in the Pundi X project, whose tokens were also among those stolen.
A month later, on July 15, the exchange resumed trading and offered the victims two compensation schemes: a gradual refund through the purchase of stolen cryptocurrency and compensation with Coinrail RAIL tokens, which can then be converted into a cryptocurrency at the inner rate.
Protection advice
Rik Ferguson, an analyst at the cybersecurity firm Trend Micro, believes the problem lies in the weakness of development teams, insufficient cybersecurity education of staff and poor investment in fraud analytics:
“By and large these exchanges are small businesses and they are most often in permanent startup mode, facilitating transactions. These organizations have small security teams, if they have one at all, little to no experience in securing a financial institution and generally a very large, attractive pile of money.”
Bithumb
Country: South Korea
Founder: Kim De Shi
Funds stolen: $30 million
Bithumb was hacked on June 19, just a few days after it updated its security systems. $30 million, which was 10 percent of the total trading volume, was stolen by the attackers. This is the second incident in the chronicle of Bithumb. The first occurred on June 29, 2017, when the personal data of 30,000 users — equivalent to three percent of all the users by that time — was compromised. Hackers tried to access users' one-time passwords, but the exchange froze trades and made changes to the security system.
At the same time, Bithumb spends eight percent of its profits on security and strictly follows the "5.5.7" rule, under which five percent of employees are IT specialists with confirmed expertise, five percent possess the skills to ensure cybersecurity, and at least seven percent of the company’s profits are spent on protecting its funds.
At the time of the hack, the exchange had discovered a potential threat and was already withdrawing users' funds to a cold wallet. Affected traders were promised compensation from the personal funds of the Bithumb administration.
Protection advice
Charlie Lee, in a tweet, expressed hopes for the restoration of the exchange and gave users concise advice for guarding against such situations:
“As I've said many times, be smart and only keep on exchange coins that you are actively trading. It's best to withdraw right after trading.”
Bancor
Country: Switzerland
Founder: Guy Benarzi
Funds stolen: $23 million
Bancor, a decentralized exchange created in opposition to centralized ones, to which Vitalik Buterin recently addressed his angry "burn in hell" statement, was attacked by hackers on July 9, 2018. It is noteworthy that this happened a day after the exchange expressed, in an official Twitter post, full agreement with Vitalik Buterin about centralized solutions and stated that decentralized exchanges are the future.