Since September 2012, approximately $1.3 billion has been stolen from major exchanges worldwide in 14 separate crypto hacking attacks. This lack of security in crypto-currencies is one of the biggest concerns of government agencies around the world and one of the primary reasons for regulation. Criminals have shifted their focus away from using Bitcoin to fund their illegal activities and toward stealing crypto-currencies for their newly gained mainstream value.
Although crypto-currencies use sophisticated encryption protocols to encode data during their transactions, several key weaknesses exist that undermine the entire network. There are two primary weaknesses criminals exploit in the banking system: the wallets and the exchanges.
Criminals resort to a time-tested method called “email phishing”, in which scam emails disguised as investments or other offers request the transfer of crypto-currency (Bitcoin, Ethereum, or Litecoin). In addition, the email carries a hidden malware program that infects the victim’s computer and steals his/her wallet data (cryptographic key), replacing the destination wallet key with the hackers’ during transfers. This was the case in the hacking of South Korea’s exchange Bithumb in April 2017, where hackers stole the database of user information off the personal computer of an employee, resulting in the loss of $1M in Ethereum (ETH) coins. North Korean hackers were suspected of this attack. Email phishing accounts for the loss of $225 million worth of crypto-currency so far.
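The destination-replacement step described above is what a pre-send check has to catch. The following is an added example, not code from any wallet or exchange: it assumes legacy Base58Check Bitcoin addresses and a payee address book recorded out of band, and the names `check_destination` and `ADDRESS_BOOK` and all sample addresses are constructed for illustration. It shows that the address checksum only catches typos, so a substituted address is rejected only by comparison with the stored one.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(data: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of double SHA-256
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def b58check_encode(version: int, body: bytes) -> str:
    raw = bytes([version]) + body
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    # each leading zero byte is written as a leading "1"
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58check_decode(addr: str) -> bytes:
    n = 0
    for ch in addr:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on an illegal character
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad checksum")
    return raw[:-4]  # version byte + payload

def check_destination(outgoing: str, label: str, address_book: dict) -> str:
    """Decide whether `outgoing` may be used for the payee named `label`."""
    try:
        b58check_decode(outgoing)
    except ValueError:
        return "reject: malformed address"  # typo or corrupted paste
    expected = address_book.get(label)
    if expected is None:
        return "hold: payee not in address book"
    if outgoing != expected:
        # well-formed but not the recorded payee: the substitution case
        return "reject: address differs from stored payee"
    return "ok"

# Constructed sample data (not real wallets)
PAYEE = b58check_encode(0x00, bytes(range(1, 21)))
SUBSTITUTED = b58check_encode(0x00, bytes(range(101, 121)))
ADDRESS_BOOK = {"exchange-deposit": PAYEE}

if __name__ == "__main__":
    for addr in (PAYEE, SUBSTITUTED, PAYEE[:-1] + "0"):
        print(addr, "->", check_destination(addr, "exchange-deposit", ADDRESS_BOOK))
```

The check only helps if the address book is kept somewhere the infected machine cannot rewrite, such as a hardware wallet's own display or a second device.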
A report by IBM’s X-Force stated that crypto exchanges are also targeted by cyber-criminals in the same way as individual computers. Criminals use the TrickBot malware to redirect Bitcoin to their wallets during a purchase; the TrickBot Trojan simultaneously captures the user’s login credentials, crypto wallet, and credit card information. On July 19, 2017, hackers exploited a vulnerability in the Parity multisig blockchain’s smart contract shared by three companies (Swarm City (ETH wallet), aeternity blockchain, and Edgeless Casino (an online crypto-currency based casino)), resulting in the loss of 153,000 Ethereum coins valued at $32 million. More recently, on February 8, 2018, the leading exchange Binance suffered an attack that reprogrammed the API (user authorization key) of trading bots, causing accounts to trigger buy and sell orders of the AVI coin. Fortunately, Binance’s sophisticated security systems detected the “unusual trading activity” and automatically suspended withdrawals, preventing the unauthorized transactions and potential losses.
According to the US Department of Homeland Security, one in three exchanges was attacked from 2009 to 2015. In December 2017, the South Korean exchange Youbit declared bankruptcy after suffering a second attack in which it claimed losses amounting to 17% of the company’s worth. Youbit, formerly Yapizon, suffered its first attack in April 2017, losing 3,816 Bitcoins (worth $5.5 million at the time).
As crypto-currencies continue to rise in value, so will the threat of computer theft crimes; 2018 has been deemed the year of hacks, not only on exchanges but on individual investors as well. Exchanges will continue to face threats to their infrastructure through banking Trojans, DDoS cyber-attacks (network overloads), and ‘ransomware’. Individual investors will have to deal with ‘carding’ (the use of stolen credit card information) and phishing from phony ICOs that set up fronts to steal their login information, but also ‘phone-porting’ (hacking a Bitcoin account by first stealing the user’s phone number).
In a still unregulated market where insurance is not available to recover lost funds, it becomes imperative for investors to understand the risks associated with the purchase and holding of crypto-currencies. There are a few security measures investors can follow to minimize risk, such as choosing well-known exchanges, keeping only a minimal amount of crypto-currency online, using a physical wallet, upgrading antivirus and anti-phishing software, using a firewall, using a VPN internet connection, and not storing public keys on their phones or computers. In the end, no institution or individual is 100% safe from cyber-attack, but it is important to stay informed and be prepared to transfer or liquidate one’s position and suffer a loss in case all else fails.