App Tiers Affected:
Ten months ago we asked a rhetorical question: will losses from cryptocurrency exchange hacks hit one billion dollars in 2018? Indeed, they did.1 Cryptocurrency theft is growing both in terms of frequency of attacks and breadth of targets. Attackers aren’t just cryptojacking and targeting exchanges. According to endpoint security provider Carbon Black, $1.1 billion in cryptocurrency was stolen in the first half of 2018 alone, with exchanges comprising 27% of attacks. The remaining attacks were primarily aimed at businesses (21%), users (14%), and government (7%).2 Cryptocurrency security consultants Ciphertrace noted that in the first half of 2019, attacks against cryptocurrency exchanges and infrastructure passed $480 million, making 2019 look like another banner year for cryptocurrency attacks.3
A Whale of a (Potentially) Different Color
One obvious, recent change in the cryptocurrency scene came with Facebook’s long-anticipated announcement that it is bringing a cryptocurrency to market in 2020. While Facebook’s offering is technologically similar to existing cryptocurrencies, there are some differences with respect to governance that could make Libra different for both attackers and users. The Libra currency is a type of stablecoin; that is, its value will not fluctuate significantly the way that, for instance, bitcoin does. However, it will not be pinned to the value of an existing fiat currency like the USD or Euro. Instead, its value will be guaranteed by a basket of deposits that will be diversified across several different currency markets, which are brought to the table by the Libra Association. This association, which is the other unique aspect of the Libra currency, will be composed of a number of organizations from different industries, including tech, finance, and consumer goods and services. Members of the association will have votes on the future of the currency, placing Libra in a sort of middle position in terms of decentralization. It is less centralized than if Facebook were running the entire show, but more centralized than other cryptocurrencies, making it sort of a corporate oligarchy rather than either a nation-state fiat currency or a completely decentralized, community-run currency.
North Korea Steps It Up
The Democratic People’s Republic of Korea (DPRK) is already a known threat in the cryptocurrency space. However, new evidence from a panel of experts reporting to the United Nations Security Council provides a better sense of the scope of the threat. Over the last few years, Pyongyang has amassed roughly $2 billion in foreign and virtual currency, using cyberattacks and blockchain technology to circumvent economic sanctions. Of that $2 billion, about $600 million came from attacks on cryptocurrency exchanges and users. There is also growing evidence that the DPRK is using the pseudonymous nature of blockchain transactions to launder money and operate clandestine global financial operations.4
Why Is Cryptocurrency Such an Appealing Target?
A variety of factors contribute to the appeal of cryptocurrency as a target for malicious actors. Many digital thefts leave the attacker with illiquid assets—that is, something that still needs to be converted into money. By contrast, cryptocurrency is essentially cash, so it is much more liquid. The cryptocurrency ethos, which espouses deep personal privacy, anonymity (or at least pseudonymity), and autonomy, can be both a helps and a hindrance to security. Some of the same principles and tools that draw people to cryptocurrency can work to the advantage of attackers, and the field has more than its share of scammers.
Obscure Threat Models
In the same way that fiat currency (like the U.S. dollar) is underpinned by a vast administrative and legal framework, cryptocurrency requires an enormous infrastructure to work socially. Every part of this infrastructure has the potential to be the focal point of an attack, including wallet software, exchange platforms, the blockchain algorithms underpinning the currency itself, and the people who use it. This has led to the use of some unusual and unanticipated attack vectors, in addition to many familiar ones.
Cryptocurrency exchanges have been subjected to distributed denial of service (DDoS) attacks on multiple occasions, probably for the purpose of suspending trading in order to achieve some kind of pricing advantage. DDoS attacks do not require much sophistication or effort, and can have a devastating impact on the perceived stability of platforms—like exchanges—that thrive on traffic to drive their marketplaces.
NSA Tracking Bitcoin
The trove of documents that Edward Snowden revealed in 2013 showed that the NSA had cultivated techniques to deanonymize bitcoin users. In one case, the NSA created an anonymization service (probably a VPN) to bitcoin users in geographic areas of interest that had a backdoor deliberately built in.5 While this is an old exploit, it illustrates the limitations of the pseudonymity that cryptocurrency provides.
Poor Operational Security
The QuadrigaCX debacle, in which the CEO died in mysterious circumstances, taking with him the sole knowledge of the keys necessary to access QuadrigaCX’s $200 million CAD in assets, illustrates the risks posed by strong individual controls without widespread resilience and program management.6 Given the auditor’s findings of malfeasance prior to the CEO’s death, this was in all likelihood an elaborate exit scam, in which an exchange operator exploits the pseudonymity of cryptocurrencies to take the money and run. However, even if everything in this scenario was above board, it demonstrates that, as with all organizations with a financial presence on the Internet, a single strong control of any type, including encryption, is not sufficient to control the various manifestations of risk.
Below are the incidents that are suspected malicious attacks that have unfolded since our last report in October 2018.
In mid-January 2019, the New Zealand-based exchange Cryptopia announced that ether (ETH) tokens worth nearly $2.44 million, and around 48 million centrality (CENNZ) tokens worth about $1.18 million had been transferred from the exchange to an unknown wallet, concurrent with what the exchange called a “security incident.”8 No technical details have emerged about the event since, and there has been some speculation that this was in fact an exit scam.9 Although the exchange made some public efforts to restore trading, those attempts were unsuccessful, and in May 2019 Grant Thornton was appointed liquidator for the failed exchange.10
In February 2018, 450,000 user credentials for the prominent exchange Coinmama, specifically email addresses and hashed passwords, were posted on the dark web as part of a larger dump of compromised credentials. Attackers reportedly exploited a vulnerability in the PostgreSQL database management system to download credentials from a swath of sites. Fortunately, there are no reports of any loss of assets by Coinmama users.11
One of the leading cryptocurrency exchanges, Binance, was hacked in May 2019 through a combination of phishing and malware attacks that provided attackers with a large number of multifactor authentication codes and application programming interface (API) keys. As a result, there was a single large transaction of 7,000 bitcoin (BTC) worth approximately $41 million to the hacker’s wallet.12
In late January 2019, attackers compromised a third-party discussion forum platform running on the LocalBitcoins site and set up a false login prompt which they used to collect user credentials, including multifactor codes. Using these credentials attackers gained access to six user accounts and transferred BTC 7.9, or about $27,000 USD, before the discussion software was disabled.13
Approximately $19 million USD was stolen from the largest crypto exchange in South Korea, Bithumb, in May 2019. The attack was tentatively ascribed to an insider. All of the assets stolen were Bithumb reserves, not user assets.14
On 6 June 2019, XRP Ledger wallet provider GateHub announced that $10 million USD of XRP (the cryptocurrency used by the Ripple protocol) had been stolen via an attack of unknown means against the wallet’s API.15 GateHub’s statement noted that the API requests connecting to victim’s wallets all used valid access tokens, and they were unsure how attackers had gained access to secret token keys. This highlights the issues surrounding visibility that APIs have introduced into contemporary systems.
The Singaporean exchange Bitrue was attacked in late June 2019, and experienced a theft of roughly $5 million USD. The attackers exploited an unspecified vulnerability in order to gain access to 90 user accounts. Bitrue quickly detected the attack, suspended the account in question, and contacted other exchanges trading in XRP and ADA currencies to freeze the corresponding transactions.16
In mid-July 2019, the Japanese exchange Bitpoint lost $32 million USD in an unspecified hacking event against a hot wallet.17
Exit scams are not really security breaches, but rather fraud events in which exchanges or currencies collect money from investors, often in initial coin offerings that are subject to a great deal of financial speculation, then disappear. These scams exploit the cryptographic capabilities of cryptocurrencies to make it impossible to recover funds once they are stolen.
Purebit’s exit scam was unusually fast—the exchange had only been running for about two months, and had recently completed an ICO (Initial Coin Offering), raising about $2.8 million USD in Ethereum (ETH) before closing in November 2018 and moving the funds elsewhere.18
The popular Irish exchange Bitsane was notable for being one of the first exchanges to trade the XRP currency. Users began reporting technical difficulties for withdrawals in May 2019 and the exchange went offline mid-June 2019. While the total amount of user assets lost is not publicly known, Bitsane had nearly 250,000 users and a daily volume of $7 million USD in March.19
MapleChange—Scam or Hack?
In October 2018, the Canadian exchange MapleChange went down for site maintenance shortly before it announced that it had been hacked. It reported that 913 bitcoin, worth roughly $6 million USD at the time, had been stolen.20 Shortly after, the exchange deleted its social media accounts and shuttered its website, leading to accusations of an exit scam, particularly since it had recently experienced its highest trading volume in months.21
Exit scams and exchange hacks are only a risk to those who store their currency on exchange platforms. Storing currency in wallets offers significantly greater security, but hot wallets can still be compromised under certain conditions. While breaches like this result in smaller losses overall than what occurs when an entire exchange is breached, the loss is catastrophic for the affected user. Thus far, the most prominent tactic has involved using SIM swapping to gain access to hot wallets. SIM swapping involves convincing a wireless carrier to move a wireless account to another SIM card (and therefore another phone), so that the attacker can bypass multifactor authentication, or simply log in to crypto exchanges to move currency. In November 2018, a man was arrested and charged for multiple SIM swapping frauds against Silicon Valley executives and other prominent cryptocurrency personalities. He is alleged to have stolen more than $80 million USD using SIM swapping techniques.22
Managing Cryptocurrency Risk
The combination of the technologies underpinning cryptocurrencies and the people participating in the cryptocurrency community make the crypto market a strange beast. Trust is in short supply, and while there is a lot of money to be made, it is even harder than normal to completely minimize risk. Nevertheless, there are a few things you can do to improve your security profile as an individual cryptocurrency investor.
Vet Your Exchange
At this point, it should be clear that not all exchanges are started in good faith. You should vet your exchange thoroughly before you commit any money. Third-party audits are a good sign that an independent entity considers the organization a well-run and safe platform for investment.
Air-Gap Your Wallet
Cold wallets that rely on hardware authentication and that are physically disconnected when not in use (that is, air-gapped) are a good way to retain control over your assets. There are no known incidences of hardware wallets being compromised, and, when used correctly, they mitigate much of the risk we’ve outlined here.23 At this point, we consider them to be a hard requirement for investing in cryptocurrencies.