Another day, another cryptocurrency hack. Earlier this month, cryptocurrency conversion platform Bancor lost $23.5m in cryptocurrency after hackers managed to compromise a wallet. Attackers stole $12.5m in Ether, $1m of Pundi X tokens, and $10m of Bancor Network Tokens (BNT), which are smart tokens used to convert other currencies. Bancor managed to freeze the BNT, slashing its losses to $13.5m, but that’s still a hefty chunk of change.
This is the latest in a string of hacking-related cryptocurrency losses. 2018 also saw attacks on South Korean exchange Coinrail, which had a reported $40m in various tokens pilfered in June, and Bithumb, another South Korean exchange, which lost $30m in tokens (some of which it later retrieved). Japanese exchange Coincheck lost over $500m in its NEM tokens to hackers in January, making it one of the biggest crypto-hacks ever.
There have been many other cryptocurrency hacks. Bitstamp lost almost 19,000 bitcoins (worth around $5m at the time) in 2015, while Bitfinex initially spread the losses from a 2016 attack across its users, temporarily cutting the value of their accounts by 36%. It issued them Bitfinex tokens that amounted to IOUs, and later repaid users by buying the tokens back.
Other attacks raise eyebrows. When Italian firm BitGrail lost $195m in February, some found the transactions suspicious. When Mt Gox lost almost $500m in bitcoins in 2014, investigators pointed fingers at senior management, claiming an inside job. Shapeshift, which lost millions in a sustained hacking campaign on its systems, later pointed the finger at someone on its own team.
How cryptocurrency hacks happen
How do attackers gain access to funds? Sometimes they go after an exchange’s staff, duping someone into opening a malicious file that installs malware on an internal computer and gives the attackers a foothold in the system.
In many cases, compromised exchanges make fatal mistakes, such as storing most of their cryptocurrency in a hot wallet. This is a wallet that is connected to the Internet in some way, and therefore accessible online.
Conversely, cold storage is effectively a bank vault for cryptocurrency, keeping it stored physically offline so that hackers can’t get at it. Coinbase, one of the biggest US exchanges, makes a point of keeping most of its funds in a cold storage wallet, but many choose hot wallets for liquidity reasons. They need the money available quickly for online transactions with customers.
Then there are the hacks that target all users indiscriminately, rather than just the exchanges. An attack on MyEtherWallet, a wallet for the Ethereum cryptocurrency, exploited a weakness in the Border Gateway Protocol (BGP) to effectively steal its online address, redirect users who tried to visit the site to a different destination, and then capture their login credentials.
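One defence against this kind of misdirection is route origin validation (RFC 6811), in which a network checks each BGP announcement against signed records of which network may originate which address block. The sketch below is an added example, not code from any exchange or wallet mentioned here; the address blocks, AS numbers and announcements are constructed from ranges reserved for documentation.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    """Route Origin Authorization: who may announce a prefix, and how specific."""
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int     # longest prefix length the holder allows
    origin_as: int      # AS number authorized to originate the prefix

# Constructed ROAs (documentation prefixes and AS numbers, not real networks).
ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64500),
]

# Constructed announcements as a router might receive them: (prefix, origin AS).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # legitimate origin
    ("192.0.2.0/24", 64511),     # same block, unauthorized origin
    ("192.0.2.128/25", 64500),   # right origin, more specific than allowed
    ("2001:db8:1::/48", 64500),  # within max_length, legitimate
    ("2001:db8:1::/48", 64511),  # unauthorized origin
    ("198.51.100.0/24", 64511),  # no ROA covers this block
]

def validate_origin(route_prefix, origin_as, roas):
    """Return 'valid', 'invalid' or 'not-found' following RFC 6811."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        # A ROA covers the route if the route lies inside the ROA prefix.
        if route.version != roa.prefix.version or not route.subnet_of(roa.prefix):
            continue
        covered = True
        # It matches only if the origin agrees and the route is not too specific.
        if origin_as == roa.origin_as and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def invalid_routes(announcements, roas):
    """List the announcements a validating router should reject."""
    return [a for a in announcements if validate_origin(a[0], a[1], roas) == "invalid"]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:<18} AS{asn}  {validate_origin(prefix, asn, ROAS)}")
```

Announcements that come back "not-found" are the gap in this defence: validation only protects address blocks whose holders have published an authorization.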
Attacks like these keep the tally of stolen cryptocurrency on the rise. The Anti-Phishing Working Group estimates that $1.2bn in cryptocurrency has been stolen since the beginning of 2017.
In many cases, exchanges continue operating after these thefts, but they can have a significant effect on cryptocurrency markets. Bitcoin dipped in price after Coinrail was hacked, and also took a temporary 7% tumble in January after the Coincheck fiasco.
Using stolen crypto
How do criminals use these ill-gotten gains? Laundering stolen cryptocurrency is relatively easy. Decentralized exchanges, which often don’t follow the same know-your-customer rules as centralized ones, are a convenient place to trade one cryptocurrency for another.
Then, there are ‘tumblers’ – online services that take a delivery of cryptocurrency from one address and then spit it out to a variety of other addresses, effectively obfuscating the source. The more users a tumbler has, the more difficult it is to track the cryptocurrency that runs through it.
Staunching the flow of stolen coins
Nevertheless, some initiatives are attempting to thwart the attackers. One, called the Sentinel Protocol, plans to crowdsource intelligence from the broader cryptocurrency community, who can report suspicious addresses. It maintains a threat reputation database to score addresses, making it theoretically easier to spot scammers on the blockchain.
Some insurance companies are also negotiating with cryptocurrency startups to explore options for insuring them against cyberattacks. That would be a highly risky type of policy, and it would come at a correspondingly high price.
One thing is for sure: As the number of cryptocurrency tokens continues to climb thanks to increased initial coin offering (ICO) activity, the number of targets for hackers continues to grow. It’s no wonder that regulators are increasing their scrutiny of new cryptocurrency ventures. When it comes to theft and fraud, the cryptocurrency world is still a largely unpoliced frontier.
With a thousand new companies promising investors the next great crypto-opportunity, the number of people piling their money into electronic tokens is going to grow, raising the security stakes in this risky environment.