The Primary Causes of Exchange and Token Hacks

It’s no secret that cryptocurrencies have become ‘big business.’ As lucrative as they can be, they attract not only investors but also online thieves and hackers. Since the dawn of crypto, many companies have fallen victim to online attacks, leading to losses of billions of dollars worth of digital assets and even the closure of some exchanges.

In this post, we explore the top causes and illustrate them with examples of notable hacks that shook the crypto world to its very core:

Social Engineering / Phishing

Social engineering or phishing hacks typically revolve around psychological manipulation. “Con artists” devise ingenious methods for fooling unsuspecting users and employees into handing over confidential and valuable company data.

Popular phishing methods include the use of emails, imitation profiles and websites, and other communications to invoke a sense of urgency or fear, leading the victim to open a malicious file, click on a malicious link or promptly reveal confidential information. Because these hacks involve a human element, they can be quite tricky to prevent.

In December 2014, hackers stole millions worth of digital currency from BitPay. They used a sneaky phishing attack that harvested the email and password of Bryan Krohn (BitPay’s Chief Financial Officer). Using Bryan’s email, the hackers sent several fund requests to Stephen Pair (BitPay’s CEO). By the time BitPay came to their senses, $1.8 million worth of Bitcoin had gone down the drain.

In January 2015, Bitstamp employees were the target of a weeks-long phishing attempt that led to the loss of approximately $5 million in Bitcoin. Hackers used email and Skype to distribute files that contained malware to employees. The exchange’s system was compromised after Luka Kodric, the systems administrator, downloaded a file that he thought was sent by the organization representative.

In March 2018, Binance reported unauthorized transactions through a phishing attack linked to Viacoin Pump. The hackers executed unauthorized orders through users’ accounts which caused a 400% pump for Viacoin.

ICOs are no exception. Fraudsters dupe naive investors into sending their hard-earned ETH/BTC to a fake address. NuCypher, which recently launched its ICO, has suffered several phishing attempts. The most recent were messages delivered to users via Slack bots, asking them to send ether to a provided Ethereum address in return for NuCypher tokens. NuCypher promptly cautioned investors that it would never make investment requests via Slack.


Inside Jobs / Corrupt Employees

The biggest security threat is within. While it is natural that organizations would trust their employees, a study done in 2015 reveals that 60% of hacks are either inside jobs or designed by “malicious insiders.”

In 2011, Bitcoin7 was one of the biggest exchanges (after TradeHill and Mt Gox). The company was hacked, and 5,000 BTC disappeared into thin air. While the company linked the attack to a group of Russian hackers, many believe it was an inside job. The exchange was shut down soon after the incident.

In 2012, Bitcoinica suffered three attacks and lost Bitcoins worth thousands of dollars. While the initial hacks were linked to the exploitation of its web host, Linode, the third attack was suspected to be an inside job. According to some blockchain analysis, Zhou Tong (Bitcoinica CEO) may have been the beneficiary of the July 2012 hack. Zhou, however, denied the allegations; he claimed he was being framed.

In 2013, Bitcoin Savings and Trust, which was allegedly meant to serve as the first securities platform (using Bitcoin as an asset class), turned out to be a giant Ponzi scheme. Trendon Shavers (the man behind this scam) was arrested in 2014 and sentenced to pay the investors restitution of $40.7 million.

Mintpal, at one time, was one of the top crypto exchanges preferred by traders because of its ability to process large trading volumes. In 2014, Mintpal was sold to Moopay executive “Alex Green” (alias, Ryan Kennedy), who is believed to be a shady scammer. Soon after the sale, the exchange was attacked, and $3.2 million worth of Bitcoin was lost. While it is possible that the vulnerability was present at the point of sale and the buyer simply failed to detect and patch it in good time, many people claim that Alex Green “hacked” it himself.

In April 2016, ShapeShift was also in the frying pan. Investigations linked the theft to one of its employees. ShapeShift’s investigation report indicated that the worker made away with $130,000 worth of digital currency, and then sold ShapeShift’s security system information to a hacker. The fraudsters then made a second attack during the same month and stole another $100,000 from ShapeShift.


Poor Security Practices

The other leading way fraudsters gain access to an exchange’s systems is through poor security practices.

In May 2013, Vircurex’s security was breached and $160,000 worth of digital assets was stolen. The hacker gained access to the login credentials of its VPS control account and then requested a root password reset for all servers. The simple mistake that cost them was that the hosting service provider sent the VPS credentials via a Vircurex helpdesk ticket, instead of following the standard procedure of communicating via an official email address.

In June 2013, PicoStocks, a first-generation digital assets stock exchange, was hacked and $130,000 worth of cryptocurrency was lost. Through a forum post, a PicoStocks representative indicated that the company’s slovenly security practices were to blame for the attack. They had the same password for several accounts. Admitting that it was their fault, the company promised to refund customers for the loss.

In December 2017, EtherDelta suffered a DNS hijacking attack. According to EtherDelta, the hackers took control of its DNS server, redirecting the domain to a malicious server hosting an imitation of its website. Other crypto companies that have fallen victim to DNS hijacking in previous years include the Etherparty ICO website and Classic Ether Wallet.

In January 2018, Coincheck was hacked and 523 million NEM coins were stolen. The platform admitted to not securing its hot wallet with multisignature private keys. Hackers managed to access a single private key, which they used to unlock the digital wallet and drain the funds. Where a multisignature security protocol is employed, the private keys are stored in a distributed fashion and should not all be reachable in a single breach.


Smart Contract Vulnerabilities

Smart contracts are essentially the core of all Ethereum DApps as well as token sales. They automatically and autonomously enable the execution of credible transactions on the blockchain.

Since smart contracts control millions of dollars, it’s no surprise that they are a target for attackers. Consequently, some hacks emanate from vulnerabilities in smart contracts. Here are a few examples:

DAO hack

A Decentralized Autonomous Organization (DAO) is a decentralized venture capital fund run by smart contracts. By eliminating the need for documents and people, DAO was intended to democratize the funding of Ethereum projects.

In June 2016, unknown hackers exploited the fallback function, a vulnerability in the DAO code that exposed its smart contracts to reentrancy, and stole 3.6 million Ether. As a survival strategy, Ethereum’s codebase was reset via a hard fork. This resulted in the creation of Ethereum and Ethereum Classic as two distinct chains.
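The reentrancy pattern named above, as an added example (not code from the DAO or from this post): a small Python model of EVM call semantics in which a vault pays out before updating its ledger, next to the hardened ordering. All class and function names are hypothetical and the amounts are constructed.

```python
# Model only: names are hypothetical, amounts are constructed sample values.
class Reverted(Exception):
    """Stands in for an EVM revert."""

class VulnerableVault:
    """Pays out before updating the ledger, so the callee can re-enter."""
    def __init__(self):
        self.ledger = {}   # account -> credited amount
        self.held = 0      # ether the contract actually holds
    def deposit(self, account, amount):
        self.ledger[account] = self.ledger.get(account, 0) + amount
        self.held += amount

    def withdraw(self, account):
        amount = self.ledger.get(account, 0)
        if amount == 0 or amount > self.held:
            raise Reverted("nothing to pay out")
        self.held -= amount
        account.on_receive(self, amount)  # interaction: runs the callee's fallback
        self.ledger[account] = 0          # effect applied too late

class HardenedVault(VulnerableVault):
    """Checks-effects-interactions: zero the ledger entry, then pay."""
    def withdraw(self, account):
        amount = self.ledger.get(account, 0)
        if amount == 0 or amount > self.held:
            raise Reverted("nothing to pay out")
        self.ledger[account] = 0          # effect first
        self.held -= amount
        account.on_receive(self, amount)  # a re-entrant call now sees a zero balance

class Account:
    def __init__(self, reenter=False):
        self.received, self.reenter = 0, reenter
    def on_receive(self, vault, amount):
        self.received += amount
        if self.reenter:                  # fallback that calls back into withdraw()
            try:
                vault.withdraw(self)
            except Reverted:
                pass

def simulate(vault_cls):
    vault, other, caller = vault_cls(), Account(), Account(reenter=True)
    vault.deposit(other, 90)
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.held    # (paid to caller, left in vault)
```

With the late ledger update, a 10-unit deposit is paid out repeatedly until the vault is empty; with the update moved before the external call, the nested withdraw reverts and the other depositor's 90 units stay put.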

Multi-sig wallet hack

During the same period, in June, Parity’s multi-signature wallets were hacked. Usually, multi-sig wallets require more than one digital signature before a transaction is approved. The attackers exploited the delegatecall and fallback function in the smart contracts and made away with 150,000 Ether.
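How a forwarding fallback combined with delegatecall can expose a library's initialisation routine, as an added example (a simplified Python model, not Parity's code and not from this post). All names are hypothetical, and the signature threshold is left out so that the storage semantics stay visible.

```python
# Model only: names are hypothetical and this is not Parity's code.
class Reverted(Exception):
    """Stands in for an EVM revert."""

def init_unguarded(storage, sender, owners):
    # Library code: under delegatecall it writes to the calling wallet's storage.
    storage["owners"] = set(owners)

def init_guarded(storage, sender, owners):
    if storage.get("initialized"):        # one-shot guard
        raise Reverted("already initialized")
    storage["owners"] = set(owners)
    storage["initialized"] = True

def execute(storage, sender, amount):
    if sender not in storage["owners"]:
        raise Reverted("not an owner")
    storage["balance"] -= amount
    return amount

WEAK_LIBRARY = {"init": init_unguarded, "execute": execute}
FIXED_LIBRARY = {"init": init_guarded, "execute": execute}

class Wallet:
    def __init__(self, library, deployer, owners, balance):
        self.library, self.storage = library, {"balance": balance}
        self.fallback(deployer, "init", owners)

    def fallback(self, sender, selector, *args):
        # The wallet defines no functions of its own: every call is forwarded
        # to the library and run against this wallet's storage (delegatecall).
        if selector not in self.library:
            raise Reverted("unknown selector")
        return self.library[selector](self.storage, sender, *args)

def replay_init(library):
    """A non-owner sends 'init' again after deployment; return the wallet."""
    wallet = Wallet(library, "deployer", ["alice", "bob"], balance=100)
    try:
        wallet.fallback("mallory", "init", ["mallory"])
    except Reverted:
        pass
    return wallet
```

The one-shot guard is the minimal fix; restricting the fallback to an explicit allowlist of selectors that excludes initialisation gives a second layer.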

User-Triggered Wallet Freeze

The other recent attack that looms large is Parity’s user-triggered wallet freeze. In July 2017, a user (by the pseudonym devops199) accidentally exploited a bug in the library code of Parity’s smart contract, freezing 513,774.16 ETH.


Final Word

While it’s true that the crypto sphere has so much to offer, just like any other monetary system, there will always be some high-profile bad actors. As you can see in this post, most crypto exchanges have at some point faced hacking attempts, and this is just the tip of the iceberg, as countless hack attempts are not even reported.

The major methods hackers utilize include phishing/social engineering, inside jobs/corrupt employees, poor security practices, and exploiting smart contract vulnerabilities. As an investor, be wary. Trade and store your funds on safe platforms.