For some time now, skeptics have warned investors away from the crypto fad by claiming that it’s too volatile and insecure to be considered a safe investment. However, with cryptocurrency values soaring, it’s difficult to just sit on the sidelines when a major asset class has arrived on the scene.
Therefore, before you decide to jump on the crypto bandwagon, it’s important to understand the security risks, as history is littered with security breaches in which users have lost colossal sums of money.
This chapter takes a critical look at some of the most publicized cryptocurrency hacks, with the intention of explaining why these attacks happened.
#1: Mt. Gox attack
Overview: Mt. Gox was launched in 2010 as a Bitcoin exchange and quickly expanded to become the pinnacle of the Bitcoin trading market. The going was easy for Mt. Gox, a Japan-based cryptocurrency exchange firm that sat at the top of the cryptocurrency exchange markets. In fact, Mt. Gox was estimated to have a market share of more than 70%.
In 2014, Mt. Gox came crashing down after one of the biggest cryptocurrency hacks took place on the platform. The hack resulted in the theft of more than 700,000 bitcoins that were valued at approximately $473M at the time. Even before the 2014 attack, an intrusion had taken place in 2011, when attackers broke into the platform and transferred a substantial number of bitcoins away from client wallets before selling them on the exchange.
Details of the Hack: Bitcoin is transferred and spent using digital signatures. The diagram below summarizes the transactions that take place in any cryptocurrency network:
To generate a digital signature, you must have a private key. Today, the majority of wallets encrypt the private keys. However, before September 2011, the Bitcoin Core Wallet (software that manages users’ keys) did not encrypt private keys.
Wallet encryption was one of the major features of Bitcoin 0.4.0, which was released on 23rd September 2011. Before that, the hacker didn’t require any password, only the wallet.dat file, to gain access to the customers’ private keys. In the first attack, it was believed that the wallet.dat file was stolen, either through hacking or by a rogue employee.
In the second attack, the perpetrators used a transaction malleability attack to steal the bitcoins from customers. Because the company lacked adequate version control and an efficient software development setup, attackers gained control and made illegal transactions on the Mt. Gox platform.
As is the case with theft on such a monumental scale, the investors suspected foul play and sued Mark Karpelès, the founder and CEO of the platform. Mark Karpelès was subsequently caught and charged with fraud. The platform has never recovered from the attack.
#2: DAO Hack
Overview: DAO was one of the first token sales, launched in April 2016. The DAO token sale intended to solicit funds from investors with a view to replacing conventional governance structures and organizational decision making with smart contracts (self-executing programs) on the blockchain.
Notably, the most significant aspect of the DAO was that investors would share in the earnings from the crypto-based projects and monetize their investments in the DAO tokens by reselling them in alternative markets. As is the case with crypto markets, the token purchases were made through pseudonyms, making it difficult to identify the real buyers.
Even though DAO was touted for its automated decision-making structures, there was a critical human layer. Essentially, this was a group of “curators” who performed specific security-related functions and also decided which proposals investors should vote on, as well as the order and frequency of the proposals.
For whatever reason, DAO was popular among crypto enthusiasts at the time, and by the end of the token sale it had raised over $150M from more than 11,000 investors, making it the largest crowdfunding in recent history.
But something unusual happened.
Details of the attack: An unknown hacker began to siphon off the Ether that the DAO had generated from the sale of the tokens. By 18th June, the hacker had managed to drain more than 3.6M into another blockchain block (child block) which had a similar structure to that of DAO.
The hacker analyzed DAO.sol, the code implementing the DAO on the Ethereum blockchain, and noticed that the “splitDAO” function was susceptible to the recursive send pattern. That analysis gave the hacker the information needed to launch an attack.
The function updates account balances only at the end, so a caller that regains control before the balance update happens can call splitDAO again in a recursive manner. Such a function can lead to an infinite number of recursions which can siphon off as many funds as the hacker wishes.
Consider the code below illustrating how the splitDAO function was exploited:
The diagram below summarizes the DAO hack:
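The ordering flaw described above, shown on a simplified model (an added example, not the DAO.sol code and not from the original page; the vault, account names and amounts are constructed). The vulnerable variant pays out before zeroing the caller's balance; the corrected variant zeroes it first.

```python
# Toy model of the "recursive send" flaw: a vault that pays out before it
# updates the caller's balance, beside a version that updates first.
# All class and method names are constructed for illustration.

class Vault:
    def __init__(self, update_before_send):
        self.update_before_send = update_before_send
        self.balances = {}   # depositor name -> credited amount
        self.pool = 0        # funds actually held by the vault

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, account):
        amount = self.balances.get(account.name, 0)
        if amount == 0 or amount > self.pool:
            return False
        if self.update_before_send:
            self.balances[account.name] = 0   # effect first, then the send
        self.pool -= amount
        account.receive(self, amount)         # external call: recipient code runs here
        if not self.update_before_send:
            self.balances[account.name] = 0   # too late: balance was intact during the call
        return True


class HonestAccount:
    def __init__(self, name):
        self.name, self.received = name, 0

    def receive(self, vault, amount):
        self.received += amount


class ReentrantAccount(HonestAccount):
    """Recipient whose receive hook calls withdraw again (the recursive send)."""
    def receive(self, vault, amount):
        self.received += amount
        vault.withdraw(self)


def run(update_before_send):
    """Return (amount the re-entrant account received, funds left in the vault)."""
    vault = Vault(update_before_send)
    vault.deposit("alice", 90)      # constructed sample deposits
    vault.deposit("mallory", 10)
    mallory = ReentrantAccount("mallory")
    vault.withdraw(mallory)
    return mallory.received, vault.pool
```

With the balance update after the send, a 10-unit deposit empties the whole 100-unit pool; with the update moved before the send, the second call sees a zero balance and stops.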
The result was devastating: the value of Ether dropped sharply from over $20 USD to under $13 USD. Investors panicked and many attempts were made to split the network and forestall more theft. These attempts could not gather the necessary votes in such a short time.
Because of the controversy, certain users refused to migrate to the new platform which had the updated protocol and continued to use the old code. This hack led to 2 new cryptos: Ethereum (ETH) and Ethereum Classic (ETC). ETC is currently based on the old protocol.
#3: Coincheck Inc. Hack
Overview: Coincheck is a Bitcoin wallet and exchange platform founded in Japan by Koichiro Wada and Yusuke Otsuka. Coincheck operates various exchanges between bitcoins/ether and some fiat currencies in Japan. It also handles bitcoin transactions and storage in some jurisdictions worldwide.
Details: On 31st of January 2018, hackers broke into Coincheck and siphoned off approximately $500M in digital tokens. As of this writing, Coincheck hasn’t revealed how their platform was breached beyond denying that it was an inside job.
Exchanges usually try to minimize vulnerabilities by storing most of their clients’ assets in cold wallets, which don’t need a connection to external networks. Coincheck, however, was storing customers’ digital assets in hot wallets (wallet software which must be connected to the internet), which were connected to external networks.
Besides, Coincheck didn’t enforce multi-signature security (a measure that demands multiple sign-offs) before the funds could be moved. Consequently, hackers exploited the inherent vulnerabilities in the use of hot wallets and the lack of multi-signature security to siphon off more than $500M worth of NEM coins.
- More than $500M worth of NEM coins lost;
- Repayment of over 46.3 billion yen (approximately $425M) of the virtual funds that it lost to hackers; and
- A proposal to split (fork) NEM into 2 cryptos: the old one with the stolen funds and a new one for the unstolen funds.
#4: NiceHash Hack
Overview: NiceHash is a Slovenian-based cloud mining company which links sellers of hashing power to buyers. The platform was conceived to allow buyers to rent hashing/computing power via NiceHash’s portal. Sellers offer computing power by connecting to the NiceHash marketplace, while NiceHash owns the mining software.
Details of the Hack: On 6th of December 2017, attackers penetrated NiceHash’s platform via a compromised company PC and made away with over $64M worth of investors’ funds. According to the VPN logs, the attackers accessed NiceHash’s platform using a VPN login with the username and password of one of its engineers.
After penetrating the system, the hackers learned and simulated the operations of the payment system and began making transactions from the firm’s accounts.
- More than $64M worth of investors’ money stolen.
#5: CoinDash Hack
Overview: CoinDash is an Israeli-based cryptocurrency social trading system that was conceived to eliminate investment entry barriers. It provides tools and services which make the management and tracking of crypto assets easier and accessible for every trader. CoinDash launched its ICO campaign in the early summer of 2017 but had to quickly stop after learning that one of its Ethereum addresses had been compromised.
Details of the Hack: CoinDash had hoped to raise $12M for its social trading platform from the ICO that was slated to last for 28 days. However, just before the Token Sale on the morning of 17th July 2017, a group of hackers altered the payment address causing payments to start going to anonymous persons.
The attackers had commandeered the site and altered the original Ethereum address that investors were to use. This enabled the hacker to siphon off funds from token holders, whose Ether was originally meant for the CoinDash ICO address.
Consequently, the company summarily shut down its website and warned its token holders to stop further payments using the compromised Ethereum address.
While the company stated that payments sent after it had released the statement would not be honored, some investors proceeded to show support by donating to the hacked Ethereum address, raising the total stolen funds from $7M to $10M at the time. The company had raised $7.3M before an attacker altered the address, causing payments to go to an anonymous person.
- Between $7M and $10M were lost;
- The company shut down the entire ICO process; and
- The company transferred its native token award, CoinDash Token (CDT), to those investors who donated to the anonymous address.
#6: Parity Wallet Hack
Overview: Parity Wallet was a cryptocurrency wallet provider touted for its nice user interface and DApp browser for Ethereum clients. The platform was coded in Rust from the ground up for verifiability, correctness, modularization, and high performance. The year 2017 was a tough one for Parity Wallet, as it had the rare distinction of being hacked twice.
Details of the Hack:
Challenges began to manifest in July 2017 when Parity Wallet unearthed a vulnerability in version 1.5 of its wallet software. By then, hackers had exploited 3 high-profile multi-signature contracts which were storing funds from the past ICO and siphoned off more than 153,037 ETH (valued at approximately $30M at the time).
This problem was first reported by the Parity Wallet team because the affected multi-signature wallet contract was part of the software suite. This problem was corrected immediately by revising the Parity software. In December 2017, another attack occurred.
But this time, hackers sent 2 transactions to each of the multi-signature contracts: the first took exclusive ownership of the multi-signature wallet, while the second moved all of its funds out of the user accounts, as illustrated by the first transaction, the call to initWallet, below:
The above function was conceived to extract the wallet’s constructor logic into a distinct library, using a concept similar to a proxy library. This design caused all public functions from the wallet software library to be callable by hackers, including initWallet, which altered the contract’s owners.
Because the initWallet function didn’t have checks to forestall attackers from calling it once the contract had already been initialized, hackers exploited this vulnerability and executed the transactions.
- More than $280M worth of investors’ money was lost.
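The missing initialization check described above, shown on a simplified model (an added example, not Parity's contract code and not from the original page; the class names, account names and amounts are constructed, and confirmation counting is left out to keep the focus on ownership). The wallet forwards any named call to a shared library that operates on the wallet's own storage; the hardened variant refuses a second initialization.

```python
# Toy model of a wallet that forwards calls to a shared library which runs
# against the wallet's own storage. Names are constructed for illustration.

class WalletLibrary:
    """Shared logic; every public function here is reachable through the wallet."""
    def __init__(self, guard_init):
        self.guard_init = guard_init

    def init_wallet(self, storage, caller, owners, required):
        # Hardened variant: refuse to run once the wallet already has owners.
        if self.guard_init and storage["owners"]:
            raise PermissionError("wallet already initialized")
        storage["owners"] = set(owners)
        storage["required"] = required   # stored only; sign-off counting is omitted

    def execute(self, storage, caller, to, amount):
        if caller not in storage["owners"]:
            raise PermissionError("caller is not an owner")
        if amount > storage["funds"]:
            raise ValueError("insufficient funds")
        storage["funds"] -= amount
        return (to, amount)


class Wallet:
    def __init__(self, library, owners, required, funds):
        self.library = library
        self.storage = {"owners": set(), "required": 0, "funds": funds}
        self.call("deployer", "init_wallet", owners, required)

    def call(self, caller, function, *args):
        # Catch-all forwarding: any public library function name is accepted,
        # and the library code runs against this wallet's storage.
        handler = getattr(self.library, function)
        return handler(self.storage, caller, *args)


def takeover_attempt(guard_init):
    """Replay the two-transaction sequence against a constructed wallet."""
    wallet = Wallet(WalletLibrary(guard_init), {"alice", "bob"}, 2, funds=500)
    try:
        wallet.call("mallory", "init_wallet", {"mallory"}, 1)   # transaction 1
        wallet.call("mallory", "execute", "mallory", 500)       # transaction 2
    except PermissionError as err:
        return ("rejected", str(err), wallet.storage["funds"])
    return ("drained", sorted(wallet.storage["owners"]), wallet.storage["funds"])
```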
#7: Bitcoin Gold Hack
Overview: Bitcoin Gold was hard-forked from the original Bitcoin in November 2017. Bitcoin Gold developers had big plans to generate a cryptocurrency that is decentralized and free from the so-called 51% attack (major group influences). Whereas the original Bitcoin was based on the SHA-256 algorithm and therefore relied on ASICs to mine, Bitcoin Gold was based on the Equihash algorithm, which meant that ASICs were no longer required.
Details of the Hack: Shortly after the unveiling of Bitcoin Gold, some Bitcoin users had their crypto wallets siphoned off after using a service that was apparently endorsed by the project’s implementation team. Marketed as a form of authenticating whether a particular user was eligible for Bitcoin Gold (free funds for the Bitcoin owners) or not, the website’s operators instead drained more than $3M in Bitcoin, Bitcoin Gold, Litecoin, and Ethereum.
Later, Bitcoin Gold’s implementation team claimed no structured relationship with the website’s developer, arguing that they reached out to implement a wallet checking service to make the code open-source. The website’s creator initially alleged that his site had been hacked, but later wiped out his GitHub account and stopped responding to users on the Bitcoin fork’s Slack platform.
- More than $3M worth of bitcoins, Bitcoin Gold, Litecoin, and Ethereum were drained off from the users’ accounts.
#8: Enigma Project Hack
Overview: Enigma is touted as a cryptocurrency and decentralized data marketplace protocol. It was conceived by a group of researchers from Massachusetts Institute of Technology (MIT) and incubated in the MIT Media Lab. The Enigma Project is often regarded as a second-layer, off-chain system that aims to resolve the challenges of privacy and scalability on the Blockchain.
Details of the Hack: On 21st August 2017 (just a few days into the pre-ICO), the Enigma project was hacked as a result of a bug in the system that made researchers from MIT appear like amateurs. The official email account of Guy Zyskind (CEO) got hacked as a result of password re-use on his PC.
It was alleged that the CEO had used the same password in a previously hacked database, which compromised his account. By hacking his account, which had administrative privileges to the Slack (communication channel), hackers accessed the website’s domain, mailing lists and the Slack channel.
While on the official website, the hackers altered the deposit addresses for both Bitcoin and Ethereum. On the Slack channel, they deleted all other administrators and misinformed the token holders. They then sent an email to everyone who was on the mailing list notifying them of changes in the deposit addresses.
As a result of the hack, investors were defrauded of close to 1,500 Ether. The compromised accounts promised an ROI, and by masquerading as the legitimate operators of the project, those behind the hack were able to persuade naive investors to donate to the compromised website. While the team behind the Enigma project was able to get back control of the firm’s accounts, the Ether wallet used by the attacker was emptied, and the stolen money was never recovered.
- Over 1,500 ETH were stolen from investors; and
- Stolen funds were never recovered.
#9: Tether Hack
Overview: Tether is a crypto token touted to be backed by $1 for each token issued, with the intention of facilitating transactions between crypto exchanges at a rate fixed to the U.S. dollar. Based on Bitcoin’s underlying blockchain via the Omni Layer Protocol, Tether aims to take advantage of high-speed arbitrage that doesn’t involve slow bank wire transfers.
Details of the Hack: On 21st November 2017, Tether announced that an anonymous hacker had managed to drain more than $30M worth of Tether tokens. It said that the stolen Tether tokens had been flagged and were now irredeemable, and that it believed the hacker was still holding the stolen tokens at the following address:
Although the stolen funds weren’t significant in the cryptocurrency market, the hack mattered more because it renewed the long-standing criticisms of Tether the company, which prompted thorough scrutiny in the form of its blog posts and other mainstream news exposés.
The firm later moved to blacklist the tokens that had been stolen via an update to its Omni protocol. Still, Tether continues to be plagued by claims which the incident played no small part in helping to stir up.
- More than $30M worth of Tether tokens were drained from investors’ accounts;
- The firm moved to blacklist the tokens which had been stolen through an update to its Omni Layer Protocol; and
- The incident threw up many questions regarding the relationship between Tether and other secretive exchanges such as Bitfinex, with the duo rumored to have been sharing owners and therefore manipulating the market.
#10: EtherDelta Hack
Overview: EtherDelta is a popular cryptocurrency exchange that is particularly touted for its selection of altcoins (from token sales), which are often listed on its website before hitting other, higher-profile crypto exchanges. The exchange doesn’t require user verification of any kind to start trading, even though it doesn’t back fiat currencies.
Details of the Hack: In December 2017, the company said on its Twitter handle that it had “reason to believe” that hackers had compromised its systems. Users who had visited the actual EtherDelta website were served a partly functional system after the platform was compromised.
Although the attack appeared to have been mitigated within a few hours and the official EtherDelta website restored, anyone who had interacted with the fake platform had sent ether tokens to the anonymous hacker. The attack resulted in at least 308 ETH (estimated at over $266,000) being drained from users’ accounts.
- At least 308 ETH (estimated at over $266,000) was stolen from users’ accounts.
#12: Bitfinex Hack
Overview: Bitfinex is a Hong Kong-based crypto exchange trading and storage platform, owned by iFinex Inc. Since 2014, Bitfinex has seen its market share rise to over 10 percent of exchanges’ trading.
Details of the attack: In May 2016, Bitfinex was hacked and over $72M worth of bitcoins were siphoned from its users’ accounts. The hackers were reported to have exploited a vulnerability in Bitfinex’s multi-signature wallets to drain bitcoins from users’ accounts.
Bitfinex first communicated about the hack on 2nd August 2016, when it noted that bitcoins had been taken from the users’ segregated wallets. During the attack, a substantial number of transactions were signed off via Bitfinex’s security provider, without its knowledge, as demonstrated below:
Shortly after the attack, Bitfinex developed BFX tokens that were used to represent its clients’ stolen equity. At the time, the BFX tokens represented $1 USD and were issued only to the account holders whose tokens had been stolen by the anonymous hacker. The BFX tokens were successfully created in April 2017, when all the customers whose accounts had been drained were paid back.
- More than $72M worth of bitcoins were siphoned from its users’ accounts;
- BFX tokens were created to represent clients’ stolen equity;