Cyberlands.io - API Penetration Testing

Top-10 Cybersecurity Breaches in Crypto Industry

The cryptocurrency market continues to grow steadily, reaching $1.6 billion in 2021. Could it possibly grow faster? Yes, if it gained trust.

Cryptocurrency first appeared back in 2009. Despite being around for 13 years, it is still a very new concept compared to regular money. Consequently, people just do not trust it yet. The main reasons are the lack of institutional support and, obviously, security. In 2020 alone, $1.9 billion in cryptocurrencies was stolen, and there were 15 million attacks on the market in the span of one month.

We have collected the top 10 cybersecurity breaches in cryptocurrency to learn from, so that great losses can be avoided in the future.

#1 Coincheck
Coincheck is the 17th largest crypto exchange and a digital wallet that was founded back in 2012. Its head office is in Tokyo, Japan. They trade Bitcoin, Ethereum, Factom, Ripple (XRP), and LISK.

They suffered the second-biggest breach in the history of crypto in January 2018. Hackers managed to transfer $534 million worth of NEM from "hot wallets" (wallets kept online rather than in offline storage) to 20 different accounts. The theft took place over several transactions, which were possible because of stolen keys.

The breach happened because of Coincheck's neglect. The situation could have been avoided if they had stored NEM partly offline and had a more complicated transfer process.

Around 260,000 users were affected by the breach, and Coincheck had to pay them back everything they had lost.

#2 Mt. Gox
Mt. Gox was a bitcoin exchange based in Tokyo, Japan. It was founded back in 2010 and, at one point, it processed 70% of all bitcoin transfers.

In April 2013, they had to stop their services for an entire day, which resulted in a massive drop in bitcoin's value. Later that year and in 2014, they had to stop withdrawals for some time as well, and that is when the security breach revealed itself. In fact, Mt. Gox's CEO, Karpeles, had known about some kind of problem since 2011. However, they thought that it was a one-time occurrence, and they just transferred bitcoins to the accounts that had lost their money. Unfortunately, it was not a one-time problem. The hackers were siphoning money for two years until the breach was detected.

The problem was that the bitcoin exchange did not use any version control software, and its CEO was the only one with access to approve changes on the platform. He could push back updates for weeks, which resulted in vulnerabilities. However, exactly why the hack happened remains unclear. The most plausible explanation is that the private key was unencrypted until 2011 and was, therefore, compromised.

Hackers stole over $700 million in cryptocurrency. Mt. Gox declared bankruptcy in 2014. At first, the CEO was charged with embezzlement and data manipulation. The main suspect is now Alexander Vinnik, who is also known for other cryptocurrency frauds and API security manipulation. The lost bitcoins were tracked down and found in his wallets.

#3 BitGrail
BitGrail was a small Italian cryptocurrency exchange. In 2018, they announced a massive breach that resulted in missing Nano cryptocurrency.

Nano was formerly known as RaiBlocks and was the 24th largest cryptocurrency at the time. Its price was around $10 when the theft of 17 million units of Nano was reported.

The cryptocurrency exchange blamed Nano itself, claiming the currency was insecure. However, the Nano team came back with a statement that it was BitGrail's fault, and the investigation that followed proved that the vulnerability was in the exchange.

BitGrail did not secure its coin storage, and the hackers exploited this. It could have been avoided if the cryptocurrency exchange had patched the vulnerability earlier.

The exchange lost $170 million and later announced its insolvency.

#4 Bitfinex
Bitfinex is a leading cryptocurrency exchange that was founded in 2012 in Hong Kong.

The exchange suffered a breach in 2016 in which 120,000 bitcoin tokens were stolen. At the time, it meant a $72 million loss. The reason for the breach is still unknown: some say that the process of key storage and recall was imperfect, while others tend to believe that the multi-signature technology (where the keys belonged to a couple of owners for risk prevention) was not as good.

The exchange did not go bankrupt and even managed to return the lost money to affected users. The company, along with the authorities, continues to track down where the bitcoins went. They offer 30% of the stolen funds (which means $2.2 billion as of now) to those who know anything significant about the hackers.

#5 Roll
Roll is a cryptocurrency platform for social money that runs on Ethereum Blockchain.

In March 2021, they suffered a breach and lost $5.7 million. Hackers somehow got access to Roll's hot wallet and stole different kinds of social currencies from there. To this day, it is not known how exactly the password to the hot wallet became known.

Roll had to stop withdrawals until they regained control over their hot wallet. The value of some social currencies plummeted. While currencies such as $WHALE did not lose much in the long run, some currency creators lost everything. Roll offered $500,000 to fix the situation.

#6 Poly Network
Poly Network is a decentralized finance (DeFi) platform. It helps users to transfer funds between different blockchains. The platform created interoperability between numerous chains like Bitcoin, Ethereum, Neo, Ontology, Elrond, Binance Smart Chain, etc.

The exchange suffered a breach in 2021 that has become the biggest heist in cryptocurrency history. Hackers found a vulnerability in a smart contract that makes interoperability possible. They proceeded to steal $610 million in 12 different cryptocurrencies.

Hackers then returned the money to their respective accounts, claiming that they just wanted to transfer money to a safe wallet before the vulnerability could be exploited by other hackers. However, many believe that they just could not launder that much.

#7 Liquid
Liquid is a Japan-based cryptocurrency trading platform that was founded in 2014. They help beginners and pros to trade Bitcoin, Ethereum, XRM, and other currencies.

Liquid has already suffered two breaches. The first one happened in 2020, when hackers were able to break into its DNS infrastructure and steal the personal data of some customers and the work credentials of employees. However, no money was stolen. In 2021, the situation was more heated. Hackers used a vulnerability in hot wallets and stole $94 million in different cryptocurrencies.

Numerous wallets were compromised because of the breach. Liquid suspended all withdrawals and is now tracking down where the funds went in order to return them to the clients.

#8 Coinrail
Coinrail is a small Korea-based cryptocurrency exchange. Cryptocurrency is extremely popular in South Korea, and the breach of their exchange caused some panic on the market.

In 2018, they suffered a breach, losing 30% of all the traded currency. The hackers stole 11 cryptocurrencies valued at around $40 million. The company immediately froze all operations and transferred money to cold wallets to find the problem.

The reason for the hack was never disclosed, but Coinrail claims to have patched the vulnerability and upgraded their security system overall. They managed to recover seven out of eleven currencies. Even though we cannot learn what to protect in this situation, we can at least take their great crisis communication as an example.

#9 Altsbit
Altsbit was a new cryptocurrency exchange. It was founded in 2020 and lasted only a few months before hackers stole its funds.

The breach happened in 2020: the exchange claimed to have lost all of its funds. Later, it turned out that they had lost under 50% of them, but it was still a big shock for the new platform. The problem was that Altsbit kept almost all its funds in hot wallets. Funds in cold wallets were not lost.

The hacker group Lulzsec, which was responsible for the breach, managed to steal $70,000 worth of cryptocurrencies. Altsbit was able to return the funds partially, but they announced their exit promptly after.

#10 Upbit
Upbit is a Korea-based cryptocurrency exchange. Their breach became the 7th major breach of 2019.

In November, in a span of minutes, hackers stole 342,000 in Ethereum (or $48.5 million at the time). They cleared all of the available currency out of hot wallets, raising once again the question of how much currency should be kept online. After the breach, the exchange froze its operations for two weeks and promised to return the funds.

Conclusion
Businesses in the crypto industry should learn from the negative experience of their competitors as well as fully adhere to regulations such as the European Banking Authority Guidelines on ICT and security risk management 2019 to avoid massive financial and reputational losses. This is especially relevant for organizations based in go-to Fintech destinations such as Singapore, Estonia, the United Arab Emirates, and Japan.
Cyberlands.io Team