Why are cryptocurrency exchanges hacked so often?

Attacks against exchanges, exit scams and nation-state threats mean that cryptocurrencies retain their Wild West character.

According to research by The Block, 42 crypto exchanges have been compromised since 2012, and this figure does not even include small platforms. The total amount stolen exceeds $1.35 billion, and about 59% of it ($795.5 million) was stolen in 2018.

According to cybersecurity company Carbon Black, crypto exchanges account for 27% of all attacks related to the cryptocurrency industry. In most cases the cause of a hack is poor protection of the exchange's hot wallets; less often, users fall victim to an exit scam by the site's owners.

How hackers are stealing funds

Attacking a trading terminal on a mobile device or computer requires special conditions, such as the ability to intercept traffic or physical access to the device. Attacks on web application clients need none of that, which is why they are usually carried out at scale.

Analysts at Positive Technologies have reviewed the most popular ways of hacking the web terminals of cryptocurrency exchanges, the ones that let attackers reach the trading platforms' hot wallets.

XSS

Almost all trading terminals are vulnerable to Cross-Site Scripting (XSS) attacks. Using such vulnerabilities, attackers inject malicious code into a page of the web resource that redirects traders to third-party sites and/or infects users' devices with malware. Such software can include viruses that steal wallet passwords or replace the recipient's address in the clipboard.

Configuration vulnerabilities

Web terminals often lack the HTTP headers that raise the bar against certain types of attack. For example, the Content-Security-Policy header protects against the deployment of malicious content, including XSS; X-Frame-Options protects against clickjacking; Strict-Transport-Security forces the browser to connect over HTTPS (HyperText Transfer Protocol Secure).

Vulnerabilities in code

Research by Coverity, a company specializing in software quality and security testing solutions, has shown that for every 1000 lines of code there are 0.52 errors in open source products and 0.72 in proprietary products (the quality standard is fewer than 1 error per 1000 lines of code). These errors can potentially have a negative impact on a platform's security.

Even if exchange developers write code without a single error, there is always a risk of a vulnerability in third-party software. For example, a vulnerability in the operating system, payment gateway or messenger can be used for phishing or for installing malware on the devices of exchange employees.

Vulnerabilities in smart contracts

Hackers find a vulnerability in the code of a wallet smart contract that allows them to seize control of the victim's assets. This can be either a targeted attack on a particular wallet or a mass attack, if many wallets share the same vulnerability.

Phishing and social engineering

Exploiting human weakness remains the most popular way to break into accounts. Attackers posing as exchange representatives gain access to employees' computers (a task that sometimes takes months) and take possession of private keys.

SMS authentication

If cybercriminals know that a specific person trades on a crypto exchange or works as its administrator, that person's SMS messages can be intercepted and used in authentication or account recovery procedures.

Hacking options:

  • Spying with special equipment, infecting the victim's phone with malware, or hacking into the provider's server;
  • SIM card cloning;
  • A false base station: expensive equipment that intercepts and decrypts SMS messages;
  • An SS7 attack: compromising the suite of signalling protocols that telephone networks (PLMN, PSTN) use to interconnect their exchanges;
  • Phishing the operator's call center: attackers learn the user's personal details and phone number, then call the carrier's call center to have the SIM card reissued.

An intercepted SMS message can be used not only to log in to the exchange account but also to regain access to e-mail: the attacker attempts to log in to the mail service, fails, and then resets the password via SMS.

The most famous exchange hacks

Mt.Gox

Country: USA

Founder: Jed McCaleb

Stolen: officially 2000 BTC, unofficially 1.325 million BTC

Mt.Gox was hacked twice: first in 2011 and then in 2014. Hackers attacked the audit account of the exchange's first owner, McCaleb. The first time, according to Mt.Gox's new owner Mark Karpelès, 500 000 BTC were withdrawn from the accounts, and the second time 850 000 BTC. Investigators, unfamiliar with the intricacies of the crypto industry, were able to confirm the theft of only 2000 BTC. What happened to the rest of the funds is still unknown. The exchange closed in February 2014, having dealt three heavy blows to the Bitcoin price: in 2011 the cryptocurrency fell from $32 to a few cents, in 2014 from $720 to $550, and in 2018 the exchange's bankruptcy trustee Nobuaki Kobayashi sold a total of 35 841 BTC from Mt.Gox, accelerating the market decline. The latest actions of the Mt.Gox administration provoked an outcry from deceived users, who demanded "just to give people back their bitcoins".

BitFloor

Country: USA

Founder: Roman Shtylman

Stolen: 24,000 BTC

BitFloor was hacked in September 2012. First, the exchange's servers went down, either because of a DDoS attack or because of a power outage in the data center, as its owner Roman Shtylman claimed. Four days later, hackers used a backup copy of the key to the exchange's hot wallet, where traders' funds were stored, and withdrew 24 000 bitcoins from the system. Shtylman tried unsuccessfully to compensate the affected investors by selling a stake in BitFloor, but could not find a buyer. In 2013 the exchange closed, leaving the affected investors with nothing.

Bitstamp

Country: Slovenia

Founders: The Merlak brothers

Stolen: 19 000 BTC

Bitstamp lost 19 000 BTC in 2015, stolen by hackers from a hot wallet. At the time, the damage amounted to $5 million. The break-in relied on a phishing attack: exchange employees received personal e-mails and Skype messages from seemingly friendly sources. System administrator Luka Kodrič clicked the link and downloaded malware onto his work computer, after which the exchange was hacked. Bitstamp rushed to notify traders about what was happening, but the job was done. No compensation followed, but the security regime was tightened: transactions at Bitstamp have since required multisignature, and 98% of the exchange's funds are stored in a cold wallet.

Bitfinex

Country: British Virgin Islands

Founder: Raphael Nicolle

Stolen: 120 000 BTC

Bitfinex fell victim to hackers in August 2016. Unknown persons used a bug in the multisignature system supported by partner company BitGo. The hackers deceived BitGo's algorithms in an unknown way, forcing them to approve transactions, and took 120 000 BTC from a hot wallet, about $72 million at the exchange rate at the time. Bitfinex's founders notified users of the outcome: the damage would be spread across all account holders, whose balances would be reduced by 36.067%. These losses were later compensated with BFX tokens, which could be converted into U.S. dollars at the internal exchange rate or into shares of iFinex, the company behind the exchange. Bitfinex stayed afloat.

How crypto exchanges protect themselves

Most crypto websites use at least one, and more often several, anti-hacking measures. The simplest and most common is two-factor authentication: each transaction requires a one-time password sent to the client's phone or e-mail.

Given the SMS interception methods described above, SMS-based two-factor authentication is not the most secure form of protection. A more advanced option is a dedicated authenticator app such as Authy or Google Authenticator: even if the login and password are compromised, it blocks access by demanding an additional code.

The second most popular method of protection is multisignature: several keys to a Bitcoin wallet are held by different owners, and the funds can be accessed only by collecting all of their electronic signatures. However, this system can also fail. Experts note that multisignature works only when all key holders are independent of each other.

One of the most reliable protections against hacker attacks remains splitting funds between hot and cold wallets. In addition to physical protection (video cameras, armed guards, retinal scanners, etc.), a cold wallet can be equipped with multisignature. The larger the share held in cold storage, the safer it is. Ideally, cryptocurrency should only come online at the moment of a transaction.

Another approach is the so-called Bitcoin "vault": a special Bitcoin address where coins are locked by a two-stage security mechanism with two different keys. To unlock the funds you need the regular digital key, but full access to the money is only possible after 24 hours. Within those 24 hours any transaction can be cancelled by presenting the second key. There is a further degree of protection: if a hacker has obtained both keys, the exchange can burn the funds stored in the wallet.
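The vault mechanism above is easiest to understand as a state machine, so here is an added example (not code from the article and not a real Bitcoin script) that models it: a withdrawal started with the regular key sits in a 24-hour pending state, the second key can cancel it during that window, and both keys together burn the balance. The key bytes and timestamps are constructed, the names `spend_key` and `cancel_key` are this example's own, and key checks use a constant-time byte comparison in place of the real signature verification a vault would perform.

```python
"""Toy state machine for a two-key Bitcoin vault with a 24-hour cancellation window.
Added example; keys and amounts are constructed, not real wallet material."""
import hmac
from dataclasses import dataclass
from typing import Optional

DELAY_SECONDS = 24 * 60 * 60  # the 24-hour window described in the article


@dataclass
class PendingWithdrawal:
    amount: float
    destination: str
    requested_at: int  # unix seconds when the regular key started the withdrawal


class BitcoinVault:
    def __init__(self, balance: float, spend_key: bytes, cancel_key: bytes):
        self.balance = balance
        self._spend_key = spend_key      # "regular digital key": starts a withdrawal
        self._cancel_key = cancel_key    # "second key": cancels within the window
        self.pending: Optional[PendingWithdrawal] = None
        self.burned = False

    @staticmethod
    def _key_ok(presented: bytes, expected: bytes) -> bool:
        # Stand-in for signature verification; constant-time so timing leaks nothing.
        return hmac.compare_digest(presented, expected)

    def request_withdrawal(self, key: bytes, amount: float, destination: str, now: int) -> bool:
        """Stage 1: the regular key only *starts* a withdrawal; nothing moves yet."""
        if self.burned or self.pending is not None or amount > self.balance:
            return False
        if not self._key_ok(key, self._spend_key):
            return False
        self.pending = PendingWithdrawal(amount, destination, now)
        return True

    def cancel(self, key: bytes, now: int) -> bool:
        """The second key cancels a pending withdrawal, but only inside the delay."""
        if self.pending is None or not self._key_ok(key, self._cancel_key):
            return False
        if now - self.pending.requested_at >= DELAY_SECONDS:
            return False  # window closed; the withdrawal is already finalizable
        self.pending = None
        return True

    def finalize(self, now: int) -> Optional[PendingWithdrawal]:
        """Stage 2: after 24 uncancelled hours the coins actually leave the vault."""
        if self.pending is None or self.burned:
            return None
        if now - self.pending.requested_at < DELAY_SECONDS:
            return None  # still inside the cancellation window
        done, self.pending = self.pending, None
        self.balance -= done.amount
        return done

    def burn(self, spend_key: bytes, cancel_key: bytes) -> bool:
        """Last resort when both keys are believed stolen: destroy the coins."""
        if self.burned:
            return False
        if not (self._key_ok(spend_key, self._spend_key)
                and self._key_ok(cancel_key, self._cancel_key)):
            return False
        self.burned, self.pending, self.balance = True, None, 0.0
        return True


# Constructed demo keys (not real wallet material).
SPEND_KEY = b"demo-spend-key"
CANCEL_KEY = b"demo-cancel-key"


def demo() -> dict:
    """Walk through: a withdrawal started with a stolen regular key is cancelled
    in time, a legitimate one completes after 24 h, then the vault is burned."""
    vault = BitcoinVault(100.0, SPEND_KEY, CANCEL_KEY)
    t0 = 1_700_000_000
    out = {}
    out["wrong_key_rejected"] = not vault.request_withdrawal(b"guess", 100.0, "addr-x", t0)
    out["started"] = vault.request_withdrawal(SPEND_KEY, 100.0, "attacker-addr", t0)
    out["early_finalize"] = vault.finalize(t0 + 3600)          # None: too early
    out["cancelled"] = vault.cancel(CANCEL_KEY, t0 + 3600)      # True: inside window
    out["balance_after_cancel"] = vault.balance                 # 100.0
    vault.request_withdrawal(SPEND_KEY, 40.0, "cold-storage", t0 + 7200)
    out["late_cancel"] = vault.cancel(CANCEL_KEY, t0 + 7200 + DELAY_SECONDS)  # False
    out["completed"] = vault.finalize(t0 + 7200 + DELAY_SECONDS) is not None
    out["final_balance"] = vault.balance                        # 60.0
    out["burned"] = vault.burn(SPEND_KEY, CANCEL_KEY)
    out["balance_after_burn"] = vault.balance                   # 0.0
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The property worth noticing is that a thief holding only the regular key gains nothing for 24 hours, which is exactly the time the operator's monitoring needs to notice an unexpected pending withdrawal and present the second key.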

Regular audits by independent experts and penetration tests have become good practice among crypto exchange operators. The latter are carried out by so-called white-hat hackers, whose goal is to break into the security systems in order to find vulnerabilities before attackers can exploit them.

One way or another, a comprehensive approach to exchange security is what matters: secure code combined with a secure development environment and secure third-party libraries used in building the product. Nor can the human factor, which so often contributes to hacker attacks, be ruled out.

Stay safe and protected from hackers — mine BTC with our cloud mining platform Hashmart.io!

Jeffrey Hancock

Blockchain enthusiast developer and writer. I love video games, blockchain and the hot symbiosis of these two worlds.