Hacks on Cryptocurrency Exchanges
Although the crypto industry is currently experiencing some difficulties, the Bitcoin blockchain development business remains optimistic that it will reach its pinnacle again, as it did in 2017. It continues to attract new investors, many of whom will begin by acquiring coins from an exchange. New coin launch platform projects are also forming to build wallets and issue new coins. The bitcoin exchange service is what unites the entire market and aids its development and growth. A compromised exchange, on the other hand, affects all of its users and their wallets.
What have been the most significant cryptocurrency exchange hacks, and how could they have been avoided?
Statistics on Exchange-Hacking
Surprisingly, committing cybercrime and escaping with billions of dollars in bitcoin is rather simple. On July 8, 2018, a slew of publications claimed that exchanges have a number of flaws, which surprised investors and crypto brokers. Many crypto-focused publications, including Cointelegraph, reported that $1.1 billion in cryptocurrency had been stolen in the first half of 2018.
Carbon Black produced a list of the most often attacked cryptospheres in July of this year:
Frequently hacked cryptocurrency spheres
Number of strings: 35 percent 20 percent 35 percent
35 Business 35 Consumers 20 Government 10
The number of attacks has risen quickly, according to the largest crypto portals. Cryptoauxiliary, a blockchain and DeFi development firm, will expose the reasons for this, as well as the methods used by hackers.
History of Exchange-Hacking
Since their inception, cryptocurrencies and blockchain have been subjected to a slew of thefts that have resulted in massive financial losses. Let's take a look at the big exchanges that have been hacked and investigate the causes.
Mt. Gox was the world's largest and most popular Bitcoin exchange, as well as one of the first cryptocurrency exchanges. It was the victim of many cyber attacks, which resulted in the loss of 1.35 million BTC for its customers.
Mt. Gox began as a website for trading "Magic: The Gathering Online" cards, founded by blockchain developer Jed McCaleb, who is also the co-founder of Ripple and Stellar. The Magic the Gathering Online eXchange took its place later. It was founded in Japan and then purchased by Mark Karpeles, a Frenchman who became the most despised criminal in the crypto world at the time.
From 2013 to 2014, the exchange was thought to have housed 70% of all Bitcoins and was the most popular website for selling and purchasing BTC. However, the company went bankrupt in 2014, claiming to have lost 850,000 BTC. Karpeles stated during a press conference in Tokyo that the Bitcoins had vanished owing to a flaw in the system. As a result, 25,000 Mt. Gox users demanded their funds be returned.
It was the largest calamity the Bitcoin blockchain development business had ever experienced at the time: the price of Bitcoin plummeted, and some even predicted the demise of Bitcoin.
Mark Karpeles was arrested and accused of embezzlement and electronic data manipulation in the summer of 2015. He was imprisoned for over a year. However, in 2017, US officials apprehended a Russian suspect, Alexander Vinnik, based on evidence that about 90% of the money taken from Mt. Gox went straight to Alexander's wallet.
A curious event happened a few days after Mt. Gox went bankrupt: Mark Karpeles was going through all of his digital wallets and stumbled across his old wallet, which contained 200,000 BTC. What a lucky break! The price of Bitcoin had risen to nearly $2,000 US at the time, turning Mark's old wallet into a gold mine, covering all of the money he owed the outraged Mt. Gox users.
What Caused the World's Largest Exchange Failure?
Many well-known and successful blockchain development firms run into difficulties. Some succeed in repairing them, while others fail and go bankrupt. In the instance of Mt. Gox, however, everything hinged on management and a risk miscalculation. The following are some of the issues that put Mt. Gox in jeopardy of being hacked.
The absence of a VCS
Version Control Software (VCS) is essential, like a warm coat in the cold. It keeps track of all database changes and helps detect any fraudulent activity. An IT organisation can use VCS to check who made the changes and when they were made, and then correct everything in a timely manner. Of course, for a blockchain development firm whose whole revenue stream is based on electronic data, the lack of a VCS can be deadly.
There is no testing policy in place.
The fact that Mt. Gox didn't have a testing policy for a long time, while being the largest crypto exchange business, is incredibly concerning. Customers were receiving an unprotected service from the provider.
A problem with a bottleneck
But wait, there's more! They did actually test the code, but only with the help of their CEO, Mark Karpeles. He double-checked all code written by Mt. Gox developers, which held up the process.
Mt. Gox's Two Biggest Strikes
With all of the aforementioned faults acting as weak places, Mt. Gox's demise was unavoidable. It was just a matter of time.
An attacker hacked one of the company's computers on July 19, 2011, and transferred a large sum of Bitcoin to the company. This resulted in the largest loss in Bitcoin value in the system's history. Bitcoin's exchange price plunged below one penny in a matter of minutes.
Figure: Bitcoin's price drop on Mt. Gox.
Users of the exchange service began complaining about the length of time it took to complete a transaction in 2014, prompting the Mt. Gox staff to conduct a technical check that lasted several days. When the hack happened, they were victims of a malleability attack, which resulted in a $473 million loss. The Mt. Gox saga came to a close here, with the declaration of the company's bankruptcy.
BitFloor in 2012
Bitfloor, a U.S.-based exchange and trading platform, was not the first, and it will not be the last, to be forced to shut down due to a cyber attack.
BitFloor's servers were hacked in 2012, just as Bitcoin was gaining popularity, resulting in a loss of 24,000 BTC. This was valued at $250,000 US at the time of the hack. It's a good thing it didn't happen in January 2017.
Any attack on a cryptocurrency exchange leads to the loss of funds. Every blockchain development company, however, handles it differently. BitFloor went out of business in 2013, leaving its clients with nothing.
What's the deal with the hack?
The attacker broke into the crypto exchange's servers and acquired access to unencrypted backup keys. The keys that govern wallets were encrypted, but BitFloor was still vulnerable. The hacker signed the transaction, which transferred money from BitFloor's wallet to his or hers.
Despite the fact that BitFloor's founder, Roman Shtylman, issued an official statement apologising for the delays and pledging to restore any lost cash to their owners, nothing transpired.
BitFloor made two mistakes that may have been avoided and prevented the hack:
Keeping data in an unencrypted location. In an official declaration to the public, Roman Shtylman admitted as much.
Keeping a large sum of cash in a hot wallet. The cash would not have been harmed if BitFloor had merely employed cold storage.
Bitfinex in 2015
Bitfinex, one of the first crypto exchanges, was formed in 2012, at a period of global interest in cryptocurrencies. Bitfinex is now the world's most popular bitcoin trading platform. It has, however, overcome some significant challenges on its route to success.
The Bitfinex website went offline on August 2nd, alleging that it had been hacked and that it had lost about 120,000 BTC, which was worth $72 million at the time. Bitcoin's price dropped roughly 20% as a result of the theft.
The Bitfinex attack was ironic in that the company's security procedures were the reason for the hack. Bitfinex chose to implement multi-signatures in users' wallets on the platform in order to give greater security and liquidity to its consumers.
What Are Multi-Signatures and How Do They Work?
Let's pretend there's a wallet with 100 BTC in it – that's a lot of money, right? You don't want to lose that much money. Multi-signature is a technique that secures the wallets of a blockchain development firm's users in order to protect those assets.
The concept is straightforward: instead of having only one crypto key for a wallet, the user will receive three. Users should construct a multisig address with three crypto keys to protect their funds, then specify a rule to gain access to the funds. At least two of the three keys are recommended. Keeping them together would, of course, be the same as having only one key. As a result, the user keeps one for himself and keeps the other in a safety deposit box as a backup key. The multisig provider receives the third key.
Let's pretend Alice has a multi-signature wallet and wants to buy a cup of coffee using the money she has in her wallet. What exactly does she do? She uses her phone to access her private key, which she always carries with her. She does, however, require one additional key in order to spend the money in her wallet. Her multisig provider receives notification of the attempted transaction and must validate it. Alice will only get her coffee after that.
If the phone appears to be stolen, or the provider detects some suspicious activity, the transaction will not be validated, and the fraudster will not receive his or her coffee in exchange for Alice's money.
How Could Multisig Cause a Security Breach?
Bitfinex and BitGo formed a collaboration in 2015, and Bitfinex adopted multisig technology with the proviso that Bitshares keep two keys and BitGo keep one.
Bitfinex opted not to employ cold storage wallets because of BitGo's added security, and instead kept money in hot wallets protected by multisig.
The attackers, however, were able to carry out unauthorized Bitcoin transactions signed not only with Bitfinex signatures, but also with BitGo signatures.
There is no official explanation of how the hackers achieved it. However, there are several accounts, one of which is that the Bitfinex and BitGo collaboration system was flawed, and BitGo would sign off any transaction coming from Bitfinex. Under that account, Bitfinex's servers were the sole weak point.
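The 2-of-3 rule from the previous section and the co-signer weakness described in that account can be put side by side in a short sketch. This is an added example, not code from Bitfinex or BitGo: HMAC-SHA256 stands in for real transaction signatures, and every name, key, address and limit in it is hypothetical.

```python
import hashlib
import hmac

def sign(key: bytes, tx: dict) -> bytes:
    """Stand-in for a real signature: HMAC-SHA256 over the transaction fields."""
    msg = f"{tx['to']}|{tx['amount']}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def spendable(keys: dict, tx: dict, sigs: dict, threshold: int = 2) -> bool:
    """2-of-3 rule: count distinct key holders whose signature over tx verifies."""
    valid = {who for who, sig in sigs.items()
             if who in keys and hmac.compare_digest(sig, sign(keys[who], tx))}
    return len(valid) >= threshold

class RubberStampCosigner:
    """Signs whatever the exchange submits: the second key adds no independent check."""
    def __init__(self, key: bytes):
        self.key = key
    def cosign(self, tx: dict):
        return sign(self.key, tx)

class PolicyCosigner:
    """Applies its own rules (destination allowlist, daily cap) before signing."""
    def __init__(self, key: bytes, allowlist: set, daily_limit: int):
        self.key, self.allowlist, self.daily_limit = key, allowlist, daily_limit
        self.spent_today = 0
    def cosign(self, tx: dict):
        if tx["to"] not in self.allowlist:
            return None
        if self.spent_today + tx["amount"] > self.daily_limit:
            return None
        self.spent_today += tx["amount"]
        return sign(self.key, tx)

def withdraw(keys: dict, cosigner, tx: dict) -> bool:
    """Hot-wallet flow: the exchange server signs, then asks the co-signer for key #2."""
    sigs = {"exchange": sign(keys["exchange"], tx)}
    second = cosigner.cosign(tx)
    if second is not None:
        sigs["provider"] = second
    return spendable(keys, tx, sigs)

# Constructed sample data: three keys, one of them kept offline as a backup.
KEYS = {"exchange": b"k-exchange", "backup": b"k-backup", "provider": b"k-provider"}
ROUTINE = {"to": "customer-address", "amount": 2}
DRAIN = {"to": "unknown-address", "amount": 100}  # request from a compromised server

def demo() -> dict:
    weak = RubberStampCosigner(KEYS["provider"])
    strict = PolicyCosigner(KEYS["provider"], {"customer-address"}, daily_limit=10)
    return {
        "weak_routine": withdraw(KEYS, weak, ROUTINE),
        "weak_drain": withdraw(KEYS, weak, DRAIN),
        "strict_routine": withdraw(KEYS, strict, ROUTINE),
        "strict_drain": withdraw(KEYS, strict, DRAIN),
    }
```

With the rubber-stamp co-signer, whoever controls the exchange server effectively controls two of the three keys, so the multisig threshold gives no more protection than a single hot key.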
Bitfinex Survives a Hack
Bitfinex's handling of the cyber attack merely proves the adage that "what doesn't kill us makes us stronger."
Bitfinex distributed BFX tokens as an IOU (“I owe you”) in an attempt to restore all lost monies to clients. This appeared to be a ruse at the moment, as though they were attempting to gain extra time. On September 1, Bitfinex purchased the first 1.1 percent of BFX tokens from clients in order to recoup the funds stolen by the hackers.
Bitstamp in 2015
Bitstamp is a great example of how the human aspect and curiosity can lead to people losing a lot of money because they put their trust in the exchange business.
Bitstamp users received personal emails and Skype messages from the hackers who attacked the network. This is known as a phishing attack. Luka Kodrich, a Bitstamp system administrator, received the same email, opened it, and downloaded the attached file. After he did this, it didn't take long for hackers to steal 19,000 BTC, which was worth $5 million at the time.
Surprisingly, the corporation has yet to reimburse the stolen monies to its customers. However, multisig technology and a cooperation with BitGo have bolstered its security mechanism. It also began putting money in cold storage.
Poloniex in 2017
Poloniex, the cryptocurrency exchange business started by Tristan D'Agosta in 2014, is now a global trading platform whose parent company, Circle, has issued USD Coin, a stable coin in the US dollar.
Poloniex currently offers BTC, ETH, and USDC trading pairings, with more to come in the future. Things are alright now; nonetheless, Cointelegraph has named the Poloniex hack as one of the largest cryptocurrency exchange hacks in history.
So, what went wrong, and how did the company bounce back? A hacker discovered a flaw in the code in May 2017, which meant that if many withdrawals were made at the same time, they would all be processed at the same time. The balances would go negative as a result, but the database transactions would still be legitimate.
The BTC was frozen after the security system detected odd activity, which was the correct decision.
Tristan D'Agosta did not specify how much money the company had lost, only that its funds were down 12.3 percent.
Management of the Poloniex Hack
To avoid the website's activities ceasing, all existing users' balances on Poloniex were lowered by 12.3 percent. Mr. D'Agosta vowed to return the monies to consumers as soon as possible, and in order to do so, he hiked transaction costs by 1.5 percent.
Poloniex stayed on course and saved its reputation by quickly recouping all lost revenues through price increases.
The Error That Led to the Hack
In a post on BitcoinTalk, Tristan D'Agosta identified the critical spot that became the source of the Poloniex system's vulnerability.
The hack would not have happened if the withdrawals had been processed sequentially rather than simultaneously. Following the incident, Poloniex sought to make the system handle withdrawals in a more orderly manner.
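The flaw described above is a check-then-debit race: each database statement is valid on its own, but the balance check and the debit are separate steps. The following added example (not Poloniex's code; the table, column and function names are assumptions) reproduces the interleaving deterministically with SQLite and shows a single conditional UPDATE as the fix.

```python
import sqlite3

def new_db(start_balance: int) -> sqlite3.Connection:
    """In-memory ledger with one constructed account, 'alice'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute("INSERT INTO accounts VALUES ('alice', ?)", (start_balance,))
    return db

def balance(db, user: str) -> int:
    return db.execute("SELECT balance FROM accounts WHERE user = ?", (user,)).fetchone()[0]

# --- Vulnerable pattern: the check and the debit are two separate statements ---
def check(db, user: str, amount: int) -> bool:
    return balance(db, user) >= amount

def debit(db, user: str, amount: int) -> None:
    db.execute("UPDATE accounts SET balance = balance - ? WHERE user = ?", (amount, user))

def racy_withdrawals(db, user: str, amounts: list) -> int:
    """Requests arriving together: every check runs before any debit lands."""
    approved = [a for a in amounts if check(db, user, a)]
    for a in approved:
        debit(db, user, a)
    return len(approved)

# --- Hardened pattern: check and debit happen in one atomic statement ---
def atomic_withdraw(db, user: str, amount: int) -> bool:
    cur = db.execute(
        "UPDATE accounts SET balance = balance - ? WHERE user = ? AND balance >= ?",
        (amount, user, amount),
    )
    return cur.rowcount == 1  # zero rows changed means insufficient funds

def safe_withdrawals(db, user: str, amounts: list) -> int:
    """The same burst of requests, each one serialized by the database itself."""
    return sum(atomic_withdraw(db, user, a) for a in amounts)

if __name__ == "__main__":
    burst = [100, 100, 100]  # constructed: three simultaneous withdrawals of the full balance
    db = new_db(100)
    print("racy approved:", racy_withdrawals(db, "alice", burst), "balance:", balance(db, "alice"))
    db = new_db(100)
    print("safe approved:", safe_withdrawals(db, "alice", burst), "balance:", balance(db, "alice"))
```

A `CHECK (balance >= 0)` constraint on the column is a useful second layer, since it makes the database reject the negative balance even if application code regresses.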
Binance in 2018
Binance has established itself as a trustworthy cryptocurrency exchange and trading platform among other cryptocurrency exchange projects. As a result, users were taken aback when they learned about the June 2018 intrusion.
On June 10th, a Reddit user contacted the Binance support staff. He claimed that his account had been robbed of 2 BTC. The account had $50,000 in it at the time, so what had stopped the hackers from taking it all?
How Could This Have Happened?
Many investors perceive Binance's rule of only allowing two Bitcoin withdrawals per day to be a restriction. Despite this, users have been spared a $50K attack thanks to this restriction.
The hacker employed the "SIM swap" approach, pretending to be the victim of the hack in order to collect all of the relevant information transferred to the victim's phone.
The hacker gained access to the user's Google Authenticator account after obtaining the information, which is another protection layer employed by Binance.
The support personnel reacted immediately to the threatening Reddit post, and the account was stopped within minutes.
Preventing Hacker Attacks Using Security Measures
All of the above-mentioned hacker attacks were made possible by flaws in the crypto exchanges' security systems. All of these, however, can be remedied in order to protect users and their finances. Here are a few safeguards for crypto exchanges:
Cold wallets should be used to keep all monies. Otherwise, a hacker has a good chance of gaining access to clients' wallets.
There should be no middleman between cold-storage addresses and deposit wallets.
Manual transfers will help to ensure that a hack is not missed by the system.
Any questionable activity on the platform should be reported to the system.
If a user requests additional funds from a hot wallet, the transaction should not take less than 24 hours to complete.
Users and exchanges should store a duplicate of the database in an encrypted area so that no one may alter or remove it.
Account statements should be sent often and signed by a key that is not internet accessible or maintained on a public server.
It's worth noting that, as Decentralized Finance applications and DeFi development businesses grow in popularity, they're being referred to as "crypto exchanges for hackers." While crypto exchanges were targeted heavily in 2019, the DeFi blockchain solutions business will be the focus this year. And it's all because the niche's solutions are too fragile, and smart contracts are security methods that are technically faulty.
A previous attack on the DeFi project led to the theft of $25 million due to a flaw in the smart contract code. Add-ons based on the ERC-777 protocol were established by the DeFi development company, making smart contracts vulnerable to re-entry attacks. Hackers can use this type of attack to continually withdraw payments until the original transaction is validated or destroyed.
The largest crypto money appear to be concentrated on the blockchain, according to crypto exchanges and trading platforms. That is why hackers salivate when they see susceptible transactions.
According to history, even the most trustworthy and reputable exchanges, such as Binance, are subject to hacker assaults. As a result, every security precaution should be taken to safeguard user cash.
As we can see from the history of breaches, one of the most serious difficulties that exchanges confront is hot wallets, which are relatively easy to access for hackers.