5 Reasons That Cryptocurrency Exchanges Are Hacked – And How to Prevent

Bitcoin! Ethereum! Ripple! Do we have your attention yet?

Cryptocurrency has become a media darling, and a societal fascination with all things vapor-money has blossomed. The valuation trajectory of digital currencies now smacks of the 17th-century Dutch tulip bubble, but following that speculative rollercoaster is a separate topic from analyzing the now-notorious hacks of trading exchange platforms, which in many cases have catalyzed steep drops in the value of Bitcoin (and other cryptocurrencies), driven by the brazen theft of others’ digital money.

Tulip Price Index


There are approximately 130 cryptocurrency exchanges around the globe today. Most are based in Asia. They’ve existed in a foggy no-man’s land of oversight that banks only dream of. Because of the trans-national locations of these entities and the diverse composition of investor nationalities, regulatory oversight of cybersecurity standards has been virtually non-existent.

One fact is clear though: investors do not want to lose their monetary assets to hacker-thieves.

Here at Crossmatch, we’ve taken a look at the top 20 cryptocurrency heists, which comprise more than $1.5B in stolen funds, and we’ve compiled a top 5 ‘countdown’-style list of the security vulnerabilities that led to these thefts. We suggest that trading exchanges and their investors consider these findings. For each of the five, we cite at least one example to illustrate a trend we’ve spotted across multiple incidents. In descending order, here they are:

The use of “tumbler” services enables crypto-currency “laundering”, preserving the anonymity of the hackers who have pulled off these heists so that they can cash in. These tumbler services break apart the transaction fingerprint designated by the Blockchain, mixing it into many parts that make personal identity indistinguishable.

5. Lack of hot wallet protection

Live hoards of investors’ digital cash, aka “hot wallets”, reside in the crypto-exchange server and storage networks, and have been the targets of plunder in many hack cases. In the record-breaking $500M+ heist of XEM currency in January 2018, Coincheck, a Japan-based currency exchange, admitted it did not secure a hot wallet with multisignature private keys. Hackers had obtained access to a single private key to unlock the digital wallet. If multisignature keys had been in use, they would have been stored in distributed fashion and not accessible through a single breach. How the hackers breached the database of private keys has not yet been disclosed. The same kind of private key breach occurred in the Bitfinex (2016) and Parity (2017) hacks as well.

‘Tumbling’ crypto-currency

4. Transaction malleability

The sequence of transactions in the blockchain is intended to be highly secure because it’s allegedly an immutable record. However, that is not the case 100% of the time. Each transaction has a signature and a transaction ID. The loophole is that the signature can be manipulated before the transaction closes, which changes the transaction ID. In the case of the ‘Mt. Gox’ hack, the second largest crypto-heist in history (also in Japan), $473M worth of Bitcoin was diverted to hackers by submitting code changes to the blockchain ledger prior to the initial transactions being posted. This hack bankrupted the Mt. Gox exchange.

3. Cryptocurrency code vulnerabilities

A related code-level manipulation of transactions occurred in the DAO (Decentralized Autonomous Organization). This was a complex smart contract coded in the cloud, which specified that Ethereum currency must be held for 28 days before being spent, followed by a cash-out function. The attack siphoned $50M of Ethereum currency through a recursive function put into the code that continually cashed out existing accounts until it was halted.

2. Employee phishing scams

Relentless phishing scams targeting employees have allowed malware and ransomware to be injected into the networks of cryptocurrency exchanges. In these cases, entry of malicious code was facilitated through a simple, single click by an employee on an emailed file attachment. Such was the case in the Bitstamp hack in 2015, in which a system administrator was phished and inadvertently admitted malicious code into the network.

1. Compromised employee login credentials

This is the number one root cause, common across crypto exchange hacks. In the majority of cases we analyzed, hackers managed to breach VPNs or employee hardware with stolen, guessed or otherwise compromised credentials (NiceHash hack 2017, Bithumb hack 2017, YouBit hack 2017, et al.) in order to manipulate code, inject malicious code, and/or create felonious transactions.

The addition of a simple biometric factor for authentication of employees of crypto-exchanges (for client, VPN and network logins, for example), while not preventing “inside jobs”, could have prevented the theft of hundreds of millions worth of cryptocurrency from well-meaning investors and the entrepreneurs that founded these trading platform companies.

Jonathan Sigel is a product marketing professional with 15 years of experience in the high-tech sector, spanning infrastructure, services, and software within security, web content management, and data storage segments, among others. He has held managerial positions with IBM and NEC Corporations and is currently Market Segment Manager at Crossmatch. In his current position at Crossmatch, Jonathan is evangelizing and guiding an evolution of Crossmatch DigitalPersona, a composite authentication solution portfolio that addresses the data and systems security needs of financial services organizations, with use cases that meet regulatory compliance and go beyond, to support business continuity and growth.
