Bitcoin! Ethereum! Ripple! Do we have your attention yet?
Cryptocurrency has become a media darling. A societal fascination with all things vapor-money has blossomed. While the valuation trajectory of digital currencies now smacks of the 17th-century Dutch tulip bubble, following the speculative rollercoaster is a separate topic from analyzing the now-notorious hacks of trading exchange platforms, which in many cases have triggered steep valuation drops for Bitcoin (and other cryptocurrencies), driven by the brazen theft of other people’s digital money.
There are approximately 130 cryptocurrency exchanges around the globe today. Most are based in Asia. They’ve existed in a foggy no-man’s land of oversight that banks only dream of. Because of the trans-national locations of these entities and the diverse composition of investor nationalities, regulatory oversight of cybersecurity standards has been virtually non-existent.
One fact is clear though: investors do not want to lose their monetary assets to hacker-thieves.
Here at Crossmatch, we’ve taken a look at the top 20 cryptocurrency heists, which comprise more than $1.5B in stolen funds, and we’ve compiled a top 5 ‘countdown’-style list of the security vulnerabilities that led to these thefts. We suggest that trading exchanges and their investors consider these findings. For each of the top five, at least one example is cited as illustrative of a broader trend we’ve spotted across multiple incidents. In descending order, here they are:
5. Lack of hot wallet protection
Live hoards of investors’ digital cash, aka “hot wallets”, reside on the crypto-exchange’s server and storage networks and have been the targets of plunder in many hack cases. In the record-breaking $500M+ heist of XEM currency in January 2018, Coincheck, a Japan-based currency exchange, admitted it had not secured a hot wallet with multisignature private keys. Hackers obtained access to a single private key that unlocked the digital wallet. If multisignature keys had been in use, they would have been stored in a distributed fashion and not accessible through a single breach. How the hackers breached the database of private keys has not yet been disclosed. This same private-key breach pattern appeared in the Bitfinex (2016) and Parity (2017) hacks as well.
4. Transaction malleability
The sequence of transactions in the blockchain is intended to be highly secure because it is supposedly an immutable record. However, that is not the case 100% of the time. Each transaction has a signature and a transaction ID. The loophole is that the signature can be manipulated before the transaction is confirmed, which changes the transaction ID. In the case of the ‘Mt. Gox’ hack, the second largest crypto-heist in history (also in Japan), $473M worth of Bitcoin was diverted to hackers by submitting altered versions of transactions to the blockchain ledger before the original transactions were posted. This hack bankrupted the Mt. Gox exchange.
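As an added illustration, constructed for this article and not code from the original post or from any exchange: the transaction ID is a hash over the whole transaction, signature bytes included, so a re-encoded signature gives the same transfer a different ID. An exchange that reconciles withdrawals by ID alone will not recognise the confirmed copy; keying on inputs and outputs still matches. The serialization is a deliberately simplified stand-in for Bitcoin’s wire format, and the signature and script bytes are placeholders.

```python
import hashlib
def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def serialize(tx: dict) -> bytes:
    """Constructed simplified layout (not real Bitcoin wire format); scriptSig is hashed too."""
    out = tx["version"].to_bytes(4, "little") + len(tx["inputs"]).to_bytes(1, "little")
    for prev_txid, vout, script_sig in tx["inputs"]:
        out += bytes.fromhex(prev_txid) + vout.to_bytes(4, "little")
        out += len(script_sig).to_bytes(1, "little") + script_sig
    out += len(tx["outputs"]).to_bytes(1, "little")
    for value, script_pubkey in tx["outputs"]:
        out += value.to_bytes(8, "little") + len(script_pubkey).to_bytes(1, "little") + script_pubkey
    return out

def txid(tx: dict) -> str:
    """Transaction ID = double-SHA256 over the whole serialized transaction."""
    return dsha256(serialize(tx))[::-1].hex()

def transfer_key(tx: dict) -> str:
    """Malleability-resistant reconciliation key: covers only what the tx
    spends (outpoints) and pays (outputs), never the signature bytes."""
    h = hashlib.sha256()
    for prev_txid, vout, _ in tx["inputs"]:
        h.update(bytes.fromhex(prev_txid) + vout.to_bytes(4, "little"))
    for value, script_pubkey in tx["outputs"]:
        h.update(value.to_bytes(8, "little") + script_pubkey)
    return h.hexdigest()

# Constructed withdrawal with placeholder signature/script bytes (not real ones).
WITHDRAWAL = {
    "version": 1,
    "inputs": [("ab" * 32, 0, bytes.fromhex("3044aabb"))],
    "outputs": [(150_000_000, bytes.fromhex("76a914" + "11" * 20 + "88ac"))],
}

def reencoded_copy(tx: dict) -> dict:
    """Models a relayed copy of the same transfer whose signature bytes were
    re-encoded (modelled by one extra byte); inputs and outputs are untouched."""
    prev_txid, vout, script_sig = tx["inputs"][0]
    return {**tx, "inputs": [(prev_txid, vout, b"\x00" + script_sig)]}

def matches_pending(confirmed: dict, pending: dict, key_fn) -> bool:
    """Exchange-side check: is this confirmed tx our pending withdrawal?"""
    return key_fn(confirmed) == key_fn(pending)
if __name__ == "__main__":
    seen = reencoded_copy(WITHDRAWAL)
    print(matches_pending(seen, WITHDRAWAL, txid), matches_pending(seen, WITHDRAWAL, transfer_key))
```

Running the block prints `False True`: the ID-based check misses the confirmed copy, the input/output-based key recognises it.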
3. Cryptocurrency code vulnerabilities
A related manipulation of transactions at the code level occurred in the DAO (Decentralized Autonomous Organization). This was a complex smart contract coded in the cloud, which specified that Ethereum currency must be held for 28 days before being spent, followed by a cash-out function. The attack siphoned $50M of Ethereum currency through a recursive function inserted into the code, which repeatedly cashed out existing accounts until it was halted.
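As an added, constructed model (not code from the original post or from the DAO contract itself) of the ordering bug behind that recursive cash-out: the vulnerable vault pays out before it records the withdrawal, so a depositor whose payout callback calls withdraw() again is paid repeatedly until the pool is empty; the fixed vault updates the balance first, so the re-entry finds nothing to withdraw. Class and function names are this example’s own.

```python
class HonestDepositor:
    """Plain account: accepts payouts and does nothing else."""
    def __init__(self):
        self.received = 0
    def receive(self, vault, amount):
        self.received += amount

class ReentrantDepositor(HonestDepositor):
    """Models the DAO attacker's contract: the payout callback calls
    withdraw() again before the first withdrawal has finished."""
    def receive(self, vault, amount):
        self.received += amount
        vault.withdraw(self)  # re-enter while our balance is still recorded

class VulnerableVault:
    """DAO-style ordering: pays out first, zeroes the balance afterwards."""
    def __init__(self):
        self.balances = {}
        self.pool = 0
    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount
    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        self.pool -= amount
        who.receive(self, amount)  # callback can re-enter here
        self.balances[who] = 0     # too late: already paid out repeatedly

class SafeVault(VulnerableVault):
    """Checks-effects-interactions: zero the balance before paying out."""
    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            return
        self.balances[who] = 0     # effect first
        self.pool -= amount
        who.receive(self, amount)  # a re-entry now finds a zero balance

def run_drain(vault_cls):
    """Constructed scenario: two honest users and the reentrant user deposit 10
    each; the reentrant user withdraws once. Returns (its payout, pool left)."""
    vault = vault_cls()
    for user in (HonestDepositor(), HonestDepositor()):
        vault.deposit(user, 10)
    attacker = ReentrantDepositor()
    vault.deposit(attacker, 10)
    vault.withdraw(attacker)
    return attacker.received, vault.pool
```

`run_drain(VulnerableVault)` returns `(30, 0)`, the whole pool gone on a single withdrawal of a 10-unit balance; `run_drain(SafeVault)` returns `(10, 20)`.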
2. Employee phishing scams
Relentless phishing scams targeting employees have allowed malware and ransomware to be injected into the networks of cryptocurrency exchanges. In these cases, a single click by an employee on an emailed file attachment was enough to let the malicious code in. Such was the case in the Bitstamp hack in 2015, in which a system administrator was phished and inadvertently admitted malicious code into the network.
1. Compromised employee login credentials
This is the number one root cause, common across crypto exchange hacks: in the majority of cases we analyzed, hackers breached VPNs or employee hardware with stolen, guessed or otherwise compromised credentials (NiceHash hack 2017, Bithumb hack 2017, YouBit hack 2017, et al.) in order to manipulate code, inject malicious code and/or create felonious transactions.
Adding a simple biometric factor to the authentication of crypto-exchange employees, for client, VPN and network logins, for example, would not prevent “inside jobs”, but it could have prevented the theft of hundreds of millions of dollars’ worth of cryptocurrency from well-meaning investors and from the entrepreneurs who founded these trading platform companies.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top-tier cybersecurity and technology companies, most recently with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both the Certified Information Systems Security Professional (CISSP) and the Certified Cloud Security Professional (CCSP) designations.