The Biggest Hacks in the History of Crypto Exchanges

Crypto Exchange Hacks

Despite the fact that the cryptomarket is now facing not the best times, Bitcoin still hopes to hit its peak, just like in 2017. Nevertheless, it is gaining more and more new investors, whose first action would be purchasing coins from the stock. There are also new projects coming up to create their wallets and issue new tokens. The thing that unites the entire market and helps it to develop and grow is cryptocurrency exchange service. However, an exchange being hacked affects all its users and their wallets.

What are the biggest crypto-exchange hacks, and how could they have been prevented?

Exchange-Hack Statistics

Surprisingly, it is quite easy to commit a cybercrime and get away with billions of dollars worth of cryptocurrency. On 8th July 2018, investors and crypto brokers were startled by tons of headlines claiming that exchanges have a lot of soft spots. Many in the crypto-oriented media, including Cointelegraph, published the news that $1.1 billion in crypto had been stolen in the first half if 2018.

In July of this year, Carbon Black published a list of the crypto-hacked spheres that fall prey most often:

According to the biggest crypto portals, the number of attacks has grown rapidly. Applicature will reveal the reasons, along with the ways hackers have managed to accomplish this.

Exchange-Hack History

Since cryptocurrency and blockchain were created, they have experienced a huge number of hacks that have caused enormous losses in funds. Let’s take a look at the exchanges that have faced major hacks, and examine the reasons for these.

2012: Mt.Gox

Mt. Gox was the biggest and most popular Bitcoin exchange — which, by the way, came on the market as one of the earliest crypto exchanges. It faced several hacker attacks that ended up losing 1.35 million BTC for its customers.

Developer Jed McCaleb, who is also co-founder of Ripple and Stellar, started Mt.Gox as a website for the trading cards “Magic: The Gathering Online”. It later became the Magic the Gathering Online eXchange. It was based in Japan, and was then bought by the Frenchman Mark Karpeles, who, at that time, became the most hated villain in the world of crypto.

From 2013 to 2014, the exchange held 70 percent of all Bitcoins, and was believed to have been the most popular website for selling and buying BTC. However, in 2014, the company went broke and claimed to have lost 850,000 BTC. At a news conference in Tokyo, Karpeles said that these Bitcoins had disappeared due to a weakness in the system. As a result, there were 25,000 Mt. Gox users who wanted their money back.

Consequences

At that time, it was the worst disaster Bitcoin had ever faced: the price of Bitcoin crashed dramatically, and some even thought it would be the end of Bitcoin.

In the summer of 2015, Mark Karpeles was arrested and charged with embezzlement and manipulating electronic data. He spent almost a year in jail. However, in 2017, the U.S authorities arrested a Russian suspect, Alexander Vinnik, with the evidence that around 90 percent of the money stolen from Mt.Gox had gone directly to a wallet controlled by Alexander.

A strange thing happened a few days after Mt. Gox collapsed: Mark Karpeles was checking through all the digital wallets he owned, and came across his old wallet, which held 200,000 BTC. What a fortune! At that time, the price of Bitcoin had gone up over $2,000 U.S, which made Mark’s old wallet a gold mine that covered all the money he owed the angry Mt. Gox users.

What Caused the Biggest Exchange Fail Ever?

A lot of famous and successful companies experience problems. Some manage to fix them, but others fail and go broke. However, in the case of Mt. Gox, it all fully depended on management and the miscalculation of risk. Below are some of the problems that put Mt. Gox under threat of being hacked.

Lack of VCS

Version Control Software (VCS) is like a warm coat in winter — a must-have! It monitors all changes made in the database, and determines fraudulent actions, if there are any. With VCS, an IT company can see who made the changes and when he/she did it, and fix everything in time. Of course, for a company whose profit fully depends upon electronic data, lack of VCS can be fatal.

Lack of a testing policy

Thinking of the fact that Mt. Gox didn’t have a testing policy for a while, even though it was already the biggest exchange service for crypto, is extremely alarming. The company was literally providing an unsecured service for its customers.

A bottleneck issue

Oh, wait! They actually tested the code — with the help of their CEO, Mark Karpeles. He tested all codes coming from the Mt. Gox developers, which stalled the workflow.

Two Biggest Strikes on Mt. Gox

With all of the previously-mentioned issues as soft spots, the collapse for Mt. Gox was inevitable. It was only a question of time.

On July 19, 2011, an attacker hacked one of the company’s computers and transferred a huge amount of Bitcoin to the company itself. This caused the biggest dropdown in Bitcoin value ever seen in the system. In a very short time, the Bitcoin price had dropped to one cent in the exchange. See for yourself!

Bitcoin dropdown on Mt.Gox

In 2014, users of the exchange service started complaining about the amount of time it took them to conduct a transaction, and the Mt. Gox team decided to conduct a technical check that lasted a few days. When the hack occurred, they became the victims of a malleability attack that caused a loss of $473 million. This became the final resting place of the Mt. Gox story, which ended in a bankruptcy announcement.

2012: BitFloor

The U.S.-based exchange website and trading platform Bitfloor wasn’t the first, and it won’t be the last that had to shut down because of a hacker attack.

In 2012, when Bitcoin was just gaining in popularity, the servers of BitFloor were compromised, ending in a loss of 24 000 BTC. At the time of the hack, this was worth $250,000 U.S. What luck it didn’t happen in January 2017.

Any crypto exchange hacking attack results in loss of funds. However, every company manages it in a different way. But not BitFloor — they closed down in 2013, leaving their customers with nothing.

What the Hack?

The attacker compromised servers of the crypto exchange and gained access to backup keys that weren’t encrypted. The actual keys that control wallets were encrypted; however, this didn’t keep BitFloor safe. The hacker signed the transaction, moving funds from BifFloor’s wallet to his/her own.

Even though Roman Shtylman, founder of BitFloor, made an official statement apologizing for the delays and promising to return all lost funds to their owners, it never happened.

BitFloor made two mistakes, the avoidance of which could have prevent the hack:

  1. Holding data in an encrypted area. Roman Shtylman has admitted this in his official statement to the public.
  2. Keeping a big amount of money in a hot wallet. If BitFloor had used only cold storage, the hack wouldn’t have affected the funds.

2015: Bitfinex

One of the first crypto exchanges, Bitfinex, was founded in 2012 at a time of worldwide hype for investing in cryptocurrency. Now, Bitfinex is the world’s leading cryptocurrency trading platform. However, it has passed through some rough obstacles on its way to success.

On the 2nd of August, the Bitfinex website went offline, claiming that it had been hacked and was losing approximately 120,000 BTC, which was worth $72 million U.S. at the time. The hack caused Bitcoin to fall in price by nearly 20 percent.

An ironic thing about the Bitfinex hack was that the security measures taken by the company were the actual reason for the hack. To provide its users with higher security and liquidity, Bitfinex decided to adopt multi-signatures in users’ wallets on the platform.

How Do Multi-signatures Work?

Let’s imagine there is a wallet holding 100 BTC — that’s a lot of money, isn’t it? You wouldn’t like to lose that much. So, in order to protect your funds, there is a multi-signature technology that enables security for user wallets on the blockchain.

The idea is very simple: instead of having one crypto key for a wallet, the user will get three keys. To protect the money, users should create a multisig address that has three crypto keys, and set a rule to get access to the money. It is recommended to have at least two of three keys. Of course, keeping them together would just be the same as having one key. So, the user leaves one of them to him/herself and puts the second one to a safety deposit box as a backup key. The third key goes to the multisig provider.

Let’s suppose that Alice has a wallet encrypted by multi-signature and wants to buy some coffee, paying for it with money in her wallet. What does she do? She uses her private key, which she always keeps with her, on her phone. But she needs one more key to spend the money in her wallet. A message of the attempt to spend money goes to her multisig provider, which has to verify the transaction. Only after that Alice will get her coffee.

If the phone seems to be stolen, or if there is some suspicious activity detected by the provider, the transaction won’t be verified, and the fraudster will not get his/her coffee for Alice’s money.

How Could Multisig Lead to a Hack?

In 2015, Bitfinex started a partnership with BitGo, and implemented a multisig technology with the condition that Bitshares would keep two of the keys and BitGo would hold one.

With BitGo as additional security, Bitfinex decided not to use cold storage wallets, and instead continued to hold money in hot wallets protected by multisig.

However, the hackers that committed the attack managed not only to conduct invalid Bitcoin transactions with Bitfinex signatures on them, they also got the signatures of BitGo.

There is no official answer to how, exactly, the hackers did it. However, there are a lot of versions, and one of the most sensible is that the system of cooperation between Bitfinex and BitGo was faulty, so BitGo would sign off any transaction coming from Bitfinex. The only soft point to be considered was Bitfinex’s servers.

Bitfinex Overcomes the Hack

The way Bitfinex managed this hacker attack only justifies the saying: What doesn’t kill us makes us stronger.

In an attempt to return all lost funds to customers, Bitfinex issued BFX tokens as an IOU (“I owe you”). This seemed quite fake at the time, and looked as if they were trying to win some extra time. However, on September 1, Bitfinex bought out the first 1.1% of the BFX tokens from the customers in order to pay back the money stolen by the hackers.

2015: Bitstamp

Bitstamp is an excellent example of the human factor and curiosity that ends up losing huge amounts of funds for people whose only fault was their trust in the exchange service.

The hackers that attacked Bitstamp sent personal emails and messages via Skype to the users of the platform. This is called a phishing attack. Luka Kodrich, a system administrator at Bitstamp, got the same email, opened it, and downloaded the file it contained. After he did this, it didn’t take hackers a lot of time to steal 19,000 BTC, worth $5 million U.S at that time.

Surprisingly, but the company hasn’t paid the stolen funds back to its users. However, it has strengthened its security system with multisig technology and its partnership with BitGo. It also started keeping funds in cold storage.

2017: Poloniex

The cryptocurrency exchange service Poloniex, run by Tristan D’Agosta, who founded it in 2014, is now a worldwide trading platform whose parent company, Circle, has issued USD Coin, a U.S. dollar stable coin.

Poloniex provides an opportunity to trade with BTC, ETH, and USDC pairs, and promises more to come. Things are going fine; however, Poloniex is listed by Cointelegragh as one of the biggest crypto exchange hacks in the history.

So, what happened, and how did the company recover? In May 2017, a hacker found a vulnerability in the code, which meant that if several withdrawals took place at about the same time, they would be processed at the same time. This would cause the balances to go negative, but the transactions in the database would be considered valid.

The security system encountered unusual activity and froze the BTC, which was the right decision.
Tristan D’Agosta didn’t state the exact amount of money they had lost, only that the company’s funds were down 12.3 percent down.

Poloniex Hack Management

All balances of existing users on Poloniex at the time were reduced by 12.3% in order not to stop activity on the website. Mr. D’Agota promised to recover the customers’ funds as soon as possible and in order to do this, he increased fees for transactions by 1.5%.

All lost funds were soon paid back with the help of fees increase, Poloniex had stayed on the track and saved its reputation.

The Mistake Leading to the Hack

In his post on BitcoinTalk, Tristan D’Agosta uncovered the crucial point that became the cause for the vulnerability in the Poloniex system.

If the withdrawals were processed in the line, but not concurrently, the hack wouldn’t have occurred. After Poloniex experienced the attack, the company worked on making the system process withdrawals sequentially.

2018: Binance

Among other cryptocurrency exchange projects, Binance has earned the status of a reliable crypto exchange and trading platform. So, when users found out about the hack that happened in June 2018, they were astonished.

On June 10th, a Binance user approached the support department at Reddit. He claimed that 2 BTC had been stolen from his account. At the time, the account held $50,000 U.S, so what had kept the hackers from taking all the money?

How Could It Happen?

Binance set up the rule of only two Bitcoins for withdrawal per day, which is considered to be a restriction by many investors. Nevertheless, this restriction has saved users from being hacked for $50K.

The hacker used the ‘SIM swap’ method, which helped him/her get all of the necessary information sent to their phone while they pretended that they had become the victim of the hack.

Once the hacker got the information, it gave him/her access to the user’s Google Authenticator account, which is another security layer used by Binance.

The support department reacted to the threatening post on Reddit quite quickly, and in several minutes, the account was frozen.

Security Measures to Prevent Hacker Attacks

All of the above-listed hacker attacks occurred because of the gaps in the security systems of the crypto exchanges. However, all of these can be fixed to protect users and their funds. Here are some of the preventions for crypto exchanges:

  1. All funds should be stored in cold wallets. Otherwise, there is a big probability that a hacker will gain access to customers’ wallets.
  2. There shouldn’t be any intermediary between cold-storage addresses and wallets with deposits.
  3. Manual transfers will help prevent the system from missing a hack.
  4. The system should notify of any suspicious activity on the platform.
  5. If a user makes a request for more funds that are available in a hot wallet, the transaction shouldn’t be processed in less than 24 hours.
  6. Users and exchanges should keep a copy of the database in an encrypted area, so no hacker can change or delete a piece of it.
  7. Exchanges should frequently send account statements signed by a key that is not online-accessible or stored on a public server.

Conclusions

Crypto exchanges and trading platforms seem to concentrate the biggest crypto funds on the blockchain. That is why hackers are drooling at the sight of vulnerable exchanges.

Judging from the history of the most reliable and reputable exchanges, like Binance, they are still vulnerable to hacker attacks. This is why every security measure should be taken to protect user funds.

As we can see from the history of hacks, one of the biggest issues faced by exchanges is hot wallets, which hackers find quite easy to get access to.

For more information on the crypto market, check out the Applicature blog and our consulting team.

Insights from our Consulting Department

July 2, 2019
Is Facebook’s Libra a New Bitcoin?
May 8, 2019
A Definitive Guide to Initial Exchange Offerings

Leave a Reply

Your email address will not be published. Required fields are marked *

+1-209-813-2474 |  123 Mission St, San Francisco
Grab Your Complete A-Z IEO Guide, FREE NOW Read Now