The total market cap of all cryptocurrencies could exceed US$1 trillion this year. The phenomenal growth of the crypto sector has given rise to some incredible innovations in technology that have laid the foundations for disruption on a scale we could previously have only dreamed of. But within the space, we have to acknowledge that mistakes and oversights have been made along the way. Crypto grew very big, very quickly, with huge amounts of money pumped into Bitcoin and the thousands of altcoins that have been introduced, some for only a short time. From the humble beginnings of the first Bitcoin exchanges, we now have hundreds of exchanges all around the world serving increasing numbers of people who put their trust in these third-party services on a daily basis.
The ball has been dropped too many times when it comes to the security of people’s digital assets, with US$1.7 billion-worth of cryptocurrencies lost to hacks and scams between 2011 and 2018. These situations have become the norm and are almost expected now. Without regulation and nobody to enforce checks and balances, the door has been left wide open for hackers to exploit vulnerabilities.
At QUOINE, we refuse to repeat the mistakes made by others over the past few years. Our approach has always been to put security at the heart of everything we do. That’s why we use 100% cold wallet storage, Iron Shield and more to keep our customers safe. We are also licensed by the Japanese Financial Services Agency and we were the first crypto company to be audited by a Big 4 firm, Deloitte. We make security our highest priority because we want to build something sustainable that will be around for years to come. For a little perspective on what has driven us to raise the bar for security within the crypto sector, we have compiled a timeline of significant crypto exchange hacks. We hope that others will follow our example and that we can look forward to a bright future together.
June 2011
Mt. Gox part 1
Mt. Gox used to be the largest Bitcoin exchange, with over 70% of worldwide trading volume. There were a number of issues with the exchange that had been identified by various people in the community long before public issues arose. In June 2011 the price of Bitcoin on Mt. Gox dropped massively and quickly, with a huge increase in trading volume. This was allegedly caused by a hacker taking control of a computer that belonged to an auditor of Mt. Gox.
Using this computer the hacker was able to sell a huge number of Bitcoin to themselves. At the time Bitcoin was trading for around $15. The hacker’s massive sell off, to themselves, resulted in the price reaching as low as $0.01 for a short period of time, before correcting back towards $15. The hacker reportedly acquired around 2000 Bitcoins as a result of this, and a further 650 Bitcoins were purchased on the market at the artificially deflated prices. None of these coins were returned to their rightful owners.
Sources:
February 2014
Mt. Gox part 2
Mt. Gox managed to recover in the eyes of the community from the security breach in 2011. But then, in January 2014 many Mt. Gox users were reporting delays using the platform. On the February 7, Bitcoin withdrawals were halted on the website in an effort to identify the issues. On February 10, Mt. Gox issued a statement saying it was due to something known as transaction malleability. The company said this was a bug in the Bitcoin code that allowed transaction details to be altered so it appeared a transaction had not been sent, which would then allow the transaction to reoccur as the first transaction appeared to have not completed.
The users of Mt. Gox continued to be frustrated and worried as other competing exchanges continued to function and they had no access to their funds.
On February 24, Mt. Gox stopped all trading on their platform, and shortly after their entire website went offline. Information was leaked stating the company was insolvent, due to 744,408 Bitcoins being stolen over a number of years undetected. Overall, this issue caused the price of Bitcoin to drop ~36%.
Sources:
July 2014
Cryptsy
The founder of the cryptocurrency exchange Cryptsy announced that the exchange had been hacked more than a year after it had been discovered internally. The exchange was denying users access to funds while the public was not aware of the hack. More users were continuing to deposit, unbeknownst to the fact that they would not have the ability to access their funds stored on the exchange’s wallet. Cryptsy attempted to cover the hack by distributing earned money to the affected users.
The attacker is known for creating Lucky7Coin. They managed to insert Trojan malware into the code of Cryptsy which enabled them to transfer coins worth $6m. The hacker mainly took Bitcoin and Litecoin, with values of 13,000 and 300,000 stolen respectively.
Sources:
July & December 2014
Mintpal
In July 2014 Mintpal, a large exchange, announced that millions of vericoins had been hacked from their exchange hot wallet. The total amount equated to 30% of the total circulation of vericoins. The attacker in this instance managed to control internal features that allowed them to withdraw the coins. During this attack the Bitcoin and Litecoin funds were targeted but unaffected as they were in cold storage. Vericoin performed a hard fork to render the hackers coins obsolete.
Unfortunately, Mintpal was attacked again in December 2014, when more than 3700 BTC was stolen. After the attack in July, Mintpal was acquired by Ryan Kennedy. Shortly after, Kennedy’s company announced bankruptcy and that Mintpal had been hacked, and all the Bitcoin had been stolen. However, Kennedy was caught selling these Bitcoin using LocalBitcoins.
Sources:
January 2015
Bitstamp
An individual was targeting Bitstamp employees with phishing attempts in December 2014. One of the employees downloaded a malicious file from one of these phishing attempts, which they believed to be from a known organisation representative. The downloaded file enabled the attacker to access the hot wallet and password store on the servers, accessible through the compromised computer. The attacker took a total of 18,866 Bitcoins from this wallet, which was valued at a price of more than $5m at the time of the theft. The theft was noticed by the company on January, 4 2015.
Source:
February 2015
BTER
BTER was a cryptocurrency exchange based in China. BTER announced in February 2015 the hack, claiming that their cold wallet system had been hacked, with 7170 Bitcoins stolen. At the time this was valued at around $1.75m. It is unknown to the public how the cold wallet was compromised, but it appears that their definition of a cold wallet was incorrect. Previously, BTER was hacked for a smaller amount of cryptocurrency, but they managed to regain community trust before the second hack. The token stolen in the previous attack was NXT. BTER exchange is now closed.
Sources:
June 2016
Decentralised Autonomous Organisation (DAO)
The DAO was a smart contract on the Ethereum network that was designed to create a digital app venture capitalist fund that was completely decentralised. When it was created there was a funding period. During this, people could contribute ETH and receive DAO tokens. The idea behind it was that companies could create proposals for digital applications which would then be voted on by token holders. If the proposal received the required amount of votes they would receive the required funding for the development of their application.
The token sale was extremely successful, with more than 11,000 contributors raising $150m+ over a 30 day period, beginning on 30th April, 2016. During this time, however, members of the community expressed their concerns with the security of the smart contract.
An individual managed to exploit one of these security flaws, and drained a total of 3.6 million Ether into a different DAO. The Ether wasn’t attainable to the attacker, but it did cause a large drop in price of Ethereum, from $20 to $13.
A soft fork of the Ethereum network was proposed to prevent the attacker from accessing the funds. The hacker responded by providing incentive for miners to not update their nodes in line with the soft fork code, with more than 1 million Ether offered as this incentive. As a result, Ethereum hard forked on July 20, 2016, in an attempt to rectify this massive security flaw. This was a result of the code of a smart contract on the Ethereum network, not a flaw in the Ethereum code.
Sources:
August 2016
BitFinex
BitFinex was, and still is, one of the world’s largest cryptocurrency exchanges. BitFinex was victim to massive theft of Bitcoin on in August 2016. BitFinex had implemented multi-signature wallets in 2015 in the interest of increased security for their users. These wallets were impacted by the attack. In total, 119,756 BTC was stolen from the exchange, which was valued at around $70m at the time of the theft.
Sources:
December 2017
NiceHash
NiceHash is a Slovenian company that provides an online market place for buying and selling hashing power that can be used to mine cryptocurrencies. In December 2017, NiceHash closed after reportedly being hacked. The official statement said that the payment system was compromised, and the Bitcoin wallet owned by NiceHash had been emptied. A total of 4,450 Bitcoin was taken from this wallet. NiceHash has announced that they will payback all of the users affected by this hack.
Sources:
January 2018
Coincheck
Coincheck is an exchange based in Tokyo, Japan. At the end of January, the exchange was victim to a major hack. The attacker took almost $500m worth of as NEM. There are no details about the cause of the security breach, however Coincheck has stated that it was not an inside job. However, it is known that the funds were stored in a hot wallet without multi signature security measures in place.
The stolen coins have been traced to 11 addresses that have been labelled as hacker addresses in the attempt to stop the hacker from being able to cash out these funds. Coincheck announced in March that they will refund the affected users at the rate of $0.83 per NEM in FIAT.
Soucres:
February 2018
Bitgrail
Bitgrail is an Italian cryptocurrency exchange that was relatively unknown. It was one of the only places to buy an increasingly popular coin, RaiBlocks, which has now re-branded to NANO. In January the exchange halted all deposits and withdrawals of NANO. This was announced under the guise that Bitgrail were implementing identity verification and anti-money laundering measures. The community reacted to this negatively, with many NANO holders suspecting that Bitgrail was on the way to an exit scam. As a result, the price of NANO dropped about 20%.
At the start of February, Bigtrail founder, “Bomber”, announced that 17 million NANO tokens had been stolen, at the time valued at $195m. Bomber responded asking for the code to be forked, which the NANO developers rejected. The NANO team also released a statement describing how Bitgrail may have been insolvent long before the announcement, with withdrawals that were part of the hack occurring back as early as October 2017. The founder of Bitgrail is blaming the incident on the NANO code, while the NANO developers are certain that this fault is to do with the code of Bitgrail.
Bitgrail has announced a repayment plan, with no clear end date, where the effected users will be repaid. The users that sign up to this plan will receive 20% of the lost funds immediately, and the 80% will follow at some point — and this 80% won’t be paid in NANO, it will be paid in Bitgrail Shares token. However, to join the repayment plan you have to accept the terms and conditions that withdraw your rights to legal action against Bitgrail if you are not reimbursed. Due to this, many of the impacted users are pursuing legal action against Bitgrail.
Sources:
April 2018
CoinSecure
Coinsecure is a cryptocurrency exchange based in India, founded in 2014. Coinsecure announced on April 12, 2018, that 438 Bitcoin had been transferred from the Coinsecure wallet to one that the company does not control. At the time this was around $3m. Interestingly, the released statement described how the company has never been compromised or hacked, and the lost Bitcoin is the result of trying to extract Bitcoin Gold to distribute to Coinsecure’s users.
The company has announced that the impacted users will be reimbursed. It was stated that if the siphoned Bitcoins can be recovered, they will be returned to the users. If they cannot be recovered, the users will be credited with 10% of their lost Bitcoin balance and the remaining 90% will be credited in INR (Indian Rupee).
Sources:
June 2018
Coinrail
Coinrail is based in South Korea, and at the start of June it was hacked. Sources claim that the hack resulted in about $40m in lost funds. Coinrail were fairly vague about the tokens that were taken, but the Pundi X project posted stating what they believed the hacker had taken, including 2,619,542,080 NPXS tokens that were transferred to IDEX. The Coinrail and Pundi X team were able to reach out to IDEX and freeze the trades of the attacker.
