History of Hacks in the Blockchain World

Sirius Network
Jan 7, 2019 · 10 min read

The 2017 spike in the value of cryptocurrencies generated a corresponding torrent of news stories about ‘blockchain hacking.’ The idea of an entirely digital coin used for anonymous, irreversible transactions was novel enough; the stories of hackers making off with hundreds of millions in untraceable funds were frightening. Few media accounts bothered to explain that most cryptocurrency hacks didn’t target the blockchain technology itself. The unregulated nature of cryptocurrency and its reliance on technology-based trust attracted scam artists and Ponzi schemes, while most hacks targeted cryptocurrency services like wallets and exchanges, exploiting network weaknesses with traditional cybercrime techniques.

Value Overflow Incident (August 2010)

The domain name “bitcoin.org” was registered in August 2010. The first open source client was hosted on SourceForge in January 2009. In August 2010, a developer named Jeff Garzik noticed a block that had created 92 billion BTC, well over the ultimate finite supply of 21 million BTC envisioned by the currency’s creator. An enterprising hacker had modified one block in the chain to allow outputs so large that they overflowed the value-checking function when added together: the block contained two identical outputs of 92 billion BTC each, and their sum wrapped around the signed integer used to total them. Within five hours of discovery, the patched client began replacing flawed blocks with valid ones, an early example of a cryptocurrency ‘hard fork.’ The 184 billion BTC, at current valuations worth 16 times the total world money supply, was rendered worthless. This is one of the few cases where blockchain technology was directly hacked.
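An added model of the overflow described above (illustration written for this article, not Bitcoin’s code): output values are summed in wrapping 64-bit arithmetic, so two huge outputs add up to a small negative number and a fee check that only looks at the total passes, while range-checking every output and the running total rejects the transaction. The transaction values are constructed to mirror the shape of the incident.

```python
# Constructed model of the 2010 value-overflow bug. Amounts are in satoshis.
MAX_MONEY = 21_000_000 * 100_000_000  # 21 million BTC, the supply cap
INT64_MAX = 2**63 - 1

def to_int64(x: int) -> int:
    """Wrap an arbitrary Python int the way a signed 64-bit addition would."""
    x &= 0xFFFF_FFFF_FFFF_FFFF
    return x - 2**64 if x > INT64_MAX else x

def money_range(v: int) -> bool:
    return 0 <= v <= MAX_MONEY

def naive_accepts(tx: dict) -> bool:
    """Vulnerable model: total the outputs with wrapping arithmetic, then only
    check that the fee (input minus outputs) is not negative."""
    total_out = 0
    for v in tx["outputs"]:
        total_out = to_int64(total_out + v)
    fee = to_int64(tx["input"] - total_out)
    return fee >= 0

def hardened_accepts(tx: dict) -> bool:
    """Fixed model: range-check each output and the running total so a wrap can
    never happen, and require the outputs not exceed the input."""
    total_out = 0
    for v in tx["outputs"]:
        if not money_range(v):
            return False
        total_out += v
        if not money_range(total_out):
            return False
    return total_out <= tx["input"]

# Constructed transaction: a 0.5 BTC input funding two outputs of
# 92,233,720,368.54277039 BTC each (just below INT64_MAX satoshis).
OVERFLOW_TX = {
    "input": 50_000_000,
    "outputs": [9_223_372_036_854_277_039, 9_223_372_036_854_277_039],
}
NORMAL_TX = {"input": 50_000_000, "outputs": [49_990_000]}

if __name__ == "__main__":
    print("wrapped output total:", to_int64(sum(OVERFLOW_TX["outputs"])))  # -997538
    print("naive accepts overflow tx:", naive_accepts(OVERFLOW_TX))        # True
    print("hardened accepts overflow tx:", hardened_accepts(OVERFLOW_TX))  # False
```

The wrapped total of -997538 satoshis makes the naive fee come out positive, which is why a validator that only checked the total let the block through.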

AllinVain Theft (June 2011)

A hacker accessed the hard drive of a cryptocurrency miner with the username AllinVain and transferred 25,000 BTC to an external wallet, never recovered. Except for the digital nature of the money stolen, this theft was analogous to hackers draining any bank account from a PC. It was notable for being one of the first reported cryptocurrency thefts.

Bitcoinica (March & May 2012)

An exchange is a digital marketplace where cryptocurrencies are bought or sold for fiat currencies (dollars, euros, etc.). One early exchange platform was Bitcoinica, which was hacked twice in spring 2012. The attacks came through lax security at Bitcoinica’s web host: someone, perhaps another customer or a rogue employee, gained access to customer data, including encryption keys. Thieves stole 61,000 BTC in total and forced Bitcoinica’s liquidation.

Bitfloor (September 2012)

In an attack reminiscent of Bitcoinica’s, hackers breached the servers of another exchange and made off with 24,000 BTC. Bitfloor never recovered from the loss and closed the following April.

Poloniex (March 2014)

Hackers breached the servers of Poloniex, a two-month-old exchange, in March 2014. The exchange’s founder Tristan D’Agosta explained that a hacker discovered the Poloniex withdrawal system allowed negative balances if hit with multiple simultaneous requests: each request checked the balance before any of them had debited it. The withdrawal system noticed the unusual activity and shut off access to affected accounts, but not before 12.3% of the total Poloniex cryptocurrency reserve was stolen. Poloniex reduced each account holder’s balance by 12.3% temporarily but ultimately repaid each account in full. The company survived and was acquired in early 2018.
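An added model of the race described above (written for this article, not Poloniex’s code): an unsafe ledger checks the balance and debits it as two separate steps, so several simultaneous requests all pass the check; the safe ledger does both under one lock. The `Barrier` is a constructed stand-in for the latency between the two steps that makes the interleaving deterministic.

```python
import threading

class UnsafeLedger:
    """Check-then-debit with no lock: concurrent withdrawals can overdraw."""
    def __init__(self, balance: int, concurrent_requests: int):
        self.balance = balance
        # Constructed: forces every request past the check before any debit.
        self._gate = threading.Barrier(concurrent_requests)

    def withdraw(self, amount: int) -> bool:
        if self.balance < amount:   # step 1: check
            return False
        self._gate.wait()           # other requests reach this point too
        self.balance -= amount      # step 2: debit, may drive balance negative
        return True

class SafeLedger:
    """Check and debit form one atomic step, so balance >= 0 always holds."""
    def __init__(self, balance: int):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw(self, amount: int) -> bool:
        with self._lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            return True

def run_concurrent(ledger, amount: int, n: int) -> tuple:
    """Fire n simultaneous withdrawals; return (successes, final balance)."""
    results = []
    def worker():
        results.append(ledger.withdraw(amount))
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), ledger.balance

if __name__ == "__main__":
    print("unsafe:", run_concurrent(UnsafeLedger(100, 3), 100, 3))  # (3, -200)
    print("safe:  ", run_concurrent(SafeLedger(100), 100, 3))       # (1, 0)
```

The same invariant is what a database enforces when the debit is a single conditional update (`UPDATE ... WHERE balance >= amount`) rather than a read followed by a write.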

MtGox (Feb 2014)

The first major cryptocurrency hack, both in coin count and value, hit the oldest and largest exchange. MtGox was repurposed in 2010 from a site where players of “Magic: The Gathering Online” could trade cards. The original developer had abandoned the project as not worth the effort when, in July 2010, he read an article about cryptocurrency on Slashdot. He repurposed the code enough to sell it to a Tokyo-based developer named Mark Karpeles. By 2014 MtGox was handling 70% of all BTC exchange transactions.

On February 7, 2014, MtGox suddenly suspended all trading, citing a bug in its security software. Trading remained suspended for two weeks, and then the site suddenly disappeared. MtGox filed for bankruptcy. Losses were put at 850,000 BTC, valued at the time at $470 million. The problem caused a 36% decline in the value of all bitcoin as investors argued whether the currency was secure enough to take seriously.

The cause of the MtGox implosion has been vigorously debated. Many suspect Mark Karpeles, who was arrested in Japan in 2015 for fraud, embezzlement, and manipulating ledger balances, although those charges seem to be indirectly related to the disappearance of the 850,000 BTC. The owner of a rival exchange was arrested in Greece in 2017 and charged with money laundering, including coins traceable to MtGox.

An equally strong argument has been made for third-party hackers taking advantage of mismanagement and insecure operations. MtGox had been hit by a nearly $9 million hack through its auditor’s computer in 2011. After the Japanese bankruptcy trustee took control of the assets in 2014, 200,000 BTC were found in an old wallet. Analysts pointed to a lack of version control systems and rigorous test procedures, which rendered software updates anarchic, as well as acute managerial incompetence. As one analyst said the year before MtGox imploded, “Magic The Gathering Online Exchange is a systemic risk to bitcoin, a death trap for traders and a business run by the clueless.”

Bitstamp (January 2015)

After repeated hacks, crypto exchanges learned to store coins in two locations. A ‘cold’ wallet is held on a server not connected to the internet, essentially air-gapped by blocking all external network access. A ‘hot’ wallet keeps enough money available for users to transact normal day-to-day operations. Bitstamp’s hot wallet was looted of 19,000 BTC by hackers using spear-phishing attacks that finally duped a systems administrator after weeks of effort. Fortunately, 90% of Bitstamp’s coins were in the cold wallet and weren’t affected.

DAO (June 2016)

Ethereum-based cryptocurrencies operate differently from bitcoin but have also proven susceptible to hackers. The Ethereum environment differs from other digital coin currencies. Tokens of value, called Ether (ETH), are exchanged via computer code called ‘smart contracts’, which runs when prespecified conditions are met. Because they run on a blockchain network of 6000 computers, they are impervious to modification or censorship. The Ethereum architecture supports decentralized autonomous organizations (DAOs), which define rules and decision making by encoding them in the blockchain, allowing smart contracts to function independently of documentation or human oversight.

In April 2016, the Genesis DAO created a community where investors could vote on projects, and those with at least 20% support would be funded. The DAO began crowdfunding $250 million in Ethereum-based venture capital. In June, a hacker exploited a flaw that allowed repeated withdrawals against the same tokens before the smart contract code had updated its balance record. Within a few hours, 30% of the ETH in the DAO had been diverted. As soon as the theft was reported, the developer team behind Genesis DAO implemented a hard fork which created a new blockchain. Unlike bitcoin’s Value Overflow Incident, the DAO fork met resistance from some members of the Ethereum community, who argued that tampering with the immutability of the stolen Ether would damage the value of everyone else’s Ether. The Ethereum community then voted; 89% agreed to accept the hard fork. The dissenters split away from the community and continued to recognize the original blockchain as ‘Ethereum Classic.’
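An added, simplified model of the DAO flaw (written for this article, not the DAO’s contract code): a vault that sends funds to the payee before recording the withdrawal can be re-entered by the payee’s receive hook until the pool is empty, while ordering the code as checks, then effects, then interactions limits the payee to its own balance. The `Vault`, `Honest` and `Reentrant` classes and their amounts are constructed.

```python
class Vault:
    """Holds a pool of ether and a per-depositor balance."""
    def __init__(self, pay_first: bool):
        self.balances = {}
        self.pool = 0                # ether held by the contract
        self.pay_first = pay_first   # True reproduces the vulnerable ordering

    def deposit(self, who, amount: int):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)      # check
        if amount == 0 or self.pool < amount:
            return
        if self.pay_first:
            # Vulnerable order: the interaction runs before the effect, so the
            # payee's balance still reads as unspent while its hook executes.
            self.pool -= amount
            who.receive(self, amount)
            self.balances[who] = 0
        else:
            # Checks-effects-interactions: record the withdrawal, then pay.
            self.balances[who] = 0
            self.pool -= amount
            who.receive(self, amount)

class Honest:
    def __init__(self): self.received = 0
    def receive(self, vault, amount): self.received += amount

class Reentrant:
    """Payee whose receive hook calls withdraw again while the first call is
    still in progress, the pattern the DAO attacker's fallback used."""
    def __init__(self): self.received = 0
    def receive(self, vault, amount):
        self.received += amount
        vault.withdraw(self)   # re-enters; stops once balance or pool is gone

def simulate(pay_first: bool) -> int:
    """Fund a vault with 90 from nine honest users and 10 from the re-entering
    payee, let the payee withdraw once, and return what it ends up holding."""
    vault = Vault(pay_first)
    for _ in range(9):
        vault.deposit(Honest(), 10)
    payee = Reentrant()
    vault.deposit(payee, 10)
    vault.withdraw(payee)
    return payee.received
```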

Genesis DAO was significant for a couple of reasons. It was a legitimate blockchain hack, rather than thieves stealing from an exchange or a wallet. It is also one of the largest crypto hacks and is still unsolved. At today’s prices, the 3.6 million stolen Ethereum Classic Ethers are worth over $40 million, although if redeemed at the current forked Ethereum valuation, they would be worth over $1 billion.

Bitfinex (August 2016)

The second largest exchange hack after MtGox looted hot wallets, ironically by using a flaw in a design that had been implemented to increase security. Bitfinex set up a system that required multiple signatures (multi-sig) to authorize a transaction, with software provided by a vendor called BitGo. There has not been a clear explanation of how the hackers were able to bypass the need for multiple keys so easily, but the most accepted hypothesis points to an improper system installation on the Bitfinex servers. The thieves stole 120,000 BTC, worth $72 million at the time.

Parity (July and November 2017)

Ethereum has also been affected by flaws in multi-sig systems. On July 17, 2017, someone hacked a multi-sig wallet provider named Parity. The targets were three companies that had recently raised funds through Initial Coin Offerings (ICOs). The hacker took 153,037 BTC, valued at $32 million. Only the intervention of white hat hackers, who diverted the wallet contents of other recent ICOs to secure locations, prevented the hack from being more expensive. Parity attributed the hack to a flaw in the Parity wallet version of the smart contract code and released a patch on July 20.

Unfortunately, the patch addressed the smart contract vulnerability but had another flaw. Parity put a ‘kill’ function in its smart contract code. The kill function allowed users to permanently lock their Parity wallets. Rather than deploy the entire updated code onto each wallet, Parity’s developers decided that some functions, including ‘kill,’ should make a function call into a central library. On November 6, a new user called “devops199” accidentally killed the library, which permanently froze all wallets connected to the library at the time. There were 587 wallets which contained 513,774 ETH, valued at around $150 million.

This was not a crime or malicious act, but it presented the Ethereum community with a problem. Should they again hard fork the Ethers to restore the frozen 587 wallets? Is yet another blockchain the answer? In April Parity had the vote put to the Ethereum community, which rejected the hard fork proposal 55% to 45%. The 513,774 ETH affected are permanently lost.

NiceHash (December 2017)

A Slovenian mining company, NiceHash, was penetrated by a hacker who spear-phished an employee’s credentials. The company lost 4700 BTC, valued at $80 million.

Coincheck (January 2018)

500 million tokens of a Japanese cryptocurrency created by the NEM foundation were stolen from Coincheck, a Japanese exchange. The hackers took the tokens from wallets and converted them into other currencies so quickly that NEM abandoned recovery efforts. Coincheck froze NEM deposits but was able to reassure investors and remain open, although Japanese authorities noted that the value of the loss, $530 million, exceeded that from MtGox in 2014.

Coinrail and Bithumb (June 2018)

In June two separate South Korean exchanges suffered attacks. Coinrail lost about 5300 BTC or $40 million, apparently taken from hot wallets. Weeks later, Bithumb — one of the ten largest crypto exchanges — lost $31 million in another hot wallet raid.

Current Blockchain Hacking Status

While hacking isn’t noticeably slowing, costing $1.1 billion in the first six months of 2018, non-crypto financial institutions would recognize most of the access methods as not unique to the blockchain world. While the blockchain itself has been mostly impervious to hacking thus far, leading some to claim that it ‘can’t be hacked,’ corporate security officers aren’t so sure. While acknowledging the power of blockchain, they cite vulnerabilities including the modification of smart contracts, incompetently implemented technology such as wallets, and human error. One so far undetected scenario discussed is the 51 percent attack, in which someone takes over at least 51 percent of the nodes in a blockchain to create blocks faster than everyone else and thus control it. To date, crypto-focused malware botnets have been used mostly to deploy infected computers for bitcoin mining, since creating a coin becomes ever more resource-intensive. Experts don’t rule out ransomware attacks or something equally insidious. They note that the SHA-256 hashing algorithm is challenging but not impossible to crack. Perhaps the greatest challenges around blockchain hacking are the ones that are still undetected. “The industry is so new right now, that we don’t even have a platform for finding and reporting vulnerabilities,” noted one McAfee executive. Perhaps the best advice for the moment is to only participate in blockchains with large communities and high transparency, to use two-factor authentication and hardware wallets, and above all to avoid complacency.


