An incredible story about how no one noticed the hacking of Cryptopia

Nikolay Gusev, published in AMarkets, Feb 5, 2019

“I hadn’t visited the exchange for a month, but when I entered, I saw that the site was hacked and all my coins disappeared…” — this is one of the many messages that have flooded the Internet recently.

What happened to one of the most reliable sites?

The reason is well known to any crypto enthusiast: this year Cryptopia became the first exchange to be hit by hackers. The attackers didn’t hesitate for long and drained roughly $16 million worth of crypto from the site!

Another crypto exchange has failed to provide adequate security for its customers’ funds. This could have been the end of the story, but it had an incredible continuation. No, the funds haven’t been miraculously recovered. The hackers showed up again a few weeks later. At the end of January, they syphoned off around 180 thousand USD. The reports show that a total of 17,000 wallets were compromised in these two successive attacks.

After the first hack, the experts warned that the remaining wallets were vulnerable too, but this warning didn’t reach the users, who either couldn’t see the message in time or simply did not have enough time to withdraw their ETH. It should be noted that after the first hack, Cryptopia should have withdrawn the clients’ funds, but for some reason it didn’t. Moreover, Cryptopia had lost control over the users’ private keys. And now, all the exchange’s customers are left with are bullshit excuses on Twitter.

After the first attack, the exchange acknowledged the existence of an error in the security system, which had led to this tragic outcome. After the second theft, Cryptopia representatives simply referred to the police report. The theft, by the way, is currently being investigated by the New Zealand Police and the High-Tech Crime Division.

Cryptopia and big concerns about its security system

As early as the spring of 2018, the exchange’s representatives boasted about innovations that were designed to protect customers against all sorts of hacker attacks and data leaks. These concerned a change to the rules of two-factor authentication. The exchange reported that when a client logged in from a new IP address, a unique code would be sent to the client’s email. Such a solution, according to Cryptopia management, could protect customers from losing coins.

“To improve the security of your account, we are gradually abandoning alternative two-factor authentication check options, as we strive to provide a secure experience to our users,” representatives of the exchange reported on their blog, which is now unavailable. “If you log in from a new IP address, you will be prompted to enter a dynamic unique code that will be sent to your registered email address each time you log in. From now on, Email will be your two-level default authentication every time you login. And the code will be valid for only 15 minutes.”
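The flow described in that announcement (a code e-mailed on login from a new IP address, valid for 15 minutes) can be sketched as follows. This is an added example, not Cryptopia's code; the `EmailStepUp` class, the 8-digit code length and the five-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 15 * 60   # the 15-minute validity quoted in the announcement
MAX_ATTEMPTS = 5     # assumption: the page gives no lockout threshold


class EmailStepUp:
    """Hypothetical in-memory store; a real service would persist this state."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.known_ips = {}  # user -> set of IPs that already passed the check
        self.pending = {}    # (user, ip) -> [code_hash, expires_at, attempts_left]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def login(self, user, ip):
        """Return None for a known IP, else a fresh code to e-mail to the user."""
        if ip in self.known_ips.get(user, set()):
            return None
        code = f"{secrets.randbelow(10**8):08d}"  # CSPRNG, not random.randint
        self.pending[(user, ip)] = [self._digest(code), self.clock() + CODE_TTL, MAX_ATTEMPTS]
        return code  # only the hash is stored server-side

    def verify(self, user, ip, code):
        """Accept the code once, within the TTL and the attempt budget."""
        entry = self.pending.get((user, ip))
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[(user, ip)]  # expired or locked out: force a new code
            return False
        if not hmac.compare_digest(digest, self._digest(code)):
            entry[2] -= 1                 # wrong guess burns one attempt
            return False
        del self.pending[(user, ip)]      # single use: a replayed code fails
        self.known_ips.setdefault(user, set()).add(ip)
        return True
```

A check like this gates account login only; it says nothing about who controls the private keys of the wallets the exchange holds, which the article reports Cryptopia had lost.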

Unfortunately, this strategy did not prevent the recent hackings. WhalePanda, a Twitter user popular in the cryptosphere, tactfully hinted that there may have been an internal theft, but we’d like to believe that this wasn’t the case.

However, there’s no harm in blaming the exchange’s representatives, who failed to recognize the signs of a hacking attack. If we take into account the fact that cryptocurrencies are now stagnant, and users simply do not see the point in moving coins, it becomes even more vexing. It took some time for most crypto holders to notice that their accounts had been wiped out. Now that it has already happened, any advice to keep coins in cold wallets will be useless. But we’ll still talk about it in the next section.

Heads of major exchanges gave advice to Cryptopia users

The hacking of Cryptopia wasn’t ignored by Changpeng Zhao, the CEO of Binance, and Jesse Powell, the head of Kraken. Zhao noted that all responsibility for the security of the coins lies primarily on the users themselves, who shouldn’t rely on an exchange.

To protect yourself from being hacked, here are some common sense measures:

— verify the URL while you work. Cunning hackers replace links as quick as lightning. By the way, one of the most common tricks to cheat crypto enthusiasts is the substitution of the address in the address bar. A user copies one link, but after pasting it into the address bar, it is replaced, and the user is transferred to a phishing site. If you’ve been sent to such a website and didn’t notice it — you may as well say goodbye to your funds.

— the browser itself can help hackers steal funds too. To avoid such incidents, do not install any “cryptocurrency” applications and keep your browser clean for transactions.

— do not trade when connected to a public Wi-Fi. Lots of people forget this seemingly obvious rule.

— hackers have also learned to intercept data even through SMS sent via the SS7 protocol, so it is best not to entrust two-factor authentication to your mobile gadget. You can replace this method, for example, by working with the Google Authenticator application.

Cryptopia… more like Crypto utopia. Funny word play, huh? Anyways, if you haven’t withdrawn your funds from your exchange, it’s about time to do it now to protect yourself from theft. Another smart decision would be to let your coins circulate and not hold them forever. You can transfer them to a brokerage account and let the broker hold them on your behalf, or even trade with them. But it’s up to you of course. Either way, stay alert — don’t let hackers steal from you!
